
Cannot send email. Error message from spamhaus.com


54 replies to this topic

#1 fasthorse (Members, 42 posts, Lund BC Canada)

Posted 16 January 2014 - 05:49 AM

Kaspersky says I'm clean, online scans say the same, Fabian Wosar's tool says the same. Could not use this New Topic page last night; my keyboard would not type text. All keystrokes activated drop menus, e.g. H opened Help etc. Program icons would not open the program, only the properties window. Unplugged and removed battery on shutdown. Seems ok so far.

Attached File: attach.txt (25.62KB, 1 download)
Attached File: dds.txt (17.69KB, 3 downloads)




#2 fasthorse (Topic Starter, Members, 42 posts, Lund BC Canada)

Posted 16 January 2014 - 05:15 PM

My humble apologies. I will stay put. :horse:



#3 nasdaq (Malware Response Team, 40,521 posts, Montreal, QC, Canada)

Posted 20 January 2014 - 10:29 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Nothing suspicious was found on your log.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
[image: RcAuto1.gif]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: whatnext.png]
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please restart the computer before running this security check.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM.
Let me know what problem persists.

#4 fasthorse (Topic Starter, Members, 42 posts, Lund BC Canada)

Posted 20 January 2014 - 12:42 PM

Good morning and thank you!

I have received your instructions and will seek out a means of printing them. I'm on an extended stay in Mexico and only have my laptop here. I will be as quick as I can and get on this. I may have to hand write them.

I'm glad to hear you found nothing serious in those logs; such good news.

Thanks again......



#5 nasdaq (Malware Response Team, 40,521 posts, Montreal, QC, Canada)

Posted 20 January 2014 - 01:42 PM

Run the AdwCleaner scan on your computer.
Then use the Clean button. It's safe enough. If you need to restore a program you can restore it.

As for ComboFix if all is well you do not need to run it.
It was just an added protection.

#6 fasthorse (Topic Starter, Members, 42 posts, Lund BC Canada)

Posted 20 January 2014 - 02:11 PM

Hello nasdaq:

A little added protection is good.

Hand writing also made the concepts sink in better!

I ran everything as per instructions and had no problems with any of the tools.

Everything went smoothly. Here are the reports.......... Pasted not Attached.......... (shaken not stirred?)

As for the last one, Security Check, I have restarted my firewall.

Thanks for all your work and everything......


# AdwCleaner v3.017 - Report created 20/01/2014 at 12:06:10
# Updated 12/01/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : John - JOHN-5B07273EBA
# Running from : C:\Documents and Settings\John\Desktop\adwcleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\hxtbh523.default\prefs.js ]


-\\ Google Chrome v32.0.1700.76

[ File : C:\Documents and Settings\John\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [950 octets] - [20/01/2014 12:06:10]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1009 octets] ##########


Report Number Two

# AdwCleaner v3.017 - Report created 20/01/2014 at 12:23:59
# Updated 12/01/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : John - JOHN-5B07273EBA
# Running from : C:\Documents and Settings\John\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\hxtbh523.default\prefs.js ]


-\\ Google Chrome v32.0.1700.76

[ File : C:\Documents and Settings\John\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [1089 octets] - [20/01/2014 12:06:10]
AdwCleaner[R1].txt - [1150 octets] - [20/01/2014 12:17:35]
AdwCleaner[S0].txt - [1077 octets] - [20/01/2014 12:23:59]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1137 octets] ##########


ComboFix Report

 

ComboFix 14-01-16.03 - John 01/20/2014 12:44:16.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1525 [GMT -6:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: Kaspersky PURE 3.0 *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky PURE 3.0 *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\John\WINDOWS
c:\windows\system32\DC120fc7_32.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-12-20 to 2014-01-20 )))))))))))))))))))))))))))))))
.
.
2014-01-20 18:06 . 2014-01-20 18:24 -------- d-----w- C:\AdwCleaner
2014-01-16 04:27 . 2014-01-16 04:27 -------- d-----w- C:\edb6bda49c10839f1bbaf81b7676
2014-01-13 10:01 . 2014-01-13 10:02 -------- d-----w- C:\10a5dd91a672bd2092
2014-01-07 22:06 . 2014-01-07 22:06 -------- d-----w- C:\Binaries
2014-01-05 09:34 . 2014-01-05 09:34 -------- d-----r- C:\Backup
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-27 20:21 . 2004-08-04 10:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2013-11-13 02:59 . 2004-08-04 10:00 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-12 06:18 . 2013-11-12 06:18 44000 ----a-w- c:\windows\system32\drivers\kltdi.sys
2013-11-12 06:18 . 2013-11-12 06:18 24160 ----a-w- c:\windows\system32\drivers\klkbdflt.sys
2013-11-12 06:18 . 2013-11-12 06:18 145040 ----a-w- c:\windows\system32\drivers\kneps.sys
2013-11-12 06:18 . 2013-11-12 06:18 135776 ----a-w- c:\windows\system32\drivers\kl1.sys
2013-11-12 06:18 . 2009-11-03 04:27 24672 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2013-11-07 05:38 . 2004-08-04 10:00 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-10-30 02:26 . 2004-08-04 10:00 1879040 ----a-w- c:\windows\system32\win32k.sys
2013-10-29 07:57 . 2006-03-04 03:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-29 07:57 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-10-29 07:57 . 2004-08-04 10:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-29 07:57 . 2004-08-04 10:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-10-29 00:45 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2013-10-23 23:45 . 2004-08-04 10:00 172032 ----a-w- c:\windows\system32\scrrun.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2012-12-21 02:20 459784 ----a-w- c:\program files\Kaspersky Lab\Kaspersky PURE 3.0\shellex.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-07 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-17 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-17 138008]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 851968]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe" [2013-11-12 356128]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2013-05-01 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [1/6/2014 5:09 PM 88632]
R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [1/6/2014 5:10 PM 39736]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [11/12/2013 12:18 AM 44000]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [11/12/2013 12:18 AM 145040]
R2 CSObjectsSrv;CryptoStorage control service;c:\program files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [9/25/2013 5:42 PM 818888]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [3/10/2011 8:34 PM 35672]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [11/12/2013 12:18 AM 24160]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 10:27 PM 24672]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-01-18 01:30 1211672 ----a-w- c:\program files\Google\Chrome\Application\32.0.1700.76\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 01:57]
.
2014-01-20 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Officejet 7500 E910\Bin\HPCustPartic.exe [2010-06-15 00:07]
.
2014-01-20 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Officejet 7500 E910\Bin\HPCustPartic.exe [2010-06-15 00:07]
.
2014-01-15 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Officejet 7500 E910\Bin\HPCustPartic.exe [2010-06-15 00:07]
.
2014-01-18 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Officejet 7500 E910\Bin\HPCustPartic.exe [2010-06-15 00:07]
.
2014-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-01-09 01:17]
.
2014-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-01-09 01:17]
.
2014-01-16 c:\windows\Tasks\hpwebreg_xxxxxxxxxx.job
- c:\program files\HP\HP Officejet 7500 E910\Bin\hpwebreg.exe [2010-06-15 00:10]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky PURE 3.0\ie_banner_deny.htm
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\hxtbh523.default\
FF - ExtSQL: 2014-01-05 03:30; KavAntiBanner@Kaspersky.ru; c:\program files\Kaspersky Lab\Kaspersky PURE 2.0\FFExt\KavAntiBanner@Kaspersky.ru
FF - ExtSQL: 2014-01-05 03:31; virtualKeyboard@kaspersky.ru; c:\program files\Kaspersky Lab\Kaspersky PURE 2.0\FFExt\virtualKeyboard@kaspersky.ru
FF - ExtSQL: 2014-01-05 03:31; linkfilter@kaspersky.ru; c:\program files\Kaspersky Lab\Kaspersky PURE 2.0\FFExt\linkfilter@kaspersky.ru
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-QuickTime - c:\windows\unvise32qt.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-20 12:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2014-01-20 12:52:14
ComboFix-quarantined-files.txt 2014-01-20 18:52
.
Pre-Run: 365,804,314,624 bytes free
Post-Run: 366,706,475,008 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut
.
- - End Of File - - D571A5352A30E86E65DE1225AE83A3F4
8F558EB6672622401DA993E1E865C861


Security Check Log

Results of screen317's Security Check version 0.99.79
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
`````````Anti-malware/Other Utilities Check:`````````
Mozilla Firefox (26.0)
Mozilla Thunderbird (24.2.0)
Google Chrome 31.0.1650.63
Google Chrome 32.0.1700.76
````````Process Check: objlist.exe by Laurent````````
Kaspersky Lab Kaspersky PURE 3.0 avp.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 16% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````



#7 nasdaq (Malware Response Team, 40,521 posts, Montreal, QC, Canada)

Posted 20 January 2014 - 02:21 PM

All clean, looking good.

If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===


Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

Having an effective antivirus is a must for everyone.
In addition to many excellent commercial products there are plenty of good free antivirus programs available. I can recommend:

If you are satisfied with your current protection programs you can ignore the instructions on Antivirus or Firewall listed below.

In addition to an antivirus I recommend using a firewall. A software firewall is a software program that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. I can recommend one of the following free products:

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not being malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Malwarebytes Anti-Malware (MBAM)
The free version of MBAM can be used to scan the system for traces of malware. Scanning your system regularly will make it harder for malware to reside on your system.
A tutorial on using MBAM can be found here.
Please Note: Only the paid for version has real time capabilities.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please keep your programs up to date. This applies to Java, Adobe Flashplayer, Adobe Reader and your Internet Browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC. Visiting a prepared web page suffices to infect your system.

In general Firefox, Opera and Google Chrome are considered to be more secure than Internet Explorer. In addition there are many useful add-ons that can protect you from possible risks:
  • WOT will warn you when you try to visit sites with poor reputation. The reputation is based on user ratings and is usually very accurate.
  • Script Blocker can help block many attempts to infect your system via malicious websites by only allowing scripts at sites you trust.
  • NoScript is a popular Firefox add-on;
  • ScriptNo is a popular Google Chrome add-on.
For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
===

#8 fasthorse (Topic Starter, Members, 42 posts, Lund BC Canada)

Posted 20 January 2014 - 03:02 PM

Hello nasdaq:

You said "All clean, looking good." Does that mean there were no infections, or there were and the tools got rid of them? Just curious. In any case your advice on pro-active computer care is embarrassingly obvious. I have an agreement with my family doctor: It is not his responsibility to keep me healthy. It is mine.

I see some careless errors and lax behaviour on my part that contributed to this computer problem.

thank you so much ...............your work is not in vain....



#9 fasthorse (Topic Starter, Members, 42 posts, Lund BC Canada)

Posted 21 January 2014 - 12:18 PM

Hello nasdaq:

I have done the suggested clean up, defrag, Malwarebytes scan, etc. and as you said, everything is clean. However, I still have the spamhaus error messages, and still unable to send email. Am I missing something?



#10 fasthorse (Topic Starter, Members, 42 posts, Lund BC Canada)

Posted 21 January 2014 - 01:06 PM

PS to the above:

I have uninstalled and redownloaded a new copy of my email program, which had no effect. The same error message I reported is still there.



#11 nasdaq (Malware Response Team, 40,521 posts, Montreal, QC, Canada)

Posted 21 January 2014 - 01:27 PM

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List content of Hosts
  • List IP Configuration
  • List Winsock Entries

Click Go and copy/paste the log (Result.txt) into your next post.
Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.


#12 fasthorse (Topic Starter, Members, 42 posts, Lund BC Canada)

Posted 21 January 2014 - 02:22 PM

Hi nasdaq:

Thanks for the quick response.

Here is the log:


MiniToolBox by Farbar  Version: 18-12-2013
Ran by John (administrator) on 21-01-2014 at 13:20:03
Running from "C:\Documents and Settings\John\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1       localhost

========================= IP Configuration: ================================

Dell Wireless 1505 Draft 802.11n WLAN Mini-Card = Wireless Network Connection (Disconnected)
1394 Net Adapter = 1394 Connection (Connected)
Broadcom 440x 10/100 Integrated Controller = Local Area Connection (Media disconnected)


# ----------------------------------
# Interface IP Configuration         
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

        Host Name . . . . . . . . . . . . : john-5b07273eba
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
        Physical Address. . . . . . . . . : 00-1D-09-A3-38-69

Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1d 09 a3 38 69 ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
  255.255.255.255  255.255.255.255  255.255.255.255               2      1
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\system32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 19 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/21/2014 11:57:20 AM) (Source: Application Hang) (User: )
Description: Hanging application explorer.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/20/2014 08:43:47 AM) (Source: LoadPerf) (User: )
Description: Installing the performance counter strings for service MSDTC Bridge 3.0.0.0 (%2) failed. The
Error code is the first DWORD in Data section.

Error: (01/20/2014 08:43:47 AM) (Source: LoadPerf) (User: )
Description: The SYSTEM\CurrentControlSet\Services\MSDTC Bridge 3.0.0.0\Performance key could not be opened or accessed in order to install counter
strings.The Win32 status returned by the call is the first DWORD in Data
section.

Error: (01/20/2014 08:43:47 AM) (Source: LoadPerf) (User: )
Description: Installing the performance counter strings for service ServiceModelService 3.0.0.0 (%2) failed. The
Error code is the first DWORD in Data section.

Error: (01/20/2014 08:43:47 AM) (Source: LoadPerf) (User: )
Description: The SYSTEM\CurrentControlSet\Services\ServiceModelService 3.0.0.0\Performance key could not be opened or accessed in order to install counter
strings.The Win32 status returned by the call is the first DWORD in Data
section.

Error: (01/20/2014 08:43:46 AM) (Source: LoadPerf) (User: )
Description: Installing the performance counter strings for service ServiceModelOperation 3.0.0.0 (%2) failed. The
Error code is the first DWORD in Data section.

Error: (01/20/2014 08:43:46 AM) (Source: LoadPerf) (User: )
Description: The SYSTEM\CurrentControlSet\Services\ServiceModelOperation 3.0.0.0\Performance key could not be opened or accessed in order to install counter
strings.The Win32 status returned by the call is the first DWORD in Data
section.

Error: (01/20/2014 08:43:46 AM) (Source: LoadPerf) (User: )
Description: Installing the performance counter strings for service ServiceModelEndpoint 3.0.0.0 (%2) failed. The
Error code is the first DWORD in Data section.

Error: (01/20/2014 08:43:46 AM) (Source: LoadPerf) (User: )
Description: The SYSTEM\CurrentControlSet\Services\ServiceModelEndpoint 3.0.0.0\Performance key could not be opened or accessed in order to install counter
strings.The Win32 status returned by the call is the first DWORD in Data
section.

Error: (01/20/2014 08:40:52 AM) (Source: LoadPerf) (User: )
Description: Installing the performance counter strings for service MSDTC Bridge 3.0.0.0 (%2) failed. The
Error code is the first DWORD in Data section.


System errors:
=============
Error: (01/21/2014 01:08:52 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:52 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:52 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:52 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:52 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:52 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:52 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:51 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:51 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:51 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126


Microsoft Office Sessions:
=========================
Error: (01/21/2014 11:57:20 AM) (Source: Application Hang)(User: )
Description: explorer.exe6.0.2900.5512hungapp0.0.0.000000000

Error: (01/20/2014 08:43:47 AM) (Source: LoadPerf)(User: )
Description: MSDTC Bridge 3.0.0.0

Error: (01/20/2014 08:43:47 AM) (Source: LoadPerf)(User: )
Description: SYSTEM\CurrentControlSet\Services\MSDTC Bridge 3.0.0.0\Performance

Error: (01/20/2014 08:43:47 AM) (Source: LoadPerf)(User: )
Description: ServiceModelService 3.0.0.0

Error: (01/20/2014 08:43:47 AM) (Source: LoadPerf)(User: )
Description: SYSTEM\CurrentControlSet\Services\ServiceModelService 3.0.0.0\Performance

Error: (01/20/2014 08:43:46 AM) (Source: LoadPerf)(User: )
Description: ServiceModelOperation 3.0.0.0

Error: (01/20/2014 08:43:46 AM) (Source: LoadPerf)(User: )
Description: SYSTEM\CurrentControlSet\Services\ServiceModelOperation 3.0.0.0\Performance

Error: (01/20/2014 08:43:46 AM) (Source: LoadPerf)(User: )
Description: ServiceModelEndpoint 3.0.0.0

Error: (01/20/2014 08:43:46 AM) (Source: LoadPerf)(User: )
Description: SYSTEM\CurrentControlSet\Services\ServiceModelEndpoint 3.0.0.0\Performance

Error: (01/20/2014 08:40:52 AM) (Source: LoadPerf)(User: )
Description: MSDTC Bridge 3.0.0.0


**** End of log ****
#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,521 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:59 AM

Posted 21 January 2014 - 02:41 PM


There could still be some malware in the computer.

Download Malwarebytes Anti-Rootkit. Follow the instructions on this page.

How to use Malwarebytes Anti-Rootkit to remove rootkits from a Computer.
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit/

Post the log in your next reply.
===

Then run this one also.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.

#14 fasthorse

fasthorse
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lund BC Canada
  • Local time:11:59 PM

Posted 21 January 2014 - 10:59 PM

Hi nasdaq:

 

This round took me a while and I apologize for the delay. The procedure went OK; life kept interrupting me. I followed your instructions, read all the suggested guides, downloaded the tools and ran them. I already had Malwarebytes from a previous session and ran it as a quick scan.

Here are the logs...............

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 1.596000 GHz
Memory total: 2136965120, free: 1121341440

=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 1.596000 GHz
Memory total: 2136965120, free: 1184174080

Downloaded database version: v2014.01.21.08
Downloaded database version: v2013.12.18.01
=======================================
Initializing...
------------ Kernel report ------------
     01/21/2014 16:26:04
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
CSCrySec.sys
kl1.sys
compbatt.sys
\WINDOWS\system32\DRIVERS\BATTC.SYS
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
cercsr6.sys
\WINDOWS\System32\Drivers\SCSIPORT.SYS
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igxpmp32.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\bcm4sbxp.sys
\SystemRoot\system32\DRIVERS\nic1394.sys
\SystemRoot\system32\DRIVERS\sdbus.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\klmouflt.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\klkbdflt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\System32\Drivers\cdrbsdrv.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\klim5.sys
\SystemRoot\system32\DRIVERS\klflt.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\drivers\sthda.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\HSFHWAZL.sys
\SystemRoot\system32\DRIVERS\HSF_DPV.sys
\SystemRoot\system32\DRIVERS\HSF_CNXT.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\system32\DRIVERS\klif.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\kltdi.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\arp1394.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\kneps.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\CSVirtualDiskDrv.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\igxpgd32.dll
\SystemRoot\System32\igxprd32.dll
\SystemRoot\System32\igxpdv32.DLL
\SystemRoot\System32\igxpdx32.DLL
\SystemRoot\System32\ATMFD.DLL
\??\C:\WINDOWS\system32\drivers\mbam.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\mdmxsdk.sys
\SystemRoot\system32\DRIVERS\ipfltdrv.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\bcmwl5.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
\WINDOWS\system32\ntdll.dll
\WINDOWS\system32\kernel32.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8a402ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-e\
Lower Device Object: 0xffffffff8a555940
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8a402ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8a404c60, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8a402ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8a555940, DeviceName: \Device\Ide\IdeDeviceP1T0L0-e\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 80

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 96327

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 96390  Numsec = 872425890
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Extended with LBA (0xf)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 872522280  Numsec = 104245785

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
Done!
Scan finished
=======================================


Removal queue found; removal started
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_1_96390_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished
 

 

MiniToolBox by Farbar  Version: 18-12-2013
Ran by John (administrator) on 21-01-2014 at 13:20:03
Running from "C:\Documents and Settings\John\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1       localhost

========================= IP Configuration: ================================

Dell Wireless 1505 Draft 802.11n WLAN Mini-Card = Wireless Network Connection (Disconnected)
1394 Net Adapter = 1394 Connection (Connected)
Broadcom 440x 10/100 Integrated Controller = Local Area Connection (Media disconnected)


# ----------------------------------
# Interface IP Configuration         
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



        Host Name . . . . . . . . . . . . : john-5b07273eba

        Primary Dns Suffix  . . . . . . . :

        Node Type . . . . . . . . . . . . : Unknown

        IP Routing Enabled. . . . . . . . : No

        WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



        Media State . . . . . . . . . . . : Media disconnected

        Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller

        Physical Address. . . . . . . . . : 00-1D-09-A3-38-69

Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1d 09 a3 38 69 ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
  255.255.255.255  255.255.255.255  255.255.255.255               2      1
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\system32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 19 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/21/2014 11:57:20 AM) (Source: Application Hang) (User: )
Description: Hanging application explorer.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/20/2014 08:43:47 AM) (Source: LoadPerf) (User: )
Description: Installing the performance counter strings for service MSDTC Bridge 3.0.0.0 (%2) failed. The
Error code is the first DWORD in Data section.

Error: (01/20/2014 08:43:47 AM) (Source: LoadPerf) (User: )
Description: The SYSTEM\CurrentControlSet\Services\MSDTC Bridge 3.0.0.0\Performance key could not be opened or accessed in order to install counter
strings.The Win32 status returned by the call is the first DWORD in Data
section.

Error: (01/20/2014 08:43:47 AM) (Source: LoadPerf) (User: )
Description: Installing the performance counter strings for service ServiceModelService 3.0.0.0 (%2) failed. The
Error code is the first DWORD in Data section.

Error: (01/20/2014 08:43:47 AM) (Source: LoadPerf) (User: )
Description: The SYSTEM\CurrentControlSet\Services\ServiceModelService 3.0.0.0\Performance key could not be opened or accessed in order to install counter
strings.The Win32 status returned by the call is the first DWORD in Data
section.

Error: (01/20/2014 08:43:46 AM) (Source: LoadPerf) (User: )
Description: Installing the performance counter strings for service ServiceModelOperation 3.0.0.0 (%2) failed. The
Error code is the first DWORD in Data section.

Error: (01/20/2014 08:43:46 AM) (Source: LoadPerf) (User: )
Description: The SYSTEM\CurrentControlSet\Services\ServiceModelOperation 3.0.0.0\Performance key could not be opened or accessed in order to install counter
strings.The Win32 status returned by the call is the first DWORD in Data
section.

Error: (01/20/2014 08:43:46 AM) (Source: LoadPerf) (User: )
Description: Installing the performance counter strings for service ServiceModelEndpoint 3.0.0.0 (%2) failed. The
Error code is the first DWORD in Data section.

Error: (01/20/2014 08:43:46 AM) (Source: LoadPerf) (User: )
Description: The SYSTEM\CurrentControlSet\Services\ServiceModelEndpoint 3.0.0.0\Performance key could not be opened or accessed in order to install counter
strings.The Win32 status returned by the call is the first DWORD in Data
section.

Error: (01/20/2014 08:40:52 AM) (Source: LoadPerf) (User: )
Description: Installing the performance counter strings for service MSDTC Bridge 3.0.0.0 (%2) failed. The
Error code is the first DWORD in Data section.


System errors:
=============
Error: (01/21/2014 01:08:52 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:52 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:52 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:52 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:52 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:52 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:52 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:51 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:51 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/21/2014 01:08:51 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126


Microsoft Office Sessions:
=========================
Error: (01/21/2014 11:57:20 AM) (Source: Application Hang)(User: )
Description: explorer.exe6.0.2900.5512hungapp0.0.0.000000000

Error: (01/20/2014 08:43:47 AM) (Source: LoadPerf)(User: )
Description: MSDTC Bridge 3.0.0.0

Error: (01/20/2014 08:43:47 AM) (Source: LoadPerf)(User: )
Description: SYSTEM\CurrentControlSet\Services\MSDTC Bridge 3.0.0.0\Performance

Error: (01/20/2014 08:43:47 AM) (Source: LoadPerf)(User: )
Description: ServiceModelService 3.0.0.0

Error: (01/20/2014 08:43:47 AM) (Source: LoadPerf)(User: )
Description: SYSTEM\CurrentControlSet\Services\ServiceModelService 3.0.0.0\Performance

Error: (01/20/2014 08:43:46 AM) (Source: LoadPerf)(User: )
Description: ServiceModelOperation 3.0.0.0

Error: (01/20/2014 08:43:46 AM) (Source: LoadPerf)(User: )
Description: SYSTEM\CurrentControlSet\Services\ServiceModelOperation 3.0.0.0\Performance

Error: (01/20/2014 08:43:46 AM) (Source: LoadPerf)(User: )
Description: ServiceModelEndpoint 3.0.0.0

Error: (01/20/2014 08:43:46 AM) (Source: LoadPerf)(User: )
Description: SYSTEM\CurrentControlSet\Services\ServiceModelEndpoint 3.0.0.0\Performance

Error: (01/20/2014 08:40:52 AM) (Source: LoadPerf)(User: )
Description: MSDTC Bridge 3.0.0.0


**** End of log ****
 

 

This one was odd... I located it in the MBAM Logs tab after the scan, which placed it in C:/Docs and Settings/My Name/Application Data/Malwarebytes/Logs. I went to look for it there via Windows Explorer and the App Data folder in the My Name folder was not there. It used to be. I've seen it many times.   ???    Copy and paste this and that, and here it is ..........

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300

www.malwarebytes.org

 

Database version: v2014.01.20.08

 

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

John :: JOHN-5B07273EBA [administrator]

 

Protection: Enabled

 

1/21/2014 8:34:28 PM

mbam-log-2014-01-21 (20-34-28).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 195712

Time elapsed: 6 minute(s), 41 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)



#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,521 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:59 AM

Posted 22 January 2014 - 08:55 AM

From what I can see, you possibly have some wrong settings in your DNS.

I suggest you start a new topic in this forum.

Networking forum
http://www.bleepingcomputer.com/forums/forum21.html

Explain your problem and submit a fresh MiniToolBox log.

I will keep this topic open. If you need to return please do.
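
The DNS reading above can be checked mechanically. The following Python script is an added example, not part of this thread and not part of Farbar's MiniToolBox: it parses a MiniToolBox-style report and flags the things a responder looks for in it, namely a proxy left enabled, hosts-file entries beyond the Windows defaults, the server that nslookup actually queried (in the log above, loopback 127.0.0.1), failed resolution of the probe hosts, and adapter link state. The embedded SAMPLE_LOG is constructed to mirror the format of the report posted above; the section banners and line shapes follow that output, while the severity labels are my own choice. Note that the posted log also shows both real adapters disconnected, which the script reports as context next to the DNS findings.

```python
import re

# Constructed sample, modelled on the format of the MiniToolBox report posted above.
SAMPLE_LOG = """\
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= Hosts content: =================================

127.0.0.1       localhost

========================= IP Configuration: ================================

Dell Wireless 1505 Draft 802.11n WLAN Mini-Card = Wireless Network Connection (Disconnected)
1394 Net Adapter = 1394 Connection (Connected)
Broadcom 440x 10/100 Integrated Controller = Local Area Connection (Media disconnected)

Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.

========================= Winsock entries =====================================
"""

# Stock Windows hosts-file mappings; anything else deserves a look.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# A banner is a run of '=' signs, a name starting with a letter, an optional colon, more '='.
SECTION_BANNER = re.compile(r"^=+\s*([A-Za-z][^=]*?):?\s*=+$")


def parse_sections(text):
    """Split a MiniToolBox report on its '===== Name: =====' banners into {name: body}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_BANNER.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {name: "\n".join(body) for name, body in sections.items()}


def analyze(text):
    """Return a list of (severity, message) findings for one report."""
    findings = []
    sections = parse_sections(text)

    # 1. A proxy configured on a home workstation can redirect all browser traffic.
    if re.search(r"^Proxy is enabled", sections.get("IE Proxy Settings", ""), re.M):
        findings.append(("high", "IE proxy is enabled; confirm it is intentional"))

    # 2. Hosts entries beyond the defaults can hijack or block chosen domains.
    for line in sections.get("Hosts content", "").splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            if (parts[0], parts[1]) not in DEFAULT_HOSTS:
                findings.append(("high", f"non-default hosts entry: {line.strip()}"))

    ipcfg = sections.get("IP Configuration", "")

    # 3. Link state: resolution cannot succeed over adapters that are down.
    adapters = re.findall(r"^(.+?) = (.+?) \((.+?)\)$", ipcfg, re.M)
    down = [name for name, _, state in adapters if "disconnected" in state.lower()]
    if down:
        findings.append(("info", f"{len(down)} of {len(adapters)} adapters disconnected: {', '.join(down)}"))

    # 4. nslookup prints the server it queried; loopback means a local resolver or
    #    proxy is configured as the DNS server, which is unusual on a workstation.
    servers = set(re.findall(r"^Address:\s+(\S+)$", ipcfg, re.M))
    if "127.0.0.1" in servers or "::1" in servers:
        findings.append(("medium", "DNS server is loopback (127.0.0.1); check the adapter DNS settings"))

    # 5. Whether the probe hosts resolved at all.
    failed = re.findall(r"could not find host (\S+)\.", ipcfg)
    if failed:
        findings.append(("medium", "name resolution failed for: " + ", ".join(failed)))

    return findings


if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run against a real MiniToolBox log, the script gives a quick triage list: a loopback resolver together with failed lookups points at the adapter DNS settings, while an extra hosts entry or an enabled proxy is worth treating as a higher-priority finding than a simple misconfiguration.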
