Something creating many copies of iexplorer.exe, wltuser.exe on computer

#31
JohnnieF (Member, Topic Starter, 32 posts)

The boot scan log had listed the three .bad files we put in the root of C: and one other:
C:\windows\pchealth\ERRORREP\UserDumps\svchost.exe.20120127-214105-00.hdmp but I looked and it is not there now. I just looked and they are all in the AVAST chest now.

I see one file in the root of C: that I don't know, cmldr @ 255KB. Can I just delete that?

There is also the _OTL folder and subs and Qoobox and subs; can I just delete these?

The two event logs you wanted are below.

===============================================

Vino's Event Viewer v01c run on Windows XP in English
Report run at 05/02/2012 5:37:25 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 04/02/2012 11:54:02 AM
Type: error Category: 100
Event: 1004 Source: Application Error
Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x000b3a46.

Log: 'Application' Date/Time: 03/02/2012 11:34:09 PM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x000b3a46.

Log: 'Application' Date/Time: 31/01/2012 1:41:50 PM
Type: error Category: 100
Event: 1004 Source: Application Error
Faulting application iexplore.exe, version 8.0.6001.18702, faulting module ws2_32.dll, version 5.1.2600.5512, fault address 0x00004a5a.

Log: 'Application' Date/Time: 30/01/2012 10:30:15 AM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application iexplore.exe, version 8.0.6001.18702, faulting module ws2_32.dll, version 5.1.2600.5512, fault address 0x00004a5a.

Log: 'Application' Date/Time: 30/01/2012 10:11:32 AM
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application OTL.exe, version 3.2.31.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 30/01/2012 12:27:18 AM
Type: error Category: 0
Event: 10005 Source: MsiInstaller
SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- Error 27046. CA_Error27046: DriverInstallationFun(0x00000000): Driver installation failed

Log: 'Application' Date/Time: 30/01/2012 12:20:07 AM
Type: error Category: 0
Event: 5000 Source: Microsoft Security Client
The event description cannot be found.

Log: 'Application' Date/Time: 30/01/2012 12:20:06 AM
Type: error Category: 0
Event: 5000 Source: Microsoft Security Client
The event description cannot be found.

Log: 'Application' Date/Time: 30/01/2012 12:11:44 AM
Type: error Category: 0
Event: 10005 Source: MsiInstaller
SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- Error 27046. CA_Error27046: DriverInstallationFun(0x00000000): Driver installation failed

Log: 'Application' Date/Time: 29/01/2012 11:58:56 PM
Type: error Category: 0
Event: 10005 Source: MsiInstaller
SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- Error 27046. CA_Error27046: DriverInstallationFun(0x00000000): Driver installation failed

Log: 'Application' Date/Time: 29/01/2012 11:42:37 PM
Type: error Category: 100
Event: 1004 Source: Application Error
Faulting application iexplore.exe, version 8.0.6001.18702, faulting module avglogx.dll, version 10.0.0.1304, fault address 0x00001013.

Log: 'Application' Date/Time: 29/01/2012 11:30:36 PM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application iexplore.exe, version 8.0.6001.18702, faulting module avglogx.dll, version 10.0.0.1304, fault address 0x00001013.

Log: 'Application' Date/Time: 29/01/2012 5:20:36 PM
Type: error Category: 100
Event: 1004 Source: Application Error
Faulting application winlogon.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x005824ae.

Log: 'Application' Date/Time: 29/01/2012 5:17:58 PM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x005824ae.

Log: 'Application' Date/Time: 29/01/2012 5:15:25 PM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application explorer.exe, version 0.0.0.0, faulting module , version 0.0.0.0, fault address 0x00000000.

Log: 'Application' Date/Time: 29/01/2012 10:21:04 AM
Type: error Category: 0
Event: 1001 Source: Application Hang
Fault bucket 1180947459.

Log: 'Application' Date/Time: 29/01/2012 10:20:45 AM
Type: error Category: 0
Event: 1001 Source: Application Hang
Fault bucket 1180947459.

Log: 'Application' Date/Time: 29/01/2012 10:20:12 AM
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 29/01/2012 10:20:11 AM
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 29/01/2012 9:54:35 AM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application explorer.exe, version 0.0.0.0, faulting module , version 0.0.0.0, fault address 0x00000000.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 31/01/2012 5:21:24 PM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user LAURA\Lauras registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 30/01/2012 12:25:28 AM
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 30/01/2012 12:25:28 AM
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 30/01/2012 12:24:35 AM
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 30/01/2012 12:09:42 AM
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 30/01/2012 12:09:42 AM
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 30/01/2012 12:09:03 AM
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 30/01/2012 12:05:25 AM
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 30/01/2012 12:05:24 AM
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 30/01/2012 12:04:42 AM
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 29/01/2012 11:55:57 PM
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 29/01/2012 11:55:57 PM
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 29/01/2012 11:55:13 PM
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 29/01/2012 7:08:37 PM
Type: warning Category: 0
Event: 3 Source: SQLBrowser
The configuration of the AdminConnection\TCP protocol in the SQL instance MSSMLBIZ is not valid.

Log: 'Application' Date/Time: 29/01/2012 7:06:25 PM
Type: warning Category: 0
Event: 3 Source: SQLBrowser
The configuration of the AdminConnection\TCP protocol in the SQL instance MSSMLBIZ is not valid.

Log: 'Application' Date/Time: 29/01/2012 7:04:05 PM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user LAURA\Lauras registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 29/01/2012 7:03:44 PM
Type: warning Category: 0
Event: 1524 Source: Userenv
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Log: 'Application' Date/Time: 29/01/2012 6:52:20 PM
Type: warning Category: 0
Event: 3 Source: SQLBrowser
The configuration of the AdminConnection\TCP protocol in the SQL instance MSSMLBIZ is not valid.

Log: 'Application' Date/Time: 29/01/2012 6:46:02 PM
Type: warning Category: 0
Event: 3 Source: SQLBrowser
The configuration of the AdminConnection\TCP protocol in the SQL instance MSSMLBIZ is not valid.

Log: 'Application' Date/Time: 29/01/2012 5:49:11 PM
Type: warning Category: 0
Event: 3 Source: SQLBrowser
The configuration of the AdminConnection\TCP protocol in the SQL instance MSSMLBIZ is not valid.


=======================================================================

Vino's Event Viewer v01c run on Windows XP in English
Report run at 05/02/2012 5:34:21 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 05/02/2012 4:52:12 PM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The AVGIDSAgent service depends on the AVGIDSDriver service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 05/02/2012 4:52:12 PM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The AVGIDSDriver service depends on the AVGIDSFilter service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 05/02/2012 4:52:12 PM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The AVGIDSFilter service depends on the AVGIDSShim service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
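The two reports above are raw Vino's Event Viewer text, and the useful signal in them (which application crashed, in which module, at which address, and how often the same tuple repeats) is buried in repeated four-line blocks. As an added example, not from the thread or from the tool, here is a small Python parser for that format; the sample lines are constructed from entries quoted in the post above, and the `<blank>` placeholder for empty names is my own convention.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of the Vino's Event Viewer output quoted in
# the thread (dd/mm/yyyy dates, blank-line separated four-line event blocks).
SAMPLE_LOG = """\
Log: 'Application' Date/Time: 04/02/2012 11:54:02 AM
Type: error Category: 100
Event: 1004 Source: Application Error
Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x000b3a46.

Log: 'Application' Date/Time: 31/01/2012 1:41:50 PM
Type: error Category: 100
Event: 1004 Source: Application Error
Faulting application iexplore.exe, version 8.0.6001.18702, faulting module ws2_32.dll, version 5.1.2600.5512, fault address 0x00004a5a.

Log: 'Application' Date/Time: 29/01/2012 5:17:58 PM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x005824ae.

Log: 'Application' Date/Time: 30/01/2012 12:20:07 AM
Type: error Category: 0
Event: 5000 Source: Microsoft Security Client
The event description cannot be found.
"""

HEADER_RE = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>.+)$")
TYPE_RE = re.compile(r"^Type: (?P<type>\S+) Category: (?P<category>\d+)$")
EVENT_RE = re.compile(r"^Event: (?P<event>\d+) Source: (?P<source>.+)$")
# Message line written by the Application Error source; the application or
# module name can be empty, as in the thread's explorer.exe/winlogon.exe entries.
FAULT_RE = re.compile(
    r"^Faulting application (?P<app>[^,]*), version (?P<app_ver>[^,]*), "
    r"faulting module (?P<module>[^,]*), version (?P<mod_ver>[^,]*), "
    r"fault address (?P<addr>0x[0-9a-fA-F]+)\.$"
)


def parse_events(text):
    """Split a Vino's-style report into one dict per event block."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 4:
            continue  # section banners ("~~~~", "'Application' Log - error Type") are skipped
        h, t, e = HEADER_RE.match(lines[0]), TYPE_RE.match(lines[1]), EVENT_RE.match(lines[2])
        if not (h and t and e):
            continue
        ev = {**h.groupdict(), **t.groupdict(), **e.groupdict(), "message": " ".join(lines[3:])}
        ev["event"] = int(ev["event"])
        ev["category"] = int(ev["category"])
        # The report header says all dates are dd/mm/yyyy; keep an ISO timestamp for sorting.
        ev["timestamp"] = datetime.strptime(ev["when"], "%d/%m/%Y %I:%M:%S %p").isoformat()
        f = FAULT_RE.match(ev["message"])
        if f:
            d = f.groupdict()
            ev["app"] = d["app"].strip() or "<blank>"       # "<blank>" is this example's placeholder
            ev["module"] = d["module"].strip() or "<blank>"
            ev["addr"] = d["addr"].lower()
        events.append(ev)
    return events


def crash_summary(events):
    """Count Application Error crashes per (application, module, address).

    The same tuple recurring at different times (as iexplore.exe/ws2_32.dll does
    in the thread) points at one reproducible fault rather than random noise.
    """
    counts = Counter()
    for ev in events:
        if ev["source"] == "Application Error" and "app" in ev:
            counts[(ev["app"], ev["module"], ev["addr"])] += 1
    return counts


def flag_blank_names(events):
    """Crash events whose application or module name is empty or 'unknown'.

    Those are worth a second look: a crash attributed to no module, or to a
    process with no name, is what the thread's own log shows for winlogon.exe
    and explorer.exe.
    """
    odd = ("<blank>", "unknown")
    return [ev for ev in events if "app" in ev and (ev["app"] in odd or ev["module"] in odd)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, n in crash_summary(evs).most_common():
        print(n, key)
    for ev in flag_blank_names(evs):
        print("check:", ev["timestamp"], ev["message"])
```

Feed it the whole pasted report (both Application and System sections parse the same way; System entries simply carry no `app` key) and sort `crash_summary` by count to see which fault repeats.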


#32
RKinner (Malware Expert, MVP, 19,797 posts)
You don't want to touch cmldr.

You can delete the folders if you want to, but they should go away during the cleanup.

That's about all I see so I think we can clean up now.

We need to clean up System Restore.

Copy the following:

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Run OTL. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Uncheck the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
7. Check the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and exit My Computer.


Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas, and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not update it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chrome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron

#33
JohnnieF (Member, Topic Starter, 32 posts)
How am I supposed to know when Combofix is finished its cleanup? It has been a long time and I see Qoobox is still there, and I see a new folder with a number letter mix name on the computer with a file inside called nircmd.3xe? There does not seem to be any disk activity at all other than when I opened Windows Explorer to take a look to see if everything is done.

#34
RKinner (Malware Expert, MVP, 19,797 posts)
Sounds like it didn't work. Just delete the folder C:\qoobox and any folders that start with C:\Combofix and the Combofix.exe file on your desktop.

#35
JohnnieF (Member, Topic Starter, 32 posts)
What about this one?

> new folder with a number letter mix name on the computer with a file inside called nircmd.3xe ?

#36
JohnnieF (Member, Topic Starter, 32 posts)
There is also a folder under Qoobox called backenv that I can't delete, and I can't even look inside it.

Maybe that is what made combofix fail?

Edited by JohnnieF, 06 February 2012 - 10:55 AM.


#37
RKinner (Malware Expert, MVP, 19,797 posts)
Run OTL, Cleanup and see if that gets it. It is supposed to remove Combofix as part of its cleanup.

#38
JohnnieF (Member, Topic Starter, 32 posts)
Well I guess that is it. Everything seems to be working and I am doing a backup for her now.

Thanks for all the help Ron, it is very much appreciated.


Johnnie