Author Topic: [Inactive] PC infection _ malware_ vista

Offline bimbo

  • Bronze Member
  • Posts: 1
[Inactive] PC infection _ malware_ vista
« on: February 22, 2012, 03:37:56 PM »
I am using Windows Vista. Each time I launch Internet Explorer, the following message appears. I can't even launch Adobe any more.

---------------------------
GoogleToolbarUser_32.exe - Bad Image
---------------------------
C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_248D3CEB7C787E4E.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.
---------------------------
OK
---------------------------

---------------------------
Adobe Reader: AcroRd32.exe - Bad Image
---------------------------
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\AcroForm.api is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.
---------------------------
OK
---------------------------


I have tried to get rid of it but without success. I have scanned my PC with Malwarebytes Anti-Malware (trial version), but nothing could be found.

Ran ComboFix and attached the log file to investigate. Thanks in advance.

ComboFix 12-02-17.01 - xxxxxx 17/02/2012 12:16:15.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1014.403 [GMT 0:00]
Running from: c:\users\jobianga\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-17 to 2012-02-17 )))))))))))))))))))))))))))))))
.
.
2012-02-15 21:56 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7573407F-2982-4354-811D-5BFC4D31DC1D}\mpengine.dll
2012-01-31 22:56 . 2012-01-31 22:56 0 ---ha-w- c:\users\jobianga\AppData\Local\BITD9DA.tmp
2012-01-29 11:39 . 2012-01-29 11:39 -------- d-----w- c:\users\jobianga\AppData\Roaming\Malwarebytes
2012-01-29 11:38 . 2012-01-29 11:38 -------- d-----w- c:\programdata\Malwarebytes
2012-01-29 11:38 . 2012-01-31 22:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-29 11:38 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-23 13:41 . 2012-01-24 13:20 -------- d-----w- C:\bp interview
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2012-01-27 00:21 . 2009-10-28 19:10 237072 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-11 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-06 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-06 81920]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-12-03 167936]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-10 46704]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2006-12-08 77824]
"Webroot Desktop Firewall"="c:\program files\Webroot\Webroot Desktop Firewall\WDF.exe" [2008-07-31 2401672]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-09-13 19:23 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc0917a4301c80.job
- c:\program files\Google\Update\GoogleUpdate.exe [2006-03-24 23:30]
.
2012-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2006-03-24 23:30]
.
2012-02-17 c:\windows\Tasks\User_Feed_Synchronization-{73FF216A-14E3-406B-BA9E-9EA7EB73A66C}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.co.uk/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=PRESARIO&pf=laptop
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = cslibproxy:80
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-MsgCenterExe - c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-17 12:29
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3492)
c:\windows\system32\ieframe.dll
c:\program files\Microsoft Office\Office10\msohev.dll
.
Completion time: 2012-02-17 12:35:43
ComboFix-quarantined-files.txt 2012-02-17 12:35
.
Pre-Run: 20,101,050,368 bytes free
Post-Run: 22,734,917,632 bytes free
.
- - End Of File - - 66892B1868AE66B803E65EC0FEC777E2

« Last Edit: February 22, 2012, 05:56:24 PM by 1972vet »
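A small triage helper for the "Reg Loading Points" section of a ComboFix log, added here as an example; it is not part of this thread and not ComboFix's own code. It assumes the line layouts visible in the log above (bracketed registry keys, `"name"="path" [date size]` Run entries, `dword:` values and the `uInternet Settings,ProxyServer` line). The embedded sample is constructed: it copies a few of the posted Run entries and the Security Center lines, and adds one invented `Updater` entry under a user profile so the user-writable-location check has something to report. The `DisableMonitoring` values are reported as items to verify, since legitimate security products set them as well as malware.

```python
import re
from collections import namedtuple

# Constructed excerpt in ComboFix "Reg Loading Points" style. The three
# Program Files entries, the Security Center keys and the proxy line mirror
# the log posted in the thread; the "Updater" entry is invented for the demo.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"Webroot Desktop Firewall"="c:\program files\Webroot\Webroot Desktop Firewall\WDF.exe" [2008-07-31 2401672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"Updater"="c:\users\someone\AppData\Roaming\upd\upd.exe" [2012-02-15 51200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
uInternet Settings,ProxyServer = cslibproxy:80
"""

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" '
                    r'\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')
PROXY_RE = re.compile(r'^[um]Internet Settings,ProxyServer = (?P<proxy>\S+)$')

RunEntry = namedtuple("RunEntry", "key name path date size")
DwordEntry = namedtuple("DwordEntry", "key name value")

# Path fragments that an ordinary user can write to; an autostart binary
# living there deserves a second look (many legitimate updaters do too).
USER_WRITABLE = ("c:\\users\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")


def parse_loading_points(text):
    """Return (run_entries, dword_entries, proxies) parsed from a log excerpt."""
    run_entries, dword_entries, proxies = [], [], []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # ComboFix separates blocks with "."
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = RUN_RE.match(line)
        if m and current_key:
            run_entries.append(RunEntry(current_key, m.group("name"), m.group("path"),
                                        m.group("date"), int(m.group("size"))))
            continue
        m = DWORD_RE.match(line)
        if m and current_key:
            dword_entries.append(DwordEntry(current_key, m.group("name"),
                                            int(m.group("value"), 16)))
            continue
        m = PROXY_RE.match(line)
        if m:
            proxies.append(m.group("proxy"))
    return run_entries, dword_entries, proxies


def triage(text):
    """Turn parsed entries into (subject, reason) findings for a human reviewer."""
    run_entries, dword_entries, proxies = parse_loading_points(text)
    findings = []
    for e in run_entries:
        if any(marker in e.path.lower() for marker in USER_WRITABLE):
            findings.append((e.name, "autostart binary in user-writable location: " + e.path))
    for d in dword_entries:
        if ("security center\\monitoring" in d.key.lower()
                and d.name == "DisableMonitoring" and d.value == 1):
            findings.append((d.key, "Security Center monitoring disabled; "
                                    "confirm a security product set this on purpose"))
    for proxy in proxies:
        findings.append(("ProxyServer", "browser proxy configured: %s; "
                                        "confirm it is expected on this network" % proxy))
    return findings


if __name__ == "__main__":
    for subject, reason in triage(SAMPLE_LOG):
        print("%-70s %s" % (subject, reason))
```

Feed it the Run / Security Center / proxy lines of a full ComboFix log and review the findings alongside the rest of the report; the helper only surfaces items to check and makes no removal decisions.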



Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Inactive] PC infection _ malware_ vista
« Reply #1 on: February 22, 2012, 06:05:57 PM »
Greetings bimbo and Welcome to our Forums,

Please do this:
Disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here. Next, please download the free utility DDS from any of these locations...Here, Here...or Here.
Note - Some infections may prevent certain executable files from running on your computer. If one of these download locations results in a failed run of the utility, please try the next location until you find one that will work on your machine.
Double click dds.scr to run the tool
  • When it completes, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
Next, Download GMER from the following location and save it to your desktop.

GMER Download Link 1
GMER Download Link 2 (Only use if the previous link does not work)

  • Right-click on the gmer.zip icon and select the Extract all... menu option. You should now see the gmer folder.
  • Open the folder and double-click on the gmer.exe icon. Please "ok" any prompts to allow the program to start.
  • You should now see the main GMER window. If you receive a warning about rootkit activity asking if you want to run a full scan, please click on the NO button.
  • We now need to configure GMER to prevent some features from being used during the scan. Please uncheck the following settings (we do NOT want to see these in our scan):
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All <--Important. Don't miss this one
  • Now that you have removed the check marks from the boxes for those items listed above, please click the Scan button.
    This scan may take quite some time, so please be patient. When it has finished, you will be back at the main screen.

  • Please click on the Save... button and save the report to your desktop. Please name the saved file ark.txt

  • Please do not act on any of the information in this report. Many legitimate programs could be listed there.
  • Now, re-enable the active protection component of any antivirus/antimalware programs you disabled before performing the scan.

Please remember to include the following logs in your next reply.
  • DDS.txt
  • Attach.txt
  • ARK.txt
...and by the way, please answer why you decided to run combofix, and why you edited things out of the log. Just curious. Thanks!
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline 1972vet
Re: [Inactive] PC infection _ malware_ vista
« Reply #2 on: February 25, 2012, 10:43:31 AM »
Still with us bimbo?

Offline 1972vet
Re: [Inactive] PC infection _ malware_ vista
« Reply #3 on: February 27, 2012, 06:49:00 AM »
Due to the lack of feedback this Topic is closed. If you need continued support, please create a new thread detailing what issues you are having.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.