Multiverse of malware! Please check it out and help if you can!


6 replies to this topic

#1 aSILENTfire (Members, 26 posts)

Posted 20 March 2013 - 11:02 PM

WinPatrol pops up every 3 minutes alerting that it found a new autostart program... but there is no information except the path, which doesn't exist...

C:\PROGRA~1\Eraser\Eraser.exe --atRestart

 

I had this a few months back but I thought WinPatrol removed it when I told it to delete on startup... now it's back with a detection date of 15 days ago.

 

From WinPatrol when I select the Eraser entry the status bar says, "Startup Location: * Disabled * HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" If I right click the entry I cannot view the file properties or open the location, but I can open an info box.

 

Within the info box I can scroll left and right and there are 10 hidden* entries here:

 

[ten screenshot attachments (image.jpg) of the WinPatrol info box, not reproduced]

 

I originally just wanted to remove the Eraser autostart, but these other entries look suspicious as well... can I get some help?
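The symptom in the post, a Run value whose target path no longer exists, can be checked without WinPatrol. The PowerShell below is an added example written for this page; it is not code from the original post or from WinPatrol. It enumerates the Run and RunOnce keys in both the native and the Wow6432Node view (the view WinPatrol reported for the Eraser entry), resolves each command line to its executable, tests whether that file is on disk and how its Authenticode signature verifies, and reads the Windows 8 Task Manager enabled/disabled state from the StartupApproved key. It assumes an elevated PowerShell 3.0 or later prompt; the Remove-ItemProperty line at the end runs with -WhatIf, so nothing is deleted until that switch is dropped.

```powershell
# Added example, not from the original post or from WinPatrol: list Run/RunOnce
# autostart values from both registry views, resolve each to its executable and
# flag values whose target is no longer on disk. Assumes elevated PowerShell 3+.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandTarget {
    # Extract the executable from a Run value: a quoted path with spaces, or an
    # unquoted path followed by arguments (C:\PROGRA~1\Eraser\Eraser.exe --atRestart).
    # %VAR% references are expanded; 8.3 short names are left for the file system.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(?<path>.+?\.(exe|com|scr|dll|cmd|bat|vbs|js))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups['path'].Value }
    return ($cmd -split '\s+')[0]
}

function Get-StartupApprovedState {
    # Windows 8+ Task Manager stores a REG_BINARY per value name here; first byte
    # 0x02 = enabled, 0x03 = disabled. The Run32 subkey mirrors Wow6432Node\...\Run.
    param([string]$RunKey, [string]$ValueName)
    $hive = if ($RunKey -like 'HKLM:*') { 'HKLM:' } else { 'HKCU:' }
    $sub  = if ($RunKey -like '*Wow6432Node*') { 'Run32' } else { 'Run' }
    $approved = "$hive\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\$sub"
    try {
        $bytes = (Get-ItemProperty -LiteralPath $approved -Name $ValueName -ErrorAction Stop).$ValueName
        switch ($bytes[0]) {
            2       { 'Enabled' }
            3       { 'Disabled' }
            default { 'Unknown (0x{0:X2})' -f $bytes[0] }
        }
    } catch { 'NotRecorded' }   # RunOnce values and pre-Windows 8 systems land here
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the provider metadata PowerShell attaches to every registry object
        if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $target = Get-CommandTarget -CommandLine ([string]$prop.Value)
        $onDisk = ($target -ne '') -and (Test-Path -LiteralPath $target -PathType Leaf)
        $sig    = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $target).Status } else { 'n/a' }
        [pscustomobject]@{
            Key       = $key
            Name      = $prop.Name
            Command   = $prop.Value
            Target    = $target
            OnDisk    = $onDisk
            Signature = $sig
            TaskMgr   = Get-StartupApprovedState -RunKey $key -ValueName $prop.Name
        }
    }
}

$report | Sort-Object OnDisk, Key | Format-Table Name, OnDisk, TaskMgr, Signature, Target -AutoSize

# Dangling values (OnDisk = False) are what an autostart monitor alerts on.
# Review them, then drop -WhatIf to actually remove the value.
$report | Where-Object { -not $_.OnDisk } | ForEach-Object {
    Remove-ItemProperty -LiteralPath $_.Key -Name $_.Name -WhatIf
}
```

On 64-bit Windows a 32-bit installer writes its Run value under Wow6432Node, so a check that reads only HKLM\Software\Microsoft\Windows\CurrentVersion\Run misses it; that is why the key list carries both views. A value whose target is missing is not by itself malicious (an uninstaller that skipped its Run entry produces the same picture), but a dangling entry with an argument like --atRestart is exactly the kind of thing to verify against the program that is supposed to own it before deleting it.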




 


#2 boopme (Global Moderator, 73,331 posts)

Posted 22 March 2013 - 01:37 PM

Hello, let's start here.

 


MiniToolBox
Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

 

 

>>>>>

ADW Cleaner

Please download AdwCleaner by Xplode onto your desktop.
•Close all open programs and internet browsers.
•Double click on adwcleaner.exe to run the tool.
•Click on Delete.
•Confirm each time with Ok.
•You will be prompted to restart your computer. A text file will open after the restart.
•Please post the contents of that logfile with your next reply.
•You can find the logfile at C:\AdwCleaner[S1].txt as well.

 


>>>>

Now I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

NOTE: Sometimes if ESET finds no infections it will not create a log.



#3 aSILENTfire (Topic Starter, Members, 26 posts)

Posted 23 March 2013 - 12:38 AM

Thanks, here are the logs:

 

MiniToolBox by Farbar Version:05-03-2013
Ran by SILENT (administrator) on 22-03-2013 at 17:41:37
Running from "C:\Users\SILENT\Desktop"
Windows 8 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================


127.0.0.1    localhost
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    100888290cs.com
127.0.0.1    www.100888290cs.com

There are 15288 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

Qualcomm Atheros AR9485 Wireless Network Adapter = Wi-Fi (Connected)
VirtualBox Host-Only Ethernet Adapter = VirtualBox Host-Only Network (Connected)
Realtek PCIe GBE Family Controller = Ethernet (Media disconnected)
TAP-Win32 Adapter V9 = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
set interface interface="Local Area Connection* 9" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wi-Fi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 11" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="other_0" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
add address name="VirtualBox Host-Only Network" address=192.168.56.1 mask=255.255.255.0


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : UFO
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : PK5001Z

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V9
Physical Address. . . . . . . . . : 00-FF-5E-4B-A5-14
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : 1E-85-DE-98-74-28
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 08-60-6E-0A-DB-84
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . : PK5001Z
Description . . . . . . . . . . . : Qualcomm Atheros AR9485 Wireless Network Adapter
Physical Address. . . . . . . . . : DC-85-DE-98-74-28
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.0.31(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, March 22, 2013 5:35:28 PM
Lease Expires . . . . . . . . . . : Saturday, March 23, 2013 5:35:27 PM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 8.26.56.26
8.20.247.20
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter VirtualBox Host-Only Network:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter
Physical Address. . . . . . . . . : 08-00-27-00-7C-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::ac4f:a478:63d7:af54%22(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.56.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 872939559
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-39-5C-B8-DC-85-DE-98-74-28
DNS Servers . . . . . . . . . . . : 8.26.56.26
156.154.70.22
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.PK5001Z:

Connection-specific DNS Suffix . : PK5001Z
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5efe:192.168.0.31%15(Preferred)
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 8.26.56.26
8.20.247.20
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{0C2634B1-38E9-4E7B-9BA7-17263CB10CE1}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: ns1.recursive.dns.com
Address: 8.26.56.26

Name: google.com.PK5001Z
Addresses: fe80:1::225:90ff:fe19:4b12
     92.242.144.50


Pinging google.com [173.194.34.135] with 32 bytes of data:
General failure.
General failure.

Ping statistics for 173.194.34.135:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Server: ns1.recursive.dns.com
Address: 8.26.56.26

Name: yahoo.com.PK5001Z
Addresses: fe80:1::225:90ff:fe19:4b12
     92.242.144.50


Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
General failure.
General failure.

Ping statistics for 98.138.253.109:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Pinging 127.0.0.1 with 32 bytes of data:
General failure.
General failure.

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
===========================================================================
Interface List
18...00 ff 5e 4b a5 14 ......TAP-Win32 Adapter V9
14...1e 85 de 98 74 28 ......Microsoft Wi-Fi Direct Virtual Adapter
13...08 60 6e 0a db 84 ......Realtek PCIe GBE Family Controller
12...dc 85 de 98 74 28 ......Qualcomm Atheros AR9485 Wireless Network Adapter
22...08 00 27 00 7c 07 ......VirtualBox Host-Only Ethernet Adapter
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.31 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.31 281
192.168.0.31 255.255.255.255 On-link 192.168.0.31 281
192.168.0.255 255.255.255.255 On-link 192.168.0.31 281
192.168.56.0 255.255.255.0 On-link 192.168.56.1 276
192.168.56.1 255.255.255.255 On-link 192.168.56.1 276
192.168.56.255 255.255.255.255 On-link 192.168.56.1 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.56.1 276
224.0.0.0 240.0.0.0 On-link 192.168.0.31 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.56.1 276
255.255.255.255 255.255.255.255 On-link 192.168.0.31 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
22 276 fe80::/64 On-link
15 281 fe80::5efe:192.168.0.31/128
On-link
22 276 fe80::ac4f:a478:63d7:af54/128
On-link
1 306 ff00::/8 On-link
22 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\pnrpnsp.dll [67584] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [67584] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\NLAapi.dll [55296] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [21504] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\wshbth.dll [50688] (Microsoft Corporation)
Catalog9 01 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll [260384] (Avira Operations GmbH & Co. KG)
Catalog9 02 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll [260384] (Avira Operations GmbH & Co. KG)
Catalog9 03 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll [260384] (Avira Operations GmbH & Co. KG)
Catalog9 04 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll [260384] (Avira Operations GmbH & Co. KG)
Catalog9 05 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll [260384] (Avira Operations GmbH & Co. KG)
Catalog9 06 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll [260384] (Avira Operations GmbH & Co. KG)
Catalog9 07 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll [260384] (Avira Operations GmbH & Co. KG)
Catalog9 08 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll [260384] (Avira Operations GmbH & Co. KG)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 12 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 13 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 14 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 15 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 16 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 17 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 18 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 19 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 20 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll [260384] (Avira Operations GmbH & Co. KG)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [66560] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [85504] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [85504] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [72192] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [53760] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [64000] (Microsoft Corporation)
x64-Catalog9 01 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll [233760] (Avira Operations GmbH & Co. KG)
x64-Catalog9 02 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll [233760] (Avira Operations GmbH & Co. KG)
x64-Catalog9 03 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll [233760] (Avira Operations GmbH & Co. KG)
x64-Catalog9 04 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll [233760] (Avira Operations GmbH & Co. KG)
x64-Catalog9 05 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll [233760] (Avira Operations GmbH & Co. KG)
x64-Catalog9 06 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll [233760] (Avira Operations GmbH & Co. KG)
x64-Catalog9 07 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll [233760] (Avira Operations GmbH & Co. KG)
x64-Catalog9 08 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll [233760] (Avira Operations GmbH & Co. KG)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 12 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 13 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 14 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 15 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 16 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 17 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 18 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 19 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 20 C:\Program Files (x86)\Avira\AntiVir Desktop\avsda64.dll [233760] (Avira Operations GmbH & Co. KG)

========================= Event log errors: ===============================

Application errors:
==================
Error: (03/22/2013 02:26:11 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Dependent Assembly Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/21/2013 06:40:03 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: UFO)
Description: App Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic did not launch within its allotted time.

Error: (03/21/2013 02:25:38 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Dependent Assembly Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/21/2013 02:25:31 PM) (Source: Windows Search Service) (User: )
Description: The index cannot be initialized.


Details:
    The specified object cannot be found. Specify the name of an existing object. (HRESULT : 0x80040d06) (0x80040d06)

Error: (03/21/2013 02:25:31 PM) (Source: Windows Search Service) (User: )
Description: The application cannot be initialized.

Context: Windows Application


Details:
    The specified object cannot be found. Specify the name of an existing object. (HRESULT : 0x80040d06) (0x80040d06)

Error: (03/21/2013 02:25:31 PM) (Source: Windows Search Service) (User: )
Description: The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog


Details:
    The specified object cannot be found. Specify the name of an existing object. (HRESULT : 0x80040d06) (0x80040d06)

Error: (03/21/2013 02:25:31 PM) (Source: Windows Search Service) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application, SystemIndex Catalog


Details:
    The specified object cannot be found. Specify the name of an existing object. (HRESULT : 0x80040d06) (0x80040d06)

Error: (03/21/2013 02:25:30 PM) (Source: Windows Search Service) (User: )
Description: The plug-in manager <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application


Details:
    (HRESULT : 0x8e5e0210) (0x8e5e0210)

Error: (03/21/2013 02:25:30 PM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.


Details:
    The content index catalog is corrupt. 0xc0041801 (0xc0041801)

Error: (03/21/2013 02:25:30 PM) (Source: Windows Search Service) (User: )
Description: The search service has detected corrupted data files in the index {id=4810 - enduser\mssearch2\search\ytrip\common\util\jetutil.cpp (167)}. The service will attempt to automatically correct this problem by rebuilding the index.


Details:
     0x8e5e0210 (0x8e5e0210)


System errors:
=============
Error: (03/21/2013 02:48:33 PM) (Source: Service Control Manager) (User: )
Description: The COMODO IceDragon Update Service service failed to start due to the following error:
%%2

Error: (03/21/2013 02:25:31 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (03/21/2013 02:25:31 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with the following service-specific error:
%%2147749126

Error: (03/21/2013 02:25:12 PM) (Source: Service Control Manager) (User: )
Description: The COMODO IceDragon Update Service service failed to start due to the following error:
%%2

Error: (03/21/2013 02:25:07 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 2:10:50 PM on 3/21/2013 was unexpected.

Error: (03/21/2013 00:32:06 PM) (Source: Service Control Manager) (User: )
Description: The Avira Web Protection service terminated unexpectedly. It has done this 3 time(s).

Error: (03/21/2013 00:31:35 PM) (Source: Service Control Manager) (User: )
Description: The Avira Web Protection service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (03/21/2013 00:29:31 PM) (Source: Service Control Manager) (User: )
Description: The Avira Web Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (03/20/2013 11:25:41 PM) (Source: Service Control Manager) (User: )
Description: The COMODO IceDragon Update Service service failed to start due to the following error:
%%2

Error: (03/20/2013 11:24:51 PM) (Source: DCOM) (User: UFO)
Description: {9BA05972-F6A8-11CF-A442-00A0C90A8F39}


Microsoft Office Sessions:
=========================
Error: (03/22/2013 02:26:11 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"C:\ProgramData\Ableton\Live 8 Beta\Program\Ableton Live 8 Beta.exe

Error: (03/21/2013 06:40:03 PM) (Source: Microsoft-Windows-Immersive-Shell)(User: UFO)
Description: Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic

Error: (03/21/2013 02:25:38 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"C:\ProgramData\Ableton\Live 8 Beta\Program\Ableton Live 8 Beta.exe

Error: (03/21/2013 02:25:31 PM) (Source: Windows Search Service)(User: )
Description:
Details:
    The specified object cannot be found. Specify the name of an existing object. (HRESULT : 0x80040d06) (0x80040d06)

Error: (03/21/2013 02:25:31 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application


Details:
    The specified object cannot be found. Specify the name of an existing object. (HRESULT : 0x80040d06) (0x80040d06)

Error: (03/21/2013 02:25:31 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog


Details:
    The specified object cannot be found. Specify the name of an existing object. (HRESULT : 0x80040d06) (0x80040d06)

Error: (03/21/2013 02:25:31 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog


Details:
    The specified object cannot be found. Specify the name of an existing object. (HRESULT : 0x80040d06) (0x80040d06)
Search.TripoliIndexer

Error: (03/21/2013 02:25:30 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application


Details:
    (HRESULT : 0x8e5e0210) (0x8e5e0210)
Search.TripoliIndexer

Error: (03/21/2013 02:25:30 PM) (Source: Windows Search Service)(User: )
Description:
Details:
    The content index catalog is corrupt. 0xc0041801 (0xc0041801)
The catalog is corrupt

Error: (03/21/2013 02:25:30 PM) (Source: Windows Search Service)(User: )
Description:
Details:
     0x8e5e0210 (0x8e5e0210)
4810 - enduser\mssearch2\search\ytrip\common\util\jetutil.cpp (167)


CodeIntegrity Errors:
===================================
Date: 2013-03-22 17:34:57.744
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-03-21 23:17:12.034
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-03-21 18:38:08.914
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-03-21 15:47:22.988
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-03-21 14:50:34.594
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-03-21 14:27:15.195
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-03-21 14:26:26.438
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-03-21 14:16:07.033
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-03-21 14:09:47.954
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-03-21 13:27:01.003
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.


=========================== Installed Programs ============================

7-Zip 9.20 (x64 edition) (Version: 9.20.00.0)
Ableton Live 8 Beta (Version: 8.0.0.0)
Adobe Flash Player 11 Plugin (Version: 11.6.602.168)
AMD Accelerated Video Transcoding (Version: 12.5.100.20808)
AMD APP SDK Runtime (Version: 10.0.938.2)
AMD Catalyst Install Manager (Version: 8.0.881.0)
AMD Quick Stream (Version: 3.3.26.0)
AMD VISION Engine Control Center (Version: 2012.0808.1024.16666)
Amnesia - The Dark Descent (Version: 1.0.0)
AntiLogger Free version 1.5.2.806 (Version: 1.5.2.806)
ASUS InstantOn (Version: 3.0.2)
ASUS Live Update (Version: 3.1.8)
ASUS Power4Gear Hybrid (Version: 2.0.4)
ASUS Smart Gesture (Version: 1.0.35)
ASUS Tutor (Version: 1.0.6)
ASUS USB Charger Plus (Version: 2.1.4)
ATK Package (Version: 1.0.0022)
Avira Free Antivirus (Version: 13.0.0.3185)
Catalyst Control Center Graphics Previews Common (Version: 2012.0808.1024.16666)
Catalyst Control Center InstallProxy (Version: 2012.0808.1024.16666)
Catalyst Control Center Localization All (Version: 2012.0808.1024.16666)
CCC Help Chinese Standard (Version: 2012.0808.1023.16666)
CCC Help Chinese Traditional (Version: 2012.0808.1023.16666)
CCC Help Czech (Version: 2012.0808.1023.16666)
CCC Help Danish (Version: 2012.0808.1023.16666)
CCC Help Dutch (Version: 2012.0808.1023.16666)
CCC Help English (Version: 2012.0808.1023.16666)
CCC Help Finnish (Version: 2012.0808.1023.16666)
CCC Help French (Version: 2012.0808.1023.16666)
CCC Help German (Version: 2012.0808.1023.16666)
CCC Help Greek (Version: 2012.0808.1023.16666)
CCC Help Hungarian (Version: 2012.0808.1023.16666)
CCC Help Italian (Version: 2012.0808.1023.16666)
CCC Help Japanese (Version: 2012.0808.1023.16666)
CCC Help Korean (Version: 2012.0808.1023.16666)
CCC Help Norwegian (Version: 2012.0808.1023.16666)
CCC Help Polish (Version: 2012.0808.1023.16666)
CCC Help Portuguese (Version: 2012.0808.1023.16666)
CCC Help Russian (Version: 2012.0808.1023.16666)
CCC Help Spanish (Version: 2012.0808.1023.16666)
CCC Help Swedish (Version: 2012.0808.1023.16666)
CCC Help Thai (Version: 2012.0808.1023.16666)
CCC Help Turkish (Version: 2012.0808.1023.16666)
ccc-utility64 (Version: 2012.0808.1024.16666)
CCleaner (Version: 3.26)
ChaosPro 3.3 (Version: 3.3 (Build 215))
Comodo Dragon (Version: 25.0.2.0)
COMODO Internet Security (Version: 6.0.64131.2674)
CyberGhost VPN
DAEMON Tools Lite (Version: 4.46.1.0328)
Debut Video Capture Software
EMET (Version: 3.0.0)
FileASSASSIN (Version: 1.06)
foobar2000 v1.2 (Version: 1.2)
GameRanger
Geeks3D.com FurMark 1.10.3
Google Chrome (Version: 25.0.1364.172)
Half-Life 2
HitmanPro 3.7 (Version: 3.7.2.190)
HxD Hex Editor version 1.7.7.0 (Version: 1.7.7.0)
Last.fm Scrobbler 2.1.35
LibreOffice 4.0.1.2 (Version: 4.0.1.2)
Logitech Gaming Software (Version: 8.40.83)
Logitech Gaming Software 8.40 (Version: 8.40.83)
Malwarebytes Anti-Malware version 1.70.0.1100 (Version: 1.70.0.1100)
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Silverlight (Version: 5.1.10411.0)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Mozilla Firefox 19.0.2 (x86 en-US) (Version: 19.0.2)
Nero 7 Ultra Edition (Version: 7.02.9753)
neroxml (Version: 1.0.0)
Nitro Reader 3 (Version: 3.1.1.3)
Oblivion (Version: 1.00.0000)
Oracle VM VirtualBox 4.2.6 (Version: 4.2.6)
PunkBuster for Battlefield 1942
Qualcomm Atheros Client Installation Program (Version: 10.0)
Realtek Ethernet Controller Driver (Version: 8.3.730.2012)
Realtek High Definition Audio Driver (Version: 6.0.1.6690)
Revo Uninstaller 1.94 (Version: 1.94)
Secunia PSI (3.0.0.6001) (Version: 3.0.0.6001)
Sniper Elite V2
Speccy (Version: 1.19)
SpeedCrunch 0.10
SumatraPDF (Version: 2.2.1)
SUPERAntiSpyware (Version: 5.6.1012)
Tixati
VLC media player 2.0.5 (Version: 2.0.5)
Voobly Game Data (Version: Voobly Game Datas)
Winamp (Version: 5.63 )
Windows Driver Package - ASUS (ATP) Mouse (10/29/2012 1.0.0.148) (Version: 10/29/2012 1.0.0.148)
WinFlash (Version: 2.41.1)
WinPatrol (Version: 26.1.2013.0)

========================= Memory info: ===================================

Percentage of memory in use: 40%
Total physical RAM: 3540.27 MB
Available physical RAM: 2105.54 MB
Total Pagefile: 7124.27 MB
Available Pagefile: 5148.18 MB
Total Virtual: 4095.88 MB
Available Virtual: 3953.08 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:186.3 GB) (Free:47.78 GB) NTFS
2 Drive d: (DATA) (Fixed) (Total:258.44 GB) (Free:75.9 GB) NTFS

========================= Users: ========================================

**** End of log ****

 

# AdwCleaner v2.115 - Logfile created 03/22/2013 at 17:51:47
# Updated 17/03/2013 by Xplode
# Operating system : Windows 8 (64 bits)
# User : SILENT - UFO
# Boot Mode : Normal
# Running from : C:\Users\SILENT\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\APN
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\Users\SILENT\AppData\Roaming\Mozilla\Firefox\Profiles\e4wrnl6n.default\jetpack

***** [Registry] *****

Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\PIP

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16519

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0.2 (en-US)

File : C:\Users\SILENT\AppData\Roaming\Mozilla\Firefox\Profiles\e4wrnl6n.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v25.0.1364.172

File : C:\Users\SILENT\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1197 octets] - [22/03/2013 17:51:47]

########## EOF - C:\AdwCleaner[S1].txt - [1257 octets] ##########

 

ESET:

 

C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll    a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe    a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\SILENT\Downloads\avira_free_antivirus_en.exe    a variant of Win32/Bundled.Toolbar.Ask application

 

Couldn't delete the files listed above with DEL /F /Q /A or FileASSASSIN



#4 aSILENTfire

Posted 23 March 2013 - 04:57 PM

The ask toolbar software is probably from Avira antivirus, as it is required as an alternative for payment to receive web protection.. Although I thought I got web protection without the undesirable software... Either way this is not the issue, I am concerned about the Eraser auto startup problem seen in WinPatrol, as well as the other programs listed with it; many of which have been problems/suspicious in the past.. such as Flash and Windows Update websites being redirected and giving me untrusted warnings across FF/Chrome/Opera/IE, even many normal Windows sites had bad certificates. Sometimes, (although rare in the last couple weeks) Windows 8 will start up with internet traffic maxed out, and some of all antivirus/security software not viewable in tray or task manager...
 

But for starters, how can I stop Eraser from automatically starting?


Edited by aSILENTfire, 23 March 2013 - 04:58 PM.


#5 boopme

Posted 23 March 2013 - 07:05 PM

Hi.. In the future you can uncheck those boxes that say you need to add a Toolbar, Browser etc.. when installing.. As you can see, you do not, and it is not the issue.
 
I see you have both Avira and Comodo Suite installed. Having 2 active Antivirus apps will cause conflicts and/or slowness and false positives.
One should be disabled or removed.
 
This is still not the problem.
Let's disable Eraser at startup.
 
Disable – Enable Startup Items In Windows 8 
 
Let me know.

Edited by boopme, 23 March 2013 - 08:43 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#6 aSILENTfire

Posted 24 March 2013 - 01:44 PM

Thanks, but there is no startup entry in the task manager for Eraser..

 

It's as if it doesn't want to be found :(
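
Task Manager's Startup tab reads the same Run keys that WinPatrol reported, but listing those keys directly shows every registered value, including the Wow6432Node view, Windows' own enabled/disabled flag, and whether the command's target file actually exists. The script below is an added example for this thread, not something either poster ran; it assumes Windows 8 or later and the documented StartupApproved layout (first byte 0x02 = enabled, 0x03 = disabled).

```powershell
# Added example: enumerate Run-key autostart entries in the 64-bit and Wow6432Node
# views, show Windows' enabled/disabled flag, and check that the target exists.
# Assumption: StartupApproved\Run (native) and \Run32 (Wow6432Node) hold a binary
# value per entry whose first byte is 0x02 (enabled) or 0x03 (disabled).
$runKeys = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
       Approved = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run' },
    @{ Path = 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
       Approved = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
       Approved = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run' }
)

function Get-AutostartState {
    param([string]$ApprovedKey, [string]$Name)
    if (-not (Test-Path $ApprovedKey)) { return 'no-record' }
    $bytes = (Get-ItemProperty -Path $ApprovedKey -ErrorAction SilentlyContinue).$Name
    if ($null -eq $bytes) { return 'no-record' }   # never toggled via Task Manager
    if ($bytes[0] -eq 3) { return 'disabled' }
    return 'enabled'
}

function Resolve-CommandPath {
    param([string]$Command)
    # Strip arguments such as "--atRestart"; quoted paths may contain spaces,
    # unquoted ones are cut at the first space (a known limitation).
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

foreach ($k in $runKeys) {
    if (-not (Test-Path $k.Path)) { continue }
    $props = Get-ItemProperty -Path $k.Path
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $exe = Resolve-CommandPath ([string]$p.Value)
        [pscustomobject]@{
            Key     = $k.Path
            Name    = $p.Name
            Command = $p.Value
            State   = Get-AutostartState -ApprovedKey $k.Approved -Name $p.Name
            Exists  = Test-Path -LiteralPath $exe
        }
    }
}
```

Run it from an elevated PowerShell prompt; an entry whose State is "disabled" and whose Exists column is False is exactly the kind of stale reference WinPatrol flags, and a row's Key column tells you which hive and view to inspect.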



#7 boopme

Posted 24 March 2013 - 04:46 PM

We'll find it, but we'll need to get a deeper look. Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.


Include this link back to here...

 

http://www.bleepingcomputer.com/forums/t/489297/multiverse-of-malware-please-check-it-out-and-help-if-you-can/#entry3011153


Edited by boopme, 24 March 2013 - 04:47 PM.
