Download resulted in PCUTilitiesPros Optimizer and more


This topic is locked
4 replies to this topic

#1 sandhill

sandhill

  • Members
  • 27 posts
  • Gender:Male
  • Location:New York State

Posted 18 April 2014 - 05:49 PM

I tried to update Keepass and ended up receiving PCUtilitiesPro Optimizer, Search Protect, Ask Toolbar and several other PUPs that Malwarebytes Antimalware found and deleted.  Malwarebytes is up to date and I've run it several times.  Downloaded and ran SuperAntispyware and it found additional PUP.  Tried to "Restore" to 3 earlier dates and the attempts failed.  Attempts to access Windows "Help" give error "directory not found".  When system loads I receive an error regarding the inability to access memory at a specific address related to "MsMpEng.exe" which according to what I could find is part of Microsoft Security Essentials.  I regularly run Security Essentials and occasionally run Antimalware.  In order to run Superantispyware, and Restore I had to switch to "Safe Mode".  However, I am trying to post this in Normal mode.

At present the system does not respond to mouse commands to open a program for a very long time - several minutes.  The desktop reset.  One of my e-mail accounts in Outlook disappeared.

I am using Windows XP SP3.  I keep things pretty well up to date.
I would appreciate some suggestions on how to proceed.
Sandhill




#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 18 April 2014 - 06:56 PM

Hello -

You will find these programs can get into XP systems a lot now that support has ended.

Please download these programs to desktop, and Copy and Paste the logs.


First -

Download Screen317 Security Check and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Please post the contents of that document.
Note: If a security program requests permission to access the Internet, allow it to do so.


Next -

Please download MiniToolBox to desktop and run it.
Checkmark the following boxes:

* List content of Hosts
* Flush DNS
* Report IE Proxy Settings
* Reset IE Proxy Settings
* Report FF Proxy Settings
* Reset FF Proxy Settings
* List last 10 Event Viewer log
* List Installed Programs
* List Users, Partitions and Memory size
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
Click Go and Copy / Paste the result. (result.txt)


Next -

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

NOTE - If normal mode still doesn't work, run the tool from safe mode.
When the scan is done Notepad will open with rKill log.
Post it in your next reply.
NOTE. RKill.txt log will also be present on your desktop.

Important: Do not reboot your computer, but run this program next.

* Please download AdwCleaner by Xplode and save to your Desktop.
* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button (only once)
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.

Look to see if there are any programs that should not be removed (very rare)

NOW -
* Click on the Clean button (only once)
* Press OK when asked to close all programs and follow the onscreen prompts.
* Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
* After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
* Copy and paste the contents of that logfile in your next reply.
* A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.


Next -

Scan with ESET Online Scan
1. Please go to HERE to run the online scanner from ESET.
2. Temporarily Disable Your Anti-virus while performing the online scan
3. Tick the box next to YES, I accept the Terms of Use.
4. Click Start
5. When asked, allow the ActiveX control to install
6. Click Start
7. Under scan settings, check "Scan Archives" and "Remove found threats"
8. Click on Advanced Settings and ensure these options are ticked:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

9. Click Scan
10. Wait for the scan to finish. This can take quite a while to download the program and then updates for a first scan.
11. If any threats were found, click the 'List of found threats' , then click Export to text file....
12. Save it to your desktop, then please copy and paste that log as a reply to this topic.
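As an added example (not part of this thread and not Farbar's own code), here is a small Python triage script for the "Event log errors" section of the MiniToolBox result.txt requested above: it parses each Error/Description pair, counts entries per source, and flags an application that faults repeatedly at the same address inside a short window, which is how a crash loop such as the MsMpEng.exe fault the poster describes stands out from one-off noise. The sample log embedded in it is constructed in the same format MiniToolBox emits.

```python
"""Triage helper for the 'Event log errors' section of a MiniToolBox log.

Added example, not part of the BleepingComputer thread and not MiniToolBox code.
Feed it the text between the 'Event log errors' header and the next section.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the exact line format MiniToolBox uses for errors.
SAMPLE_LOG = """\
Error: (04/22/2014 08:27:41 AM) (Source: COM+) (User: )
Description: The run-time environment has detected an inconsistency in its internal state.

Error: (04/18/2014 06:31:33 PM) (Source: Application Error) (User: )
Description: Faulting application MsMpEng.exe, version 4.5.216.0, faulting module mpengine.dll, version 1.1.10501.0, fault address 0x003d684d.

Error: (04/18/2014 06:31:30 PM) (Source: Application Error) (User: )
Description: Faulting application MsMpEng.exe, version 4.5.216.0, faulting module mpengine.dll, version 1.1.10501.0, fault address 0x003d684d.

Error: (04/18/2014 06:27:48 PM) (Source: Application Error) (User: )
Description: Faulting application MsMpEng.exe, version 4.5.216.0, faulting module mpengine.dll, version 1.1.10501.0, fault address 0x003d684d.

Error: (04/22/2014 08:27:55 AM) (Source: Service Control Manager) (User: )
Description: The SAS Core Service service failed to start due to the following error:
%%2
"""

# 'Error: (mm/dd/yyyy hh:mm:ss AM) (Source: X) (User: Y)'
HEADER = re.compile(
    r"^Error: \((\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\) "
    r"\(Source: (.*?)\) \(User: (.*?)\)$"
)
# The Windows 'Application Error' event text for a crashed process.
FAULT = re.compile(
    r"Faulting application (\S+), version (\S+), faulting module (\S+), "
    r"version (\S+), fault address (0x[0-9a-fA-F]+)"
)


def parse_entries(text):
    """Return a list of dicts (time, source, user, description) in log order.
    Description lines that follow a header are joined until the next header."""
    entries = []
    current = None
    desc_lines = []

    def flush():
        if current is not None:
            current["description"] = " ".join(desc_lines).strip()
            entries.append(current)

    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            flush()
            current = {
                "time": datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p"),
                "source": m.group(2),
                "user": m.group(3),
            }
            desc_lines = []
        elif current is not None and line.strip():
            desc_lines.append(line.replace("Description: ", "", 1).strip())
    flush()
    return entries


def count_by_source(entries):
    """How many errors each event source logged; large counts merit a look."""
    return Counter(e["source"] for e in entries)


def app_crash_bursts(entries, window=timedelta(minutes=10), min_count=3):
    """Group 'Application Error' faults by (exe, module, fault address) and
    return those with at least min_count faults inside `window`. The same
    address repeating minutes apart is a crash loop, not random noise."""
    groups = defaultdict(list)
    for e in entries:
        m = FAULT.search(e["description"])
        if e["source"] == "Application Error" and m:
            groups[(m.group(1), m.group(3), m.group(5))].append(e["time"])
    bursts = {}
    for key, times in groups.items():
        times.sort()
        if len(times) >= min_count and times[-1] - times[0] <= window:
            bursts[key] = len(times)
    return bursts


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    for source, n in count_by_source(found).most_common():
        print(f"{n:3d}  {source}")
    for (exe, module, addr), n in app_crash_bursts(found).items():
        print(f"crash loop: {exe} in {module} at {addr} ({n} faults)")
```

Run it against a real result.txt by replacing SAMPLE_LOG with the "Event log errors" section of the pasted log.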



#3 sandhill

sandhill
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male
  • Location:New York State

Posted 22 April 2014 - 07:47 PM

I hope I followed your directions OK.  I got myself into trouble because I use an "Administrator" and a "User" to try and keep things separate.


Thank you for your help


Sandhill


MiniToolBox by Farbar  Version: 23-01-2014

Ran by Jeff (administrator) on 22-04-2014 at 20:31:16

Running from "C:\Documents and Settings\Jeff\My Documents\Downloads"

Microsoft Windows XP Professional Service Pack 3 (X86)

Boot Mode: Normal

***************************************************************************

 

========================= Flush DNS: ===================================

 

 

Windows IP Configuration

 

 

Successfully flushed the DNS Resolver Cache.

 

========================= IE Proxy Settings: ==============================

 

Proxy is not enabled.

No Proxy Server is set.

 

"Reset IE Proxy Settings": IE Proxy Settings were reset.

 

========================= FF Proxy Settings: ==============================

 

 

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

 

========================= Hosts content: =================================

 

127.0.0.1       localhost

 

 

========================= Event log errors: ===============================

 

Application errors:

==================

Error: (04/22/2014 08:27:41 AM) (Source: COM+) (User: )

Description: The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184), hr = 80070424: InitEventCollector failed

 

Error: (04/21/2014 10:49:19 PM) (Source: MPSampleSubmission) (User: )

Description: EventType mptelemetry, P1 unspecified, P2 hardeningtelemetry, P3 hardeningtelemetrydisablertp, P4 4.5.216.0, P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

 

Error: (04/21/2014 10:46:03 PM) (Source: COM+) (User: )

Description: The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184), hr = 80070424: InitEventCollector failed

 

Error: (04/21/2014 08:52:08 PM) (Source: COM+) (User: )

Description: The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184), hr = 80070424: InitEventCollector failed

 

Error: (04/18/2014 06:31:33 PM) (Source: Application Error) (User: )

Description: Faulting application MsMpEng.exe, version 4.5.216.0, faulting module mpengine.dll, version 1.1.10501.0, fault address 0x003d684d.

Error in creating result PEAP-TLV in response to received PEAP-TLV (MsMpEng.exe!ld!)

 

Error: (04/18/2014 06:31:30 PM) (Source: Application Error) (User: )

Description: Faulting application MsMpEng.exe, version 4.5.216.0, faulting module mpengine.dll, version 1.1.10501.0, fault address 0x003d684d.

Error in creating result PEAP-TLV in response to received PEAP-TLV (MsMpEng.exe!ld!)

 

Error: (04/18/2014 06:31:27 PM) (Source: Application Error) (User: )

Description: Faulting application MsMpEng.exe, version 4.5.216.0, faulting module mpengine.dll, version 1.1.10501.0, fault address 0x003d684d.

Error in creating result PEAP-TLV in response to received PEAP-TLV (MsMpEng.exe!ld!)

 

Error: (04/18/2014 06:31:20 PM) (Source: Application Error) (User: )

Description: Faulting application MsMpEng.exe, version 4.5.216.0, faulting module mpengine.dll, version 1.1.10501.0, fault address 0x003d684d.

Error in creating result PEAP-TLV in response to received PEAP-TLV (MsMpEng.exe!ld!)

 

Error: (04/18/2014 06:31:14 PM) (Source: Application Error) (User: )

Description: Faulting application MsMpEng.exe, version 4.5.216.0, faulting module mpengine.dll, version 1.1.10501.0, fault address 0x003d684d.

Error in creating result PEAP-TLV in response to received PEAP-TLV (MsMpEng.exe!ld!)

 

Error: (04/18/2014 06:27:48 PM) (Source: Application Error) (User: )

Description: Faulting application MsMpEng.exe, version 4.5.216.0, faulting module mpengine.dll, version 1.1.10501.0, fault address 0x003d684d.

Error in creating result PEAP-TLV in response to received PEAP-TLV (MsMpEng.exe!ld!)

 

 

System errors:

=============

Error: (04/22/2014 08:27:38 PM) (Source: Service Control Manager) (User: )

Description: Timeout (30000 milliseconds) waiting for a transaction response from the nvsvc service.

 

Error: (04/22/2014 08:37:30 AM) (Source: Microsoft Antimalware) (User: )

Description: The support for your operating system has expired. Running %%860 on an out of support operating system is not an adequate solution to protect against threats.

 

Error: (04/22/2014 08:29:21 AM) (Source: PlugPlayManager) (User: )

Description: The device Root\LEGACY_MPKSL76611351\0000 disappeared from the system without first being prepared for removal.

 

Error: (04/22/2014 08:29:09 AM) (Source: Microsoft Antimalware) (User: )

Description: The support for your operating system has expired. Running %%860 on an out of support operating system is not an adequate solution to protect against threats.

 

Error: (04/22/2014 08:27:55 AM) (Source: Service Control Manager) (User: )

Description: The SAS Core Service service failed to start due to the following error:

%%2

 

Error: (04/22/2014 08:27:32 AM) (Source: Microsoft Antimalware) (User: )

Description: The support for your operating system has expired. Running %%860 on an out of support operating system is not an adequate solution to protect against threats.

 

Error: (04/22/2014 08:27:25 AM) (Source: 0) (User: )

Description: Cdr4vsd.SYS

 

Error: (04/21/2014 10:55:54 PM) (Source: Microsoft Antimalware) (User: )

Description: The support for your operating system has expired. Running %%860 on an out of support operating system is not an adequate solution to protect against threats.

 

Error: (04/21/2014 10:46:56 PM) (Source: Service Control Manager) (User: )

Description: Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.

 

Error: (04/21/2014 10:46:21 PM) (Source: Service Control Manager) (User: )

Description: The SAS Core Service service failed to start due to the following error:

%%2

 

 

Microsoft Office Sessions:

=========================

Error: (04/22/2014 08:27:41 AM) (Source: COM+)(User: )

Description: Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184), hr = 80070424: InitEventCollector failed

 

Error: (04/21/2014 10:49:19 PM) (Source: MPSampleSubmission)(User: )

Description: mptelemetryunspecifiedhardeningtelemetryhardeningtelemetrydisablertp4.5.216.0unspecifiedunspecifiedunspecifiedNILNILNIL

 

Error: (04/21/2014 10:46:03 PM) (Source: COM+)(User: )

Description: Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184), hr = 80070424: InitEventCollector failed

 

Error: (04/21/2014 08:52:08 PM) (Source: COM+)(User: )

Description: Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184), hr = 80070424: InitEventCollector failed

 

Error: (04/18/2014 06:31:33 PM) (Source: Application Error)(User: )

Description: MsMpEng.exe4.5.216.0mpengine.dll1.1.10501.0003d684d

 

Error: (04/18/2014 06:31:30 PM) (Source: Application Error)(User: )

Description: MsMpEng.exe4.5.216.0mpengine.dll1.1.10501.0003d684d

 

Error: (04/18/2014 06:31:27 PM) (Source: Application Error)(User: )

Description: MsMpEng.exe4.5.216.0mpengine.dll1.1.10501.0003d684d

 

Error: (04/18/2014 06:31:20 PM) (Source: Application Error)(User: )

Description: MsMpEng.exe4.5.216.0mpengine.dll1.1.10501.0003d684d

 

Error: (04/18/2014 06:31:14 PM) (Source: Application Error)(User: )

Description: MsMpEng.exe4.5.216.0mpengine.dll1.1.10501.0003d684d

 

Error: (04/18/2014 06:27:48 PM) (Source: Application Error)(User: )

Description: MsMpEng.exe4.5.216.0mpengine.dll1.1.10501.0003d684d

 

 

=========================== Installed Programs ============================

 

ABBYY FineReader 6.0 Sprint (Version: 6.00.1568.4089)

Adobe AIR (Version: 13.0.0.83)

Adobe Flash Player 12 ActiveX (Version: 12.0.0.77)

Adobe Flash Player 12 Plugin (Version: 12.0.0.77)

Adobe Help Center 2.0 (Version: 2.0.0)

Adobe Photoshop Elements 7.0 (Version: 7.0)

Adobe Photoshop Elements 7.0 (Version: 7.0.0.3)

Adobe Photoshop.com Inspiration Browser (Version: 2.83)

Adobe Reader XI (11.0.05) (Version: 11.0.05)

Adobe Shockwave Player 12.0 (Version: 12.0.4.144)

Amazon Games & Software Downloader (Version: 2.0.2.0)

AnswerWorks 5.0 English Runtime (Version: 008.000.0003)

AnswerWorks 5.0 English Runtime (Version: 5.0.7)

AOLIcon (Version: 1.00.0000)

Apple Application Support (Version: 2.3.6)

Apple Mobile Device Support (Version: 7.0.0.117)

Apple Software Update (Version: 2.1.3.127)

Bonjour (Version: 3.0.0.10)

BufferChm (Version: 70.0.170.000)

Camera Window DS (Version: 5.0)

Camera Window DVC (Version: 5.0)

Camera Window MC (Version: 5.0)

Canon Camera Support Core Library (Version: 7.1.0.11)

Canon Camera Window DS for ZoomBrowser EX (Version: 5.0)

Canon Camera Window DVC for ZoomBrowser EX (Version: 5.0)

Canon Camera Window for ZoomBrowser EX (Version: 5.0)

Canon MovieEdit Task for ZoomBrowser EX (Version: 1.2.0.21)

Canon RAW Image Task for ZoomBrowser EX (Version: 1.2)

Canon RemoteCapture Task for ZoomBrowser EX (Version: 1.1)

CCleaner (Version: 2.36)

Chaos 8 (Version: )

ChaosSync for Google

Cisco WebEx Meetings

Citrix Online Launcher (Version: 1.0.122)

CleanUp!

Color Matching System

Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)

Conexant D850 56K V.9x DFVc Modem

CP_CalendarTemplates1 (Version: 70.0.170.000)

cp_OnlineProjectsConfig (Version: 70.0.170.000)

CP_Package_Basic1 (Version: 70.0.170.000)

CP_Panorama1Config (Version: 70.0.170.000)

cp_PosterPrintConfig (Version: 70.0.170.000)

Critical Update for Windows Media Player 11 (KB959772)

CueTour (Version: 70.0.170.000)

Dell CinePlayer (Version: 3.0)

Dell Driver Reset Tool (Version: 1.02.0000)

Dell Support Center (Support Software) (Version: 2.2.09085)

Dell System Restore (Version: 2.00.0000)

Destinations (Version: 70.0.170.000)

DeviceManagementQFolder (Version: 1.00.0000)

Digital Content Portal (Version: 1.00.0000)

Digital Line Detect (Version: 1.10)

DocProc (Version: 8.0.0.0)

DocProcQFolder (Version: 1.00.0000)

Documentation & Support Launcher (Version: 1.00.0000)

EarPower30

E-HealthKEY

EPSON Print CD (Version: 1.50.000)

EPSON Printer Software

EPSON SP1400 Reference Guide

EPSON Web-To-Page

ERUNT 1.1j

eSupportQFolder (Version: 1.00.0000)

File Type Assistant

FullDPAppQFolder (Version: 1.00.0000)

Google Earth (Version: 7.1.2.2041)

Google SketchUp 6 (Version: 6.0.00211)

Google SketchUp 6 (Version: 6.0.312)

Google Update Helper (Version: 1.3.23.9)

Google Updater (Version: 2.4.2432.1652)

GoToAssist Corporate (Version: 9.1.0.615)

High Definition Audio Driver Package - KB835221 (Version: 20040219.000000)

HiJackThis (Version: 1.0.0)

HP Imaging Device Functions 7.0 (Version: 7.0)

HP Photosmart Premier Software 6.5 (Version: 6.5)

HP Product Assistant (Version: 100.000.001.000)

HP Scanjet G4000 series 8.0 (Version: 8.0)

HP Solution Center 7.0 (Version: 7.0)

HP Update (Version: 5.003.001.001)

hpG4000 (Version: 8.3.0.0)

hpg4000QFolder (Version: 1.00.0000)

HPProductAssistant (Version: 70.0.170.000)

HPSSupply (Version: 100.0.172.000)

InstallConverter bundle uninstaller (Version: 2.0.0.5)

InstantShareDevices (Version: 70.0.170.000)

Intel® PRO Network Connections (Version: )

Intel® Rapid Storage Technology (Version: 10.1.0.1008)

InterVideo MediaOne Gallery

iTunes (Version: 11.1.3.8)

Java 7 Update 40 (Version: 7.0.400)

Java Auto Updater (Version: 2.1.9.8)

Learn2 Player (Uninstall Only)

Malwarebytes Anti-Malware version 2.0.1.1004 (Version: 2.0.1.1004)

MapSource - North American City Select v5 (Version: 5.00)

Microsoft .NET Framework 1.0 Hotfix (KB2572066)

Microsoft .NET Framework 1.0 Hotfix (KB2604042)

Microsoft .NET Framework 1.0 Hotfix (KB2656378)

Microsoft .NET Framework 1.0 Hotfix (KB953295)

Microsoft .NET Framework 1.0 Hotfix (KB979904)

Microsoft .NET Framework 1.0 Security Update (KB2698035)

Microsoft .NET Framework 1.0 Security Update (KB2742607)

Microsoft .NET Framework 1.0 Security Update (KB2833951)

Microsoft .NET Framework 1.0 Security Update (KB2904878)

Microsoft .NET Framework 1.1 (Version: 1.1.4322)

Microsoft .NET Framework 1.1 Security Update (KB2698023)

Microsoft .NET Framework 1.1 Security Update (KB2833941)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)

Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)

Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)

Microsoft Application Error Reporting (Version: 12.0.6012.5000)

Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft National Language Support Downlevel APIs

Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)

Microsoft Office Live Meeting 2007 (Version: 8.0.6362.215)

Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6612.1000)

Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)

Microsoft Outlook Personal Folders Backup (Version: 1.10.0.0)

Microsoft Plus! Photo Story 2 LE (Version: 1.1.0.3463)

Microsoft Security Client (Version: 4.5.0216.0)

Microsoft Security Essentials (Version: 4.5.216.0)

Microsoft Silverlight (Version: 5.1.30214.0)

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)

Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)

Microsoft WinUsb 1.0

Microsoft WorldWide Telescope (Version: 2.5.32)

Microsoft XML Parser (Version: 8.20.8730.4)

Modem Helper (Version: 2.40)

Mozilla Firefox 28.0 (x86 en-US) (Version: 28.0)

Mozilla Maintenance Service (Version: 28.0)

Mozilla Thunderbird 24.3.0 (x86 en-US) (Version: 24.3.0)

MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)

MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)

MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)

MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)

MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)

MSXML 4.0 SP3 Parser (KB2758694) (Version: 4.30.2117.0)

MSXML 4.0 SP3 Parser (Version: 4.30.2100.0)

MSXML 6.0 Parser (KB925673) (Version: 6.00.3888.0)

NetWaiting (Version: 2.5.12)

Nikon Message Center (Version: 0.91.000)

NVIDIA Display Control Panel (Version: 6.14.12.5896)

NVIDIA Display Control Panel (Version: 6.14.12.6658)

NVIDIA Drivers (Version: 1.10.61.39)

NVIDIA Graphics Driver 266.58 (Version: 266.58)

NVIDIA Install Application (Version: 2.265.36.0)

NVIDIA nView 135.50 (Version: 135.50)

NVIDIA PhysX (Version: 9.10.0224)

OCR Software by I.R.I.S 8.0 (Version: 8.0)

Palm Desktop for Garmin iQue (Version: 4.1)

PanoStandAlone (Version: 70.0.170.000)

PCsync (Version: 5.02.2000)

Peterson North American Birds

PhotoGallery (Version: 70.0.170.000)

PhotoshopdotcomInspirationBrowser (Version: 0.0.0)

Picasa 3 (Version: 3.9)

Punch! Super Home Suite

Quicken 2009 (Version: 18.1.1.29)

QuickTime (Version: 7.74.80.86)

RandMap (Version: 70.0.170.000)

RAW Image Task 1.2 (Version: 1.2)

RealDownloader (Version: 1.3.3)

RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)

RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0)

RealPlayer (Version: 16.0.3)

RealUpgrade 1.1 (Version: 1.1.0)

RemoteCapture Task 1.1 (Version: 1.1)

Scan (Version: 8.1.0.0)

ScannerCopy (Version: 8.0.0.0)

SearchAssist

Secunia PSI (3.0.0.9016) (Version: 3.0.0.9016)

Shop for HP Supplies (Version: 10.0)

Sibelius Scorch (Firefox, Opera, Netscape only) (Version: 6.2.0)

Sierra Garden Planner

Sierra LandDesigner 3D

Sierra Utilities

SkinsHP1 (Version: 70.0.170.000)

SlideShow (Version: 70.0.170.000)

SolutionCenter (Version: 70.0.170.000)

Sonic Activation Module (Version: 1.0)

Sonic Encoders (Version: 1.00)

Sonic Update Manager (Version: 3.0.0)

Sonic_PrimoSDK (Version: 70.0.170.000)

SUPERAntiSpyware (Version: 5.7.1018)

swMSM (Version: 12.0.0.1)

System Requirements Lab

Time and Chaos (Version: v7)

TurboTax 2008

TurboTax 2008 WinPerFedFormset (Version: 008.000.0330)

TurboTax 2008 WinPerProgramHelp (Version: 008.000.0216)

TurboTax 2008 WinPerReleaseEngine (Version: 008.000.0186)

TurboTax 2008 WinPerTaxSupport (Version: 008.000.0988)

TurboTax 2008 WinPerUserEducation (Version: 008.000.0422)

TurboTax 2008 wnyiper (Version: 008.000.0119)

TurboTax 2008 wrapper (Version: 008.000.0063)

TurboTax 2009

TurboTax 2009 WinPerFedFormset (Version: 009.000.2163)

TurboTax 2009 WinPerReleaseEngine (Version: 009.000.0328)

TurboTax 2009 WinPerTaxSupport (Version: 009.000.0238)

TurboTax 2009 wnyiper (Version: 009.000.0815)

TurboTax 2009 wrapper (Version: 009.000.0145)

TurboTax 2010

TurboTax 2010 WinPerFedFormset (Version: 010.000.5821)

TurboTax 2010 WinPerReleaseEngine (Version: 010.000.0501)

TurboTax 2010 WinPerTaxSupport (Version: 010.000.0222)

TurboTax 2010 wnyiper (Version: 010.000.1549)

TurboTax 2010 wrapper (Version: 010.000.0157)

TurboTax 2011

TurboTax 2011 WinPerFedFormset (Version: 011.000.2999)

TurboTax 2011 WinPerReleaseEngine (Version: 011.000.0474)

TurboTax 2011 WinPerTaxSupport (Version: 011.000.0214)

TurboTax 2011 wnyiper (Version: 011.000.1628)

TurboTax 2011 wrapper (Version: 011.000.0121)

TWC Client ActiveX Controls (Version: 11)

TWC Customer Controls (Version: 7)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)

Update for Windows Internet Explorer 8 (KB971180) (Version: 1)

Update for Windows Internet Explorer 8 (KB976662) (Version: 1)

Update for Windows Internet Explorer 8 (KB976749) (Version: 1)

Update for Windows Internet Explorer 8 (KB980182) (Version: 1)

Update for Windows Internet Explorer 8 (KB982632) (Version: 1)

Update for Windows Media Player 10 (KB910393)

Update for Windows Media Player 10 (KB913800)

Update for Windows Media Player 10 (KB926251)

Update for Windows XP (KB2141007) (Version: 1)

Update for Windows XP (KB2345886) (Version: 1)

Update for Windows XP (KB2467659) (Version: 1)

Update for Windows XP (KB2541763) (Version: 1)

Update for Windows XP (KB2607712) (Version: 1)

Update for Windows XP (KB2616676) (Version: 1)

Update for Windows XP (KB2641690) (Version: 1)

Update for Windows XP (KB2661254-v2) (Version: 2)

Update for Windows XP (KB2718704) (Version: 1)

Update for Windows XP (KB2736233) (Version: 1)

Update for Windows XP (KB2749655) (Version: 1)

Update for Windows XP (KB2863058) (Version: 1)

Update for Windows XP (KB2904266) (Version: 1)

Update for Windows XP (KB2934207) (Version: 1)

Update for Windows XP (KB951072-v2) (Version: 2)

Update for Windows XP (KB951978) (Version: 1)

Update for Windows XP (KB955759) (Version: 1)

Update for Windows XP (KB955839) (Version: 1)

Update for Windows XP (KB967715) (Version: 1)

Update for Windows XP (KB968389) (Version: 1)

Update for Windows XP (KB971029) (Version: 1)

Update for Windows XP (KB971737) (Version: 1)

Update for Windows XP (KB973687) (Version: 1)

Update for Windows XP (KB973815) (Version: 1)

Update Rollup 2 for Windows XP Media Center Edition 2005

WebEx Event Manager for Firefox or Chrome (Version: 28.12.1.16851)

WebFldrs XP (Version: 9.50.7523)

WebReg (Version: 70.0.170.000)

Windows Easy Transfer

Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray (Version: 1.0)

Windows Genuine Advantage Notifications (KB905474) (Version: 1.7.0018.5)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Installer 3.1 (KB893803)

Windows Installer Clean Up (Version: 3.00.00.0000)

Windows Internet Explorer 7 (Version: 20061107.210142)

Windows Internet Explorer 8 (Version: 20090308.140743)

Windows Media Format 11 runtime

Windows Media Player 10 (Version: 9.00.3636)

Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]

Windows Media Player Firefox Plugin (Version: 1.0.0.8)

Windows PowerShell™ 1.0 (Version: 2)

Windows Presentation Foundation (Version: 3.0.6920.0)

Windows XP Media Center Edition 2005 KB2502898

Windows XP Media Center Edition 2005 KB2619340

Windows XP Media Center Edition 2005 KB2628259

Windows XP Media Center Edition 2005 KB908246

Windows XP Media Center Edition 2005 KB925766

Windows XP Media Center Edition 2005 KB973768

Windows XP Service Pack 3 (Version: 20080414.031525)

WinPatrol (Version: 30.5.2014)

WOT for Internet Explorer (Version: 11.11.7.0)

WOT for Internet Explorer (Version: 12.8.2.0)

Xiph QuickTime Components

 

========================= Memory info: ===================================

 

Percentage of memory in use: 31%

Total physical RAM: 3069.84 MB

Available physical RAM: 2117.43 MB

Total Pagefile: 4440.79 MB

Available Pagefile: 3634.48 MB

Total Virtual: 2047.88 MB

Available Virtual: 1980.8 MB

 

========================= Partitions: =====================================

 

2 Drive c: () (Fixed) (Total:293.39 GB) (Free:227.07 GB) NTFS

 

========================= Users: ========================================

 

User accounts for \\COMPUTER_2

 

Administrator            ASPNET                   Guest                    

HelpAssistant            Jeff                     Jim Gumaer              

SUPPORT_388945a0         Terry Tomaszewska       

 

 

**** End of log ****

 

-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\551vird4.default\prefs.js ]


[ File : C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\pc3qdo20.default\prefs.js ]

Line Deleted : user_pref("plugin.blocklisted.npviewpoint", true);

[ File : C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\tdp7glm7.default\prefs.js ]


[ File : C:\Documents and Settings\Jim Gumaer\Application Data\Mozilla\Firefox\Profiles\qip7ebls.default\prefs.js ]

Line Deleted : user_pref("browser.startup.homepage", "hxxp://apod.nasa.gov/apod/astropix.html|hxxp://www.nytimes.com/|hxxps://mail.google.com/mail/u/0/#inbox");
Line Deleted : user_pref("plugin.blocklisted.npviewpoint", true);

[ File : C:\Documents and Settings\Terry Tomaszewska\Application Data\Mozilla\Firefox\Profiles\ijwyqwoq.default\prefs.js ]

 

Rkill 2.6.5 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2014 BleepingComputer.com

More Information about Rkill can be found at this link:

 http://www.bleepingcomputer.com/forums/topic308364.html

 

Program started at: 04/22/2014 08:36:54 PM in x86 mode.

Windows Version: Microsoft Windows XP Service Pack 3

 

Checking for Windows services to stop:

 

 * No malware services found to stop.

 

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * ALERT: ZEROACCESS rootkit symptoms found!

     * C:\WINDOWS\Installer\{9203e341-fb12-f172-5eb6-c0965e6d78b8}\ [ZA Dir]
     * C:\WINDOWS\Installer\{9203e341-fb12-f172-5eb6-c0965e6d78b8}\L\ [ZA Dir]
     * C:\WINDOWS\Installer\{9203e341-fb12-f172-5eb6-c0965e6d78b8}\U\ [ZA Dir]

 * Reparse Point/Junctions Found (Most likely legitimate)!

     * C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2\2.1.72.22__540d4816ead86321 => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_2.1.72.22_x-ww_a742e49 [Dir]
     * C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2\3.0.335.0__540d4816ead86321 => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_3.0.335.0_x-ww_29a6be0d [Dir]
     * C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2\3.1.31.0__540d4816ead86321 => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_3.1.31.0_x-ww_8b778a47 [Dir]
     * C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\2.1.72.22__540d4816ead86321 => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_2.1.72.22_x-ww_c5eae641 [Dir]
     * C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\3.0.335.0__540d4816ead86321 => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_3.0.335.0_x-ww_e51d7605 [Dir]
     * C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\3.1.31.0__540d4816ead86321 => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_3.1.31.0_x-ww_46ee423f [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv4\v4.0_4.0.66.0__3ff6b78e2989595a => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv4_3ff6b78e2989595a_4.0.66.0_x-ww_7acf93b2 [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\v4.0_4.0.66.0__3ff6b78e2989595a => C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_3ff6b78e2989595a_4.0.66.0_x-ww_d938aa2c [Dir]

Checking Windows Service Integrity:

 * helpsvc [Missing Service]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 04/22/2014 08:38:09 PM
Execution time: 0 hours(s), 1 minute(s), and 14 seconds(s)

*************************

AdwCleaner[R0].txt - [5685 octets] - [21/04/2014 22:34:24]
AdwCleaner[S0].txt - [5317 octets] - [21/04/2014 22:43:43]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5377 octets] ##########

# AdwCleaner v3.103 - Report created 21/04/2014 at 22:43:43
# Updated 21/04/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Jeff - COMPUTER_2
# Running from : C:\Documents and Settings\Jeff\My Documents\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Program Files\File Type Assistant
Folder Deleted : C:\Program Files\Viewpoint
Folder Deleted : C:\Documents and Settings\Jeff\Local Settings\Application Data\FileTypeAssistant
Folder Deleted : C:\Documents and Settings\Jim Gumaer\Local Settings\Application Data\FileTypeAssistant
Folder Deleted : C:\Documents and Settings\Jim Gumaer\Application Data\Viewpoint
File Deleted : C:\Documents and Settings\Terry Tomaszewska\Application Data\Mozilla\Firefox\Profiles\ijwyqwoq.default\.autoreg

***** [ Shortcuts ] *****

Shortcut Disinfected : C:\Documents and Settings\All Users\Start Menu\Programs\InstallConverter bundle uninstaller\InstallConverter bundle uninstaller.lnk

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6E4C89CF-3061-4EE4-B22A-B7A8AAEA5CB3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Program Files\File Type Assistant\tsassist.exe]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\ImInstaller
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\551vird4.default\prefs.js ]


[ File : C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\pc3qdo20.default\prefs.js ]

Line Deleted : user_pref("plugin.blocklisted.npviewpoint", true);

[ File : C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\tdp7glm7.default\prefs.js ]


[ File : C:\Documents and Settings\Jim Gumaer\Application Data\Mozilla\Firefox\Profiles\qip7ebls.default\prefs.js ]

Line Deleted : user_pref("browser.startup.homepage", "hxxp://apod.nasa.gov/apod/astropix.html|hxxp://www.nytimes.com/|hxxps://mail.google.com/mail/u/0/#inbox");
Line Deleted : user_pref("plugin.blocklisted.npviewpoint", true);

[ File : C:\Documents and Settings\Terry Tomaszewska\Application Data\Mozilla\Firefox\Profiles\ijwyqwoq.default\prefs.js ]

C:\AdwCleaner\Quarantine\C\Program Files\File Type Assistant\tsassist.exe.vir      a variant of Win32/FileTypeAssistant.A potentially unwanted application       deleted - quarantined

C:\Documents and Settings\Jeff\Local Settings\Temp\setup.exe          multiple threats            cleaned by deleting - quarantined

C:\Documents and Settings\Jeff\My Documents\Downloads\Shockwave_Installer_Slim.exe            Win32/Bundled.Toolbar.Google.D potentially unsafe application     deleted - quarantined

C:\Documents and Settings\Jim Gumaer\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\20\244b6454-634c0bee           a variant of Java/Exploit.Agent.OQJ trojan           cleaned by deleting - quarantined

C:\Documents and Settings\Jim Gumaer\Local Settings\Application Data\{40C584B6-AF0D-11E1-8270-B8AC6F996F26}\manager.js      JS/Redirector.NCG trojan       cleaned by deleting - quarantined

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP761\A0049945.dll        probably a variant of Win32/SProtector.E potentially unwanted application        deleted - quarantined

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP761\A0049956.exe       a variant of Win32/AdWare.SpeedingUpMyPC.D application      cleaned by deleting - quarantined

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP761\A0049963.exe       a variant of Win32/SpeedingUpMyPC application      deleted - quarantined

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP769\A0061415.exe       a variant of Win32/FileTypeAssistant.A potentially unwanted application        deleted - quarantined
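The Rkill section above flags three [ZA Dir] paths under C:\WINDOWS\Installer, lists a set of junctions it judges "most likely legitimate", reports helpsvc as a missing service and shows a HOSTS file containing only the localhost line. When triaging logs like this one, it helps to pull those findings out mechanically rather than eyeballing them. The Python script below is an added example for this thread; it is not part of Rkill, AdwCleaner or the original post. It parses the section layout seen in the log (a "Checking ...:" header, " * " finding lines, indented "* " detail lines) into structured findings and ranks them. The "junction target outside WinSxS is suspicious" heuristic and the severity ranking are assumptions of the example, not Rkill rules, and SAMPLE_LOG is constructed to mirror the page's format with a placeholder GUID, placeholder paths and a made-up host entry.

```python
"""Triage helper for Rkill-style log output (added example, not Rkill's own code).

Parses "Checking ...:" sections and " * " findings into a Findings record and
ranks: [ZA Dir] entries, junctions whose target lies outside WinSxS (a
heuristic assumed here, not an Rkill rule), non-localhost HOSTS lines and
[Missing Service] entries. SAMPLE_LOG is constructed with placeholder values.
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^(Checking|Performing|Searching)\b.*:$")
FINDING_RE = re.compile(r"^\s*\*\s+(.*)$")
JUNCTION_RE = re.compile(r"^(?P<link>.+?)\s+=>\s+(?P<target>.+?)\s+\[Dir\]$")
HOSTS_RE = re.compile(r"^\s*(?P<ip>[0-9a-fA-F:.]+)\s+(?P<host>\S+)")
LOCALHOST = {("127.0.0.1", "localhost"), ("::1", "localhost")}


@dataclass
class Findings:
    za_dirs: list = field(default_factory=list)
    missing_services: list = field(default_factory=list)
    suspicious_junctions: list = field(default_factory=list)
    hosts_entries: list = field(default_factory=list)
    sections: dict = field(default_factory=dict)


def parse_rkill(text: str) -> Findings:
    """Walk the log line by line, remembering which section header is current."""
    f = Findings()
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line.strip():
            continue
        if HEADER_RE.match(line):
            section = line[:-1]          # drop the trailing colon
            f.sections.setdefault(section, [])
            continue
        m = FINDING_RE.match(line)
        if m:
            item = m.group(1).strip()
            if section is not None:
                f.sections[section].append(item)
            if item.endswith("[ZA Dir]"):
                f.za_dirs.append(item[: -len("[ZA Dir]")].strip())
            elif item.endswith("[Missing Service]"):
                f.missing_services.append(item.split()[0])
            else:
                j = JUNCTION_RE.match(item)
                if j and "\\WinSxS\\" not in j.group("target"):
                    f.suspicious_junctions.append((j.group("link"), j.group("target")))
            continue
        if section == "Checking HOSTS File":   # bare "ip  host" lines, no asterisk
            h = HOSTS_RE.match(line)
            if h:
                f.hosts_entries.append((h.group("ip"), h.group("host")))
    return f


def triage(f: Findings) -> list:
    """Return (severity, message) pairs, worst first."""
    out = [("critical", f"ZeroAccess-style directory: {p}") for p in f.za_dirs]
    out += [("high", f"junction outside WinSxS: {a} -> {b}") for a, b in f.suspicious_junctions]
    out += [("high", f"HOSTS override: {h} -> {ip}") for ip, h in f.hosts_entries
            if (ip, h) not in LOCALHOST]
    out += [("medium", f"missing service: {s}") for s in f.missing_services]
    rank = {"critical": 0, "high": 1, "medium": 2}
    return sorted(out, key=lambda x: rank[x[0]])


# Constructed sample in the page's layout; GUID, paths and host are placeholders.
SAMPLE_LOG = r"""
Performing miscellaneous checks:

 * ALERT: ZEROACCESS rootkit symptoms found!

     * C:\WINDOWS\Installer\{00000000-0000-0000-0000-000000000000}\ [ZA Dir]
     * C:\WINDOWS\Installer\{00000000-0000-0000-0000-000000000000}\L\ [ZA Dir]
     * C:\WINDOWS\Installer\{00000000-0000-0000-0000-000000000000}\U\ [ZA Dir]

 * Reparse Point/Junctions Found (Most likely legitimate)!

     * C:\WINDOWS\assembly\GAC_MSIL\Example\1.0.0.0__0123456789abcdef => C:\WINDOWS\WinSxS\MSIL_Example_0123456789abcdef_1.0.0.0_x-ww_00000000 [Dir]
     * C:\WINDOWS\system32\drivers\etc => C:\Documents and Settings\user\Local Settings\Temp\etc [Dir]

Checking Windows Service Integrity:

 * helpsvc [Missing Service]

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost
  127.0.0.1       update.example.com
"""

if __name__ == "__main__":
    for severity, msg in triage(parse_rkill(SAMPLE_LOG)):
        print(f"{severity:8} {msg}")
```

Run it on a saved Rkill log with `parse_rkill(open(path).read())`; the GAC to WinSxS junctions in the log above are filtered out by the WinSxS test, so only the three [ZA Dir] paths and the missing helpsvc entry would surface from that output.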



#4 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:01:25 PM

Posted 23 April 2014 - 01:52 AM

SORRY to inform you -

ALERT : ZEROACCESS rootkit symptoms found ! - - - -

This needs further work from the Experts Only and not here.

  • Please fully read and follow the instructions in the Preparation Guide starting at Step #6.
  • When you have done that, start a new topic and post the 2 required DDS logs to the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.
  • If you are unable to complete any step, just post the topic and leave a full description of your problems.
  • Please Use Copy / Paste for your responses, and Do Not Attach them unless your helper requests this.
  • After doing this, please reply back in this thread with a link to the new topic so we can close this one.
  • Good Luck with your new topic -



#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:05:25 AM

Posted 25 April 2014 - 06:12 AM

As you have posted a new thread here: http://www.bleepingcomputer.com/forums/t/532215/zeroaccess-rootkit-found-by-helper/, I will now close this one.

Please post all your updates in your new thread from now on to avoid confusion.

regards

myrti


is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 
