
Weird Virus


  • This topic is locked
12 replies to this topic

#1 Mile High

  • Members
  • 9 posts

Posted 29 April 2013 - 08:26 PM

Hello, I need help. I have an XPS 1530 running Vista Ultimate with SP2. Here's what's been going on: about a month ago I suspected a virus. Start-up was asking, and is still asking, for a chkdsk that takes 20 mins to scan; ok, that could be normal. But then my sidebar will not pop up, my files on the desktop will not align and processing has slowed to more than 50%. But here is the kicker: if my computer is plugged in and then goes to standby the whole system freezes. It was at a point where, whether plugged in or not, when it went to standby and was reopened it would freeze; now it's only when it is plugged in. I have Norton Internet Security 2013 which can't find anything, have run HijackThis 3-4 times, ComboFix 3-4 times, run ComboFix in safe mode 3 times, but still the problem. Also if it is on battery power and dies and I have to restart, the chkdsk is always activated. Don't know what else to do, please help.

 





#2 Mile High
  • Topic Starter

  • Members
  • 9 posts

Posted 01 May 2013 - 04:43 PM

ComboFix 13-04-29.01 - Andrew 04/30/2013  17:04:19.2.2 - x86 NETWORK
Microsoft® Windows Vista™ Ultimate   6.0.6002.2.1252.1.1033.18.3581.2893 [GMT -6:00]
Running from: c:\users\Andrew\Downloads\ComboFix.exe
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-28 to 2013-04-30  )))))))))))))))))))))))))))))))
.
.
2013-04-30 23:17 . 2013-04-30 23:17 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-04-30 23:17 . 2013-04-30 23:17 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2013-04-30 23:17 . 2013-04-30 23:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-29 18:31 . 2013-04-29 18:31 -------- d-----w- C:\found.015
2013-04-23 20:37 . 2013-03-03 19:07 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-16 03:20 . 2013-04-20 21:55 -------- d-----w- c:\windows\system32\drivers\NIS\1403010.016
2013-04-16 00:06 . 2013-04-16 00:06 -------- d-----w- C:\found.014
2013-04-10 13:51 . 2013-03-11 13:25 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-10 13:51 . 2013-03-11 13:25 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-10 13:51 . 2013-03-09 03:45 49152 ----a-w- c:\windows\system32\csrsrv.dll
2013-04-10 13:51 . 2013-03-09 01:28 64000 ----a-w- c:\windows\system32\smss.exe
2013-04-10 13:51 . 2013-03-08 03:52 2067968 ----a-w- c:\windows\system32\mstscax.dll
2013-04-10 13:51 . 2013-03-08 03:53 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-04-10 13:51 . 2013-03-05 01:40 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 19:15 . 2013-04-04 19:15 -------- d-----w- C:\found.013
2013-04-03 01:04 . 2013-04-03 01:04 -------- d-----w- C:\found.012
2013-04-02 16:15 . 2013-04-02 16:15 -------- d-----w- C:\found.011
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-12 04:29 . 2012-04-13 14:40 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-12 04:29 . 2011-06-11 00:36 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-12 01:57 . 2013-03-21 18:36 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-05-20 184320]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-13 3563520]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-02-16 405504]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"Wondershare Helper Compact.exe"="c:\program files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" [2012-02-28 1679360]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2012-12-26 67128]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApnUpdater]
2012-10-30 00:22 1573576 ----a-w- c:\program files\Ask.com\Updater\Updater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 21:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2012-07-11 22:33 138096 ----atw- c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 20:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 10:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
R2 AdobeActiveFileMonitor10.0;Adobe Active File Monitor V10;c:\program files\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe [x]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-12 00:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 17:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 04:29]
.
2013-04-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-659585881-3045812653-2201673256-1000Core.job
- c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-11-29 22:33]
.
2013-04-30 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-659585881-3045812653-2201673256-1000UA.job
- c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-11-29 22:33]
.
2013-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-659585881-3045812653-2201673256-1000Core.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-15 04:29]
.
2013-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-659585881-3045812653-2201673256-1000UA.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-15 04:29]
.
2013-04-30 c:\windows\Tasks\NUSchedule.job
- c:\program files\Norton Utilities 15\nu.exe [2012-12-11 21:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\accounts
Trusted Zone: intuit.com\ttlc
Trusted Zone: usaa.com\www
TCP: DhcpNameServer = 192.168.0.1 205.171.2.25
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.4.0/GarminAxControl_32.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-30 17:17
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\20.3.1.22\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\20.3.1.22\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-04-30  17:19:36
ComboFix-quarantined-files.txt  2013-04-30 23:19
ComboFix2.txt  2013-04-30 22:44
ComboFix5.txt  2013-04-30 22:23
.
Pre-Run: 270,126,698,496 bytes free
Post-Run: 270,059,044,864 bytes free
.
- - End Of File - - EBF49D759114BC52345A1361883AAB41
 



#3 Mile High
  • Topic Starter

  • Members
  • 9 posts

Posted 01 May 2013 - 06:11 PM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:10:40 PM, on 5/1/2013
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16476)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrvProxy.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrvProxy.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\20.3.1.22\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\20.3.1.22\IPS\IPSBHO.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\20.3.1.22\coIEPlg.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Wondershare Helper Compact.exe] C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Add to Wish List - {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - C:\Program Files\Amazon\Add to Wish List IE Extension\run.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/4.0.4.0/GarminAxControl_32.CAB
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Active File Monitor V10 (AdobeActiveFileMonitor10.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Norton Disk Doctor Service (DiskDoctorService) - Symantec Corporation - C:\Program Files\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Intuit Update Service v4 (IntuitUpdateServiceV4) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\20.3.1.22\ccSvcHst.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Norton SpeedDisk Service (SpeedDiskService) - Symantec Corporation - C:\Program Files\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrv.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 9485 bytes



#4 oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 04 May 2013 - 06:33 PM

Hey Mile High, :)

 

I will be assisting you with your computer issue. Please give me some time to research your logs, and I will return.

 

In the meantime, please run the following scans:

 

Download Security Check by screen317 from http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

==========

 

Please download aswMBR (511KB) to your desktop.

  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

 


Best Regards,
oneof4.


#5 Mile High
  • Topic Starter

  • Members
  • 9 posts

Posted 05 May 2013 - 03:28 PM

From Security Check:

 

 Results of screen317's Security Check version 0.99.63 
 Windows Vista Service Pack 2 x86 (UAC is enabled) 
 Internet Explorer 9 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled! 
Norton Internet Security  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java™ 6 Update 29 
 Java version out of Date!
 Adobe Flash Player  11.6.602.180 
 Adobe Reader 9 Adobe Reader out of Date!
 Google Chrome 26.0.1410.43 
 Google Chrome 26.0.1410.64 
 Google Chrome plugins... 
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
 Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````

 

From ASWMBR:

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-05-05 14:24:17
-----------------------------
14:24:17.894    OS Version: Windows 6.0.6002 Service Pack 2
14:24:17.895    Number of processors: 2 586 0x1706
14:24:17.896    ComputerName: BUBBA  UserName:
14:24:21.078    Initialize success
14:25:08.040    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
14:25:08.043    Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
14:25:08.164    Disk 0 MBR read successfully
14:25:08.170    Disk 0 MBR scan
14:25:08.175    Disk 0 Windows VISTA default MBR code
14:25:08.182    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       94 MB offset 63
14:25:08.193    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        10240 MB offset 194560
14:25:08.208    Disk 0 Partition 3 80 (A) 07    HPFS/NTFS NTFS       464043 MB offset 21166080
14:25:08.216    Disk 0 Partition - 00     0F Extended LBA              2560 MB offset 971528192
14:25:08.255    Disk 0 Partition 4 00     DD              MSDOS5.0     2559 MB offset 971530240
14:25:08.266    Disk 0 scanning sectors +976771072
14:25:08.337    Disk 0 scanning C:\Windows\system32\drivers
14:25:24.378    Service scanning
14:25:45.365    Modules scanning
14:25:52.569    Disk 0 trace - called modules:
14:25:52.613    ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
14:25:52.626    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d392e0]
14:25:52.638    3 CLASSPNP.SYS[8c7c68b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x862a3030]
14:25:52.650    Scan finished successfully
14:26:33.556    Disk 0 MBR has been saved successfully to "C:\Users\Andrew\Documents\MBR.dat"
14:26:33.571    The log file has been saved successfully to "C:\Users\Andrew\Documents\aswMBR.txt"

 



#6 oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 08 May 2013 - 05:39 AM

Hi :)

 

It looks like you may have a hard drive issue instead of a virus/malware issue.  Let's do the following to verify that:

 

Use the Windows Error Checking utility (Check Disk), with the options to fix file system errors and scan the disk surface for errors, attempt recovery of data and repair the disk:

  • Click the "Windows Orb" Start button, then click Computer.
  • Right-click on the drive that you wish to check > Properties > Tools tab
  • In the "Error checking" section, click on Check now.
  • Place a checkmark in both boxes > Start.
  • If the disk you have chosen is the Windows system disk:
  • A message will notify you that a restart is necessary and ask "Do you want to check for hard disk errors the next time you start your computer?".
  • Click Schedule disk check > OK and close all windows.
  • Re-start the computer. The disk will be checked when the system boots.
  • This will take some time to run and at times may appear stalled but just let it run.
  • When the disk check is complete, the system will re-start automatically and load Windows.

A log of the disk check is recorded only if the scheduled re-start is used, and only for drives on the same HDD as the Operating System.
To open Event Viewer and view the log:

  • Click the "Windows Orb" Start button -> type "eventvwr" without the quotes -> press the <ENTER> key.
  • The Event Viewer window will open.
  • In the left pane, expand "Windows Logs" and then click on Application.
  • In the right pane, at the top, click on the column heading Source to sort the list alphabetically.
  • Look in the Source column for "Wininit", with an entry corresponding to the date and time of the disk check.
  • Click on that Wininit entry to select it.
  • On the top main menu, click Action > Copy > Copy Details as Text.
  • Paste the contents into your next reply.

 


Best Regards,
oneof4.
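As an added example (not part of this thread or of any tool mentioned in it), a small Python parser for the chkdsk text that the Wininit event 1001 procedure above produces: it pulls out the read failures, replaced bad clusters, orphaned-file recoveries and the bad-sector total, which are the lines that separate a failing disk from a malware problem. The sample log is constructed in that format, and the NTSTATUS names are the standard Windows definitions for those two codes.

```python
"""Summarise a chkdsk log (the Wininit event 1001 text) for signs of a failing disk."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the format chkdsk writes to the Wininit 1001 event;
# it is not a full log, just enough lines to exercise each pattern below.
SAMPLE_LOG = r"""Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.
Deleting index entry fveupdate.exe in index $I30 of file 501.
CHKDSK is recovering lost files.
Recovering orphaned file fveupdate.exe (10581) into directory file 501.
Recovering orphaned file System.RunTime.Serialization.Resources.dll (128784) into directory file 128785.
CHKDSK is verifying file data (stage 4 of 5)...
Read failure with status 0xc00000b5 at offset 0xa6de4000 for 0x10000 bytes.
Read failure with status 0xc00000b5 at offset 0xa6df3000 for 0x1000 bytes.
Windows replaced bad clusters in file 31
of name \$Extend\$RmMetadata\$TxfLog\$Tops.
Read failure with status 0xc0000010 at offset 0x38f52bf000 for 0x10000 bytes.
Windows replaced bad clusters in file 244237
of name \Users\Andrew\DOCUME~1\TUITIO~1.PDF.
Adding 3 bad clusters to the Bad Clusters File.
Windows has made corrections to the file system.

 475181051 KB total disk space.
        12 KB in bad sectors.
"""

# Well-known NTSTATUS codes that chkdsk reports on read failures.
NTSTATUS_NAMES = {
    0xC00000B5: "STATUS_IO_TIMEOUT",
    0xC0000010: "STATUS_INVALID_DEVICE_REQUEST",
}

READ_FAILURE = re.compile(
    r"^Read failure with status (0x[0-9a-fA-F]+) at offset (0x[0-9a-fA-F]+) for (0x[0-9a-fA-F]+) bytes\.$"
)
REPLACED = re.compile(r"^Windows replaced bad clusters in file (\d+)$")
OF_NAME = re.compile(r"^of name (.+)\.$")  # continuation line of REPLACED
ORPHAN = re.compile(r"^Recovering orphaned file (.+?) \((\d+)\) into directory file (\d+)\.$")
BAD_ADDED = re.compile(r"^Adding (\d+) bad clusters to the Bad Clusters File\.$")
BAD_SECTORS = re.compile(r"^(\d+) KB in bad sectors\.$")


@dataclass
class ChkdskSummary:
    read_failures: list[tuple[int, int, int]] = field(default_factory=list)  # (status, offset, length)
    damaged_files: list[tuple[int, str]] = field(default_factory=list)       # (file record, path)
    orphaned_files: list[str] = field(default_factory=list)
    bad_clusters_added: int = 0
    bad_sector_kb: int = 0

    def hardware_suspect(self) -> bool:
        """True when the log shows media errors, which no malware scan will fix."""
        return bool(self.read_failures) or self.bad_clusters_added > 0 or self.bad_sector_kb > 0


def parse_chkdsk(text: str) -> ChkdskSummary:
    s = ChkdskSummary()
    pending_record = None  # file record number waiting for its "of name" line
    for raw in text.splitlines():
        line = raw.strip()  # Event Viewer pads the counter lines with spaces
        if m := READ_FAILURE.match(line):
            s.read_failures.append((int(m[1], 16), int(m[2], 16), int(m[3], 16)))
        elif m := REPLACED.match(line):
            pending_record = int(m[1])
        elif pending_record is not None and (m := OF_NAME.match(line)):
            s.damaged_files.append((pending_record, m[1]))
            pending_record = None
        elif m := ORPHAN.match(line):
            s.orphaned_files.append(m[1])
        elif m := BAD_ADDED.match(line):
            s.bad_clusters_added += int(m[1])
        elif m := BAD_SECTORS.match(line):
            s.bad_sector_kb = int(m[1])
    return s


def report(s: ChkdskSummary) -> str:
    """Human-readable summary with a verdict on whether the disk itself is failing."""
    lines = []
    for status, offset, length in s.read_failures:
        name = NTSTATUS_NAMES.get(status, "unknown NTSTATUS")
        lines.append(f"read failure {status:#010x} ({name}) at offset {offset:#x}, {length:#x} bytes")
    for record, path in s.damaged_files:
        lines.append(f"bad clusters replaced in file record {record}: {path}")
    for name in s.orphaned_files:
        lines.append(f"orphaned file recovered: {name}")
    lines.append(f"{s.bad_clusters_added} bad clusters added, {s.bad_sector_kb} KB in bad sectors")
    verdict = "failing disk, back up data now" if s.hardware_suspect() else "no media errors"
    lines.append("verdict: " + verdict)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_chkdsk(SAMPLE_LOG)))
```

Paste the Description field of the Wininit event into a file and feed it to parse_chkdsk; the file-record pairs are only collected when an "of name" line directly follows its "replaced bad clusters" line, as chkdsk writes them.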


#7 Mile High
  • Topic Starter

  • Members
  • 9 posts

Posted 08 May 2013 - 05:48 PM

Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          5/8/2013 11:24:25 AM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      Bubba
Description:

Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.

One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.                        
Cleaning up instance tags for file 0xdd14.
  578368 file records processed.                                 

  2384 large file records processed.                           

  0 bad file records processed.                             

  2 EA records processed.                                   

  60 reparse records processed.                              

Unable to locate the file name attribute of index entry fveupdate.exe
of index $I30 with parent 0x1f5 in file 0x2955.
Deleting index entry fveupdate.exe in index $I30 of file 501.
Unable to locate the file name attribute of index entry System.RunTime.Serialization.Resources.dll
of index $I30 with parent 0x1f711 in file 0x1f710.
Deleting index entry System.RunTime.Serialization.Resources.dll in index $I30 of file 128785.
  783118 index entries processed.                                

CHKDSK is recovering lost files.
Recovering orphaned file fveupdate.exe (10581) into directory file 501.
  3 unindexed files processed.                              

Recovering orphaned file System.RunTime.Serialization.Resources.dll (128784) into directory file 128785.
  578368 security descriptors processed.                         

Cleaning up 57 unused index entries from index $SII of file 0x9.
Cleaning up 57 unused index entries from index $SDH of file 0x9.
Cleaning up 57 unused security descriptors.
  102376 data files processed.                                   

CHKDSK is verifying Usn Journal...
  34652024 USN bytes processed.                                    

Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
Read failure with status 0xc00000b5 at offset 0xa6de4000 for 0x10000 bytes.
Read failure with status 0xc00000b5 at offset 0xa6df3000 for 0x1000 bytes.
Windows replaced bad clusters in file 31
of name \$Extend\$RmMetadata\$TxfLog\$Tops.
Read failure with status 0xc0000010 at offset 0x38f52bf000 for 0x10000 bytes.
Read failure with status 0xc0000010 at offset 0x38f52c5000 for 0x1000 bytes.
Windows replaced bad clusters in file 244237
of name \Users\Andrew\DOCUME~1\TUITIO~1.PDF.
Read failure with status 0xc00000b5 at offset 0x5b4dc000 for 0x8000 bytes.
Read failure with status 0xc00000b5 at offset 0x5b4e3000 for 0x1000 bytes.
Windows replaced bad clusters in file 499314
of name \PROGRA~1\iTunes\ITUNES~1.RE~\fr.lproj\IPODLI~1.RTF.
  578352 files processed.                                        

File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  82943491 free clusters processed.                                

Free space verification is complete.
Adding 3 bad clusters to the Bad Clusters File.
Correcting errors in the master file table's (MFT) BITMAP attribute.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

 475181051 KB total disk space.
 142400608 KB in 438182 files.
    298572 KB in 102378 indexes.
        12 KB in bad sectors.
    707895 KB in use by the system.
     65536 KB occupied by the log file.
 331773964 KB available on disk.

      4096 bytes in each allocation unit.
 118795262 total allocation units on disk.
  82943491 allocation units available on disk.

Internal Info:
40 d3 08 00 99 3f 08 00 0c 89 10 00 00 00 00 00  @....?..........
f5 01 00 00 3c 00 00 00 00 00 00 00 00 00 00 00  ....<...........
42 00 00 00 a2 73 b9 77 f0 8b 1a 00 f0 83 1a 00  B....s.w........

Windows has finished checking your disk.
Please wait while your computer restarts.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="16384">1001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-05-08T17:24:25.000Z" />
    <EventRecordID>1499390</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>Bubba</Computer>
    <Security />
  </System>
  <EventData>
    <Data>

Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.

One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.                        
Cleaning up instance tags for file 0xdd14.
  578368 file records processed.                                 

  2384 large file records processed.                           

  0 bad file records processed.                             

  2 EA records processed.                                   

  60 reparse records processed.                              

Unable to locate the file name attribute of index entry fveupdate.exe
of index $I30 with parent 0x1f5 in file 0x2955.
Deleting index entry fveupdate.exe in index $I30 of file 501.
Unable to locate the file name attribute of index entry System.RunTime.Serialization.Resources.dll
of index $I30 with parent 0x1f711 in file 0x1f710.
Deleting index entry System.RunTime.Serialization.Resources.dll in index $I30 of file 128785.
  783118 index entries processed.                                

CHKDSK is recovering lost files.
Recovering orphaned file fveupdate.exe (10581) into directory file 501.
  3 unindexed files processed.                              

Recovering orphaned file System.RunTime.Serialization.Resources.dll (128784) into directory file 128785.
  578368 security descriptors processed.                         

Cleaning up 57 unused index entries from index $SII of file 0x9.
Cleaning up 57 unused index entries from index $SDH of file 0x9.
Cleaning up 57 unused security descriptors.
  102376 data files processed.                                   

CHKDSK is verifying Usn Journal...
  34652024 USN bytes processed.                                    

Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
Read failure with status 0xc00000b5 at offset 0xa6de4000 for 0x10000 bytes.
Read failure with status 0xc00000b5 at offset 0xa6df3000 for 0x1000 bytes.
Windows replaced bad clusters in file 31
of name \$Extend\$RmMetadata\$TxfLog\$Tops.
Read failure with status 0xc0000010 at offset 0x38f52bf000 for 0x10000 bytes.
Read failure with status 0xc0000010 at offset 0x38f52c5000 for 0x1000 bytes.
Windows replaced bad clusters in file 244237
of name \Users\Andrew\DOCUME~1\TUITIO~1.PDF.
Read failure with status 0xc00000b5 at offset 0x5b4dc000 for 0x8000 bytes.
Read failure with status 0xc00000b5 at offset 0x5b4e3000 for 0x1000 bytes.
Windows replaced bad clusters in file 499314
of name \PROGRA~1\iTunes\ITUNES~1.RE~\fr.lproj\IPODLI~1.RTF.
  578352 files processed.                                        

File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  82943491 free clusters processed.                                

Free space verification is complete.
Adding 3 bad clusters to the Bad Clusters File.
Correcting errors in the master file table's (MFT) BITMAP attribute.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

 475181051 KB total disk space.
 142400608 KB in 438182 files.
    298572 KB in 102378 indexes.
        12 KB in bad sectors.
    707895 KB in use by the system.
     65536 KB occupied by the log file.
 331773964 KB available on disk.

      4096 bytes in each allocation unit.
 118795262 total allocation units on disk.
  82943491 allocation units available on disk.

Internal Info:
40 d3 08 00 99 3f 08 00 0c 89 10 00 00 00 00 00  @....?..........
f5 01 00 00 3c 00 00 00 00 00 00 00 00 00 00 00  ....&lt;...........
42 00 00 00 a2 73 b9 77 f0 8b 1a 00 f0 83 1a 00  B....s.w........

Windows has finished checking your disk.
Please wait while your computer restarts.
</Data>
  </EventData>
</Event>



#8 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective
  • Local time:04:21 PM

Posted 09 May 2013 - 05:38 AM

Are you still having the lock-ups?


Best Regards,
oneof4.


#9 Mile High

Mile High
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:21 PM

Posted 09 May 2013 - 02:37 PM

hello:

Surprisingly no, after doing the error check the laptop went back to its normal speed, and it has stopped locking up when the power supply is plugged in. First off, thank you very much for your help on this. Second, what was going on?



#10 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective
  • Local time:04:21 PM

Posted 09 May 2013 - 09:08 PM

Well, you actually DO have some bad sectors on your hard drive, so that was probably the source of the lock-ups.  Running Check Disk with the "repair" option as we did may have bought you some time, but probably only temporarily.  I would advise you to back up all critical files (docs, photos, etc.), and consider replacing the hard drive.  Since you're running Vista, which is a few years old, I'm assuming your warranty has long expired, but if you did purchase an extended care package, then now would be a good time to pursue that.


Best Regards,
oneof4.
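
As an added example (not part of this thread, and not a BleepingComputer or Microsoft tool), a small Python parser that pulls the disk-health signals out of a chkdsk log like the one posted above: read failures with their status codes, files whose clusters were relocated, the bad-cluster count and the "KB in bad sectors" total, then triages them the way oneof4 did. The sample log lines are constructed in the style of the posted output, with made-up offsets.

```python
import re

# Constructed sample in the format of a Wininit event 1001 chkdsk log
# (same line shapes as the posted output; offsets and files are made up).
SAMPLE_LOG = """\
CHKDSK is verifying file data (stage 4 of 5)...
Read failure with status 0xc00000b5 at offset 0xa6de4000 for 0x10000 bytes.
Read failure with status 0xc00000b5 at offset 0xa6df3000 for 0x1000 bytes.
Windows replaced bad clusters in file 31
of name \\$Extend\\$RmMetadata\\$TxfLog\\$Tops.
Read failure with status 0xc0000010 at offset 0x38f52bf000 for 0x10000 bytes.
Windows replaced bad clusters in file 244237
of name \\Users\\Andrew\\DOCUME~1\\TUITIO~1.PDF.
Adding 3 bad clusters to the Bad Clusters File.
Windows has made corrections to the file system.
 475181051 KB total disk space.
        12 KB in bad sectors.
"""

READ_FAIL = re.compile(
    r"Read failure with status (0x[0-9a-f]+) at offset (0x[0-9a-f]+) for (0x[0-9a-f]+) bytes")
# The file record number and the path are split across two lines in chkdsk output.
REPLACED = re.compile(r"Windows replaced bad clusters in file (\d+)\nof name (\S+)\.")
ADDED = re.compile(r"Adding (\d+) bad clusters to the Bad Clusters File")
BAD_KB = re.compile(r"^\s*(\d+) KB in bad sectors", re.M)


def parse_chkdsk(text):
    """Summarise the disk-health signals found in a chkdsk log."""
    failures = [(st, int(off, 16), int(n, 16)) for st, off, n in READ_FAIL.findall(text)]
    affected = [(int(rec), name) for rec, name in REPLACED.findall(text)]
    added = ADDED.search(text)
    bad_kb = BAD_KB.search(text)
    return {
        "read_failures": len(failures),
        "bytes_unreadable": sum(n for _, _, n in failures),
        "status_codes": sorted({st for st, _, _ in failures}),
        "files_with_bad_clusters": affected,
        "bad_clusters_added": int(added.group(1)) if added else 0,
        "bad_sector_kb": int(bad_kb.group(1)) if bad_kb else 0,
    }


def drive_health(summary):
    """Triage: newly added bad clusters or read failures mean the disk is degrading."""
    if summary["bad_clusters_added"] or summary["read_failures"]:
        return "FAILING: back up now and plan a drive replacement"
    if summary["bad_sector_kb"]:
        return "DEGRADED: known bad sectors present, monitor for growth"
    return "OK"
```

Feeding it the text of each new event 1001 from the Application log turns the "it started again" symptom into a count of bad clusters that grows from run to run.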


#11 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective
  • Local time:04:21 PM

Posted 17 May 2013 - 07:52 AM

Are you still with us?  Do you have any further questions?


Best Regards,
oneof4.


#12 Mile High

Mile High
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:21 PM

Posted 17 May 2013 - 07:58 AM

I'm still with you; questions, no. Like you said, it was a band-aid fix. It started again, so I re-ran the error check and it started to work better again. I have to wait for the end of the semester before replacing the hard drive. Thank you again for all your help with this problem; I never even considered that my hard drive was failing.



#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,611 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:21 PM

Posted 18 May 2013 - 03:58 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft