
Infected with Several Nasty Items



#1 MaracTA


Posted 29 September 2013 - 06:32 PM

Hi,

 

First time poster, but I have used the info on this site before to help clean up some previous infections.  But this time, it looks like I picked up an infection (or more) that the existing instructions don't seem to be able to fix!

 

This concerns my desktop PC, which is running Windows XP Professional.  McAfee is my anti-virus, and I also run SuperAntiSpyware (on a real-time basis) and use Malwarebytes MBAM periodically (the free version).  I noticed a few days ago that McAfee seemed to not be updating and ran scans using SuperAntiSpyware and MBAM.  SuperAntiSpyware indicated that I had a DisabledSecurityCenter registry key and Trojan.Agent/Gen-Nullo[Short].  SuperAntiSpyware said it quarantined the Trojan and repaired the registry key.  I then ran MBAM and it found PUP.Optional.PCPerformer.A and PUP.Optional.OpenCandy, both of which were quarantined. 

 

Both SuperAntiSpyware and MBAM find no further infections.

 

McAfee still didn't work, and McAfee Virtual Technician also couldn't fix the issues, so I tried to re-install McAfee.  The re-install failed to completely install everything and then my computer's internet connections were disabled.  I disconnected the computer from the internet to ensure that the malware doesn't send any info out and further infections aren't downloaded.  Although the McAfee reinstall failed, Security Center still fires up when the computer is started.  But, McAfee continues to have real-time scanning disabled and it will not initiate any scans of the computer.

 

I did a search on PUP.Optional and found an existing thread here in which BC Advisor had another person infected with the PUP.optional malware post logs from various diagnostic tools and then run several tools to clean the infection.  I ran through the steps in that post, but had no luck.  I also tried to restart DHCP and DNS services (which are turned off, but they will not restart due to dependent processes not operating). 

 

So, to give you some more detailed info to try to determine what is wrong, I am posting the results of my logs for SecurityCheck, FSS, and MiniToolbox.  

 

SecurityCheck Log:

 

 Results of screen317's Security Check version 0.99.73 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
McAfee Anti-Virus and Anti-Spyware  
 Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 SUPERAntiSpyware Free Edition  
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java™ 6 Update 31 
 Java 7 Update 25 
 Java™ 6 Update 5 
 Java™ 6 Update 7 
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbam.exe 
 mcafee VIRUSS~1 mcvsshld.exe 
 SecurityCheck.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 16% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

 

FSS Log (Note: I removed personal info such as user names, etc.):

Farbar Service Scanner Version: 13-09-2013
Ran by XXXXXXXXXXX (administrator) on 29-09-2013 at 19:23:23
Running from "F:\Malware Stuff"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
There is no connection to network.
Attempt to access Google IP returned error. Other errors
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Other Services:
==============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) mfetdi2k(9) NetBT(5) PSched(7) Tcpip(3) Tcpip6(10)
0x0A0000000400000001000000020000000300000009000000080000000500000006000000070000000A000000
IpSec Tag value is correct.

**** End of log ****

 

MiniToolbox Log:

 

MiniToolBox by Farbar  Version: 13-07-2013
Ran by XXXXXXXXXXX (administrator) on 29-09-2013 at 19:23:55
Running from "F:\Malware Stuff"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================

127.0.0.1       localhost

========================= IP Configuration: ================================

Broadcom NetXtreme 57xx Gigabit Controller = Local Area Connection (Connected)

# ----------------------------------
# Interface IP Configuration        
# ----------------------------------
pushd interface ip

 

popd
# End of interface IP configuration

Windows IP Configuration

An internal error occurred: The request is not supported.
Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.

Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.

Unable to contact IP driver, error code 2

========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\system32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 19 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 20 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 21 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 22 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (09/29/2013 06:21:05 PM) (Source: Broadcom ASF IP and SMBIOS Mailbox Monitor) (User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (09/29/2013 06:20:54 PM) (Source: SQLBrowser) (User: )
Description: The SQLBrowser service was unable to establish SQL instance and connectivity discovery.

Error: (09/29/2013 06:20:54 PM) (Source: SQLBrowser) (User: )
Description: The SQLBrowser service port is unavailable for listening, or invalid.

Error: (09/29/2013 06:20:49 PM) (Source: McLogEvent) (User: NT AUTHORITY)
Description: MCSCAN32 Engine Initialisation failed.
Engine returned error : 1

Error: (09/29/2013 06:20:44 PM) (Source: McLogEvent) (User: NT AUTHORITY)
Description: MCSCAN32 Engine Initialisation failed.
Engine returned error : 1

Error: (09/29/2013 06:20:44 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Error: (09/29/2013 06:20:43 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (09/29/2013 04:15:51 PM) (Source: SQLBrowser) (User: )
Description: The SQLBrowser service was unable to establish SQL instance and connectivity discovery.

Error: (09/29/2013 04:15:51 PM) (Source: SQLBrowser) (User: )
Description: The SQLBrowser service port is unavailable for listening, or invalid.

Error: (09/29/2013 04:15:46 PM) (Source: McLogEvent) (User: NT AUTHORITY)
Description: MCSCAN32 Engine Initialisation failed.
Engine returned error : 1

System errors:
=============
Error: (09/29/2013 04:16:12 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%2

Error: (09/29/2013 04:16:12 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP Protocol Driver service failed to start due to the following error:
%%2

Error: (09/29/2013 04:16:11 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%2

Error: (09/29/2013 04:16:11 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP Protocol Driver service failed to start due to the following error:
%%2

Error: (09/29/2013 04:15:51 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
mfeapfk
NetBT
Tcpip
Tcpip6

Error: (09/29/2013 04:15:41 PM) (Source: Service Control Manager) (User: )
Description: The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
%%2

Error: (09/29/2013 04:15:41 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31

Error: (09/29/2013 04:15:41 PM) (Source: Service Control Manager) (User: )
Description: The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol Driver service which failed to start because of the following error:
%%31

Error: (09/29/2013 04:15:41 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%31

Error: (09/29/2013 04:15:41 PM) (Source: Service Control Manager) (User: )
Description: The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31

Microsoft Office Sessions:
=========================
Error: (10/29/2012 11:15:27 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6662.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 1006 seconds with 660 seconds of active time.  This session ended with a crash.

Error: (07/12/2012 03:46:50 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 1958 seconds with 1740 seconds of active time.  This session ended with a crash.

Error: (03/04/2011 05:43:24 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 121 seconds with 60 seconds of active time.  This session ended with a crash.

=========================== Installed Programs ============================

2007 Microsoft Office system (Version: 12.0.6612.1000)
4300 (Version: 71.0.215.000)
4300_Help (Version: 71.0.215.000)
4300Trb (Version: 71.0.215.000)
Adobe Acrobat  8 Standard (Version: 8.3.1)
Adobe Acrobat 8.3.1 - CPSID_83708
Adobe Acrobat 8.3.1 Standard (Version: 8.3.1)
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) (Version: 8.1.2)
Adobe Flash Player 11 ActiveX (Version: 11.8.800.174)
Adobe Shockwave Player 11.5 (Version: 11.5.6.606)
AiO_Scan_CDA (Version: 71.0.215.000)
AiOSoftwareNPI (Version: 71.0.215.000)
AnswerWorks 5.0 English Runtime (Version: 5.0.7)
Apple Application Support (Version: 1.4.1)
Apple Software Update (Version: 2.1.3.127)
Avery LabelPro 3.0
Broadcom ASF Management Applications (Version: 10.16.02)
Broadcom Management Programs (Version: 10.20.03)
Browser Address Error Redirector (Version: 1.00.0000)
BufferChm (Version: 70.0.170.000)
Citrix Presentation Server Client - Web Only (Version: 10.150.58643)
Confidence Online™ for Web Applications
Corel Uninstaller
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder (Version: 1.00.0000)
Destinations (Version: 70.0.170.000)
DeviceManagementQFolder (Version: 1.00.0000)
DocProc (Version: 7.0.0.0)
DocumentViewer (Version: 70.0.170.000)
DocumentViewerQFolder (Version: 1.00.0000)
EOOS (Version: 4.0)
EOOS (Version: 4.1)
eSupportQFolder (Version: 1.00.0000)
Fax_CDA (Version: 71.0.215.000)
FileZilla Client 3.3.1 (Version: 3.3.1)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.5.4413.1752)
Help Workshop
Hewlett-Packard ACLM.NET v1.1.0.0 (Version: 1.00.0000)
High Definition Audio Driver Package - KB835221 (Version: 20040219.000000)
HP Customer Participation Program 7.0 (Version: 7.0)
HP Document Viewer 7.0 (Version: 7.0)
HP Imaging Device Functions 7.0 (Version: 7.0)
hp LaserJet 1160/1320 series (Version: 1.00.0000)
HP Photosmart, Officejet and Deskjet 7.0.A
HP Product Assistant (Version: 100.000.001.000)
HP Product Detection (Version: 11.14.0001)
HP Solution Center 7.0 (Version: 7.0)
HP Update (Version: 5.005.000.002)
HPPhotoSmartExpress (Version: 70.0.170.000)
HPProductAssistant (Version: 70.0.170.000)
InstantShareAlert (Version: 1.00.0000)
InstantShareDevicesMFC (Version: 70.0.170.000)
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
iSEEK AnswerWorks English Runtime (Version: 010.000.0101)
J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
Java 7 Update 25 (Version: 7.0.250)
Java Auto Updater (Version: 2.1.9.5)
Java™ 6 Update 31 (Version: 6.0.310)
Java™ 6 Update 5 (Version: 1.6.0.50)
Java™ 6 Update 7 (Version: 1.6.0.70)
Juniper Networks Cache Cleaner 5.5.0 (Version: 5.5.0.12129)
Juniper Networks Host Checker (Version: 5.5.0.12129)
Juniper Networks Network Connect 5.5.0 (Version: 5.5.0.12129)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
MarketResearch (Version: 70.0.170.000)
McAfee Total Protection (Version: 11.6.511)
McAfee Virtual Technician (Version: 7.1.0.2483)
MediaFACE II
MFCLOC (Version: 1.00.0000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Forefront UAG endpoint components v4.0.0
Microsoft FrontPage 2000 (Version: 9.00.2720)
Microsoft Office 2003 Web Components (Version: 11.0.8173.0)
Microsoft Office 2007 Primary Interop Assemblies (Version: 12.0.4518.1014)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Live Meeting 2007 (Version: 8.0.6362.187)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Professional Hybrid 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Small Business Connectivity Components (Version: 2.0.7024.0)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Software Update for Web Folders  (English) 12 (Version: 12.0.6612.1000)
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ) (Version: 9.4.5000.00)
Microsoft SQL Server Native Client (Version: 9.00.5000.00)
Microsoft SQL Server Setup Support Files (English) (Version: 9.00.5000.00)
Microsoft SQL Server VSS Writer (Version: 9.00.5000.00)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual Basic 6.0 Professional Edition
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Web Publishing Wizard 1.53
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6.0 Parser (KB933579) (Version: 6.10.1200.0)
NewCopy_CDA (Version: 71.0.215.000)
OCR Software by I.R.I.S 7.0 (Version: 7.0)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
PanoStandAlone (Version: 70.0.170.000)
PowerDVD (Version: 7.0)
PrintScreen (Version: 5.40.10.000)
ProductContextNPI (Version: 71.0.215.000)
Quicken 2013 (Version: 22.1.12.7)
Quicken WillMaker Plus 2013 (Version: 1.0.0.0)
QuickTime (Version: 7.69.80.9)
Rand McNally TripMaker 98
Readme (Version: 71.0.215.000)
RealDownloader (Version: 1.3.3)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0)
RealPlayer (Version: 16.0.3)
RealUpgrade 1.1 (Version: 1.1.0)
SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6 (Version: 4.47)
Scan (Version: 7.0.0.0)
ScannerCopy (Version: 7.0.0.0)
Screen Shot Deluxe 3.0
SearchAssist
Shared C Run-time for x86 (Version: 10.0.0)
SolutionCenter (Version: 70.0.170.000)
Stamps.com
Stamps.com (Version: 9.6.1.2323)
Stamps.com Application Support for Microsoft Word 2000-2010 (Version: 8.7.0.1506)
Stamps.com support for Microsoft Word 2000-2007
Stamps.com support for Microsoft Word 2000-2010
Status (Version: 70.0.170.000)
SUPERAntiSpyware Free Edition (Version: 4.32.0.1000)
Toolbox (Version: 70.0.170.000)
TrayApp (Version: 70.0.170.000)
Unload (Version: 7.0.0)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2825641) 32-Bit Edition
Update for Windows Internet Explorer 8 (KB971930) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB976749) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB2863058) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
VB HelpWriter for Windows 95
VisFT (Version: 2.5.4)
WebEx
WebFldrs XP (Version: 9.50.7523)
WebReg (Version: 70.0.170.000)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows XP Service Pack 3 (Version: 20080414.031525)
WinZip (Version:  9.0 SR-1 (6224))
WMatch Version 2.0.0

========================= Devices: ================================

========================= Memory info: ===================================

Percentage of memory in use: 40%
Total physical RAM: 2036.89 MB
Available physical RAM: 1219.04 MB
Total Pagefile: 3928.53 MB
Available Pagefile: 3162.26 MB
Total Virtual: 2047.88 MB
Available Virtual: 1971 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:40.01 GB) (Free:14.01 GB) NTFS
3 Drive d: () (Fixed) (Total:34.44 GB) (Free:19.73 GB) NTFS
5 Drive f: () (Removable) (Total:0.95 GB) (Free:0.72 GB) FAT

========================= Users: ========================================

User accounts for \\MSEMAIN2

Administrator            Guest                    HelpAssistant           
SUPPORT_388945a0         XXXXXXXXXXXX           

**** End of log ****

 

 

NOTE:  The HelpAssistant and SUPPORT_388945a0 are unrecognized user accounts, and I can't see them on my computer!!

 

Thanks for any assistance you can provide!
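The MiniToolBox "System errors" section above is the part of these logs that actually explains why DHCP and DNS would not restart: Service Control Manager records each service that failed because a service it depends on failed, and the raw Win32 error as "%%N". The following is an added example, not part of the original post and not code from Farbar's tools, that parses those lines and walks the dependency chain down to the service at the bottom of the cascade. The sample input is a verbatim subset of the SCM errors posted above; the decoding of %%2 and %%31 to their winerror.h names is the only thing assumed beyond the log itself.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Service Control Manager" errors from the
# MiniToolBox log posted in this thread, kept verbatim so the parser runs offline.
SAMPLE_SCM_ERRORS = """\
Error: (09/29/2013 04:16:12 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%2

Error: (09/29/2013 04:16:12 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP Protocol Driver service failed to start due to the following error:
%%2

Error: (09/29/2013 04:15:41 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31

Error: (09/29/2013 04:15:41 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%31

Error: (09/29/2013 04:15:41 PM) (Source: Service Control Manager) (User: )
Description: The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31
"""

# SCM writes the Win32 error as "%%N". These two names are taken from winerror.h
# (assumed mapping; any other code is reported as "unknown").
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 31: "ERROR_GEN_FAILURE"}

DEPENDS_RE = re.compile(
    r"The (.+?) service depends on the (.+?) service which failed to start "
    r"because of the following error:\s*%%(\d+)"
)
DIRECT_RE = re.compile(
    r"The (.+?) service failed to start due to the following error:\s*%%(\d+)"
)


def parse_scm_errors(text):
    """Split SCM errors into direct failures {service: {codes}} and
    dependency failures {dependent: {(dependency, code)}}."""
    direct = defaultdict(set)
    deps = defaultdict(set)
    for m in DIRECT_RE.finditer(text):
        direct[m.group(1)].add(int(m.group(2)))
    for m in DEPENDS_RE.finditer(text):
        dependent, dependency, code = m.group(1), m.group(2), int(m.group(3))
        deps[dependent].add((dependency, code))
    return dict(direct), dict(deps)


def root_causes(deps):
    """Services that others blame but that have no recorded dependency of
    their own: the bottom of the cascade, where triage should start."""
    blamed = {dependency for pairs in deps.values() for dependency, _ in pairs}
    return sorted(s for s in blamed if s not in deps)


def describe(code):
    """Render a %%N code with its winerror.h name."""
    return f"{code} ({WIN32_ERRORS.get(code, 'unknown')})"


def cascade_report(text):
    """One line per root cause: its error codes and the services it blocks."""
    direct, deps = parse_scm_errors(text)
    report = []
    for root in root_causes(deps):
        codes = set(direct.get(root, set()))
        codes |= {c for pairs in deps.values() for d, c in pairs if d == root}
        dependents = sorted(s for s, pairs in deps.items()
                            if any(d == root for d, _ in pairs))
        report.append(f"{root}: failed with "
                      f"{', '.join(describe(c) for c in sorted(codes))}; "
                      f"blocks {', '.join(dependents)}")
    return report


if __name__ == "__main__":
    for line in cascade_report(SAMPLE_SCM_ERRORS):
        print(line)
```

Run against the excerpt, the report names the TCP/IP Protocol Driver (and NetBios over Tcpip, which sits on top of it) as the root of the chain that blocks DNS Client, IPSEC Services and NLA, which is consistent with the "Unable to contact IP driver, error code 2" line in the same log and with the boot-start driver list (Tcpip, NetBT, Tcpip6) that failed to load. Restarting DHCP or DNS by hand cannot succeed until the driver at the bottom of that chain loads, which is the practical reason the poster's earlier attempts failed.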

 

 

 





#2 noknojon


Posted 29 September 2013 - 11:39 PM

Hello and we hope that we can help.

 

McAfee is my anti-virus < I must assume this is a paid version or free from your ISP or company.

 

Please print these instructions if they are too long -

First delete all of these from Control Panel > Add / Remove, as they are outdated and can be vulnerable.
 Java™ 6 Update 31
 Java 7 Update 25
 Java™ 6 Update 5
 Java™ 6 Update 7
Now install the latest version from This Java Site

Next  - Total Fragmentation on Drive C:: 16% Defragment your hard drive soon! (Do NOT defrag if SSD!)
Go Start > Programs > Accessories > System Tools > Disk Defragmenter to defrag your main disk

 

 

Read This - How To Temporarily Disable Your Anti-virus as you will need it
Please download Junkware Removal Tool by thisisu to your desktop
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Leave your Antivirus and SAS disabled for this scan -

Scan your machine with ESET OnlineScan
1. Hold down Control and click HERE to open ESET OnlineScan in a new window.
2. Click the ESET Online Scanner button.
3. NOTE: For alternate browsers only (Microsoft Internet Explorer users can skip these steps):

 

- 1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
- 2. Double click on the ESET Online Scanner icon on your desktop.

 

 4. Check "YES, I accept the Terms of Use."
 5. Click the Start button.
 6. Accept any security warnings from your browser.
 7. Under scan settings, check "Scan Archives" and "Remove found threats"
8. Click Advanced settings and select the following:

 

Scan potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth technology

 

9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient, as this will take some time to download the program for the first time and then download the updated database (note: 2 hours is not unusual).
10. When the scan completes, click List Threats
11. Click Export, and save the file to your desktop using a unique name, such as ESETScan.
- Include the contents of this report in your next reply.
12. Click the Back button.
13. Click the Finish button
Or you can find a report at  C:\Program Files\esetonlinescanner\log.txt.

 

 

Be sure to enable all active protection now -

 

 

Clear Cache / Temp Files
Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.  Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

 

Thank You -



#3 MaracTA


Posted 01 October 2013 - 07:58 AM

Hi,

 

Thanks for your help!

 

Yes, I am a registered user of both McAfee and SAS.

 

I deleted the old Java items and defragged my drive.  I then ran JRT and it came up clean.  The log is below:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.3 (09.27.2013:1)
OS: Microsoft Windows XP x86
Ran by XXXXXXXX on Tue 10/01/2013 at  8:34:48.17
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 10/01/2013 at  8:38:25.78
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

Unfortunately, I can't run ESET scanner yet, because my internet connection on the PC is still non-functional (DHCP and DNS are turned off, as noted in the original scans).  Similarly, I can't install the latest Java for the same reason.  I assume there isn't a way to download the latest version (onto a PC connected to the internet) and then transfer it to the infected machine?



#4 noknojon


Posted 01 October 2013 - 08:29 PM

I assume there isn't a way to download the latest version (onto a PC connected to the internet) and then transfer it to the infected machine?

Yes these can be done with a USB Flash drive and transferred to the infected machine.

You must have used this method for MinitoolBox and the other programs.

 

Thank You -



#5 MaracTA


Posted 07 October 2013 - 06:38 PM

Hi,

 

I was away on travel for a few days and haven't had a chance to update this thread.

 

ESET scanner requires an internet connection (which I had lost), so that posed a challenge. I should have tried booting in safe mode with networking capability earlier.  Doing so enabled me to access the internet again.  I then tried booting from the last good configuration and that allowed me internet access with full Windows operability.

 

I ran the ESET scanner and it came up clean. I also updated MBAM and Super Antispyware and these also ran clean.

 

I next tried to re-install McAfee and was unsuccessful installing from my on-line account (installation kept failing).  I was able to go back to my original install CD and get that to run.

 

Once McAfee was installed, I updated it and did a complete scan (clean). I then did another complete scan with MBAM and it picked up two registry data values for "Disabled.SecurityCenter".  MBAM said it corrected those. I then ran new complete scans with McAfee, MBAM, ESET and SuperAntiSpyware.  Everything came up clean on each.

 

So, I think I am rid of whatever caused the initial problems.  But, if there are any other scans that should be done (to be sure something isn't lurking somewhere), please advise.

 

Thanks for the help!



#6 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:02:57 AM

Posted 07 October 2013 - 07:34 PM

Hello again -

I noticed a few items that I may have missed last time, or were just due to no internet.

Now that you have connection, can you please run this again ?

 

Delete the old icon if it is still on your desktop, and use a fresh copy.

Download Security Check by Screen317
* Save it to your Desktop.
* Double-click SecurityCheck.exe - Right click and select Run as Administrator for Vista and above
* Follow the onscreen instructions inside the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.

 

Tell me if you have any problems with running it.

 

Also do you recall if MBAM listed "PUM" Disabled.SecurityCenter ? It would be in your logs history.

 

Thanks -



#7 MaracTA

MaracTA
  • Topic Starter

  • Members
  • 7 posts
  • Local time:12:57 PM

Posted 07 October 2013 - 07:57 PM

Hi,

 

No problem.  Below is the SecurityCheck log:

 

 Results of screen317's Security Check version 0.99.73 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
McAfee Anti-Virus and Anti-Spyware  
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 SUPERAntiSpyware Free Edition  
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 7 Update 40 
 Java version out of Date!
````````Process Check: objlist.exe by Laurent```````` 
 SecurityCheck.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 

Note that I had just updated Java. I thought I was on the latest version, but I'll check again.

 

On MBAM, yes it had detected PUM.Disabled.SecurityCenter on an earlier scan, but not on the latest one.

 

Thanks for your continued help!



#8 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:02:57 AM

Posted 07 October 2013 - 09:46 PM

That looks a lot better -

Generally ignore the Java update reading, as it can often be out.

 

Chances are you never installed a SolidStateDrive, so I would just run Defrag -

Start > Programs > Accessories > System Tools > Disk Defragmenter and run that

Total Fragmentation on Drive C:: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
 

PUM = Potentially Unwanted Modification, as your Firewall was disabled (at the time).

 

I also run SuperAntiSpyware (on a real-time basis) < < SUPERAntiSpyware Free Edition is still listed. Did you mean you ran the Trial Version ?

If not, it is not registered yet.
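The PUM.Disabled.SecurityCenter finding discussed above refers to the Windows Security Center registry key having its notification or override values switched on, which is how malware hides a disabled antivirus or firewall from the user. The following is an added example, not code from this thread or from MBAM, that reports any such value still set; the key path and value names are the standard Security Center ones (an assumption, since the thread does not list which values MBAM repaired), and it can be run from PowerShell on the affected machine.

```powershell
# Added example (not from the thread): report Security Center notification
# values that have been turned off, which is what a PUM.Disabled.SecurityCenter
# detection points at. Assumes the classic Security Center key used by XP.

$keyPath = 'HKLM:\SOFTWARE\Microsoft\Security Center'
# Standard notification/override values; a non-zero DWORD suppresses the alert.
$watched = @('AntiVirusDisableNotify', 'FirewallDisableNotify',
             'UpdatesDisableNotify', 'AntiVirusOverride', 'FirewallOverride')

function Get-SecurityCenterTampering {
    param([string]$Path = $keyPath)
    $findings = @()
    if (-not (Test-Path $Path)) {
        Write-Warning "Key $Path not found"
        return $findings
    }
    $props = Get-ItemProperty -Path $Path
    foreach ($name in $watched) {
        $value = $props.$name
        # Only values that exist and are non-zero count as a finding.
        if ($null -ne $value -and $value -ne 0) {
            $findings += [pscustomobject]@{ Value = $name; Data = $value }
        }
    }
    return $findings
}

$hits = @(Get-SecurityCenterTampering)
if ($hits.Count -eq 0) {
    Write-Output "No Security Center notification values are disabled."
} else {
    Write-Output "Security Center notifications suppressed (PUM finding):"
    $hits | Format-Table -AutoSize
    # Remediation is to reset each value to 0, which is what the scanners
    # did here; uncomment after reviewing the list above.
    # foreach ($h in $hits) {
    #     Set-ItemProperty -Path $keyPath -Name $h.Value -Value 0 -Type DWord
    # }
}
```

Run it after cleanup as a check that the repair held; a value that flips back to 1 on the next boot is a sign that something is still re-applying the modification.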



#9 MaracTA

MaracTA
  • Topic Starter

  • Members
  • 7 posts
  • Local time:12:57 PM

Posted 08 October 2013 - 06:13 AM

Hi,

 

Glad to hear things look OK!
 

On the SAS, I have a lifetime subscription. I started with the free version, then registered. So, perhaps the process info wasn't updated to reflect the upgrade. On the Control Panel "Add/Remove Programs" list, it shows as SAS Professional, for example.

 

I'll re-run defrag (I had done so at the start of this process, but the un-install/re-install of McAfee and Java probably fragmented things again).

 

I appreciate all the help you provided along the way!


