Problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by VeryBerry, Jan 21, 2011.

  1. VeryBerry

    VeryBerry Private E-2

    Hello,

    I have completed all the scans and am attaching the logs.

    My computer has been crashing regularly, programs like Microsoft Word and Excel kept reinstalling themselves every time I try to look at a document (though that seems to have stopped). What prompted me to come here again is finding an anonymous logon in my security logs. Every site had conflicting and confusing information about that, so I hope you can help me as to what exactly that is. Please help!

    Also, in case it is relevant: when I first ran Root Repeal, it gave me this message: "Error invalid PE image found!"

    I'll put the rest of the logs in the next post.
     


  2. VeryBerry

    VeryBerry Private E-2

    Thank you!!!
     


  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am not seeing any malware in those logs.

    Only thing I would question is this:

    What does this folder contain?
    • C:\WINDOWS\system32\tempdir

    What login, and what logs?
     
  4. VeryBerry

    VeryBerry Private E-2

    Hi and thank you for responding so quickly. I have no idea what that is, I have no idea what most of this stuff is. I did a search and found two files.

    1. The "tempdir" file has a date of Dec. 6, 2010 and has four icons in it: tiny pdf; tinypdf1.dll; tinypdf2.dll; tinypdf. None of them will open. It says it is an application extension used by the operating system. The Properties box for tinypdf1.dll says "TinyPDF for Windows 2000/XP/2003/Vista Copyright (C) 2007 RealSoftware Solutions Inc."

    2. Then there is another folder "Tempdir" with a date of Dec. 14, 2001. There is nothing inside and the properties indicate it is a file folder "C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}"

    It was on my Online Armour firewall log (which I had to uninstall to run one of the scans). I wrote down the info though:

    Type: Success Audit
    Date: 1/20/2011 (there were a number of dates going back as far as two years, maybe more)
    Time: 3:42:36
    Source: Security
    Category: Logon/Logoff
    User: NT AUTHORITY/ANONYMOUS LOGON

    And there was a number: 540

    I also found a 1394 net adapter connection that I never had before. I don't know what it is or what it does, so I disabled it. My connection is still fine so I don't think I need it, though I would like to know what it is and how it got there. I don't have wireless, so if it's a wireless adapter or whatever, why is it there? Sorry if these are really stupid questions; I try to read about this stuff, but all the info is conflicting. One site said the anonymous logon/logoff 540 is just the machine logging itself out after I do. Another site said someone may be hacking my computer. I'm just confused.
     
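    Added illustration, not part of the thread or the poster's logs: a small Python triage over Security-log records transcribed in the same field layout the poster used above. On Windows 2000/XP/2003, event 540 is a successful network logon and 538 a logoff; a 540 under NT AUTHORITY\ANONYMOUS LOGON is a credential-less network (null session) connection, which Windows and neighbouring machines generate routinely, so the script counts them and lists their dates rather than treating any single one as an intrusion. The sample records, the "Event ID" line and the HOMEPC\owner account are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the field layout the poster transcribed (Event ID added
# as its own line); not real data from this thread.
SAMPLE_LOG = """\
Type: Success Audit
Date: 1/20/2011
Time: 3:42:36
Event ID: 540
User: NT AUTHORITY\\ANONYMOUS LOGON

Type: Success Audit
Date: 1/20/2011
Time: 3:42:40
Event ID: 538
User: NT AUTHORITY\\ANONYMOUS LOGON

Type: Success Audit
Date: 1/19/2011
Time: 9:01:12
Event ID: 528
User: HOMEPC\\owner
"""

# Windows 2000/XP/2003 Security log event IDs in the Logon/Logoff category.
EVENT_NAMES = {528: "successful logon", 538: "user logoff", 540: "successful network logon"}
ANON = "NT AUTHORITY\\ANONYMOUS LOGON"

def parse_records(text):
    """Split the transcript into one dict per event; 'Event ID' becomes an int."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        rec["Event ID"] = int(rec.get("Event ID", 0))
        records.append(rec)
    return records

def triage(records):
    """Separate anonymous network logons (null sessions) from the owner's own logons."""
    anon = [r for r in records if r["Event ID"] == 540 and r["User"] == ANON]
    kinds = Counter(EVENT_NAMES.get(r["Event ID"], "other") for r in records)
    return {"anonymous_network_logons": len(anon),
            "anonymous_dates": sorted({r["Date"] for r in anon}),
            "logoffs": kinds["user logoff"],
            "interactive_logons": kinds["successful logon"]}
```

A run of anonymous 540 events spread over months with no matching change in installed software, as in the poster's case, is the normal pattern; what would merit a closer look is a sudden cluster of them at odd hours alongside new accounts or services.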
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, these are not malware related problems. You have nothing to worry about. If you like, you can further discuss the "NT AUTHORITY/ANONYMOUS LOGON" in the software forums. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
