Is PC infected, please help!


17 replies to this topic

#1 loveit111 (Members, 12 posts)

Posted 09 May 2015 - 07:46 PM

Hello everybody, I've been having lots of problems with my Dell Vostro 200 running WinXP Home. The browser keeps downloading unknown files, then the PC begins to freeze. After I restart it I have to run SFC /scannow because it is missing system files. Plus I get "W32RPC server not connected". I use 360 Total Protection antivirus, and lately every time I run Sysinternals Process Explorer it is not verified and under Security it shows an unknown account.

 

Any help would be greatly appreciated.

 

Thanks

 

George




#2 TheN00bBuilder (Members, 150 posts)

Posted 09 May 2015 - 07:52 PM

You really need a new PC if you are running Windows XP. What is your budget? I can build you one on PC Part Picker for you to buy and assemble, or you can send the parts to me and I'll put it all together.


Sorry if I snap at you. I can't stand stupid for more than 5 minutes at a time.


#3 Sintharius, Bleepin' Sniper (Members, 5,639 posts)

Posted 10 May 2015 - 12:34 AM

Hi there,

We can do a checkup, but I'd really recommend you to upgrade if you can.

MiniToolbox by Farbar

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
  • List Restore Points
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

===

Security Check by screen317
  • Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt. Please copy and paste the contents of the log in your next reply.

Regards,
Alex

#4 loveit111, Topic Starter (Members, 12 posts)

Posted 10 May 2015 - 04:20 AM

 
Thank you for your help Alexstrasza, below are the logs:
 
 
MiniToolBox by Farbar  Version: 14-04-2015
Ran by userone (administrator) on 10-05-2015 at 03:09:13
Running from "C:\Documents and Settings\userone\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Model: Vostro 200 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
 
Windows IP Configuration
 
 
 
Successfully flushed the DNS Resolver Cache.
 
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
 
 
127.0.0.1       localhost
 
========================= IP Configuration: ================================
 
TP-LINK 150Mbps Wireless Lite N Adapter = Wireless Network Connection (Connected)
 
 
# ---------------------------------- 
# Interface IP Configuration         
# ---------------------------------- 
pushd interface ip
 
 
# Interface IP Configuration for "Wireless Network Connection"
 
set address name="Wireless Network Connection" source=dhcp 
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp
 
 
popd
# End of interface IP configuration
 
 
 
 
Windows IP Configuration
 
 
 
        Host Name . . . . . . . . . . . . : dellpc-c86c4245
 
        Primary Dns Suffix  . . . . . . . : 
 
        Node Type . . . . . . . . . . . . : Unknown
 
        IP Routing Enabled. . . . . . . . : No
 
        WINS Proxy Enabled. . . . . . . . : No
 
        DNS Suffix Search List. . . . . . : elp.rr.com
 
 
 
Ethernet adapter Wireless Network Connection:
 
 
 
        Connection-specific DNS Suffix  . : elp.rr.com
 
        Description . . . . . . . . . . . : TP-LINK 150Mbps Wireless Lite N Adapter
 
        Physical Address. . . . . . . . . : A0-F3-C1-24-8D-BF
 
        Dhcp Enabled. . . . . . . . . . . : Yes
 
        Autoconfiguration Enabled . . . . : Yes
 
        IP Address. . . . . . . . . . . . : 192.168.1.126
 
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
 
        Default Gateway . . . . . . . . . : 192.168.1.1
 
        DHCP Server . . . . . . . . . . . : 192.168.1.1
 
        DNS Servers . . . . . . . . . . . : 192.168.1.1
 
                                            209.18.47.61
 
                                            209.18.47.62
 
        Lease Obtained. . . . . . . . . . : Sunday, May 10, 2015 2:55:40 AM
 
        Lease Expires . . . . . . . . . . : Monday, May 11, 2015 2:55:40 AM
 
Server:  dns-cac-lb-01.rr.com
Address:  209.18.47.61
 
Name:    google.com
Addresses:  74.125.227.226, 74.125.227.228, 74.125.227.238, 74.125.227.229
 74.125.227.233, 74.125.227.231, 74.125.227.230, 74.125.227.225, 74.125.227.224
 74.125.227.232, 74.125.227.227
 
 
 
Pinging google.com [173.194.115.14] with 32 bytes of data:
 
 
 
Reply from 173.194.115.14: bytes=32 time=25ms TTL=53
 
Reply from 173.194.115.14: bytes=32 time=29ms TTL=53
 
 
 
Ping statistics for 173.194.115.14:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 25ms, Maximum = 29ms, Average = 27ms
 
Server:  dns-cac-lb-01.rr.com
Address:  209.18.47.61
 
Name:    yahoo.com
Addresses:  206.190.36.45, 98.139.183.24, 98.138.253.109
 
 
 
Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
 
 
 
Reply from 206.190.36.45: bytes=32 time=74ms TTL=46
 
Reply from 206.190.36.45: bytes=32 time=78ms TTL=46
 
 
 
Ping statistics for 206.190.36.45:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 74ms, Maximum = 78ms, Average = 76ms
 
 
 
Pinging 127.0.0.1 with 32 bytes of data:
 
 
 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
 
 
Ping statistics for 127.0.0.1:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
 
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...a0 f3 c1 24 8d bf ...... TP-LINK 150Mbps Wireless Lite N Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.126  25
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1  1
      192.168.1.0    255.255.255.0    192.168.1.126   192.168.1.126  25
    192.168.1.126  255.255.255.255        127.0.0.1       127.0.0.1  25
    192.168.1.255  255.255.255.255    192.168.1.126   192.168.1.126  25
        224.0.0.0        240.0.0.0    192.168.1.126   192.168.1.126  25
  255.255.255.255  255.255.255.255    192.168.1.126   192.168.1.126  1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\system32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (05/09/2015 03:37:35 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.
 
 
System errors:
=============
Error: (05/10/2015 02:47:29 AM) (Source: Service Control Manager) (User: )
Description: The aswMonFlt service failed to start due to the following error: 
%%5
 
Error: (05/09/2015 10:17:22 PM) (Source: Service Control Manager) (User: )
Description: The McAfee Firewall Core Service service failed to start due to the following error: 
%%2
 
Error: (05/09/2015 10:16:22 PM) (Source: Service Control Manager) (User: )
Description: The McAfee Firewall Core Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
 
Error: (05/09/2015 10:15:59 PM) (Source: Service Control Manager) (User: )
Description: The McAfee Home Network service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (05/09/2015 10:08:54 PM) (Source: DCOM) (User: DELLPC-C86C4245)
Description: The server {209500FC-6B45-4693-8871-6296C4843751} did not register with DCOM within the required timeout.
 
Error: (05/09/2015 10:08:24 PM) (Source: DCOM) (User: DELLPC-C86C4245)
Description: The server {209500FC-6B45-4693-8871-6296C4843751} did not register with DCOM within the required timeout.
 
Error: (05/09/2015 10:02:54 PM) (Source: Service Control Manager) (User: )
Description: The McAfee SiteAdvisor Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (05/09/2015 09:53:00 PM) (Source: Service Control Manager) (User: )
Description: The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: 
%%5
 
Error: (05/09/2015 09:47:49 PM) (Source: Service Control Manager) (User: )
Description: The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: 
%%5
 
Error: (05/09/2015 09:47:18 PM) (Source: Service Control Manager) (User: )
Description: The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: 
%%5
 
 
Microsoft Office Sessions:
=========================
Error: (05/09/2015 03:37:35 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.
 
 
 
=========================== Installed Programs ============================
Adobe Flash Player 17 PPAPI (HKLM\...\Adobe Flash Player PPAPI) (Version: 17.0.0.169 - Adobe Systems Incorporated)
Avast Free Antivirus (HKLM\...\Avast) (Version: 10.2.2218 - AVAST Software)
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - )
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Opera Stable 28.0.1750.51 (HKLM\...\Opera 28.0.1750.51) (Version: 28.0.1750.51 - Opera Software ASA)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 5.10.0.5408 - Realtek Semiconductor Corp.)
Revo Uninstaller 1.95 (HKLM\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
SpywareBlaster 5.0 (HKLM\...\SpywareBlaster_is1) (Version: 5.0.0 - BrightFort LLC)
TP-LINK Wireless Utility (HKLM\...\{7EF80615-639D-4BD0-B612-E347096452AD}) (Version: 1.0.3.0 - TP-LINK)
Update for Windows XP (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2904266) (HKLM\...\KB2904266) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2934207) (HKLM\...\KB2934207) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB898461) (HKLM\...\KB898461) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951978) (HKLM\...\KB951978) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.0 - VideoLAN)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Format 11 runtime (Version:  - Microsoft Corporation) Hidden
Windows Support Tools (HKLM\...\{8398B542-3CC4-44D9-83DF-696CCE70124B}) (Version: 5.1.2510.0 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
WinUtilities Free Edition 11.38 (HKLM\...\{FC274982-5AAD-4C20-848D-4424A5043010}_is1) (Version: 11.38 - YL Computing, Inc)
 
========================= Devices: ================================
 
Name: SM Bus Controller
Description: SM Bus Controller
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer: 
Service: 
Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_02381028&REV_02\3&2411E6FE&0&FB
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 50%
Total physical RAM: 2037.1 MB
Available physical RAM: 1016.56 MB
Total Pagefile: 4939.11 MB
Available Pagefile: 3464.2 MB
Total Virtual: 2047.88 MB
Available Virtual: 1965.57 MB
 
========================= Partitions: =====================================
 
1 Drive c: () (Fixed) (Total:107.42 GB) (Free:97.77 GB) NTFS
2 Drive d: () (Fixed) (Total:127.99 GB) (Free:67.67 GB) NTFS
3 Drive e: (Files) (Fixed) (Total:337.77 GB) (Free:263.43 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\DELLPC-C86C4245
 
Administrator            Guest                    HelpAssistant            
SUPPORT_388945a0         userone                  
 
========================= Minidump Files ==================================
 
No minidump file found
 
========================= Restore Points ==================================
 
09-05-2015 21:21:10 System Checkpoint
09-05-2015 21:28:13 Installed TP-LINK Wireless Utility
09-05-2015 22:30:25 Installed Windows XP Service Pack 3.
09-05-2015 22:48:55 Installed Windows Internet Explorer 8.
09-05-2015 22:50:09 Installed Windows Support Tools
09-05-2015 23:11:47 HOY
10-05-2015 01:39:28 Installed Windows XP KB2618444.
10-05-2015 01:44:59 Installed Microsoft Fix it 50777
10-05-2015 01:58:15 Software Distribution Service 3.0
10-05-2015 04:00:19 Revo Uninstaller's restore point - McAfee SiteAdvisor
10-05-2015 04:06:54 Revo Uninstaller's restore point - McAfee LiveSafe – Internet Security
10-05-2015 04:23:19 Software Distribution Service 3.0
10-05-2015 04:53:51 Software Distribution Service 3.0
10-05-2015 06:40:42 Installed Realtek High Definition Audio Driver
10-05-2015 08:39:06 avast! antivirus system restore point
10-05-2015 09:07:42 Software Distribution Service 3.0
 
**** End of log ****
 
 
 

 Results of screen317's Security Check version 1.001  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
 ESET Online Scanner v3   
 Avast Free Antivirus    
`````````Anti-malware/Other Utilities Check:````````` 
 SpywareBlaster 5.0    
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:: 20% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 
 
 
Once again thanks for your help.......
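
The checklist Sintharius asks for above (proxy settings, hosts file, Winsock entries, event log errors) is what a responder reads off Result.txt first. The Python below is an added example, not part of this thread and not code from MiniToolBox: it parses a constructed excerpt of such a report and flags the entries that matter, namely a proxy that is switched on, hosts entries beyond the loopback-to-localhost mapping, Winsock providers outside system32 or without a Microsoft vendor string, and services failing with %%5 (the unexpanded insert for Win32 error 5, ERROR_ACCESS_DENIED). The excerpt's section banners and Microsoft entries mirror the log posted in this thread; the second hosts line and the "Catalog9 12" provider are made up so that the checks have something to find.

```python
import re
from typing import Dict, List

# Constructed excerpt of a MiniToolBox Result.txt. The section banners and the
# Microsoft Winsock/SCM lines mirror the report posted in this thread; the second
# hosts entry and the "Catalog9 12" provider are made up to show what a hit looks like.
SAMPLE_REPORT = """\
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= Hosts content: =================================

127.0.0.1       localhost
127.0.0.1       www.download.windowsupdate.com

========================= Winsock entries =====================================

Catalog5 01 C:\\WINDOWS\\system32\\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\\WINDOWS\\system32\\winrnr.dll [16896] (Microsoft Corporation)
Catalog9 01 C:\\WINDOWS\\system32\\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\\Documents and Settings\\userone\\Local Settings\\Temp\\nwsock.dll [61440] ()

========================= Event log errors: ===============================

System errors:
=============
Error: (05/10/2015 02:47:29 AM) (Source: Service Control Manager) (User: )
Description: The aswMonFlt service failed to start due to the following error:
%%5

Error: (05/09/2015 09:53:00 PM) (Source: Service Control Manager) (User: )
Description: The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
%%5

=========================== Installed Programs ============================
"""

HEADER_RE = re.compile(r"^=+\s*(.*?)\s*:?\s*=+\s*$")
WINSOCK_RE = re.compile(
    r"^Catalog\d+\s+\d+\s+(?P<path>.+?\.dll)\s+\[\d+\]\s+\((?P<vendor>.*)\)$", re.IGNORECASE)


def split_sections(report: str) -> Dict[str, List[str]]:
    """Group report lines under the '==== Name ====' banner that precedes them (names lower-cased)."""
    sections: Dict[str, List[str]] = {"preamble": []}
    current = "preamble"
    for line in report.splitlines():
        m = HEADER_RE.match(line)
        if m and m.group(1):          # a bare row of '=' is a divider, not a new section
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        sections[current].append(line.rstrip())
    return sections


def triage(report: str) -> List[str]:
    """Return one finding string per report entry a responder would want to look at."""
    s = split_sections(report)
    findings: List[str] = []

    # 1. A proxy the user never configured is the classic way adware reroutes browser traffic.
    for line in s.get("ie proxy settings", []):
        low = line.lower()
        if "enabled" in low and "not enabled" not in low:
            findings.append("proxy: " + line.strip())

    # 2. hosts: anything other than the loopback -> localhost mapping. Malware uses extra
    #    entries to black-hole AV/update servers or redirect sites.
    for line in s.get("hosts content", []):
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#") and parts[1].lower() != "localhost":
            findings.append("hosts: " + line.strip())

    # 3. Winsock providers (LSP/NSP) load into every process that opens a socket; a DLL
    #    outside system32 or with no Microsoft vendor string deserves a look (legitimate
    #    third-party LSPs exist, so this is a lead to verify, not a verdict).
    for line in s.get("winsock entries", []):
        m = WINSOCK_RE.match(line.strip())
        if not m:
            continue
        path, vendor = m.group("path"), m.group("vendor")
        in_system32 = path.lower().startswith("c:\\windows\\system32\\")
        if not in_system32 or "microsoft" not in vendor.lower():
            findings.append(f"winsock: {path} ({vendor or 'no vendor string'})")

    # 4. SCM errors ending in %%5: the unexpanded insert for Win32 error 5, ERROR_ACCESS_DENIED.
    #    A firewall or AV filter driver denied at start time is a tampering indicator.
    lines = s.get("event log errors", [])
    for i, line in enumerate(lines):
        if line.strip() == "%%5":
            desc = next((l for l in reversed(lines[:i]) if l.startswith("Description:")), "Description:")
            findings.append("service access denied: " + desc[len("Description:"):].strip())
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

On the constructed excerpt this reports the windowsupdate hosts entry, the nwsock.dll provider and the two access-denied service failures, and nothing for the proxy section. Feed it a real Result.txt by reading the file into `triage()`; the section parser keys off the banner lines MiniToolBox writes, so the other sections pass through untouched.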


#5 Sintharius, Bleepin' Sniper (Members, 5,639 posts)

Posted 10 May 2015 - 04:28 AM

Hi there,

Please uninstall the following software with Add/Remove Programs:

WinUtilities Free Edition 11.38 (HKLM\...\{FC274982-5AAD-4C20-848D-4424A5043010}_is1) (Version: 11.38 - YL Computing, Inc)

If you need instructions on how to do this, let me know.

You state that you use Qihoo 360 Total Security, yet in the list I saw Avast and also signs of McAfee. What happened?

Please run this tool to check for malware.

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.
  • Click on Scan to be taken to the scan options. If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.
  • Click on the Full Scan button to start the scan.
  • When the scan is completed click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop, and attach it to your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
Regards,
Alex

#6 loveit111, Topic Starter (Members, 12 posts)

Posted 10 May 2015 - 06:51 AM

Alex, 

 

Uninstalled the software as instructed. The reason I have Avast Antivirus now is that for the last month, every time I ran Process Explorer from Sysinternals, it would not have a digital signature and an unknown account was present in the Security tab. I don't know if not having the signature was that big a deal, but I decided to install Avast. Ran the Emsisoft Emergency Kit and the log is below:

 

Emsisoft Emergency Kit - Version 9.0
Last update: 5/10/2015 4:27:25 AM
User account: DELLPC-C86C4245\userone
 
Scan settings:
 
Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\, D:\, E:\, F:\
 
Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 5/10/2015 4:43:01 AM
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD detected: Setting.DisableCMD (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
D:\Documents and Settings\userone.DELLPC-FAE4F1FD\My Documents\Downloads4444\ReimageRepair.exe detected: Application.Win32.AdImage (A)
D:\Documents and Settings\userone\My Documents\SlimDrivers-setup (2).exe detected: Application.Win32.InstallDrive (A)
E:\SlimDrivers-setup (2).exe detected: Application.Win32.InstallDrive (A)
E:\System Volume Information\_restore{806CB7F7-48DC-4E89-8CA2-24F7B8C2B712}\RP44\A0031580.exe detected: Application.Win32.InstallAd (A)
E:\System Volume Information\_restore{806CB7F7-48DC-4E89-8CA2-24F7B8C2B712}\RP44\A0031578.exe detected: Gen:Trojan.Heur.GM.0160008122 (B)
E:\System Volume Information\_restore{8C8578E2-265A-4246-B835-F348A42DEBA0}\RP14\A0005945.exe detected: Application.Win32.AdImage (A)
E:\System Volume Information\_restore{8C8578E2-265A-4246-B835-F348A42DEBA0}\RP14\A0005947.exe detected: Application.Win32.AdImage (A)
 
Scanned 193498
Found 10
 
Scan end: 5/10/2015 5:36:16 AM
Scan time: 0:53:15
 
E:\System Volume Information\_restore{8C8578E2-265A-4246-B835-F348A42DEBA0}\RP14\A0005947.exe Quarantined Application.Win32.AdImage (A)
E:\System Volume Information\_restore{8C8578E2-265A-4246-B835-F348A42DEBA0}\RP14\A0005945.exe Quarantined Application.Win32.AdImage (A)
E:\System Volume Information\_restore{806CB7F7-48DC-4E89-8CA2-24F7B8C2B712}\RP44\A0031578.exe Quarantined Gen:Trojan.Heur.GM.0160008122 (B)
E:\System Volume Information\_restore{806CB7F7-48DC-4E89-8CA2-24F7B8C2B712}\RP44\A0031580.exe Quarantined Application.Win32.InstallAd (A)
E:\SlimDrivers-setup (2).exe Quarantined Application.Win32.InstallDrive (A)
D:\Documents and Settings\userone\My Documents\SlimDrivers-setup (2).exe Quarantined Application.Win32.InstallDrive (A)
D:\Documents and Settings\userone.DELLPC-FAE4F1FD\My Documents\Downloads4444\ReimageRepair.exe Quarantined Application.Win32.AdImage (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Quarantined Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD Quarantined Setting.DisableCMD (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR Quarantined Setting.DisableTaskMgr (A)
 
Quarantined 10
 
Will wait for further instructions........
 
Thanks 
 
George


#7 Sintharius, Bleepin' Sniper (Members, 5,639 posts)

Posted 10 May 2015 - 07:10 AM

Hi there,

Tools from Sysinternals are fine to use, so no need to worry.

What is this "unknown account" that you mentioned?

Please run the following two programs to check if there is anything else.

Malwarebytes Anti-Malware

Download Malwarebytes Anti-Malware from here.

Double click on the file mbam-setup-2.x.x.xxxx.exe to install the application. (x.x.xxxx is the version)
  • Follow the prompt. At the end place a checkmark in Launch Malwarebytes Anti-Malware, then choose Finish.
  • When MBAM opens it will say Your database is out of date. Choose Fix Now.
  • Click on the Scan tab at the top of the window, choose Threat Scan, then Scan Now.
  • If you receive a message that updates are available, choose Update Now button (the scan will start after updates are completed).
  • Please be patient as the scan will take some time.
  • If MBAM detected threats, choose Quarantine for all items, then click Apply Actions.
  • While still on the Scan tab, choose View detailed log. In the window that opens, click the Export button, choose Text file (*.txt) and save the log to your Desktop.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


===

ESET Online Scanner

You will need to use Internet Explorer for this scan.
  • Hold down Ctrl and click here to open ESET Online Scanner in a new window.
  • Click the ESET Online Scanner button.
  • Put a checkmark in "YES, I accept the Terms of Use."
  • Click Start.
  • Accept any security warnings from your browser.
  • Under Scan settings, put a checkmark in Scan Archives.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Scan.
  • ESET Online Scanner will automatically update and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats.
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Regards,
Alex

#8 loveit111, Topic Starter (Members, 12 posts)

Posted 10 May 2015 - 09:17 AM

Alex, 

 

I will run Process Explorer (Sysinternals) with the option to verify image signatures. All services will have their image signatures verified; then I will run it again in an hour and it will say no signature present in the subject line. Right now it's the process svchost.exe, and the service registered in the process is Dnscache, path c:\windows\system32\dnsrslvr.dll. Under the Security tab, in GROUPS, all entries are shown twice: BUILTIN\Users shown twice, Everyone shown twice, LOCAL shown twice, Logon SID [S-1-5-5-0-47217] shown once, NT AUTHORITY\Authenticated Users shown twice, NT AUTHORITY\NETWORK SERVICE shown once, and last NT AUTHORITY\SERVICE shown once. If I hit Permissions at the bottom, they all have an entry that has a different face followed by [S-1-5-5-0-47217]. Sometimes that last entry will say unknown account.

 

Malwarebytes Log below:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 5/10/2015
Scan Time: 8:00:00 AM
Logfile: Malwarebytes Log.txt
Administrator: Yes
 
Version: 2.01.6.1022
Malware Database: v2015.05.10.04
Rootkit Database: v2015.04.21.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: userone
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 288052
Time Elapsed: 12 min, 19 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
PUP.Optional.OpenCandy, C:\Documents and Settings\userone\Local Settings\Temp\utt24.tmp, , [9468860b94f6cf67f74654eaf3138e72], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
Will paste ESET scan results in a little bit.


#9 loveit111, Topic Starter (Members, 12 posts)

Posted 10 May 2015 - 02:04 PM

Hi Alex,

 

ESET log below:

 

D:\System Volume Information\_restore{8C8578E2-265A-4246-B835-F348A42DEBA0}\RP14\A0005934.exe a variant of Win32/OpenCandy.C potentially unsafe application deleted - quarantined
D:\System Volume Information\_restore{8C8578E2-265A-4246-B835-F348A42DEBA0}\RP14\A0005935.exe Win32/DownWare.W potentially unwanted application deleted - quarantined
D:\System Volume Information\_restore{8C8578E2-265A-4246-B835-F348A42DEBA0}\RP14\A0005936.exe Win32/InstallMonetizer.AU potentially unwanted application deleted - quarantined
D:\System Volume Information\_restore{8C8578E2-265A-4246-B835-F348A42DEBA0}\RP14\A0005937.exe Win32/InstallMonetizer.AN potentially unwanted application deleted - quarantined
D:\System Volume Information\_restore{8C8578E2-265A-4246-B835-F348A42DEBA0}\RP14\A0005938.exe a variant of Win32/RemoteAdmin.RemoteExec.AA potentially unsafe application deleted - quarantined
D:\System Volume Information\_restore{8C8578E2-265A-4246-B835-F348A42DEBA0}\RP17\A0007107.exe Win32/ReImageRepair.F potentially unwanted application deleted - quarantined
 
George


#10 Sintharius, Bleepin' Sniper (Members, 5,639 posts)

Posted 10 May 2015 - 02:11 PM

Hi there,

Please reset your browsers using the instructions here.

After that you should defragment your hard drive - 20% is rather bad and can slow your machine down considerably.

About the "unknown account"... please take a screenshot of it, upload the image to Imgur and copy the link into your reply.

Thank you.

Regards,
Alex

#11 loveit111, Topic Starter (Members, 12 posts)

Posted 11 May 2015 - 08:53 PM

http://imgur.com/6Nbzq5e

 

http://imgur.com/Jc5LbLg

 

http://imgur.com/BVEriz1

 

Hi Alex, 

 

The first two screenshots are of the weird account that pops up on an unsigned image signature, and the third one is of the Opera browser that opened without any information and said invalid handle on all entries. Will wait for further instructions.

 

Thanks George



#12 Sintharius, Bleepin' Sniper (Members, 5,639 posts)

Posted 12 May 2015 - 05:17 AM

Hi there,

Can you check to see how your computer is doing?

Alex

#13 loveit111, Topic Starter (Members, 12 posts)

Posted 12 May 2015 - 05:36 PM

Hi Alex,

 

The computer is doing better except for the strange behavior in Process Explorer. I will run it and everything will check out fine, then run it 30 min later and the same processes that were showing no problems 30 min earlier now show no image signature and invalid handle. Here I got you a screenshot of the unknown account that shows up once in a while. Is this something to worry about?

 

https://imgur.com/BGgclTJ

 

In this second screenshot you can see all the Opera.exe processes running with no info on them....

 

https://imgur.com/NNe38oh

 

Please advise..

 

Thanks,

 

George



#14 Sintharius, Bleepin' Sniper (Members, 5,639 posts)

Posted 13 May 2015 - 11:37 AM

Hi there,

Please follow the instructions below to check your profile list.
  • Open a Command Prompt window (Start => Programs => System Tools => Command Prompt).
  • Enter the following line into the Command Prompt window and press Enter:
    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s > %userprofile%\Desktop\profilelist.txt
  • A textfile named profilelist.txt will be created on your Desktop. Please copy and paste the contents into your next reply.
As for Opera, can you check if any other programs do the same?

Regards,
Alex
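
The profile-list check above, and George's earlier question about the Logon SID S-1-5-5-0-47217 that Process Explorer sometimes labels "unknown account", are both exercises in reading SIDs. The Python below is an added example, not part of this thread and not code from any of the tools mentioned. It parses a constructed `reg query ... /s` dump in the XP-era REG.EXE 3.0 layout (the machine identifiers in the S-1-5-21 SIDs are made up; the two userone profile paths follow the directories seen in the Emsisoft log), classifies each SID by its well-known prefix, and flags profiles issued by a different install than the one currently running. Two facts it relies on: an S-1-5-5-X-Y SID is a logon-session SID, minted at logon and discarded at logoff, so an ACL editor that cannot resolve it to a name is behaving normally; and a profile folder suffixed with .COMPUTERNAME (like userone.DELLPC-FAE4F1FD) is what Windows creates when the plain folder name is already taken, typically after a reinstall or a second account with the same name, and its S-1-5-21 SID no longer matches the live SAM.

```python
import re
from typing import Dict, List

# Constructed output of:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s
# in the REG.EXE 3.0 (Windows XP) layout. The S-1-5-21 machine identifiers are made up;
# the two "userone" profile paths follow the directories seen in the thread's Emsisoft log.
SAMPLE_REG_QUERY = """\
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList
    ProfilesDirectory\tREG_EXPAND_SZ\t%SystemDrive%\\Documents and Settings
    DefaultUserProfile\tREG_SZ\tDefault User

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-18
    ProfileImagePath\tREG_EXPAND_SZ\t%systemroot%\\system32\\config\\systemprofile

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-20
    ProfileImagePath\tREG_EXPAND_SZ\t%SystemDrive%\\Documents and Settings\\NetworkService

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-111111111-222222222-333333333-1003
    ProfileImagePath\tREG_EXPAND_SZ\t%SystemDrive%\\Documents and Settings\\userone

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-444444444-555555555-666666666-1003
    ProfileImagePath\tREG_EXPAND_SZ\tD:\\Documents and Settings\\userone.DELLPC-FAE4F1FD
"""

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\ProfileList\\(S-1-5-[0-9-]+)\s*$", re.IGNORECASE)
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")   # tabs on XP, spaces on later reg.exe

WELL_KNOWN = {"S-1-5-18": "Local System", "S-1-5-19": "Local Service", "S-1-5-20": "Network Service"}


def parse_profile_list(text: str) -> Dict[str, str]:
    """Map each profile SID under ProfileList to its ProfileImagePath."""
    profiles: Dict[str, str] = {}
    sid = None
    for line in text.splitlines():
        k = KEY_RE.match(line)
        if k:
            sid = k.group(1).upper()
            profiles[sid] = ""
            continue
        v = VALUE_RE.match(line)
        if sid and v and v.group(1).lower() == "profileimagepath":
            profiles[sid] = v.group(3).strip()
    return profiles


def classify_sid(sid: str) -> str:
    """Name the kind of principal a SID denotes and whether a name lookup should be expected to work."""
    sid = sid.upper()
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    if sid.startswith("S-1-5-5-") and len(parts) == 6:
        # Logon-session SID: created per logon, gone at logoff, never resolvable by
        # LookupAccountSid, so "Account Unknown" in an ACL editor is normal for it.
        return "logon session (transient; 'Account Unknown' is expected)"
    if sid.startswith("S-1-5-32-") and len(parts) == 5:
        return "BUILTIN alias"
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        rid = int(parts[-1])
        if rid == 500:
            return "local Administrator"
        if rid == 501:
            return "local Guest"
        return "local/domain account (RID %d)" % rid
    return "other/unknown SID layout"


def machine_id(sid: str) -> str:
    """The S-1-5-21-A-B-C prefix that identifies the install (or domain) that issued an account SID."""
    parts = sid.upper().split("-")
    return "-".join(parts[:7]) if sid.upper().startswith("S-1-5-21-") and len(parts) == 8 else ""


def orphaned_profiles(profiles: Dict[str, str], current_machine_sid: str) -> List[str]:
    """Profiles whose SID came from a different install than the running one.

    current_machine_sid is the caller's S-1-5-21-A-B-C prefix (assumption: taken from the
    logged-on user's SID with the RID stripped, e.g. as shown by `whoami /user` where available).
    """
    return [sid for sid in profiles if machine_id(sid) and machine_id(sid) != current_machine_sid.upper()]


def report(reg_text: str, current_machine_sid: str) -> List[str]:
    """One annotated line per profile, flagging stale ones."""
    profiles = parse_profile_list(reg_text)
    orphans = set(orphaned_profiles(profiles, current_machine_sid))
    out = []
    for sid, path in profiles.items():
        note = classify_sid(sid)
        if sid in orphans:
            note += "; issued by a different install, name lookup will fail (stale profile)"
        out.append(f"{sid}  {path}  [{note}]")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_REG_QUERY, "S-1-5-21-111111111-222222222-333333333"):
        print(line)
    print(classify_sid("S-1-5-5-0-47217"))
```

To run it on a real machine, read profilelist.txt into `reg_text` and pass the current user's S-1-5-21 prefix; the stale entry is the one whose machine identifier differs, and the Logon SID from the Process Explorer screenshots classifies as transient rather than as a sign of an extra account.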

#15 loveit111, Topic Starter (Members, 12 posts)

Posted 14 May 2015 - 04:51 PM

Hi Alex,

 

When I try to run the command you gave me I get the error "Too many command line parameters". As for programs, only Opera does that where it is missing all info fields. On the missing signature, it varies every time I start Process Explorer.

 

 

Thanks,

 

George





