TechSpot

Redirects and random audio

Resolved
By mitchamwillow
Jun 13, 2010
  1. Help! I have followed the 8 steps as closely as I can. Attached are the log files. I have tried multiple times to run GMER but it takes more than 4 hours and ends up crashing windows. When I first open up some output is shown so I have included the log from that but it doesn't work when I click scan (as above) and have even tried declicking devices. Mostly I get redirected to a site www.news-11-today.com and I did have some random audio playing without any application running. While following the 8 steps I did get some cleanup with Malware but the redirects continue and I haven't been on long enough to know about the audio (it only happened once). I run McAfee security normally and do reasonably frequent malwarebytes and spybotS&D scans. Looking for advice please,
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The GMER log that you left shows a Rootkit.

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    If you have only had one incident of random audio, it would be difficult to pin that down. So you can see if it recurs as we go.

    Please don't run any other cleaning programs or scans while I'm helping you unless I direct you to. Don't run a Registry cleaner or make any changes in the Registry.

    I'll finish checking the logs and will have some script for ou to run after Combofix.

    EDIT: Some FYIs for you:
    1. You need to be thinking seriously of removing whatever you're not using. And that includes the junk that Dell preloads- most of us don't use it. Your hard drive is almost used up: 107 GiB total, 8.008 GiB free.

    2. Please uninstall all Java versions except v6u20. The old versions are vulnerabilities. I see:
    1_5_0_06, 1_5_0_09, 1_5_0_10, 1_5_0_11, 1.6.0, 1_6_0_01, 1_6_0_02, 1_6_0_03, 1_6_0_07
    Some of these are in the add-ons.

    3. You have Norton Security Scan running. You might need to use the Norton Removal Tool

    4. Unknown entries:
    There are 2 entries of Application data in a file for 'Dad': Do any of these words mean anything to you? I can't ID any of them.
    [erudovey] c:\documents and settings\dad\local settings\application data\ljkrtpwrk\pcraprbtssd.exe
    [qavpdyfr] c:\documents and settings\dad\local settings\application data\wusiilqsf\ojcbrsjtssd.exe

    There is also an entry in the network service that I can't ID:
    [sdnebhan] c:\documents and settings\networkservice\local settings\application data\hlagaifrk\bxoyveitssd.exe

    These are most likely malware but since this is a global board, I ask.
     
  3. mitchamwillow

    mitchamwillow TS Rookie Topic Starter

    ComboFix download

    I have managed to download combofix by disabling mcafee. However whenever I run it it works for a while, starts, creates the restart point and then starts the scanning saying that it may take 10 minutes or more. 1-2 minutes later I then get the dreaded windows blue screen with a message saying bad_pool_caller. I have tried multipe times making sure everything I can see is disabled in mcafee, making sure no other applications are running and I even tried running it in safe mode (it didn't work) but I still get teh same blue screen. I really don't know where to go next.
     
  4. mitchamwillow

    mitchamwillow TS Rookie Topic Starter

    FYIs

    Re FYIs
    1. I am in the process of cleaning up hard drive but didn't want to do anything until this was fixed.

    2. Do I do this in add/remove programs?

    3. I am not running norton virus protection (only McAfee) which makes me think the GMER log is not from my machine given the problems I had running it.

    4. Those entries mean nothing to me
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, just wanted to get those points over to you. If you start getting error trying to download the cleaning programs, then you might need to do some uninstalls. And uninstalls are best done first, within the program itself if it has an uninstaller or second, in Add/Remove Programs. Go ahead and uninstall the old Java versions because they are vulnerabilities.

    I know you aren't intentionally running Norton. But many people have Norton re-loaded and don't use it. It still has to be uninstalled. If you find Norton on Add/Remove, uninstall it. If not, use the Removal Tool.

    Reboot the computer

    I suspected the app data was malware- I'll have you remove it with script after you run Combofix.

    As mentioned in the Combofix directions, any activity for the mouse can cause a problem such as the 'bad pool caller.' So let's start that over:

    Reboot the computer
    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]

    Reboot the computer

    Then do a new install of Combofix. When you have started the scan, take care not to move the mouse. See if that will allow it to run through.
     
  6. mitchamwillow

    mitchamwillow TS Rookie Topic Starter

    combofix problems

    Thanks - I uninstalled it correctly and rebooted then downloaded and installed again. I ran it and made sure the mouse didn't move at all. Unfortunately it still gave the same results with the blue screen and bad_pool_caller.

    I did some cleaning up last night and managed to get around 17.5 GB of free space back on the hard drive. Norton did not show up on the add/remove and you mentioned using the removal tool - what is the removal tool?

    I see we are going to be crossing over time zones - thank for your ongoing help.
     
  7. mitchamwillow

    mitchamwillow TS Rookie Topic Starter

    OK I opened my eyes and found norton and removed it. I then uninstalled combofix again and reinstalled it. Ran it with everything else turned off and no mouse movements but still get the bad_pool_caller. Not sure what to do now.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Run the and see if a cause can be found:

    Please download VEW and save it to your Desktop:

    Setting up the program

    Double-click VEW.exe to run.

    • Select log to query, select
    • Application
    • System

      Under Select type to list, select:
    • Critical (Vista only)
    • Error

      Click the radio button for Number of events
    • Type 20 in the 1 to 20 box
    • Then click the Run button.
    • Notepad will open with the output log.

      Load the log
    • In Notepad, click Edit> Select all
    • Then press Edit > Copy
    • Press Ctrl+V on your keyboard to paste the log to your next reply.

    (Courtesy rev-Olie)
     
  9. mitchamwillow

    mitchamwillow TS Rookie Topic Starter

    won't let me post replies

    "had trouble posting and attaching so had to paste a little bit at a time - here is the log"

    Vino's Event Viewer v01c run on Windows XP in English
    Report run at 16/06/2010 21:06:31

    Note: All dates below are in the format dd/mm/yyyy

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'Application' Date/Time: 16/06/2010 13:52:35
    Type: error Category: 0
    Event: 20 Source: Google Update
    The event description cannot be found.

    "Lots more repeats of this then"

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 16/06/2010 21:01:46
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The Wireless Zero Configuration service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    Log: 'System' Date/Time: 16/06/2010 21:01:46
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the Wireless Zero Configuration service to connect.

    Log: 'System' Date/Time: 16/06/2010 21:01:46
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The DHCP Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    Log: 'System' Date/Time: 16/06/2010 21:01:46
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the DHCP Client service to connect.

    Log: 'System' Date/Time: 16/06/2010 21:01:46
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    Log: 'System' Date/Time: 16/06/2010 21:01:46
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the Themes service to connect.

    Log: 'System' Date/Time: 16/06/2010 21:00:19
    Type: error Category: 0
    Event: 49 Source: Ftdisk
    Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

    Log: 'System' Date/Time: 16/06/2010 21:00:19
    Type: error Category: 0
    Event: 45 Source: Ftdisk
    The system could not sucessfully load the crash dump driver.

    Log: 'System' Date/Time: 16/06/2010 20:13:53
    Type: error Category: 0
    Event: 7034 Source: Service Control Manager
    The Process Monitor service terminated unexpectedly. It has done this 1 time(s).

    Log: 'System' Date/Time: 16/06/2010 17:34:50
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The McAfee SystemGuards service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    Log: 'System' Date/Time: 16/06/2010 17:34:50
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the McAfee SystemGuards service to connect.


    Log: 'System' Date/Time: 16/06/2010 17:32:23
    Type: error Category: 0
    Event: 49 Source: Ftdisk
    Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

    Log: 'System' Date/Time: 16/06/2010 17:32:23
    Type: error Category: 0
    Event: 45 Source: Ftdisk
    The system could not sucessfully load the crash dump driver.

    Log: 'System' Date/Time: 16/06/2010 13:54:17
    Type: error Category: 0
    Event: 7001 Source: Service Control Manager
    The Canon Camera Access Library 8 service depends on the Windows Image Acquisition (WIA) service which failed to start because of the following error: After starting, the service hung in a start-pending state.

    Log: 'System' Date/Time: 16/06/2010 13:54:17
    Type: error Category: 0
    Event: 7022 Source: Service Control Manager
    The Windows Image Acquisition (WIA) service hung on starting.

    Log: 'System' Date/Time: 16/06/2010 13:52:56
    Type: error Category: 0
    Event: 7001 Source: Service Control Manager
    The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.

    Log: 'System' Date/Time: 16/06/2010 13:52:56
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The Help and Support service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    Log: 'System' Date/Time: 16/06/2010 13:52:56
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the Help and Support service to connect.

    Log: 'System' Date/Time: 16/06/2010 13:52:56
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The COM+ Event System service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    Log: 'System' Date/Time: 16/06/2010 13:52:56
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the COM+ Event System service to connect.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The most consistent thing in these errors points to a connection problem:

    The service did not respond to the start or control request in a timely fashion.
    Timeout (30000 milliseconds) waiting for the COM+ Event System service to connect.


    Follow this for the causes and resolution for the fDisc Errors #49 and #45:
    http://support.microsoft.com/kb/226448

    The system is trying to debug but literally has no place to out the files!
     
  11. mitchamwillow

    mitchamwillow TS Rookie Topic Starter

    I followed the fix which recommended that the virtual memory be set at 1.5 times the physical memory, The machine has 1024 kB of memory and the virtual memory was already set at 1500 kB. I increased that to 3048 kB (the maximum it would let me) and re ran combofix - same problem. I reran VEW to get the new log as below

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 18/06/2010 22:43:15
    Type: error Category: 0
    Event: 7001 Source: Service Control Manager
    The Canon Camera Access Library 8 service depends on the Windows Image Acquisition (WIA) service which failed to start because of the following error: After starting, the service hung in a start-pending state.

    Log: 'System' Date/Time: 18/06/2010 22:43:15
    Type: error Category: 0
    Event: 7022 Source: Service Control Manager
    The Windows Image Acquisition (WIA) service hung on starting.

    Log: 'System' Date/Time: 18/06/2010 22:41:45
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The Task Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    Log: 'System' Date/Time: 18/06/2010 22:41:45
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the Task Scheduler service to connect.

    Log: 'System' Date/Time: 18/06/2010 22:41:45
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the Shell Hardware Detection service to connect.

    Log: 'System' Date/Time: 18/06/2010 22:41:45
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The Wireless Zero Configuration service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    Log: 'System' Date/Time: 18/06/2010 22:41:45
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the Wireless Zero Configuration service to connect.

    Log: 'System' Date/Time: 18/06/2010 22:41:45
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The DHCP Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    Log: 'System' Date/Time: 18/06/2010 22:41:45
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the DHCP Client service to connect.

    Log: 'System' Date/Time: 18/06/2010 22:41:45
    Type: error Category: 0
    Event: 7000 Source: Service Control Manager
    The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    Log: 'System' Date/Time: 18/06/2010 22:41:45
    Type: error Category: 0
    Event: 7009 Source: Service Control Manager
    Timeout (30000 milliseconds) waiting for the Themes service to connect.

    Log: 'System' Date/Time: 18/06/2010 22:41:31
    Type: error Category: 0
    Event: 49 Source: Ftdisk
    Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

    Log: 'System' Date/Time: 18/06/2010 22:41:31
    Type: error Category: 0
    Event: 45 Source: Ftdisk
    The system could not sucessfully load the crash dump driver.

    Log: 'System' Date/Time: 18/06/2010 22:36:22
    Type: error Category: 0
    Event: 7034 Source: Service Control Manager
    The Process Monitor service terminated unexpectedly. It has done this 1 time(s).

    Log: 'System' Date/Time: 18/06/2010 22:34:54
    Type: error Category: 0
    Event: 7034 Source: Service Control Manager
    The iPod Service service terminated unexpectedly. It has done this 1 time(s).

    Log: 'System' Date/Time: 18/06/2010 22:31:33
    Type: error Category: 0
    Event: 49 Source: Ftdisk
    Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

    Log: 'System' Date/Time: 18/06/2010 22:31:33
    Type: error Category: 0
    Event: 45 Source: Ftdisk
    The system could not sucessfully load the crash dump driver.

    Log: 'System' Date/Time: 18/06/2010 22:23:20
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 18/06/2010 22:21:26
    Type: error Category: 0
    Event: 7001 Source: Service Control Manager
    The Canon Camera Access Library 8 service depends on the Windows Image Acquisition (WIA) service which failed to start because of the following error: After starting, the service hung in a start-pending state.

    Log: 'System' Date/Time: 18/06/2010 22:21:26
    Type: error Category: 0
    Event: 7022 Source: Service Control Manager
    The Windows Image Acquisition (WIA) service hung on starting.
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    It's still showing basically the same problem> failure to connect within the time allowed. If you have a router, it might have gone bad-or-it might need to be rebooted:

    To 'Power Cycle' the router: Shut the computer down
    Disconnect the power from both the router and modem. Wait about 20 seconds, then reconnect both. Boot the computer and see if the connection gets established.

    If it does, you should be okay on that problem. If it does not, please contact the ISP and report the connection problem. Ask if they have reported problems.
    ============================================
    For the hanging application errors:
    Date/Time: 18/06/2010 22:21:26
    Event: 7001 Source: Service Control Manager
    The Canon Camera Access Library 8 service depends on the Windows Image Acquisition (WIA) service which failed to start because of the following error: After starting, the service hung in a start-pending state:
    This process is on the Startup menu and the Service is set to Automatic. In order to start, it requires the WIA Service to be running. This Service is either Disabled or possibly set to Manual Startup.

    Fix these as instructed below:
    Click on Start> Run> type in services.msc> double click on each of the following and set as directed:
    Service Name: CCALib8
    Service Display Name: Canon Camera Access Library 8
    Change startup type to Manual> Stop the Service
    When this process is running, you will see the entry CALMAN.exe in the Task Manager.
    This is Installed as part of the Canon digital camera software. IF you need it to run as soon as you start the computer, set the Startup type to Automatic. (Not recommended.)
    then
    Adjust the following Service accordingly:
    WIA:
    Provides image acquisition services for scanners and cameras.
    Service Name (registry): stisvc
    Display Name: Windows Image Acquisition (WIA)
    If the Canon Service remains on startup and the Service is set to Automatic Startup type, then WIA will also have to be set to Automatic Startup.If Canon is on Manual, WIA can also be on Manual

    This error continues:
    Event: 49 Source: Ftdisk
    Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    My recommendation for these files:
    .dmp - Dump file. When Windows (or an application) experiences a crash, a memory dump is performed. If you don't use these files (for trouble shooting), delete them, you can save quite a bit of space!
     
  13. mitchamwillow

    mitchamwillow TS Rookie Topic Starter

    Please close this thread

    I eventually gave up on this because I couldn't get combofix to run. I finally took the computer to a local business servicing pcs who advised I had some physical defects on teh hard drive that were causing a lot of the performance problems., They removed the html virus for me and are putting in a new bigger hard drive. Thanks for your help - sorry I couldn't get it to work.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome. Thank you for the update. Once you get the system back, consider adding some or all of the following:


    Please follow these simple steps to keep your computer clean and secure:


    Stay current on updates:
    • Visit the Microsoft Download Sitefrequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site .Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    Make Internet Explorer safer. Follow the suggestions HERE This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

    Do regular Maintenance
    • Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
    • Disable and Enable System Restore:
      [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.

    Have layered Security:
    • Antivirus Software(only one): Both of the following programs are free and known to be good:
      [o]Avira Free
      [o]Avast Home
    • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o] Zone Alarm
    • Antispyware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      [o]MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
      [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.