XP 64 bit question


I have a Windows XP 64 bit computer. "dds.scr" isn't supported (it runs on Windows 7 64 bit though). GMER ran but with many of the checkboxes greyed out. It gave a message "there was no system modifications" but didn't produce any logs.

I have the Full version of Malwarebytes and have another thread going about my wife's computer which was infected with the Windows XP Anti-Virus malware.

I wanted to check my computer as I've pulled things back and forth on USB sticks between the 2 computers.

Here's the Malwarebytes logs including the protection logs. One of the Protection logs says that there is no IP protection. I don't know if that is because I have run Defogger, or that I was running the GMER scan.

mbam-log-2011-06-11 (20-56-46).txt

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6837

Windows 5.2.3790 Service Pack 2

Internet Explorer 8.0.6001.18702

6/11/2011 8:56:46 PM

mbam-log-2011-06-11 (20-56-46).txt

Scan type: Full scan (C:\|F:\|)

Objects scanned: 347786

Time elapsed: 1 hour(s), 33 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

protection-log-2011-06-11.txt

16:01:57 Administrator MESSAGE Scheduled update executed successfully

16:02:05 Administrator MESSAGE Database updated successfully

protection-log-2011-06-12.txt

04:58:26 Administrator MESSAGE Protection started successfully

04:58:30 Administrator ERROR IP protection failed: PfMakeLog failed with error code 122


Hi, Windows XP x64 is kind of rare; not much will support it or run on it.

To look it over please do the following:

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.


Your logs are clean of malware, but you may have a potential hard drive failure in the near future according to the Event Viewer.

\Device\Harddisk0\DR0, has a bad block
It may not fail, but usually when I see those errors it does mean the drive is starting to go bad.

We can try to repair the bad block by doing the following:

Go to Start > Run, type in cmd, then hit OK.

Then type in chkdsk /r /f and hit Enter.

Type in Y at the prompt and then restart the computer.

Let it run through this check and then let me know how it goes.


Yes, it doesn't have any output; the only way to tell if it did anything is to go into the Event Viewer and see whether there are any more bad block messages dated today.

To do that, click Start, then right-click on My Computer, choose Manage, and click the plus sign next to Event Viewer over on the left.

Select the System option, then over on the right look for any errors that say Disk on them. If they are red or yellow, double-click on them and see if it says the following:

\Device\Harddisk0\DR0, has a bad block

Let me know if that is present and if not how it is running.
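A scripted version of the two checks above (queue chkdsk, then look in the System log for further disk errors), added here as an example; it is not part of the original replies. It assumes Windows PowerShell 2.0 is installed on the XP x64 machine (Get-EventLog works there, whereas Get-WinEvent needs Vista or later), and that the Disk/Ntfs event IDs and the Winlogon 1001 boot-time chkdsk report are the standard XP/2003 ones. The 30-day window and the -ScheduleChkdsk switch are my own choices. Note that chkdsk /r already implies /f, so the /f in the instructions above is harmless but redundant.

```powershell
# Added example, not from the thread: summarise disk-health events from the System log,
# show the last boot-time chkdsk report, and optionally queue chkdsk for the next reboot.
# Assumes Windows PowerShell 2.0 on XP/2003 x64, run from an administrator prompt.
param(
    [datetime]$Since = (Get-Date).AddDays(-30),   # how far back to look (assumption: 30 days)
    [switch]$ScheduleChkdsk                        # also queue "chkdsk C: /r" for the next boot
)

# Source:EventID pairs that appear in this thread's Event Viewer output.
# Disk 7  = "The device, \Device\HarddiskN\DRn, has a bad block."
# Disk 51 = "An error was detected on device ... during a paging operation."
# Ntfs 55 = "The file system structure on the disk is corrupt and unusable."
# Ntfs 50 = the "Windows - Delayed Write Failed" popup.
$watch = @{
    'Disk:7'  = 'bad block'
    'Disk:51' = 'error during paging I/O'
    'Ntfs:55' = 'file system corrupt, chkdsk needed'
    'Ntfs:50' = 'delayed write failed (data lost)'
}

function Get-DiskErrorSummary {
    $hits = Get-EventLog -LogName System -After $Since -EntryType Error, Warning |
        Where-Object { $watch.ContainsKey("$($_.Source):$($_.EventID)") }
    if (-not $hits) { return "No disk/ntfs errors in the System log since $Since" }

    # One row per day / source / event ID with a count, plus the device path from the message,
    # so a burst like "30 bad blocks at 9:04 PM" shows up as a single line.
    $hits |
        Group-Object { '{0}|{1}|{2}' -f $_.TimeGenerated.ToString('yyyy-MM-dd'), $_.Source, $_.EventID } |
        Sort-Object Name |
        ForEach-Object {
            $e = $_.Group[0]
            $device = ($e.Message -split '\r?\n')[0].Trim()
            $vals = @($e.TimeGenerated.ToString('yyyy-MM-dd'), $e.Source, $e.EventID, $_.Count,
                      $watch["$($e.Source):$($e.EventID)"], $device)
            '{0,-10} {1,-5} {2,3} {3,4}x  {4}  <- {5}' -f $vals
        }
}

function Get-LastChkdskReport {
    # On XP/2003 the boot-time chkdsk (autochk) result is written to the Application log
    # by source Winlogon with event ID 1001; that is where "did the repair work" is recorded.
    Get-EventLog -LogName Application -After $Since -ErrorAction SilentlyContinue |
        Where-Object { $_.Source -eq 'Winlogon' -and $_.EventID -eq 1001 } |
        Sort-Object TimeGenerated -Descending |
        Select-Object -First 1
}

Get-DiskErrorSummary

$report = Get-LastChkdskReport
if ($report) { ''; "Last boot-time chkdsk report ($($report.TimeGenerated)):"; $report.Message }
else         { ''; "No boot-time chkdsk report logged since $Since" }

if ($ScheduleChkdsk) {
    # chkdsk cannot lock the system volume while Windows is running, so it asks whether to
    # run at the next boot; piping Y answers that prompt. /r locates bad sectors and implies /f.
    cmd /c 'echo Y | chkdsk C: /r'
    'chkdsk scheduled; reboot to run it.'
}
```

Run it once before the reboot to get a baseline, and again afterwards: if the Disk 7 rows stop appearing and the Winlogon 1001 report shows no further bad clusters, the repair held; if new Disk 7 or Disk 51 rows keep arriving, the drive is failing and the reply above about replacing it applies.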


{These are all from last night {6-15-11}. I ran the Disk check again and installed Java updates and Windows updates including the Windows Malicious Software Removal update. I uninstalled Lavasoft because since yesterday it was putting up update screens which didn't do anything. I had installed the Defogger previously}

\SystemRoot\SysWow64\DRIVERS\mdc8021x.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

The DS1410D service failed to start due to the following error:

The system cannot find the file specified.

( this seems to be a printer error I see from the internet)

The AEGIS Protocol (IEEE 802.1x) v2.3.1.9 service failed to start due to the following error:

This driver has been blocked from loading

The Lavasoft helper driver service failed to start due to the following error:

A device attached to the system is not functioning.

Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

The IMAPI CD-Burning COM Service service failed to start due to the following error:

The service did not respond to the start or control request in a timely fashion.

( I did use the Defogger)

The DS1410D service failed to start due to the following error:

The system cannot find the file specified.

\SystemRoot\SysWow64\DRIVERS\mdc8021x.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

6-14-11

The AEGIS Protocol (IEEE 802.1x) v2.3.1.9 service failed to start due to the following error:

This driver has been blocked from loading

The IPSec driver has entered Secure mode. IPSec policies, if they have been configured, are now being applied to this computer.

6-12-11

The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:

The device, \Device\Harddisk0\DR0, has a bad block.

{I got a bunch of these Bad Blocks, followed by "C is corrupt". I got this right after I made one of the logs. I didn't run the disk check immediately, but did it when you asked me, which was soon after}

6-11

{I saw these Windows delayed write popups on this day, which made me think the malware had gotten into my computer}

The system failed to flush data to the transaction log. Corruption may occur.

Application popup: Windows - Delayed Write Failed : Windows was unable to save all the data for the file \Device\HarddiskVolume3\$Mft. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

6-10-11

( got about 30 of these at 9:04PM)

The device, \Device\Harddisk0\DR0, has a bad block.

6-9-11

{I got a whole stream of disk errors after returning from a trip

about 30 of these between 6:42 and 6:43}

An error was detected on device \Device\Harddisk1\DR3 during a paging operation.

5-31-11

{ got a bunch of these, they seem to have subsided now}

Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.

{I have a bunch of IP error also around 5-31-11 when we left on our trip and my wife's machine was infected, I've added some XXX to the IPs}

Your computer has automatically configured the IP address for the Network Card with network address 00188B1EXXX. The IP address being used is 169.254.193.XXX.

Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00188B1E7XXX. The following error occurred:

The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

The name "HOME :1d" could not be registered on the Interface with IP address 169.254.193.XXX. The machine with the IP address 169.254.74.XX did not allow the name to be claimed by this machine.

Your computer has automatically configured the IP address for the Network Card with network address 00188B1E7EFB. The IP address being used is 169.254.193.XXX.

5-24-11 ( there are periodic errors like this which seem to have subsided)

The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service is no longer synchronized and cannot provide the time to other clients or update the system clock. Monitor the system events displayed in the Event Viewer to make sure that a more serious problem does not exist.


OK, good, it took care of the bad block, so no more disk errors.

Old wireless software is the cause of this error: \SystemRoot\SysWow64\DRIVERS\mdc8021x.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver. Have you ever had any wireless software installed?

The DS1410D service failed to start due to the following error:

The system cannot find the file specified.

( this seems to be a printer error I see from the internet)

This error can be fixed instructions are here:

http://support.citrix.com/article/CTX106399


kahdah said

"Old wireless software is the cause of this error : \SystemRoot\SysWow64\DRIVERS\mdc8021x.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver. Have you ever had any wireless software installed?"

I wonder if I hit a wrong preference when I set up my router years ago. I don't use wireless. So I need to remove whatever this driver is. Do I just delete it?


Yes, actually simply renaming the file will keep it from loading.

Show hidden files\folders

To Show them:

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Uncheck the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK

Then go here: C:\Windows\SysWow64\DRIVERS\ and find the file mdc8021x.sys. Right-click on it, remove the .sys part and rename it to .old.

Then click off of the file to save it like that.

Reboot and let me know if it helps.


Kahdah said

"The DS1410D service failed to start due to the following error:

The system cannot find the file specified.

( this seems to be a printer error I see from the internet)

This error can be fixed instructions are here:

http://support.citri...ticle/CTX106399 "

link says:

1. Delete/rename the following files: DS1410D.SYS and IB10E32.DLL. This will disable any parallel port operation.

2. Backup and remove the DS1410D registry key located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

I've included Screengrabs of what my registry looks like

I can't find DS1410D.SYS in drive C only in old Drive H. I can't find the IB10E32.DLL

How should I proceed? I'm not sure from how my registry looks what to do to what key.

I see this webpage on how to edit the registry:

http://support.microsoft.com/kb/136393

Thanks!

DS1410D_002.zip
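The rename procedure a few replies up and the two Citrix steps quoted here are the same operation applied to two orphaned driver services (mdc8021x and DS1410D), so here is one scripted version that covers both. It is an added example, not the thread's instructions or the Citrix article's; it assumes Windows PowerShell 2.0 on XP x64 run as Administrator, uses reg.exe for the registry backup, and the backup folder name and the -RemoveKey switch are my own choices. One caveat the thread itself shows later: renaming the .sys alone leaves the service entry behind, so the Service Control Manager keeps logging "failed to start ... The system cannot find the file specified" at every boot (that is exactly the AEGIS error that remains in the next post). Setting Start to 4 (disabled) is the quieter fix; deleting the key, as the Citrix steps say, is what -RemoveKey does after the export.

```powershell
# Added example, not from the thread or the Citrix article: neutralise an orphaned
# third-party driver service. Steps: 1) export the Services key as a backup,
# 2) copy and rename the .sys so it cannot load, 3) set Start=4 (disabled) so the SCM
# stops trying to start it, or -RemoveKey to delete the key instead.
# Assumes Windows PowerShell 2.0 on XP x64, run from an Administrator prompt.
param(
    [Parameter(Mandatory = $true)][string]$ServiceName,              # e.g. DS1410D or mdc8021x
    [string]$BackupDir = "$env:USERPROFILE\Desktop\driver-backup",   # assumption, any folder works
    [switch]$RemoveKey                                               # delete the key after backup
)

$regKey = "HKLM\SYSTEM\CurrentControlSet\Services\$ServiceName"     # reg.exe syntax
$psKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"    # PowerShell provider syntax
if (-not (Test-Path $psKey)) { throw "No service key found: $regKey" }

# ImagePath comes in several shapes in the Services key; turn each into an absolute path.
function Resolve-DriverPath([string]$imagePath) {
    if (-not $imagePath) { return $null }
    $p = $imagePath.Trim('"')
    if ($p -match '^\\SystemRoot\\(.+)$') { return Join-Path $env:SystemRoot $matches[1] } # \SystemRoot\SysWow64\DRIVERS\x.sys
    if ($p -match '^\\\?\?\\(.+)$')       { return $matches[1] }                           # \??\C:\path\x.sys
    if ($p -match '^[A-Za-z]:\\')         { return $p }                                    # already absolute
    return Join-Path $env:SystemRoot $p                                                    # System32\DRIVERS\x.sys
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1) Registry backup. XP's reg.exe has no /y overwrite flag, so remove any old export first.
$regFile = Join-Path $BackupDir "$ServiceName.reg"
if (Test-Path $regFile) { Remove-Item $regFile }
& reg.exe export $regKey $regFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed for $regKey" }
"Backed up $regKey to $regFile"

# 2) Driver file: keep a copy, then rename .sys -> .old in place so it can never be loaded.
$props  = Get-ItemProperty $psKey
$driver = Resolve-DriverPath $props.ImagePath
if ($driver -and (Test-Path $driver)) {
    Copy-Item $driver (Join-Path $BackupDir (Split-Path $driver -Leaf))
    $renamed = [System.IO.Path]::ChangeExtension($driver, '.old')
    Rename-Item -Path $driver -NewName (Split-Path $renamed -Leaf)
    "Renamed $driver -> $renamed"
} else {
    # The DS1410D case in this thread: the key is still there but the file is already gone.
    "Driver file not found (ImagePath='$($props.ImagePath)'); nothing to rename"
}

# 3) Stop the Service Control Manager from trying to start it at every boot.
if ($RemoveKey) {
    Remove-Item $psKey -Recurse
    "Removed $regKey"
} else {
    Set-ItemProperty $psKey -Name Start -Value 4 -Type DWord   # 4 = SERVICE_DISABLED
    "Set $regKey\Start = 4 (disabled)"
}
'Reboot to apply.'
```

Usage: `.\Disable-OrphanDriver.ps1 -ServiceName mdc8021x` and `.\Disable-OrphanDriver.ps1 -ServiceName DS1410D -RemoveKey`. If the machine later needs the driver back, double-click the exported .reg file and rename the .old copy to .sys again.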


Now I'm just getting these 2 errors and warnings in Event Viewer.

The AEGIS Protocol (IEEE 802.1x) v2.3.1.9 service failed to start due to the following error:

The system cannot find the file specified.

The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service is no longer synchronized and cannot provide the time to other clients or update the system clock. Monitor the system events displayed in the Event Viewer to make sure that a more serious problem does not exist.


Ok, the first one is fine since it is looking for the file you renamed.

No worries, we can leave it alone, and the other as well.

No problems will come from either; the time sync error is always going to be present.

It only means that when the clock was set to sync with the time server it could not.

How is it running?


Yes, you can re-enable defogger and do the rest to remove what we used.

  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)" then click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u26-windows-i586.exe to install the newest version.

Delete\uninstall anything else that we have used that is leftover.

After that you're all set.

===The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance===

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - Some great guidelines to follow to prevent future infections; please read the Prevention article by Miekiemoes.

How did I get infected in the first place? Also this one by Tony Klein.

If your computer is slow - Things you can do if your computer is slow.

PC Safety and Security - What Do I Need? Security suggestions and general hints and tips for PC security.

File sharing program dangers - Reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent etc.

===Free antimalware tools used for on demand scanning and cleaning (no real time protection unless purchased)===

Malwarebytes Antimalware

superantispyware

===Free antivirus links===

This is antivirus and antispyware.

Microsoft Security Essentials

This is free antispyware protection and Antivirus protection.

AVG free

This is just antivirus protection.

Antivir

This is antivirus and antispyware protection.

Avast


Great, Thank you so much!!!

I was reading some of the included webpages and I noticed on the one about what can slow you computer. "Don't install more than one Antivirus and Firewall with Realtime Protection enabled." I have ESET and then I bought Malwarebytes. They're both running I guess. I haven't seen any mention of that as a problem until now. Should I turn off part of ESET?

