Aces High Bulletin Board
General Forums => The O' Club => Topic started by: Saxman on November 16, 2010, 06:39:16 PM
-
Been having some issues with my computer since a BSOD Sunday afternoon:
Windows Activation Status is now showing as Unknown and not recognizing as a valid copy, even though it is activated and valid
Cannot access Computer Management, get the %dir%\Computer Management.lnk Unspecified Error message when trying to access it
If I try to kick off my A/V, it runs for a bit before BSODing again
Unfortunately, the new versions of Sonicwall Managed Protection (McAfee) don't run in Safe Mode. BRILLIANT idea!
Attempted Trend Micro's Housecall online scan, but it fails to even run
Default Level for the Internet Zone in IE is blank. If I set all Zones to Default it blanks them out too, and loses the slider (cancelled to prevent hosing my security ENTIRELY)
Have run Malwarebytes, which found nothing and Spybot, which did its usual overreaction
Microsoft's Malicious Software Removal Tool came up clean
.Net Framework 4 keeps trying to repair after every reboot. Attempting to uninstall causes a BSOD
System Restore failed. After attempting to restore failed, all Restore points are now gone
I'm CONVINCED something got into the system that Malwarebytes, Spybot and Microsoft's tool can't find. Which means I'm probably looking at a virus of SOME kind. Unfortunately, I can't run my A/V because the new versions require services that don't operate in Safe Mode--frelling AWESOME job, McAfee.
Anyone have any ideas? I haven't tried using MSCONFIG to launch a clean boot yet; that's next on my list. However, I was wondering if anyone might have some insight from the HijackThis log before I closed that out.
-
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:20:48 PM, on 11/16/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Safe mode with network support
Running processes:
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S4MSOMY8\HijackThis[1].exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files (x86)\McAfee\Managed VirusScan\DesktopUI\XTray.exe" /LOGON
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files (x86)\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "D:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O15 - Trusted Zone: http://*.mcafee.com (HKLM)
O15 - Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://www.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)
O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files%20(x86)/Monopoly/Images/stg_drm.ocx
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files%20(x86)/Monopoly/Images/armhelper.ocx
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - D:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files (x86)\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: McAfee SiteAdvisor Enterprise Service - McAfee, Inc. - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~2\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files (x86)\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - Unknown owner - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (file missing)
O23 - Service: SonicWALL Agent Service (SWAGENT) - McAfee, Inc. - C:\Program Files (x86)\McAfee\Managed VirusScan\Agent\swAgent.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 9866 bytes
-
Hi Saxman, if you can, download and burn Trinity Rescue Kit (TRK). This is a bootable resource that will allow you to scan for and remove viruses.
If ya can't, let me know and I'll sling one your way via snailmail fella.
Wurzel
http://trinityhome.org/Home/index.php?content=TRINITY_RESCUE_KIT_DOWNLOAD&front_id=12&lang=en&locale=en
*edit to slip in a download link to make it easier for ya bud*
-
I'll check that out. Any thoughts on the HijackThis log I posted? I'd really like to address this before I have to close it out.
-
On a quick look, I'd be concerned about the number of missing files (a lot of MS stuff missing) and some of your McAfee stuff too - possible indication something has banjoed your AV install, and hijacked some of the processes. TRK should sort that out. I'd suggest checking your msconfig to check nothing untoward is loading itself (some malware relies on this - easy to sort).
Initially I'd go with TRK via bootable CD, clear your system (has to be connected to the intardnet to allow file download from F-Prot etc., by the way). Failing that, I'd grab a copy of Ubuntu, burn it to a boot disk and install (or use the Win7 format to completely erase your current FS and reinstall) (I prefer installing Ubuntu as it mullers the NTFS f/s nicely - personal preference).
Gimme a shout if you need anything bud,
Wurzel
-
Yeah, the missing files had me concerned. I was suspicious those have something to do with why Computer Management wasn't working, and why the system was reporting Windows was activated. One possibility is that Malwarebytes, Spybot, or McAfee/Sonicwall Managed Protection blasted the files themselves when something got in there. I've seen security software do that before; nuke rather than fix, even if it includes system files. I tried running SFC last night but obviously that must have missed them.
The other possibility is that I DID run this from Safe Mode, so I don't know if it's seeing them as Missing even though they're just disabled under Safe Mode....
There's nothing that doesn't belong showing up under MSCONFIG.
-
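One practitioner's check on the "(file missing)" question raised in the two posts above (an added example, not code from anyone in this thread): the log was produced by HijackThis 2.0.4, a 32-bit program, on 64-bit Windows 7, and the pattern it shows (every path under C:\Program Files (x86) found, every native path under C:\Windows\System32 "missing", and IE's Local Page resolved to C:\Windows\SysWOW64\blank.htm) is consistent with WOW64 file-system redirection, which silently maps System32 to SysWOW64 for 32-bit processes. Such a process can reach the real 64-bit files through the C:\Windows\Sysnative alias. The script below parses the O2 and O23 lines (the sample is copied from the log above), sorts each "missing" entry into a bucket, and, when run on Windows, re-tests the paths through Sysnative. The bucket names, the Entry type and the function names are my own, and the System32 prefix is assumed to be on drive C: as it is in this log.

```python
"""Triage "(file missing)" / "(no file)" entries in a HijackThis log.

Added example for this thread; not a tool any poster used.  Assumption
(labelled): the log came from a 32-bit HijackThis on 64-bit Windows, so
C:\\Windows\\System32 was redirected to SysWOW64 while it scanned.
"""
import os
import re
import sys
from dataclasses import dataclass

# Constructed sample: lines copied verbatim from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - D:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files (x86)\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - Unknown owner - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (file missing)
"""

# Assumed location of the redirected directory (true for this log's C: install).
SYSTEM32_PREFIX = "c:\\windows\\system32\\"
SYSNATIVE_PREFIX = "C:\\Windows\\Sysnative\\"

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
SVC_NAME_RE = re.compile(r"\(([^()]+)\)$")   # trailing "(ShortName)" on an O23 display name


@dataclass
class Entry:
    section: str   # "O2" (BHO) or "O23" (service)
    name: str      # BHO name, or the service's short name when HijackThis printed one
    path: str      # path as HijackThis printed it; "" for a BHO shown as "(no file)"
    missing: bool  # HijackThis could not open the file


def parse_log(text):
    """Extract O2 and O23 entries; other HijackThis sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            path = m.group("path")
            missing = path == "(no file)"
            entries.append(Entry("O2", m.group("name"), "" if missing else path, missing))
            continue
        if line.startswith("O23 - Service: "):
            body = line[len("O23 - Service: "):]
            # Display names may contain " - " (e.g. "Dragon Age: Origins - Content Updater"),
            # but vendor and path never do, so split from the right.
            display, _vendor, path = body.rsplit(" - ", 2)
            missing = path.endswith(" (file missing)")
            if missing:
                path = path[: -len(" (file missing)")]
            nm = SVC_NAME_RE.search(display)
            entries.append(Entry("O23", nm.group(1) if nm else display, path, missing))
    return entries


def sysnative_path(path):
    """Rewrite a System32 path so a 32-bit process reaches the real 64-bit file."""
    if path.lower().startswith(SYSTEM32_PREFIX):
        return SYSNATIVE_PREFIX + path[len(SYSTEM32_PREFIX):]
    return path


def triage(entry):
    """'present', 'recheck-sysnative' (likely WOW64 artefact) or 'verify' (genuinely unexplained)."""
    if not entry.missing:
        return "present"
    if entry.path.lower().startswith(SYSTEM32_PREFIX):
        return "recheck-sysnative"
    return "verify"   # a dangling BHO CLSID, or a path outside the redirected directory


def summarize(entries):
    counts = {"present": 0, "recheck-sysnative": 0, "verify": 0}
    for e in entries:
        counts[triage(e)] += 1
    return counts


def check_on_disk(entries):
    """Windows only: re-test each 'missing' path directly and via Sysnative.
    Returns {name: exists}; an empty dict elsewhere so the parser stays usable offline."""
    if sys.platform != "win32":
        return {}
    return {e.name: os.path.exists(e.path) or os.path.exists(sysnative_path(e.path))
            for e in entries if e.missing and e.path}


if __name__ == "__main__":
    text = SAMPLE_LOG
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    parsed = parse_log(text)
    on_disk = check_on_disk(parsed)
    for e in parsed:
        if e.missing:
            print(f"{e.section:<4} {e.name:<16} {triage(e):<18} {e.path}  {on_disk.get(e.name, '')}")
    print(summarize(parsed))
```

Run it against a saved hijackthis.log on the affected machine (a 64-bit Python, or a 32-bit one via the Sysnative alias) and the "recheck-sysnative" rows that come back as present can be dropped from the worry list; what remains in "verify" is the short list worth SFC, a vendor reinstall, or a look at the service's ImagePath in the registry. For the O2 "(no file)" entry, the check is the CLSID's InprocServer32 value under HKCR\CLSID\{7DB2D5A0-...}, which names the DLL that was registered; "scriptproxy" is the name McAfee's ScriptScan component registers its BHO under, so with the McAfee install already misbehaving, a dangling registration is a plausible reading, and the registry lookup settles it.
-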
Yep, it's possible they've been excluded as you're in safe mode - can you get a download of TRK done? That would be my next step - insert, boot up from CD, and use the scan computer bit to check your system.
Wurzel
-
Been running the scans, still going.
I haven't had to mess with Linux commands since maybe 2 weeks of my A+ prep class 4 years ago...
-
Any better, Saxman? Sorry, been busy most of today (can't complain tho)
Wurzel
-
Still going. Avast is dragging their feet sending me my license key.
-
> Been running the scans, still going.
> I haven't had to mess with Linux commands since maybe 2 weeks of my A+ prep class 4 years ago...
You don't need to, download the fully automatic / graphic F-secure linux rescue cd.
-
TRK should have given you a DOS-like interface, with selectable numbers - no Linux commands necessary fella.
F-Secure Linux rescue CD can be downloaded here: http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/ (Thanks MrRipley - taken a copy of that for myself too)
Wurzel
-
I had to in this case. For whatever reason the automatic network connection wouldn't work, so I had to manually set the IP and gateway. None of the scans would download until I did.
-
Lovely..... did the scans complete and show anything?
Wurzel
-
F-Prot looks like it found a few in the temp files for Java which if they aren't already, I'm clearing that stuff out ASAP. One of the others seems to have found a couple as well, but didn't give me any specifics. I'm STILL waiting on the Avast license to run that one.
Haven't done a check for any missing files yet, I'm still working on the A/V scans.
-
Sarcasm on:
>Format :C
>Y or N
>Y
"Enemy Tactical Nuke inbound, it's over!"
Sarcasm off:
Ouch, I know the sting of the virus.
-Penguin
-
Hate to say it, but Penguin might be right; sometimes a format and fresh install is what's needed.
-
Run ComboFix and see what it comes up with.
-
I've been having a problem lately where some websites seem to be infected with some malware that kicks off a phony 'security alert' program that offers to scan my computer for viruses. It looks a lot like Windows Defender, so once I accidentally clicked yes, not thinking. Oops.
-
OK, some things that stand out:
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
Many malicious tools use a proxy to bypass network security, any IT geek worth his salt can set up firefox to use a proxy and get past most corporate firewalls. Many of the more illicit spam-bots will set up a proxy and use your machine as a slave, or even worse use your machine as a host for a myriad of bad things. (see here http://www.huffingtonpost.com/2009/11/09/internet-virus-frames-use_n_350426.html )
Though I may be way off, I suspect anything similar to that. Along with the other comment of the many missing files that PC is hosed IMHO, and worth a full re-format.
-
If there's any way possible to fix this without resorting to a reinstall I'm damn well going to try it. It's not just the hassle of installing apps. Windows and Office were both installed with licenses provided by the company for which I no longer work. I MAY have them saved to the drive, but that's going to be a huge issue if they're not.
Now that I've finished the virus scans and got that cleaned up, what I need is a way to replace the missing/corrupted files from the Windows disk. Ordinarily at this point I'd pull the drive, put it in an enclosure and use another computer to break open the install.wim to get to the system files and do the copy. Unfortunately I don't have the hardware to do it.
gpwurzel,
Can TRK be used to access shared files on another computer? I've got the Shared Docs on my laptop turned on and could PROBABLY extract the files I need to the laptop and do it manually that way. PITA, but doable.
Push comes to shove, I'll do it a chunk at a time through my flash drive if I have to....
-
Checking for you now Saxman - gimme a couple minutes and I'll let you know.
Wurzel
-
Hiya Sax, on the main interaction page, there is a prog called MC - which appears to do what you want (nothing here to confirm that or test with as I'm on a single machine).
Wurzel
-
Ok. What I'm going to do is match up the files in the TRK-Infected log, pull them from the CD to my flash drive, and then use MC to copy them over.
-
Ok, current status:
Windows is now booting up to the desktop (woo hoo!)
I DO have my Windows license key saved. Office remains a problem, however....
Computer Management still isn't working
Windows is still not recognizing the Windows Activation status
McAfee is still screwy
The .Net 4.0 repair came up again
However now that I was able to get to the Windows Desktop and locate the license key, I have a new option: I can now do a Repair Install, which should preserve the other apps.
-
Good stuff fella, if you're waiting for an Avast key, I'd bin McAfee (don't much like that AV to be honest).
Can you open Office at all, as your key should be under Help (will have a look round on mine, see if I can find where it's stored).
Wurzel
-
Looks like Repair Install took care of everything else. Thanks for the help, back up and goin.
-
Excellent, good to hear, I look forward to meeting you in the Virtual fella.
Wurzel