Virus


20 replies to this topic

#1 drpaul88

Posted 26 January 2012 - 01:29 PM

Thanks to this site I believe I have rid my desktop of 95% of the system check bug but I know there is still some left. Periodically malwarebytes & spyware doc still find stuff. My start programs still show "empty" as well. Under the smtmp file there is a folder with a 2 next to it, and inside is a system check shortcut icon.....

Not sure how to proceed from here?

Thanks,

Paul

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

#2 Broni

Posted 26 January 2012 - 02:18 PM

Welcome aboard

Let's see if we can recover your missing features.
Download and run UnHide
Let me know if it worked.

Then....

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


#3 drpaul88


Posted 26 January 2012 - 02:47 PM

OK...here goes. Hope I do it correctly. I had done the malwarebytes already so I found those results:

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
AVG 2011
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 15
Out of date Java installed!
Adobe Flash Player ( 10.3.183.11) Flash Player Out of Date!
Mozilla Firefox (3.6.25) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgemc.exe
``````````End of Log````````````


Farbar Service Scanner Version: 18-01-2012 01
Ran by Paul (administrator) on 26-01-2012 at 14:38:17
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking LEGACY_wuauserv: Attention! Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2008-04-14 07:00] - [2008-10-16 09:43] - 0138496 ____A (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) pctgntdi(10) PSched(7) Tcpip(4)
0x0900000005000000010000000200000003000000040000000A000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****



MiniToolBox by Farbar Version: 18-01-2012
Ran by Paul (administrator) on 26-01-2012 at 14:39:34
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

Hosts file not detected in the default directory
========================= IP Configuration: ================================

Intel® PRO/100 VE Network Connection = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : paul-c5d256c778

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : ec.rr.com



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : ec.rr.com

Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection

Physical Address. . . . . . . . . : 00-19-D1-2D-2A-02

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.2.101

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.2.1

DHCP Server . . . . . . . . . . . : 192.168.2.1

DNS Servers . . . . . . . . . . . : 209.18.47.61

209.18.47.62

Lease Obtained. . . . . . . . . . : Thursday, January 26, 2012 1:18:56 PM

Lease Expires . . . . . . . . . . : Friday, January 27, 2012 1:18:56 PM

Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: google.com
Addresses: 74.125.45.103, 74.125.45.104, 74.125.45.105, 74.125.45.106
74.125.45.147, 74.125.45.99



Pinging google.com [74.125.47.104] with 32 bytes of data:



Reply from 74.125.47.104: bytes=32 time=28ms TTL=53

Reply from 74.125.47.104: bytes=32 time=28ms TTL=53



Ping statistics for 74.125.47.104:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 28ms, Maximum = 28ms, Average = 28ms

Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: yahoo.com
Addresses: 209.191.122.70, 72.30.2.43, 98.137.149.56, 98.139.180.149



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:



Reply from 209.191.122.70: bytes=32 time=49ms TTL=53

Reply from 209.191.122.70: bytes=32 time=44ms TTL=53



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 44ms, Maximum = 49ms, Average = 46ms

Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:



Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 19 d1 2d 2a 02 ...... Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.101 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.2.101 192.168.2.101 20
192.168.2.0 255.255.255.0 192.168.2.101 192.168.2.101 20
192.168.2.101 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.2.255 255.255.255.255 192.168.2.101 192.168.2.101 20
224.0.0.0 240.0.0.0 192.168.2.101 192.168.2.101 20
255.255.255.255 255.255.255.255 192.168.2.101 192.168.2.101 1
Default Gateway: 192.168.2.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 mswsock.dll [File Not found] ()
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329688] (PC Tools Research Pty Ltd.)
Catalog9 02 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329688] (PC Tools Research Pty Ltd.)
Catalog9 03 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329688] (PC Tools Research Pty Ltd.)
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()
Catalog9 16 mswsock.dll [File Not found] ()
Catalog9 17 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329688] (PC Tools Research Pty Ltd.)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/24/2012 01:50:24 PM) (Source: MySQL) (User: )
Description: Can't start server: can't create PID file: Permission denied

For more information, see Help and Support Center at http://www.mysql.com.

Error: (01/24/2012 01:50:24 PM) (Source: MySQL) (User: )
Description: c:\xampp\mysql\bin\mysqld.exe: Can't create/write to file 'C:\xampp\mysql\data\mysql.pid' (Errcode: 13)

For more information, see Help and Support Center at http://www.mysql.com.

Error: (01/24/2012 01:43:22 PM) (Source: MySQL) (User: )
Description: Can't start server: can't create PID file: Permission denied

For more information, see Help and Support Center at http://www.mysql.com.

Error: (01/24/2012 01:43:22 PM) (Source: MySQL) (User: )
Description: c:\xampp\mysql\bin\mysqld.exe: Can't create/write to file 'C:\xampp\mysql\data\mysql.pid' (Errcode: 13)

For more information, see Help and Support Center at http://www.mysql.com.

Error: (01/24/2012 11:49:56 AM) (Source: Application Hang) (User: )
Description: Hanging application avgtray.exe, version 10.0.0.1410, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/24/2012 11:34:40 AM) (Source: MySQL) (User: )
Description: Can't start server: can't create PID file: Permission denied

For more information, see Help and Support Center at http://www.mysql.com.

Error: (01/24/2012 11:34:40 AM) (Source: MySQL) (User: )
Description: c:\xampp\mysql\bin\mysqld.exe: Can't create/write to file 'C:\xampp\mysql\data\mysql.pid' (Errcode: 13)

For more information, see Help and Support Center at http://www.mysql.com.

Error: (01/24/2012 10:43:05 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.crt> with error: This network connection does not exist.

Error: (01/24/2012 10:43:05 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.crt> with error: The connection with the server was terminated abnormally

Error: (01/24/2012 10:40:50 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.crt> with error: This network connection does not exist.


System errors:
=============
Error: (01/26/2012 01:33:38 PM) (Source: Service Control Manager) (User: )
Description: The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (01/26/2012 01:17:48 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (01/26/2012 01:11:10 PM) (Source: DCOM) (User: Paul)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (01/26/2012 01:09:47 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Avgldx86
Avgmfx86
Fips
intelppm
PCTSD
SASDIFSV
SASKUTIL

Error: (01/26/2012 01:08:35 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (01/26/2012 01:03:42 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the sdCoreService service.

Error: (01/26/2012 00:27:59 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the sdCoreService service.

Error: (01/25/2012 00:39:46 PM) (Source: Service Control Manager) (User: )
Description: The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (01/25/2012 00:37:26 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the sdCoreService service.

Error: (01/25/2012 00:07:10 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the sdCoreService service.


Microsoft Office Sessions:
=========================
Error: (01/24/2012 01:50:24 PM) (Source: MySQL)(User: )
Description: Can't start server: can't create PID file: Permission denied

Error: (01/24/2012 01:50:24 PM) (Source: MySQL)(User: )
Description: c:\xampp\mysql\bin\mysqld.exe: Can't create/write to file 'C:\xampp\mysql\data\mysql.pid' (Errcode: 13)

Error: (01/24/2012 01:43:22 PM) (Source: MySQL)(User: )
Description: Can't start server: can't create PID file: Permission denied

Error: (01/24/2012 01:43:22 PM) (Source: MySQL)(User: )
Description: c:\xampp\mysql\bin\mysqld.exe: Can't create/write to file 'C:\xampp\mysql\data\mysql.pid' (Errcode: 13)

Error: (01/24/2012 11:49:56 AM) (Source: Application Hang)(User: )
Description: avgtray.exe10.0.0.1410hungapp0.0.0.000000000

Error: (01/24/2012 11:34:40 AM) (Source: MySQL)(User: )
Description: Can't start server: can't create PID file: Permission denied

Error: (01/24/2012 11:34:40 AM) (Source: MySQL)(User: )
Description: c:\xampp\mysql\bin\mysqld.exe: Can't create/write to file 'C:\xampp\mysql\data\mysql.pid' (Errcode: 13)

Error: (01/24/2012 10:43:05 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.crtThis network connection does not exist.

Error: (01/24/2012 10:43:05 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.crtThe connection with the server was terminated abnormally

Error: (01/24/2012 10:40:50 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.crtThis network connection does not exist.


=========================== Installed Programs ============================

Acrobat.com (Version: 2.0.0)
Acrobat.com (Version: 2.0.0.0)
Adobe Acrobat 5.0 (Version: 5.0)
Adobe AIR (Version: 1.5.3.9120)
Adobe Flash Player 10 ActiveX (Version: 10.0.32.18)
Adobe Flash Player 10 Plugin (Version: 10.3.183.11)
Adobe Reader 9.4.5 (Version: 9.4.5)
Apple Application Support (Version: 2.1.6)
Apple Mobile Device Support (Version: 4.0.0.97)
Apple Software Update (Version: 2.1.3.127)
Avery Wizard 3.1 (Version: 3.1.5)
AVG 2011 (Version: 10.0.1416)
AVG 2011 (Version: 10.0.2109)
Bonjour (Version: 3.0.0.10)
CCleaner (Version: 3.15)
Compatibility Pack for the 2007 Office system (Version: 12.0.6514.5001)
dj_sf_software_req (Version: 90.0.235.000)
Free Audio CD Burner version 1.4.7
Free DVD Video Burner version 3.0.1
Free DVD Video Converter version 1.5.12
Free YouTube to MP3 Converter version 3.10.5.722
GIMP 2.6.11 (Version: 2.6.11)
Google Gmail Notifier
Google Talk Plugin (Version: 2.6.1.5251)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.2.2427.2330)
Google Update Helper (Version: 1.3.21.79)
GoToMeeting 4.5.0.457
HP Deskjet Printer Driver Software 9.0 (Version: 9.0)
Intel® Graphics Media Accelerator Driver
Intel® Network Connections 13.0.44.0 (Version: 13.0.44.0)
iTunes (Version: 10.5.2.11)
Java™ 6 Update 15 (Version: 6.0.150)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Office 2003 Primary Interop Assemblies (Version: 11.0.6553.0)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Silverlight (Version: 4.0.60310.0)
Microsoft Visual C++ 2005 Redistributable - KB2467175 (Version: 8.0.51011)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual Studio 2005 Tools for Office Runtime (Version: 8.0.60940.0)
Mozilla Firefox (3.6.25) (Version: 3.6.25 (en-US))
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
Musicnotes Software Suite 1.5.5 (Version: 1.5.5)
Paint.NET v3.5.7 (Version: 3.57.0)
Palm (Version: 4.1.0420)
Plus! Image (Version: 1.0.1.102)
PowerDVD
QuickBooks (Version: 19.0.4013.705)
QuickBooks Pro 2009 (Version: 19.0.4013.705)
QuickTime (Version: 7.66.73.0)
Roxio Creator Audio (Version: 3.7.0)
Roxio Creator Copy (Version: 3.7.0)
Roxio Creator Data (Version: 3.7.0)
Roxio Creator DE (Version: 10.1)
Roxio Creator DE (Version: 3.7.0)
Roxio Creator Tools (Version: 3.7.0)
Roxio Express Labeler 3 (Version: 3.2.1)
Roxio Update Manager (Version: 6.0.0)
Soft Data Fax Modem with SmartCP
Spybot - Search & Destroy (Version: 1.6.2)
Spyware Doctor (Version: 8.0)
SUPERAntiSpyware (Version: 5.0.1142)
SupportSoft Assisted Service (Version: 15)
Toolbox (Version: 90.0.146.000)
Uninstall 1.0.0.1
Unity Web Player (Version: 2.6.1f3_31223)
Visual Studio 2005 Tools for Office Second Edition Runtime
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 8 (Version: 20090308.140743)
WinX Free DVD Ripper 4.5.12
XAMPP 1.7.4

========================= Memory info: ===================================

Percentage of memory in use: 83%
Total physical RAM: 1013.89 MB
Available physical RAM: 166.01 MB
Total Pagefile: 2439.73 MB
Available Pagefile: 1387.4 MB
Total Virtual: 2047.88 MB
Available Virtual: 1969.19 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:232.88 GB) (Free:201.18 GB) NTFS

========================= Users: ========================================

User accounts for \\PAUL-C5D256C778

Administrator Guest HelpAssistant
Paul SUPPORT_388945a0


**** End of log ****



Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.25.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Paul :: PAUL-C5D256C778 [administrator]

1/26/2012 12:00:22 PM
mbam-log-2012-01-26 (12-00-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200568
Time elapsed: 22 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Paul\My Documents\Downloads\7zipap_1320.exe (PUP.BundleOffers.IIQ) -> Quarantined and deleted successfully.

(end)



Thanks a ton & let me know if I messed up. I had already completed unhide.exe. I have desktop icons back & the computer seems to be running OK, BUT start menu programs are empty. Spyware doctor keeps finding stuff. I see a smtmb file with #2 beside it but that's it.

Paul
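A triage helper for the FSS log format posted above, added here as an example; it is not code from the thread, from Farbar's tool or from BleepingComputer. Its sample input is a trimmed copy of the FSS log in this reply, and the function and constant names are assumptions made for the example.

```python
"""Triage helper for Farbar Service Scanner (FSS) logs.

Added example, not part of this thread and not Farbar's own code: it parses the
FSS.txt text format posted above and lists the findings a helper would act on.
The function and constant names are assumptions made for this example.
"""
import re

# Constructed sample: a trimmed copy of the FSS log posted in this thread.
SAMPLE_FSS = r"""
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2008-04-14 07:00] - [2008-10-16 09:43] - 0138496 ____A (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
START_TYPE = re.compile(r"^The start type of (\S+) service is set to (\w+)\. "
                        r"The default start type is (\w+)\.")
MISSING_KEY = re.compile(r"Unable to open (\S+) registry key")
FW_PROFILE = re.compile(r"^\[.*\\FirewallPolicy\\(\w+)\]$")
FW_VALUE = re.compile(r'^"EnableFirewall"=DWORD:(\d+)$')
FILE_LINE = re.compile(r"^([A-Za-z]:\\\S+)(?:\s+=>\s+(.*))?$")


def parse_fss(text):
    """Return the structured findings from one FSS log."""
    result = {"not_running": [], "start_type": {}, "missing_keys": [],
              "firewall_policy": {}, "unverified_files": []}
    profile = None  # FirewallPolicy profile named by the preceding key line
    for line in text.splitlines():
        line = line.strip()
        if m := NOT_RUNNING.match(line):
            result["not_running"].append(m.group(1))
        elif m := START_TYPE.match(line):
            svc, actual, default = m.groups()
            if actual != default:
                result["start_type"][svc] = (actual, default)
        elif m := MISSING_KEY.search(line):
            # FSS repeats the same key once per check; record it once.
            if m.group(1) not in result["missing_keys"]:
                result["missing_keys"].append(m.group(1))
        elif m := FW_PROFILE.match(line):
            profile = m.group(1)
        elif (m := FW_VALUE.match(line)) and profile:
            result["firewall_policy"][profile] = int(m.group(1))
            profile = None
        elif m := FILE_LINE.match(line):
            # A path without the "=> MD5 is legit" verdict was not matched to a
            # known-good hash; FSS prints its details on the next line instead.
            if not (m.group(2) or "").startswith("MD5 is legit"):
                result["unverified_files"].append(m.group(1))
    return result


def triage(text):
    """Turn parse_fss() output into one actionable line per finding."""
    r = parse_fss(text)
    findings = [f"service {s} is not running" for s in r["not_running"]]
    for svc, (actual, default) in r["start_type"].items():
        findings.append(f"service {svc} start type is {actual}, default is {default}")
    findings += [f"service registry key missing: {k}" for k in r["missing_keys"]]
    for profile, value in r["firewall_policy"].items():
        if value == 0:
            findings.append(f"firewall disabled by policy in {profile}")
    findings += [f"file not matched to a known-good MD5, check manually: {p}"
                 for p in r["unverified_files"]]
    return findings


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_FSS)))
```

Run against a saved FSS.txt (read the file and pass its text to `triage`), the output is the same checklist Broni works through below: stopped services, the disabled firewall policy and the service keys that need to be restored.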

#4 Broni


Posted 26 January 2012 - 03:46 PM

I still need aswMBR log.


#5 drpaul88


Posted 26 January 2012 - 04:50 PM

my bad....

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-26 16:47:20
-----------------------------
16:47:20.765 OS Version: Windows 5.1.2600 Service Pack 3
16:47:20.765 Number of processors: 2 586 0x604
16:47:20.765 ComputerName: PAUL-C5D256C778 UserName: Paul
16:47:21.718 Initialize success
16:49:05.718 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
16:49:05.718 Disk 0 Vendor: WDC_WD25 10.0 Size: 238475MB BusType: 8
16:49:05.765 Disk 0 MBR read successfully
16:49:05.765 Disk 0 MBR scan
16:49:05.765 Disk 0 Windows XP default MBR code
16:49:05.796 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238464 MB offset 63
16:49:05.828 Disk 0 scanning sectors +488376000
16:49:05.875 Disk 0 scanning C:\WINDOWS\system32\drivers
16:49:14.156 Service scanning
16:49:15.671 Modules scanning
16:49:19.234 Module: C:\WINDOWS\System32\drivers\dxgthk.sys **SUSPICIOUS**
16:49:20.515 Module: C:\WINDOWS\system32\ntdll.dll **SUSPICIOUS**
16:49:20.515 Disk 0 trace - called modules:
16:49:20.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys iastor.sys hal.dll
16:49:20.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x865837c8]
16:49:20.546 3 CLASSPNP.SYS[f762efd7] -> nt!IofCallDriver -> [0x85bf4d08]
16:49:20.546 5 PCTCore.sys[f73146a9] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x85ff5028]
16:49:20.546 Scan finished successfully
16:49:53.859 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Paul\Desktop\MBR.dat"
16:49:53.859 The log file has been saved successfully to "C:\Documents and Settings\Paul\Desktop\aswMBR.txt"

#6 Broni


Posted 26 January 2012 - 05:07 PM

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files and folders, and un-check Hide protected operating system files.
NOTE. Make sure to reverse the above changes when done with this step.
Upload the following files to http://www.virustotal.com/ for security check:
- C:\WINDOWS\System32\drivers\dxgthk.sys
- C:\WINDOWS\system32\ntdll.dll
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.


#7 drpaul88


Posted 26 January 2012 - 05:24 PM

Hope I'm doing this correctly... here's the first one:

SHA256: c36486504c3a596fdca487143f6d3b43c0bee01321f6f1f3071976556533c419
SHA1: 6f9f663cdfbc2592eab4c43fee359effd37d60f2
MD5: a73f5d6705b1d820c19b18782e176efd
File size: 3.3 KB ( 3328 bytes )
File name: dxgthk.sys
File type: Win32 EXE
Detection ratio: 0 / 43
Analysis date: 2012-01-26 22:16:32 UTC ( 1 minute ago )


SHA256: 54df909101aaec63234a5c33b51d6689fef58b943942bffa9606864f43ec1085
SHA1: 66e2618e7aaf0b59e44aea5431893f3a765bb87b
MD5: f8f0d25ca553e39dde485d8fc7fcce89
File size: 701.5 KB ( 718336 bytes )
File name: ntdll.dll
File type: Win32 DLL
Detection ratio: 0 / 42
Analysis date: 2012-01-26 22:22:10 UTC ( 1 minute ago )

#8 Broni


Posted 26 January 2012 - 05:38 PM

That looks good.

Malware-wise all looks clean so far, but we have a number of other issues....

1. "hosts" file is missing.

Download the following "hosts" (zipped) file: http://www.bleepstatic.com/fhost/uploads/0/hosts_xp.zip
Unzip it.
Copy hosts file found inside.
Open Windows Explorer and paste hosts file to C:\WINDOWS\SYSTEM32\DRIVERS\ETC folder.

*******************************************************

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :dir
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


2. We have several registry keys missing....

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/windows-vista/create-a-restore-point-for-windows-vistas-system-restore/



Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-click Root and select Permissions...
Under the Security tab, while Everyone is selected, put a check mark in the box under Allow next to Full Control.
Click Apply and OK.

Download XP.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip downloaded file.
You'll find several files inside.
Double-click legacy_wuauserv.reg and confirm the prompt.
Double-click legacy_wscsvc.reg and confirm the prompt.
Double-click wuauserv.reg and confirm the prompt.
Double-click wscsvc.reg and confirm the prompt.

Please go back to the Root key again and, while Everyone is selected, remove the check mark in the box under Allow next to Full Control, then close the Registry Editor.

Restart computer.
See if you can access Security Center and Windows updates.
Post new FSS log.

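Before double-clicking a .reg file downloaded from a third-party site, it is worth reading what it will actually write. What follows is an added example, not code from this thread, from Farbar, or from the smartestcomputing.us.com download: a small Python review script that parses a regedit 5.00 export (string, dword and hex(2)/REG_EXPAND_SZ values, including regedit's backslash line continuation) and flags anything a wuauserv/wscsvc restore should not do: a key outside the Services and Enum\Root\LEGACY_* paths for those two services, a Start value other than Automatic, a Type other than the shared svchost type, an ImagePath that does not load through svchost.exe, or a ServiceDll that is not the expected system32 DLL. The expected values (Start=2, Type=0x20, ServiceDll under %SystemRoot%\system32) are assumed stock XP SP3 defaults, and both .reg inputs are constructed for the example; they are not the files from the download.

```python
"""Review a regedit 5.00 .reg file before importing it (added example; constructed input)."""
import re

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
ENUM_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root"

# Keys a wuauserv / wscsvc restore is allowed to touch; anything else is reported for review.
EXPECTED_PREFIXES = (
    SERVICES_ROOT + r"\wuauserv", SERVICES_ROOT + r"\wscsvc",
    ENUM_ROOT + r"\LEGACY_WUAUSERV", ENUM_ROOT + r"\LEGACY_WSCSVC",
)
# Assumed stock XP SP3 values: Start 2 = Automatic, Type 0x20 = shared svchost process.
EXPECTED_SERVICES = {
    "wuauserv": {"Start": 2, "Type": 0x20, "ServiceDll": r"%SystemRoot%\system32\wuauserv.dll"},
    "wscsvc":   {"Start": 2, "Type": 0x20, "ServiceDll": r"%SystemRoot%\system32\wscsvc.dll"},
}

def _under(key, prefix):
    """Case-insensitive 'key is prefix or lies below it'."""
    k, p = key.lower(), prefix.lower()
    return k == p or k.startswith(p + "\\")

def _expand_sz_hex(text):
    """Encode a string the way regedit exports REG_EXPAND_SZ: hex(2): UTF-16LE bytes plus a NUL."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (text + "\0").encode("utf-16-le"))

def parse_reg(text):
    """Return {key: {name: value}}. Decodes "str", dword: and hex(2): values and honours
    regedit's trailing-backslash line continuation; other value types are kept as raw text."""
    text = re.sub(r"\\\r?\n\s*", "", text)          # rejoin wrapped hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"(?P<name>[^"]+)"|@)=(?P<val>.*)$', line)
        if not m or current is None:
            raise ValueError(f"unparsed line: {line!r}")
        raw = m["val"]
        if raw.startswith("dword:"):
            value = int(raw[6:], 16)
        elif raw.startswith("hex(2):"):
            data = bytes(int(h, 16) for h in raw[7:].split(",") if h)
            value = data.decode("utf-16-le").rstrip("\0")
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = raw
        keys[current][m["name"] or "(Default)"] = value
    return keys

def review_reg(text):
    """Return findings for a .reg meant to restore wuauserv / wscsvc; [] means nothing unexpected."""
    findings = []
    for key, values in parse_reg(text).items():
        if not any(_under(key, p) for p in EXPECTED_PREFIXES):
            findings.append(f"unexpected key: {key}")
            continue
        if not _under(key, SERVICES_ROOT):
            continue                                   # LEGACY_* Enum keys: presence is enough
        parts = key[len(SERVICES_ROOT) + 1:].split("\\")
        svc, exp = parts[0].lower(), EXPECTED_SERVICES[parts[0].lower()]
        if len(parts) == 1:                            # the service key itself
            start = values.get("Start", exp["Start"])
            if start != exp["Start"]:
                findings.append(f"{svc}: Start={start!r} (expected {exp['Start']} = Automatic)")
            stype = values.get("Type", exp["Type"])
            if stype != exp["Type"]:
                findings.append(f"{svc}: Type={stype!r} (expected 0x20 = shared svchost)")
            image = values.get("ImagePath", "")
            if image and not image.lower().startswith(r"%systemroot%\system32\svchost.exe -k "):
                findings.append(f"{svc}: ImagePath does not load via svchost: {image!r}")
        elif len(parts) == 2 and parts[1].lower() == "parameters":
            dll = values.get("ServiceDll", "")
            if dll.lower() != exp["ServiceDll"].lower():
                findings.append(f"{svc}: ServiceDll={dll!r} (expected {exp['ServiceDll']!r})")
    return findings

def _sample(start_dword="00000002", extra=()):
    """Constructed .reg in regedit's export layout (not the files from the download)."""
    dll_hex = _expand_sz_hex(r"%SystemRoot%\system32\wuauserv.dll").split(",")
    dll_hex = ",".join(dll_hex[:8]) + ",\\\r\n  " + ",".join(dll_hex[8:])   # regedit-style wrap
    lines = [
        "Windows Registry Editor Version 5.00", "",
        r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]",
        '"Type"=dword:00000020', f'"Start"=dword:{start_dword}', '"ErrorControl"=dword:00000001',
        '"ImagePath"=' + _expand_sz_hex(r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
        '"DisplayName"="Automatic Updates"', '"ObjectName"="LocalSystem"', "",
        r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]",
        '"ServiceDll"=' + dll_hex, "",
        r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV]",
        '"NextInstance"=dword:00000001', "",
    ]
    return "\r\n".join(lines + list(extra))

GOOD_REG = _sample()
# Same file with Start changed to 4 (Disabled) and a hypothetical Run key appended.
TAMPERED_REG = _sample("00000004", [
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    '"Example"="C:\\\\path\\\\to\\\\something.exe"', "",
])

if __name__ == "__main__":
    print("good:", review_reg(GOOD_REG) or "no findings")
    print("tampered:", review_reg(TAMPERED_REG))
```

To review a real download, read the file with `open(path, encoding="utf-16")` (regedit exports are UTF-16 with a BOM) and pass the text to review_reg; an empty list means the file only sets the two services and their LEGACY_ keys, anything else is listed for you to decide on before importing.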


 


#9 drpaul88

Posted 27 January 2012 - 11:18 AM

I can see Security Center & updates. Copied are SystemLook & FSS. Programs still show empty as well.

SystemLook 30.07.11 by jpshortstuff
Log created at 10:56 on 27/01/2012 by Paul
Administrator - Elevation successful

========== dir ==========

C:\WINDOWS\SYSTEM32\DRIVERS\ETC - Parameters: "(none)"

---Files---
hosts --a---- 711 bytes [15:54 27/01/2012] [15:40 19/01/2012]
lmhosts.sam --a---- 3683 bytes [12:00 14/04/2008] [12:00 14/04/2008]
networks --a---- 407 bytes [12:00 14/04/2008] [12:00 14/04/2008]
protocol --a---- 799 bytes [12:00 14/04/2008] [12:00 14/04/2008]
services --a---- 7116 bytes [12:00 14/04/2008] [12:00 14/04/2008]

---Folders---
None found.

-= EOF =-



Farbar Service Scanner Version: 18-01-2012 01
Ran by Paul (administrator) on 27-01-2012 at 11:16:22
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2008-04-14 07:00] - [2008-10-16 09:43] - 0138496 ____A (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) pctgntdi(10) PSched(7) Tcpip(4)
0x0900000005000000010000000200000003000000040000000A000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****
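
The FSS log above is short enough to read by hand, but the three checks being applied to it (a service whose start type differs from its default, firewall policy values set to 0, and binaries FSS could not match against its known-good MD5 list) are easy to automate when many such logs come in. The following is an added example, not part of Farbar Service Scanner or of this thread: it parses an excerpt of the log posted above (trimmed to the relevant lines, used here as the constructed sample) and returns the findings as structured data. It matches only the line formats visible in the log; whatever wording FSS uses for a bad ImagePath or ServiceDll is not assumed, so such lines are passed through as raw text for review. An unmatched file is surfaced with its hash rather than called bad, since a binary updated by a hotfix will also not be in the tool's list.

```python
"""Triage a Farbar Service Scanner (FSS) log (added example; not part of FSS itself)."""
import json
import re

# Excerpt of the FSS log posted above (XP SP3), trimmed to the lines that matter here.
SAMPLE_FSS_LOG = r"""
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2008-04-14 07:00] - [2008-10-16 09:43] - 0138496 ____A (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
"""

# Line shapes as they appear in the posted log.
NOT_RUNNING = re.compile(r"^(?P<svc>\S+) Service is not running\.")
START_TYPE = re.compile(r"^The start type of (?P<svc>\S+) service is set to (?P<set>\w+)\. "
                        r"The default start type is (?P<default>\w+)\.")
BINARY_REF = re.compile(r"^The (?P<what>ImagePath|ServiceDll) of (?P<svc>\S+) service (?P<rest>.*)$")
POLICY_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\FirewallPolicy\\(?P<profile>\w+)\]$")
POLICY_VAL = re.compile(r'^"EnableFirewall"=DWORD:(?P<val>\d+)$')
LEGIT_FILE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit$")
FILE_PATH = re.compile(r"^(?P<path>[A-Za-z]:\\.+)$")
FILE_DETAIL = re.compile(r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) \S+ "
                         r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")

def triage_fss(log):
    """Return {'services': [...], 'firewall_policy': [...], 'unverified_files': [...]}."""
    findings = {"services": [], "firewall_policy": [], "unverified_files": []}
    current_profile = None   # FirewallPolicy profile the next EnableFirewall line belongs to
    pending_path = None      # file path whose details FSS prints on the following line
    for line in log.splitlines():
        line = line.rstrip()
        if pending_path is not None:
            m = FILE_DETAIL.match(line)
            findings["unverified_files"].append({
                "path": pending_path,
                "size": int(m["size"]) if m else None,
                "company": m["company"] if m else None,
                "md5": m["md5"].upper() if m else None,
            })
            pending_path = None
            if m:
                continue
        if not line:
            continue
        if (m := NOT_RUNNING.match(line)):
            findings["services"].append(f"{m['svc']}: not running")
        elif (m := START_TYPE.match(line)):
            if m["set"].lower() != m["default"].lower():
                findings["services"].append(f"{m['svc']}: start type {m['set']} (default {m['default']})")
        elif (m := BINARY_REF.match(line)):
            if m["rest"] != "is OK.":
                findings["services"].append(f"{m['svc']}: {m['what']} {m['rest']}")
        elif (m := POLICY_KEY.match(line)):
            current_profile = m["profile"]
        elif (m := POLICY_VAL.match(line)):
            if m["val"] == "0" and current_profile:
                findings["firewall_policy"].append(f"{current_profile}: EnableFirewall=0")
        elif LEGIT_FILE.match(line):
            pass                                  # FSS matched the MD5 against its known-good list
        elif (m := FILE_PATH.match(line)):
            pending_path = m["path"]              # no "MD5 is legit": details follow on the next line
    return findings

if __name__ == "__main__":
    print(json.dumps(triage_fss(SAMPLE_FSS_LOG), indent=2))
```

On the posted log this reports the firewall service both stopped and set to Disabled, the two profile policies that turn the firewall off, and afd.sys with its size, company string and MD5 so the hash can be looked up before deciding whether it needs replacing.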

#10 Broni

Posted 27 January 2012 - 03:51 PM

Looks good.

Did you run UnHide?

#11 drpaul88

Posted 27 January 2012 - 03:55 PM

I did in the beginning. Should I do it again?

#12 Broni

Posted 27 January 2012 - 04:16 PM

In that case, you'll have to restore missing items manually.
See my guide HERE

Then....

Download Temp File Cleaner (TFC)
Double-click on TFC.exe to run the program.
Click on the Start button to begin the cleaning process.
TFC will close all running programs, and it may ask you to restart the computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE: If ESET doesn't find any threats, it'll NOT produce any log.

#13 drpaul88

Posted 30 January 2012 - 01:14 PM

Within the smtmp folder there is one with a 2 next to it. The System Check shortcut is the only thing inside.

Under Start, All Programs, if I right-click on, let's say, Microsoft Office, I do not see a target area. There are 3 tabs (General, Sharing & Customize).

I noticed my Local Settings file is "hidden"; not sure if it's supposed to be.

Here is the ESET scan. Odd how it got stuff & others are clean!!

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\11\4b7b6dcb-74f4e9c0 Java/Exploit.CVE-2011-3544.AD trojan
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FL7WMW28\uliliwyn_info[1].txt HTML/Iframe.B.Gen virus
C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\31\49294f1f-4e4f4ac3 multiple threats
C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\57\7e8a139-62c7d480 Java/Agent.DD trojan
C:\Documents and Settings\Paul\My Documents\Downloads\ImageViewerSetup.exe a variant of Win32/SweetIM.B application

Thanks

#14 drpaul88

Posted 30 January 2012 - 01:15 PM

ESET is also asking if I want to remove the ESET files from the computer??

#15 Broni

Posted 30 January 2012 - 01:34 PM

You changed the ESET settings. All those threats should have been removed.
Re-run it.

if I right click on let's say microsoft office, I do not see a target area. There are 3 tabs (general, sharing & customize).

Some programs will have to be reinstalled to recreate those shortcuts.
