
MalwareBytes showed several items... Not sure what it is. [Solved]

#16 Waynesworld (Member, Topic Starter, 248 posts)

After doing step 1, running the Fix-It tool and re-booting, I got a Windows Sidebar pop-up window... it said... Windows Sidebar is managed by your system administrator.


When I did Step #4 (rootkit scan), the pull-down menu was on Quickscan and that is where I left it.


Here is the Fixlog.txt:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-02-2015
Ran by Wayne at 2015-02-16 12:29:46 Run:1
Running from C:\Users\Wayne\Desktop
Loaded Profiles: Wayne (Available profiles: Wayne)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CreateRestorePoint:
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
S2 Norton Internet Security; "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1
C:\Program Files (x86)\Norton Internet Security
S1 aweshiqs; \??\C:\Windows\system32\drivers\aweshiqs.sys [X]
S1 fpmjqeee; \??\C:\Windows\system32\drivers\fpmjqeee.sys [X]
S1 kfttqyyd; \??\C:\Windows\system32\drivers\kfttqyyd.sys [X]
S3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\ENG64.SYS [X]
S3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\EX64.SYS [X]
S1 paolubbl; \??\C:\Windows\system32\drivers\paolubbl.sys [X]
C:\ProgramData\Norton
C:\Windows\system32\drivers\paolubbl.sys
C:\Windows\system32\drivers\kfttqyyd.sys
C:\Windows\system32\drivers\fpmjqeee.sys
C:\Windows\system32\drivers\aweshiqs.sys
S1 SRTSP; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSP64.SYS [X]
S1 SRTSPX; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSPX64.SYS [X]
C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSP64.SYS
C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSPX64.SYS
2015-02-15 16:17 - 2013-02-20 15:15 - 00000000 ____D () C:\Users\Wayne\AppData\Roaming\uTorrent
CustomCLSID: HKU\S-1-5-21-4173107115-4275760522-2882889172-1000_Classes\CLSID\{693566bc-21f8-401e-8d42-e2c5ce50dacc}\localserver32 -> C:\Users\Wayne\AppData\Local\Temp\{d5641912-e47a-429c-879e-cfe13eac7a13}\IDriver.NonElevated.exe No  (the data entry has 4 more characters).
EmptyTemp:

*****************

Restore point was successfully created.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => Key deleted successfully.
"HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => Key deleted successfully.
Norton Internet Security => Service deleted successfully.
"C:\Program Files (x86)\Norton Internet Security" => File/Directory not found.
aweshiqs => Service deleted successfully.
fpmjqeee => Service deleted successfully.
kfttqyyd => Service deleted successfully.
NAVENG => Service deleted successfully.
NAVEX15 => Service deleted successfully.
paolubbl => Service deleted successfully.
C:\ProgramData\Norton => Moved successfully.
"C:\Windows\system32\drivers\paolubbl.sys" => File/Directory not found.
"C:\Windows\system32\drivers\kfttqyyd.sys" => File/Directory not found.
"C:\Windows\system32\drivers\fpmjqeee.sys" => File/Directory not found.
"C:\Windows\system32\drivers\aweshiqs.sys" => File/Directory not found.
SRTSP => Service deleted successfully.
SRTSPX => Service deleted successfully.
"C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSP64.SYS" => File/Directory not found.
"C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSPX64.SYS" => File/Directory not found.
C:\Users\Wayne\AppData\Roaming\uTorrent => Moved successfully.
"HKU\S-1-5-21-4173107115-4275760522-2882889172-1000_Classes\CLSID\{693566bc-21f8-401e-8d42-e2c5ce50dacc}" => Key deleted successfully.
EmptyTemp: => Removed 305 MB temporary data.

The system needed a reboot.

==== End of Fixlog 12:30:29 ====


Here is the aswMBR.txt file:


aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2015-02-16 12:44:36
-----------------------------
12:44:36.401    OS Version: Windows x64 6.0.6002 Service Pack 2
12:44:36.401    Number of processors: 2 586 0x170A
12:44:36.401    ComputerName: HPP6120F  UserName: Wayne
12:44:37.821    Initialize success
12:44:37.930    VM: initialized successfully
12:44:37.930    VM: Intel CPU BiosDisabled
12:48:14.898    AVAST engine defs: 15021600
12:49:17.485    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
12:49:17.485    Disk 0 Vendor: ST375052 HP22 Size: 715404MB BusType: 8
12:49:17.610    Disk 0 MBR read successfully
12:49:17.610    Disk 0 MBR scan
12:49:17.672    Disk 0 unknown MBR code
12:49:17.672    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       701392 MB offset 63
12:49:17.719    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        14009 MB offset 1436451975
12:49:17.844    Disk 0 scanning C:\Windows\system32\drivers
12:49:35.866    Service scanning
12:50:07.769    Modules scanning
12:50:07.769    Disk 0 trace - called modules:
12:50:07.831    ntoskrnl.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
12:50:07.831    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8009924790]
12:50:07.847    3 CLASSPNP.SYS[fffffa60011cfc33] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800792a050]
12:50:09.688    AVAST engine scan C:\Windows
12:50:15.460    AVAST engine scan C:\Windows\system32
12:55:10.283    AVAST engine scan C:\Windows\system32\drivers
12:55:41.507    AVAST engine scan C:\Users\Wayne
13:01:15.941    AVAST engine scan C:\ProgramData
13:08:58.168    Disk 0 statistics 3734338/0/0 @ 2.77 MB/s
13:08:58.168    Scan finished successfully
13:10:02.295    Disk 0 MBR has been saved successfully to "C:\Users\Wayne\Desktop\MBR.dat"
13:10:02.373    The log file has been saved successfully to "C:\Users\Wayne\Desktop\aswMBR.txt"

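The Fixlog format above is regular: the fixlist is echoed between two rows of asterisks, and then FRST writes one "target => result" line per directive. The following Python is an added example, not from this thread or from FRST; it reads a trimmed, constructed copy of the Run:1 log, pairs each directive with its outcome, and separates an expected "File/Directory not found" (the driver file was already missing, which the fixlist marks with [X]) from a result a helper would actually need to look at.

```python
import re
# Constructed sample: a trimmed copy of the Run:1 Fixlog posted in this thread.
SAMPLE_FIXLOG = r"""Content of fixlist:
*****************
CreateRestorePoint:
S1 aweshiqs; \??\C:\Windows\system32\drivers\aweshiqs.sys [X]
C:\Windows\system32\drivers\aweshiqs.sys
C:\ProgramData\Norton
EmptyTemp:
*****************

Restore point was successfully created.
aweshiqs => Service deleted successfully.
C:\ProgramData\Norton => Moved successfully.
"C:\Windows\system32\drivers\aweshiqs.sys" => File/Directory not found.
EmptyTemp: => Removed 305 MB temporary data.
The system needed a reboot.
"""

# FRST reports the outcome of each directive as "<target> => <result>".
RESULT_RE = re.compile(r"^(?P<target>.+?) => (?P<result>.+)$")
# Service lines look like "S1 name; \??\path\file.sys [X]"; the trailing [X]
# marks a service whose image file FRST could not find on disk.
SERVICE_RE = re.compile(r"^S\d+ (?P<name>[^;]+); .*\[X\]$")

def split_sections(text):
    """Return (fixlist directives, result lines): the fixlist echo sits between
    the two '*****' rulers; everything after the second ruler is the outcome."""
    lines = text.splitlines()
    rulers = [i for i, line in enumerate(lines) if line.startswith("*****")]
    if len(rulers) < 2:
        raise ValueError("no 'Content of fixlist' section found")
    directives = [l.strip() for l in lines[rulers[0] + 1:rulers[1]] if l.strip()]
    return directives, lines[rulers[1] + 1:]

def classify(result):
    """'ok', 'not_found' (target already gone) or 'other' (needs a human look)."""
    low = result.lower()
    if "successfully" in low or low.startswith("removed "):
        return "ok"
    return "not_found" if "not found" in low else "other"

def parse_outcomes(text):
    """(target, result, status) for every directive FRST reported on."""
    outcomes = []
    for raw in split_sections(text)[1]:
        line = raw.strip()
        if line.startswith("Restore point"):  # CreateRestorePoint: has no '=>' form
            outcomes.append(("CreateRestorePoint:", line, classify(line)))
            continue
        m = RESULT_RE.match(line)
        if m:
            outcomes.append((m["target"].strip('"'), m["result"], classify(m["result"])))
    return outcomes

def missing_file_services(text):
    """Services removed whose driver file was already absent ([X]): for these the
    later 'File/Directory not found' on the .sys path is expected, not a failure."""
    return [m["name"] for m in map(SERVICE_RE.match, split_sections(text)[0]) if m]

def summarize(text):
    """Counts a helper would glance at before deciding whether a re-run is needed."""
    outcomes = parse_outcomes(text)
    counts = {"ok": 0, "not_found": 0, "other": 0}
    for _, _, status in outcomes:
        counts[status] += 1
    return {"directives": len(split_sections(text)[0]), "outcomes": len(outcomes),
            **counts, "reboot": "The system needed a reboot." in text}
```

Run against the full Run:3 log later in the thread, the `File:` report blocks (MD5, size, attributes) carry no "=>" line and are simply skipped, so only the two "Moved successfully." results are counted.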

#17 BrianDrab (Trusted Helper, Malware Removal, 3,591 posts)

After doing step 1, running the Fix-It tool and re-booting, I got a Windows Sidebar pop-up window... it said... Windows Sidebar is managed by your system administrator.


Is this a work computer? Do you have an IT Department that should be looking at the machine? I understand some small businesses don't have the IT resources, and if that's the circumstance here we are willing to help on a case-by-case basis. Many of our fixes don't take into consideration machines joined to a domain or centrally managed. Our Terms of Use, specifically 3b, states the following: "We offer free computer help and tech support for home and personal use. We are not here to support others that work for profit, or to support/replace your company's IT department."


Please let me know. Thanks.

#18 Waynesworld (Member, Topic Starter, 248 posts)

I'm a one-man show... CEO, janitor and all in between.


I use this computer for work and personal use.


Thanks


#19 BrianDrab (Trusted Helper, Malware Removal, 3,591 posts)

Got it. Thanks. Please do the following.


Step#1 - FRST Fix
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
1. Download the attached file (fixlist.txt, 183 bytes) and save it to the Desktop.
Note: It's important that both files, FRST64 and fixlist.txt, are in the same location (in this case the Desktop) or the fix will not work.
2. Run FRST64 by right-clicking on the file and choosing Run as administrator.
3. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
4. When finished, FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.


Step#2 - Security Check
1. Download Security Check from here or here or here.
2. Save it to your Desktop.
3. Right-click SecurityCheck.exe and select Run as administrator. Follow the onscreen instructions inside of the black box.
4. A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: Don't be alarmed if the process runs for 10 to 15 minutes before completing. If it runs for over 30 minutes, just close the program and try running it again.

NOTE: If SecurityCheck aborts and you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED! try rebooting the system and then run SecurityCheck again.


Step#3 - ESET Online Scanner and Post Results
Before running this scan, please temporarily disable your antivirus software to avoid conflicts. You can re-enable it once it's done. Instructions for doing this on many AVs are here. This one could take a while to run but is necessary to ensure there are no remnants hanging around.


  • Please go here and click on the button shown in screenshot 1.JPG.
  • Note: This site is optimized for Internet Explorer. Please use it for this scan. If you wish to use Firefox or Chrome you will be asked to download the ESET Smart Installer first (esetsmartinstaller_enu.exe). Go ahead and download and run this file.
  • Please accept the ESET Online Scanner EULA and click Start.
  • If prompted, allow the Add-On/Active X to install. If you have problems with this step please see this link.
  • Make sure Enable detection of potentially unwanted applications is selected.
  • Click the Advanced Settings link.
  • Make sure Remove found threats is NOT checked.
  • Make sure Scan archives IS checked.
  • Make sure Scan for potentially unsafe applications IS checked.
  • Make sure Enable Anti-Stealth technology IS checked.
  • (screenshot: 2.JPG)
  • Click on Start
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, if anything was detected please click the List of found threats link.
  • (screenshot: ThreatsFound.JPG)
  • Then click the Copy to Clipboard link and paste this information into your next reply.
  • (screenshot: CopyToClipboard.JPG)
  • Then you may click the Back button.
  • Check Uninstall Application on Close before clicking finish.

Items for your next post
1. FRST Fix Log
2. Security Check log
3. Contents of the ESET log file


#20 Waynesworld (Member, Topic Starter, 248 posts)

Step #1

Fixlog.txt


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-02-2015
Ran by Wayne at 2015-02-16 14:39:17 Run:2
Running from C:\Users\Wayne\Desktop
Loaded Profiles: Wayne (Available profiles: Wayne)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CreateRestorePoint:
[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar]
[-HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar]
EmptyTemp:
*****************

Restore point was successfully created.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar => Key Deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar => Key not found.
EmptyTemp: => Removed 356.9 MB temporary data.

The system needed a reboot.

==== End of Fixlog 14:43:02 ====


#21 Waynesworld (Member, Topic Starter, 248 posts)

Step #2

checkup.txt


 Results of screen317's Security Check version 0.99.96 
 Windows Vista Service Pack 2 x64 (UAC is enabled) 
 Internet Explorer 9 
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 Java 8 Update 25 
 Java version 32-bit out of Date!
  Java 64-bit 8 Update 31 
 Adobe Flash Player  16.0.0.305 
 Adobe Reader 10.1.9 Adobe Reader out of Date! 
 Mozilla Firefox (35.0.1)
 Google Chrome (40.0.2214.111)
 Google Chrome (40.0.2214.94)
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````

#22 Waynesworld (Member, Topic Starter, 248 posts)

Here is the online scan log:


C:\AdwCleaner\Quarantine\C\Users\Wayne\AppData\LocalLow\Toolbar4\{977AE9CC-AF83-45E8-9E03-E2798216E2D5}\TbHelper2.exe.vir a variant of Win32/Toolbar.Iminent.E potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Wayne\AppData\LocalLow\Toolbar4\{977AE9CC-AF83-45E8-9E03-E2798216E2D5}\uninstall.exe.vir a variant of Win32/Toolbar.Iminent.E potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Wayne\AppData\LocalLow\Toolbar4\{977AE9CC-AF83-45E8-9E03-E2798216E2D5}\update.exe.vir a variant of Win32/Toolbar.Iminent.E potentially unwanted application
C:\Windows\System32\rtfepser.dll a variant of Win32/Urlbot.NAO trojan
C:\Windows\SysWOW64\rtfepser.dll a variant of Win32/Urlbot.NAO trojan

#23 BrianDrab (Trusted Helper, Malware Removal, 3,591 posts)

Great job. Please do the following. The first step is required. Steps 2 & 3 are optional but highly recommended, as they are avenues for infection.

Step#1 - FRST Fix
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
1. Download the attached file (fixlist.txt, 168 bytes) and save it to the Desktop.
Note: It's important that both files, FRST64 and fixlist.txt, are in the same location (in this case the Desktop) or the fix will not work.
2. Run FRST64 by right-clicking on the file and choosing Run as administrator.
3. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
4. When finished, FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.

Step#2 - Keeping Java Updated
WARNING: Java is one of the most exploited programs at this time. The Department of Homeland Security recommends that computer users disable Java. You can read more about this here.
I would recommend that you completely uninstall Java unless you need it to run an important piece of software. If you need it, or are unsure or uncomfortable with removing it, then I would recommend that you disable Java in your browsers until you need it and then enable it at that time. (See How to disable Java in your web browser and How to unplug Java from the browser). If you don't uninstall it, it's also important that you follow the directions below to update to the latest version of Java.

Note: If you don't use Java or don't know if you need it, I would uninstall it.

If you wish to keep it, please follow the instructions below to update to the newest version.
1. Click the Start button
2. Type Java
3. Click on Configure Java in the search results
4. Click the Update tab
5. Click the Update Now button and allow the update to download/install.

Step#3 - Keep Adobe Reader Updated
1. Uninstall Adobe Reader. Click here for instructions on how to uninstall a program.
2. Install the newest version from this website.
Note: Make sure to uncheck the Optional Offer (i.e. Google Chrome, Google Toolbar) unless you really want it.
Note: You should disable JavaScript in the program as this is a highly exploitable method for the bad guys to get in your machine. Follow these instructions to disable it in Adobe Reader.
1. Open Adobe Reader
2. Select Edit from the menu and select Preferences
3. Click on JavaScript in the left column and uncheck Enable Acrobat JavaScript.
4. Click OK and close the program.
NOTE: Many installers, including Adobe Reader, offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not being malicious you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.


Items for your next post
1. FRST Fix log


#24 BrianDrab (Trusted Helper, Malware Removal, 3,591 posts)

Also if you don't mind, please try the following again and let me know the results.


Step#1 - Warnings
Windows Sidebar/Gadgets
I see that you use the Windows Sidebar with Gadgets. Microsoft deems these a security vulnerability and recommends that they are disabled. Unless you have good reason not to, please download and install the Microsoft Fix-It from here. Note: Please ensure you reboot when prompted. If you don't and continue, this could leave your machine in an unstable state.


#25 Waynesworld (Member, Topic Starter, 248 posts)

Here is the new fixlog.txt:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-02-2015
Ran by Wayne at 2015-02-17 08:22:08 Run:3
Running from C:\Users\Wayne\Desktop
Loaded Profiles: Wayne (Available profiles: Wayne)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CreateRestorePoint:
File:C:\Windows\System32\rtfepser.dll
File:C:\Windows\SysWOW64\rtfepser.dll
C:\Windows\System32\rtfepser.dll
C:\Windows\SysWOW64\rtfepser.dll
*****************

Restore point was successfully created.

========================= File:C:\Windows\System32\rtfepser.dll ========================

MD5: 9DEEF86F5709D0249A76F0C14569640B
Creation and modification date: 2008-01-20 20:48 - 2008-01-20 20:48
Size: 1574400
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product Name:
Description:
File Version:
Product Version:
Copyright:

====== End Of File: ======

========================= File:C:\Windows\SysWOW64\rtfepser.dll ========================

MD5: 9604FA14B4756E249E949708B974D2EB
Creation and modification date: 2008-01-20 20:48 - 2008-01-20 20:48
Size: 1282048
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product Name:
Description:
File Version:
Product Version:
Copyright:

====== End Of File: ======

C:\Windows\System32\rtfepser.dll => Moved successfully.
C:\Windows\SysWOW64\rtfepser.dll => Moved successfully.

==== End of Fixlog 08:22:30 ====


#26 Waynesworld (Member, Topic Starter, 248 posts)

I did uninstall Java as you suggested.

I don't know if I need it or not.


I uninstalled and re-installed Adobe Reader per your instructions.


I selected the Fix It that said Disable Windows Sidebar and Gadgets and ran it. Selected re-start computer when prompted to. When the computer re-started it opened the browser back up to where I was.

Also, I got that pop up window again from Windows Sidebar.

It said Windows Sidebar is managed by your system administrator.


I went to Control Panel \ User Accounts to make sure that I am the administrator, and I am. So, I don't know why it is not allowing the change.


#27 BrianDrab (Trusted Helper, Malware Removal, 3,591 posts)

Thank you. Let's do the following to confirm that it's disabled.


1. Click your Start button.

2. Type cmd.exe and hit enter on the keyboard.

3. You should have a black command-prompt window open.

4. Copy and paste the following line into the command prompt window. Note: To paste you will need to right-click your mouse in the window and select paste.

reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar" /v TurnOffSidebar

5. Hit Enter.


If the results look like the following, we are good to go.

TurnOffSidebar    REG_DWORD    0x1


Let me know. Thanks.


#28 Waynesworld (Member, Topic Starter, 248 posts)

Ok... I did as instructed and I did get the result TurnOffSidebar REG_DWORD 0x1


#29 BrianDrab (Trusted Helper, Malware Removal, 3,591 posts)

Excellent. Everything is good and you are malware free. The "Windows Sidebar is managed by your system administrator" message won't come up anymore.


Are you still having issues with "There is No Disk in the drive" or has that subsided now?


#30 Waynesworld (Member, Topic Starter, 248 posts)

I'm thinking that only happened when I ran OTL.


Is there any way you can help me with this font issue that I'm having within one of my software programs?


I was told by the software company that the issue is with a recent Windows update.


Here is what their email said:


Until Microsoft releases a fix, here are your options to consider:

  1. Don't do anything. Continue to operate with the font problem until Microsoft releases a fix.
  2. Acquire or repurpose a computer with a newer operating system to use until Microsoft releases a fix.
  3. Uninstall the latest security update and turn off automatic updates temporarily; this process is described in KB Article 13531. This will return the fonts to normal. WARNING: this does mean Windows Security will not be up to date and your computer will not pick up new updates until you turn automatic updates back on. This option carries security risks that should not be ignored; Microsoft fixed a critical security flaw with this latest update.
  4. Upgrade your Microsoft operating system. Proceed with caution: this option carries risk, and requires technical expertise to perform a successful upgrade. It also requires you to learn to navigate a new operating system and to consider compatibility issues for your other software programs. Due to the time of year, this option should be carefully evaluated.

As soon as we are made aware of a fix from Microsoft, we will let you know.


Here is the link to that article.

http://kb.drakesoftw...es-Font-Problem


I did what it said to do but the Windows Update (KB3013455) does not show up under installed updates however it does show up under View Update History.
