Do I have a Worm, Bug, Virus, Malware? Windows7 X 64, Win7

  • Question

  • If you take a moment to search some of my posts you will find I have been having all sorts of issues.  At random some issues: Hang/Freeze/Tons of weird errors in event viewer relating to services winint and movie maker, internet connections (DNS/DHCP), lots of security reports of services being stopped, hundreds of anonymous logons.  Registry issues.  Winlogin issues.  My privileges are frequently giving me issues.  Adobe has been reporting errors.  When I run registry cleaners they find MANY invalid entries on a very frequent BASIS.  Iexplorer is giving me weird issues and crashing (shutting down) or locking up at random.  Possibly on sites that contain specific words or phrases - I have no clue?  Some minidump files get deleted/removed or otherwise disappear (Not overwritten....  They are there one day then 20 hours later the folder is empty). Automatic updates pauses.  When I try to review my security log I get a big red X that eventually tells me "Access is denied(5)."  Weird .inf and .msi errors in event viewer.  Boot issues as well.

    A lot of my issues seem to be symptoms of uhhh?  The Conficker worm or something? Or symptoms of 1-2 other trojans/viruses I read about.

    I have had thousands of errors.  80% of them started on 3/24/2010.  Some of my event viewer logs go back to 3/4/2010.  Again this must be relevant, right?  All of the errors 80% of them started on the same day. Then either repeat themselves or variations.

    I ran: Trend Micro, SaSpyware, AVG, Spybot, Bitdefender, Trojan Hunter, Microsoft Security Essentials, and Defender.

    Although 1 virus was found...  That was it:

    Trojan.Agent/Gen-FakeAlert[Local]
     C:\WINDOWS.OLD\USERS\DADDY\APPDATA\LOCAL\TEMP\{0DF01249-5A6A-450F-91DA-08AAC0EA2475}\{DE4DF4A7-8E12-41EE-B7DD-1A9E6E4117EB}\CAPABILITYTABLE.EXE
     C:\WINDOWS.OLD\USERS\DADDY\APPDATA\LOCAL\TEMP\{5BFD45E3-218A-4969-9D63-82B83B6742A1}\{DE4DF4A7-8E12-41EE-B7DD-1A9E6E4117EB}\CAPABILITYTABLE.EXE

    PLEASE PLEASE PLEASE....  Are any of these errors possibly related?  Can you please help?  Why would they all have started on the same day?  I apologize I randomly cut and pasted errors and did not separate them.  If you need me to I can.

    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

    DETAIL -

    1 user registry handles leaked from \Registry\User\S-1-5-21-2141844393-1933629333-242707573-500:

    Process 2736 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-2141844393-1933629333-242707573-500

    A method call to an object in a COM+ application was rejected because the caller is not properly authorized to make this call. The COM+ application is configured to use Application and Component level access checks, and enforcement of these checks is currently enabled. The remainder of this message provides information about the component method that the caller attempted to invoke and the identity of the caller.Svc/Lvl/Imp = 10/6/3, Identity = Daddy-PC\Daddy

    The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80070057 from line 65 of d:\w7rtm\com\complus\src\events\tier1\subscription.cpp. This warning may be expected if the computer is low on resources. If the computer is not low on resources, and these warnings persist, it may indicate a problem in the COM+ Event System.

    DETAIL -

    1 user registry handles leaked from \Registry\User\S-1-5-21-2141844393-1933629333-242707573-1000:

    Process 488 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-2141844393-1933629333-242707573-1000

    The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{9624D5E1-FEA9-4331-88B5-64DE4A983718}. The backup browser is stopping.

    The previous system shutdown at 6:10:53 PM on ‎3/‎28/‎2010 was unexpected.

    The IP address lease 192.168.1.100 for the Network Card with network address 0x00248C4F9747 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

    The computer has rebooted from a bugcheck. The bugcheck was: 0x0000003d (0xfffff80003fc7110, 0x0000000000000000, 0x0000000000000000, 0xfffff80002c8810e). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 032910-31527-01.

    The computer has rebooted from a bugcheck. The bugcheck was: 0x0000003d (0xfffff8800f241160, 0x0000000000000000, 0x0000000000000000, 0xfffff88003f64baa). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 040610-20404-01.

    The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0xfffffa9a06a73ad0, 0x0000000000000002, 0x0000000000000001, 0xfffff80002a86370). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 041010-18735-01.

    Faulting application name: instgui.exe, version: 0.0.0.0, time stamp: 0x47b4a51a

    Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp: 0x4a5be02b

    Exception code: 0xc0000006

    Fault offset: 0x000000000003548f

    Faulting process id: 0x1134

    Faulting application start time: 0x01cabc11d5104680

    Faulting application path: D:\install\x64\instgui.exe

    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll

    Report Id: a8eb9350-2806-11df-988b-00248c4f9747

    Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e

    Faulting module name: gp.ocx_unloaded, version: 0.0.0.0, time stamp: 0x4b2640f3

    Exception code: 0xc0000005

    Fault offset: 0x71ac0c11

    Faulting process id: 0x3ac

    Faulting application start time: 0x01cabbbf3a4c1220

    Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

    Faulting module path: gp.ocx

    Report Id: 6a889f20-27b3-11df-a016-00248c4f9747

    Processor 0 in group 0 exposes the following:

    1 idle state(s)

    0 performance state(s)

    0 throttle state(s)

    Automatic Updates is now paused.

    Fault bucket , type 0

    Event Name: WindowsUpdateFailure

    Response: Not available

    Cab Id: 0

    The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

    Installation of the Proof of Purchase failed. 0xC004F050

    Partial Pkey=GD4GG

    ACID=?

    Detailed Error[?]

    The attempt by user Daddy-PC\Daddy to restart/shutdown computer DADDY-PC failed

    www.dutchacresequipment.com

      - Provider

       [ Name]  Microsoft-Windows-DNS-Client
       [ Guid]  {1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}

    Sunday, April 11, 2010 10:19 PM
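The question above asks whether the pasted errors are related and why they "all started on the same day". One defender-side way to answer that is to pull the timestamps out of the entries themselves instead of trusting the paste order. Two details in the excerpts make this possible: the bugcheck entries carry a Report Id of the form 032910-31527-01, whose leading six digits look like a MMDDYY date (that reading is an assumption in the code below), and the two application-crash entries carry Report Ids that are version-1 UUIDs (third group begins with 1), which embed a 100 ns timestamp and the 48-bit node, here the same NIC address 0x00248C4F9747 that appears in the DHCPNACK event. The script below is an added example, not code from the thread or from Microsoft; the sample log is constructed from lines in the question, and the `summarize` helper is a hypothetical name chosen for this example.

```python
import re
import uuid
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: a few lines copied from the event log excerpts in the
# question above (DHCPNACK, three bugchecks, two faulting-application reports).
SAMPLE_LOG = r"""
The IP address lease 192.168.1.100 for the Network Card with network address 0x00248C4F9747 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
The computer has rebooted from a bugcheck. The bugcheck was: 0x0000003d (0xfffff80003fc7110, 0x0000000000000000, 0x0000000000000000, 0xfffff80002c8810e). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 032910-31527-01.
The computer has rebooted from a bugcheck. The bugcheck was: 0x0000003d (0xfffff8800f241160, 0x0000000000000000, 0x0000000000000000, 0xfffff88003f64baa). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 040610-20404-01.
The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0xfffffa9a06a73ad0, 0x0000000000000002, 0x0000000000000001, 0xfffff80002a86370). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 041010-18735-01.
Faulting application name: instgui.exe, version: 0.0.0.0, time stamp: 0x47b4a51a
Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp: 0x4a5be02b
Report Id: a8eb9350-2806-11df-988b-00248c4f9747
Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e
Faulting module name: gp.ocx_unloaded, version: 0.0.0.0, time stamp: 0x4b2640f3
Report Id: 6a889f20-27b3-11df-a016-00248c4f9747
"""

# Version-1 UUID timestamps count 100 ns intervals from the Gregorian epoch.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

BUGCHECK_RE = re.compile(r"bugcheck was: (0x[0-9a-f]+) .*Report Id: (\S+)\.$", re.I)
FAULT_APP_RE = re.compile(r"^Faulting application name: ([^,]+),")
FAULT_MOD_RE = re.compile(r"^Faulting module name: ([^,]+),")
REPORT_GUID_RE = re.compile(r"^Report Id: ([0-9a-f-]{36})$", re.I)
DHCP_MAC_RE = re.compile(r"network address 0x([0-9A-F]{12}) .*DHCPNACK", re.I)


def uuid1_timestamp(report_id):
    """Decode the UTC timestamp embedded in a version-1 UUID."""
    u = uuid.UUID(report_id)
    if u.version != 1:
        raise ValueError(f"{report_id} is not a version-1 UUID")
    return UUID_EPOCH + timedelta(microseconds=u.time // 10)


def wer_report_day(report_id):
    """Date from a bugcheck Report Id such as 032910-31527-01.
    Assumption: the leading six digits are MMDDYY."""
    m = re.fullmatch(r"(\d\d)(\d\d)(\d\d)-\d+-\d+", report_id)
    if not m:
        return None
    mm, dd, yy = (int(g) for g in m.groups())
    return datetime(2000 + yy, mm, dd, tzinfo=timezone.utc).date()


def parse_events(text):
    """Turn the pasted lines into dated records; crash reports span three lines."""
    events, nic_mac, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BUGCHECK_RE.search(line):
            events.append({"kind": "bugcheck", "code": m.group(1).lower(),
                           "when": wer_report_day(m.group(2)), "node": None})
        elif m := FAULT_APP_RE.match(line):
            pending = {"kind": "crash", "app": m.group(1), "module": None}
        elif (m := FAULT_MOD_RE.match(line)) and pending:
            pending["module"] = m.group(1)
        elif (m := REPORT_GUID_RE.match(line)) and pending:
            stamp = uuid1_timestamp(m.group(1))
            pending.update(when=stamp.date(), time=stamp, node=uuid.UUID(m.group(1)).node)
            events.append(pending)
            pending = None
        elif m := DHCP_MAC_RE.search(line):
            nic_mac = int(m.group(1), 16)
    return events, nic_mac


def summarize(text):
    """Per-day counts, bugcheck code tally, and whether every crash report's
    UUID node matches the NIC address seen in the DHCP event (same machine)."""
    events, nic_mac = parse_events(text)
    days = sorted(str(e["when"]) for e in events)
    crash_nodes = {e["node"] for e in events if e["kind"] == "crash"}
    return {
        "events": events,
        "per_day": dict(Counter(days)),
        "bugcheck_codes": dict(Counter(e["code"] for e in events if e["kind"] == "bugcheck")),
        "first_day": days[0],
        "last_day": days[-1],
        "all_reports_from_dhcp_nic": nic_mac is not None and crash_nodes == {nic_mac},
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("events per day:", s["per_day"])
    print("bugcheck codes:", s["bugcheck_codes"])
    print("span:", s["first_day"], "to", s["last_day"])
    print("crash reports from the DHCP NIC:", s["all_reports_from_dhcp_nic"])
```

Run against the sample, the crash-report UUIDs decode to 4 and 5 March 2010 (UTC) while the bugchecks fall on 29 March, 6 April and 10 April, so the pasted entries are spread over five weeks rather than one day; the two 0x3d stops and one 0xa stop are the only kernel crashes, and every crash report's embedded node matches the NIC from the DHCP event, which confirms the entries came from the same host.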

Answers

All replies

  • Hey Hey Hey!  Is this relevant?  My girl's computer is hooked to the same DSL as mine.  Our 2 computers > Motorola DSL (in Bridge Mode) > Router > Internet.  Although we have made no effort to share computers we are still networked?  Right?  Right?  She is running Vista, I am running Win7.


    It might be unrelated. But... But...  She has had recent privilege errors too.  To the point where she needed to reboot.  Only 2x.  Her event viewer is 100% 'clean'.

    What I have done:

    Ran Memtest on ram

    CPU / HD is not hot

    Ran Dr.Watson

    Ran Western Digital HD software / Ran Seagate software

    Followed the Dcom Error fix instructions here as provided by a mod

    Removed and reinstalled all components

    Ran multiple virus scan/checker

    Dusted

    HD is running 80 degrees F... Chip is not hot

    Installed newest bios

    All fans work

    Ran SiSoftware's Sandra

    Ran Troubleshooting via windows....

    All this and a lot more.  All report back NO!!! ISSUE!!!!

    Sunday, April 11, 2010 10:42 PM
  • I scanned for viruses, I used multiple resources and found none!  However, I am not a tech/engineer.  The errors/situation I reported, could they be signs of a virus?  Could it be something hiding from the scans or that the scan is missing?  Why did everything start happening on 3/28/2010 or thereabouts?  If not a virus, WHAT?
    Monday, April 12, 2010 3:05 PM
  • Service Launched Used Kernel CPU% User CPU% CPU%
    rundll32.exe 2144 97 36 0.1 0.1 0.2
    Monday, April 12, 2010 3:29 PM
  • Anyone at Microsoft?  I posted 3 BSOD errors I have received in the last three weeks.  All of my errors, 20,000 + in the last few days seem to be MS related.  I would GREATLY appreciate if someone could review some of the errors I have posted and give me a little feedback on what a solution might be.  Since I have installed Win 7 all I have had are serious issues. . . .
    Tuesday, April 13, 2010 7:59 PM
  • 1) What chance you could reformat the hard disk and do a fresh install?

    2) My paranoia says online attack and I always switch off remote assistance.

    3) Have you been collecting the updates?

    If the installation never worked well I would recommend a fresh start.


    good luck,

    Wednesday, April 14, 2010 1:05 PM
  • Also, you can try the system recovery options in Windows 7 to see if the issue can be repaired:


    What are the system recovery options in Windows 7?

    System repair and recovery


    • Marked as answer by Linda Yan Monday, April 19, 2010 1:31 AM
    Thursday, April 15, 2010 5:55 AM
  • So, you want me to call the person for every piece of hardware in my machine?  Then what do you suggest?  My device manager says everything is fine.  I am showing no internal errors.  I have run Memtest86.  I have run Dr Watson.  I have run Western Digital.  I have run SpeedFan.  I have run SiSoftware Sandra.  I have run 5 individual gold standard virus/malware/worm searches.  All come back clean and fine.

    Asus Mobo... Ethernet Onboard

    WD - HD

    Cheap Optical Drive

    GE9800 Sound

    Kingston Ram

    I am using a Sony Bravia 42' as a monitor and an Acer 19'

    AMD Phen 955 chip

    ==================================================================

    I have searched to the best of my ability all the forms and databases.  PLEASE if you have helpful information - PLEASE help.  Holy ____ this is so frustrating.  However, if you have general or vague information.....

    Friday, April 16, 2010 1:34 AM
  • I am curious?  For the errors described here what could be one or two relevant causes?  How could they have happened?  What might I have done wrong?  If I just reinstall with every issue, wouldn't it be reasonable to assume the problem will continue?
    Friday, April 16, 2010 1:36 AM
  • Looks like trouble with update 

    "Processor 0 in group 0 exposes the following:

    1 idle state(s)

    0 performance state(s)

    0 throttle state(s)

    Automatic Updates is now paused.

    Fault bucket , type 0

    Event Name: WindowsUpdateFailure

    Response: Not available

    Cab Id: 0

    The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

    Installation of the Proof of Purchase failed. 0xC004F050

    Partial Pkey=GD4GG

    ACID=?"

    says "proof of purchase failed"

    Friday, April 16, 2010 4:01 AM
  • Follow the link

    http://bit.ly/d4Ox6E

    Friday, November 12, 2010 10:55 AM
  • Don't know that this will help but I have the same issue and thus far it's been called a remote access trojan. Mostly anti-malware programs cannot find it because it resides in what appear to be normal system files. The free Spybot. MBAM is worthless. Windows Tweaking software (bleepingcomputer.com) & a few other programs from that site might help. 2 problems, though; 1) Even the software that is capable of finding it cannot remove it since it has given itself Domain User status.

    I have tried Windows tools like sfc /scannow but often your admin account will still appear as admin but won't actually be so. (You probably know this but) an admin account will open cmd.exe to C:\Windows\System32 but a standard account will only open to C:\Users\User. Unless you're an admin you cannot run chkdsk, sfc but most importantly, I think is the inability to run net user from standard accounts.

    Windows has one tool called, I believe, SubinACL.exe which fixes ACL errors but in my case it was allowed once, overridden and is now worthless. If you have tried to download/run top shelf security (paid) that is designed to detect problems like this, you may run into problems like the RAT changing the .exe extension to .htm or .jpg and as a result they are useless. I purchased 3 MSFT annual maintenance contracts and all 3 were examined by level 2 supervisor techs who did absolutely nothing except promise to send a new installation cd (reset doesn't help as MBR and BIOS are also infected). (Never received the new installation cds.) Took it to the MSFT store but all the techs there are capable of doing is resetting the machine, which you can do by yourself. You need to completely wipe the hard drive of everything and get a new bootable installation disk but good luck with that. None of the Windows Media Creation tools that create .iso on flash or disk drive help. Good luck. If you can actually get this fixed I'd love to know how you did so. If you look in your DCOM log you will see hundreds of errors since this attack overrides any DNS settings, router ID ip address (public). You might want to search your machine for www.fund10.info..*.*.ru that seemed to be the source of my infection but I still could do nothing about it. It also leaves open numerous ports (port forwarding software has not helped) so that all kinds of viruses access your machine until you go wtf. MSFT is so behind the curve on this one it is pathetic. Perhaps using the new OS 10S software which is cloud based (like Chromebook) might help.

    Thursday, August 24, 2017 8:58 PM