"Bad Image" pop-ups; [application or program].dll issues; google redirects

By xdeadlockxfan
Dec 12, 2010
  1. Hi, I'm new here and I had to post because I'm still having issues with my computer after following this link: http://www.techspot.com/vb/topic58138.html
    I only downloaded the Malwarebytes' AntiMalware program and have a log below of the first scan. I also downloaded the GMER program and had issues with it. (This is the main reason why I'm posting here because the issue should be resolved after quarantining infected items but it is not; and GMER just unexpectedly shut down on me, and shut down my computer).
    The Malware scan also told me (during the scanning process) that I had only 24 infected items; here in the log it does not say. I removed them and restarted my computer, but "Bad Image" pop-ups still appear!
    The first two times using GMER in regular normal Windows Vista settings, I had a blue screen error and my computer unexpectedly shut down. After that, I switched to safe mode and tried GMER again, which gave me the log below.
    I didn't do the DDS program yet because I wanted to get some input on the whole "Bad Image" issue, which started only last night after trying to open a few corrupted .pdf files, before going any further with diagnostics and repair.
    Along with the Bad Image issue, I have the Google redirect issue, which I've seen quite a bit, and the .dll-program issue, which comes up in the same error message as the "Bad Image" thing.

    I have a Windows Vista, Dell Inspiron 1501 Laptop, about four years old.
    Here are the logs. Note, I only did AntiMalware and GMER.

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5298

    Windows 6.0.6000
    Internet Explorer 7.0.6000.17037

    12/11/2010 10:34:18 PM
    mbam-log-2010-12-11 (22-34-18).txt

    Scan type: Quick scan
    Objects scanned: 156907
    Time elapsed: 10 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    --------------------

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-11 22:13:35
    Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1637GSX rev.DL040D
    Running: t8xihc4g.exe; Driver: C:\Users\Albert\AppData\Local\Temp\ugliqpow.sys


    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7402FBC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73FFB9AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73FEA31F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73FECBFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73FE8AB2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73FFCF28] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73FE7D98] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73FE7CFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73FE6A64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7407C1D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74007F56] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73FE90CD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73FF2179] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73FF21A4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73FF7F1C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73FF7D3E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1208] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [740283D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    Here's the blue screen error details:

    Problem signature:
    Problem Event Name: BlueScreen
    OS Version: 6.0.6000.2.0.0.768.3
    Locale ID: 1033

    Additional information about the problem:
    BCCode: 50
    BCP1: 87C00000
    BCP2: 00000000
    BCP3: A47A4EED
    BCP4: 00000000
    OS Version: 6_0_6000
    Service Pack: 0_0
    Product: 768_1

    Files that help describe the problem:
    C:\Windows\Minidump\Mini121110-01.dmp
    C:\Users\Albert\AppData\Local\Temp\WER-92453-0.sysdata.xml
    C:\Users\Albert\AppData\Local\Temp\WER4992.tmp.version.txt

    Read our privacy statement:
    http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
    -------------------
    Even after the Malware scan and GMER, I still have the "Bad Image" pop-ups coming up. And I wanted some input on the GMER blue screen/shut down thing too. I can imagine it's also tied into the Google redirects too- where I click a Google link to a Wikipedia page and it takes me to a "local" search page (like 7search or something).

    Somebody please help me save my computer!
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Welcome to TechSpot! Ah well, you want the cart before the horse! You want me to tell you what's causing the BSOD before checking for a malware cause!
    It depends on what files were corrupted and why. Regarding the Error Event that you left: that most likely would have come after the cause of the problem driver with the system trying to fix it. You should follow the instructions on the site and look for the Error before the minidump.

    It works like this: If you want to check the Event Viewer for any error that corresponds to the time of the BSOD, here's how: Follow these steps and screen shots HERE
    (Note: there is a space after this line: "To get started with event viewer, you need to open up the start menu and right click on Computer, then click manage". Please scroll down to where it continues.)

    There is usually white writing on the blue screen also which would give info.

    The file info you left is for a minidump. If you want that checked, please move to the Windows OS forum.
    It is not uncommon for GMER to cause a problem when invoking the scan. We tell the user to try one of the following:
    1. Uncheck Devices-or >
    2. Run the scan in Safe mode, which is what you did.

    Now- both this Mbam and GMER are clean. It is not reasonable for you to assume just running those scans will fix your problem, so don't hold me hostage! The more information I have, the better I can help you. So please go back to http://www.techspot.com/vb/topic58138.html and do the rest of the steps.

    When I see the rest of the logs, I will better be able to guide you.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. xdeadlockxfan

    xdeadlockxfan Newcomer, in training Topic Starter Posts: 35

    I'm sorry, but what is BSOD? (I don't know very many technological terms). And what is the minidump thing all about? Could you give me a little run down about what that is and does to my computer?

    Here's the DDS log:

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Albert at 13:28:41.24 on Sun 12/12/2010
    Internet Explorer: 7.0.6000.17037
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1917.956 [GMT -8:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\WLTRYSVC.EXE
    C:\Windows\System32\bcmwltry.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\spool\DRIVERS\W32X86\3\lxdqserv.exe
    C:\Windows\system32\lxdqcoms.exe
    C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Button Manager\BM.exe
    C:\Program Files\ArcSoft\Magic-i 3\Magic-i.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Albert\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uWindow Title = Internet Explorer provided by Dell
    uStart Page = hxxp://ww2.cox.com/myconnection/lasvegas/home.cox
    uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071005
    mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071005
    mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071005
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: WinAVI FLVSense: {e8df67a1-b618-4f3f-9e7c-cbe175adef5b} - c:\program files\winavi flv converter\FLVTune.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
    TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
    dRunOnce: [<NO NAME>]
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpbutt~1.lnk - c:\program files\hp\button manager\BM.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\magic-i.lnk - c:\program files\arcsoft\magic-i 3\Magic-i.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - {EC83A912-7EF4-410D-9CC7-3BDAA709CA71} - c:\program files\winavi flv converter\FLVTune.dll
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre/6u10-b92-b/jinstall-6u10-windows-i586-jc.cab?e=1226548221207&h=1049e3811d711ac3028f03ec502dd18f/&filename=jinstall-6u10-windows-i586-jc.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
    DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL cscutil.dll atlqueue.dll

    ============= SERVICES / DRIVERS ===============

    R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20101124.001\IDSvix86.sys [2010-11-25 287792]
    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-10-30 149352]
    R2 lxdq_device;lxdq_device;c:\windows\system32\lxdqcoms.exe -service --> c:\windows\system32\lxdqcoms.exe -service [?]
    R2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdqserv.exe [2009-4-28 94208]
    R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-1-26 50704]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
    R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-6-6 1245064]
    R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2006-11-2 16896]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-10-4 30192]

    =============== Created Last 30 ================

    2010-12-12 04:10:37 -------- d-----w- c:\users\albert\appdata\roaming\Malwarebytes
    2010-12-12 04:10:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-12 04:10:27 -------- d-----w- c:\progra~2\Malwarebytes
    2010-12-12 04:10:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-12 04:10:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-11 02:17:13 478720 --sha-w- c:\windows\system32\cscutil.dll
    2010-12-10 22:29:47 749832 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
    2010-12-10 22:26:07 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{4cdfae65-cb0d-40ad-84a8-bdd41283b5db}\mpengine.dll
    2010-12-02 05:39:16 17064 ----a-w- c:\windows\system32\lxdqwupd.exe
    2010-12-02 05:39:14 102400 ----a-w- c:\windows\system32\lxdqwupd.dll
    2010-12-02 05:38:53 348160 ----a-w- c:\windows\system32\LXDQinst.dll
    2010-12-02 05:37:28 147968 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\lxdqdrpp.dll
    2010-12-02 05:37:24 -------- d-----w- c:\program files\Lexmark Z2400 Series
    2010-12-02 01:30:11 -------- d-----w- c:\program files\Linksys EasyLink Advisor

    ==================== Find3M ====================

    2010-10-28 03:45:13 0 ----a-w- c:\users\albert\mstsc.exe
    2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

    ============= FINISH: 13:32:52.36 ===============

    -----------------

    That's the last log. I've also got some info from a friend about what else to use if the problem doesn't get resolved sometime soon. Any other info you need me to get (like the Event Viewer in correspondence with the BSOD thing) just let me know and I'll get it to you promptly. Thank you so much for your help!
  4. Bobbye

    'blue screen' = BSOD = Blue Screen Of Death

    I cannot tell you what it does until I know what's causing it.

    The only useful information that would be different is if you reformat/reinstall the operating system instead of trying to troubleshoot the problem. Friends can get you into a lot of trouble with their help- unless they are experienced and right there with you to guide you.

    Yes, please do that.

    See Post #4 here for some background on Bad Image: http://www.vistax64.com/vista-performance-maintenance/80733-windows-bad-image-error-message.html
  5. xdeadlockxfan

    Okay, I got you. So what is it that I'm supposed to do with the event viewer thing? Am I supposed to get you a log or just see if I can create a task or something? I'm confused. I need to know exactly what you need me to do since I'm not a computer technician and I'm nowhere near it.
  6. Bobbye

    When you get the blue screen, look at the time on the computer clock.
    There are screen shots here to help: http://www.windowsvistauserguide.com/event_viewer.htm
    (Note: there is a blank white screen below this line: "To get started with event viewer, you need to open up the start menu and right click on Computer, then click manage". Scroll down a bit to pick up the images.)

    Copy any appropriate errors and Paste here (Ctrl V).


    NOTES
    • You can ignore Warnings and Information Events.
    • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
    • You don't need to include the lines of code in the box below the Description, if any.
    • Please do not copy the entire Event log.

    Errors are time coded.

    This does not 'fix' anything- it shows us if there was an error in the system or application that is causing the blue screen.
  7. xdeadlockxfan

    Are these what you want? Would you like me to include screen shots? These were found under the Critical section.

    Critical 10/25/2010 9:09:51 PM Kernel-Power 41 None
    Critical 10/15/2010 7:26:32 PM Kernel-Power 41 None
    Critical 9/12/2010 5:03:49 PM Kernel-Power 41 None
    Critical 8/25/2010 1:30:59 PM Kernel-Power 41 None
    Critical 8/3/2010 4:17:33 PM Kernel-Power 41 None
    Critical 7/21/2010 12:31:48 PM Kernel-Power 41 None
    Critical 7/18/2010 5:16:44 PM Kernel-Power 41 None
    Critical 7/13/2010 7:02:28 PM Kernel-Power 41 None
    Critical 7/12/2010 6:30:04 PM Kernel-Power 41 None
    Critical 7/11/2010 5:00:47 PM Kernel-Power 41 None
    Critical 6/6/2010 10:53:58 AM Kernel-Power 41 None
    Critical 4/29/2010 8:14:28 PM Kernel-Power 41 None
    Critical 4/17/2010 8:14:44 AM Kernel-Power 41 None

    They all show the same error message: The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    If this would help, I don't have a battery in my computer. I have to use an AC power adapter since the battery life declined and my battery (which is stock, came with the computer) won't work anymore. It can't even charge. If I have my laptop on, and close the lid, and accidentally unplug it from the outlet or the adapter, it will shut down.
  8. Bobbye

    When you close the lid, the system goes to sleep or Stand by. If it's unplugged in that mode, it will cause an improper shutdown, depending on the state you left it in when closing the top, such as the browser up, maybe email also; they did not go through the proper shutdown cycle. Sleep and Standby are low power cycles, so even though you don't have the battery, the machine would normally be able to support either mode if still connected to the power. If you remove the power source, then even reduced power settings are left with no power.

    My suggestion would be to make sure you close all active programs and then use the shut down sequence. It's possible that if you do this, then reboot to bring the system up again, it may stop. But you need to make sure of 2 things:
    Make sure the system is shut down correctly before you close it.
    Stop 'accidentally' disconnecting the power if it's sleeping or in standby.
    =========================================
    I did find the following in 2 Windows 7 forums. None mentioned the state of the system before closing the lid:

    Another user- same problem- finally checked this on advice of another user and it fixed the problem:
    Re: Kernel-Power 41 (63) error
    Post #4: http://www.techsupportforum.com/mic...t/434613-solved-kernel-power-41-63-error.html
    No spelling corrections are made in quoted text.

    And another:
    How many people here have kernel power failures/event 41
    http://social.technet.microsoft.com...f/thread/df192a83-cdd5-4845-80e2-c7cd168d1e91
  9. xdeadlockxfan

    So then are you saying that I may not have any malware infections at all? Or it's just a problem with a driver? What about the bad image pop ups then? How would I stop those? What are you suggesting?
  10. xdeadlockxfan

    So then what are you suggesting by this? May I not have a malware infection or virus or something? Then what am I to do about the "bad image" popups?

    (Sorry if there's a double post; the first post didn't show up).
  11. xdeadlockxfan

    I just totally realized I forgot to attach the attach.dds log! Here it is.

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 10/4/2007 8:28:25 PM
    System Uptime: 12/13/2010 5:46:12 PM (3 hours ago)

    Motherboard: Dell Inc. | | 0UW744
    Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-58 | Socket M2/S1G1 | 1900/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 139 GiB total, 53.06 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 6.166 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Media Player
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Shockwave Player 11.5
    Adobe® Photoshop® Album Starter Edition 3.2
    AppCore
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft Magic-i 3
    ArcSoft VideoImpression 2
    ArcSoft WebCam Companion 2
    ATI Catalyst Control Center Ex
    ATI PCI Express (3GIO) Filter Driver
    Audacity 1.2.6
    BlackBerry Desktop Software 4.3
    Bonjour
    Browser Address Error Redirector
    ccCommon
    Component Framework
    Conexant HDA D110 MDC V.92 Modem
    Dell Support Center (Support Software)
    Dell System Customization Wizard
    Dell Wireless WLAN Card
    DellSupport
    Digital Line Detect
    Drivers Install For Linksys Easylink Advisor
    EarthLink Setup Files
    Games, Music, & Photos Launcher
    GIMP 2.4.6
    Google Desktop
    Google Earth
    Google Toolbar for Internet Explorer
    Guitar Pro 5.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Button Manager
    HP Webcam User's Guide
    iTunes
    Java(TM) 6 Update 10
    Lexmark Z2400 Series
    Linksys EasyLink Advisor 1.6 (0032)
    LiveUpdate (Symantec Corporation)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Silverlight
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Modem Diagnostic Tool
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NetWaiting
    Norton AntiVirus
    Norton AntiVirus Help
    Norton Confidential Core
    Norton Internet Security
    Norton Internet Security (Symantec Corporation)
    Norton Protection Center
    Power Tab Editor 1.7
    Product Documentation Launcher
    QuickSet
    QuickTime
    RollerCoaster Tycoon 2
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler
    Roxio Media Manager
    Roxio Update Manager
    SigmaTel Audio
    Sonic Activation Module
    Sony RAW Driver
    SPBBC 32bit
    Symantec Real Time Storage Protection Component
    SymNet
    Synaptics Pointing Device Driver
    Uninstall 1.0.0.1
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    User's Guides
    Viewpoint Media Player
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    WinPcap 4.1.1
    WinRAR archiver
    XP Codec Pack

    ==== End Of File ===========================
  12. xdeadlockxfan

    Bobbye, I also got a question. What do these logs exactly tell you?
  13. Bobbye

They tell me what programs you have installed, what processes are running, which drivers and Services are on the system, what security programs you have, hardware info, software info. Your log tells me you don't have any restore points, meaning you've either turned them off or removed them- or that a system problem may be causing SR not to run.

    If you had given me the other log from DDS, named Attach.txt I would have been able to see Events from the Event Viewer.

I have to determine what should and should not be doing what it's doing, whether an entry is legitimate or not, and on and on and on.

    Feel free to open any of the logs and see what's there!
     
  14. xdeadlockxfan

    xdeadlockxfan Newcomer, in training Topic Starter Posts: 35

    I already posted the attach.txt log. I'll post it again right here.

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 10/4/2007 8:28:25 PM
    System Uptime: 12/13/2010 5:46:12 PM (3 hours ago)

    Motherboard: Dell Inc. | | 0UW744
    Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-58 | Socket M2/S1G1 | 1900/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 139 GiB total, 53.06 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 6.166 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Media Player
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Shockwave Player 11.5
    Adobe® Photoshop® Album Starter Edition 3.2
    AppCore
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft Magic-i 3
    ArcSoft VideoImpression 2
    ArcSoft WebCam Companion 2
    ATI Catalyst Control Center Ex
    ATI PCI Express (3GIO) Filter Driver
    Audacity 1.2.6
    BlackBerry Desktop Software 4.3
    Bonjour
    Browser Address Error Redirector
    ccCommon
    Component Framework
    Conexant HDA D110 MDC V.92 Modem
    Dell Support Center (Support Software)
    Dell System Customization Wizard
    Dell Wireless WLAN Card
    DellSupport
    Digital Line Detect
    Drivers Install For Linksys Easylink Advisor
    EarthLink Setup Files
    Games, Music, & Photos Launcher
    GIMP 2.4.6
    Google Desktop
    Google Earth
    Google Toolbar for Internet Explorer
    Guitar Pro 5.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Button Manager
    HP Webcam User's Guide
    iTunes
    Java(TM) 6 Update 10
    Lexmark Z2400 Series
    Linksys EasyLink Advisor 1.6 (0032)
    LiveUpdate (Symantec Corporation)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Silverlight
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Modem Diagnostic Tool
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NetWaiting
    Norton AntiVirus
    Norton AntiVirus Help
    Norton Confidential Core
    Norton Internet Security
    Norton Internet Security (Symantec Corporation)
    Norton Protection Center
    Power Tab Editor 1.7
    Product Documentation Launcher
    QuickSet
    QuickTime
    RollerCoaster Tycoon 2
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler
    Roxio Media Manager
    Roxio Update Manager
    SigmaTel Audio
    Sonic Activation Module
    Sony RAW Driver
    SPBBC 32bit
    Symantec Real Time Storage Protection Component
    SymNet
    Synaptics Pointing Device Driver
    Uninstall 1.0.0.1
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    User's Guides
    Viewpoint Media Player
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    WinPcap 4.1.1
    WinRAR archiver
    XP Codec Pack

    ==== End Of File ===========================

    So, when can we get started with the malware removal? Do you need any other logs or such?

    I have a Dell Inspiron 1501 Laptop, with an AMD Turion 64 X2 processor. It's windows vista... That's all I know, really.

    By the way, I've never had any system restores or restore points. I haven't defragmented my hard drives either.

    What do you need from the Event Viewer? Warning, Critical, or Error?
  15. xdeadlockxfan

    xdeadlockxfan Newcomer, in training Topic Starter Posts: 35

    Not to be rude or impatient or anything... But is anyone going to continue helping me? O.o
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Thank you for bringing the thread back to my attention. Sometimes when it's very busy, I may lose track of a thread.

I note the uInternet Settings,ProxyServer = http=127.0.0.1:50370. It appears that Cox is your ISP. Do they require you to set Port 50370? If not, this is likely the cause of the redirection. You may have a single problem such as a malware infection adding the port, then redirecting.

I am not saying any of this because I don't have enough information yet.
Nor do we expect running the steps in the preliminary thread will cure all or any problems.
I don't know yet if the corrupt PDF file is causing the bad image or if there was malware in it that activated when you opened it.

Bad image is basically a technical way of saying the file or entry doesn't 'look' like it's supposed to. There are many different causes for this: some only system related, some caused by malware, or a combination of the two.
    =======================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
• As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
• Click on Yes, to continue scanning for malware
• If Combofix asks you to update the program, allow
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Close any open browsers.
• Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ========================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

The bad image problem you have is directly related to the corrupt PDF file you opened. It would be helpful to have some information about the file.
  17. xdeadlockxfan

    xdeadlockxfan Newcomer, in training Topic Starter Posts: 35

    I only had google redirects for about a night or so. Cox requires me to set to Port 50370, but after a problem with my LAN settings I stopped connecting manually to the proxy server and checked the box "Automatically detect settings" under Internet Options>Connections>LAN Settings, in IE.

    Ran Combofix and everything seems better! No more "bad images!" What I DID find weird though was that I was never prompted about a Windows Recovery Console, although I had so many "Bad Image" pop ups come up because of the program accessing other programs and had to click "OK" so many times. Do I need the WRC?

PDFs came from this site: http://www.kokoweef.com/
    They were about the legend of the mine and such.

    Here's the Combofix log:

    ComboFix 10-12-20.01 - Albert 12/20/2010 12:34:48.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1917.1200 [GMT -8:00]
    Running from: c:\users\Albert\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Albert\mstsc.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-20 to 2010-12-20 )))))))))))))))))))))))))))))))
    .

    2010-12-20 20:28 . 2010-12-20 20:30 -------- d-----w- C:\32788R22FWJFW
    2010-12-17 23:11 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81A344F4-CD2A-4902-9CBB-9D74CB3626BC}\mpengine.dll
    2010-12-15 01:38 . 2010-12-20 03:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-12-15 01:38 . 2010-12-19 21:35 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-12-12 04:10 . 2010-12-12 04:10 -------- d-----w- c:\users\Albert\AppData\Roaming\Malwarebytes
    2010-12-12 04:10 . 2010-11-30 01:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-12 04:10 . 2010-12-12 04:10 -------- d-----w- c:\programdata\Malwarebytes
    2010-12-12 04:10 . 2010-12-12 04:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-12 04:10 . 2010-11-30 01:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-11 02:17 . 2010-12-11 02:17 478720 --sha-w- c:\windows\system32\cscutil.dll
    2010-12-10 22:29 . 2010-12-10 22:29 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-12-02 05:39 . 2008-02-27 23:09 17064 ----a-w- c:\windows\system32\lxdqwupd.exe
    2010-12-02 05:39 . 2007-11-21 14:39 102400 ----a-w- c:\windows\system32\lxdqwupd.dll
    2010-12-02 05:38 . 2007-11-28 23:09 348160 ----a-w- c:\windows\system32\LXDQinst.dll
    2010-12-02 05:37 . 2009-08-13 20:02 147968 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxdqdrpp.dll
    2010-12-02 05:37 . 2010-12-02 05:46 -------- d-----w- c:\program files\Lexmark Z2400 Series
    2010-12-02 01:30 . 2010-12-02 01:34 -------- d-----w- c:\program files\Linksys EasyLink Advisor

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 18:41 . 2009-10-04 17:44 222080 ------w- c:\windows\system32\MpSigStub.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-4 50688]
    HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2010-4-9 266240]
    Magic-i.lnk - c:\program files\ArcSoft\Magic-i 3\Magic-i.exe [2010-4-9 530944]
    QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-10-4 45056]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux5"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1281210887-1614234157-3903570788-1000]
    "EnableNotificationsRef"=dword:00000001

    R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-31 23888]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-17 30192]
    S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20101215.001\IDSvix86.sys [2010-09-15 287792]
    S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
    S2 lxdq_device;lxdq_device;c:\windows\system32\lxdqcoms.exe [2008-02-27 594600]
    S2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdqserv.exe [2009-04-28 94208]
    S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-01-27 50704]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
    S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]
    S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2006-11-02 16896]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-11 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Albert.job
    - c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2008-02-07 14:05]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ww2.cox.com/myconnection/lasvegas/home.cox
    mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071005
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-20 12:42
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\TEMP\TMP000000708C4E573586EB6A78 524288 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-12-20 12:48:06
    ComboFix-quarantined-files.txt 2010-12-20 20:47

    Pre-Run: 62,309,982,208 bytes free
    Post-Run: 62,312,402,944 bytes free

    - - End Of File - - D5A589C531142C38BD54FDD0E447868F


    I tried running ESET but after I clicked "Start" a pop up window came up and it couldn't show a picture nor start the scan.
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

I'm sorry for the posting problems you've had. There has been a glitch on the board that we're trying to chase down. Your Combofix log looks good- just a couple of things:

    Please run this Custom CFScript:

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. (Be sure to scroll down to include ALL lines.)
    Code:
    File::
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    Referring to the picture above, drag CFScript into ComboFix.exe
    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please try to run this online virus scan: Kaspersky Online Scanner in Internet Explorer

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
• In the scan settings make sure that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    ===================================
Follow with: Download HijackThis and save it to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
• The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    I'll check the logs and if no removals are needed, I'll have you remove the cleaning tools.
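An added example, not from the thread or from ComboFix, that does by script what Bobbye does by eye above: it reads a ComboFix log and flags the localhost ProxyServer entry, the Security Center "DisableMonitoring" values the CFScript removes, plus EnableLUA=0, an AppInit_DLLs entry and a non-zero hidden-files count. The sample lines are constructed in the shape of the logs posted above, and the checker only flags entries for review, since the thread shows the local proxy here was required by the ISP.

```python
import re

# Constructed sample in the shape of the ComboFix log pasted in this thread
# (a few representative lines, not the full log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370

scan completed successfully
hidden files: 1
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
HIDDEN_RE = re.compile(r"^hidden files:\s*(\d+)$")


def reg_int(value):
    """Parse the number at the start of a ComboFix registry value.

    ComboFix prints either 'dword:00000001' (hex) or '0 (0x0)' (decimal).
    Returns None when the value is not numeric (e.g. a quoted path).
    """
    m = re.match(r"^dword:([0-9a-fA-F]+)", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)", value)
    return int(m.group(1)) if m else None


def check_registry_value(key, name, value):
    """Flag values under KEY that weaken defences or inject code into processes."""
    found = []
    lname = name.lower()
    if lname == "enablelua" and reg_int(value) == 0:
        found.append(("uac-disabled", key))
    if (lname == "disablemonitoring"
            and r"security center\monitoring" in key
            and reg_int(value) == 1):
        found.append(("security-center-monitoring-disabled", key))
    if lname == "appinit_dlls" and value:
        found.append(("appinit-dll", value))
    return found


def check_scan_line(line):
    """Flag supplementary-scan lines: a proxy on the local host, hidden files."""
    found = []
    m = PROXY_RE.match(line)
    if m:
        proxy = m.group(1).strip()
        if "127.0.0.1" in proxy or "localhost" in proxy.lower():
            found.append(("local-proxy", proxy))
    m = HIDDEN_RE.match(line)
    if m and int(m.group(1)) > 0:
        found.append(("hidden-files", m.group(1)))
    return found


def audit_combofix_log(text):
    """Return (code, detail) findings for a ComboFix log; empty list if nothing to review."""
    findings = []
    current_key = ""  # registry key the following "name"=value lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            findings.extend(check_registry_value(current_key, m.group(1), m.group(2).strip()))
            continue
        findings.extend(check_scan_line(line))
    return findings


if __name__ == "__main__":
    for code, detail in audit_combofix_log(SAMPLE_LOG):
        print(f"{code:40} {detail}")
```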
  19. xdeadlockxfan

    xdeadlockxfan Newcomer, in training Topic Starter Posts: 35

    Okay, I was able to see the thread provided through the PM you sent me. I'll be sure to follow your instructions tomorrow when I have more time.

    Thanks!
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Good! Hopefully that issue won't recur. Leave logs when ready.
  21. xdeadlockxfan

    xdeadlockxfan Newcomer, in training Topic Starter Posts: 35

Here is the Combofix log:

ComboFix 10-12-25.02 - Albert 12/25/2010 23:08:24.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1917.1168 [GMT -8:00]
    Running from: c:\users\Albert\Desktop\ComboFix.exe
    Command switches used :: c:\users\Albert\Desktop\CFScript.txt
    .

    ((((((((((((((((((((((((( Files Created from 2010-11-26 to 2010-12-26 )))))))))))))))))))))))))))))))
    .

    2010-12-26 07:15 . 2010-12-26 07:15 -------- d-----w- c:\users\Albert\AppData\Local\temp
    2010-12-26 07:15 . 2010-12-26 07:15 -------- d-----w- c:\users\TEMP\AppData\Local\temp
    2010-12-26 07:15 . 2010-12-26 07:15 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-12-25 20:52 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A166F29A-AC1B-44C3-88DE-C55811F873BA}\mpengine.dll
    2010-12-21 04:42 . 2010-12-21 04:42 -------- d-----w- c:\programdata\DivX
    2010-12-15 01:38 . 2010-12-20 03:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-12-15 01:38 . 2010-12-19 21:35 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-12-12 04:10 . 2010-12-12 04:10 -------- d-----w- c:\users\Albert\AppData\Roaming\Malwarebytes
    2010-12-12 04:10 . 2010-11-30 01:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-12 04:10 . 2010-12-12 04:10 -------- d-----w- c:\programdata\Malwarebytes
    2010-12-12 04:10 . 2010-12-12 04:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-12 04:10 . 2010-11-30 01:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-11 02:17 . 2010-12-11 02:17 478720 --sha-w- c:\windows\system32\cscutil.dll
    2010-12-10 22:29 . 2010-12-10 22:29 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-12-02 05:39 . 2008-02-27 23:09 17064 ----a-w- c:\windows\system32\lxdqwupd.exe
    2010-12-02 05:39 . 2007-11-21 14:39 102400 ----a-w- c:\windows\system32\lxdqwupd.dll
    2010-12-02 05:38 . 2007-11-28 23:09 348160 ----a-w- c:\windows\system32\LXDQinst.dll
    2010-12-02 05:37 . 2009-08-13 20:02 147968 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxdqdrpp.dll
    2010-12-02 05:37 . 2010-12-02 05:46 -------- d-----w- c:\program files\Lexmark Z2400 Series
    2010-12-02 01:30 . 2010-12-02 01:34 -------- d-----w- c:\program files\Linksys EasyLink Advisor

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 18:41 . 2009-10-04 17:44 222080 ------w- c:\windows\system32\MpSigStub.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-4 50688]
    HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2010-4-9 266240]
    Magic-i.lnk - c:\program files\ArcSoft\Magic-i 3\Magic-i.exe [2010-4-9 530944]
    QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-10-4 45056]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux5"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1281210887-1614234157-3903570788-1000]
    "EnableNotificationsRef"=dword:00000001

    R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-31 23888]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-17 30192]
    S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20101215.001\IDSvix86.sys [2010-09-15 287792]
    S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
    S2 lxdq_device;lxdq_device;c:\windows\system32\lxdqcoms.exe [2008-02-27 594600]
    S2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdqserv.exe [2009-04-28 94208]
    S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-01-27 50704]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
    S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]
    S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2006-11-02 16896]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-11 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Albert.job
    - c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2008-02-07 14:05]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ww2.cox.com/myconnection/lasvegas/home.cox
    mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071005
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-25 23:15
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2010-12-25 23:18:55
    ComboFix-quarantined-files.txt 2010-12-26 07:18
    ComboFix2.txt 2010-12-20 20:48

    Pre-Run: 62,179,807,232 bytes free
    Post-Run: 62,410,293,248 bytes free

    - - End Of File - - DBC76A5BD3B56027A26EED7C1FD7D2EA



    I received an error message from Kaspersky Online Scanner: Update has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab. Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: Anti-virus database was updated after license expiry]

    I don't have time at the moment to do the HijackThis information. I will do it soon though. What do I do about the online scanner?
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I'd still like to get an online scan. I went back over the logs- maybe I missed it, but I usually have you run an Eset online virus scan. If that doesn't work for any reason, then I suggest the Kaspersky scan.


    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    As far as I know, from what you say, the problems of the bad image have been resolved. Is there any other area of concern about malware?

    I do want to bring your attention to a couple of things: according to the list of installed programs, all of the following are installed separately for Norton security:
    Norton AntiVirus
    Norton AntiVirus Help
    Norton Confidential Core
    Norton Internet Security
    Norton Internet Security (Symantec Corporation)
    Norton Protection Center
    Symantec Real Time Storage Protection Component
    SymNet (SymNet is a component of the Firewall application installed with Norton products.)

    Some of us complain about the Norton 'bloat'- something to consider.

    You also have the following loading from the Registry> do you use either of these?
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

    Your logs are free of malware so far.
  23. xdeadlockxfan

    xdeadlockxfan Newcomer, in training Topic Starter Posts: 35

    Here's the online ESET scan log. It worked this time.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=1998bb39964f2f449cfacd9fb13dcbea
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-29 01:06:41
    # local_time=2010-12-28 05:06:41 (-0800, Pacific Standard Time)
    # country="United States"
    # lang=9
    # osver=6.0.6000 NT
    # compatibility_mode=3584 16777191 100 0 0 0 0 0
    # compatibility_mode=5892 16776573 100 100 0 130186874 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=150266
    # found=1
    # cleaned=0
    # scan_time=5455
    C:\Users\Albert\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\25d09bb3-16c47571 Java/TrojanDownloader.OpenStream.NAC trojan (unable to clean) 00000000000000000000000000000000 I


    My "bad image" pop ups are completely gone. I'm not concerned about anything else. Unless you see anything else that needs attention.

    Norton is a bit... weird. I am using the remainder of my subscription but will not be using it anymore after this year. I have approximately 50 days left of it. I figure I'll just download something that you recommend (preferably free AV software).

    The registry keys? I'm assuming those are codes you plug in so you can get the chance to register your product. As far as I know, I don't use them. But how can I make sure? Is this important?

    ESET did find one infected file, even after doing ComboFix. Where do we go from here? Almost done, I assume!
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Good. Glad to see Eset. The entry is easy to remove. I'll have you do it directly first, then run it through OTMoveIt to make sure it's gone:

    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      There are three options on this window to clear the cache. Check all:
      • Delete Files
      • View Applications
      • View Applets
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on Temporary Files Settings window.
    Note: If you want to delete a specific application and applet from the cache, click on View Application and View Applet options respectively.
    =========================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      :Files  
      C:\Users\Albert\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\25d09bb3-16c47571
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WindowsWelcomeCenter"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dellsupportcenter"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [Image: CFScript.txt being dragged onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    IF you do not use the Dell Support Center, it can be uninstalled in Add/Remove Programs.
    The program folder can be deleted using Windows Explorer: Windows key + E> Computer. Local Drive> Programs. You must sign in under the Administrative Account. And if you get a message about 'no right to access', let me know and I'll run you through taking ownership.
    ===============================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    ============================================
    Suggestion for free, good antivirus program> choose only one:
    • Avira Free
    • Avast Home
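As an added verification step (not part of Bobbye's instructions, nor of ComboFix or OTMoveIt), this PowerShell snippet checks from an elevated prompt whether the two Run entries the CFScript above removes are gone, and whether the per-user WinINET proxy still points at a loopback listener like the `ProxyServer = http=127.0.0.1:50370` entry that appeared in the earlier ComboFix log. Only the entry names and the loopback value come from this thread's logs; the layout of the script is assumed.

```powershell
# Added verification script, not code from the thread or from any tool it uses.
# Reports whether the autorun entries targeted by the CFScript are still present,
# and whether the user's WinINET proxy still routes browser traffic to a local port.

$runChecks = @(
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'WindowsWelcomeCenter' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'dellsupportcenter' }
)

foreach ($check in $runChecks) {
    # With -ErrorAction SilentlyContinue, a missing value yields $null instead of an error.
    $item = Get-ItemProperty -Path $check.Key -Name $check.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("OK      {0}\{1} is not present" -f $check.Key, $check.Name)
    } else {
        Write-Output ("PRESENT {0}\{1} = {2}" -f $check.Key, $check.Name, $item.($check.Name))
    }
}

# WinINET proxy settings are stored per user. A ProxyServer of 127.0.0.1:<port> means
# every HTTP request is first handed to a process listening on this machine, which is
# worth re-checking after cleanup when "redirect" symptoms were reported.
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($proxy.ProxyServer -match '127\.0\.0\.1|localhost') {
    Write-Output ("WARN    loopback proxy still configured: {0} (ProxyEnable={1})" -f $proxy.ProxyServer, $proxy.ProxyEnable)
} elseif ($proxy.ProxyServer) {
    Write-Output ("INFO    proxy configured: {0} (ProxyEnable={1})" -f $proxy.ProxyServer, $proxy.ProxyEnable)
} else {
    Write-Output "OK      no WinINET proxy configured for this user"
}
```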
  25. xdeadlockxfan

    xdeadlockxfan Newcomer, in training Topic Starter Posts: 35

    When I delete the temporary files under Java, I'm also prompted for deleting "trace and log files" too. Should I leave this checked or unchecked?

    Do you still want me to do the HiJackThis instructions? I haven't downloaded the program nor used it for anything yet, I forgot about it.

    Now, I'll get to the scans and stuff soon. I'm on vacation and just trying to keep the thread alive before it dies and I become unable to get my computer free of malware and stuff. But I promise I will do the scans!