
PC not working correctly after Smart PC Cleaner uninstalled


badpc


Hi Gringo

You were assisting with this post that was unfortunately lost. I can't remember all the details originally posted on 25/10/2012; however, the basic problem is that the PC is not working correctly after Smart PC Cleaner was uninstalled: Internet Explorer hangs or just disappears when started, and icons on the desktop and on the Start menu have to be opened by using right mouse click -> Open.

The last post you sent was :

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

In your next post I need the following

report from Combofix

let me know of any problems you may have had

How is the computer doing now after running the script?

Gringo

I hadn't completed the above. Do I need to repost your previous replies and logs, or should I just proceed with the above?

Glad everything is back up and running.

Badpc


Gringo

Ran the CFScript in ComboFix, here are the results:

ComboFix 12-11-04.01 - Home 11/04/2012 0:39.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1278.363 [GMT -4:00]

Running from: c:\documents and settings\Home\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Home\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *Disabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2012-10-04 to 2012-11-04 )))))))))))))))))))))))))))))))

.

.

2012-11-01 05:00 . 2012-11-01 05:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Softland

2012-11-01 05:00 . 2012-11-01 05:00 -------- d-----w- c:\documents and settings\Home\Application Data\Softland

2012-11-01 04:59 . 2012-10-03 16:50 23944 ----a-w- c:\windows\system32\dopdfmn7.dll

2012-11-01 04:59 . 2012-10-03 16:50 20872 ----a-w- c:\windows\system32\dopdfmi7.dll

2012-11-01 04:59 . 2010-02-05 19:00 1700352 ----a-w- c:\windows\system32\GdiPlus.dll

2012-11-01 04:59 . 2012-11-01 04:59 -------- d-----w- c:\program files\Softland

2012-10-27 15:57 . 2012-10-27 15:57 -------- d-----w- c:\documents and settings\Matthew\Application Data\Malwarebytes

2012-10-25 05:18 . 2012-10-25 05:18 -------- d-----w- c:\documents and settings\Home\Application Data\Malwarebytes

2012-10-25 05:18 . 2012-10-25 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-10-25 05:18 . 2012-10-25 05:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-10-25 05:18 . 2012-09-29 23:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-10-23 05:51 . 2012-10-23 05:51 -------- d-----w- c:\program files\Common Files\PC Tools

2012-10-23 00:29 . 2012-10-23 00:29 -------- d-----w- c:\documents and settings\All Users\Uniblue

2012-10-09 21:53 . 2012-10-09 21:53 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Sun

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-10-27 01:25 . 2012-04-07 01:30 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-10-27 01:25 . 2011-06-04 02:27 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-26 13:12 . 2011-07-31 18:01 664 ----a-w- c:\documents and settings\Rudolph\Local Settings\Application Data\d3d9caps.tmp

2012-08-23 20:24 . 2012-08-23 20:24 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-08-23 20:24 . 2012-08-23 20:25 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-08-23 20:24 . 2012-08-23 20:25 821736 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-08-23 20:24 . 2012-08-23 20:25 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-10-24 17:50 . 2012-10-30 05:53 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn1\yt.dll" [2011-10-06 2015544]

.

[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]

[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]

[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]

[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2012-01-04 6497592]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-12-15 103720]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]

"LGODDFU"="c:\program files\lg_fwupdate\lgfw.exe" [2012-08-24 27760]

"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2010-04-20 222504]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - [N/A]

VPN Client.lnk - [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

.

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/25/2012 1:18 AM 399432]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/25/2012 1:18 AM 676936]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/25/2012 1:18 AM 22856]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - EraserUtilDrv11220

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-04 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 01:26]

.

2012-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-30 22:21]

.

2012-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-30 22:21]

.

2012-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1677128483-682003330-1003Core.job

- c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-04 03:31]

.

2012-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1677128483-682003330-1003UA.job

- c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-04 03:31]

.

2012-11-04 c:\windows\Tasks\User_Feed_Synchronization-{06B50F7A-8905-436E-B510-FC3AEBF08103}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

.

2012-11-04 c:\windows\Tasks\User_Feed_Synchronization-{3B3AFBDC-3401-4EC4-A696-FBCA10255DA3}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html

TCP: DhcpNameServer = 10.0.0.1

FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\y1b1oqgh.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - ExtSQL: 2012-10-10 22:39; {20a82645-c095-46ed-80e3-08825760534b}; c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\y1b1oqgh.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - ExtSQL: !HIDDEN! 2010-11-20 00:49; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-11-04 00:51

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2524)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2012-11-04 00:54:28

ComboFix-quarantined-files.txt 2012-11-04 04:54

ComboFix2.txt 2012-10-31 02:53

.

Pre-Run: 13,244,915,712 bytes free

Post-Run: 13,304,270,848 bytes free

.

- - End Of File - - 695620EDA0640AB5F7BD8AC5A226B448

Regards

Badpc


Gringo

Forgot to mention there were no issues running ComboFix and the issue with Internet Explorer is the same: it launches for a few moments then closes. Opened MS Word (old version) and I got this error:

Also when attempting to open pre-installed games, e.g. Internet Checkers, I get this error:

Also still have to open icons on the desktop and from the start menu using the mouse right click -> open.

Apart from that the pc is running well.

Regards

Badpc


Gringo


I posted the errors but they didn't show. The Word error was:

An error occurred and this feature is no longer functioning properly. Please run setup and select "Repair..." to restore this application.

The Internet Checkers error:

Checkers is unable to start. Close some other programs and try again, or try reinstalling checkers using Add/Remove Programs in the Control Panel.

Badpc


  • Staff

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo


Gringo

Ran OTL.exe, it started to scan and then a message box appeared with the message:

Access violation at address 052DFB7 in module 'OTL.exe'. Read of address 00000000.

I clicked 'Ok' and the scan stopped. No Notepad files opened.

I noted that it was scanning C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder ....

Should I run it again?

Regards

Badpc


  • Staff

Download Windows Repair (all in one) from this site

Install the program then run

Go to step 2 and allow it to run Disc check

Once that is done then go to step 3 and allow it to run SFC

On the start repairs tab select advanced mode and click start

Select the items below (remove the ticks from the rest) and tick restart system when finished

  • Reset Registry permissions
  • Reset File permissions
  • Repair WMI
  • Repair Windows Firewall
  • Repair Internet Explorer
  • Remove policies set by infection
  • Repair Winsock & DNS cache
  • Remove temp files
  • Repair proxy settings
  • Repair Windows Update


Gringo

Clicked Yes, it brought up Step 4 which seemed to do something automatically, then brought up a tweeting.com page with lots of file information, then the PC rebooted itself. When I run Start Repairs again it asks to create a restore point and back up the registry again.

Badpc


Gringo

After the repair was run, Internet Explorer now opens successfully and the Internet games open successfully; however, MS Word still has an error when opened and I still have to use right mouse click -> Open to launch desktop icons and items from the Start menu.

Not tried to install any software yet, will try later.

Badpc


  • Staff

Scan with exeHelper:

Please download exeHelper to your desktop.

  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Gringo

Results from exeHelper

exeHelper by Raktor

Build 20100414

Run at 23:57:24 on 11/09/12

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

Regards

Badpc


Gringo

Ran Windows Repair again; there is no change to the desktop icons, still have to use right mouse click -> Open, same with the items on the Start menu. Also noticed a message box appears when the PC is starting up - GetODDModel - Invalid picture.

MS Word has the same error, but it does open and can be used.

I will attempt to install some software and see if that works, will post with the update on that.

Regards

Badpc


Gringo

I created a new profile (limited, not administrator) and the only icon on the Start menu that launches when clicked is Internet Explorer; all others use right mouse click -> Open, and the same occurs with the icons on the desktop.

Should I create an admin account to see if I can install any software?

Regards

Badpc


This topic is now closed to further replies.