
cannot find dubmnaxxx.scr


This topic is locked. 21 replies to this topic.

#1 General Public
  • Members
  • 34 posts

Posted 25 December 2012 - 12:58 PM

Happy holidays:

I'm helping my parents out with an older computer that has WinXP SP3. I am not sure whether their system is infected. The system is set up with two users, Admin and a user, g-brea. They use g-brea to log in, which has a custom local policy to keep it from generally installing programs (it only works sometimes, but I've found it helps mitigate some issues).

Last month, it had a popup on startup, when logging in as the user, g-brea:
Title: C:\DOCUME~1\G-Brea\LOCALS~1\Temp\dubmnaxxx.scr
Content: "Windows cannot find 'C:\DOCUME~1\G-Brea\LOCALS~1\Temp\dubmnaxxx.scr'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search. OK"

Logging in as admin does not create said popup, only as the user.

I rebooted to safe mode with networking, then installed and ran Malwarebytes as administrator, and also TDSSKiller. The system already had MS Security Essentials, which was up to date, but I ran it anyway. Rebooting back and logging in as the user, the popup persisted. From memory, the programs did not result in anything unusual.

Searching the registry for "dubmnaxxx" reveals the following key, which I am unable to delete or modify:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
The string is labelled "load" with value "C:\DOCUME~1\G-Brea\LOCALS~1\Temp\dubmnaxxx.scr"

I did a simultaneous login as admin (Windows key + L), found the string and was still unable to modify or delete it.

The computer runs slower than expected with certain tasks; they have a second, identical computer, which runs snappier for the hardware present on the system.

What should I do to determine whether this system is infected?

I appreciate any help and happy holidays.

John

Edited by General Public, 25 December 2012 - 01:00 PM.
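The value John describes, "load" under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, is one of the per-user locations Windows reads at logon and runs whatever path it names, which is why the "cannot find" message appears only when g-brea logs in and not for the admin account. The following PowerShell is an added example written for this thread; it is not code from the thread, from Broni's instructions, or from any of the tools listed. It is read-only: it lists the "load" and "run" values for the current user (and, when run from an administrator prompt, for every user hive currently loaded under HKEY_USERS), reports whether each file they point at still exists, and prints the key's access control entries so that a "cannot delete" can be traced to a permission entry. It assumes PowerShell 2.0 or later, which is an optional download for Windows XP SP3; the function names are my own, not a Windows or tool API.

```powershell
# Added example, not code from the thread or from any tool mentioned in it.
# Read-only inventory of the per-user "load"/"run" logon values under
# HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, plus the key's ACL.
# Assumes PowerShell 2.0+ (an optional install on Windows XP SP3).
# The function names below are my own, not a Windows or tool API.

$LogonSubKey = 'Software\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-LogonLoadEntries {
    # Returns one object per path found in the 'load' and 'run' values of
    # the given key (default: the current user's hive).
    param([string]$Path = "HKCU:\$LogonSubKey")
    $results = @()
    if (-not (Test-Path -LiteralPath $Path)) { return $results }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in 'load', 'run') {
        $value = $key.GetValue($name)          # $null when the value is absent
        if ([string]::IsNullOrEmpty($value)) { continue }
        # A value can list several programs separated by commas; quotes and
        # %VARS% are normalised. A target followed by arguments will show
        # Exists = False, so read the Target column rather than trusting
        # Exists alone.
        foreach ($entry in ($value -split ',')) {
            $raw = $entry.Trim().Trim('"')
            if ($raw -eq '') { continue }
            $target = [Environment]::ExpandEnvironmentVariables($raw)
            $results += New-Object PSObject -Property @{
                Key       = $Path
                ValueName = $name
                Target    = $target
                Exists    = (Test-Path -LiteralPath $target)
            }
        }
    }
    return $results
}

function Get-LogonKeyAccess {
    # Lists the access control entries on the key. A Deny entry for the user
    # (or for Everyone) is one ordinary reason a value cannot be edited or
    # deleted, even from an administrator account, until the entry is removed.
    param([string]$Path = "HKCU:\$LogonSubKey")
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, AccessControlType, RegistryRights, IsInherited
}

function Get-AllUsersLogonLoadEntries {
    # Same check across every user hive loaded under HKEY_USERS. Another
    # user's hive is present only while that user is logged on (for example
    # after Windows key + L fast user switching), and reading it needs an
    # administrator token.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $sid = $_.PSChildName
            Get-LogonLoadEntries -Path "HKU:\$sid\$LogonSubKey" |
                Add-Member -MemberType NoteProperty -Name Hive -Value $sid -PassThru
        }
}

# Usage: run from the affected user's session for the first two tables, and
# from an administrator PowerShell for the cross-hive table.
Get-LogonLoadEntries         | Format-Table ValueName, Exists, Target -AutoSize
Get-LogonKeyAccess           | Format-Table -AutoSize
Get-AllUsersLogonLoadEntries | Format-Table Hive, ValueName, Exists, Target -AutoSize
```

Run in the g-brea session, the first table would show the "load" value with its Temp .scr target and Exists = False, which is exactly what the logon popup is reporting: the value still names a file that is no longer on disk. That by itself does not say what wrote the value or whether anything else remains, which is what the logs Broni asks for are meant to answer; the ACL table is the place to look when the value resists editing from both accounts.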



#2 Broni
    The Coolest BC Computer
  • BC Advisor
  • 42,716 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 25 December 2012 - 07:10 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click [donation image].


#3 General Public
  • Topic Starter
  • Members
  • 34 posts

Posted 25 December 2012 - 08:26 PM

Will do, however, one question: do I run them as admin or the specific user? If the user, should I change the policy so that the user is an admin?

Thank you,
John

#4 Broni
    The Coolest BC Computer
  • BC Advisor
  • 42,716 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 25 December 2012 - 08:44 PM

Admin will be better.


#5 General Public
  • Topic Starter
  • Members
  • 34 posts

Posted 25 December 2012 - 10:30 PM

Okay. I kept the machine logged in as the user, but did Windows-L and ran them as admin. The aswMBR program didn't scan that user's docs & settings? Here are the pastes of each item recommended:


======= Security Check =======

Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Please wait while WMIC is being installed.d
i
s
p
l
a
y
N
a
m
e
ECHO is off.
M
i
c
r
o
s
o
f
t
ECHO is off.
S
e
c
u
r
i
t
y
ECHO is off.
E
s
e
n
t
i
a
l
s
ECHO is off.
M
i
c
r
o
s
o
f
t
ECHO is off.
S
e
c
u
r
i
t
y
ECHO is off.
E
s
e
n
t
i
a
l
s
ECHO is off.
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 7 Adobe Reader out of Date!
Mozilla Thunderbird (3.1.14) Thunderbird out of Date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 6%
````````````````````End of Log``````````````````````


======= FSS =======


Farbar Service Scanner Version: 23-12-2012
Ran by Administrator (administrator) on 25-12-2012 at 18:45:45
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000056000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****


======= MiniToolBox =======


MiniToolBox by Farbar Version: 25-11-2012
Ran by Administrator (administrator) on 25-12-2012 at 18:47:55
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Broadcom 440x 10/100 Integrated Controller = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : G-D38ZQYC1

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : oc.cox.net



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : oc.cox.net

Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller

Physical Address. . . . . . . . . : 00-1A-A0-1C-DA-C3

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.102

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 68.105.28.12

68.105.29.12

68.105.28.11

Lease Obtained. . . . . . . . . . : Tuesday, December 25, 2012 6:35:08 PM

Lease Expires . . . . . . . . . . : Wednesday, December 26, 2012 6:35:08 PM

Server: cdns2.cox.net
Address: 68.105.28.12

Name: google.com
Addresses: 74.125.227.69, 74.125.227.70, 74.125.227.71, 74.125.227.72
74.125.227.73, 74.125.227.78, 74.125.227.64, 74.125.227.65, 74.125.227.66
74.125.227.67, 74.125.227.68



Pinging google.com [74.125.227.137] with 32 bytes of data:



Reply from 74.125.227.137: bytes=32 time=54ms TTL=52

Reply from 74.125.227.137: bytes=32 time=44ms TTL=52



Ping statistics for 74.125.227.137:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 44ms, Maximum = 54ms, Average = 49ms

Server: cdns2.cox.net
Address: 68.105.28.12

Name: yahoo.com
Addresses: 98.139.183.24, 72.30.38.140, 98.138.253.109



Pinging yahoo.com [98.139.183.24] with 32 bytes of data:



Reply from 98.139.183.24: bytes=32 time=185ms TTL=52

Reply from 98.139.183.24: bytes=32 time=206ms TTL=52



Ping statistics for 98.139.183.24:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 185ms, Maximum = 206ms, Average = 195ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1a a0 1c da c3 ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.102 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.102 192.168.1.102 20
192.168.1.102 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.102 192.168.1.102 20
224.0.0.0 240.0.0.0 192.168.1.102 192.168.1.102 20
255.255.255.255 255.255.255.255 192.168.1.102 192.168.1.102 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (12/25/2012 09:26:38 AM) (Source: ESENT) (User: )
Description: wuauclt (1320) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log" failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The delete file operation will fail with error -1032 (0xfffffbf8).

Error: (12/25/2012 09:26:38 AM) (Source: ESENT) (User: )
Description: wuaueng.dll (1320) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error: (12/25/2012 09:26:38 AM) (Source: ESENT) (User: )
Description: wuauclt (1320) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Error: (12/25/2012 09:26:28 AM) (Source: ESENT) (User: )
Description: wuaueng.dll (1320) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error: (12/25/2012 09:26:28 AM) (Source: ESENT) (User: )
Description: wuauclt (1320) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Error: (12/20/2012 09:52:26 AM) (Source: Microsoft Office 10) (User: )
Description: Rejected Safe Mode action : Microsoft Word.

Error: (11/16/2012 08:41:16 AM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 0x80070670, P2 patchapplication, P3 am bdd, P4 11.1.3927.0, P5 mpsigstub.exe, P6 4.1.522.0, P7 microsoft security essentials, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (11/12/2012 04:57:09 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/12/2012 04:57:09 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/07/2012 00:06:00 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.


System errors:
=============
Error: (12/25/2012 06:35:25 PM) (Source: Service Control Manager) (User: )
Description: The SSPORT service failed to start due to the following error:
%%2

Error: (12/25/2012 06:35:25 PM) (Source: Service Control Manager) (User: )
Description: The DgiVecp service failed to start due to the following error:
%%20

Error: (12/25/2012 09:30:11 AM) (Source: Service Control Manager) (User: )
Description: The SSPORT service failed to start due to the following error:
%%2

Error: (12/25/2012 09:30:11 AM) (Source: Service Control Manager) (User: )
Description: The DgiVecp service failed to start due to the following error:
%%20

Error: (12/25/2012 09:11:01 AM) (Source: Service Control Manager) (User: )
Description: The SSPORT service failed to start due to the following error:
%%2

Error: (12/25/2012 09:11:01 AM) (Source: Service Control Manager) (User: )
Description: The DgiVecp service failed to start due to the following error:
%%20

Error: (12/25/2012 09:10:55 AM) (Source: Print) (User: NT AUTHORITY)
Description: Document 00007-121212091622035.pdf was corrupted and has been deleted. The associated driver is: HP LaserJet 4.

Error: (12/19/2012 08:03:46 AM) (Source: Service Control Manager) (User: )
Description: The SSPORT service failed to start due to the following error:
%%2

Error: (12/19/2012 08:03:46 AM) (Source: Service Control Manager) (User: )
Description: The DgiVecp service failed to start due to the following error:
%%20

Error: (12/18/2012 08:02:34 AM) (Source: Service Control Manager) (User: )
Description: The SSPORT service failed to start due to the following error:
%%2


Microsoft Office Sessions:
=========================
Error: (12/25/2012 09:26:38 AM) (Source: ESENT)(User: )
Description: wuauclt1320C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (12/25/2012 09:26:38 AM) (Source: ESENT)(User: )
Description: wuaueng.dll1320SUS20ClientDataStore: C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log-1032 (0xfffffbf8)

Error: (12/25/2012 09:26:38 AM) (Source: ESENT)(User: )
Description: wuauclt1320C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (12/25/2012 09:26:28 AM) (Source: ESENT)(User: )
Description: wuaueng.dll1320SUS20ClientDataStore: C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log-1032 (0xfffffbf8)

Error: (12/25/2012 09:26:28 AM) (Source: ESENT)(User: )
Description: wuauclt1320C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (12/20/2012 09:52:26 AM) (Source: Microsoft Office 10)(User: )
Description: Microsoft WordWord failed to start correctly last time. Starting Word in safe mode will help you correct or isolate a startup problem in order to successfully start the program. Some functionality may be disabled in this mode.

Do you want to start Word in safe mode?

Error: (11/16/2012 08:41:16 AM) (Source: MPSampleSubmission)(User: )
Description: mptelemetry0x80070670patchapplicationam bdd11.1.3927.0mpsigstub.exe4.1.522.0microsoft security essentialsNILNILNIL

Error: (11/12/2012 04:57:09 PM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (11/12/2012 04:57:09 PM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (11/07/2012 00:06:00 PM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000


=========================== Installed Programs ============================

Adobe Flash Player 10 ActiveX (Version: 10.3.181.26)
Adobe Reader 7.0.8 (Version: 7.0.8)
Broadcom Management Programs (Version: 9.03.01)
Citrix XenApp Web Plugin (Version: 11.0.0.5357)
Dell B2360d-dn Laser Printer Uninstaller
Dell CinePlayer (Version: 3.0)
Dell Printer Software Uninstall
Dell Support 3.2.1 (Version: 5.5.2087)
Dell System Restore (Version: 2.00.0000)
getPlus®_ocx
High Definition Audio Driver Package - KB835221 (Version: 20040219.000000)
J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
Malwarebytes Anti-Malware version 1.65.1.1000 (Version: 1.65.1.1000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Digital Image Library 9 - Blocker (Version: 9.00.0000)
Microsoft Digital Image Standard 2006 (Version: 11.0.0422)
Microsoft Digital Image Standard 2006 Editor (Version: 11.0.0422)
Microsoft Digital Image Standard 2006 Library (Version: 11.0.0422)
Microsoft Encarta Encyclopedia Standard 2006 (Version: 2006)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006 (Version: 15)
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Meeting 2007 (Version: 8.0.6362.70)
Microsoft Plus! Digital Media Edition Installer (Version: 1.1.0.3514)
Microsoft Plus! Photo Story 2 LE (Version: 1.1.0.3463)
Microsoft Security Client (Version: 4.1.0522.0)
Microsoft Security Essentials (Version: 4.1.522.0)
Microsoft Streets & Trips 2006 (Version: 13.00.09.0200)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Word 2002 (Version: 10.0.2627.01)
Microsoft Works (Version: 08.05.0818)
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word (Version: 8.0.0.0000)
Mozilla Thunderbird (3.1.14) (Version: 3.1.14 (en-US))
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MyPublisher
NVIDIA Drivers
Qualxserve Service Agreement (Version: 1.11.0000)
RemoteScan ASP
Samsung SCX-6x45 Series
Sonic Activation Module (Version: 1.0)
UniPrint Client 4.0 (Version: 4.0.8)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 7 (KB976749) (Version: 1)
Update for Windows Internet Explorer 7 (KB980182) (Version: 1)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0036.0)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7 (Version: 20061107.210142)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format Runtime
Windows Media Player 10 (Version: 9.00.3636)
Windows Media Player 10 Hotfix - KB894476
Windows XP Service Pack 3 (Version: 20080414.031525)
Works Upgrade (Version: 8.0.0.0000)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 76%
Total physical RAM: 446.42 MB
Available physical RAM: 104.86 MB
Total Pagefile: 1055.03 MB
Available Pagefile: 697.91 MB
Total Virtual: 2047.88 MB
Available Virtual: 1971.05 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:71.27 GB) (Free:55.03 GB) NTFS

========================= Users: ========================================

User accounts for \\G-D38ZQYC1

Administrator G-Brea Guest
HelpAssistant SUPPORT_388945a0


**** End of log ****


======= MBAM =======


Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.26.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: G-D38ZQYC1 [administrator]

12/25/2012 6:53:04 PM
mbam-log-2012-12-25 (18-53-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 220850
Time elapsed: 10 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



======= aswMBR =======


aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-12-25 19:05:30
-----------------------------
19:05:30.328 OS Version: Windows 5.1.2600 Service Pack 3
19:05:30.328 Number of processors: 2 586 0x6B01
19:05:30.328 ComputerName: G-D38ZQYC1 UserName:
19:05:35.796 Initialize success
19:07:48.593 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005d
19:07:48.593 Disk 0 Vendor: ST3808110AS 3.ADJ Size: 76293MB BusType: 3
19:07:48.640 Disk 0 MBR read successfully
19:07:48.640 Disk 0 MBR scan
19:07:48.640 Disk 0 unknown MBR code
19:07:48.656 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
19:07:48.671 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 72982 MB offset 80325
19:07:48.687 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3263 MB offset 149549085
19:07:48.687 Disk 0 scanning sectors +156232125
19:07:48.750 Disk 0 scanning C:\WINDOWS\system32\drivers
19:07:53.578 Service scanning
19:07:56.500 Service MpKsl3583787d c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49DCC4A9-E317-4232-82D6-9DD5820CAFFE}\MpKsl3583787d.sys **LOCKED** 32
19:08:00.312 Modules scanning
19:08:06.812 Disk 0 trace - called modules:
19:08:06.812 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
19:08:06.812 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84a3c1e0]
19:08:06.828 3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> \Device\0000005f[0x84b49c00]
19:08:06.828 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\0000005d[0x84a3b030]
19:08:06.828 Scan finished successfully
19:08:35.656 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\bleeping computer\MBR.dat"
19:08:35.656 The log file has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\bleeping computer\aswMBR - step 5.txt"


aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-12-25 19:09:37
-----------------------------
19:09:37.328 OS Version: Windows 5.1.2600 Service Pack 3
19:09:37.328 Number of processors: 2 586 0x6B01
19:09:37.328 ComputerName: G-D38ZQYC1 UserName:
19:09:37.609 Initialize success
19:11:59.437 AVAST engine defs: 12122501
19:12:07.421 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005d
19:12:07.421 Disk 0 Vendor: ST3808110AS 3.ADJ Size: 76293MB BusType: 3
19:12:07.468 Disk 0 MBR read successfully
19:12:07.468 Disk 0 MBR scan
19:12:08.531 Disk 0 unknown MBR code
19:12:08.546 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
19:12:09.593 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 72982 MB offset 80325
19:12:10.453 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3263 MB offset 149549085
19:12:10.750 Disk 0 scanning sectors +156232125
19:12:11.250 Disk 0 scanning C:\WINDOWS\system32\drivers
19:12:55.078 Service scanning
19:13:09.328 Service MpKsl3583787d c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49DCC4A9-E317-4232-82D6-9DD5820CAFFE}\MpKsl3583787d.sys **LOCKED** 32
19:13:26.453 Modules scanning
19:13:33.296 Disk 0 trace - called modules:
19:13:33.343 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
19:13:33.343 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84a3c1e0]
19:13:33.343 3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> \Device\0000005f[0x84b49c00]
19:13:33.343 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\0000005d[0x84a3b030]
19:13:34.125 AVAST engine scan C:\WINDOWS
19:13:58.187 AVAST engine scan C:\WINDOWS\system32
19:18:48.500 AVAST engine scan C:\WINDOWS\system32\drivers
19:19:20.546 AVAST engine scan C:\Documents and Settings\Administrator
19:20:33.406 AVAST engine scan C:\Documents and Settings\All Users
19:21:20.453 Scan finished successfully
19:21:33.562 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\bleeping computer\MBR.dat"
19:21:33.562 The log file has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\bleeping computer\aswMBR - step 5.txt"

#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 25 December 2012 - 10:37 PM

Download Autoruns for Windows: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
No installation required.
Simply unzip Autoruns.zip file, and double click on autoruns.exe file to run the program.
Go to File > Save, and save it as an AutoRuns.txt file to a known location.
You must select Text from drop-down menu as a file type:


Upload the file(s) here: http://uploadmb.com/
Copy the link inside the Direct Link box and post it in your next reply.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


#7 General Public

General Public
  • Topic Starter

  • Members
  • 34 posts

Posted 25 December 2012 - 11:17 PM

Thank you again. Here is the file:

http://www.uploadmb.com/dw.php?id=1356495379

EDIT:
The above was run as admin. I ran it as the user, g-brea, and had a slightly different result. Not sure whether it is important.

http://www.uploadmb.com/dw.php?id=1356495654

Edited by General Public, 25 December 2012 - 11:22 PM.


#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 25 December 2012 - 11:21 PM

Log in as affected user and post another Autoruns log from there.


#9 General Public

General Public
  • Topic Starter

  • Members
  • 34 posts

Posted 25 December 2012 - 11:32 PM

Yes, this:
http://www.uploadmb.com/dw.php?id=1356495654

Sorry, our posts crossed :)

Edited by General Public, 25 December 2012 - 11:38 PM.


#10 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 26 December 2012 - 11:33 AM

Re-run Autoruns from the same account, click on "Logon" tab and UN-check:
+ "C:\DOCUME~1\G-Brea\LOCALS~1\Temp\dubmnaxxx.scr"

Restart computer into same account and see if the error is gone.


#11 General Public

General Public
  • Topic Starter

  • Members
  • 34 posts

Posted 26 December 2012 - 11:59 AM

Re-run Autoruns from the same account, click on "Logon" tab and UN-check:
+ "C:\DOCUME~1\G-Brea\LOCALS~1\Temp\dubmnaxxx.scr"

Restart computer into same account and see if the error is gone.


Hello! From the same account I re-ran Autoruns and in the "Logon" tab I tried to UN-check the entry.

It did not uncheck and instead popped up an error which said:

"Error changing item state: Access is denied."


Thank you again!

#12 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 26 December 2012 - 12:13 PM

Re-run MBAM from that account.


#13 General Public

General Public
  • Topic Starter

  • Members
  • 34 posts

Posted 26 December 2012 - 01:24 PM

I reran MBAM from that account. It found 4 items. I checked them all and selected remove. It saved the log, which I have pasted below, then asked me to reboot.

I logged in as the user after rebooting, but the error looking for the file C:\DOCUME~1\G-Brea\LOCALS~1\Temp\dubmnaxxx.scr still pops up, and then a second popup comes up suggesting to remove the registry entry.

I reran MBAM again after reboot and it is showing only one now, the Registry Value for dubmnaxxx.scr which it said it would delete on reboot, but seems to have trouble doing so.

Here is the MBAM log from the first run:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.26.11

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
G-Brea :: G-D38ZQYC1 [limited]

12/26/2012 9:39:17 AM
mbam-log-2012-12-26 (09-39-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 154009
Time elapsed: 5 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A00A96F3-913E-4814-92DE-8CF82CD7CAB9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PersonalSec (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|load (Trojan.Ransom) -> Data: C:\DOCUME~1\G-Brea\LOCALS~1\Temp\dubmnaxxx.scr -> Delete on reboot.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
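The MBAM log above places the persistence in the per-user "load" value under HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, a location that Windows reads at logon and that Autoruns lists under its Logon tab. The following read-only PowerShell check is an added example, not part of this thread or of any tool mentioned in it: it walks every loaded user hive (which needs an administrator session to read other accounts' hives), reports the "load" value and its sibling "run" value under that key, and flags any entry launched from a Temp folder, including the 8.3 short-name form (LOCALS~1\Temp) seen in the log. It changes nothing in the registry.

```powershell
# Added example (not from the thread): audit the per-user "load"/"run" values
# under Windows NT\CurrentVersion\Windows across all loaded user hives.
# Read-only; run from an administrator session to see other users' hives.
$key        = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$valueNames = @('load', 'run')   # 'run' is a sibling value under the same key

# Enumerate HKEY_USERS\<SID> so an entry planted under another account
# (in this thread: G-Brea) is still seen; skip the *_Classes hives.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
         Where-Object { $_.PSChildName -notmatch '_Classes$' }

$findings = foreach ($hive in $hives) {
    $path = "Registry::HKEY_USERS\$($hive.PSChildName)\$key"
    if (-not (Test-Path -Path $path)) { continue }
    $item = Get-ItemProperty -Path $path
    foreach ($name in $valueNames) {
        $data = $item.$name
        if ([string]::IsNullOrWhiteSpace($data)) { continue }
        # Anything launched from a Temp directory, long or 8.3 form, is
        # worth a look; legitimate software does not normally live there.
        $suspicious = $data -match '(?i)\\temp\\|\\LOCALS~1\\'
        [pscustomobject]@{
            Hive       = $hive.PSChildName
            Value      = $name
            Data       = $data
            Suspicious = $suspicious
            # The popup in this thread comes from a value whose target is gone;
            # a missing file with the value still set is the same symptom.
            FileExists = Test-Path -LiteralPath ($data.Trim('"'))
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No load/run values set under any loaded user hive.' }
```

A row with Suspicious set and FileExists false matches the situation in the log: the loader value survives while the .scr it points to has already been removed, which is why the "Windows cannot find" dialog keeps appearing at logon.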

#14 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 26 December 2012 - 02:14 PM

Download Malwarebytes Anti-Rootkit from HERE
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt


#15 General Public

General Public
  • Topic Starter

  • Members
  • 34 posts

Posted 26 December 2012 - 06:30 PM

Hello: I am sorry, we have to temporarily put this on hold for travel but will return in a couple days. Bad timing on our part, sorry!
