Looks suspicious: WinSecMonitor says updates disabled, but updates NOT disabled - what is this?


This topic is locked. 26 replies to this topic.
#1 Quex
  • Members
  • 53 posts
  • Gender:Female
  • Location:Tucson, The Land of AZ

Posted 11 January 2012 - 03:40 PM

WELL, this HAD been a clean machine until somebody came home for the holidays and started doing silly things on it.

Following a terrible case of fake security centers and redirect viruses (that you wonderful Bleeping fellows so patiently solved for me, thank you again) about two years ago, I have kept MalwareBytes on this machine and run it occasionally... perhaps once a month. I would run it much more often but for the fact that said machine is geriatric, and official owner of said machine insists on using McAfee and turning off Mbam in the middle of a scan if he finds it running.

Mbam has generally not found anything (except a coupon printer once or twice) since the first incident. Neither has McAfee.

Then, suddenly, McAfee finds something this past weekend. I do not have a log (unless it made one somewhere on its own, don't know how McAfee does its thing), but it supposedly found five different issues and fixed them all on its own, never mind giving the user an explanation of what they were. Now McAfee reports the system is clear, but something suspicious has started happening: the little Windows Security Alert shield is appearing in the notification tray, insisting that the system is at risk because auto-updates are turned off. When I ask this prompt to turn the updates back on for me, it says that it can't and provides instructions to do it manually through the control panel>system>etc. I follow these instructions and... wth, updates are supposedly already turned on. The tiny red shield with an X in it remains in the bottom right corner, insisting that updates are off. Hmm.

So I ran Mbam to see if it could catch anything more, and sure enough, it does:

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.


That sounds like it relates to the problem. I restart the system, but the alert does not go away. Another Mbam quick scan comes up clean. On a hunch, I set Mbam to run a full scan and left it overnight. Come back in the morning and receive the news that Mbam has crashed, do you want to send a report to Microsoft, etc. NO, no I don't. But Mbam has never crashed on me before. ._.

Tried to run another full scan, and this time got:

Files Detected: 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2213\A0350792.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.


Restart again, Windows Security Alert shield still in the notification tray, still insisting that updates are turned off. So now I'm on Bleeping asking the experts. What is confusing my system? Are the updates actually on and the notifier is mistaken, or are they actually off and the control panel is lying to me? What are these seemingly small things Mbam needs a full scan to dredge up?

Many thanks in advance for your wisdom. :3
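An added example, not from this thread or from Malwarebytes, that parses MBAM 1.x detection lines of the kind quoted in the post above and spells out what the three PUM.Disabled.SecurityCenter hits mean: each DisableNotify value set to 1 only silences the Security Center alert for that component, it does not switch the component itself off. The sample log is constructed from the lines quoted in the post; the regexes, data class and function names are this example's own.

```python
"""Parse Malwarebytes 1.x detection lines and interpret Security Center PUMs.

Added example, not part of the original thread or of Malwarebytes' own code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "<Section> Detected: <n>" header, e.g. "Registry Data Items Detected: 3"
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z/ ]+) Detected: (?P<n>\d+)$")
# Registry data item: KEY|VALUENAME (Detection) -> Bad: (x) Good: (y) -> Action
REG_DATA_RE = re.compile(
    r"^(?P<key>HK[A-Z_]+\\[^|]+)\|(?P<name>\S+) \((?P<det>[^)]+)\)"
    r" -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$"
)
# File item: DRIVE:\path\file (Detection) -> Action
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) \((?P<det>[^)]+)\) -> (?P<action>.+)$")

SECURITY_CENTER_KEY = r"HKLM\SOFTWARE\Microsoft\Security Center"
# Value name -> component whose Security Center alert it silences when set to 1.
DISABLE_NOTIFY = {
    "AntiVirusDisableNotify": "antivirus",
    "FirewallDisableNotify": "firewall",
    "UpdatesDisableNotify": "Automatic Updates",
}


@dataclass
class Detection:
    section: str
    location: str      # registry key or file path
    name: str          # registry value name or file name
    detection: str     # MBAM detection label, e.g. PUM.Disabled.SecurityCenter
    action: str
    bad: Optional[str] = None   # registry data items only
    good: Optional[str] = None


def parse_mbam_log(text: str) -> List[Detection]:
    """Return every registry-data and file detection line, tagged with its section."""
    found: List[Detection] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = REG_DATA_RE.match(line)
        if m:
            found.append(Detection(section, m["key"], m["name"], m["det"],
                                   m["action"], m["bad"], m["good"]))
            continue
        m = FILE_RE.match(line)
        if m:
            name = m["path"].rsplit("\\", 1)[-1]
            found.append(Detection(section, m["path"], name, m["det"], m["action"]))
    return found


def count_mismatches(text: str) -> Dict[str, Tuple[int, int]]:
    """Sections whose declared count differs from the lines actually parsed
    (a quick sanity check that a pasted log was not truncated)."""
    declared: Dict[str, int] = {}
    for raw in text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if m:
            declared[m["section"]] = int(m["n"])
    parsed: Dict[str, int] = {}
    for d in parse_mbam_log(text):
        parsed[d.section] = parsed.get(d.section, 0) + 1
    return {s: (n, parsed.get(s, 0)) for s, n in declared.items() if n != parsed.get(s, 0)}


def explain(d: Detection) -> Optional[str]:
    """Plain-English meaning of a Security Center DisableNotify PUM, else None."""
    if d.bad is None or d.location.lower() != SECURITY_CENTER_KEY.lower():
        return None
    comp = DISABLE_NOTIFY.get(d.name)
    if comp is None:
        return None
    if d.bad == "1":
        return (f"{d.name}=1: Security Center alerts about {comp} were suppressed; "
                f"this hides the warning but does not itself switch {comp} off.")
    return f"{d.name}={d.bad}: unexpected value, review manually."


def suppressed_components(text: str) -> List[str]:
    """Components whose Security Center alert was silenced, in log order."""
    return [DISABLE_NOTIFY[d.name] for d in parse_mbam_log(text)
            if explain(d) and d.bad == "1"]


# Constructed sample: the detection lines quoted in the post above.
SAMPLE_LOG = r"""
Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Files Detected: 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2213\A0350792.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for det in parse_mbam_log(SAMPLE_LOG):
        print(f"[{det.section}] {det.detection}: {det.location} {det.name}")
        note = explain(det)
        if note:
            print("    ", note)
    print("count mismatches:", count_mismatches(SAMPLE_LOG))
```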


#2 Broni
    The Coolest BC Computer
  • BC Advisor
  • 42,716 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 11 January 2012 - 04:02 PM

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE: aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


#3 cryptodan
    Bleepin Madman
  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 11 January 2012 - 04:02 PM

What scan are you doing with Mbam? Complete or quick?

The stuff in your first quote box refers to Windows Security Center Alerts, and also can you take a picture of what you are seeing?

#4 Quex
  • Topic Starter
  • Members
  • 53 posts
  • Gender:Female
  • Location:Tucson, The Land of AZ

Posted 11 January 2012 - 05:45 PM

What scan are you doing with Mbam? Complete or quick?


Done 4 of them so far:

Quick scan #1 caught the first 3 things in the registry, then
Quick scan #2 came up clean. Then...
Complete scan #1 failed and crashed the program, and then...
Complete scan #2 caught RiskWare.Tool.CK.

The stuff in your first quote box refers to Windows Security Center Alerts, and also can you take a picture of what you are seeing?


Yep! Took some screencaps and added graffiti:

https://picasaweb.google.com/lh/photo/ntKOUqhNHFiVH1vsPW0EFNsfzzDBGgykONpX_2H6NF8?feat=directlink

https://picasaweb.google.com/lh/photo/5qOcxY0M7KmA2l3LnZ-uj9sfzzDBGgykONpX_2H6NF8?feat=directlink

(It seems I am not allowed to embed them in this post, though.)


#5 Broni
    The Coolest BC Computer
  • BC Advisor
  • 42,716 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 11 January 2012 - 05:46 PM

Follow my reply #2.


#6 Quex
  • Topic Starter
  • Members
  • 53 posts
  • Gender:Female
  • Location:Tucson, The Land of AZ

Posted 11 January 2012 - 06:15 PM

Download Security Check from HERE, and save it to your Desktop. ETC, etc...


Sorry for the wait, was in progress. Here's what came back:

Security Check output:


Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

McAfee AntiVirus Plus
McAfee Security Scan Plus
McAfee Shredder
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File
CCleaner
Java™ 6 Update 24
Out of date Java installed!
Adobe Flash Player 11.1.102.55
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

 
Farbar Service Scanner output:

Farbar Service Scanner
Ran by Quex (administrator) on 11-01-2012 at 15:52:37
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Line 2468 Error: Variable used without being declared.

 
MiniToolBox output:
MiniToolBox by Farbar
Ran by Quex (administrator) on 11-01-2012 at 15:55:20
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================


There are 15064 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

Intel® PRO/100 VE Network Connection = Local Area Connection (Disconnected)
Compact Wireless-G USB Adapter = Wireless Network Connection 13 (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Wireless Network Connection 13"

set address name="Wireless Network Connection 13" source=dhcp
set address name="Wireless Network Connection 13" gateway=0.0.0.0 gwmetric=
set dns name="Wireless Network Connection 13" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection 13" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : D4QMHT31
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.az.comcast.net.

Ethernet adapter Wireless Network Connection 13:

Connection-specific DNS Suffix . : hsd1.az.comcast.net.
Description . . . . . . . . . . . : Compact Wireless-G USB Adapter #6
Physical Address. . . . . . . . . : 00-14-BF-7D-72-FC
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 75.75.75.75
                                    75.75.76.76
Lease Obtained. . . . . . . . . . : Wednesday, January 11, 2012 7:57:03 AM
Lease Expires . . . . . . . . . . : Thursday, January 12, 2012 7:57:03 AM

Server: cdns01.comcast.net
Address: 75.75.75.75

Name: google.com
Addresses: 74.125.224.52, 74.125.224.49, 74.125.224.48, 74.125.224.51, 74.125.224.50

Pinging google.com [74.125.224.84] with 32 bytes of data:

Reply from 74.125.224.84: bytes=32 time=32ms TTL=54
Reply from 74.125.224.84: bytes=32 time=32ms TTL=54

Ping statistics for 74.125.224.84:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 32ms, Maximum = 32ms, Average = 32ms

Server: cdns01.comcast.net
Address: 75.75.75.75

Name: yahoo.com
Addresses: 209.191.122.70, 72.30.2.43, 98.137.149.56, 98.139.180.149

Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=56ms TTL=51
Reply from 209.191.122.70: bytes=32 time=57ms TTL=51

Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 56ms, Maximum = 57ms, Average = 56ms

Server: cdns01.comcast.net
Address: 75.75.75.75

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 14 bf 7d 72 fc ...... Compact Wireless-G USB Adapter #6 - McAfee Core NDIS Intermediate Filter Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.100 25
192.168.1.100 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.100 192.168.1.100 25
224.0.0.0 240.0.0.0 192.168.1.100 192.168.1.100 25
255.255.255.255 255.255.255.255 192.168.1.100 192.168.1.100 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 25 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 26 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 27 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 28 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 29 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/11/2012 00:36:48 PM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
Description: A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 90000 ms to complete a request.
The process will be terminated.
Thread id : 396 (0x18c)
Thread address : 0x7C90E514
Thread message :
Build VSCORE.14.4.0.380 / 5400.1158

 


I'll be back with the output of the Avast and Mbam scans as soon as they complete. Ha ha, pink.

And thank you, as always.

#7 cryptodan
    Bleepin Madman
  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 11 January 2012 - 06:54 PM

Your mini-toolbox output is incomplete.

#8 Quex
  • Topic Starter
  • Members
  • 53 posts
  • Gender:Female
  • Location:Tucson, The Land of AZ

Posted 11 January 2012 - 07:02 PM

Your mini-toolbox output is incomplete.


I noted that. The program crashes after gathering the connection data.

#9 Quex
  • Topic Starter
  • Members
  • 53 posts
  • Gender:Female
  • Location:Tucson, The Land of AZ

Posted 11 January 2012 - 07:34 PM

Continuing from above:

aswMBR output:

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-11 16:02:44
-----------------------------
16:02:44.609 OS Version: Windows 5.1.2600 Service Pack 3
16:02:44.609 Number of processors: 1 586 0x209
16:02:44.609 ComputerName: D4QMHT31 UserName:
16:02:48.968 Initialize success
16:09:33.765 AVAST engine defs: 12011101
16:12:23.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:12:23.312 Disk 0 Vendor: IC35L090AVV207-0 V23OA66A Size: 76293MB BusType: 3
16:12:23.343 Disk 0 MBR read successfully
16:12:23.343 Disk 0 MBR scan
16:12:26.640 Disk 0 Windows XP default MBR code
16:12:26.656 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 39 MB offset 63
16:12:29.406 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76245 MB offset 80325
16:12:30.359 Disk 0 scanning sectors +156232125
16:12:31.000 Disk 0 scanning C:\WINDOWS\system32\drivers
16:13:42.703 Service scanning
16:13:48.296 Modules scanning
16:14:35.609 Module: C:\WINDOWS\system32\dla\tfsndres.sys **SUSPICIOUS**
16:14:44.343 Disk 0 trace - called modules:
16:14:44.703 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
16:14:44.703 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83785ab8]
16:14:44.703 3 CLASSPNP.SYS[f87b6fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x837a4b00]
16:14:46.640 AVAST engine scan C:\WINDOWS
16:15:18.546 AVAST engine scan C:\WINDOWS\system32
16:22:57.390 AVAST engine scan C:\WINDOWS\system32\drivers
16:23:58.593 AVAST engine scan C:\Documents and Settings\Harland Hirtzel
16:34:13.843 AVAST engine scan C:\Documents and Settings\All Users
16:43:54.453 Scan finished successfully
16:59:43.203 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Harland Hirtzel\Desktop\MBR.dat"
16:59:43.203 The log file has been saved successfully to "C:\Documents and Settings\Harland Hirtzel\Desktop\aswMBR.txt"

 
And lastly,
MBAM Output:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.11.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Harland Hirtzel :: D4QMHT31 [administrator]

1/11/2012 5:05:16 PM
mbam-log-2012-01-11 (17-05-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 208323
Time elapsed: 21 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#10 Broni
    The Coolest BC Computer
  • BC Advisor
  • 42,716 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 11 January 2012 - 08:05 PM

Restart in safe mode and try to re-run FSS and MiniToolbox.


#11 Quex
  • Topic Starter
  • Members
  • 53 posts
  • Gender:Female
  • Location:Tucson, The Land of AZ

Posted 14 January 2012 - 03:51 PM

Restart in safe mode and try to re-run FSS and MiniToolbox.


Roger that. Now I have a most grievous error: I cannot get the thing to boot in safe mode AT ALL. Not basic safe, not safe with networking, not even safe with command prompt. I just get the long list of drivers on a black screen, then... nothing. It hangs and stays that way. After 30 minutes, did a hard boot and tried again. And again. And again. Do I have a registry error that's causing this....?

#12 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,692 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 14 January 2012 - 06:28 PM

Hi and welcome!

Let's try Combofix in Normal Mode.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouse-click combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.


#13 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 14 January 2012 - 07:33 PM

Hello, just letting you know I moved this topic to Here in the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay.

Please remember to click the Watch Topic button at the top right and select Immediate Notification so you do not miss any replies now that you were moved.

#14 Quex
  • Topic Starter
  • Members
  • 53 posts
  • Gender:Female
  • Location:Tucson, The Land of AZ

Posted 15 January 2012 - 02:43 PM

Uh-oh, now ComboFix is involved. This means I'm in trouble, doesn't it...? Log is attached.

I noticed a hiccup during the scan: somewhere between completing stages 37 and 50, a notice came up that "PEV.exe has encountered an error and needs to close etc.", if that means anything to you all... I have never seen PEV.exe in the list of processes running native to the machine before, so I'm hoping it was a not-very-important element of the ComboFix process. Please let me know if I need to run the scan again for some reason.

Attached Files
  • log.txt (53.73KB)

#15 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,692 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 15 January 2012 - 05:55 PM

From time to time we do see those hiccups. Nothing to worry about.

Perform a scan with Malwarebytes' Anti-Malware.
  • Launch and update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Let's try the ESET Online Scanner.

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to the ESET Online Scanner.
  • Select the option YES, I accept the Terms of Use then click on Start.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

  • All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    Scan for potentially unwanted applications
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology

  • Now click on Start.
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
