I think I am infected with an awful virus

Inactive
By Elvira1
Oct 11, 2012
  1. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  2. Elvira1

    Elvira1 Newcomer, in training Topic Starter Posts: 34

    I'm experiencing a slow computer and blue screen of death.
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Upload Dump Files:
    Please go to C:\Windows\Minidump and zip up the contents of the folder. Then upload/attach the .zip file with your next post.
    Left click on the first minidump file.
    Hold down the "Shift" key and left click on the last minidump file.
    Right click on the blue highlighted area and select "Send to"
    Select "Compressed (zipped) folder" and note where the folder is saved.
    Upload that .zip file with your next post.

    If you have issues with "Access Denied" errors, try copying the files to your desktop and zipping them up from there. If it still won't let you zip them up, post back for further advice.

    If you don't have anything in that folder, please check in C:\Windows for a file named MEMORY.DMP. If you find it, zip it up and upload it to a free file hosting service. I recommend Windows Live SkyDrive - http://skydrive.live.com or another free, file-hosting service. Then post the link to it in your topic so that we can download it.

    Then, follow the directions here to set your system for Minidumps (much smaller than the MEMORY.DMP file): http://www.carrona.org/setmini.html


    • Please download VEW by Vino Rosso from here and save it to your desktop
    • Double click it to start it. Note: If running Windows Vista or Windows 7 you will need to right click the file and select Run as administrator and click Continue or Allow at the User Account Control Prompt.
    • Click the check boxes next to Application and System located under Select log to query on the upper left
    • Under Select type to list on the right click the boxes next to Error and Warning. Note: If running Windows Vista or Windows 7 also click the box next to Critical (not XP).
    • Under Number or date of events select Number of events and type 20 in the box next to 1 to 20 and click Run
    • Once it finishes it will display a log file in notepad
    • Please copy and paste its entire contents into your next reply
  4. Elvira1

    Elvira1 Newcomer, in training Topic Starter Posts: 34

  5. Elvira1

    Elvira1 Newcomer, in training Topic Starter Posts: 34

    Here's my VEW.txt log:

    Vino's Event Viewer v01c run on Windows XP in English
    Report run at 19/10/2012 2:36:46 PM
    Note: All dates below are in the format dd/mm/yyyy
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'Application' Date/Time: 19/10/2012 1:52:21 PM
    Type: error Category: 0
    Event: 0 Source: Broadcom ASF IP and SMBIOS Mailbox Monitor
    The event description cannot be found.
    Log: 'Application' Date/Time: 17/10/2012 11:57:27 PM
    Type: error Category: 0
    Event: 8 Source: crypt32
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.
    Log: 'Application' Date/Time: 17/10/2012 11:57:25 PM
    Type: error Category: 0
    Event: 8 Source: crypt32
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.
    Log: 'Application' Date/Time: 17/10/2012 7:21:25 PM
    Type: error Category: 0
    Event: 0 Source: Broadcom ASF IP and SMBIOS Mailbox Monitor
    The event description cannot be found.
    Log: 'Application' Date/Time: 17/10/2012 4:25:29 PM
    Type: error Category: 0
    Event: 0 Source: Broadcom ASF IP and SMBIOS Mailbox Monitor
    The event description cannot be found.
    Log: 'Application' Date/Time: 17/10/2012 3:47:12 AM
    Type: error Category: 0
    Event: 0 Source: Broadcom ASF IP and SMBIOS Mailbox Monitor
    The event description cannot be found.
    Log: 'Application' Date/Time: 17/10/2012 1:57:42 AM
    Type: error Category: 1
    Event: 4112 Source: MSDTC
    Could not start the MS DTC Transaction Manager.
    Log: 'Application' Date/Time: 17/10/2012 1:57:42 AM
    Type: error Category: 2
    Event: 4185 Source: MSDTC
    MS DTC Transaction Manager start failed. LogInit returned error 0x5.
    Log: 'Application' Date/Time: 17/10/2012 1:57:42 AM
    Type: error Category: 4
    Event: 4163 Source: MSDTC
    MS DTC log file not found. After ensuring that all Resource Managers coordinated by MS DTC have no indoubt transactions, please run msdtc -resetlog to create the log file.
    Log: 'Application' Date/Time: 17/10/2012 1:57:31 AM
    Type: error Category: 1
    Event: 4112 Source: MSDTC
    Could not start the MS DTC Transaction Manager.
    Log: 'Application' Date/Time: 17/10/2012 1:57:31 AM
    Type: error Category: 2
    Event: 4185 Source: MSDTC
    MS DTC Transaction Manager start failed. LogInit returned error 0x5.
    Log: 'Application' Date/Time: 17/10/2012 1:57:31 AM
    Type: error Category: 4
    Event: 4163 Source: MSDTC
    MS DTC log file not found. After ensuring that all Resource Managers coordinated by MS DTC have no indoubt transactions, please run msdtc -resetlog to create the log file.
    Log: 'Application' Date/Time: 17/10/2012 1:50:44 AM
    Type: error Category: 0
    Event: 1103 Source: .NET Runtime Optimization Service
    .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

    Log: 'Application' Date/Time: 17/10/2012 1:11:01 AM
    Type: error Category: 1
    Event: 4112 Source: MSDTC
    Could not start the MS DTC Transaction Manager.
    Log: 'Application' Date/Time: 17/10/2012 1:11:01 AM
    Type: error Category: 2
    Event: 4185 Source: MSDTC
    MS DTC Transaction Manager start failed. LogInit returned error 0x5.
    Log: 'Application' Date/Time: 17/10/2012 1:11:01 AM
    Type: error Category: 4
    Event: 4163 Source: MSDTC
    MS DTC log file not found. After ensuring that all Resource Managers coordinated by MS DTC have no indoubt transactions, please run msdtc -resetlog to create the log file.
    Log: 'Application' Date/Time: 15/10/2012 10:55:03 PM
    Type: error Category: 0
    Event: 0 Source: Broadcom ASF IP and SMBIOS Mailbox Monitor
    The event description cannot be found.
    Log: 'Application' Date/Time: 15/10/2012 2:27:21 AM
    Type: error Category: 0
    Event: 1103 Source: .NET Runtime Optimization Service
    .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

    Log: 'Application' Date/Time: 14/10/2012 11:27:18 PM
    Type: error Category: 0
    Event: 0 Source: Broadcom ASF IP and SMBIOS Mailbox Monitor
    The event description cannot be found.
    Log: 'Application' Date/Time: 14/10/2012 8:10:25 AM
    Type: error Category: 0
    Event: 0 Source: Broadcom ASF IP and SMBIOS Mailbox Monitor
    The event description cannot be found.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - warning Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'Application' Date/Time: 18/10/2012 10:03:27 AM
    Type: warning Category: 0
    Event: 1517 Source: Userenv
    Windows saved user XANDER-DELLD630\leahjewel registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
    Log: 'Application' Date/Time: 16/10/2012 8:32:36 PM
    Type: warning Category: 54
    Event: 4353 Source: EventSystem
    The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
    Log: 'Application' Date/Time: 16/10/2012 8:32:36 PM
    Type: warning Category: 52
    Event: 4356 Source: EventSystem
    The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.
    Log: 'Application' Date/Time: 16/10/2012 8:32:36 PM
    Type: warning Category: 54
    Event: 4353 Source: EventSystem
    The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
    Log: 'Application' Date/Time: 16/10/2012 8:32:36 PM
    Type: warning Category: 52
    Event: 4356 Source: EventSystem
    The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.
    Log: 'Application' Date/Time: 16/10/2012 8:32:36 PM
    Type: warning Category: 54
    Event: 4353 Source: EventSystem
    The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
    Log: 'Application' Date/Time: 16/10/2012 8:32:36 PM
    Type: warning Category: 52
    Event: 4356 Source: EventSystem
    The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.
    Log: 'Application' Date/Time: 16/10/2012 8:32:36 PM
    Type: warning Category: 54
    Event: 4353 Source: EventSystem
    The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
    Log: 'Application' Date/Time: 16/10/2012 8:32:36 PM
    Type: warning Category: 52
    Event: 4356 Source: EventSystem
    The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.
    Log: 'Application' Date/Time: 16/10/2012 8:32:36 PM
    Type: warning Category: 54
    Event: 4353 Source: EventSystem
    The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
    Log: 'Application' Date/Time: 16/10/2012 8:32:36 PM
    Type: warning Category: 52
    Event: 4356 Source: EventSystem
    The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.
    Log: 'Application' Date/Time: 16/10/2012 8:32:36 PM
    Type: warning Category: 54
    Event: 4353 Source: EventSystem
    The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
    Log: 'Application' Date/Time: 16/10/2012 8:32:36 PM
    Type: warning Category: 52
    Event: 4356 Source: EventSystem
    The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.
    Log: 'Application' Date/Time: 16/10/2012 8:32:36 PM
    Type: warning Category: 54
    Event: 4353 Source: EventSystem
    The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
    Log: 'Application' Date/Time: 16/10/2012 8:32:36 PM
    Type: warning Category: 52
    Event: 4356 Source: EventSystem
    The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.
    Log: 'Application' Date/Time: 16/10/2012 8:32:36 PM
    Type: warning Category: 54
    Event: 4353 Source: EventSystem
    The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
    Log: 'Application' Date/Time: 16/10/2012 8:32:36 PM
    Type: warning Category: 52
    Event: 4356 Source: EventSystem
    The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.
    Log: 'Application' Date/Time: 15/10/2012 1:41:33 AM
    Type: warning Category: 54
    Event: 4353 Source: EventSystem
    The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
    Log: 'Application' Date/Time: 15/10/2012 1:41:33 AM
    Type: warning Category: 52
    Event: 4356 Source: EventSystem
    The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.
    Log: 'Application' Date/Time: 15/10/2012 1:41:33 AM
    Type: warning Category: 54
    Event: 4353 Source: EventSystem
    The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 19/10/2012 1:52:24 PM
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    Log: 'System' Date/Time: 19/10/2012 1:52:24 PM
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the Windows Presentation Foundation Font Cache 3.0.0.0 service to connect.
    Log: 'System' Date/Time: 19/10/2012 12:18:18 AM
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    Log: 'System' Date/Time: 19/10/2012 12:18:18 AM
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the Windows Presentation Foundation Font Cache 3.0.0.0 service to connect.
    Log: 'System' Date/Time: 19/10/2012 12:18:17 AM
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The Advanced SystemCare Service 5 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    Log: 'System' Date/Time: 19/10/2012 12:18:17 AM
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the Advanced SystemCare Service 5 service to connect.
    Log: 'System' Date/Time: 18/10/2012 1:33:39 AM
    Type: error Category: 0
    Event: 111 Source: Removable Storage Service
    RSM could not load media in drive Drive 0 of library USB 2.0 USB Flash Drive USB Device.
    Log: 'System' Date/Time: 17/10/2012 10:26:25 PM
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the Windows Presentation Foundation Font Cache 3.0.0.0 service to connect.
    Log: 'System' Date/Time: 17/10/2012 7:20:23 PM
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    Log: 'System' Date/Time: 17/10/2012 7:20:23 PM
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the Windows Presentation Foundation Font Cache 3.0.0.0 service to connect.
    Log: 'System' Date/Time: 17/10/2012 4:44:43 PM
    Type: error Category: 0
    Event: 7031 Source: Service Control Manager
    The MBAMService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    Log: 'System' Date/Time: 17/10/2012 4:44:41 PM
    Type: error Category: 0
    Event: 7031 Source: Service Control Manager
    The Broadcom ASF IP and SMBIOS Mailbox Monitor service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    Log: 'System' Date/Time: 17/10/2012 4:44:39 PM
    Type: error Category: 0
    Event: 7031 Source: Service Control Manager
    The Advanced SystemCare Service 5 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    Log: 'System' Date/Time: 17/10/2012 4:25:59 PM
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    Log: 'System' Date/Time: 17/10/2012 4:25:59 PM
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
    Log: 'System' Date/Time: 17/10/2012 4:23:53 PM
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The MBAMScheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    Log: 'System' Date/Time: 17/10/2012 4:23:53 PM
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the MBAMScheduler service to connect.
    Log: 'System' Date/Time: 17/10/2012 4:23:53 PM
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    Log: 'System' Date/Time: 17/10/2012 4:23:53 PM
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the Windows Presentation Foundation Font Cache 3.0.0.0 service to connect.
    Log: 'System' Date/Time: 17/10/2012 8:35:48 AM
    Type: error Category: 0
    Event: 10005 Source: DCOM
    DCOM got error "%1053" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - warning Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 19/10/2012 1:50:09 PM
    Type: warning Category: 0
    Event: 4 Source: b57w2k
    Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.
    Log: 'System' Date/Time: 19/10/2012 12:33:05 AM
    Type: warning Category: 0
    Event: 4226 Source: Tcpip
    TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
    Log: 'System' Date/Time: 19/10/2012 12:12:43 AM
    Type: warning Category: 0
    Event: 4 Source: b57w2k
    Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.
    Log: 'System' Date/Time: 18/10/2012 9:24:46 PM
    Type: warning Category: 0
    Event: 4226 Source: Tcpip
    TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
    Log: 'System' Date/Time: 17/10/2012 11:47:42 PM
    Type: warning Category: 0
    Event: 4226 Source: Tcpip
    TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
    Log: 'System' Date/Time: 17/10/2012 9:59:04 PM
    Type: warning Category: 0
    Event: 256 Source: PlugPlayManager
    Timed out sending notification of device interface change to window of "SAS window"
    Log: 'System' Date/Time: 17/10/2012 7:16:47 PM
    Type: warning Category: 0
    Event: 4 Source: b57w2k
    Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.
    Log: 'System' Date/Time: 17/10/2012 4:19:45 PM
    Type: warning Category: 0
    Event: 4 Source: b57w2k
    Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.
    Log: 'System' Date/Time: 17/10/2012 9:23:20 AM
    Type: warning Category: 0
    Event: 4226 Source: Tcpip
    TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
    Log: 'System' Date/Time: 17/10/2012 8:51:26 AM
    Type: warning Category: 0
    Event: 4226 Source: Tcpip
    TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
    Log: 'System' Date/Time: 17/10/2012 8:29:15 AM
    Type: warning Category: 0
    Event: 4 Source: b57w2k
    Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.
    Log: 'System' Date/Time: 17/10/2012 3:39:31 AM
    Type: warning Category: 0
    Event: 4 Source: b57w2k
    Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.
    Log: 'System' Date/Time: 17/10/2012 2:29:20 AM
    Type: warning Category: 0
    Event: 1003 Source: Dhcp
    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0022692A6012. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    Log: 'System' Date/Time: 17/10/2012 2:29:20 AM
    Type: warning Category: 0
    Event: 1003 Source: Dhcp
    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0022692A6012. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    Log: 'System' Date/Time: 17/10/2012 2:28:46 AM
    Type: warning Category: 0
    Event: 1003 Source: Dhcp
    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0022692A6012. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    Log: 'System' Date/Time: 17/10/2012 2:28:42 AM
    Type: warning Category: 0
    Event: 1003 Source: Dhcp
    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0022692A6012. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    Log: 'System' Date/Time: 17/10/2012 2:28:37 AM
    Type: warning Category: 0
    Event: 1003 Source: Dhcp
    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0022692A6012. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    Log: 'System' Date/Time: 17/10/2012 2:23:47 AM
    Type: warning Category: 0
    Event: 1006 Source: Dhcp
    Your computer was unable to automatically configure the IP parameters for the Network Card with the network address 0022692A6012. The following error occurred during configuration: The specified network resource or device is no longer available. .
    Log: 'System' Date/Time: 17/10/2012 2:23:44 AM
    Type: warning Category: 0
    Event: 1003 Source: Dhcp
    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0022692A6012. The following error occurred: An operation was attempted on something that is not a socket. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    Log: 'System' Date/Time: 17/10/2012 2:23:44 AM
    Type: warning Category: 0
    Event: 1003 Source: Dhcp
    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0022692A6012. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
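    The VEW report above is a flat dump; what a helper actually reads off it is counts and timing. The Python below is an added example (not from this thread and not part of VEW) that parses VEW's record format, tallies events by source and ID, and applies three triage rules drawn from what is visible in the log: repeated Tcpip 4226 (XP SP2's cap of 10 half-open outbound connects), an anti-malware service terminating unexpectedly (SCM 7031), and several services dying within one minute of each other. The sample input reproduces five entries from the report; the anti-malware name list and the thresholds are my own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Sample input: five entries copied from the VEW report above (dd/mm/yyyy dates).
SAMPLE_VEW = """\
Log: 'System' Date/Time: 17/10/2012 4:44:43 PM
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The MBAMService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
Log: 'System' Date/Time: 17/10/2012 4:44:41 PM
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Broadcom ASF IP and SMBIOS Mailbox Monitor service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
Log: 'System' Date/Time: 17/10/2012 4:44:39 PM
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Advanced SystemCare Service 5 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
Log: 'System' Date/Time: 19/10/2012 12:33:05 AM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Log: 'System' Date/Time: 18/10/2012 9:24:46 PM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
"""

@dataclass
class Event:
    log: str          # 'Application' or 'System'
    when: datetime
    kind: str         # error / warning / critical
    event_id: int
    source: str
    message: str

_HDR = re.compile(r"^Log: '(\w+)' Date/Time: (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)$")
_TYPE = re.compile(r"^Type: (\w+) Category: \d+$")
_EVT = re.compile(r"^Event: (\d+) Source: (.+)$")

def parse_vew(text):
    """Turn VEW's three header lines plus message text into Event objects."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        hdr, typ, evt = _HDR.match(line), _TYPE.match(line), _EVT.match(line)
        if hdr:
            when = datetime.strptime(hdr.group(2), "%d/%m/%Y %I:%M:%S %p")
            cur = Event(hdr.group(1), when, "", 0, "", "")
            events.append(cur)
        elif cur is None or line.startswith(("~", "'")):
            pass                          # report preamble and section banners
        elif typ:
            cur.kind = typ.group(1)
        elif evt:
            cur.event_id, cur.source = int(evt.group(1)), evt.group(2)
        elif line:
            cur.message = (cur.message + " " + line).strip()
    return events

def summarize(events):
    """Counts per (log, source, event id): the first thing to skim in a long dump."""
    return Counter((e.log, e.source, e.event_id) for e in events)

def crash_burst(events, window=timedelta(seconds=60)):
    """Largest number of SCM 7031 'terminated unexpectedly' events inside any
    window; unrelated services dying within seconds of each other looks like a
    process-killing sweep or a system-wide hang rather than one buggy service."""
    times = sorted(e.when for e in events
                   if e.source == "Service Control Manager" and e.event_id == 7031)
    best, start, lo = 0, None, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 > best:
            best, start = hi - lo + 1, times[lo]
    return best, start

# Substrings identifying anti-malware services: my own triage list, not VEW's.
ANTIMALWARE_HINTS = ("mbam", "malwarebytes", "avast", "mcafee", "norton", "symantec")
_DIED = re.compile(r"^The (.+?) service terminated unexpectedly")

def triage(events):
    findings, counts = [], summarize(events)
    # XP SP2+ caps half-open outbound TCP connects at 10. Hitting the cap again
    # and again means some process opens connections fast (a P2P client, or a
    # scanner/spambot): identify it with netstat -b or TCPView before guessing.
    n = counts[("System", "Tcpip", 4226)]
    if n >= 2:
        findings.append(f"Tcpip 4226 logged {n} times: find the process opening many connections")
    for e in events:
        died = _DIED.match(e.message) if e.event_id == 7031 else None
        if died and any(h in died.group(1).lower() for h in ANTIMALWARE_HINTS):
            findings.append(f"{e.when:%Y-%m-%d %H:%M:%S} anti-malware service {died.group(1)} died")
    n, start = crash_burst(events)
    if n >= 3:
        findings.append(f"{n} service crashes within 60 s starting {start:%Y-%m-%d %H:%M:%S}")
    return findings
```

    Run against the full VEW.txt, `triage(parse_vew(open("VEW.txt").read()))` flags the three 7031 events at 4:44:39-43 PM on 17/10 as one burst (MBAMService among them) and the recurring 4226 warnings; none of that proves malware on its own, but it tells you which process to look at next.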
  6. Elvira1

    Elvira1 Newcomer, in training Topic Starter Posts: 34

    I notice that my audio sound stutters and my system is still running slower than usual. Also, each time I restart my laptop, I check the services and notice that the configurations have been changed. Some items that were set to disabled have been enabled and vice versa... every time I restart. I find this very strange.
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    I suspect memory issues are the problem here...

    • Run Hardware Diagnostics -
    - RAM - http://www.carrona.org/memdiag.html (read the details at the link)
    - HDD - http://www.carrona.org/hddiag.html (read the details at the link)


    Go to VirusTotal.com, click Choose File, browse for "c:\windows\system32\drivers\atapi.sys".

    If it gives message about already having the file scanned, click Re-Scan. Once done, please copy the link from the address bar, and paste it to your next reply.
  8. Elvira1

    Elvira1 Newcomer, in training Topic Starter Posts: 34

    I'm a novice. The instructions are quite confusing for me. Can you please simplify them for me?

    Thanks so much.
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Go ahead and scan the file at VirusTotal... try that first, then we'll continue to next steps...
  10. Elvira1

    Elvira1 Newcomer, in training Topic Starter Posts: 34

  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
     
  12. Elvira1

    Elvira1 Newcomer, in training Topic Starter Posts: 34

    Farbar Service Scanner Version: 19-10-2012
    Ran by leahjewel (administrator) on 22-10-2012 at 18:46:39
    Running from "C:\Documents and Settings\leahjewel\Desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    Srservice Service is not running. Checking service configuration:
    The start type of Srservice service is OK.
    The ImagePath of Srservice service is OK.
    The ServiceDll of Srservice service is OK.

    sr Service is not running. Checking service configuration:
    The start type of sr service is set to Disabled. The default start type is Boot.
    The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".


    System Restore Disabled Policy:
    ========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR"=DWORD:1


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is set to Disabled. The default start type is Auto.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.


    Windows Update:
    ============
    cryptsvc Service is not running. Checking service configuration:
    The start type of cryptsvc service is set to Demand. The default start type is Auto.
    The ImagePath of cryptsvc service is OK.
    The ServiceDll of cryptsvc service is OK.


    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) Tcpip6(9)
    0x09000000050000000100000002000000030000000400000008000000060000000700000009000000
    IpSec Tag value is correct.

    **** End of log ****
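    FSS is the more telling log in this thread: for each protection service it prints the observed start type next to the default, and it dumps the System Restore policy key. The Python below is an added example (not from this thread and not part of FSS) that pulls those lines out, flags protection services whose start type no longer matches the default together with any non-zero value under a "... Disabled Policy" section, and emits the XP `sc config` and `reg add` commands that would restore the defaults. The set of protection services is my own triage list; the sample input reproduces the relevant sections of the log above. One caveat a helper would add: the settings on this machine were reverting at every reboot, so restoring them is only meaningful once whatever is changing them has been removed.

```python
import re
from dataclasses import dataclass

# Sample input: the service sections copied from the FSS.txt posted above.
SAMPLE_FSS = """\
System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.

sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\\SystemRoot\\system32\\DRIVERS\\sr.sys".

System Restore Disabled Policy:
========================
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore]
"DisableSR"=DWORD:1

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
cryptsvc Service is not running. Checking service configuration:
The start type of cryptsvc service is set to Demand. The default start type is Auto.
The ImagePath of cryptsvc service is OK.
The ServiceDll of cryptsvc service is OK.
"""

@dataclass(frozen=True)
class Finding:
    section: str   # FSS section, e.g. "Security Center"
    kind: str      # "not_running", "start_type" or "policy"
    name: str      # service name or registry value name
    observed: str
    expected: str
    key: str = ""  # registry key, policy findings only

# XP protection services malware commonly disables to stay unnoticed.
# This list is my own triage choice, not something FSS ships.
SECURITY_SERVICES = {"wscsvc", "sr", "srservice", "cryptsvc", "wuauserv",
                     "bits", "sharedaccess", "windefend"}

_SECTION = re.compile(r"^([A-Za-z ]+):$")
_NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
_START_TYPE = re.compile(r"^The start type of (\S+) service is set to (\w+)\. "
                         r"The default start type is (\w+)\.$")
_REG_KEY = re.compile(r"^\[(.+)\]$")
_REG_DWORD = re.compile(r'^"(\w+)"=DWORD:(\d+)$')

def parse_fss(text):
    """Extract stopped services, non-default start types and policy DWORDs."""
    findings, section, key = [], "", ""
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        sec = _SECTION.match(line)
        if sec and i + 1 < len(lines) and lines[i + 1].startswith("="):
            section = sec.group(1)          # a header is followed by a ==== rule
            continue
        if (m := _NOT_RUNNING.match(line)):
            findings.append(Finding(section, "not_running", m.group(1), "stopped", "running"))
        elif (m := _START_TYPE.match(line)):
            findings.append(Finding(section, "start_type", m.group(1), m.group(2), m.group(3)))
        elif (m := _REG_KEY.match(line)):
            key = m.group(1)
        elif (m := _REG_DWORD.match(line)):
            findings.append(Finding(section, "policy", m.group(1), m.group(2), "0", key))
    return findings

def tampered(findings):
    """The subset a malware helper acts on: a protection service whose start
    type no longer matches its default, or a non-zero value under one of the
    '... Disabled Policy' sections (DisableSR=1 switches System Restore off)."""
    return [f for f in findings
            if (f.kind == "start_type" and f.name.lower() in SECURITY_SERVICES
                and f.observed != f.expected)
            or (f.kind == "policy" and f.section.endswith("Disabled Policy")
                and f.observed != "0")]

# FSS start-type words -> the argument sc.exe expects (note the space after '=').
_SC_START = {"Boot": "boot", "System": "system", "Auto": "auto",
             "Demand": "demand", "Disabled": "disabled"}

def remediation(findings):
    """XP commands that would put the tampered settings back to their defaults."""
    cmds = []
    for f in tampered(findings):
        if f.kind == "start_type":
            cmds.append(f"sc config {f.name} start= {_SC_START[f.expected]}")
        else:
            cmds.append(f'reg add "{f.key}" /v {f.name} /t REG_DWORD /d 0 /f')
    return cmds
```

    On the log above this yields four tampered items (sr, DisableSR, wscsvc, cryptsvc) and the matching `sc config ... start= boot|auto` and `reg add ... /d 0` lines. Srservice is stopped but keeps its default start type, which the parser records as `not_running` without flagging it: it cannot start while the sr driver underneath it is disabled.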
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)
    OTL scan

    Open OTL, click the None button, place the following in the Custom Scans/Fixes box, and hit Run Scan:

    Post log once done.
  14. Elvira1

    Elvira1 Newcomer, in training Topic Starter Posts: 34

    I'm attempting to do this fix but it's frozen up and not responding. The desktop never disappeared and it just says "killing processes. do not interrupt." at the very bottom.
  15. Elvira1

    Elvira1 Newcomer, in training Topic Starter Posts: 34

    OTL logfile created on: 10/24/2012 8:53:43 AM - Run 2
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\leahjewel\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.49 Gb Available Physical Memory | 74.46% Memory free
    3.85 Gb Paging File | 3.46 Gb Available in Paging File | 89.87% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 111.79 Gb Total Space | 66.57 Gb Free Space | 59.55% Space Free | Partition Type: NTFS
    Drive E: | 3.76 Gb Total Space | 1.92 Gb Free Space | 51.18% Space Free | Partition Type: FAT32

    Computer Name: XANDER-DELLD630 | User Name: leahjewel | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

    ========== Custom Scans ==========

    < MD5 for: CRYPTSVC.DLL >
    [2008/04/14 07:00:00 | 000,062,464 | ---- | M] (Microsoft Corporation) MD5=3D4E199942E29207970E04315D02AD3B -- C:\WINDOWS\ERDNT\cache\cryptsvc.dll
    [2008/04/14 07:00:00 | 000,062,464 | ---- | M] (Microsoft Corporation) MD5=3D4E199942E29207970E04315D02AD3B -- C:\WINDOWS\system32\cryptsvc.dll
    [2008/04/14 07:00:00 | 000,062,464 | ---- | M] (Microsoft Corporation) MD5=3D4E199942E29207970E04315D02AD3B -- C:\WINDOWS\system32\dllcache\cryptsvc.dll

    < MD5 for: SR.SYS >
    [2008/04/14 07:00:00 | 000,073,472 | ---- | M] (Microsoft Corporation) MD5=76BB022C2FB6902FD5BDD4F78FC13A5D -- C:\WINDOWS\system32\dllcache\sr.sys
    [2008/04/14 07:00:00 | 000,073,472 | ---- | M] (Microsoft Corporation) MD5=76BB022C2FB6902FD5BDD4F78FC13A5D -- C:\WINDOWS\system32\drivers\sr.sys

    < MD5 for: WSCSVC.DLL >
    [2008/04/14 07:00:00 | 000,080,896 | ---- | M] (Microsoft Corporation) MD5=7C278E6408D1DCE642230C0585A854D5 -- C:\WINDOWS\system32\dllcache\wscsvc.dll
    [2008/04/14 07:00:00 | 000,080,896 | ---- | M] (Microsoft Corporation) MD5=7C278E6408D1DCE642230C0585A854D5 -- C:\WINDOWS\system32\wscsvc.dll

    < MD5 for: WUAUCLT.EXE >
    [2012/06/02 15:19:34 | 000,053,784 | ---- | M] (Microsoft Corporation) MD5=2E0B0A051FFAA86E358465BB0880D453 -- C:\WINDOWS\ERDNT\cache\wuauclt.exe
    [2012/06/02 15:19:34 | 000,053,784 | ---- | M] (Microsoft Corporation) MD5=2E0B0A051FFAA86E358465BB0880D453 -- C:\WINDOWS\system32\dllcache\wuauclt.exe
    [2012/06/02 15:19:34 | 000,053,784 | ---- | M] (Microsoft Corporation) MD5=2E0B0A051FFAA86E358465BB0880D453 -- C:\WINDOWS\system32\wuauclt.exe
    < End of report >
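As an added example (not part of this thread and not OTL's own code): a small parser for the `< MD5 for: ... >` blocks in the log above that groups each listed file's copies (system32, dllcache, ERDNT cache) and flags any file whose copies do not all share one hash, which is what a helper reads that custom scan for. The `SVCHOST.EXE` section in the sample is constructed, with placeholder hashes, to show the mismatch case.

```python
import re
from collections import defaultdict

# One OTL MD5 listing line, e.g.
# [2008/04/14 07:00:00 | 000,062,464 | ---- | M] (Microsoft Corporation) MD5=... -- C:\WINDOWS\system32\cryptsvc.dll
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)
SECTION_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>[^>]+?)\s*>$")

# Constructed sample: the CRYPTSVC.DLL block is as OTL prints it; the
# SVCHOST.EXE block uses placeholder hashes (all A / all B) to fake a
# system32 copy that differs from the protected dllcache copy.
SAMPLE_LOG = r"""
< MD5 for: CRYPTSVC.DLL >
[2008/04/14 07:00:00 | 000,062,464 | ---- | M] (Microsoft Corporation) MD5=3D4E199942E29207970E04315D02AD3B -- C:\WINDOWS\ERDNT\cache\cryptsvc.dll
[2008/04/14 07:00:00 | 000,062,464 | ---- | M] (Microsoft Corporation) MD5=3D4E199942E29207970E04315D02AD3B -- C:\WINDOWS\system32\cryptsvc.dll
[2008/04/14 07:00:00 | 000,062,464 | ---- | M] (Microsoft Corporation) MD5=3D4E199942E29207970E04315D02AD3B -- C:\WINDOWS\system32\dllcache\cryptsvc.dll

< MD5 for: SVCHOST.EXE >
[2008/04/14 07:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\WINDOWS\system32\dllcache\svchost.exe
[2012/10/20 03:11:09 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB -- C:\WINDOWS\system32\svchost.exe
< End of report >
"""

def parse_md5_sections(text):
    """Group OTL MD5 listing lines under their '< MD5 for: NAME >' header."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").upper()
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            sections[current].append({
                "md5": m.group("md5").upper(),
                "size": int(m.group("size").replace(",", "")),
                "company": m.group("company"),
                "path": m.group("path"),
            })
    return dict(sections)

def find_inconsistent(sections):
    """Return {NAME: {md5: [paths]}} for files whose copies disagree; a
    system32 copy that differs from dllcache/ERDNT is the classic sign of
    a patched or replaced system file and warrants a closer look."""
    out = {}
    for name, entries in sections.items():
        by_hash = defaultdict(list)
        for e in entries:
            by_hash[e["md5"]].append(e["path"])
        if len(by_hash) > 1:
            out[name] = dict(by_hash)
    return out

if __name__ == "__main__":
    for name, variants in find_inconsistent(parse_md5_sections(SAMPLE_LOG)).items():
        print(f"{name}: {len(variants)} distinct hashes -> {variants}")
```

Run it against a pasted OTL log instead of `SAMPLE_LOG` to get the same report for a real scan.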
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Download Windows Repair (all in one) from this site

    Install the program then run it.

    Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

    Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

    Go to Step 4 and under "System Restore" click on Create button:

    Go to Start Repairs tab and click Start button.

    Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

    Click on box next to the Restart System when Finished. Then click on Start.

    Once done, let me know if the speed has boosted.
  17. Elvira1

    Elvira1 Newcomer, in training Topic Starter Posts: 34

    It's faster, but still very, very slow to start up, load my settings, and browse. I do see improvements though. My audio still sounds somewhat garbled and choppy and should be a lot faster.

    I appreciate your help and sticking with me all this time.
  18. Elvira1

    Elvira1 Newcomer, in training Topic Starter Posts: 34

    I found this file: Z@R4B.tmp, which appears to be a backdoor trojan dropper, in the following location:

    C:\Documents and Settings\(user name)\Local Settings\temp

    The file is hidden and goes undetected by Avast and MalwareBytes Pro.
  19. Elvira1

    Elvira1 Newcomer, in training Topic Starter Posts: 34

    Svchost.exe file shows up 8 times constantly in task manager.
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    CCleaner Temporary Files Cleaning

    NOTE: If you already have this installed, you don't have to reinstall it.

    Please download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    • Double-click the CCleaner shortcut on the desktop to start the program.
    • A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
    • On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
    • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.


    Hitman Pro

    Please download Hitman Pro
    • After the download completes please double click the program to run it.
    • Accept the terms of the license agreement and click Next
    • Let the scan run. It will not take long
    • When the scan finishes, and all the files have been uploaded to the Scan Cloud, click Next
    • Click Next again. At the bottom left you will see Export Scan Results To XML File. Click that and save it in a convenient location
    • Upload log.xml here for review please
  21. Elvira1

    Elvira1 Newcomer, in training Topic Starter Posts: 34

    Here's my Hitman Pro log. I left off the self-identifying part at the beginning because I forgot to save the file as xml and could not upload it as txt:

    Scan date . . . . . . : 2012-10-27 18:27:45
    Scan mode . . . . . . : Normal
    Scan duration . . . . : 34m 23s
    Disk access mode . . : Direct disk access (SRB)
    Cloud . . . . . . . . : Internet
    Reboot . . . . . . . : No
    Threats . . . . . . . : 0
    Traces . . . . . . . : 6
    Objects scanned . . . : 714,923
    Files scanned . . . . : 22,664
    Remnants scanned . . : 158,913 files / 533,346 keys
    Cookies _____________________________________________________________________
    C:\Documents and Settings\leahjewel\Cookies\03DN0UZ6.txt
    C:\Documents and Settings\leahjewel\Cookies\8T5NIUTW.txt
    C:\Documents and Settings\leahjewel\Cookies\DFGGLKO0.txt
    C:\Documents and Settings\leahjewel\Cookies\EWXELNS3.txt
    C:\Documents and Settings\leahjewel\Cookies\T6IME2GD.txt
    C:\Documents and Settings\leahjewel\Cookies\VP9JBAAD.txt

  22. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay, next rundown of problems...
  23. Elvira1

    Elvira1 Newcomer, in training Topic Starter Posts: 34

    Uh oh. I'm in trouble again. I found the following on my system via Malwarebytes Pro: Hijack.Comsysapp . What to do? What to do?

    Attached Files:

  24. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49


