Inactive "Bad Image" pop-ups; [application or program].dll issues; google redirects

Status
Not open for further replies.
6. Click Apply> OK on the Temporary Files Settings window.

All should be checked. The 3 separate designations are only for deleting certain specific files. In this case, all three are okay.

When your vacation is over, we'll check the system and see what's going on. At that time, I'll determine what, if anything, needs to be done.
 
I did the OTM stuff and deleted that Java thing.

HELP! I forgot to disable my antivirus software before running the new ComboFix script. Now when I try to open Internet Explorer, I get an error message saying "Illegal operation attempted on a registry key that has been marked for deletion."

What do I do now?! It won't let me open even iTunes!
 
The only Registry entries I had in the script were for the Welcome Center and the Dell Support Center. Check the Startup menu and see if either of these is checked. If they are, uncheck them.

To remove entries from Startup using the msconfig utility:
  • Click on Start> Run> type in msconfig> enter>
  • Click on Selective Startup
  • Choose the Startup tab:
    This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
  • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
  • Click on Apply> OK when finished.

NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.

IF that does not handle the problem:
Control Panel (or Tools in IE)> Internet Options> Program tab> click on Reset Web Settings.

FYI, I don't know of any reason why forgetting to disable the AV program would cause this.

I'll have you check the Event Viewer if the problem continues.
 
At first, I used another computer and googled the issue. I came across another message board where if I used Command Prompt and typed sfc /scannow I could see if the issue would be resolved. It worked and then I followed your instructions too just to make sure it would work.

Here are the logs:

ComboFix 11-01-03.01 - Albert 01/03/2011 11:17:06.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1917.1055 [GMT -8:00]
Running from: c:\users\Albert\Desktop\ComboFix.exe
Command switches used :: c:\users\Albert\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))
.

2011-01-03 19:40 . 2011-01-03 19:40 -------- d-----w- c:\users\Albert\AppData\Local\temp
2011-01-03 19:40 . 2011-01-03 19:40 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2011-01-03 19:40 . 2011-01-03 19:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-03 18:47 . 2011-01-03 18:47 -------- d-----w- C:\_OTM
2010-12-31 23:30 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7236D729-65CB-4B11-94EF-0CE907646420}\mpengine.dll
2010-12-28 23:28 . 2010-12-28 23:28 -------- d-----w- c:\program files\ESET
2010-12-21 04:42 . 2010-12-21 04:42 -------- d-----w- c:\programdata\DivX
2010-12-15 01:38 . 2010-12-20 03:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-15 01:38 . 2010-12-19 21:35 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-12-12 04:10 . 2010-12-12 04:10 -------- d-----w- c:\users\Albert\AppData\Roaming\Malwarebytes
2010-12-12 04:10 . 2010-11-30 01:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-12 04:10 . 2010-12-12 04:10 -------- d-----w- c:\programdata\Malwarebytes
2010-12-12 04:10 . 2010-12-12 04:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-12 04:10 . 2010-11-30 01:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-11 02:17 . 2010-12-11 02:17 478720 --sha-w- c:\windows\system32\cscutil.dll
2010-12-10 22:29 . 2010-12-10 22:29 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 18:41 . 2009-10-04 17:44 222080 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-4 50688]
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2010-4-9 266240]
Magic-i.lnk - c:\program files\ArcSoft\Magic-i 3\Magic-i.exe [2010-4-9 530944]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-10-4 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1281210887-1614234157-3903570788-1000]
"EnableNotificationsRef"=dword:00000001

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-31 23888]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-17 30192]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2006-11-02 16896]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20101229.001\IDSvix86.sys [2010-09-15 287792]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S2 lxdq_device;lxdq_device;c:\windows\system32\lxdqcoms.exe [2008-02-27 594600]
S2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdqserv.exe [2009-04-28 94208]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-01-27 50704]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-12-11 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Albert.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2008-02-07 14:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ww2.cox.com/myconnection/lasvegas/home.cox
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071005
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-03 11:40
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000005FE6B8AECC059211C5 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-01-03 11:47:10
ComboFix-quarantined-files.txt 2011-01-03 19:47
ComboFix2.txt 2010-12-26 07:18
ComboFix3.txt 2010-12-20 20:48

Pre-Run: 62,631,972,864 bytes free
Post-Run: 62,765,305,856 bytes free

- - End Of File - - 172CB9C735F838D0884257C0314197DF


And OTM..

All processes killed
========== PROCESSES ==========
========== FILES ==========
File/Folder C:\Users\Albert\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\25d09bb3-16c47571 not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Albert
->Temp folder emptied: 199205792 bytes
->Temporary Internet Files folder emptied: 6580026 bytes
->Java cache emptied: 658494 bytes
->Flash cache emptied: 483889 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: TEMP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 307810 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 261912 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 198.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 01032011_104743

Files moved on Reboot...
File C:\Windows\temp\JET121B.tmp not found!

Registry entries deleted on Reboot...


-Uninstalled Combofix.
-Downloaded AVAST as instructed.
-Combofix has this thing of creating a new internet explorer on my computer, like a new icon right under CF's icon. I usually delete this icon. Is that okay? Why would I have a new IE icon?
-Uninstalled Dell Support Center
-Did OTC.
-Will create a system restore point as soon as computer reboots!

What else is left of the malware removal process?
I didn't do a HijackThis yet. Do I still need it?
 
Okay, what you did was have scannow replace a corrupt Favorites folder. Were all the Favorites intact and able to open?

You should not have uninstalled Combofix until I told you to.
Combofix has this thing of creating a new internet explorer on my computer, like a new icon right under CF's icon. I usually delete this icon. Is that okay? Why would I have a new IE icon?
I am not aware of any reason why Combofix would cause any change to the icons.

Yes, please run HJT, after I check the log, if no entries need removal, you can remove any of the cleaning tools and logs again.
 
Um, my favorites were able to open before the occurrence, but then I fixed the problem. I couldn't open any single program.

You told me to uninstall Combofix in Post #24, as instructed. After I use Combofix, it creates another Internet Explorer icon underneath the Combofix icon. Maybe that version is a "no add-on" version?

And where do I download HiJackThis? And you mean remove EVERYTHING as far as logs and tools that I've used to get rid of the malware?
 
Reply #24:
Removing all of the tools we used and the files and folders they created
And you mean remove EVERYTHING as far as logs and tools that I've used to get rid of the malware?
Yes, I do. The programs you used were only to do the scans. They were free and that version was not meant to remain on the system. You can purchase Malwarebytes on their site. The Eset scan can remain. You don't need DDS or GMER in the background- these were for information only. Keeping the logs won't do you any good.
============================================
Sorry about HijackThis- I thought I had you run it previously. It is free and can remain on the system, but does not need to start on boot or run in the background:
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
==============================================
I'll check the HJT log and if okay, you should follow my tool clean up instructions. When we have finished, I will give you links for security programs that are all free and good and will help protect your system.
 
I'm just letting you know I got quite a bit going on with school since my semester exams are next week, and I have a big memory quiz for my calculus class Thursday and Friday. I downloaded HiJackThis and I will do the scan tomorrow. I will also delete the programs and such you instructed me to use for the malware removal.
 
Good luck on the exams! They come first- been there! Take your time. Leave the log when you can.
 
The scan took like less than 30 seconds. Is that normal?

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:11:26 PM, on 1/12/2011
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.17037)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Button Manager\BM.exe
C:\Program Files\ArcSoft\Magic-i 3\Magic-i.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Live\Messenger\wlcsdk.exe
C:\Users\Albert\Desktop\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ww2.cox.com/myconnection/lasvegas/home.cox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Button Manager.lnk = ?
O4 - Global Startup: Magic-i.lnk = C:\Program Files\ArcSoft\Magic-i 3\Magic-i.exe
O4 - Global Startup: QuickSet.lnk = ?
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: lxdqCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdqserv.exe
O23 - Service: lxdq_device - - C:\Windows\system32\lxdqcoms.exe
O23 - Service: MgiSvr - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8243 bytes
 
The more processes running, the longer the scan takes. This is true of any program that has to deal with the files on a system. (By the way, it's why you do either a disk cleanup or at least remove the temp files before defragging or doing an error check- deleting those files will shorten the working times.) Your HJT log looks perfectly normal.

I did recommend stopping a few entries though:

Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - Global Startup: HP Button Manager.lnk = ?> See Option 1
O4 - Global Startup: Magic-i.lnk = C:\Program Files\ArcSoft\Magic-i 3\Magic-i.exe
O4 - Global Startup: QuickSet.lnk = ?

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: MgiSvr - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe


Please read Option 1 for entries coded in Green before doing Fix Checked.
Option 1: The Global Startups: When you have a program set to Global Startup, it means the program will start no matter which account is logging on. The 3 you have are:
HP Button Manager.lnk>> tray icon for HP Webcam
Magic-i.lnk>> Visual effects to be used with the web cam
QuickSet.lnk>> preloaded by Dell. Uses resources that can be handled by other parts of the OS.

(http://www.direct-laptops-guide.com/dell-quickset.html)
Check to stop in HJT, then use the msconfig utility to stop these 3 processes by unchecking them on the Startup menu.

Note about Services: All of these Services are legitimate, but none need to be set to Automatic Startup type. They can be set to Manual Startup:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Click on Start> Run> type in services.msc> enter> double-click on each of the following> set startup type to Manual> Stop the Service unless you are actively using it at that time.
DSBrokerService
MgiSvr
Roxio UPnP Renderer
Roxio Upnp Server
LiveShare P2P Server 9 (RoxLiveShare9)
RoxMediaDB9
Roxio Hard Drive Watcher 9 (RoxWatch9)

(It is part of Media Manager and it is indexing all of your media files (video and audio). If you feel this is a feature you do not use or want, run Media Manager and under TOOLS, turn it off.)
===========================================
No new log needed. Please go ahead with Removing all of the tools we used and the files and folders they created in Reply #24.

Let me know if you have any more questions.
 
Holy hell Bobbye, something totally weird is going on with my computer now. I got on and surfed the web a bit and then this Antivirus Scan program is automatically a part of windows and now I can't open any program without getting an error message saying "Application cannot be executed. The file _____.exe is infected. Do you want to activist your antivirus software now?" My Norton subscription is also near ending. And my computer is totally freaking out. Help! Haven't done any of the other HiJackThis stuff yet.
 
this Antivirus Scan program is automatically a part of windows>> "Application cannot be executed. The file _____.exe is infected. Do you want to activist your antivirus software now?"

There is no antivirus scan program that is automatically part of Windows! Do not act on anything you are told by the rogue program.

So you didn't follow any of Reply 36?
Do not connect to the internet without a working, updated antivirus program. If you want to replace Norton:
Antivirus Software (only one): Both of the following programs are free and known to be good:
[o]Avira Free
[o]Avast Home
==============================================
Please update and run a new scan with Malwarebytes:


Malwarebytes' Anti-Malware
  • Please download Malwarebytes' Anti-Malware from HERE
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    [o] Update Malwarebytes' Anti-Malware
    [o] and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply
    [o] If you accidentally close it, the log file is saved here and will be named like this:
    [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
========================
The update and rescan with Eset:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
From Post #36...

I did the Option 1, however I could not find QuickSet on my startup menu. The other two were there and I unchecked those. Do you still want me to do "fix checked" on HJT?

I will now be doing the safe mode stuff with the other entries in black.

As an update from Post #38, I'll get to that after the safe mode reboot. All of a sudden, that rogue program is gone and not prompting me anything now.
 
Note please that the instructions for checking in HijackThis say "if present." So if QuickSet isn't there, you can't check it. Remove whatever you did check.

All of a sudden, that rogue program is gone and not prompting me anything now.
You didn't leave either Mbam or the Eset logs- but most likely what is now gone was removed in Mbam. I would like to see both logs.
 
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5543

Windows 6.0.6000
Internet Explorer 7.0.6000.17037

1/17/2011 7:52:16 PM
mbam-log-2011-01-17 (19-52-16).txt

Scan type: Quick scan
Objects scanned: 156028
Time elapsed: 8 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\yr87fk3d2dnszapq2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-----------
I couldn't run ESET because it's simply not loading. Do you have the Kaspersky one I could use? And your last post, you said I didn't leave Mbam or ESET, I did that on purpose- I even said I'd get to it after I did the System Configuration stuff.
 
I did that on purpose- I even said I'd get to it after I did the System Configuration stuff.
Sometimes, it's difficult to know what "it" is referring to.

Mbam removed a rogue security program. We need to tighten up the security.

Run Kaspersky Online Scanner in Internet Explorer

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
 
You started this thread 6 weeks ago. I have dealt with everything shown in the logs. I have tried to answer all of your questions and provided you with additional directions. We aren't getting anywhere here.

I will offer two suggestions before I close this thread:
1. Start a new thread in the Windows BSOD, Freezing Restarting Forum HERE.
Include the following:
Here's the blue screen error details:
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6000.2.0.0.768.3
Locale ID: 1033
Additional information about the problem:
BCCode: 50
BCP1: 87C00000
BCP2: 00000000
BCP3: A47A4EED
BCP4: 00000000
OS Version: 6_0_6000
Service Pack: 0_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini121110-01.dmp
C:\Users\Albert\AppData\Local\Temp\WER-92453-0.sysdata.xml
C:\Users\Albert\AppData\Local\Temp\WER4992.tmp.version.txt

Describe the "Bad Image" popups, dll issues.
Tell them that the Java cache Trojan has been handled.
Tell them you ran scannow on your own.
Tell them that I had you run OTM and a ComboFix script.
Tell them that I had you remove entries in HJT.

Tell them that you posted this:
All of a sudden, that rogue program is gone and not prompting me anything now.

2. Do a reformat/reinstall of the OS:
You will find excellent reformat/reinstall instructions here:
http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html

I do not think continuing on this thread will be productive.
 