Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Infections; Need some help..


  • Please log in to reply
14 replies to this topic

#1 balon

balon

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Haven, CT
  • Local time:09:07 PM

Posted 19 February 2012 - 01:33 PM

Hello there BC Community,

I seem to be having some issues here today with my parents Laptop, I suspect a rootkit infection but I do not have enough knowledge to run ComboFix or gMER.
Which of course; is why I am turning to bleepingcomputer!

The other night, my parent received a 'cold call' from a fake Microsoft Employee, my parent gave the phone to me, and I knew at once it was fake.. But this is sort of making me think there is an infection because how else could they have received the number?

For the past 5-ish days there has been many BSOD's, they are all located in C:/Windows for mini-dump files. Today the computer just randomly froze while browsing the internet and on e-mail.

I honestly think it is a rootkit or the computer is starting to die because after-all it is a laptop, and I'm sure the RAM inside it will break one day.

Running:
Windows Vista x64
Avast! Antivirus 6.0.1
Spy-Bot Search and Destroy

 
I have preformed TDSSKiller, Yet it found nothing. Just adding that as information...

Thanks in Advance for any assistance in this matter!
-balon

BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:07 PM

Posted 19 February 2012 - 02:49 PM

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 balon

balon
  • Topic Starter

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Haven, CT
  • Local time:09:07 PM

Posted 19 February 2012 - 02:59 PM

Results of screen317's Security Check version 0.99.31
Windows Vista x64 (UAC is enabled)
Out of date service pack!!
Internet Explorer 7 Out of date!
I do not use Internet Explorer; It is never opened up on the computer.
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
Java™ 6 Update 31
Adobe Flash Player 11.1.102.55
Mozilla Firefox (9.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Spybot Teatimer.exe is disabled!
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
``````````End of Log````````````


Getting next log...

#4 balon

balon
  • Topic Starter

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Haven, CT
  • Local time:09:07 PM

Posted 19 February 2012 - 03:01 PM

Farbar Service Scanner Version: 14-02-2012
Ran by balon (administrator) on 19-02-2012 at 15:00:27
Running from "E:\"
Microsoft® Windows Vista™ Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\Windows\System32\nsisvc.dll
[2008-01-20 21:49] - [2008-01-20 21:49] - 0024576 ____A (Microsoft Corporation) ACB62BAA1C319B17752553DF3026EEEB

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2008-01-20 21:50] - [2008-01-20 21:50] - 0268288 ____A (Microsoft Corporation) FDAA0EDFCFB70CD529589AD654651B40

C:\Windows\System32\drivers\afd.sys
[2011-09-19 17:27] - [2011-04-21 08:42] - 0407552 ____A (Microsoft Corporation) 9BB97042FA331A0FB4BDD98B9280A50A

C:\Windows\System32\drivers\tdx.sys
[2008-01-20 21:49] - [2008-01-20 21:49] - 0094208 ____A (Microsoft Corporation) 8C39C72E0E853DE04748C0337D9B9216

C:\Windows\System32\Drivers\tcpip.sys
[2011-09-19 17:29] - [2010-06-16 11:40] - 1420176 ____A (Microsoft Corporation) 7D86275FB640011B372FD566C0EAFA8D

C:\Windows\System32\dnsrslvr.dll
[2011-09-19 17:24] - [2011-03-02 10:10] - 0117760 ____A (Microsoft Corporation) DAF05293C1264E251D3A25E7E24B2DDF

C:\Windows\System32\mpssvc.dll
[2008-01-20 21:49] - [2008-01-20 21:49] - 0601088 ____A (Microsoft Corporation) 8A670648C755867A3AA38DA50BA569AA

C:\Windows\System32\bfe.dll
[2008-01-20 21:50] - [2008-01-20 21:50] - 0458240 ____A (Microsoft Corporation) BC4737AAFFA5964E4F8827C9B8C0EB8E

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2008-01-20 21:47] - [2008-01-20 21:47] - 0128000 ____A (Microsoft Corporation) 4FF71B076A7760FE75EA5AE2D0EE0018

C:\Windows\System32\vssvc.exe
[2008-01-20 21:50] - [2008-01-20 21:50] - 1432576 ____A (Microsoft Corporation) 186BD53F8A408AD20F5A056C05678629

C:\Windows\System32\wscsvc.dll
[2008-01-20 21:47] - [2008-01-20 21:47] - 0074752 ____A (Microsoft Corporation) CB8EA6D95949384925CCFCA21CC6DFD8

C:\Windows\System32\wbem\WMIsvc.dll
[2008-01-20 21:50] - [2008-01-20 21:50] - 0221696 ____A (Microsoft Corporation) AC98F38FEAB066A8F983D54FF3F4FD4C

C:\Windows\System32\wuaueng.dll
[2011-09-18 19:07] - [2009-08-06 21:24] - 2424024 ____A (Microsoft Corporation) FB3796754FE00F0BDC87A36F164A5F4D

C:\Windows\System32\qmgr.dll
[2008-01-20 21:50] - [2008-01-20 21:50] - 1082368 ____A (Microsoft Corporation) D896A0D43F8AB81ECB1FC6C24DECFD58

C:\Windows\System32\es.dll
[2011-09-19 17:27] - [2008-04-17 23:42] - 0361984 ____A (Microsoft Corporation) 6B1A97BF9FEFBDC83F3C7C7D0F826C66

C:\Windows\System32\cryptsvc.dll
[2008-01-20 21:49] - [2008-01-20 21:49] - 0165376 ____A (Microsoft Corporation) 4374F784121D8B3BB466B03F5E5EBD33

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2011-09-19 17:26] - [2009-03-02 23:57] - 0718336 ____A (Microsoft Corporation) 52CDADE8289FF21F1F2215FF51A5F36C



**** End of log ****

Going to next step...

#5 balon

balon
  • Topic Starter

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Haven, CT
  • Local time:09:07 PM

Posted 19 February 2012 - 03:05 PM

MiniToolBox by Farbar Version: 18-01-2012
Ran by balon (administrator) on 19-02-2012 at 15:03:06
Microsoft® Windows Vista™ Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 0
========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

Dell Wireless 1510 Wireless-N WLAN Mini-Card = Wireless Network Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : balon-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ri.cox.net
System Quarantine State . . . . . : Not Restricted


Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : ri.cox.net
Description . . . . . . . . . . . : Dell Wireless 1510 Wireless-N WLAN Mini-Card
Physical Address. . . . . . . . . : 00-23-4D-D9-95-7E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::4c6b:b577:7c85:7efa%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.102(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, February 19, 2012 1:41:56 PM
Lease Expires . . . . . . . . . . : Sunday, February 26, 2012 1:41:55 PM
Default Gateway . . . . . . . . . : fe80::16d6:4dff:fe26:92bc%10
192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.ri.cox.net
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 192.168.0.1

Name: google.com
Addresses: 74.125.224.199
74.125.224.200
74.125.224.201
74.125.224.202
74.125.224.203
74.125.224.204
74.125.224.205
74.125.224.206
74.125.224.207
74.125.224.192
74.125.224.193
74.125.224.194
74.125.224.195
74.125.224.196
74.125.224.197
74.125.224.198



Pinging google.com [74.125.224.225] with 32 bytes of data:

Reply from 74.125.224.225: bytes=32 time=102ms TTL=49

Reply from 74.125.224.225: bytes=32 time=117ms TTL=49



Ping statistics for 74.125.224.225:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 102ms, Maximum = 117ms, Average = 109ms

Server: UnKnown
Address: 192.168.0.1

Name: yahoo.com
Addresses: 209.191.122.70
98.139.127.62
98.139.183.24



Pinging yahoo.com [98.139.183.24] with 32 bytes of data:

Reply from 98.139.183.24: bytes=32 time=113ms TTL=51

Reply from 98.139.183.24: bytes=32 time=44ms TTL=51



Ping statistics for 98.139.183.24:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 44ms, Maximum = 113ms, Average = 78ms

Server: UnKnown
Address: 192.168.0.1

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Request timed out.

Request timed out.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
10 ...00 23 4d d9 95 7e ...... Dell Wireless 1510 Wireless-N WLAN Mini-Card
1 ........................... Software Loopback Interface 1
12 ...00 00 00 00 00 00 00 e0 isatap.ri.cox.net
11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.102 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.102 281
192.168.0.102 255.255.255.255 On-link 192.168.0.102 281
192.168.0.255 255.255.255.255 On-link 192.168.0.102 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.102 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.102 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
10 281 ::/0 fe80::16d6:4dff:fe26:92bc
1 306 ::1/128 On-link
10 281 fe80::/64 On-link
10 281 fe80::4c6b:b577:7c85:7efa/128
On-link
1 306 ff00::/8 On-link
10 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [19968] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [61440] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [62976] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [78848] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [78848] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [27648] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (02/19/2012 02:55:54 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
Invalid Xml syntax.

Error: (02/19/2012 01:42:09 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/19/2012 01:05:10 PM) (Source: System Restore) (User: )
Description: Failed to create restore point on volume (Process = C:\Windows\system32\svchost.exe -k netsvcs; Descripton = Windows Update; Hr = 0x8004230c).

Error: (02/19/2012 01:00:09 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/18/2012 05:30:22 PM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe_EventSystem, version 6.0.6001.18000, time stamp 0x47919291, faulting module netprofm.dll, version 6.0.6001.18000, time stamp 0x4791ad84, exception code 0xc0000005, fault offset 0x0000000000013820,
process id 0x428, application start time 0xsvchost.exe_EventSystem0.

Error: (02/18/2012 05:29:53 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/18/2012 02:10:43 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error CreateService(swprv,Microsoft Software Shadow Copy Provider,SERVICE_CHANGE_CONFIG,SERVICE_WIN32_OWN_PROCESS,SERVICE_ERROR_NORMAL,%SystemRoot%\System32\svchost.exe -k swprv,RPCSS). hr = 0x80070430.

Error: (02/18/2012 02:10:31 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {038f7c1c-3ed3-409d-bdc1-f14d0afce76f}

Error: (02/18/2012 02:00:11 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {038f7c1c-3ed3-409d-bdc1-f14d0afce76f}

Error: (02/18/2012 01:22:55 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (02/19/2012 02:54:02 PM) (Source: DCOM) (User: LOCAL SERVICE)
Description: machine-defaultLocalActivation{A47979D2-C419-11D9-A5B4-001185AD2B89}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)

Error: (02/19/2012 02:53:33 PM) (Source: DCOM) (User: LOCAL SERVICE)
Description: machine-defaultLocalActivation{A47979D2-C419-11D9-A5B4-001185AD2B89}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)

Error: (02/19/2012 02:52:33 PM) (Source: DCOM) (User: LOCAL SERVICE)
Description: machine-defaultLocalActivation{A47979D2-C419-11D9-A5B4-001185AD2B89}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)

Error: (02/19/2012 02:52:13 PM) (Source: DCOM) (User: LOCAL SERVICE)
Description: machine-defaultLocalActivation{A47979D2-C419-11D9-A5B4-001185AD2B89}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)

Error: (02/19/2012 02:51:05 PM) (Source: DCOM) (User: LOCAL SERVICE)
Description: machine-defaultLocalActivation{A47979D2-C419-11D9-A5B4-001185AD2B89}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)

Error: (02/19/2012 02:51:04 PM) (Source: DCOM) (User: LOCAL SERVICE)
Description: machine-defaultLocalActivation{A47979D2-C419-11D9-A5B4-001185AD2B89}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)

Error: (02/19/2012 02:49:32 PM) (Source: DCOM) (User: LOCAL SERVICE)
Description: machine-defaultLocalActivation{A47979D2-C419-11D9-A5B4-001185AD2B89}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)

Error: (02/19/2012 02:49:27 PM) (Source: DCOM) (User: LOCAL SERVICE)
Description: machine-defaultLocalActivation{A47979D2-C419-11D9-A5B4-001185AD2B89}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)

Error: (02/19/2012 02:46:57 PM) (Source: DCOM) (User: LOCAL SERVICE)
Description: machine-defaultLocalActivation{A47979D2-C419-11D9-A5B4-001185AD2B89}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)

Error: (02/19/2012 02:46:54 PM) (Source: DCOM) (User: LOCAL SERVICE)
Description: machine-defaultLocalActivation{A47979D2-C419-11D9-A5B4-001185AD2B89}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Adobe Flash Player 11 ActiveX 64-bit (Version: 11.1.102.55)
ATI Catalyst Install Manager (Version: 3.0.682.0)
Dell Wireless WLAN Card Utility (Version: 4.170.77.13)
Integrated Webcam Driver (1.02.02.0603)
Intel® Graphics Media Accelerator Driver
Java™ 6 Update 31 (64-bit) (Version: 6.0.310)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.50727.42)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
TeamSpeak 3 Client
Ventrilo Client for Windows x64 (Version: 3.0.8.0)
WinRAR 4.10 beta 2 (64-bit) (Version: 4.10.2)

========================= Memory info: ===================================

Percentage of memory in use: 38%
Total physical RAM: 4053.98 MB
Available physical RAM: 2510.75 MB
Total Pagefile: 8283.27 MB
Available Pagefile: 6672.61 MB
Total Virtual: 4095.88 MB
Available Virtual: 3999.12 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:294.13 GB) (Free:209.48 GB) NTFS
3 Drive e: (CPT BALON) (Removable) (Total:0.95 GB) (Free:0.88 GB) FAT

========================= Users: ========================================

User accounts for \\BALON-PC

Administrator balon Guest


**** End of log ****

Going to the next..

#6 balon

balon
  • Topic Starter

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Haven, CT
  • Local time:09:07 PM

Posted 19 February 2012 - 03:12 PM

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.19.04

Windows Vista Service Pack 1 x64 NTFS
Internet Explorer 7.0.6001.18000
balon :: BALON-PC [administrator]

Protection: Enabled

2/19/2012 3:07:07 PM
mbam-log-2012-02-19 (15-07-07).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 178396
Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#7 balon

balon
  • Topic Starter

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Haven, CT
  • Local time:09:07 PM

Posted 19 February 2012 - 03:27 PM

aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-19 15:14:15
-----------------------------
15:14:15.428 OS Version: Windows x64 6.0.6001 Service Pack 1
15:14:15.428 Number of processors: 2 586 0x170A
15:14:15.428 ComputerName: BALON-PC UserName: balon
15:14:19.254 Initialize success
15:14:20.487 AVAST engine defs: 12021900
15:14:50.869 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:14:50.872 Disk 0 Vendor: WDC_WD3200BEVT-75ZCT2 11.01A11 Size: 305245MB BusType: 3
15:14:50.897 Disk 0 MBR read successfully
15:14:50.901 Disk 0 MBR scan
15:14:50.906 Disk 0 Windows VISTA default MBR code
15:14:50.922 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 301189 MB offset 2048
15:14:50.928 Disk 0 Partition - 00 05 Extended 4054 MB offset 616839166
15:14:50.962 Disk 0 Partition 2 00 82 Linux swap 4054 MB offset 616839168
15:14:50.968 Service scanning
15:15:27.510 Modules scanning
15:15:27.522 Disk 0 trace - called modules:
15:15:27.579 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
15:15:27.585 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005b64790]
15:15:27.594 3 CLASSPNP.SYS[fffffa6000fd1b3a] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004bbd830]
15:15:30.244 AVAST engine scan C:\Windows
15:15:34.323 AVAST engine scan C:\Windows\system32
15:18:57.399 AVAST engine scan C:\Windows\system32\drivers
15:19:07.022 AVAST engine scan C:\Users\balon
15:24:01.540 AVAST engine scan C:\ProgramData
15:24:40.197 Scan finished successfully
15:25:57.957 Disk 0 MBR has been saved successfully to "C:\Users\balon\Desktop\MBR.dat"
15:25:57.965 The log file has been saved successfully to "C:\Users\balon\Desktop\aswMBR.txt"

That's all of what was requested.

#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:07 PM

Posted 19 February 2012 - 03:44 PM

All looks clean so far.

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE. If Eset doesn't find any threats it'll NOT produce any log.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#9 balon

balon
  • Topic Starter

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Haven, CT
  • Local time:09:07 PM

Posted 19 February 2012 - 03:50 PM

Thank you sir, going to work on those right now.

#10 balon

balon
  • Topic Starter

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Haven, CT
  • Local time:09:07 PM

Posted 19 February 2012 - 06:07 PM

C:\Users\balon\Downloads\Grand Theft Auto San Andreas -- Balon.rar probably a variant of Win32/Agent.LPHFBGW trojan


That is not a virus :P

Any clue What the BOSDS and freezes are from?

#11 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:07 PM

Posted 19 February 2012 - 06:22 PM

Is it still happening?

Meanwhile make sure all Windows updates are current, including Service Pack 2 installation.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#12 balon

balon
  • Topic Starter

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Haven, CT
  • Local time:09:07 PM

Posted 19 February 2012 - 07:40 PM

Is it still happening?

Meanwhile make sure all Windows updates are current, including Service Pack 2 installation.


Everything seems clear... Ill PM you if something else turns up?

Other then that Thanks Broni, appreciate it.

#13 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:07 PM

Posted 19 February 2012 - 10:53 PM

Your computer is clean Posted Image

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll remove all old restore points and create fresh, clean restore point.

Turn system restore off.
Restart computer.
Turn system restore back on.

If you don't know how to do it...
Windows XP: http://support.microsoft.com/kb/310405
Vista and Windows 7: http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

2. Make sure, Windows Updates are current.

3. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

4. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

5. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

6. Run Temporary File Cleaner (TFC) weekly.

7. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

8. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

9. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

10. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

11. Except for MBAM and TFC, which are keepers you can simply delete all other tools we used as they don't install.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#14 balon

balon
  • Topic Starter

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Haven, CT
  • Local time:09:07 PM

Posted 22 February 2012 - 01:02 PM

No luck on this anymore, the computer BSODS every day lol xD

Just convinced my parent to get a new laptop; I strongly suspect a rootkit or dieing hardware

Thanks for the help thou!

#15 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:07 PM

Posted 22 February 2012 - 01:16 PM

You're welcome :)

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users