Security Shield 2011 on XP-Home

3 replies to this topic

#1 MisterrFixIt

MisterrFixIt

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Location:Chicago
  • Local time:07:36 AM

Posted 19 February 2012 - 09:54 PM

PC is an older P4 running XP-Home SP3. AVG and Malwarebytes are up to date.
User opened an email and ever since has "Security Shield 2011" complaining about pseudo infections.
Only option is to run Safe Mode so that's where all of the logs were produced.
Malwarebytes full scan produced no problems.
Ran Security Check, Mini-Toolbox, ASWMBR, BootkitRemover and ListParts.........

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
AVG Free 9.0
```````````````````````````````
Anti-malware/Other Utilities Check:

CCleaner
Java™ 6 Update 17
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Development Kit 6 Update 17
Java 2 Runtime Environment, SE v1.4.2_03
Java DB 10.4.2.1
Out of date Java installed!
Adobe Flash Player 11.1.102.55
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgemc.exe
``````````End of Log````````````

-------------------------------------------------------------------------------------------------
MiniToolBox by Farbar Version: 18-01-2012
Ran by Owner (administrator) on 19-02-2012 at 19:33:28
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Nerwork
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Realtek RTL8139/810x Family Fast Ethernet NIC = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : TBOX-SR

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : hsd1.il.comcast.net.



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : hsd1.il.comcast.net.

Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC

Physical Address. . . . . . . . . : 00-0C-76-C4-F3-D9

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.2.176

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.2.1

DHCP Server . . . . . . . . . . . : 192.168.2.1

DNS Servers . . . . . . . . . . . : 192.168.2.1

Lease Obtained. . . . . . . . . . : Sunday, February 19, 2012 7:00:00 PM

Lease Expires . . . . . . . . . . : Monday, February 20, 2012 7:00:00 PM

Server: UnKnown
Address: 192.168.2.1

Name: google.com
Addresses: 74.125.225.71, 74.125.225.74, 74.125.225.77, 74.125.225.73
74.125.225.67, 74.125.225.64, 74.125.225.66, 74.125.225.70, 74.125.225.68
74.125.225.72, 74.125.225.76, 74.125.225.78, 74.125.225.69, 74.125.225.79
74.125.225.75, 74.125.225.65



Pinging google.com [74.125.225.101] with 32 bytes of data:



Reply from 74.125.225.101: bytes=32 time=11ms TTL=55

Reply from 74.125.225.101: bytes=32 time=11ms TTL=55



Ping statistics for 74.125.225.101:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 11ms, Maximum = 11ms, Average = 11ms

Server: UnKnown
Address: 192.168.2.1

Name: yahoo.com
Addresses: 98.139.183.24, 209.191.122.70, 98.139.127.62



Pinging yahoo.com [98.139.127.62] with 32 bytes of data:



Reply from 98.139.127.62: bytes=32 time=74ms TTL=51

Reply from 98.139.127.62: bytes=32 time=74ms TTL=51



Ping statistics for 98.139.127.62:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 74ms, Maximum = 74ms, Average = 74ms

Server: UnKnown
Address: 192.168.2.1

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:



Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 76 c4 f3 d9 ...... Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.176 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.2.0 255.255.255.0 192.168.2.176 192.168.2.176 20
192.168.2.176 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.2.255 255.255.255.255 192.168.2.176 192.168.2.176 20
224.0.0.0 240.0.0.0 192.168.2.176 192.168.2.176 20
255.255.255.255 255.255.255.255 192.168.2.176 192.168.2.176 1
Default Gateway: 192.168.2.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (02/19/2012 06:27:52 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (02/19/2012 06:27:48 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (02/19/2012 06:27:48 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (02/19/2012 06:27:47 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (02/19/2012 06:27:23 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (02/19/2012 06:27:01 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (02/19/2012 06:27:01 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (02/19/2012 06:27:00 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Error: (02/19/2012 06:24:34 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (02/19/2012 06:24:29 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.


System errors:
=============
Error: (02/19/2012 07:31:14 PM) (Source: DCOM) (User: Owner)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (02/19/2012 07:04:51 PM) (Source: DCOM) (User: Owner)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (02/19/2012 07:01:21 PM) (Source: DCOM) (User: Owner)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (02/19/2012 07:01:08 PM) (Source: DCOM) (User: Owner)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (02/19/2012 06:59:59 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.71 for the Network Card with network address 000C76C4F3D9 has been
denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).

Error: (02/19/2012 06:56:34 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AvgLdx86
AvgMfx86
Fips
intelppm
Lbd

Error: (02/19/2012 06:56:34 PM) (Source: Service Control Manager) (User: )
Description: The WPS Wi-Fi Scanner Service service depends on the following nonexistent service: wpsnuio

Error: (02/19/2012 06:56:04 PM) (Source: DCOM) (User: Owner)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (02/19/2012 06:55:37 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (02/19/2012 06:41:39 PM) (Source: DCOM) (User: Owner)
Description: The server {641B9FB0-C2B1-41BD-8563-5F484E3BE84A} did not register with DCOM within the required timeout.


Microsoft Office Sessions:
=========================
Error: (05/18/2010 07:36:51 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 37784 seconds with 660 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

Acrobat.com (Version: 0.0.0)
Acrobat.com (Version: 1.6.65)
Adobe AIR (Version: 2.5.1.17730)
Adobe Flash Player 10 ActiveX (Version: 10.3.181.26)
Adobe Flash Player 11 Plugin (Version: 11.1.102.55)
Adobe Photoshop Album Starter Edition (Version: 1.0)
Adobe Reader 9.5.0 (Version: 9.5.0)
Adobe Shockwave Player 11.5 (Version: 11.5)
AiO_Scan (Version: 5.31.1.27)
AIOMinimal (Version: 5.31.1.27)
AiOSoftware (Version: 5.31.1.27)
AnswerWorks 4.0 Runtime - English (Version: 4.0.101)
Apple Application Support (Version: 2.1.6)
Apple Mobile Device Support (Version: 4.0.0.97)
Apple Software Update (Version: 2.1.3.127)
ArcSoft Print Creations - Album Page
ArcSoft Print Creations - Greeting Card
ArcSoft Print Creations - Photo Book
ArcSoft Print Creations - Scrapbook
ArcSoft Print Creations - Slimline Card
ArcSoft Print Creations (Version: 2.6.255.207)
AVG Free 9.0
Bird_07 Screensaver
Bonjour (Version: 3.0.0.10)
Bounce Symphony from Compaq (remove only)
BufferChm (Version: 60.0.155.000)
Camera Driver
CameraDrivers (Version: 3.1.0)
CameraDrivers (Version: 6.0.0.204)
CameraUserGuides (Version: 6.0.0.204)
CCleaner (Version: 3.15)
CCScore (Version: 8.02.0000.0001)
Compaq Connections
Compaq Instant Support
Compaq Organize
Copy (Version: 5.35.0.065)
Coupon Printer for Windows (Version: 5.0.0.0)
CreativeProjects (Version: 5.35.0.059)
Critical Update for Windows Media Player 11 (KB959772)
Destinations (Version: 60.0.155.000)
DeviceManagementQFolder (Version: 1.00.0000)
DocProc (Version: 3.5.0.0)
Download Updater (AOL LLC)
Enhanced Multimedia Keyboard Solution
ESSBrwr (Version: 8.02.0000.0001)
ESSCDBK (Version: 8.02.0000.0001)
ESScore (Version: 8.02.0000.0001)
ESSgui (Version: 8.02.0000.0001)
ESSini (Version: 8.02.0000.0001)
ESSPCD (Version: 8.02.0000.0001)
ESSPDock (Version: 6.03.0001.0004)
ESSTOOLS (Version: 5.00.0000.0004)
essvatgt (Version: 8.00.0000.0001)
eSupportQFolder (Version: 1.00.0000)
Excavation from Compaq (remove only)
Fax (Version: 5.31.1.27)
Five Card Frenzy from Compaq (remove only)
Google Chrome (Version: 17.0.963.56)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.2.2427.2330)
Google Update Helper (Version: 1.3.21.99)
GoToMeeting 5.0.0.799 (Version: 5.0.0.799)
HighMAT Extension to Microsoft Windows XP CD Writing Wizard (Version: 1.1.1905.1)
HP Deskjet Preloaded Printer Drivers (Version: 8.3.3.0)
HP Image Zone 3.5 (Version: 3.5)
HP Imaging Device Functions 6.0 (Version: 6.0)
hp officejet v series
HP Photo & Imaging 3.5 - HP Devices (Version: 3.0)
HP Photosmart Cameras 6.0 (Version: 6.0)
HP Photosmart Essential (Version: 1.8.0.26)
HP Product Assistant (Version: 100.000.001.000)
HP PSC & OfficeJet 3.0 (Version: 3.0)
HP Smart Web Printing 4.60 (Version: 4.60)
HP Solution Center and Imaging Support Tools 6.0 (Version: 6.0)
HP Update (Version: 5.003.001.001)
hpg2436 (Version: 3.5.0.0)
hpg3970 (Version: 3.5.0.0)
hpg4600 (Version: 3.5.0.0)
hpg5530 (Version: 3.5.0.0)
hpg8200 (Version: 3.5.0.0)
hpiCamDrvQFolder (Version: 6.0.0)
hpmdtab (Version: 2.0.470.1598)
HPProductAssistant (Version: 60.0.155.000)
HpSdpAppCoreApp (Version: 2.00.0000)
HPSystemDiagnostics (Version: 1.5.0.0)
Hrt10 Screen Saver
InstantShare (Version: 3.5.0.21)
InstantShareAlert (Version: 1.00.0000)
Intel® Extreme Graphics Driver
IntelliMover Data Transfer Demo
iTunes (Version: 10.5.3.3)
Java 2 Runtime Environment, SE v1.4.2_03 (Version: 1.4.2_03)
Java DB 10.4.2.1 (Version: 10.4.2.1)
Java™ 6 Update 17 (Version: 6.0.170)
Java™ 6 Update 5 (Version: 1.6.0.50)
Java™ 6 Update 7 (Version: 1.6.0.70)
Java™ SE Development Kit 6 Update 17 (Version: 1.6.0.170)
Kodak EasyShare software
Logitech QuickCam (Version: 11.80.1065)
Logitech QuickCam Driver Package
Logitech Updater (Version: 1.70)
Malwarebytes Anti-Malware version 1.60.1.1000 (Version: 1.60.1.1000)
Memories Disc Creator 2.0 (Version: 2.0.481.1611)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Basic 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Plus! Digital Media Edition (Version: 1.1.0.2423)
Microsoft Software Update for Web Folders (English) 12 (Version: 12.0.6425.1000)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries (Version: 1.0.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works 7.0 (Version: 07.02.0808)
MobileMe Control Panel (Version: 3.1.8.0)
Mozilla Firefox 10.0.2 (x86 en-US) (Version: 10.0.2)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
netbrdg (Version: 7.01.0000.0001)
NVIDIA GART Driver
OfotoXMI (Version: 8.02.1000.0001)
Orbital from Compaq (remove only)
Otto from Compaq (remove only)
PC-Doctor for Windows
PhotoGallery (Version: 5.35.0.059)
Photosmart 140,240,7200,7600,7700,7900 Series (Version: 2.0)
Polar Bowler from Compaq (remove only)
PrintScreen (Version: 5.35.0.035)
PS2
PSShortcutsP (Version: 1.00.0000)
Python 2.2 combined Win32 extensions
Python 2.2.1 (Version: 2.2.1)
QuickProjects (Version: 5.35.0.047)
QuickTime (Version: 7.71.80.42)
Readme (Version: 5.31.1.27)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealPlayer
RealUpgrade 1.1 (Version: 1.1.0)
RecordNow! (Version: 6.5.1)
Safari (Version: 5.34.52.7)
Scan (Version: 3.5.0.0)
SFR (Version: 8.01.0000.0001)
SHASTA (Version: 7.01.0000.0001)
skin0001 (Version: 8.02.0000.0001)
SkinsHP1 (Version: 5.35.0.043)
SkinsHP2 (Version: 5.35.0.043)
SKINXSDK (Version: 8.02.0000.0001)
Skype Click to Call (Version: 5.8.8855)
Skype™ 5.5 (Version: 5.5.124)
Slyder from Compaq (remove only)
SmartWebPrinting (Version: 140.0.186.000)
SolAce EMC Client at spiclaims01.eicbo.info
SolutionCenter (Version: 60.0.155.000)
Sonic Update Manager (Version: 2.9)
Spelling Dictionaries Support For Adobe Reader 9 (Version: 9.0.0)
staticcr (Version: 8.02.0000.0001)
Status (Version: 60.0.155.000)
STICKIDS
TrayApp (Version: 60.0.155.000)
Turbo Tax Audit Support Center 3.0
Unload (Version: 6.1.0)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2597998) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Windows Internet Explorer 8 (KB968220) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB976749) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729) (Version: 9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (Version: 9.0.30729.01)
VPRINTOL (Version: 8.02.0000.0001)
WebEx
WebFldrs XP (Version: 9.50.6513)
WebReg (Version: 60.0.155.000)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows XP Service Pack 3 (Version: 20080414.031525)
WIRELESS (Version: 8.02.0000.0001)
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Login
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar

========================= Memory info: ===================================

Percentage of memory in use: 25%
Total physical RAM: 759.48 MB
Available physical RAM: 565.4 MB
Total Pagefile: 3717.8 MB
Available Pagefile: 3628.48 MB
Total Virtual: 2047.88 MB
Available Virtual: 1973.07 MB

========================= Partitions: =====================================

2 Drive c: (PRESARIO) (Fixed) (Total:33.11 GB) (Free:5.15 GB) NTFS
3 Drive d: (PRESARIO_RP) (Fixed) (Total:4.14 GB) (Free:0.62 GB) FAT32
4 Drive e: () (Removable) (Total:0.24 GB) (Free:0.12 GB) FAT
6 Drive g: (FLASHBLU) (Removable) (Total:3.73 GB) (Free:2.15 GB) FAT32

========================= Users: ========================================

User accounts for \\TBOX-SR

Administrator ASPNET Guest
HelpAssistant Owner SUPPORT_388945a0
SUPPORT_fddfa904


**** End of log ****
-----------------------------------------------------------------------------------------
aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-19 19:37:49
-----------------------------
19:37:49.078 OS Version: Windows 5.1.2600 Service Pack 3
19:37:49.078 Number of processors: 1 586 0x209
19:37:49.078 ComputerName: TBOX-SR UserName: Owner
19:37:49.359 Initialize success
19:38:39.718 AVAST engine defs: 12021901
19:38:44.562 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:38:44.593 Disk 0 Vendor: Maxtor_6E040L0 NAR61590 Size: 38162MB BusType: 3
19:38:44.687 Disk 0 MBR read successfully
19:38:44.718 Disk 0 MBR scan
19:38:44.781 Disk 0 unknown MBR code
19:38:44.796 Disk 0 Partition 1 00 0B FAT32 RECOVERY 4245 MB offset 63
19:38:44.843 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 33909 MB offset 8694000
19:38:44.890 Disk 0 scanning sectors +78140160
19:38:45.000 Disk 0 scanning C:\WINDOWS\system32\drivers
19:39:09.640 Service scanning
19:40:08.906 Modules scanning
19:40:25.468 Disk 0 trace - called modules:
19:40:25.562 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
19:40:27.359 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83787ab8]
19:40:27.468 3 CLASSPNP.SYS[f7756fd7] -> nt!IofCallDriver -> \Device\0000005c[0x83794968]
19:40:27.562 5 ACPI.sys[f76cd620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x83748940]
19:40:27.953 AVAST engine scan C:\WINDOWS
19:40:41.515 AVAST engine scan C:\WINDOWS\system32
19:46:27.718 AVAST engine scan C:\WINDOWS\system32\drivers
19:47:00.062 AVAST engine scan C:\Documents and Settings\Owner
19:56:29.453 AVAST engine scan C:\Documents and Settings\All Users
19:59:59.968 Scan finished successfully
20:00:54.875 Disk 0 MBR has been saved successfully to "C:\NEW\Logs\MBR.dat"
20:00:54.906 The log file has been saved successfully to "C:\NEW\Logs\aswMBR2.txt"
-----------------------------------------------------------------------------------------------------------------------
Bootkit Remover
© 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000001`0951e000
Boot sector MD5 is: d0092ea8b49beb951c2a605cc98c7847

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
--------------------------------------------------------------------------------------
ListParts by Farbar
Ran by Owner on 19-02-2012 at 20:08:07
Windows XP (X86)
Running From: C:\NEW
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 30%
Total physical RAM: 759.48 MB
Available physical RAM: 531.16 MB
Total Pagefile: 3717.8 MB
Available Pagefile: 3613.27 MB
Total Virtual: 2047.88 MB
Available Virtual: 2003.29 MB

======================= Partitions =========================

2 Drive c: (PRESARIO) (Fixed) (Total:33.11 GB) (Free:5.05 GB) NTFS ==>[Drive with boot components (Windows XP)]
3 Drive d: (PRESARIO_RP) (Fixed) (Total:4.14 GB) (Free:0.62 GB) FAT32 ==>[Drive with boot components (Windows XP)]
4 Drive e: () (Removable) (Total:0.24 GB) (Free:0.12 GB) FAT
6 Drive g: (FLASHBLU) (Removable) (Total:3.73 GB) (Free:2.15 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 37 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 4245 MB 32 KB
Partition 2 Primary 33 GB 4245 MB

Disk: 0
The disk management services could not complete the operation.

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C PRESARIO NTFS Partition 33 GB Healthy System (partition with boot components)


****** End Of Log ******

------------------------------------------------------------------------------------------------------

I hope this is enough to get started. By the way, I am currently running ESET Online Scanner in Safe Mode but I don't expect anything really revealing. What I don't like is that entry for MBR "Unknown boot code". Any help is greatly appreciated.
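The aswMBR "unknown MBR code" and Bootkit Remover "Unknown boot code" lines in the logs above come from tools that flag boot code they do not recognise and print the partition table and a boot-sector hash alongside. The Python below is an added example for this thread, not code from aswMBR, Bootkit Remover or the forum: it parses a 512-byte MBR image into the same kind of partition summary, hashes the boot-code region, and compares that hash against an allow-list the analyst supplies. The sample MBR is constructed to mirror the layout in the aswMBR log (FAT32 recovery at LBA 63, active NTFS at LBA 8694000, 78140160-sector disk); its boot code is a placeholder, and no reference hashes are invented.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Set

MBR_SIZE = 512
BOOT_CODE_END = 446          # boot code occupies bytes 0..445
ENTRY_SIZE = 16              # four 16-byte partition entries follow it
BOOT_SIGNATURE = b"\x55\xaa"
SECTOR_SIZE = 512
PARTITION_TYPE_NAMES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
                        0x05: "Extended", 0x0F: "Extended LBA"}


@dataclass
class Partition:
    number: int          # 1-based slot in the table
    status: int          # 0x80 = active/bootable, 0x00 = inactive
    type_id: int
    start_lba: int
    sector_count: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    def size_mb(self) -> int:
        return self.sector_count * SECTOR_SIZE // (1024 * 1024)

    def describe(self) -> str:
        # Same shape as the "Disk 0 Partition ..." lines aswMBR prints.
        flag = " (A)" if self.bootable else ""
        name = PARTITION_TYPE_NAMES.get(self.type_id, "Unknown")
        return (f"Partition {self.number} {self.status:02X}{flag} {self.type_id:02X} "
                f"{name} {self.size_mb()} MB offset {self.start_lba}")


def parse_mbr(image: bytes) -> List[Partition]:
    """Return the non-empty partition entries of a 512-byte MBR image."""
    if len(image) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte MBR, got {len(image)}")
    if image[MBR_SIZE - 2:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for slot in range(4):
        off = BOOT_CODE_END + slot * ENTRY_SIZE
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, type_id, start_lba, count = struct.unpack_from("<B3xB3xII", image, off)
        if type_id == 0x00:
            continue  # empty slot
        partitions.append(Partition(slot + 1, status, type_id, start_lba, count))
    return partitions


def boot_code_md5(image: bytes) -> str:
    """MD5 of the 446-byte boot-code region, the part a bootkit would alter.
    (Design choice here: the partition table is excluded so the hash stays
    stable across repartitioning; the real tools may hash differently.)"""
    return hashlib.md5(image[:BOOT_CODE_END]).hexdigest()


def classify_boot_code(image: bytes, known_good: Set[str]) -> str:
    """Compare the boot-code hash with an allow-list of known-clean hashes.
    Populate known_good from a trusted image of the same OS; none are invented here."""
    return "Known boot code" if boot_code_md5(image) in known_good else "Unknown boot code"


def build_sample_mbr() -> bytes:
    """Constructed MBR mirroring the aswMBR log: FAT32 recovery partition at
    LBA 63 and an active NTFS partition at LBA 8694000 on a 78140160-sector
    disk. The boot code is a placeholder (jmp $ plus nops), not a real loader."""
    boot_code = b"\xeb\xfe" + b"\x90" * (BOOT_CODE_END - 2)
    p1 = struct.pack("<B3sB3sII", 0x00, b"\x01\x01\x00", 0x0B, b"\xfe\xff\xff",
                     63, 8694000 - 63)
    p2 = struct.pack("<B3sB3sII", 0x80, b"\xfe\xff\xff", 0x07, b"\xfe\xff\xff",
                     8694000, 78140160 - 8694000)
    empty = b"\x00" * ENTRY_SIZE
    return boot_code + p1 + p2 + empty + empty + BOOT_SIGNATURE


SAMPLE_MBR = build_sample_mbr()


if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print("Disk 0", p.describe())
    print("Boot sector MD5 is:", boot_code_md5(SAMPLE_MBR))
    print(classify_boot_code(SAMPLE_MBR, known_good=set()))
```

On a real system the 512 bytes would come from a sector dump such as the MBR.dat file aswMBR saved; with an empty allow-list the classifier reports exactly the "Unknown boot code" verdict seen in the thread, which is why that verdict alone does not prove infection.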


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,213 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:36 AM

Posted 19 February 2012 - 10:13 PM

Hello and welcome. Let's start here as you are missing a few steps.

Please follow our Removal Guide here: Remove Security Shield or SecurityShield (Uninstall Guide).
After reading how the malware is misleading you ...
You will move to the Automated Removal Instructions

After you have completed that, post your scan log here and let me know how things are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


>>>
To check for and confirm the MBR (Master Boot Record) rootkit:


Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • Press OK.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • Press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

Edited by boopme, 19 February 2012 - 10:14 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 MisterrFixIt

MisterrFixIt
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Location:Chicago
  • Local time:07:36 AM

Posted 20 February 2012 - 06:35 PM

OK, first let me be clear that I had previously used the recommended automatic recovery.
The problem is that the major Trojan buster, MBAM, didn't find anything.
I then did everything else. HOSTS was accessible and writable and Proxy Server was NOT checked or specified.
Did not do the initial DSS or GMER since other logs posted above showed better info (in my opinion).

Anyway, I let ESET run to completion and it found several interesting bad guys:

C:\Documents and Settings\Owner\Local Settings\Application Data\ayiqpbx.exe a variant of Win32/Kryptik.AAYI trojan cleaned by deleting - quarantined
C:\My Programs\Mozilla Firefox\components\atww5.1.dll probably a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP518\A0037808.exe a variant of Win32/Kryptik.AAYI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP518\A0037809.dll probably a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\xtfrxccr\ccp_geaifcb.dll probably a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\xtfrxccr\Director_jnypfd.dll a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\xtfrxccr\dprx_pgsigye.dll a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\xtfrxccr\ffe3_buykanx.dll probably a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\xtfrxccr\ffe_uiseqos.dll a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\xtfrxccr\mca_uiseqos.dll a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\xtfrxccr\mcie_bayemik.dll a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\yjaxerv\ccp_ocunbk.dll probably a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\yjaxerv\Director_kptjye.dll a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\yjaxerv\dprx_pinfll.dll a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\yjaxerv\ffe3_dstqfv.dll probably a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\yjaxerv\ffe_cgndid.dll a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\yjaxerv\mca_cgndid.dll a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\yjaxerv\mcie_dytkqq.dll a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
----------------------------------------------------------

So then I went back to logging on the normal user account, this time not in Safe Mode.
Everything appeared OK, no more popups, etc... so decided to run everything you initially wanted.

-----------------------------------------------------------------------------------------------------------------
Mod Edit: Removed DDS log data ~ Hamluis.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-20 16:55:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6E040L0 rev.NAR61590
Running: x3n9p2ju.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxddipog.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\program files\real\realplayer\update\realsched.exe[2500] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----

--------------------------------------------------------
Then did the MBR.EXE as you suggested...................

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6E040L0 rev.NAR61590 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

So no rootkits there......

Then did an RKILL............

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 02/20/2012 at 16:58:21.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\msfeedssync.exe


Rkill completed on 02/20/2012 at 16:58:38.

Have no idea if this is important or not
And at this time I'm running another full pass of MBAM which should take at least 2 hours.
I do not expect anything to be found and am posting the original log HERE

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.18.03

Windows XP Service Pack 3 x86 NTFS (Safe Mode)
Internet Explorer 8.0.6001.18702
Owner :: TBOX-SR [administrator]

2/19/2012 4:12:19 PM
mbam-log-2012-02-19 (16-12-19).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 329809
Time elapsed: 2 hour(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

---------------------------------------------------------
Will post the newest MBAM here when it finishes. Any other suggestions or observations?

Edited by hamluis, 20 February 2012 - 07:00 PM.
Removed DDS log posted, not requested.
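An added example, not from the post above or from ESET: a small Python parser for ESET scan-log lines in the format posted above. It groups hits by detection name, flags heuristic ("probably a variant of") hits, marks copies sitting in System Restore points (those only disappear for good once System Restore is purged), and lists anything not reported as quarantined. Five sample lines are copied from the log above; the "unable to clean" line is a constructed placeholder, not a real ESET message.

```python
import re
from collections import Counter
from typing import NamedTuple

# One ESET log line: <path> [probably ]a variant of <name> <kind> <action>
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<certainty>probably )?a variant of (?P<name>\S+) (?P<kind>\w+)\s+"
    r"(?P<action>.+)$"
)

class Hit(NamedTuple):
    path: str
    name: str          # e.g. Win32/Kryptik.AAYI
    kind: str          # "trojan" or "application" (potentially unwanted)
    heuristic: bool    # True when ESET said "probably a variant of"
    action: str
    restore_point: bool  # copy stored inside a System Restore point

def parse_eset_log(text: str) -> list:
    hits = []
    for line in text.splitlines():
        m = ESET_LINE.match(line.strip())
        if not m:
            continue  # separator lines and free text are skipped
        path = m["path"]
        hits.append(Hit(path, m["name"], m["kind"], m["certainty"] is not None,
                        m["action"],
                        "\\System Volume Information\\_restore" in path))
    return hits

def summarize(hits: list) -> dict:
    return {
        "by_name": Counter(h.name for h in hits),
        "heuristic": sum(h.heuristic for h in hits),
        "restore_point": sum(h.restore_point for h in hits),
        "not_quarantined": [h.path for h in hits if "quarantined" not in h.action],
    }

# Five lines copied from the post; the last line is constructed for illustration.
SAMPLE_LOG = r"""
C:\Documents and Settings\Owner\Local Settings\Application Data\ayiqpbx.exe a variant of Win32/Kryptik.AAYI trojan cleaned by deleting - quarantined
C:\My Programs\Mozilla Firefox\components\atww5.1.dll probably a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP518\A0037808.exe a variant of Win32/Kryptik.AAYI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP518\A0037809.dll probably a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\WINDOWS\system32\xtfrxccr\Director_jnypfd.dll a variant of Win32/WebWatcher.A application cleaned by deleting - quarantined
C:\Temp\sample.exe a variant of Win32/Example.B trojan unable to clean
"""

if __name__ == "__main__":
    for key, value in summarize(parse_eset_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```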


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,213 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 February 2012 - 12:23 AM

Ok, post the rest when you can.

WebWatcher is Parental Control Software.

There is no MBR infection or rootkits, that's good.

You have outdated software to remove and replace.. See instructions below.
Java™ 6 Update 17
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Development Kit 6 Update 17
Java 2 Runtime Environment, SE v1.4.2_03
Java DB 10.4.2.1
Adobe Reader 9.5.0 (Version: 9.5.0)

I would leave these off
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.2.2427.2330)
Yahoo! Toolbar



Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Select your Platform.
  • Under Which should I choose?, check the box for Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u31-windows-i586.exe (or jre-6u30-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

Similarly Update to Adobe Reader X (10.1.0)
Note: Uncheck the box so you do not install the toolbar, unless you really want it.

Free! Google Toolbar search Google from any web page, block pop-ups

Yes, install Google Toolbar - optional




