Browser Hijack Malware, Windows XP


20 replies to this topic

#1 jesst940

jesst940

  • Members
  • 135 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Texas
  • Local time:12:00 AM

Posted 25 January 2015 - 08:50 PM

Hello BC,
 
This is my problem(s).
 
Error messages when attempting to download FRST, ESET or any anti-virus utility.
 
Dell 2400 Dimension, Intel Celeron CPU 2.40GHz, 2.39GHz, 2.0GB RAM. Windows XP, SP3. Version 2002 Home. 32 bit.
 
First infected Mid-Oct 2014. Thought it was eradicated. Problems resurface and worsen.
 
Thank You.

Edit: Topic moved from Windows XP to the more appropriate forum. ~ Animal

jesst940 :flowers: 



#2 ron2014

ron2014

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:00 PM

Posted 25 January 2015 - 09:18 PM

Sounds like the virus is blocking you from downloading. I usually create a boot or rescue disk from Sardu, Hiren or Trinity and scan. Here are links if you're interested in creating a disk.

 

http://www.sarducd.it/ for Sardu

 

http://www.hirensbootcd.org/download/ for Hirens

 

http://trinityhome.org/Home/index.php?content=TRINITY_RESCUE_KIT_DOWNLOAD for Trinity disk.

 

Of course you probably will have to download on another computer that isn't infected. Hope this works if you haven't already figured it out.

 

Ron



#3 jesst940

jesst940
  • Topic Starter


Posted 25 January 2015 - 09:45 PM

Thanks Ron,

No, hadn't figured it out completely. Have been looking at repair disks on eBay. Do appreciate the recommendations.

How long will this thread stay open? Or, how soon do I need to update?

I still need the moral support. Not that much of a tech person. Just research, follow instructions, and hope for the best.

 

Kind regards

Jesst




#4 iangcarroll

iangcarroll

  • Members
  • 658 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Birmingham, MI
  • Local time:01:00 AM

Posted 25 January 2015 - 10:00 PM

If you have a USB you can burn a rescue disk to it. I'm curious what the error message is - it may be reversible without a rescue disk.

In any case, feel free to create a topic in the official support forum for guidance if you get stuck. http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!


#5 jesst940

jesst940
  • Topic Starter


Posted 26 January 2015 - 10:19 AM

HI,

You mean to a flash drive. Have one - .5 to 1 G, I think. Got to locate it. Going to call local library this morning or a nearby friend for downloading assistance. I also have a Sony CD-RW - 700Mb (in hand) with only a copy of the Conficker virus (remember that one?) removal instructions on it. Is that worth saving? Never had occasion to use it.

 

The error messages were on the browsers themselves. I posted this in:

http://www.bleepingcomputer.com/forums/t/563654/browsers-hijacked/

near the end of the thread (pg 2). If you would like, I can copy them here.

 

Oh, and by the way, Chrome loaded this morning without the add-on searches of Andromenda on one tab and Yahoo search on another tab. I prefer Google and have tried to delete the Yahoo but no go on that. The bad guys were asleep this morning?

 

Thanks

jesst


Edited by jesst940, 26 January 2015 - 10:37 AM.



#6 jesst940

jesst940
  • Topic Starter


Posted 26 January 2015 - 11:44 AM

Error messages from each browser. Happens when links to download page(s) are used:

 

 :-(...

 

Chrome = This webpage is not available

-------------------------------------------------

 

Opera =

This webpage is not available

The connection to kb.eset-la.com was interrupted.
Check your internet connection.

Check any cables and reboot any routers, modems, or other network devices you may be using.

Allow Opera to access the network in your firewall or antivirus settings.

If it is already listed as a program allowed to access the network, try removing it from the list and adding it again.

If you use a proxy server...

Check your proxy settings or contact your network administrator to make sure the proxy server is working. If you don't believe you should be using a proxy server: Go to the Opera menu > Settings > Change proxy settings... > LAN Settings and deselect "Use a proxy server for your LAN".

 

-------------------------------------------------------------------------------------------

 

Firefox =  The connection was reset

 

The connection to the server was reset while the page was loading.

 

    The site could be temporarily unavailable or too busy. Try again in a few moments.

    If you are unable to load any pages, check your computer's network connection.

    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

 

*Same with 'Privacy Window' on Firefox

           -----------------------------------------------------------------------------------------  

 

 

Internet Explorer cannot display the webpage

What you can try: Diagnose Connection Problems

 

Excuse the bold print, please. Next best thing to having someone looking at the same screen that I am?

(copy/paste)

 

jesst




#7 iangcarroll

iangcarroll


Posted 26 January 2015 - 12:07 PM

Okay, please keep us updated on the recovery disk. :)



#8 jesst940

jesst940
  • Topic Starter


Posted 26 January 2015 - 01:39 PM

Will do. Thanks




#9 jesst940

jesst940
  • Topic Starter


Posted 26 January 2015 - 02:54 PM

Hello,

Accidentally ran across some apps in C/Downloads/Software that I had downloaded in Aug. 2013. There were some of the recommended utilities that I have been unable to download recently, and had not been uninstalled when I used the Kaspersky page to uninstall old malware utilities.

I ran Mini Tool Box and Junk Remover Tool and have logs. Will post those & wait for response while I check out the rest of C/Downloads/Software. I forgot about this location and have been looking only in C/My Documents/Downloads, after I have attempted to download something that BC (I think) recommended on this last infection.

Do these help? Or is it too late at this stage?

  Regards

-------------------------

SCANS:

------------

MiniToolBox by Farbar  Version: 13-07-2013

Ran by Owner (administrator) on 26-01-2015 at 13:10:09

Running from "C:\Downloads\Software"

Microsoft Windows XP Home Edition Service Pack 3 (X86)

Boot Mode: Normal

***************************************************************************

 

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ============================== 

 

Proxy is not enabled.

No Proxy Server is set.

 

"Reset IE Proxy Settings": IE Proxy Settings were reset.

 

========================= FF Proxy Settings: ============================== 

 

 

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

 

========================= Hosts content: =================================

 

 

 

 

127.0.0.1       localhost

 

========================= IP Configuration: ================================

 

Broadcom 440x 10/100 Integrated Controller = Local Area Connection (Connected)

 

 

# ---------------------------------- 

# Interface IP Configuration         

# ---------------------------------- 

pushd interface ip

 

 

# Interface IP Configuration for "Local Area Connection"

 

set address name="Local Area Connection" source=dhcp 

set dns name="Local Area Connection" source=dhcp register=PRIMARY

set wins name="Local Area Connection" source=dhcp

 

 

popd

# End of interface IP configuration

 

 

Windows IP Configuration

        Host Name . . . . . . . . . . . . : windows-wv34g89
        Primary Dns Suffix  . . . . . . . : 
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : 
        Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
        Physical Address. . . . . . . . . : 00-12-3F-28-64-17
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
        Lease Obtained. . . . . . . . . . : Monday, January 26, 2015 9:06:09 AM
        Lease Expires . . . . . . . . . . : Tuesday, January 27, 2015 9:06:09 AM

Server:  UnKnown

Address:  192.168.1.1

 

Name:    google.com

Address:  216.58.218.174

 

Pinging google.com [216.58.218.174] with 32 bytes of data:

Reply from 216.58.218.174: bytes=32 time=632ms TTL=51
Reply from 216.58.218.174: bytes=32 time=630ms TTL=51

Ping statistics for 216.58.218.174:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 630ms, Maximum = 632ms, Average = 631ms

Server:  UnKnown

Address:  192.168.1.1

 

Name:    yahoo.com

Addresses:  206.190.36.45, 98.138.253.109, 98.139.183.24

 

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:

Reply from 206.190.36.45: bytes=32 time=625ms TTL=49
Reply from 206.190.36.45: bytes=32 time=648ms TTL=49

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 625ms, Maximum = 648ms, Average = 636ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================

Interface List

0x1 ........................... MS TCP Loopback interface

0x10003 ...00 12 3f 28 64 17 ...... Broadcom 440x 10/100 Integrated Controller

===========================================================================

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.3  20

        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1  1

      169.254.0.0      255.255.0.0      192.168.1.3     192.168.1.3  20

      192.168.1.0    255.255.255.0      192.168.1.3     192.168.1.3  20

      192.168.1.3  255.255.255.255        127.0.0.1       127.0.0.1  20

    192.168.1.255  255.255.255.255      192.168.1.3     192.168.1.3  20

        224.0.0.0        240.0.0.0      192.168.1.3     192.168.1.3  20

  255.255.255.255  255.255.255.255      192.168.1.3     192.168.1.3  1

Default Gateway:       192.168.1.1

===========================================================================

Persistent Routes:

  None

========================= Winsock entries =====================================

 

Catalog5 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)

Catalog5 02 C:\WINDOWS\system32\winrnr.dll [16896] (Microsoft Corporation)

Catalog5 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)

Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)

Catalog9 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)

Catalog9 02 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)

Catalog9 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)

Catalog9 04 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)

Catalog9 05 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)

Catalog9 06 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)

Catalog9 07 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)

Catalog9 08 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)

Catalog9 09 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)

Catalog9 10 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)

Catalog9 11 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)

 

========================= Event log errors: ===============================

 

Application errors:

==================

Error: (01/26/2015 10:38:50 AM) (Source: Application Hang) (User: )

Description: Hanging application notepad.exe, version 5.1.2600.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

 

Error: (01/26/2015 10:38:50 AM) (Source: Application Hang) (User: )

Description: Hanging application notepad.exe, version 5.1.2600.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

 

Error: (01/25/2015 07:23:33 PM) (Source: Bonjour Service) (User: )

Description: mDNSCoreReceiveResponse: Unexpected conflict discarding   23 3.1.168.192.in-addr.arpa. PTR windows-wv34g89.local.

 

Error: (01/25/2015 07:23:33 PM) (Source: Bonjour Service) (User: )

Description: mDNSCoreReceiveResponse: Received from 192.168.1.3:5353   25 3.1.168.192.in-addr.arpa. PTR windows-wv34g89-2.local.

 

Error: (01/24/2015 05:46:56 PM) (Source: VSS) (User: )

Description: Volume Shadow Copy Service error: Cannot install the component C:\Documents and Settings\Owner\Desktop\SWPRV.DLL into the COM+ application 'MS Software Shadow Copy Provider' [0x80110401].

 

Error: (01/24/2015 05:33:04 PM) (Source: WinMgmt) (User: )

Description: Failed to load MOF C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.MOF while recovering repository file.

 

Error: (01/24/2015 05:32:55 PM) (Source: WinMgmt) (User: )

Description: Failed to load MOF C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\ASPNET.MOF while recovering repository file.

 

Error: (01/24/2015 05:32:55 PM) (Source: WinMgmt) (User: )

Description: Failed to load MOF C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MOF\SERVICEMODEL.MOF while recovering repository file.

 

Error: (01/24/2015 05:32:54 PM) (Source: WinMgmt) (User: )

Description: Failed to load MOF C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATION FOUNDATION\SERVICEMODEL.MOF while recovering repository file.

 

Error: (01/24/2015 05:32:54 PM) (Source: WinMgmt) (User: )

Description: Failed to load MOF C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET.MOF while recovering repository file.

 

 

System errors:

=============

Error: (01/26/2015 10:02:39 AM) (Source: DCOM) (User: NT AUTHORITY)

Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"

in order to run the server:

{4EB61BAC-A3B6-4760-9581-655041EF4D69}

 

Error: (01/26/2015 09:06:20 AM) (Source: 0) (User: )

Description: 

 

Error: (01/25/2015 09:47:21 PM) (Source: 0) (User: )

Description: 

 

Error: (01/25/2015 09:43:14 PM) (Source: 0) (User: )

Description: 

 

Error: (01/25/2015 08:03:26 PM) (Source: DCOM) (User: NT AUTHORITY)

Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"

in order to run the server:

{4EB61BAC-A3B6-4760-9581-655041EF4D69}

 

Error: (01/25/2015 07:21:42 PM) (Source: 0) (User: )

Description: 

 

Error: (01/25/2015 07:20:49 PM) (Source: DCOM) (User: NT AUTHORITY)

Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""

in order to run the server:

{1BE1F766-5536-11D1-B726-00C04FB926AF}

 

Error: (01/25/2015 07:15:42 PM) (Source: Service Control Manager) (User: )

Description: The following boot-start or system-start driver(s) failed to load: 

Fips

intelppm

klhk

klpd

kneps

 

Error: (01/25/2015 07:14:35 PM) (Source: DCOM) (User: NT AUTHORITY)

Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""

in order to run the server:

{1BE1F766-5536-11D1-B726-00C04FB926AF}

 

Error: (01/25/2015 07:14:15 PM) (Source: 0) (User: )

Description: 

 

 

Microsoft Office Sessions:

=========================

Error: (01/26/2015 10:38:50 AM) (Source: Application Hang)(User: )

Description: notepad.exe5.1.2600.5512hungapp0.0.0.000000000

 

Error: (01/26/2015 10:38:50 AM) (Source: Application Hang)(User: )

Description: notepad.exe5.1.2600.5512hungapp0.0.0.000000000

 

Error: (01/25/2015 07:23:33 PM) (Source: Bonjour Service)(User: )

Description: mDNSCoreReceiveResponse: Unexpected conflict discarding   23 3.1.168.192.in-addr.arpa. PTR windows-wv34g89.local.

 

Error: (01/25/2015 07:23:33 PM) (Source: Bonjour Service)(User: )

Description: mDNSCoreReceiveResponse: Received from 192.168.1.3:5353   25 3.1.168.192.in-addr.arpa. PTR windows-wv34g89-2.local.

 

Error: (01/24/2015 05:46:56 PM) (Source: VSS)(User: )

Description: C:\Documents and Settings\Owner\Desktop\SWPRV.DLLMS Software Shadow Copy Provider0x80110401

 

Error: (01/24/2015 05:33:04 PM) (Source: WinMgmt)(User: )

Description: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CLR.MOF

 

Error: (01/24/2015 05:32:55 PM) (Source: WinMgmt)(User: )

Description: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\ASPNET.MOF

 

Error: (01/24/2015 05:32:55 PM) (Source: WinMgmt)(User: )

Description: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\MOF\SERVICEMODEL.MOF

 

Error: (01/24/2015 05:32:54 PM) (Source: WinMgmt)(User: )

Description: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.0\WINDOWS COMMUNICATION FOUNDATION\SERVICEMODEL.MOF

 

Error: (01/24/2015 05:32:54 PM) (Source: WinMgmt)(User: )

Description: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET.MOF

 

 

=========================== Installed Programs ============================

 

7-Zip 9.20

Adobe Flash Player 15 ActiveX (Version: 15.0.0.223)

Adobe Reader XI (11.0.08) (Version: 11.0.08)

Adobe Shockwave Player 12.0 (Version: 12.0.3.133)

Apple Application Support (Version: 3.0.1)

Apple Mobile Device Support (Version: 7.1.1.3)

Apple Software Update (Version: 2.1.3.127)

Bonjour (Version: 3.0.0.10)

Broadcom 440x 10/100 Integrated Controller (Version: 3.29)

Canon IJ Scan Utility

Canon MG2500 series MP Drivers (Version: 1.00)

Canon MG2500 series On-screen Manual (Version: 7.6.1)

Canon MG2500 series User Registration

Canon My Printer (Version: 3.1.0)

Canon Quick Menu (Version: 2.2.1)

Chatango Message Catcher

Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)

Diner Dash

ESET Online Scanner v3

ffdshow [rev 2527] [2008-12-19] (Version: 1.0)

FUJIFILM FinePixViewer S Ver.2.1 (Version: 2.1.0.2)

Google Chrome (Version: 40.0.2214.91)

Google Update Helper (Version: 1.3.25.11)

Intel® Extreme Graphics Driver

Internet Explorer (Enable DEP)

iTunes (Version: 11.1.5.5)

Java 7 Update 71 (Version: 7.0.710)

Java Auto Updater (Version: 2.1.71.14)

Jojo's Fashion Show: World Tour (Version: 1.0.0.45)

Kaspersky Internet Security (Version: 15.0.1.415)

Mahjongg Artifacts 2

Malwarebytes Anti-Malware version 2.0.2.1012 (Version: 2.0.2.1012)

Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)

Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)

Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)

Microsoft .NET Framework 4 Extended (Version: 4.0.30319)

Microsoft Application Error Reporting (Version: 12.0.6012.5000)

Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)

Microsoft Download Manager (Version: 1.2.1)

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Silverlight (Version: 5.1.30514.0)

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)

Mozilla Firefox 35.0 (x86 en-US) (Version: 35.0)

Mozilla Maintenance Service (Version: 35.0)

NETGEAR Genie (Version: 2.3.1.46)

OpenOffice.org 3.4.1 (Version: 3.41.9593)

Opera 12.16 (Version: 12.16.1860)

Opera Stable 26.0.1656.60 (Version: 26.0.1656.60)

RealDownloader (Version: 1.3.2)

Shared C Run-time for x86 (Version: 10.0.0)

SHG Installation (Version: 2.0.50)

Should I Remove It (Version: 1.0.4)

SoundMAX (Version: 5.12.01.5246)

Super Collapse 2 Free Trial

swMSM (Version: 12.0.0.1)

Turbo Lister 2 (Version: 2.00.0000)

Tweaking.com - Windows Repair (All in One) (Version: 2.10.3)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)

Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)

Update for Windows XP (KB2345886) (Version: 1)

Update for Windows XP (KB2467659) (Version: 1)

Update for Windows XP (KB2661254-v2) (Version: 2)

Update for Windows XP (KB2736233) (Version: 1)

Update for Windows XP (KB2749655) (Version: 1)

Update for Windows XP (KB2863058) (Version: 1)

Update for Windows XP (KB2904266) (Version: 1)

Update for Windows XP (KB2934207) (Version: 1)

Update for Windows XP (KB898461) (Version: 1)

Update for Windows XP (KB951978) (Version: 1)

Update for Windows XP (KB955759) (Version: 1)

Update for Windows XP (KB968389) (Version: 1)

Update for Windows XP (KB971029) (Version: 1)

Update for Windows XP (KB973815) (Version: 1)

Virtual Families 1.0 (Version: 1.0)

Visual Studio 2012 x86 Redistributables (Version: 14.0.0.1)

VLC media player 2.0.0 (Version: 2.0.0)

WebFldrs XP (Version: 9.50.6513)

WildBlue Optimizer Ver 2011-06-01 (Version: 4.8.0.0)

Windows Internet Explorer 7 (Version: 20070813.185237)

Windows Internet Explorer 8 (Version: 20090308.140743)

Windows Media Format 11 runtime

Windows PowerShell™ 1.0 (Version: 2)

Windows XP Service Pack 3 (Version: 20080414.031525)

WorldWinner Games (Version: 1.10.0.25)

Yahoo! Toolbar

 

========================= Devices: ================================

 

Name: PCI Modem

Description: PCI Modem

Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Manufacturer: 

Service: 

Problem: : The drivers for this device are not installed. (Code 28)

Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

 

 

========================= Memory info: ===================================

 

Percentage of memory in use: 38%

Total physical RAM: 2046 MB

Available physical RAM: 1264.27 MB

Total Pagefile: 4891.41 MB

Available Pagefile: 4063.14 MB

Total Virtual: 2047.88 MB

Available Virtual: 1972.83 MB

 

========================= Partitions: =====================================

 

2 Drive c: () (Fixed) (Total:74.5 GB) (Free:39.54 GB) NTFS

 

========================= Users: ========================================

 

User accounts for \\WINDOWS-WV34G89

 

Administrator            ASPNET                   Guest                    

HelpAssistant            Owner                    SUPPORT_388945a0         

 

========================= Minidump Files ==================================

 

C:\WINDOWS\Minidump\Mini010215-01.dmp

C:\WINDOWS\Minidump\Mini042614-01.dmp

C:\WINDOWS\Minidump\Mini052014-01.dmp

C:\WINDOWS\Minidump\Mini071013-01.dmp

========================= Restore Points ==================================

 

05-01-2015 12:19:45 System Checkpoint

06-01-2015 15:14:20 System Checkpoint

06-01-2015 19:33:58 Removed Panda Devices Agent.

07-01-2015 22:30:56 System Checkpoint

09-01-2015 23:53:33 System Checkpoint

10-01-2015 17:12:57 Restore Operation

11-01-2015 20:40:13 System Checkpoint

12-01-2015 21:14:41 System Checkpoint

12-01-2015 23:28:35 First Restore Point

13-01-2015 00:08:34 First Restore Point

14-01-2015 02:07:08 System Checkpoint

14-01-2015 03:34:55 Software Distribution Service 3.0

15-01-2015 19:43:01 System Checkpoint

17-01-2015 00:50:18 System Checkpoint

17-01-2015 18:10:12 Restore Operation

18-01-2015 18:29:52 System Checkpoint

20-01-2015 10:20:30 System Checkpoint

21-01-2015 10:33:30 System Checkpoint

21-01-2015 15:11:03 Tweaking.com - Windows Repair

22-01-2015 15:47:58 System Checkpoint

22-01-2015 21:02:36 Restore Operation

22-01-2015 21:08:10 Software Distribution Service 3.0

24-01-2015 00:21:57 System Checkpoint

24-01-2015 06:00:18 Software Distribution Service 3.0

24-01-2015 23:26:26 Tweaking.com - Windows Repair

26-01-2015 00:26:19 System Checkpoint

 

**** End of log ****

_____________________________
--------------------------------------------------
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.3.0 (08.02.2013:1)
OS: Microsoft Windows XP x86
Ran by Owner on Mon 01/26/2015 at 13:17:25.73
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry] HKEY_CURRENT_USER\Software\systweak
Successfully deleted: [Registry] HKEY_LOCAL_MACHINE\Software\installcore
Successfully deleted: [Registry] HKEY_LOCAL_MACHINE\Software\systweak
 
 
 
~~~ Files
 
Successfully deleted: [File] C:\eula.1028.txt
Successfully deleted: [File] C:\eula.1031.txt
Successfully deleted: [File] C:\eula.1033.txt
Successfully deleted: [File] C:\eula.1036.txt
Successfully deleted: [File] C:\eula.1040.txt
Successfully deleted: [File] C:\eula.1041.txt
Successfully deleted: [File] C:\eula.1042.txt
Successfully deleted: [File] C:\eula.2052.txt
Successfully deleted: [File] C:\install.res.1028.dll
Successfully deleted: [File] C:\install.res.1031.dll
Successfully deleted: [File] C:\install.res.1033.dll
Successfully deleted: [File] C:\install.res.1036.dll
Successfully deleted: [File] C:\install.res.1040.dll
Successfully deleted: [File] C:\install.res.1041.dll
Successfully deleted: [File] C:\install.res.1042.dll
Successfully deleted: [File] C:\install.res.2052.dll
Successfully deleted: [File] C:\install.res.3082.dll
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Documents and Settings\Owner\Application Data\advanced system protector"
Successfully deleted: [Folder] "C:\Documents and Settings\Owner\Application Data\systweak"
Successfully deleted: [Folder] "C:\Program Files\gamesbar"
Successfully deleted: [Folder] "C:\WINDOWS\system32\ai_recyclebin"
 
 
 
~~~ FireFox
 
Successfully deleted: [File] C:\Documents and Settings\Owner\Application Data\mozilla\firefox\profiles\o1su23hy.default-1374979413281\user.js
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 01/26/2015 at 13:29:45.39
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edited by jesst940, 26 January 2015 - 03:08 PM.

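A small triage script, added here as an illustration and not code from the thread or from Farbar's tool, that reads the three MiniToolBox sections a browser-hijack helper checks first (IE proxy settings, hosts file, Winsock providers) and lists anything non-default. Both reports are constructed: the "hijacked" one invents a proxy and a hosts entry to show what a redirect would look like (the exact "Proxy is enabled." wording is an assumption), while the "clean" one mirrors the log posted above.

```python
import re
from typing import Dict, List

# Constructed sample in MiniToolBox's layout. The proxy and hosts lines are
# made up to show what a hijack would look like; they are not from the
# thread's log, and the "Proxy is enabled." wording is an assumption.
HIJACKED_LOG = r"""
========================= IE Proxy Settings: ==============================
Proxy is enabled.
ProxyServer: http=127.0.0.1:8080
========================= Hosts content: =================================
127.0.0.1       localhost
127.0.0.1       kb.eset-la.com
========================= Winsock entries =====================================
Catalog5 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
"""

# Constructed sample mirroring the posted log: no proxy, a default hosts
# file, and Apple's Bonjour as the only non-Microsoft Winsock provider.
CLEAN_LOG = r"""
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
127.0.0.1       localhost
========================= Winsock entries =====================================
Catalog5 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=]+?):?\s*=+$")
WINSOCK_RE = re.compile(r"^(Catalog\d+)\s+(\d+)\s+(.+?)\s+\[\d+\]\s+\((.+)\)$")
PROXY_CLEAN = {"Proxy is not enabled.", "No Proxy Server is set."}
HOSTS_DEFAULT = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a MiniToolBox report into {section name: non-blank body lines}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def check_proxy(lines: List[str]) -> List[str]:
    """Anything beyond the two 'no proxy' markers and the tool's own reset
    notice means a proxy is configured for IE (Chrome and Opera share it)."""
    return [l for l in lines if l not in PROXY_CLEAN and not l.startswith('"Reset ')]

def check_hosts(lines: List[str]) -> List[str]:
    """Report every hosts mapping other than the localhost defaults."""
    findings = []
    for line in lines:
        line = line.split("#", 1)[0]  # drop inline comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        findings.extend(f"{n} -> {ip}" for n in names if (ip, n) not in HOSTS_DEFAULT)
    return findings

def check_winsock(lines: List[str]) -> List[str]:
    """List Winsock providers not attributed to Microsoft; an entry that does
    not parse is reported too, since a damaged catalog is itself a finding."""
    findings = []
    for line in lines:
        m = WINSOCK_RE.match(line)
        if not m:
            findings.append(f"unparsed entry: {line}")
        elif m.group(4) != "Microsoft Corporation":
            findings.append(f"{m.group(1)} {m.group(2)} {m.group(3)} ({m.group(4)})")
    return findings

def triage(report: str) -> Dict[str, List[str]]:
    """Run the three checks and return findings keyed by check name."""
    s = parse_sections(report)
    return {
        "proxy": check_proxy(s.get("IE Proxy Settings", [])),
        "hosts": check_hosts(s.get("Hosts content", [])),
        "winsock": check_winsock(s.get("Winsock entries", [])),
    }

if __name__ == "__main__":
    for name, log in (("hijacked sample", HIJACKED_LOG), ("clean sample", CLEAN_LOG)):
        for check, hits in triage(log).items():
            print(f"{name} / {check}: {hits or 'nothing non-default'}")
```

On the clean sample only the Bonjour provider is listed, which matches the posted log: nothing in those three sections explains the blocked downloads.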


#10 jesst940

jesst940
  • Topic Starter


Posted 26 January 2015 - 03:31 PM

Can't run Eset. It says "Can not get update. Is Proxy configured?" There is an option to configure proxy. I have no clue as to what to put in the field:

 

Proxy address:_________

Port:_________

Username:_______

Password:__________

 

Remember I am no techie :)

 

Think I can reach that friend now to see about getting CDs or flash on the last 3 utilities.

 

Have run Rkill if someone wants to take a look at that log.

 

Have not run any of the list below. Yep, looks like I was attempting a DIY in July/Aug 2013:

Microsoft Windows Malicious Software Removal Tool,

SecurityCheck.exe,

 WiseFixer.exe

Spark Trust PC Cleaner

 ATF Cleaner 




#11 jesst940

jesst940
  • Topic Starter


Posted 26 January 2015 - 04:24 PM

My friend who is in the process of loading the utilities to a USB stick says her Norton AV found a 'dangerous' file in the Sardu. It appears to be re-create software? What would this application do, exactly?




#12 jesst940

jesst940
  • Topic Starter


Posted 26 January 2015 - 05:03 PM

HI

Something different:

CPU is running low = under 50%, avg = 35% with 6 tabs open on Chrome. Spikes to 80-90% when a new page opens.

Was able to run older copies of Mini Tool Box & Junk Remover Tools this afternoon? Logs in previous posts.




#13 iangcarroll

iangcarroll


Posted 26 January 2015 - 05:18 PM

What did you run MiniToolBox with? Did you select anything?

Do not enter anything for ESET's proxy settings.

Please provide us with the RKill log.

Please run SecurityCheck.exe and provide the log.

 

JRT is more useful in its fully updated version - when you are able to, download the latest version on a clean computer and transfer it via USB flash drive.

I see you have Malwarebytes on your computer - can you please run a full scan using that and provide the log?




#14 jesst940

jesst940
  • Topic Starter


Posted 26 January 2015 - 06:01 PM

Mini Tool Box:  found a download from Aug 2013, just clicked 'run' on this system.

JRT --same as above. 

Below is the log from Rkill, also run this afternoon, after the two above.

----------------------------------------------------------------------------------------------

 

Rkill 2.5.8 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2015 BleepingComputer.com

More Information about Rkill can be found at this link:

 http://www.bleepingcomputer.com/forums/topic308364.html

 

Program started at: 01/26/2015 02:11:37 PM in x86 mode.

Windows Version: Microsoft Windows XP Service Pack 3

 

Checking for Windows services to stop:

 

 * No malware services found to stop.

 

Checking for processes to terminate:

 

 * No malware processes found to kill.

 

Checking Registry for malware related settings:

 

 * No issues found in the Registry.

 

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

 

Performing miscellaneous checks:

 

 * Reparse Point/Junctions Found (Most likely legitimate)!

 

     * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]

     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35 => C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 [Dir]

 

Checking Windows Service Integrity: 

 

 * No issues found.

 

Searching for Missing Digital Signatures: 

 

 * No issues found.

 

Checking HOSTS File: 

 

 * HOSTS file entries found: 

 

  127.0.0.1       localhost

 

Program finished at: 01/26/2015 02:13:06 PM

Execution time: 0 hours(s), 1 minute(s), and 28 seconds(s)

---------------------------------------------------------------------------------
 
Next...running Malwarebytes



#15 jesst940

jesst940
  • Topic Starter


Posted 26 January 2015 - 08:26 PM

Malwarebytes finished. Could not find a log on it. Briefly saw on main page of dashboard "no malicious software..found."

This is all I was able to retrieve: sorry.

 

Malwarebytes Anti-Malware

www.malwarebytes.org

Update, 1/26/2015 6:18:11 PM, SYSTEM, WINDOWS-WV34G89, Manual, Malware Database, 2015.1.24.15, 2015.1.26.8, 

(end)

 

----------------------------------------------------------------------

 

 

 

However, while searching for the Malwarebytes log I found this; don't know if it's relevant:

 

 

19:36:33.0941 0x0bb0  Trojan-Ransom.Win32.Rannoh decryptor tool 1.8.0.0 Dec 29 2014 20:34:44

19:36:35.0285 0x0bb0  ============================================================

19:36:35.0301 0x0bb0  Current date / time: 2015/01/12 19:36:35.0285

19:36:35.0301 0x0bb0  SystemInfo:

19:36:35.0301 0x0bb0  

19:36:35.0301 0x0bb0  OS Version: 5.1.2600 ServicePack: 3.0

19:36:35.0301 0x0bb0  Product type: Workstation

19:36:35.0301 0x0bb0  ComputerName: WINDOWS-WV34G89

19:36:35.0301 0x0bb0  UserName: Owner

19:36:35.0301 0x0bb0  Windows directory: C:\WINDOWS

19:36:35.0301 0x0bb0  System windows directory: C:\WINDOWS

19:36:35.0301 0x0bb0  Processor architecture: Intel x86

19:36:35.0301 0x0bb0  Number of processors: 1

19:36:35.0301 0x0bb0  Page size: 0x1000

19:36:35.0316 0x0bb0  Boot type: Normal boot

19:36:35.0316 0x0bb0  ============================================================

19:36:35.0316 0x0bb0  Initialize success

19:36:47.0394 0x0cac  Can't get encrypted file path

19:36:47.0394 0x0cac  Can't init decryptor

19:37:56.0629 0x02b4  Can't get encrypted file path

19:37:56.0629 0x02b4  Can't init decryptor

19:38:31.0488 0x0980  Can't get encrypted file path

19:38:31.0488 0x0980  Can't init decryptor

19:39:46.0738 0x0d54  Can't get encrypted file path

19:39:46.0738 0x0d54  Can't init decryptor

19:40:09.0285 0x0f50  Can't get encrypted file path

19:40:09.0285 0x0f50  Can't init decryptor

19:40:57.0254 0x0d00  Can't get encrypted file path

19:40:57.0254 0x0d00  Can't init decryptor

19:40:59.0613 0x0894  Deinitialize success

--------------------------------------------------------------------------





