
PUM.UserWLoad, Trojan.Agent, msilca.exe,


10 replies to this topic

#1 BailNighter


  • Members
  • 9 posts

Posted 17 January 2013 - 11:03 PM

Seeking professional advice on a full quarantine of the malware posted in title. On the 15th, I received a startling call from my ISP, telling me I probably had a virus because the abuse department was seeing outgoing spam originating from my IP. I was halfway convinced that some numbnut was trying to trick me or social engineer me, but sure enough, I check the router logs, and see all of this SMTP action. I can post router logs, as well as a wireshark .pcap if anyone has the skill to identify if the(se) trojan(s) are roaming around using my box.

Edit: Moved topic from Virus, Trojan, Spyware, and Malware Removal Logs to the more appropriate forum, due to the absence of malware logs included in topic. ~ Animal



#2 BailNighter

  • Topic Starter

  • Members
  • 9 posts

Posted 17 January 2013 - 11:07 PM

So far, I have run MBAM, and these are my only problems--

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\Owner\LOCALS~1\Temp\msilca.exe -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Agent) -> Data: C:\Users\Owner\LOCALS~1\Temp\msilca.exe -> Delete on reboot.

To add to that, after running Sophos, it also found a Java Trojan in my temporary internet files, a file called airyoleg[1].html.
When I securely explored the file, it was blank.

I would like to not scratch this machine, but it's not feeling too secure anymore, and my priorities of network testing may have contributed to weaknesses I created by temporarily disabling firewalls, enabling Java, etc. Any help or advice would be appreciated. The Reg values seem to stay regardless of MBAM's post. Thanks-- Alan.

Edited by Orange Blossom, 17 January 2013 - 11:25 PM.
Merged topics. ~ OB
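The MBAM hits above are a per-user autostart: the `Load` value under `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows` runs whatever it points at when the user logs on, which is why the value can survive a scan that only removed the file. The following read-only audit is an added example, not code from the thread or from any of the tools named in it. It assumes a Windows host with PowerShell, checks that `Load` value alongside the usual `Run` keys, and flags entries whose target resolves into a temp directory (the regex list and the SUSPICIOUS/ok labels are this example's own choices); nothing is deleted.

```powershell
# Added example (not from the thread): audit the per-user "Load" value that
# MBAM flagged above, plus the common Run keys, and report entries whose
# target lives in a user-writable temp directory. Read-only: nothing is changed.

$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Names = @('Load', 'Run') },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';        Names = $null },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';        Names = $null }
)

# Roots a legitimate autostart entry has little reason to live in.
# 'LOCALS~1\Temp' is the 8.3 short form, exactly as in the MBAM hit above.
$suspiciousRoots = @(
    [regex]::Escape($env:TEMP),
    [regex]::Escape("$env:LOCALAPPDATA\Temp"),
    'LOCALS~1\\Temp',
    '\\AppData\\Local\\Temp'
)
$pattern = ($suspiciousRoots -join '|')

foreach ($check in $checks) {
    if (-not (Test-Path $check.Path)) { continue }
    $key = Get-Item $check.Path

    # Explicit value names for the Windows key; every value for the Run keys
    $names = if ($check.Names) { $check.Names } else { $key.GetValueNames() }

    foreach ($name in $names) {
        # Read the raw data so a %TEMP%-style reference is visible as written
        $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ([string]::IsNullOrWhiteSpace($data)) { continue }

        # Expand it ourselves so a disguised path is still matched
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$data)
        $status   = if ($expanded -match $pattern) { 'SUSPICIOUS' } else { 'ok' }

        # Strip a quoted command's arguments before testing for the file
        $target = $expanded -replace '^"([^"]+)".*$', '$1'

        [pscustomobject]@{
            Status = $status
            Key    = $check.Path
            Value  = $name
            Data   = $data
            Exists = Test-Path -LiteralPath $target
        }
    }
}
```

Run it in the affected user's session; the HKLM key is readable without elevation. A SUSPICIOUS row with `Exists = False` is the situation described above: the file in Temp is gone but the autostart value still names it, so the value itself still needs removing.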


#3 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,537 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 January 2013 - 11:06 PM

Hello, if you haven't yet, reboot now. The infection has a few functions, see http://www.threatexpert.com/report.aspx?md5=3556f5fa8f9002b7cc78023566eacf75

There was registered attempt to establish connection with the remote host.
There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes).

So you had an infostealer. Any passwords should be changed and, if you do banking, have your bank watch your account activity.



Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

>>>

Please Download TDSSkiller
Launch it.
Click on change parameters-Select TDLFS file system
Click on "Scan".
Please post the LOG report(log file should be in your C drive)

Do not change the default options on scan results.



ADW Cleaner

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

>>>>

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

NOTE: Sometimes if ESET finds no infections it will not create a log.



MiniToolBox
Please download MiniToolBox, save it to your desktop and run it. Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run. Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 BailNighter

  • Topic Starter

  • Members
  • 9 posts

Posted 21 January 2013 - 01:15 PM

Doing this stuff now, logs will be posted soon. Thanks, boopme. I'll make it up to you ;]

One thing which is slightly odd is that I haven't lost any accounts. That, or my accounts are worthless enough to overlook.

Edit - they will be available a bit later tonight or tomorrow, work beckons.

Edited by BailNighter, 21 January 2013 - 05:33 PM.


#5 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,537 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 January 2013 - 01:42 PM

LOL, I'll look back.

#6 BailNighter

  • Topic Starter

  • Members
  • 9 posts

Posted 22 January 2013 - 01:07 PM

TDSSkiller found nothing.

# AdwCleaner v2.107 - Logfile created 01/22/2013 at 12:05:32
# Updated 21/01/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Owner - OWNER-PC
# Boot Mode : Normal
# Running from : C:\Users\Owner\Downloads\AdwCleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\ProgramData\~0

***** [Registry] *****

Key Found : HKCU\Software\1ClickDownload
Key Found : HKCU\Software\Softonic
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\1ClickDownload

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-US)

File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\sxbf0r67.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v24.0.1312.52

File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1021 octets] - [22/01/2013 12:05:32]

########## EOF - C:\AdwCleaner[R1].txt - [1081 octets] ##########

#7 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,537 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 January 2013 - 02:58 PM

Ok, one more quick scan, as there is nothing so scary there.

Please download aswMBR ( 4.5MB ) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.


#8 BailNighter

  • Topic Starter

  • Members
  • 9 posts

Posted 22 January 2013 - 03:05 PM

ESET -

C:\Users\Owner\Downloads\Nero 7.10.1.0 By M3ZKAL\Nero 7.10.1.0 Keygen.exe Win32/Keygen.AJ application
C:\Users\Owner\Downloads\Nero 7.10.1.0 By M3ZKAL\Nero 7.10.1.0.exe Win32/Toolbar.AskSBar application
C:\Users\Owner\Downloads\Alcohol120_trial_2.0.2.3931.exe a variant of Win32/InstallCore.T application
C:\Users\Owner\Downloads\ArcadeWebSetup.exe a variant of Win32/Adware.Gamevance.CF application
C:\Users\Owner\Downloads\bejeweled-blitz.exe a variant of Win32/InstallCore.AZ application
C:\Users\Owner\Downloads\Brothersoft_downloader_For_Nmap.exe a variant of Win32/BSDownloader application
C:\Users\Owner\Downloads\BullVidSetupV1.exe Win32/Toolbar.SearchSuite application
C:\Users\Owner\Downloads\cnet_prio_win32_199_2367_exe.exe a variant of Win32/InstallCore.D application
C:\Users\Owner\Downloads\setup(1).exe Win32/Adware.Bundlore application
C:\Users\Owner\Downloads\SoftonicDownloader_for_winx-dvd-author.exe a variant of Win32/SoftonicDownloader.E application
C:\Users\Owner\Downloads\video_downloader.exe Win32/Adware.Bundlore application
C:\Users\Public\Documents\dls\cnet2_TheSage_Setup_4-0-1774_Donors_Release_exe.exe a variant of Win32/InstallCore.D application

Still haven't done minitoolbox, will do that one and this new one as well

#9 BailNighter

  • Topic Starter

  • Members
  • 9 posts

Posted 22 January 2013 - 04:19 PM

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-01-22 14:08:32
-----------------------------
14:08:32.563 OS Version: Windows x64 6.1.7601 Service Pack 1
14:08:32.563 Number of processors: 2 586 0x403
14:08:32.563 ComputerName: OWNER-PC UserName: Owner
14:08:34.092 Initialize success
14:12:48.505 AVAST engine defs: 13012200
14:14:39.561 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
14:14:39.561 Disk 0 Vendor: ST31500341AS CC1H Size: 1430799MB BusType: 3
14:14:39.577 Disk 0 MBR read successfully
14:14:39.577 Disk 0 MBR scan
14:14:39.577 Disk 0 unknown MBR code
14:14:39.592 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
14:14:39.608 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 1156775 MB offset 498279600
14:14:39.624 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 30719 MB offset 2867359744
14:14:39.624 Disk 0 Partition - 00 05 Extended 243198 MB offset 208894
14:14:39.655 Disk 0 Partition 4 00 83 Linux 233303 MB offset 208896
14:14:39.655 Disk 0 Partition - 00 05 Extended 9894 MB offset 478014075
14:14:39.702 Disk 0 scanning C:\Windows\system32\drivers
14:14:47.080 Service scanning
14:15:02.228 Modules scanning
14:15:02.228 Disk 0 trace - called modules:
14:15:02.244 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
14:15:02.244 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007ca06a0]
14:15:02.244 3 CLASSPNP.SYS[fffff8800165143f] -> nt!IofCallDriver -> [0xfffffa8006df2520]
14:15:02.259 5 ACPI.sys[fffff88000f197a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8006dfd060]
14:15:13.351 AVAST engine scan C:\Windows
14:15:16.689 AVAST engine scan C:\Windows\system32
14:17:14.547 AVAST engine scan C:\Windows\system32\drivers
14:17:24.017 AVAST engine scan C:\Users\Owner
14:21:57.672 AVAST engine scan C:\ProgramData
14:22:42.210 Scan finished successfully
15:18:53.597 Disk 0 MBR has been saved successfully to "C:\Users\Owner\Desktop\MBR.dat"
15:18:53.597 The log file has been saved successfully to "C:\Users\Owner\Desktop\aswMBR.txt"

#10 BailNighter

  • Topic Starter

  • Members
  • 9 posts

Posted 22 January 2013 - 04:21 PM

MiniToolBox by Farbar Version:10-01-2013
Ran by Owner (administrator) on 22-01-2013 at 15:20:43
Running from "C:\Users\Owner\Downloads"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: 127.0.0.1:8118

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.autoconfig_url", "http://127.0.0.1:8118/"
"network.proxy.ftp_port", 8118
"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 8118
"network.proxy.no_proxies_on", ", stealthy.co"
"network.proxy.socks_port", 8118
"network.proxy.socks_version", 4
"network.proxy.ssl", "127.0.0.1"
"network.proxy.ssl_port", 8118
"network.proxy.type", 0

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter = Wireless Network Connection 2 (Connected)
VMware Virtual Ethernet Adapter for VMnet1 = VMware Network Adapter VMnet1 (Hardware not present)
VMware Virtual Ethernet Adapter for VMnet8 = VMware Network Adapter VMnet8 (Hardware not present)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add address name="VMware Network Adapter VMnet1" address=192.168.52.1 mask=255.255.255.0
add address name="VMware Network Adapter VMnet8" address=192.168.233.1 mask=255.255.255.0


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Owner-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : tex.cablelynx.com

Wireless LAN adapter Wireless Network Connection 2:

Connection-specific DNS Suffix . : tex.cablelynx.com
Description . . . . . . . . . . . : Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter
Physical Address. . . . . . . . . : XX-XX-XX-XX-XX
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : XXXXXXXXXXXXXXX
IPv4 Address. . . . . . . . . . . : 192.168.1.103(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, January 22, 2013 12:00:56 PM
Lease Expires . . . . . . . . . . : Wednesday, January 23, 2013 12:01:03 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 469811402
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-33-40-D7-00-08-54-9E-33-BA
DNS Servers . . . . . . . . . . . : 206.255.244.169
206.255.244.170
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:3886:25cd:3100:fb88(Preferred)
Link-local IPv6 Address . . . . . : fe80::3886:25cd:3100:fb88%15(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 14:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : tex.cablelynx.com
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #6
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: xxxx.tx.cablelynx.com
Address: 206.255.xxx.xxx

Name: google.com
Addresses: 2001:4860:4002:800::1004
74.125.227.14
74.125.227.0
74.125.227.1
74.125.227.2
74.125.227.3
74.125.227.4
74.125.227.5
74.125.227.6
74.125.227.7
74.125.227.8
74.125.227.9


Pinging google.com [74.125.227.9] with 32 bytes of data:
Reply from 74.125.227.9: bytes=32 time=12ms TTL=55
Reply from 74.125.227.9: bytes=32 time=13ms TTL=55

Ping statistics for 74.125.227.9:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 12ms, Maximum = 13ms, Average = 12ms
Server: xxxxxx.tx.cablelynx.com
Address: 206.255.xxx.xxx

Name: yahoo.com
Addresses: 98.138.253.109
98.139.183.24
206.190.36.45


Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=70ms TTL=45
Reply from 206.190.36.45: bytes=32 time=159ms TTL=45

Ping statistics for 206.190.36.45:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 70ms, Maximum = 159ms, Average = 114ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
25...xx xx xx xx xx ......Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
27...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.103 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.103 281
192.168.1.103 255.255.255.255 On-link 192.168.1.103 281
192.168.1.255 255.255.255.255 On-link 192.168.1.103 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.103 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.103 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
15 58 ::/0 On-link
1 306 ::1/128 On-link
15 58 2001::/32 On-link
15 306 2001:0:9d38:6ab8:3886:25cd:3100:fb88/128
On-link
25 281 fe80::/64 On-link
15 306 fe80::/64 On-link
15 306 fe80::3886:25cd:3100:fb88/128
On-link
25 281 fe80::ed8e:b510:c504:878d/128
On-link
1 306 ff00::/8 On-link
15 306 ff00::/8 On-link
25 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/22/2013 00:07:59 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (01/22/2013 00:02:09 PM) (Source: nginx) (User: )
Description: C:\metasploit\apps\pro\engine\arch-lib\win32\nginx\bin\nginxr7.exe:
could not open error log file: CreateFile() "logs/error.log" failed (3: The system cannot find the path specified)
.

Error: (01/22/2013 00:01:05 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/22/2013 00:00:56 PM) (Source: Winlogon) (User: )
Description: Windows license activation failed. Error 0x80070005.

Error: (01/22/2013 00:00:05 PM) (Source: PostgreSQL) (User: )
Description: ERROR: canceling statement due to user request

Error: (01/22/2013 11:43:30 AM) (Source: nginx) (User: )
Description: C:\metasploit\apps\pro\engine\arch-lib\win32\nginx\bin\nginxr7.exe:
could not open error log file: CreateFile() "logs/error.log" failed (3: The system cannot find the path specified)
.

Error: (01/22/2013 11:42:36 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/22/2013 11:42:28 AM) (Source: Winlogon) (User: )
Description: Windows license activation failed. Error 0x80070005.

Error: (01/22/2013 02:38:38 AM) (Source: PostgreSQL) (User: )
Description: ERROR: canceling statement due to user request

Error: (01/21/2013 11:54:56 AM) (Source: nginx) (User: )
Description: C:\metasploit\apps\pro\engine\arch-lib\win32\nginx\bin\nginxr7.exe:
could not open error log file: CreateFile() "logs/error.log" failed (3: The system cannot find the path specified)
.


System errors:
=============
Error: (01/22/2013 00:03:09 PM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Update Service Daemon service failed to start due to the following error:
%%1069

Error: (01/22/2013 00:03:09 PM) (Source: Service Control Manager) (User: )
Description: The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:
%%1330

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (01/22/2013 11:57:32 AM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Stereoscopic 3D Driver Service service terminated unexpectedly. It has done this 1 time(s).

Error: (01/22/2013 11:44:46 AM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Update Service Daemon service failed to start due to the following error:
%%1069

Error: (01/22/2013 11:44:46 AM) (Source: Service Control Manager) (User: )
Description: The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:
%%1330

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (01/22/2013 11:43:13 AM) (Source: WMPNetworkSvc) (User: )
Description: WMPNetworkSvc0x80004005

Error: (01/21/2013 11:56:15 AM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Update Service Daemon service failed to start due to the following error:
%%1069

Error: (01/21/2013 11:56:15 AM) (Source: Service Control Manager) (User: )
Description: The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:
%%1330

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (01/20/2013 09:13:32 AM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Update Service Daemon service failed to start due to the following error:
%%1069

Error: (01/20/2013 09:13:32 AM) (Source: Service Control Manager) (User: )
Description: The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:
%%1330

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).


Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
Date: 2012-12-23 12:50:33.730
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-12-23 12:50:33.710
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-05-23 12:35:38.792
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\usbport.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-05-23 12:35:38.792
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\usbport.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-05-23 12:35:38.776
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\usbport.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-05-23 12:35:38.761
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\usbport.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-05-23 12:35:38.745
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\usbport.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-05-23 12:35:38.745
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\usbport.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-05-23 12:35:38.730
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\usbport.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-05-23 12:35:38.714
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\usbport.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


=========================== Installed Programs ============================

7-Zip 9.20 (x64 edition) (Version: 9.20.00.0)
Acunetix Web Vulnerability Scanner 8.0 (Version: 8.0)
Adobe AIR (Version: 3.5.0.880)
Adobe Dreamweaver CS6 (Version: 12)
Adobe Flash Player 11 ActiveX 64-bit (Version: 11.2.202.233)
Adobe Flash Player 11 Plugin (Version: 11.3.300.257)
Adobe Help Manager (Version: 4.0.244)
Adobe Reader X (10.1.4) (Version: 10.1.4)
Adobe Widget Browser (Version: 2.0 Build 348)
Adobe Widget Browser (Version: 2.0.348)
Bitcoin (Version: 0.6.2)
BitTorrent (Version: 7.6.1)
Blaze Media Pro (Version: 9.10)
CCleaner (Version: 3.18)
CDBurnerXP (Version: 4.4.1.3099)
CommView for WiFi (Version: 6.3)
Counter-Strike
DVD Decrypter (Remove Only)
DVD43 v4.6.0
EASEUS Partition Master 7.0.1 Professional
EasyBCD 2.1.2 (Version: 2.1.2)
ESET Online Scanner v3
EtherWatch 2.01 (Version: 2.0.1)
Ettercap NG 0.7.3 (Version: 0.7.3)
Evernote v. 4.6 (Version: 4.6.0.7670)
Fiddler (Version: 2.4.2.4)
FLAC 1.2.1b (remove only) (Version: 1.2.1b)
foobar2000 v1.1.18 (Version: 1.1.18)
GnuWin32: OpenSSL-0.9.8h-1 (Version: 0.9.8h-1)
Google Chrome (Version: 24.0.1312.52)
Google Earth (Version: 6.2.2.6613)
Google Earth Plug-in (Version: 6.2.2.6613)
Google Talk (remove only)
Google Talk Plugin (Version: 3.10.2.10212)
Google Update Helper (Version: 1.3.21.123)
Havij 1.15 Free
High-Definition Video Playback 10 (Version: 7.0.11400.29.0)
Html to Word Doc Rtf Converter 3000 7.4
ImgBurn (Version: 2.5.7.0)
inSSIDer (Version: 2.1.4)
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 31 (Version: 6.0.310)
K-Lite Codec Pack 9.2.0 (Basic) (Version: 9.2.0)
Lynx 2.8.7rel.1
MagicTuneLiteMain (Version: 1.0.03)
Malwarebytes Anti-Malware version 1.61.0.1400 (Version: 1.61.0.1400)
Metasploit (Version: 4.4.0)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Expression Web (Version: 12.0.4518.1014)
Microsoft Expression Web MUI (English) (Version: 12.0.4518.1014)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (French) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Primary Interoperability Assemblies 2005 (Version: 8.0.50727.42)
Microsoft Silverlight (Version: 5.1.10411.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Mozilla Firefox 16.0.2 (x86 en-US) (Version: 16.0.2)
Mozilla Maintenance Service (Version: 16.0.2)
Mozilla Thunderbird 15.0.1 (x86 en-US) (Version: 15.0.1)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Nero 10 Menu TemplatePack Basic (Version: 10.0.10600.6.0)
Nero 10 Movie ThemePack Basic (Version: 10.0.10600.6.0)
Nero 7 Ultra Edition (Version: 7.02.9753)
Nero BackItUp 10 (Version: 5.4.11600.19.100)
Nero BackItUp 10 Help (CHM) (Version: 1.0.10700)
Nero Burning ROM 10 (Version: 10.0.11100.10.100)
Nero BurningROM 10 Help (CHM) (Version: 1.0.10700)
Nero BurnRights 10 (Version: 4.0.11000.12.100)
Nero BurnRights 10 Help (CHM) (Version: 1.0.10600)
Nero Control Center 10 (Version: 10.0.12000.1.4)
Nero ControlCenter 10 Help (CHM) (Version: 1.0.10700)
Nero Core Components 10 (Version: 2.0.13700.0.1)
Nero CoverDesigner 10 (Version: 5.0.10900.11.100)
Nero CoverDesigner 10 Help (CHM) (Version: 1.0.10600)
Nero DiscSpeed 10 (Version: 6.0.10800.7.100)
Nero DiscSpeed 10 Help (CHM) (Version: 1.0.10600)
Nero Dolby Files 10 (Version: 2.0.11000.0.10)
Nero Express 10 (Version: 10.0.11000.10.100)
Nero Express 10 Help (CHM) (Version: 1.0.10700)
Nero InfoTool 10 (Version: 7.0.10800.8.100)
Nero InfoTool 10 Help (CHM) (Version: 1.0.10600)
Nero MediaHub 10 (Version: 1.0.13400.11.100)
Nero MediaHub 10 Help (CHM) (Version: 1.0.10700)
Nero Multimedia Suite 10 (Version: 10.0.13100)
Nero Recode 10 (Version: 4.6.10900.4.100)
Nero Recode 10 Help (CHM) (Version: 1.0.10600)
Nero RescueAgent 10 (Version: 3.0.10900.9.100)
Nero RescueAgent 10 Help (CHM) (Version: 1.0.10700)
Nero SoundTrax 10 (Version: 4.6.10600.2.100)
Nero SoundTrax 10 Help (CHM) (Version: 1.0.10600)
Nero StartSmart 10 (Version: 10.0.11200.12.100)
Nero StartSmart 10 Help (CHM) (Version: 1.0.10700)
Nero Update (Version: 1.0.0017)
Nero Vision 10 (Version: 7.0.11100.8.100)
Nero Vision 10 Help (CHM) (Version: 1.0.10600)
Nero WaveEditor 10 (Version: 5.6.10600.2.100)
Nero WaveEditor 10 Help (CHM) (Version: 1.0.10600)
neroxml (Version: 1.0.0)
Nexpose (Version: )
Nmap 5.50
NVIDIA 3D Vision Controller Driver 296.10 (Version: 296.10)
NVIDIA 3D Vision Driver 306.97 (Version: 306.97)
NVIDIA Control Panel 306.97 (Version: 306.97)
NVIDIA Graphics Driver 306.97 (Version: 306.97)
NVIDIA HD Audio Driver 1.3.12.0 (Version: 1.3.12.0)
NVIDIA Install Application (Version: 2.1002.85.551)
NVIDIA PhysX (Version: 9.12.0213)
NVIDIA PhysX System Software 9.12.0213 (Version: 9.12.0213)
NVIDIA Stereoscopic 3D Driver (Version: 7.17.13.0697)
NVIDIA Update 1.10.8 (Version: 1.10.8)
NVIDIA Update Components (Version: 1.10.8)
ON_OFF Charge B11.0110.1 (Version: 1.00.0001)
OpenOffice.org 3.4.1 (Version: 3.41.9593)
OpenSSH for Windows (remove only)
PAYDAY: The Heist
PingPlotter Freeware (Version: 1.30.0.11)
Privoxy (remove only)
Puzzle Zones Games Console (Version: 1.1.4)
Realtek Ethernet Controller Driver (Version: 7.38.113.2011)
Realtek High Definition Audio Driver (Version: 6.0.1.6235)
REALTEK Wireless LAN Driver and Utility (Version: 1.00.0145)
RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition (Version: v2.24 MSI Master Overclocking Arena 2009 edition)
Samsung_MonSetup (Version: 1.00.0000)
Sophos Virus Removal Tool (Version: 2.3)
Source SDK Base 2007
Spybot - Search & Destroy (Version: 1.6.1.38)
Steam (Version: 1.0.0.0)
TextMaker Viewer
tools-freebsd (Version: 8.8.0.471780)
tools-linux (Version: 8.8.0.471780)
tools-netware (Version: 8.8.0.471780)
tools-solaris (Version: 8.8.0.471780)
tools-windows (Version: 8.8.0.471780)
tools-winPre2k (Version: 8.8.0.471780)
TornTV (Version: 2.1 Build 26473)
UniBall & BRChat
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
VirtualCloneDrive
Visual Studio 2008 x64 Redistributables (Version: 10.0.0.2)
VmciSockets (Version: 9.1.54.1)
VMware Workstation (Version: 8.0.0.18997)
WinPcap 4.1.2 (Version: 4.1.0.2001)
WinX DVD Author 6.2
Wireshark 1.8.3 (64-bit) (Version: 1.8.3)
X-Chat 2.8.6-2 (Version: 2.8.6-2)
XSitePro2 (Version: 2.501)
Xvid Video Codec (Version: 1.3.2)
YPOPs! 0.9.7.3

========================= Memory info: ===================================

Percentage of memory in use: 39%
Total physical RAM: 8189.55 MB
Available physical RAM: 4930.25 MB
Total Pagefile: 16377.3 MB
Available Pagefile: 12784.79 MB
Total Virtual: 4095.88 MB
Available Virtual: 3957.39 MB

========================= Partitions: =====================================

1 Drive a: (New Volume) (Fixed) (Total:30 GB) (Free:29.91 GB) NTFS
2 Drive c: () (Fixed) (Total:1129.66 GB) (Free:816.85 GB) NTFS

========================= Users: ========================================

User accounts for \\OWNER-PC

Administrator Guest Owner
UpdatusUser


**** End of log ****

Edited by BailNighter, 22 January 2013 - 04:25 PM.


#11 boopme

  • Global Moderator

Posted 22 January 2013 - 09:52 PM

Please uninstall this thru the Control Panel.
Java™ 6 Update 31 (Version: 6.0.310)


It looks clean now.

There were a lot of system errors and I feel running SFC would be good.

Please run SFC (System File Checker)
Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista/WIN 7 users: the command needs to be run from an Elevated Command Prompt. Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the CD when asked.
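One way to make sense of a Code Integrity log like the one posted above, and to see which of the flagged files an `sfc /scannow` run can actually repair, as an added example written for this thread rather than code from any tool mentioned in it: the script below parses the "Date:" / "Description:" pairs in the layout the posted log uses, groups the failed image-integrity checks per file, and separates files under the Windows directory (which SFC restores from the component store) from files that belong to third-party tools (catchme.sys, going by its path, is ComboFix's own scanning driver, so SFC will not touch it). The log entries embedded in it are constructed samples in that same format, not copied from the thread, and the function names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample entries in the format the posted log uses; not copied from the thread.
SAMPLE_LOG = r"""
Date: 2012-05-23 12:35:38.792
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\usbport.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-05-23 12:35:38.776
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\usbport.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-05-24 08:10:02.100
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
"""

# One "Date:" line followed by one "Description:" line; the reason is the text
# between "because" and the first full stop.
EVENT_RE = re.compile(
    r"^Date:\s*(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s*\n"
    r"Description:\s*Windows is unable to verify the image integrity of the file\s+"
    r"(?P<path>\S+)\s+because\s+(?P<reason>[^.]+)\.",
    re.MULTILINE,
)


def parse_integrity_events(text):
    """Return one dict per Date/Description pair describing a failed image-integrity check."""
    events = []
    for m in EVENT_RE.finditer(text):
        events.append({
            "when": datetime.strptime(m.group("when"), "%Y-%m-%d %H:%M:%S.%f"),
            "path": m.group("path"),
            "reason": m.group("reason").strip(),
        })
    return events


def is_windows_system_file(path):
    """True for files under the Windows directory, the set that sfc /scannow can repair."""
    # The log records kernel object paths (\Device\HarddiskVolumeN\...), not drive
    # letters, so match on the Windows directory component rather than on "C:".
    return "\\windows\\" in path.lower()


def summarize_by_file(events):
    """Group events per file: how often, first/last time seen, and whether SFC covers it."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["path"]].append(ev["when"])
    summary = {}
    for path, times in groups.items():
        summary[path] = {
            "count": len(times),
            "first": min(times),
            "last": max(times),
            "sfc_candidate": is_windows_system_file(path),
        }
    return summary


def sfc_candidates(events):
    """Sorted list of Windows-directory files that failed verification."""
    return sorted({ev["path"] for ev in events if is_windows_system_file(ev["path"])})


if __name__ == "__main__":
    evs = parse_integrity_events(SAMPLE_LOG)
    for path, info in summarize_by_file(evs).items():
        tag = "sfc can repair" if info["sfc_candidate"] else "third-party file, check its vendor"
        print(f"{info['count']:3d}x {path}  ({tag}; last seen {info['last']})")
    print("Run sfc /scannow for:", ", ".join(sfc_candidates(evs)) or "nothing")
```

Run it against the full log text instead of the embedded sample to get the per-file counts for a real posting; a driver under \Windows\System32\drivers that keeps failing hash lookup is exactly the case SFC is meant for, while a third-party driver in the list is a question for whoever ships that tool.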



