Malware causing havoc

Discussion in 'Virus and Malware Removal' started by harveydf, Aug 11, 2011.

  1. Broni Malware Annihilator Posts: 40,044   +187

    Gremlins?...LOL

    You're very welcome

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce any log.
  2. harveydf Newcomer, in training Posts: 69

    Good news was short lived. The sick computer started to auto-scroll the page until it locked at the bottom of the page. I changed tabs in Firefox and that page locked up as well. I closed Firefox and opened Explorer, and after loading the home page, it would not go to another link. I retried and it did go to another link, but after getting there it auto-scrolled up and down the page and would not respond anymore. I closed Explorer and I'm on my other machine writing you now.
    Should I download the first two programs, put them on a flash drive, then run them on the sick machine? Should I stay in normal mode or reboot to safe mode to run the programs?
  3. Broni Malware Annihilator Posts: 40,044   +187

    Not yet.

    Go Start>Run (Start Search in Vista), type in:
    msconfig
    Click OK (hit Enter in Vista).

    Click on Startup tab.
    Click Disable all
    IMPORTANT! In the case of a laptop, make sure you do NOT disable any keyboard or touchpad entries.

    Click Services tab.
    Put checkmark in Hide all Microsoft services
    Click Disable all.

    Click OK.
    Restart computer in Normal Mode.

    NOTE. If you use a firewall other than Windows Firewall, turn Windows Firewall on, just for this test, since your regular firewall won't be running.
    If you use Windows firewall, you're fine.

    Same problem?
  4. harveydf Newcomer, in training Posts: 69

    I cannot type anything into Start > Run. Every time I type a character the menu flickers and nothing is there?
  5. Broni Malware Annihilator Posts: 40,044   +187

    Restart in safe mode and see if you can do it from there.
  6. harveydf Newcomer, in training Posts: 69

    I restarted in safe mode. I followed all instructions and rebooted to normal mode. I downloaded the two programs to the desktop. Then, as I was going to run the first program, Firefox started auto-scrolling. I closed Firefox and started the first program; upon completion it would not allow me to save the file. The file name was blank and I could not type anything in the box for the name. Should I run the programs in safe mode?
  7. Broni Malware Annihilator Posts: 40,044   +187

    Go ahead, but then you'll need normal mode for Eset scan.
  8. harveydf Newcomer, in training Posts: 69

    I ran both programs in safe mode. Here is the log.

    MiniToolBox by Farbar
    Ran by Harveydf (administrator) on 12-08-2011 at 11:59:32
    Windows Vista (TM) Home Premium Service Pack 2 (X86)

    ***************************************************************************

    ========================= IE Proxy Settings: ==============================

    Proxy is not enabled.
    No Proxy Server is set.

    ========================= FF Proxy Settings: ==============================

    ========================= Hosts content: =================================

    127.0.0.1 localhost

    ========================= IP Configuration: ================================

    # ----------------------------------
    # IPv4 Configuration
    # ----------------------------------
    pushd interface ipv4

    reset
    set global


    popd
    # End of IPv4 configuration



    Windows IP Configuration

    Host Name . . . . . . . . . . . . : Harveydf-PC
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : gateway.2wire.net

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : gateway.2wire.net
    Description . . . . . . . . . . . : NVIDIA nForce 10/100 Mbps Ethernet
    Physical Address. . . . . . . . . : 00-1E-90-66-FE-E3
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::dd1b:ac8c:8e89:88d8%8(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.1.64(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Friday, August 12, 2011 11:45:52 AM
    Lease Expires . . . . . . . . . . : Saturday, August 13, 2011 11:45:52 AM
    Default Gateway . . . . . . . . . : 192.168.1.254
    DHCP Server . . . . . . . . . . . : 192.168.1.254
    DHCPv6 IAID . . . . . . . . . . . : 201334416
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0E-D9-20-8F-00-1E-90-64-0C-48
    DNS Servers . . . . . . . . . . . : 192.168.1.254
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 6:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 02-00-54-55-4E-01
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:3c57:3229:3f57:febf(Preferred)
    Link-local IPv6 Address . . . . . : fe80::3c57:3229:3f57:febf%9(Preferred)
    Default Gateway . . . . . . . . . : ::
    NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter Local Area Connection* 7:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . : gateway.2wire.net
    Description . . . . . . . . . . . : isatap.gateway.2wire.net
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Server: home
    Address: 192.168.1.254

    DNS request timed out.
    timeout was 2 seconds.


    Pinging google.com [74.125.224.147] with 32 bytes of data:

    Reply from 74.125.224.147: bytes=32 time=28ms TTL=53

    Reply from 74.125.224.147: bytes=32 time=26ms TTL=53



    Ping statistics for 74.125.224.147:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 26ms, Maximum = 28ms, Average = 27ms

    Server: home
    Address: 192.168.1.254

    Name: yahoo.com
    Addresses: 69.147.125.65
    72.30.2.43
    98.137.149.56
    209.191.122.70
    67.195.160.76



    Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

    Reply from 209.191.122.70: bytes=32 time=69ms TTL=54

    Reply from 209.191.122.70: bytes=32 time=73ms TTL=54



    Ping statistics for 209.191.122.70:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 69ms, Maximum = 73ms, Average = 71ms



    Pinging 127.0.0.1 with 32 bytes of data:

    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



    Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    ===========================================================================
    Interface List
    8 ...00 1e 90 66 fe e3 ...... NVIDIA nForce 10/100 Mbps Ethernet
    1 ........................... Software Loopback Interface 1
    9 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
    13 ...00 00 00 00 00 00 00 e0 isatap.gateway.2wire.net
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.64 20
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    192.168.1.0 255.255.255.0 On-link 192.168.1.64 276
    192.168.1.64 255.255.255.255 On-link 192.168.1.64 276
    192.168.1.255 255.255.255.255 On-link 192.168.1.64 276
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
    224.0.0.0 240.0.0.0 On-link 192.168.1.64 276
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    255.255.255.255 255.255.255.255 On-link 192.168.1.64 276
    ===========================================================================
    Persistent Routes:
    None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
    If Metric Network Destination Gateway
    9 18 ::/0 On-link
    1 306 ::1/128 On-link
    9 18 2001::/32 On-link
    9 266 2001:0:4137:9e76:3c57:3229:3f57:febf/128
    On-link
    8 276 fe80::/64 On-link
    9 266 fe80::/64 On-link
    9 266 fe80::3c57:3229:3f57:febf/128
    On-link
    8 276 fe80::dd1b:ac8c:8e89:88d8/128
    On-link
    1 306 ff00::/8 On-link
    9 266 ff00::/8 On-link
    8 276 ff00::/8 On-link
    ===========================================================================
    Persistent Routes:
    None

    ========================= Event log errors: ===============================

    Application errors:
    ==================
    Error: (08/12/2011 03:22:38 AM) (Source: EventSystem) (User: )
    Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

    Error: (08/11/2011 04:36:55 PM) (Source: Perflib) (User: )
    Description: EmdCacheC:\Windows\system32\emdmgmt.dll4

    Error: (08/11/2011 00:11:28 AM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
    Description: MCSCAN32 Engine Initialisation failed.
    Engine returned error : 3

    Error: (08/10/2011 11:54:04 PM) (Source: LoadPerf) (User: )
    Description: 864416

    Error: (08/10/2011 11:54:01 PM) (Source: LoadPerf) (User: )
    Description: WmiApRplWmiApRpl8

    Error: (08/10/2011 11:54:01 PM) (Source: LoadPerf) (User: )
    Description: 864416

    Error: (08/10/2011 11:46:52 PM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
    Description: MCSCAN32 Engine Initialisation failed.
    Engine returned error : 3

    Error: (08/10/2011 11:42:59 PM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
    Description: MCSCAN32 Engine Initialisation failed.
    Engine returned error : 3

    Error: (08/10/2011 09:09:41 PM) (Source: Windows Search Service) (User: )
    Description: The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE SECURITYCENTER.LNK> in the hash map cannot be updated.

    Context: Application, SystemIndex Catalog

    Details:
    A device attached to the system is not functioning. (0x8007001f)

    Error: (08/10/2011 09:09:41 PM) (Source: Windows Search Service) (User: )
    Description: The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\MCAFEE SECURITYCENTER.LNK> in the hash map cannot be updated.

    Context: Application, SystemIndex Catalog

    Details:
    A device attached to the system is not functioning. (0x8007001f)


    System errors:
    =============
    Error: (08/12/2011 11:56:52 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
    Description: 0x80070020Security Update for Windows Vista (KB2563894){90251517-2EF3-4FF2-AA8F-7B463B3D4BD9}102

    Error: (08/12/2011 11:56:52 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
    Description: 0x80070020Security Update for Windows Vista (KB2556532){E01D3C24-0F19-4483-B664-E6387654A2FA}102

    Error: (08/12/2011 11:56:52 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
    Description: 0x80070020Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Vista SP2 and Windows Server 2008 SP2 x86 (KB2539633){D25A3C25-89A8-4701-8E07-B4AC308473D3}102

    Error: (08/12/2011 11:49:07 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
    Description: 0x80070020Security Update for Windows Vista (KB2507938){F5B61030-0598-4938-894B-48DAF6E482C3}104

    Error: (08/12/2011 11:49:07 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
    Description: 0x80070020Update for Windows Vista (KB2563227){FA0D4E30-DC73-41BB-95D5-B3A4DAF7A95F}100

    Error: (08/12/2011 11:49:07 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
    Description: 0x80070020Update for Windows Vista (KB2533623){378A8A33-B781-4F63-82ED-23C51EEDCACF}102

    Error: (08/12/2011 11:49:07 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
    Description: 0x80070020Update for Windows Mail Junk E-mail Filter [August 2011] (KB905866){5B014E51-A72C-4153-8348-8E20FCE03EA5}100

    Error: (08/12/2011 11:49:07 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
    Description: 0x80070020Cumulative Security Update for Internet Explorer 9 for Windows Vista (KB2559049){E56F8457-94E9-4FC2-8DFF-0615405C4C39}101

    Error: (08/12/2011 11:49:07 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
    Description: 0x80070020Security Update for Windows Vista (KB2555917){3697DEB7-4AF1-4A4A-A16B-5FED1A2FB9D8}102

    Error: (08/12/2011 11:49:07 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
    Description: 0x80070020Update Rollup for ActiveX Killbits for Windows Vista (KB2562937){A72EBFCA-5B2C-4A8E-8967-234068079733}103


    Microsoft Office Sessions:
    =========================
    Error: (06/29/2011 03:15:39 AM) (Source: Microsoft Office 12 Sessions)(User: )
    Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 207868 seconds with 2700 seconds of active time. This session ended with a crash.


    ========================= Memory info: ===================================

    Percentage of memory in use: 32%
    Total physical RAM: 3325.57 MB
    Available physical RAM: 2229.49 MB
    Total Pagefile: 7849.06 MB
    Available Pagefile: 6611.16 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1972.96 MB

    ========================= Partitions: =====================================

    1 Drive c: () (Fixed) (Total:324.26 GB) (Free:244.31 GB) NTFS
    2 Drive d: (RECOVERY) (Fixed) (Total:11.03 GB) (Free:4.5 GB) NTFS
    9 Drive k: (CRUZER) (Removable) (Total:7.5 GB) (Free:7.5 GB) FAT32

    ========================= Users: ========================================

    User accounts for \\HARVEYDF-PC

    Administrator Guest Harveydf

    Even after disabling services and startup items per your instructions, I cannot connect with my browsers. Explorer doesn't work either, so I can't run the ESET scanner.
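The MiniToolBox log above is what a helper reads first, and the parts that matter to a responder are the McAfee engine failing to initialise and the security updates that failed with 0x80070020. As an added example (not part of the thread, and not code from MiniToolBox or the forum), the Python below parses that "Event log errors" layout into records and pulls those two findings out; the sample log is a constructed, shortened excerpt of the entries posted.

```python
import re

# Constructed excerpt in the layout MiniToolBox uses for its "Event log errors"
# section, built from entries quoted in the thread (shortened, not the full log).
SAMPLE_LOG = """\
Application errors:
==================
Error: (08/11/2011 00:11:28 AM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
Description: MCSCAN32 Engine Initialisation failed.
Engine returned error : 3

Error: (08/10/2011 11:46:52 PM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
Description: MCSCAN32 Engine Initialisation failed.
Engine returned error : 3

System errors:
=============
Error: (08/12/2011 11:56:52 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
Description: 0x80070020Security Update for Windows Vista (KB2563894){90251517-2EF3-4FF2-AA8F-7B463B3D4BD9}102

Error: (08/12/2011 11:49:07 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
Description: 0x80070020Security Update for Windows Vista (KB2507938){F5B61030-0598-4938-894B-48DAF6E482C3}104
"""

ERROR_RE = re.compile(r"^Error: \((?P<when>[^)]*)\) \(Source: (?P<source>[^)]*)\)")
KB_RE = re.compile(r"\(KB(\d+)\)")
HRESULT_RE = re.compile(r"^(0x[0-9A-Fa-f]{8})")  # WU glues the HRESULT onto the title


def parse_event_errors(text):
    """Split the event-log section into one record per 'Error:' block."""
    entries, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Application errors:", "System errors:"):
            section, current = line[:-1], None
        elif ERROR_RE.match(line):
            m = ERROR_RE.match(line)
            current = {"section": section, "when": m.group("when"),
                       "source": m.group("source"), "description": ""}
            entries.append(current)
        elif not line:
            current = None          # a blank line ends the description
        elif current is not None and not line.startswith("="):
            part = line[len("Description: "):] if line.startswith("Description: ") else line
            current["description"] = (current["description"] + " " + part).strip()
    return entries


def security_findings(entries):
    """Flag the AV engine failing to start and security updates that never installed."""
    av_failures = [e for e in entries if e["source"] == "McLogEvent"
                   and "Initialisation failed" in e["description"]]
    failed_kbs, hresults = set(), {}
    for e in entries:
        if e["source"] != "Microsoft-Windows-WindowsUpdateClient":
            continue
        h = HRESULT_RE.match(e["description"])
        if h:   # 0x80070020 is ERROR_SHARING_VIOLATION: another process held the file
            hresults[h.group(1).lower()] = hresults.get(h.group(1).lower(), 0) + 1
        failed_kbs.update("KB" + n for n in KB_RE.findall(e["description"]))
    return {"av_engine_failures": len(av_failures),
            "failed_updates": sorted(failed_kbs), "update_hresults": hresults}
```

Run `security_findings(parse_event_errors(open("log.txt").read()))` on a full MiniToolBox log to get the same summary for a real machine.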
  9. harveydf Newcomer, in training Posts: 69

    I'm sorry, that was the wrong log.

    Results of screen317's Security Check version 0.99.7
    Windows Vista Service Pack 2 (UAC is enabled)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Security Center service is not running! This report may not be accurate!
    McAfee SecurityCenter
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    HijackThis 2.0.2
    Java(TM) 6 Update 26
    Java(TM) SE Runtime Environment 6 Update 1
    Out of date Java installed!
    Adobe Flash Player 10.3.181.34
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ``````````End of Log````````````
  10. Broni Malware Annihilator Posts: 40,044   +187

    Uninstall Java(TM) SE Runtime Environment 6 Update 1

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), then download and install Foxit PDF Reader (3.5 MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.
  11. harveydf Newcomer, in training Posts: 69

    I was in normal mode and went to Add/Remove Programs and it quit responding. So I booted into safe mode. I'll uninstall Java from there. Do I even need Adobe Reader when I have the Adobe CS4 Suite installed?
  12. harveydf Newcomer, in training Posts: 69

    From safe mode, the message "Windows Installer service could not be accessed"?
  13. Broni Malware Annihilator Posts: 40,044   +187

    See if you can run Eset scan.
  14. harveydf Newcomer, in training Posts: 69

    I don't have internet in safe mode, but I will reboot into normal mode and give it a try. I have not had a working connection there for some time, but I will try. I will have to search for the link first, because I have not been able to access our forum on the sick machine for quite a while now. By the way, congrats on the thread with funkduck; I saw that you and he solved his problems. It gives me hope.
  15. Broni Malware Annihilator Posts: 40,044   +187

    The problem with you is that I'm not even sure if this is about an infection.

    If you're unable to run ESET, download this tool on the good computer and move it to the bad computer.

    Please click HERE to download Kaspersky Virus Removal Tool.

    • Double click on the file you just downloaded and let it install.
    • It will install to your desktop (be patient; it may take a while).
    • Accept license agreement and click "Start" button.
    • Click on the Settings button
      • In Scan scope leave the pre-checked items as they are and also checkmark My Computer
      • In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
    • Click on Automatic Scan tab and then click on Start scanning button.
    • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
    • When the scan is done NO log will be produced.
    • Click on the Report button, then on the Automatic Scan report tab.
    • Right click anywhere within right pane, click Select All then right click again and click Copy.
    • This will copy the items that it found to the clipboard; you can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
    • You can save this on the desktop.
    • Post the contents of the document in your next reply.
  16. harveydf Newcomer, in training Posts: 69

    I don't understand, if it is not a virus what else could this be? I am downloading Kaspersky on the good machine now. I'll run it as soon as it finishes.
  17. Broni Malware Annihilator Posts: 40,044   +187

    Let's see what we'll get there.
  18. harveydf Newcomer, in training Posts: 69

    I ran Kaspersky and copied the report and tried to send it on my good machine. It won't connect to our site. I believe the other machine is now infected.
  19. Broni Malware Annihilator Posts: 40,044   +187

  20. harveydf Newcomer, in training Posts: 69

    Hi Broni

    Things are not good. The second machine is infected, and there was a third machine on the network and it too has symptoms. Before Kaspersky died it gave me some clues. When Kaspersky finished running on machine 1, I opened the log of the quick scan and copied and pasted it to Notepad. I should have realized something was up because the pasted selection was being erased from the bottom up as I pasted the text. When I closed Kaspersky it erased the log. But I saw the log: first it archived Kaspersky as a rar.exe file in one line and password protected it in the next. It packed sys 32 wlanapi.dll and moved it to a folder called pe_patch_stolen. It packed 21 .sys files and moved them to a sys1132 folder. It renamed ComboFix and packed it to a directory called UPX, where it archived 21 files and zipped 2 others. It packed and archived HijackThis.exe and sifxinst. It renamed aswmbr.exe and moved it to a folder upx.
    On the second computer there was more damage.
    There is a rar program on the root of the C drive and it has an X through the uninstall icon. This explains how I could boot in normal mode but not have much functionality.
    If you've been holding back the big guns, I think we need them now.