TechSpot

"Bad Image" pop-ups; [application or program].dll issues; google redirects

Inactive
By xdeadlockxfan
Dec 12, 2010
Topic Status:
Not open for further replies.
  1. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    All should be checked. The 3 separate designations are only for deleting certain specific files. In this case, all three are okay.

    When your vacation is over, we'll check the system and see what's going on. At that time, I'll determine what, if anything, needs to be done.
  2. xdeadlockxfan

    xdeadlockxfan TS Rookie Topic Starter Posts: 35

    I did the OTM stuff and deleted that Java thing.

    HELP! I forgot to disable my antivirus software before running the new ComboFix script. Now when I try to open Internet Explorer, I get an error message saying "Illegal operation attempted on a registry key that has been marked for deletion."

    What do I do now?! It won't let me open even iTunes!
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The only Registry entries I had in the script were for the Welcome Center and the Dell Support Center. Check the Startup menu and see if either of these are checked. If they are, uncheck.

    To remove entries from Startup using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Click on Apply> OK when finished.

    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
    Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.

    IF that does not handle the problem:
    Control Panel (or Tools in IE)> Internet Options> Program tab> click on Reset Web Settings.

    FYI, I don't know of any reason why forgetting to disable the AV program would cause this.

    I'll have you check the Event Viewer if the problem continues.
  4. xdeadlockxfan

    xdeadlockxfan TS Rookie Topic Starter Posts: 35

    At first, I used another computer and googled the issue. I came across another message board where if I used Command Prompt and typed sfc /scannow I could see if the issue would be resolved. It worked and then I followed your instructions too just to make sure it would work.

    Here are the logs:

    ComboFix 11-01-03.01 - Albert 01/03/2011 11:17:06.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1917.1055 [GMT -8:00]
    Running from: c:\users\Albert\Desktop\ComboFix.exe
    Command switches used :: c:\users\Albert\Desktop\CFScript.txt
    .

    ((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))
    .

    2011-01-03 19:40 . 2011-01-03 19:40 -------- d-----w- c:\users\Albert\AppData\Local\temp
    2011-01-03 19:40 . 2011-01-03 19:40 -------- d-----w- c:\users\TEMP\AppData\Local\temp
    2011-01-03 19:40 . 2011-01-03 19:40 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-03 18:47 . 2011-01-03 18:47 -------- d-----w- C:\_OTM
    2010-12-31 23:30 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7236D729-65CB-4B11-94EF-0CE907646420}\mpengine.dll
    2010-12-28 23:28 . 2010-12-28 23:28 -------- d-----w- c:\program files\ESET
    2010-12-21 04:42 . 2010-12-21 04:42 -------- d-----w- c:\programdata\DivX
    2010-12-15 01:38 . 2010-12-20 03:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-12-15 01:38 . 2010-12-19 21:35 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-12-12 04:10 . 2010-12-12 04:10 -------- d-----w- c:\users\Albert\AppData\Roaming\Malwarebytes
    2010-12-12 04:10 . 2010-11-30 01:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-12 04:10 . 2010-12-12 04:10 -------- d-----w- c:\programdata\Malwarebytes
    2010-12-12 04:10 . 2010-12-12 04:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-12 04:10 . 2010-11-30 01:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-11 02:17 . 2010-12-11 02:17 478720 --sha-w- c:\windows\system32\cscutil.dll
    2010-12-10 22:29 . 2010-12-10 22:29 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 18:41 . 2009-10-04 17:44 222080 ------w- c:\windows\system32\MpSigStub.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-4 50688]
    HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2010-4-9 266240]
    Magic-i.lnk - c:\program files\ArcSoft\Magic-i 3\Magic-i.exe [2010-4-9 530944]
    QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-10-4 45056]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux5"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1281210887-1614234157-3903570788-1000]
    "EnableNotificationsRef"=dword:00000001

    R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-31 23888]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-17 30192]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2006-11-02 16896]
    S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20101229.001\IDSvix86.sys [2010-09-15 287792]
    S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
    S2 lxdq_device;lxdq_device;c:\windows\system32\lxdqcoms.exe [2008-02-27 594600]
    S2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdqserv.exe [2009-04-28 94208]
    S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-01-27 50704]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
    S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-11 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Albert.job
    - c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2008-02-07 14:05]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ww2.cox.com/myconnection/lasvegas/home.cox
    mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071005
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-03 11:40
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\TEMP\TMP0000005FE6B8AECC059211C5 524288 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-01-03 11:47:10
    ComboFix-quarantined-files.txt 2011-01-03 19:47
    ComboFix2.txt 2010-12-26 07:18
    ComboFix3.txt 2010-12-20 20:48

    Pre-Run: 62,631,972,864 bytes free
    Post-Run: 62,765,305,856 bytes free

    - - End Of File - - 172CB9C735F838D0884257C0314197DF


    And OTM..

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    File/Folder C:\Users\Albert\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\25d09bb3-16c47571 not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Albert
    ->Temp folder emptied: 199205792 bytes
    ->Temporary Internet Files folder emptied: 6580026 bytes
    ->Java cache emptied: 658494 bytes
    ->Flash cache emptied: 483889 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: TEMP
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 307810 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 261912 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 198.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 01032011_104743

    Files moved on Reboot...
    File C:\Windows\temp\JET121B.tmp not found!

    Registry entries deleted on Reboot...


    -Uninstalled Combofix.
    -Downloaded AVAST as instructed.
    -Combofix has this thing of creating a new internet explorer on my computer, like a new icon right under CF's icon. I usually delete this icon. Is that okay? Why would I have a new IE icon?
    -Uninstalled Dell Support Center
    -Did OTC.
    -Will create a system restore point as soon as computer reboots!

    What else is left of the malware removal process?
    I didn't do a HijackThis yet. Do I still need it?
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, what you did was have scannow replace a corrupt Favorites folder. Were all the Favorites intact and able to open?

    You should not have uninstalled Combofix until I told you to.
    I am not aware of any reason why Combofix would cause any change to the icons.

    Yes, please run HJT, after I check the log, if no entries need removal, you can remove any of the cleaning tools and logs again.
  6. xdeadlockxfan

    xdeadlockxfan TS Rookie Topic Starter Posts: 35

    Um, my favorites were able to open before the occurrence, but then I fixed the problem. I couldn't open any single program.

    You told me to uninstall Combofix in Post #24, as instructed. After I use Combofix, it creates another Internet Explorer icon underneath the Combofix icon. Maybe that version is a "no add-on" version?

    And where do I download HiJackThis? And you mean remove EVERYTHING as far as logs and tools that I've used to get rid of the malware?
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Reply #24:
    Yes, I do. The programs you used were only to do the scans. They were free and that version was not meant to remain on the system. You can purchase Malwarebytes on their site. The Eset scan can remain. You don't need DDS or GMER in the background- these were for information only. Keeping the logs won't do you any good.
    ============================================
    Sorry about HijackThis- I thought I had you run it previously. It is free and can remain on the system, but does not need to start on boot or run in the background:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    ==============================================
    I'll check the HJT log and if okay, you should follow my tool clean up instructions. When we have finished, I will give you links for security programs that are all free and good and will help protect your system.
  8. xdeadlockxfan

    xdeadlockxfan TS Rookie Topic Starter Posts: 35

    I'm just letting you know I got quite a bit going on with school since my semester exams are next week, and I have a big memory quiz for my calculus class Thursday and Friday. I downloaded HiJackThis and I will do the scan tomorrow. I will also delete the programs and such you instructed me to use for the malware removal.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Good luck on the exams! They come first- been there! Take your time. Leave the log when you can.
  10. xdeadlockxfan

    xdeadlockxfan TS Rookie Topic Starter Posts: 35

    The scan took like less than 30 seconds. Is that normal?

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:11:26 PM, on 1/12/2011
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.17037)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Button Manager\BM.exe
    C:\Program Files\ArcSoft\Magic-i 3\Magic-i.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\Windows Live\Messenger\wlcsdk.exe
    C:\Users\Albert\Desktop\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ww2.cox.com/myconnection/lasvegas/home.cox
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: HP Button Manager.lnk = ?
    O4 - Global Startup: Magic-i.lnk = C:\Program Files\ArcSoft\Magic-i 3\Magic-i.exe
    O4 - Global Startup: QuickSet.lnk = ?
    O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
    O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
    O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: lxdqCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdqserv.exe
    O23 - Service: lxdq_device - - C:\Windows\system32\lxdqcoms.exe
    O23 - Service: MgiSvr - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 8243 bytes
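As an added example, not code from the thread or from HijackThis itself: a small parser for the HijackThis log layout posted above that picks out the entry kinds a helper reads first (a proxy pointing at the local machine, a BHO whose DLL is gone, an unresolved Global Startup shortcut, an AppInit_DLLs entry). The sample lines are constructed from values in the log above, and the items it returns are things to confirm, not verdicts; the O20 entry in this log, for instance, belongs to Google Desktop.

```python
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v2 log layout, reusing values from the
# log posted above plus a header line and a process path the parser must skip.
SAMPLE_LOG = r"""Running processes:
C:\Windows\Explorer.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - Global Startup: HP Button Manager.lnk = ?
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
"""

# Every entry line starts with a section code (R0, R1, O2, O4, O23, ...) and " - ".
HJT_ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


@dataclass
class ReviewItem:
    code: str
    reason: str
    line: str


def parse_hjt(text: str) -> list[tuple[str, str, str]]:
    """Return (section code, body, full line) for each entry; headers and
    process paths in the 'Running processes' block do not match and are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if m:
            entries.append((m.group("code"), m.group("body"), line))
    return entries


def proxy_hosts(value: str) -> list[str]:
    """Split an IE ProxyServer value such as 'http=127.0.0.1:50370;https=host:8080'
    (or the bare form 'host:8080') into its host names."""
    hosts = []
    for part in value.split(";"):
        hostport = part.split("=", 1)[-1].strip()
        if hostport:
            hosts.append(hostport.rsplit(":", 1)[0])
    return hosts


def triage(text: str) -> list[ReviewItem]:
    """Flag the entry kinds a malware-removal helper checks first.
    Each item is a prompt to verify the entry, not a declaration that it is malicious."""
    items = []
    for code, body, line in parse_hjt(text):
        if code == "R1" and ",ProxyServer" in body and " = " in body:
            value = body.split(" = ", 1)[1]
            if any(h in LOOPBACK for h in proxy_hosts(value)):
                items.append(ReviewItem(
                    code, "IE proxy points at the local machine; confirm which installed program provides it", line))
        elif code == "O2" and body.endswith("(no file)"):
            items.append(ReviewItem(
                code, "BHO is registered but its DLL is missing; a dead entry that can be removed", line))
        elif code == "O4" and body.rsplit("=", 1)[-1].strip() == "?":
            items.append(ReviewItem(
                code, "startup shortcut whose target could not be resolved; inspect the .lnk", line))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            items.append(ReviewItem(
                code, "AppInit_DLLs loads this DLL into GUI processes; verify it belongs to a known product", line))
    return items


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f"{item.code}: {item.reason}\n    {item.line}")
```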
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The more processes running, the longer the scan takes. This is true of any program that has to deal with the files on a system. (By the way, it's why you do either a disk cleanup or at least remove the temp files before defragging or doing an error check- deleting those files will shorten the working times) Your HJT log looks perfectly normal.

    I did recommend stopping a few entries though:

    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O4 - Global Startup: HP Button Manager.lnk = ?> See Option 1
    O4 - Global Startup: Magic-i.lnk = C:\Program Files\ArcSoft\Magic-i 3\Magic-i.exe
    O4 - Global Startup: QuickSet.lnk = ?

    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: MgiSvr - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe


    Please read Option 1 for entries coded in Green before doing Fix Checked.
    Option 1: The Global Startups: When you have a program set to Global Startup, it means the program will start no matter which account is logging on. The 3 you have are:
    HP Button Manager.lnk>> tray icon for HP Webcam
    Magic-i.lnk>> Visual effects to be used with the web cam
    QuickSet.lnk>> preloaded by Dell. Uses resources that can be handled by other parts of the OS.

    (http://www.direct-laptops-guide.com/dell-quickset.html)
    Check to stop in HJT, then use the msconfig utility to stop these 3 processes by unchecking them on the Startup menu.

    Note about Services: All of these Services are legitimate, but none need to be set to Automatic Startup type. They can be set to Manual Startup:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Click on Start> Run> type in services.msc> enter> double-click on each of the following> set startup type to Manual> Stop the Service unless you are actively using it at that time.
    DSBrokerService
    MgiSvr
    Roxio UPnP Renderer
    Roxio Upnp Server
    LiveShare P2P Server 9 (RoxLiveShare9)
    RoxMediaDB9
    Roxio Hard Drive Watcher 9 (RoxWatch9)

    (It is part of Media Manager and it is indexing all of your media files (video and audio). If you feel this is a feature you do not use or want, run Media Manager and under TOOLS, turn it off.)
    ===========================================
    No new log needed. Please go ahead with Removing all of the tools we used and the files and folders they created in Reply #24.

    Let me know if you have any more questions.
  12. xdeadlockxfan

    xdeadlockxfan TS Rookie Topic Starter Posts: 35

    Holy hell Bobbye, something totally weird is going on with my computer now. I got on and surfed the web a bit and then this Antivirus Scan program is automatically a part of windows and now I can't open any program without getting an error message saying "Application cannot be executed. The file _____.exe is infected. Do you want to activate your antivirus software now?" My Norton subscription is also near ending. And my computer is totally freaking out. Help! Haven't done any of the other HiJackThis stuff yet.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    There is no antivirus scan program that is automatically part of Windows! Do not act on anything you are told by the rogue program.

    So you didn't follow any of Reply 36?
    Do not connect to the internet without a working, updated antivirus program. If you want to replace Norton:
    Antivirus Software(only one):Both of the following programs are free and known to be good:
    [o]Avira Free
    [o]Avast Home
    ==============================================
    Please update and run a new scan with Malwarebytes:

    Malwarebytes' Anti-Malware
    • Please download Malwarebytes' Anti-Malware from HERE
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      [o] Update Malwarebytes' Anti-Malware
      [o] and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick scan, then click Scan.
      * When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply
      [o] If you accidentally close it, the log file is saved here and will be named like this:
      [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ========================
    The update and rescan with Eset:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  14. xdeadlockxfan

    xdeadlockxfan TS Rookie Topic Starter Posts: 35

    From Post #36...

    I did the Option 1, however I could not find QuickSet on my startup menu. The other two were there and I unchecked those. Do you still want me to do "fix checked" on HJT?

    I will now be doing the safe mode stuff with the other entries in black.

    As an update from Post #38, I'll get to that after the safe mode reboot. All of a sudden, that rogue program is gone and not prompting me anything now.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Note please that the instructions for checking in HijackThis say "if present." So if QuickSet isn't there, you can't check it. Remove whatever you did check.

    You didn't leave either the Mbam or the Eset logs, but most likely what is now gone was removed in Mbam. I would like to see both logs.
  16. xdeadlockxfan

    xdeadlockxfan TS Rookie Topic Starter Posts: 35

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5543

    Windows 6.0.6000
    Internet Explorer 7.0.6000.17037

    1/17/2011 7:52:16 PM
    mbam-log-2011-01-17 (19-52-16).txt

    Scan type: Quick scan
    Objects scanned: 156028
    Time elapsed: 8 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\yr87fk3d2dnszapq2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    -----------
    I couldn't run ESET because it's simply not loading. Do you have the Kaspersky one I could use? And in your last post, you said I didn't leave Mbam or ESET; I did that on purpose. I even said I'd get to it after I did the System Configuration stuff.
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sometimes, it's difficult to know what "it" is referring to.

    Mbam removed a rogue security program. We need to tighten up the security.

    Run Kaspersky Online Scanner in Internet Explorer

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make sure that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
  18. xdeadlockxfan

    xdeadlockxfan TS Rookie Topic Starter Posts: 35

    Kaspersky is still giving me problems. It won't load the scan after downloading the necessary files!
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You started this thread 6 weeks ago. I have dealt with everything shown in the logs. I have tried to answer all of your questions and provided you with additional directions. We aren't getting anywhere here.

    I will offer two suggestions before I close this thread:
    1. Start a new thread in the Windows BSOD, Freezing Restarting Forum HERE.
    Include the following:
    Describe the "Bad Image" popups, dll issues.
    Tell them that the Java cache Trojan has been handled.
    Tell them you ran scan now on your own.
    Tell them that I had you run OTM and CFfix script.
    Tell them that I had you remove entries in HJT.

    Tell them that you posted this:
    2. Do a reformat/reinstall of the OS:
    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html

    I do not think continuing on this thread will be productive.