Pop Up Errors

This is a discussion on Pop Up Errors within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 12-13-2011, 07:49 PM   #1
Registered Member
 
Join Date: Dec 2011
Posts: 6
OS: XP Pro Version 5.1.2600 Service Pack 3 Build 2600



First, let me say that I would sincerely appreciate any help possible on the following issue/s. Please know that I consider myself a Wizard's Apprentice on the computer ... what I don't know definitely gets me in trouble. lol Step-by-step directions in layman's terms would be very helpful. Thanks, Joy.

SYSTEM DESCRIPTION: Windows XP Media Center Edition Version 2002/Service Pack 3

BACKGROUND:

I began noticing a system slow down and problems kept popping up with Internet Explorer and Outlook. I made sure they were both up-to-date. Then pop up error messages began to appear either saying that a picture couldn't be read or that there was not enough room (exceeds quota?) for a function. (sorry ... as I am typing this of course the exact error message wording is nowhere to be found. If needed, I will be happy to document them when they appear again.)

One program I was getting error messages on was Malwarebytes so I removed the program and then reinstalled a fresh copy. Also, at one point I got a message from Norton that the 2012 upgrade was available. The first upgrade didn't take so I ran the upgrade a second time. It seemed to take. A Kodak file (from my printer) also kept popping up but I ignored it. Currently my printer is not attached to my computer. Last, but not least, I also saw errors for Pure Network's nmctxth.exe.

I also did a full scan with Norton AntiVirus Version 19.2.0.10 and Malwarebytes' Anti-Malware Version 1.51.2.1300 and nothing was found. I also did maintenance by running a disk clean, defrag, etc.

Today I came to this site for help. I followed the instructions located at http://www.techsupportforum.com/forums/f50/new-instructions-read-this-before-posting-for-malware-removal-help-305963.html .

When I was getting the GMER file, somehow the download took me to a Reimage PC Repair Online file which ran when the download completed. It did show one threat: C:\program files\search toolbar\searchtoolbar.dll -- Adware.ZugoInfotep.rd a.k.a Adware.Searchbar-33 a.k.a. Zugo Ltd (v) (sent:5ddb11ea4ae68dc90c4d3eb427c290d3).

Also, Reimage reported under PC Stability the following programs have crashed: Crypt32 (12/8/11); Windows Explorer (10/14/11); Kodak.statistics.exe (12/11/11); Odbc (12/12/11); Microsoft Office 12 (12/8/11); 248971733 (10/14/11); Pprekop.exe (11/18/2011)

DDS LOG:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 15:05:07 on 2011-12-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.397 [GMT -9:00]
.
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Cherry\CDI\cdi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe
C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe
svchost.exe
C:\Program Files\Cherry\CDI\cdimsrclient.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\program files\digital media reader\readericon45g.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\program files\digital media reader\shwiconem.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\Windows iLivid Toolbar\Datamngr\datamngrUI.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Airlink101\AWLC3028 & AWLH3028\RtWLan.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4024
uStart Page = hxxp://www.iba-backgammon.com/
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=kf_dDUcfjlx6jC58pAim9Vh5-KM
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4024
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\19.2.0.10\ips\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\windows ilivid toolbar\datamngr\toolbar\searchqudtx.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: Norton Safe Web Lite: {30ceeea2-3742-40e4-85dd-812bf1cbb83d} - c:\program files\norton safe web lite\engine\1.0.1.8\coIEPlg.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\windows ilivid toolbar\datamngr\toolbar\searchqudtx.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [FreeMem Pro] "c:\progra~1\freeme~1\fmempro.exe" autostart
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [CDIMSRClient] "c:\program files\cherry\cdi\cdimsrclient.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [readericon] c:\program files\digital media reader\readericon45g.exe
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [Conime] %windir%\system32\conime.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [DATAMNGR] c:\progra~1\windows ilivid toolbar\datamngr\datamngrUI.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [Power2GoExpress] NA
dRunOnce: [KodakHomeCenter] "c:\program files\kodak\aio\center\AiOHomeCenter.exe"
StartupFolder: c:\docume~1\owner~1.you\startm~1\programs\startup\airlink101 cardbus & pci wireless configuration utility.lnk - c:\program files\airlink101\awlc3028 & awlh3028\RtWLan.exe
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263271136625
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
TCP: DhcpNameServer = 209.165.131.12 209.165.131.13 192.168.1.1 209.165.131.12 209.165.131.13
TCP: Interfaces\{88CB8ECB-D1F3-4E7A-9CE5-83508D5BAAD6} : DhcpNameServer = 209.165.131.12 209.165.131.13 192.168.1.1 209.165.131.12 209.165.131.13
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\windows ilivid toolbar\datamngr\datamngr.dll c:\progra~1\windows ilivid toolbar\datamngr\IEBHO.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1302000.00a\symds.sys [2011-12-10 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1302000.00a\symefa.sys [2011-12-10 897656]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.1.3\definitions\bashdefs\20111123.001\BHDrvx86.sys [2011-11-23 819320]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\nav\1302000.00a\ccsetx86.sys [2011-12-10 132744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1302000.00a\ironx86.sys [2011-12-10 149624]
R2 Cherry Device Interface;Cherry Device Interface;c:\program files\cherry\cdi\cdi.exe [2007-9-27 585774]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2010-1-11 38144]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2011-9-5 393648]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\19.2.0.10\ccsvchst.exe [2011-12-10 138760]
R2 NSL;Norton Safe Web Lite;c:\program files\norton safe web lite\engine\1.0.1.8\ccSvcHst.exe [2010-7-1 126904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-12-12 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.1.3\definitions\ipsdefs\20111212.002\IDSXpx86.sys [2011-12-13 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.1.3\definitions\virusdefs\20111213.002\NAVENG.SYS [2011-12-13 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.1.3\definitions\virusdefs\20111213.002\NAVEX15.SYS [2011-12-13 1576312]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-21 135664]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\owner~1.you\locals~1\temp\aticdsdr.sys --> c:\docume~1\owner~1.you\locals~1\temp\ATICDSDr.sys [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\owner~1.you\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner~1.you\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-21 135664]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\cm108.sys --> c:\windows\system32\drivers\CM108.sys [?]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-11-17 21:56:52 414368 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 0750 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 19:41:20 611328 -c--a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 19:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 19:41:14 20480 -c--a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 1527.89 ===============
Attached Files
File Type: zip attach and ark.zip (7.1 KB, 17 views)

__________________
NorthernJoy is offline  
Old 12-14-2011, 07:07 AM   #2
Security Team
Analyst
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 988
OS: Dual Boot Setup, Vista SP2 and XPSP3



Please temporarily disable your on board protective programs as detailed Here. Carefully read through that entire thread to make certain any and all programs YOU have on board are disabled.

Next:
It is extremely important that you DO NOT close this program until or unless you are directed to do so. Once the program is closed, it will automatically uninstall itself taking with it anything that was removed and the related report.

Please read through this instruction thoroughly before you begin. Save these instructions in a notepad file, or print them out if necessary so you can refer to them should something go wrong for you during your attempt to carry out these steps. If you have any questions, please ask first before you attempt anything at all.

Please download the AVP removal tool to the desktop and double-click the executable to install it. Select your language preference, accept the agreement and click the Start button. You should see something like this:

...click the settings button...it's the small "Gear" icon just to the right of the large yellow button. Make sure the following boxes are checked:
System memory
Hidden startup objects
Disk boot sectors
Computer


...Next, click the Actions link and click the bullet item labeled "Select action". Disinfect and Delete if disinfection fails should already be checked by default...then return to the Automatic Scan tab and click the Start scanning button.

If you happen to receive a pop up during the scan which reads "File C:\whatever...is password protected", you can safely ignore them. The program will find its own password protected files and report these during the scan. If there is a genuine malicious file that is password protected, we will deal with it manually later.

The scan will begin and you will see a progress bar and scanned objects counter. When the scan completes, the progress bar will disappear. Click the "Reports" tab icon to the far right, just under the large yellow button. Click on the "Automatic scan report" link, then click the save button. Save the report to your desktop as Scan 1. The report will be saved as a text file.

That file is going to be very large...too large to post the entire thing. What I need you to do at this point, is to open that log in "Notepad", then click Edit from the menu at the top and select "Find". Using that Find search function, use these as search terms:
Disinfected
Cleared of viruses
Detected


Now...you'll need to search for those terms in that log, one at a time. Having selected the "Edit-->Find" function in Notepad, in the Find what search box, type in the word Disinfected then click the Find Next button. The search function will find anything in the text file having the name "Disinfected". Once it presents the findings, copy that individual line item and paste it into another blank notepad, then continue searching by clicking the Find Next button. Do this in like manner, for each of the search terms identified above. Once you complete the search and copied everything you found into the other blank notepad, save it to your desktop as Edited_AVP_Log.txt.

Next, please return to the AVP scanning utility and click the Manual Disinfection tab. Please click the Start gathering system information button. You'll again see a progress bar while the utility collects the necessary information. When it completes, the progress bar will disappear. Click the "Report sending" tab, then click on the link avptool sysinfo.zip (open the file manager). Attach that zip file here on your next reply along with the contents of the "notepad" file that you saved from the above "First scan" instruction. Thanks!

__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

1972vet is offline  
Old 12-14-2011, 02:38 PM   #3
Registered Member
 
Join Date: Dec 2011
Posts: 6
OS: XP Pro Version 5.1.2600 Service Pack 3 Build 2600



Quick questions please ... Once I am done, can I enable both the firewall and my anti-virus protection? Also, once the Virus Removal Tool is installed, will I need my internet connection?
__________________
NorthernJoy is offline  
Old 12-14-2011, 03:37 PM   #4
Security Team
Analyst
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 988
OS: Dual Boot Setup, Vista SP2 and XPSP3



Quote:
Originally Posted by NorthernJoy View Post
Quick questions please ... Once I am done, can I enable both the firewall and my anti-virus protection? Also, once the Virus Removal Tool is installed, will I need my internet connection?
You can re-enable them when we finish. You will not need an internet connection to run the scan. If you have access to another computer, you could just disconnect from the internet after installation, run the scan, post back the log and stand-by for further instructions. If you are online now, we could finish up with it in short order.
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

1972vet is offline  
Old 12-14-2011, 05:06 PM   #5
Registered Member
 
Join Date: Dec 2011
Posts: 6
OS: XP Pro Version 5.1.2600 Service Pack 3 Build 2600



Found some courage, disabled my Norton 2012 Antivirus, disabled Windows Firewall, downloaded Kaspersky Virus Removal Tool and began the installation.

AVP Tool installation failed - reboot your computer. Failed to extract the produce into C:\Docum~1\owner~1.YOU\locals~1\Temp\1913493. Error is 193.
__________________
NorthernJoy is offline  
Old 12-14-2011, 05:31 PM   #6
Registered Member
 
Join Date: Dec 2011
Posts: 6
OS: XP Pro Version 5.1.2600 Service Pack 3 Build 2600



Re-booted. File seems to have installed. Am going back at it.
__________________
NorthernJoy is offline  
Old 12-14-2011, 10:07 PM   #7
Registered Member
 
Join Date: Dec 2011
Posts: 6
OS: XP Pro Version 5.1.2600 Service Pack 3 Build 2600



Woohoo! Here we go! None of the procedure was hard to do ... just looooong. lol I will wait patiently with my fingers crossed until I hear from you. I do appreciate the time you are giving me. Thank you.

DISINFECTED: None found.

CLEARED OF VIRUSES: None found.

DETECTED:

12/14/2011 7:01:39 PM OK D:\i386\Apps\App15681\windowsxpmediacenter2005-kb873369-enu.exe/PE_Patch/medcthlp.cab/rmtview.chm/htm/aninternetconnectionisnotdetected.htm
12/14/2011 6:32:55 PM OK C:\WINDOWS\ehome\ehHelp1\files\NoFMRadiostationsaredetected_text.htm
12/14/2011 6:32:55 PM OK C:\WINDOWS\ehome\ehHelp1\files\NoFMRadiostationsaredetected.htm
12/14/2011 6:32:52 PM OK C:\WINDOWS\ehome\ehHelp1\files\aninternetconnectionisnotdetected_text.htm
12/14/2011 6:32:52 PM OK C:\WINDOWS\ehome\ehHelp1\files\aninternetconnectionisnotdetected.htm
12/14/2011 6:32:50 PM OK C:\WINDOWS\ehome\ehHelp\files\_4_ifaninternetconnectionisnotdetected.htm
C:\WINDOWS\ehome\ehHelp\files\NoFMRadiostationsaredetected_text.htm
12/14/2011 6:32:45 PM OK C:\WINDOWS\ehome\ehHelp\files\NoFMRadiostationsaredetected.htm
12/14/2011 6:32:41 PM OK C:\WINDOWS\ehome\ehHelp\files\ifaninternetconnectionisnotdetected_text.htm
12/14/2011 6:32:41 PM OK C:\WINDOWS\ehome\ehHelp\files\ifaninternetconnectionisnotdetected.htm
12/14/2011 6:32:34 PM OK C:\WINDOWS\ehome\ehHelp\tenfoothelp.exe/PE_Patch/./ehHelp/Files/NoFMRadiostationsaredetected_text.htm
12/14/2011 6:32:34 PM OK C:\WINDOWS\ehome\ehHelp\tenfoothelp.exe/PE_Patch/./ehHelp/Files/NoFMRadiostationsaredetected.htm
12/14/2011 6:32:33 PM OK C:\WINDOWS\ehome\ehHelp\files\aninternetconnectionisnotdetected_text.htm
12/14/2011 6:32:33 PM OK C:\WINDOWS\ehome\ehHelp\files\aninternetconnectionisnotdetected.htm
12/14/2011 6:32:32 PM OK C:\WINDOWS\ehome\ehHelp\tenfoothelp.exe/PE_Patch/./ehHelp/Files/ifaninternetconnectionisnotdetected_text.htm
12/14/2011 6:32:32 PM OK C:\WINDOWS\ehome\ehHelp\tenfoothelp.exe/PE_Patch/./ehHelp/Files/ifaninternetconnectionisnotdetected.htm
12/14/2011 6:14:42 PM OK C:\Program Files\ParetoLogic\PCHA\Images\detected_items.png
12/14/2011 5:34:31 PM OK C:\Documents and Settings\Owner.YOUR-9F4FAD2B85\Local Settings\Temp\7899023\Report\detected.idx
12/14/2011 5:34:31 PM OK C:\Documents and Settings\Owner.YOUR-9F4FAD2B85\Local Settings\Temp\7899023\Report\detected.rpt
12/14/2011 4:53:15 PM OK C:\Documents and Settings\Owner.YOUR-9F4FAD2B85\Desktop\Downloads\Ashampoo Burning Studio 7\ashampoo_burning_studio_7_7.33_sm.exe/data0021/WISE0011.BIN/content/multicommunity_detected.xul
12/14/2011 4:44:21 PM OK C:\CMPNENTS\MEDIACTR\I386\MEDIACTR.CAB/NoFMRadiostationsaredetected_text.htm
12/14/2011 4:44:21 PM OK C:\CMPNENTS\MEDIACTR\I386\MEDIACTR.CAB/NoFMRadiostationsaredetected.htm
12/14/2011 4:44:16 PM OK C:\CMPNENTS\MEDIACTR\I386\MEDIACTR.CAB/aninternetconnectionisnotdetected_text.htm
12/14/2011 4:44:16 PM OK C:\CMPNENTS\MEDIACTR\I386\MEDIACTR.CAB/aninternetconnectionisnotdetected.htm
12/14/2011 4:44:14 PM OK C:\CMPNENTS\MEDIACTR\I386\MEDIACTR.CAB/medcthlp.cab/rmtview.chm/htm/aninternetconnectionisnotdetected.htm
Attached Files
File Type: zip avptool_sysinfo.zip (21.5 KB, 2 views)
__________________
NorthernJoy is offline  
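The log-sifting step from post #2 and the DETECTED list posted above, as an added example that is not part of the thread: a Python script that performs the same whole-line search Notepad's Find does and, beside it, a field-aware version that matches the three search terms only in the verdict column, so that files whose names merely contain "detected" (the OK lines above) are not pulled in. The report layout (date, time, verdict, path), the sample lines and the EXAMPLE detection names are assumptions modelled on the lines quoted in the thread, not output of the actual tool.

```python
import re
from typing import List, Optional, Tuple

# The three search terms given in post #2.
TERMS = ("Disinfected", "Cleared of viruses", "Detected")

# Constructed sample report (not from the thread). The layout
# "<date> <time> <AM/PM> <verdict> <path>" is an assumption modelled on the
# lines the poster quoted; detection names are placeholders.
SAMPLE_LOG = r"""
12/14/2011 6:32:55 PM OK C:\WINDOWS\ehome\ehHelp1\files\NoFMRadiostationsaredetected.htm
12/14/2011 6:14:42 PM OK C:\Program Files\ParetoLogic\PCHA\Images\detected_items.png
12/14/2011 5:34:31 PM OK C:\Documents and Settings\Owner\Local Settings\Temp\7899023\Report\detected.idx
12/14/2011 6:40:10 PM Detected: EXAMPLE-Adware.Sample C:\EXAMPLE\placeholder_toolbar.dll
12/14/2011 6:40:12 PM Disinfected: EXAMPLE-Virus.Sample C:\EXAMPLE\placeholder.exe
12/14/2011 6:41:00 PM Cleared of viruses C:\EXAMPLE\placeholder_archive.zip
12/14/2011 6:41:05 PM OK C:\WINDOWS\system32\crypt32.dll
""".strip("\n")

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<rest>.+)$"
)
# An absolute Windows path starts with a drive letter, a colon and a backslash.
PATH_RE = re.compile(r"[A-Za-z]:\\")


def split_verdict(rest: str) -> Tuple[str, str]:
    """Split '<verdict> <path>' at the first drive-letter path."""
    m = PATH_RE.search(rest)
    if m is None:
        return rest.strip(), ""
    return rest[: m.start()].strip().rstrip(":"), rest[m.start():].strip()


def parse_line(line: str) -> Optional[dict]:
    """Parse one report line into date, time, verdict and path (None if it does not fit)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    verdict, path = split_verdict(m.group("rest"))
    return {"date": m.group("date"), "time": m.group("time"), "verdict": verdict, "path": path}


def verdict_matches(verdict: str, terms=TERMS) -> bool:
    """True when the verdict field itself opens with one of the search terms."""
    v = verdict.lower()
    return any(v.startswith(t.lower()) for t in terms)


def naive_search(text: str, terms=TERMS) -> List[str]:
    """Whole-line, case-insensitive substring search, as Notepad's Find does it."""
    hits = []
    for line in text.splitlines():
        low = line.lower()
        if any(t.lower() in low for t in terms):
            hits.append(line)
    return hits


def filter_by_verdict(text: str, terms=TERMS) -> List[str]:
    """Keep only lines whose verdict column (not the path) carries a search term."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and verdict_matches(rec["verdict"], terms):
            hits.append(line)
    return hits


def build_edited_log(text: str, terms=TERMS) -> str:
    """Group verdict-matched lines under each term, in the layout the poster used."""
    records = [r for r in (parse_line(ln) for ln in text.splitlines()) if r]
    out = []
    for term in terms:
        matched = [r for r in records if r["verdict"].lower().startswith(term.lower())]
        out.append(f"{term.upper()}:")
        if not matched:
            out.append("None found.")
        for r in matched:
            out.append(f"{r['date']} {r['time']} {r['verdict']} {r['path']}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(f"whole-line hits: {len(naive_search(SAMPLE_LOG))}")
    print(f"verdict hits:    {len(filter_by_verdict(SAMPLE_LOG))}")
    print(build_edited_log(SAMPLE_LOG))
```

Writing the returned string of build_edited_log to Edited_AVP_Log.txt gives the file the analyst asked for, minus the filename-only matches.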
Old 12-15-2011, 01:15 AM   #8
Security Team
Analyst
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 988
OS: Dual Boot Setup, Vista SP2 and XPSP3



Did you install the program "GoToMeeting 4.8.0.723" and do you use it? It's fine if you did. The program itself isn't malicious, but if you use it, make certain you use Strong Passwords with it and change them occasionally. If you didn't install it, or use it, you should uninstall it.

You need also to uninstall the following software programs:
iLivid
ParetoLogic PC Health Advisor
Viewpoint Media Player
Windows iLivid Toolbar
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 3

...the java install that remains, "Java(TM) 6 Update 21" would be more current than those but is still out of date and needs to be updated, as that version has also been exploited. Please do this:
Click start-->run
...type, or copy and paste the following into the run box:
javacpl.cpl
...then click "OK". When the Java Control Panel opens, click on the Update tab then click the "Update Now" button at the bottom. Your update should start.

When it completes, return to the Java Control Panel again. From the "General" tab, under the "Temporary Internet Files" (at the bottom), please click the Settings button. When the "Temporary Files Settings" box opens, please remove the check from the option box to "Keep temporary files on my computer". Please click "OK", then "Apply" to close the Java Control Panel.

Next, please return to the AVP scanning utility and click the "Manual Disinfection" tab. Click on the Script execution link far right side. Copy and paste the below script indicated in Bold text, into the text window, then click the Run script button.
When it completes, the system will reboot. Post back when the system comes back up and let us know how things are running for you now. Thanks!

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
BC_DeleteFile('C:\WINDOWS\system32\DRIVERS\1111803drv.sys');
BC_DeleteFile('\SystemRoot\system32\DRIVERS\1111803drv.sys');
BC_DeleteFile('D:\autorun.inf');
BC_ImportDeletedList;
ExecuteSysClean;
ExecuteWizard('TSW',2,3,true);
BC_Activate;
RebootWindows(true);
end.
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

1972vet is offline  
Old 12-15-2011, 06:46 PM   #9
Registered Member
 
Join Date: Dec 2011
Posts: 6
OS: XP Pro Version 5.1.2600 Service Pack 3 Build 2600


Thumbs Up

Greetings 1972vet,

GoToMeeting must have been pre-installed.

The rest of the programs have been deleted except for iLivid (its toolbar is gone). I looked and looked for a way to uninstall it ... it's not in the control panel add/remove nor on the Start/Programs list. I'll keep looking.

Java updated perfectly. Thank you for the setting suggestion!

I was away from my computer last night when it booted itself. Needless to say, the AVP Scanning Utility closed. The only AVP link I could find was the setup link on my desktop. For the script, I ran a new setup and proceeded to apply the script. Hopefully that was ok.

Since I finished your instructions, I have not seen one error message. (knocking on wood) Even last night I sensed that it wasn't as bad as before. I was able to catch up on my work with only one re-boot. That's a miracle! :)

I cannot believe how helpful you have been! Your advice was clearly presented in a way that was so easy to follow. I am humbled at how you know where to look and how to fix it. I am definitely bookmarking this site.

Please have a wonderful holiday season!

Cheers

Joy
__________________
NorthernJoy is offline  
Old 12-16-2011, 06:43 AM   #10
Security Team
Analyst
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 988
OS: Dual Boot Setup, Vista SP2 and XPSP3



Quote:
Originally Posted by NorthernJoy View Post
Greetings 1972vet,

GoToMeeting must have been pre-installed...

...Since I finished your instructions, I have not seen one error message. (knocking on wood) Even last night I sensed that it wasn't as bad as before. I was able to catch up on my work with only one re-boot. That's a miracle! :)

I cannot believe how helpful you have been! Your advice was clearly presented in a way that was so easy to follow. I am humbled at how you know where to look and how to fix it. I am definitely bookmarking this site.

Please have a wonderful holiday season!

Cheers

Joy
Thank you, I will...and it's good to know everything seems to have now been resolved. Please do bookmark us and come back to visit again!

I should address your comment about GoToMeeting. It is never pre-installed on any system (not that I'm aware of that is). As said previously though, it is most certainly NOT malicious, but I am aware of some whose systems have been compromised from it, largely because the password(s) created for it were less than "Strong" so...since you seem to be in the dark about it, I would certainly uninstall it.

Unless you purchased that system from someone who rebuilt it, I would suspect that the GoToMeeting software was installed by someone else in the household, or that system was fixed at one time, by some remote means. Tech Support folks do that sometimes. I know Dell is good for installing it so their tech support folks can rake in some income for them.

Anyway, since you are now happy with the system, the way it's running, then we can finish up and send you on your way.

You can delete these now:
DDS.scr
DDS.txt
Attach.txt
GMER and associated log(s)

Next, please click start-->run...then copy and paste the Bold text below into the run box and click "OK":

ComboFix /Uninstall

Performing this function will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again for you automatically.
To assist in the prevention of malicious software intrusion and infections, you can begin by reading "How to boost your malware defense and protect your PC"...

Please remember to keep antivirus software on board and always use its real-time protection feature. Run a complete system scan at least once a week...preferably in Safe mode.

A word of caution
Security vendors, in recent years, have partnered with "Ask.com" in providing the "Ask Toolbar" bundled with their download(s).

Although the toolbar is considered to be a Legitimate program, it is nonetheless questionable as to its behavior. It is alleged to be spyware/adware as the behavior of this application tracks a user's history and sends "search" information to its servers in order to provide a user with targeted search results; many of these results may also be for questionable web sites. In fairness, one should keep in mind that Google does the same thing regarding search results.

This tracking is considered by many of us in the security field to be offensive.

Some of the "Download links" that I may provide, may also contain this program bundled with it. If you choose not to use it, the bundled software will always contain an "Opt Out" measure via some checkbox. The user can check (or uncheck) this box to prevent the download.

If a user isn't cautious and has mistakenly installed this program, it can easily be removed via the "Uninstall" string provided with the software. Detailed instructions on how to remove the program can be found Here.

If your antivirus program is a licensed version that is about to expire, you can consider using one of these available free on the public domain:

Microsoft Security Essentials
AntiVir Personal Edition Classic
Avast! 4 Home Edition

Those of us in the online safety/security community have tried and tested these programs to determine their abilities. Keeping in mind that nothing is ever a guarantee regarding computer security, these programs, combined with the rest of these recommendations, are nevertheless certain to have an impact in helping to keep your system running free and clear. I personally have been satisfied from having tested and used each one of those at one time or another.

Immunize your browser by installing Spywareblaster. What does it do?
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.
Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Web of Trust, (WOT,) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an add-on available for both Firefox and IE.

Install the WinPatrol security monitor utility. WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. What I hear most from users is how much they like the startup control feature and its ease of use. Need help understanding something about WinPatrol? Here it is.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least one (but not more than one) of these types of third party firewalls running on board:

Zone Alarm...Windows 2k/XP/Vista

Outpost Free

Comodo...I highly recommend this firewall, but it may just be best suited for advanced users.

Stay updated with the most recent Windows patches using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. Please avoid using the "registry" cleaning feature of this utility unless you consider yourself an expert. Contrary to popular thought, the Windows Registry has no need of any "cleaning". I personally challenge anyone to show a substantial benefit from having used any of these "registry cleaning" programs. There is none. Any difference at all is so minuscule that it's nearly impossible to calculate.

On the flip side, rather than any benefit, there is the possibility of slicing out enough pieces of the registry to render things useless...and that includes the operating system.

By default, CCleaner will ask you if you want to back up what is removed, and I suggest you do just that. If you have already used this option and found that something no longer works properly, please find the backup that was created and use it to restore that particular item. Remember, using this to clean the disk is absolutely useful and beneficial. A novice needs only to use the disk cleaning feature...and avoid the registry cleaning aspect. It's not difficult...just don't bother to click the Registry button on the menu.

CCleaner is an excellent...and fast disk cleaning utility that can easily be configured to suit your needs. Often, users find a simple reboot resolves a quirky performance issue which can come about as a result of the collection of temp files while browsing the web...and if you configure CCleaner to run on start up, then your system could be kept running fast and clean with each new user session.

The Yahoo Toolbar is included by default during the installation of the CCleaner utility...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup or else just download the Slim version (no toolbar...last download link at the bottom of that page)...

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files.

So how did I get infected in the first place?
Regards, and Happy Surfing!
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

Old 12-16-2011, 06:45 AM   #11
Security Team
Analyst
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 988
OS: Dual Boot Setup, Vista SP2 and XPSP3
Since this issue appears to be resolved, this topic will now be closed. Other members who need assistance please start your own topic in a new thread. Thanks!


The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

IMPORTANT - Read This Before Posting For Malware Removal Help
