Adobe Flash Installer Virus


18 replies to this topic

#1 ww2b

Posted 18 March 2012 - 02:36 PM

Hello, and thanks in advance for reading this.

I'm also having a problem with an Adobe Flash Player 11.1 installer popping up every few minutes. I ran both quick and full scans of MBAM; I'm also in the process of running TrojanHunter. Neither have solved the problem so far.

Many thanks,
Pearl


#2 Broni

Posted 18 March 2012 - 03:46 PM

Any particular reason why you don't want to update Flash?

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 ww2b

Posted 18 March 2012 - 04:06 PM

I use Chrome, which has Flash built in, and I'm reasonably sure this is a virus because it won't go away. TrojanHunter apparently found 1 trojan, but I can't clean it because I'm only using the trial version.

#4 Broni

Posted 18 March 2012 - 04:13 PM

Flash is being constantly updated so it's not like you install Flash and you're done.

Let's see what you have...

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download the latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.



#5 ww2b

Posted 18 March 2012 - 04:52 PM

Thank you! From what I understand, I don't have Flash itself installed on my computer; any updates are done within Chrome and not by my doing.

When I ran both Security Check and MiniToolbox, I got the following error:
netsh.exe - Entry Point Not Found
The procedure entry point MigrateWinsockConfiguration could not be located in the dynamic link library MSWSOCK.dll.

MiniToolbox also gave me this error, which I clicked through three times:
nslookup.exe - Ordinal Not Found
The ordinal 1108 could not be located in the dynamic link library WSOCK32.dll

The aswMBR log will be in my next post, as I'm going to restart my computer after running the MBAM scan.


SECURITY CHECK LOG:


Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

SpywareBlaster 4.6
Java™ 6 Update 29
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
WinPatrol winpatrol.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
BillP Studios WinPatrol winpatrol.exe
``````````End of Log````````````

 

FSS LOG:

Farbar Service Scanner Version: 01-03-2012
Ran by Administrator (administrator) on 18-03-2012 at 17:19:18
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2010-07-07 02:12] - [2011-08-17 09:41] - 0138496 ____A () FBE6E65AD75FA7C0D946A6103E07A96C

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll
[2010-07-07 02:08] - [2010-07-07 02:08] - 0330752 ____A (Microsoft Corporation) A43F36201F68C96DA6CB7B1B0B788C60

C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll
[2010-07-07 02:08] - [2010-07-07 02:08] - 0253952 ____A (Microsoft Corporation) F17F6226BDC0CD5F0BEF0DAF84D29BEC

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(7) IPSec(5) irda(3) NetBT(6) PSched(8) Tcpip(4)
0x080000000500000001000000020000000300000004000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

 

MINITOOLBOX LOG:


MiniToolBox by Farbar Version: 18-01-2012
Ran by Administrator (administrator) on 18-03-2012 at 17:21:45
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

Hosts file not detected in the default directory
========================= IP Configuration: ================================

Broadcom 802.11b/g WLAN = Wireless Network Connection (Connected)
Broadcom NetXtreme Gigabit Ethernet = 本地连接 (Media disconnected)
The following helper DLL cannot be loaded: IFMON.DLL.
The following command was not found: int ip dump.


Windows IP Configuration

Host Name . . . . . . . . . . . . : PEARL
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : home

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
Physical Address. . . . . . . . . : 00-14-A5-73-73-04
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : Sunday, March 18, 2012 2:31:39 PM
Lease Expires . . . . . . . . . . : Monday, March 19, 2012 2:31:39 PM

Ethernet adapter

Pinging google.com [72.14.204.102] with 32 bytes of data:

Reply from 72.14.204.102: bytes=32 time=16ms TTL=252
Reply from 72.14.204.102: bytes=32 time=16ms TTL=252

Ping statistics for 72.14.204.102:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 16ms, Maximum = 16ms, Average = 16ms

Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=59ms TTL=248
Reply from 209.191.122.70: bytes=32 time=64ms TTL=248

Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 59ms, Maximum = 64ms, Average = 61ms

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 14 a5 73 73 04 ...... Broadcom 802.11g 网络适配器 - Packet Scheduler Miniport
0x30003 ...00 0f b0 fc c0 36 ...... Broadcom NetXtreme Gigabit Ethernet - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.3 192.168.1.3 20
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 25
192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 25
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 25
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 1
255.255.255.255 255.255.255.255 192.168.1.3 30003 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 mswsock.dll [File Not found] ()
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()
Catalog9 16 mswsock.dll [File Not found] ()
Catalog9 17 mswsock.dll [File Not found] ()
Catalog9 18 mswsock.dll [File Not found] ()
Catalog9 19 mswsock.dll [File Not found] ()
Catalog9 20 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (03/18/2012 04:26:36 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (03/18/2012 04:26:36 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (03/18/2012 04:11:42 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (03/18/2012 04:11:42 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (03/18/2012 02:31:34 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (03/18/2012 02:31:34 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (03/18/2012 02:31:33 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (03/18/2012 02:31:33 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (03/18/2012 01:36:26 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (03/18/2012 01:36:26 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.


System errors:
=============
Error: (03/18/2012 05:21:51 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (03/18/2012 05:21:50 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (03/18/2012 05:21:49 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (03/18/2012 05:21:49 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (03/18/2012 05:21:49 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (03/18/2012 05:21:48 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (03/18/2012 05:21:48 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (03/18/2012 05:21:48 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (03/18/2012 05:21:47 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (03/18/2012 05:21:47 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127


Microsoft Office Sessions:
=========================
Error: (03/18/2012 04:26:36 PM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}

Error: (03/18/2012 04:26:36 PM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: {7B849a69-220F-451E-B3FE-2CB811AF94AE}

Error: (03/18/2012 04:11:42 PM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}

Error: (03/18/2012 04:11:42 PM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: {7B849a69-220F-451E-B3FE-2CB811AF94AE}

Error: (03/18/2012 02:31:34 PM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}

Error: (03/18/2012 02:31:34 PM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: {7B849a69-220F-451E-B3FE-2CB811AF94AE}

Error: (03/18/2012 02:31:33 PM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}

Error: (03/18/2012 02:31:33 PM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: {7B849a69-220F-451E-B3FE-2CB811AF94AE}

Error: (03/18/2012 01:36:26 PM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}

Error: (03/18/2012 01:36:26 PM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: {7B849a69-220F-451E-B3FE-2CB811AF94AE}


=========================== Installed Programs ============================

Adobe Reader X (10.1.2) (Version: 10.1.2)
Adobe Shockwave Player 11.6 (Version: 11.6.3.633)
Agere Systems AC'97 Modem
Apple Application Support (Version: 2.1.6)
Apple Mobile Device Support (Version: 4.0.0.97)
Apple Software Update (Version: 2.1.3.127)
ASPCA Reminder by We-Care.com v5.0.5.1 (Version: 5.0.5.1)
Bonjour (Version: 3.0.0.10)
Broadcom 802.11 Wireless LAN Adapter
Chinese Simplified Fonts Support For Adobe Reader X (Version: 10.0.0)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Google Chrome (Version: 17.0.963.79)
Google Talk Plugin (Version: 2.7.5.6365)
Google Update Helper (Version: 1.3.21.99)
icbc_netbank_client_controls (Version: 2009.11.0.0)
Intel® Graphics Media Accelerator Driver
iTunes (Version: 10.5.2.11)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 29 (Version: 6.0.290)
Malwarebytes Anti-Malware version 1.60.1.1000 (Version: 1.60.1.1000)
Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - CHS (Version: 2.1.21022)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - CHS (Version: 3.1.21022)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 Language Pack - chs (Version: 3.5.21022)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 3.5 语言包 - 简体中文
Microsoft Antimalware (Version: 3.0.8402.2)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Security Client (Version: 2.1.1116.0)
Microsoft Security Essentials (Version: 2.1.1116.0)
Microsoft Silverlight (Version: 4.1.10111.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Mozilla Firefox 9.0.1 (x86 en-US) (Version: 9.0.1)
MSXML 6.0 Parser (KB925673) (Version: 6.00.3888.0)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
OpenMG Limited Patch 4.7-07-14-05-01
OpenMG Secure Module 4.7.00 (Version: 4.7.00.12140)
Picasa 3 (Version: 3.8)
QuickTime (Version: 7.71.80.42)
SpywareBlaster 4.6 (Version: 4.6.0)
swMSM (Version: 12.0.0.1)
Synaptics Pointing Device Driver (Version: 7.12.7.0)
Teclast USB2.0 UVC PC Camera (Version: 2009.03.18)
Texas Instruments PCIxx21/x515/xx12 drivers. (Version: 1.20.0000)
TI Connect 1.6 (Version: 1.6)
TIPCI (Version: 1.20.0000)
TrojanHunter 5.5 (Version: 5.5)
TUGZip 3.5
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB955704) (Version: 1)
Update for Windows XP (KB961503) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
WebFldrs XP (Version: 9.50.7523)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray (Version: 1.0)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation (Version: 3.0.6920.0)
WinPatrol (Version: 20.5.2011.0)
XML Paper Specification Shared Components Pack 1.0
μTorrent (Version: 3.1.2)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 75%
Total physical RAM: 1527.36 MB
Available physical RAM: 379.52 MB
Total Pagefile: 2905.09 MB
Available Pagefile: 1744.64 MB
Total Virtual: 2047.88 MB
Available Virtual: 1976.57 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:19.53 GB) (Free:0.17 GB) NTFS
2 Drive d: () (Fixed) (Total:17.72 GB) (Free:3.52 GB) NTFS

========================= Users: ========================================

User accounts for \\PEARL

Administrator Guest HelpAssistant
JJJ&J SUPPORT_388945a0


**** End of log ****

 

MALWAREBYTES ANTI-MALWARE LOG:


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.18.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Administrator :: PEARL [administrator]

3/18/2012 5:25:10 PM
mbam-log-2012-03-18 (17-25-10).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 212854
Time elapsed: 24 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#6 ww2b

Posted 18 March 2012 - 06:27 PM

aswMBR LOG:


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-18 18:01:42
-----------------------------
18:01:42.546 OS Version: Windows 5.1.2600 Service Pack 3
18:01:42.546 Number of processors: 1 586 0xD08
18:01:42.546 ComputerName: PEARL UserName:
18:01:43.453 Initialize success
18:08:31.421 AVAST engine defs: 12031700
18:18:18.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:18:18.671 Disk 0 Vendor: HTS541040G9AT00 MB2OA60A Size: 38154MB BusType: 3
18:18:18.703 Disk 0 MBR read successfully
18:18:18.703 Disk 0 MBR scan
18:18:19.296 Disk 0 Windows XP default MBR code
18:18:19.312 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 20000 MB offset 63
18:18:19.328 Disk 0 Partition - 00 0F Extended LBA 18146 MB offset 40960080
18:18:19.390 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 18146 MB offset 40960143
18:18:19.437 Disk 0 scanning sectors +78125040
18:18:19.609 Disk 0 scanning C:\WINDOWS\system32\drivers
18:19:21.062 Service scanning
18:19:52.343 Service MpKsl62b7c84a c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF91260B-E26B-4F97-A195-48B85E9DADEA}\MpKsl62b7c84a.sys **LOCKED** 32
18:20:20.046 Modules scanning
18:20:28.515 Module: C:\WINDOWS\System32\drivers\afd.sys **SUSPICIOUS**
18:20:40.234 Disk 0 trace - called modules:
18:20:40.296 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89267fd0]<<
18:20:40.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89a56ab8]
18:20:40.328 3 CLASSPNP.SYS[ba0f8fd7] -> nt!IofCallDriver -> [0x8983c030]
18:20:40.359 \Driver\00001162[0x897f91f0] -> IRP_MJ_CREATE -> 0x89267fd0
18:20:50.093 AVAST engine scan C:\WINDOWS
18:21:36.515 AVAST engine scan C:\WINDOWS\system32
18:28:46.218 AVAST engine scan C:\WINDOWS\system32\drivers
18:29:25.062 AVAST engine scan C:\Documents and Settings\Administrator
18:46:17.500 AVAST engine scan C:\Documents and Settings\All Users
18:46:58.859 Scan finished successfully
19:27:05.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
19:27:05.843 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

#7 Broni

Posted 18 March 2012 - 06:33 PM

We have several issues there.
Let's start with the infected/corrupted system file.

Please run Farbar Service Scanner (FSS).
Paste the following in the edit box after "Search:".

afd.sys

Click Search Files button and post the log (FSS.txt) it makes to your reply.



#8 ww2b

Posted 18 March 2012 - 06:43 PM

Thanks again!

FSS log:

Farbar Service Scanner Version: 01-03-2012
Ran by Administrator (administrator) on 18-03-2012 at 19:41:26
Microsoft Windows XP Professional Service Pack 3 (X86)

************************************************
======== Search: "afd.sys" =========

C:\WINDOWS\system32\drivers\afd.sys
[2010-07-07 02:12] - [2011-08-17 09:41] - 0138496 ____A () FBE6E65AD75FA7C0D946A6103E07A96C

C:\WINDOWS\system32\dllcache\afd.sys
[2010-07-07 02:12] - [2011-08-17 09:41] - 0138496 ___AC (Microsoft Corporation) F6B7B1ECD7B41736BDB6FF4B092BCB79

C:\WINDOWS\$NtUninstallKB2592799$\afd.sys
[2011-10-13 03:02] - [2011-02-16 09:25] - 0138496 ____C (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4

C:\WINDOWS\$NtUninstallKB2503665$\afd.sys
[2011-06-17 03:08] - [2010-07-07 02:12] - 0138496 ____C (Microsoft Corporation) 38D7B715504DA4741DF35E3594FE2099

====== End Of Search ======
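The comparison a helper makes by eye on a search log like the one above, written out as an added example (not code from the thread, from FSS or from its author): a Python triage script that parses FSS two-line file records and checks the live copy of a driver against the dllcache and hotfix-uninstall copies by MD5, size and company field. The pre-fix records are the afd.sys lines from this log; the post-fix sample is constructed from the live afd.sys line in the later FSS log in this thread, and all function names are the example's own.

```python
"""Triage of Farbar Service Scanner (FSS) file records: compare the live copy
of a system file with the dllcache and hotfix-uninstall copies, as a helper
does by eye. Added example, not FSS code and not code posted in the thread."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Records copied from the FSS search log posted in the thread (pre-fix state).
BEFORE_FIX = r"""
======== Search: "afd.sys" =========

C:\WINDOWS\system32\drivers\afd.sys
[2010-07-07 02:12] - [2011-08-17 09:41] - 0138496 ____A () FBE6E65AD75FA7C0D946A6103E07A96C

C:\WINDOWS\system32\dllcache\afd.sys
[2010-07-07 02:12] - [2011-08-17 09:41] - 0138496 ___AC (Microsoft Corporation) F6B7B1ECD7B41736BDB6FF4B092BCB79

C:\WINDOWS\$NtUninstallKB2592799$\afd.sys
[2011-10-13 03:02] - [2011-02-16 09:25] - 0138496 ____C (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4
"""
# Constructed post-fix sample: the live afd.sys line from the later FSS log in
# the thread, with the same two reference copies.
AFTER_FIX = r"""
C:\WINDOWS\system32\Drivers\afd.sys
[2010-07-07 02:12] - [2011-02-16 09:25] - 0138496 ____A (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4

C:\WINDOWS\system32\dllcache\afd.sys
[2010-07-07 02:12] - [2011-08-17 09:41] - 0138496 ___AC (Microsoft Corporation) F6B7B1ECD7B41736BDB6FF4B092BCB79

C:\WINDOWS\$NtUninstallKB2592799$\afd.sys
[2011-10-13 03:02] - [2011-02-16 09:25] - 0138496 ____C (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# FSS detail line: "[created] - [modified] - size attrs (company) MD5"
DETAIL_RE = re.compile(
    r"^\[[^\]]+\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) \S+ "
    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")


@dataclass(frozen=True)
class FileRecord:
    path: str
    modified: str
    size: int
    company: str  # empty when the binary carries no company in its version resource
    md5: str


def parse_fss_records(text: str) -> list[FileRecord]:
    """Pair each path line with the detail line directly below it."""
    lines = [ln.strip() for ln in text.splitlines()]
    records = []
    for i in range(len(lines) - 1):
        m = DETAIL_RE.match(lines[i + 1]) if PATH_RE.match(lines[i]) else None
        if m:  # paths reported as "=> MD5 is legit" have no detail line and are skipped
            records.append(FileRecord(lines[i], m["modified"], int(m["size"]),
                                      m["company"], m["md5"].upper()))
    return records


def copy_kind(path: str) -> str:
    """dllcache is tested before the generic system32 test, since it lives under it."""
    p = path.lower()
    if "\\dllcache\\" in p:
        return "dllcache"
    if "\\$ntuninstall" in p:
        return "backup"
    return "live" if "\\system32\\" in p else "other"


def triage(records: list[FileRecord]) -> list[tuple[str, str, list[str]]]:
    """Return (path, verdict, reasons) for every live copy; verdict is OK or SUSPICIOUS."""
    by_name: dict[str, list[FileRecord]] = {}
    for r in records:
        by_name.setdefault(r.path.rsplit("\\", 1)[-1].lower(), []).append(r)
    findings = []
    for copies in by_name.values():
        known = {c.md5 for c in copies if copy_kind(c.path) in ("dllcache", "backup")}
        cache = [c for c in copies if copy_kind(c.path) == "dllcache"]
        for live in (c for c in copies if copy_kind(c.path) == "live"):
            reasons = []
            if not live.company.strip():
                reasons.append("no company name in version resource")
            if known and live.md5 not in known:
                reasons.append("MD5 matches neither dllcache nor any uninstall backup")
                if cache and live.size == cache[0].size:
                    reasons.append("same size as dllcache copy: consistent with in-place patching")
            findings.append((live.path, "SUSPICIOUS" if reasons else "OK", reasons))
    return findings


if __name__ == "__main__":
    for label, text in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        for path, verdict, reasons in triage(parse_fss_records(text)):
            print(f"{label}: {verdict} {path}", *reasons, sep="\n    ")
```

A live copy whose hash matches a hotfix-uninstall backup rather than dllcache, as in the post-fix sample, is reported OK: it is an older but genuine Microsoft build, which is exactly the state the later FSS log in this thread shows.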

#9 Broni

Posted 18 March 2012 - 07:08 PM

Download the following batch file: http://www.bleepstatic.com/fhost/uploads/0/fix.bat
Restart the computer in Safe Mode.
Double-click on the downloaded file to run the fix.
A command prompt window will open.
You should see the following message:
"1 file(s) copied"
In that case, press any key to close the command prompt window.
If you see any error message, let me know.

NOTE. Disregard any Windows warnings.

Restart in normal mode and post new FSS log.



#10 ww2b

Posted 18 March 2012 - 07:54 PM

New FSS log:

Farbar Service Scanner Version: 01-03-2012
Ran by Administrator (administrator) on 18-03-2012 at 20:50:58
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2010-07-07 02:12] - [2011-02-16 09:25] - 0138496 ____A (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll
[2010-07-07 02:08] - [2010-07-07 02:08] - 0330752 ____A (Microsoft Corporation) A43F36201F68C96DA6CB7B1B0B788C60

C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll
[2010-07-07 02:08] - [2010-07-07 02:08] - 0253952 ____A (Microsoft Corporation) F17F6226BDC0CD5F0BEF0DAF84D29BEC

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(7) IPSec(5) irda(3) NetBT(6) PSched(8) Tcpip(4)
0x080000000500000001000000020000000300000004000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****
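The FSS logs in this thread carry two kinds of findings that a helper reads by eye: service registry keys the scanner could not open (the wscsvc entries above) and "File Check" entries that print file details instead of "MD5 is legit". The parser below is an added example for this thread, not code from Farbar or from either poster; it assumes the two-line file entry layout seen in the logs above, and its sample input is constructed from lines in this thread.

```python
import re

# Constructed sample in Farbar Service Scanner (FSS) format, cut down from
# the logs posted in this thread; not a real log file.
SAMPLE_FSS_LOG = r"""
Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2010-07-07 02:12] - [2011-02-16 09:25] - 0138496 ____A (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4

C:\WINDOWS\system32\ipnathlp.dll
[2010-07-07 02:08] - [2010-07-07 02:08] - 0330752 ____A (Microsoft Corporation) A43F36201F68C96DA6CB7B1B0B788C60
"""

NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running")
MISSING_KEY_RE = re.compile(r"Unable to open (\S+) registry key")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# detail line: [created] - [modified] - size attrs (company) md5
DETAIL_RE = re.compile(
    r"^\[([^\]]+)\] - \[([^\]]+)\] - (\d+) (\S+) \(([^)]*)\) ([0-9A-Fa-f]{32})$")

def parse_fss(text):
    """Return (missing_keys, stopped_services, unverified_files).

    '=> MD5 is legit' means the hash matched the scanner's known-good list; a
    path followed by a detail line did not, so its MD5 is what to look up.
    """
    missing, stopped, unverified = set(), [], []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if m := NOT_RUNNING_RE.match(line):
            stopped.append(m.group(1))
        elif m := MISSING_KEY_RE.search(line):
            missing.add(m.group(1))
        elif PATH_RE.match(line) and not line.endswith("=> MD5 is legit"):
            d = DETAIL_RE.match(lines[i + 1].strip()) if i + 1 < len(lines) else None
            unverified.append({"path": line,
                               "size": int(d.group(3)) if d else None,
                               "company": d.group(5) if d else None,
                               "md5": d.group(6).upper() if d else None})
            i += 1 if d else 0  # consume the detail line we just used
        i += 1
    return sorted(missing), stopped, unverified
```

An unverified entry is not a verdict: afd.sys here was a signed update that FSS simply did not recognise, so the extracted MD5 is the value to compare against a trusted hash source before acting.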

#11 Broni

Posted 18 March 2012 - 08:01 PM

Good job :)

Now, we have a couple of registry keys missing, affecting your Security Center.

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/windows-vista/create-a-restore-point-for-windows-vistas-system-restore/



Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Under the Security tab, while Everyone is selected, put a check mark in the box under Allow next to Full Control.
Click Apply and OK.

Download XP.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip downloaded file.
You'll find several files inside.
Double-click wscsvc.reg and confirm the prompt.
Double-click legacy_wscsvc.reg and confirm the prompt.

Please go back to the Root key again and, while Everyone is selected, remove the check mark in the box under Allow next to Full Control, then close the registry.

Restart computer.
Post new FSS log.



#12 ww2b

Posted 18 March 2012 - 08:18 PM

Thanks! Here's the new log:

Farbar Service Scanner Version: 01-03-2012
Ran by Administrator (administrator) on 18-03-2012 at 21:12:36
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll
[2010-07-07 02:08] - [2010-07-07 02:08] - 0330752 ____A (Microsoft Corporation) A43F36201F68C96DA6CB7B1B0B788C60

C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll
[2010-07-07 02:08] - [2010-07-07 02:08] - 0253952 ____A (Microsoft Corporation) F17F6226BDC0CD5F0BEF0DAF84D29BEC

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(7) IPSec(5) irda(3) NetBT(6) PSched(8) Tcpip(4)
0x080000000500000001000000020000000300000004000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

#13 Broni

Posted 18 March 2012 - 08:34 PM

Good :)

Next, we have the "hosts" file missing.

Please, go here: http://support.microsoft.com/kb/972034#FixItForMeAlways and click on "Fix it" button to reset your "hosts" file.
Follow all prompts.

*********************

Re-run MiniToolbox.
Check the following boxes:
  • List content of Hosts
Click Go and post the result.



#14 ww2b

Posted 18 March 2012 - 09:31 PM

Continuing thanks :)

MiniToolbox Log:


MiniToolBox by Farbar Version: 18-01-2012
Ran by Administrator (administrator) on 18-03-2012 at 22:30:51
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************
========================= Hosts content: =================================

127.0.0.1 localhost
127.0.0.1 localhost


**** End of log ****

#15 Broni

Posted 18 March 2012 - 09:54 PM

Good :)

How is the computer doing?

Download Temp File Cleaner (TFC).
Double-click TFC.exe to run the program.
Click the Start button to begin the cleaning process.
TFC will close all running programs, and it may ask you to restart the computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE. If Eset doesn't find any threats it'll NOT produce any log.
