47 replies to this topic

[darklord]

I am getting errors from Ccleaner on the issue scan.

ISSUES: ActiveX/COM Issue MBSA.XmlDb - {66C8912C-5AA8-11D9-89C9-000BDB08B646} | HCKR\MBSA.XmlDb

ActiveX/COM Issue MBSA.XmlDb - {66C8912C-5AA8-11D9-89C9-000BDB08B646} | HCKR\MBSA.XmlDb
They both are the same. I know and well I need to solve this.

I will also attach a Hijackthis! log.
ERROR: The forum will not permit me to attach the log file.

[Blake]

darklord, on Apr 22 2006, 05:38 AM, said:

I will also attach a Hijackthis! log.
ERROR: The forum will not permit me to attach the log file.

Just copy the log and paste it into the post.

[darklord]

Blake, on Apr 22 2006, 06:07 AM, said:

Just copy the log and paste it into the post.

Oh, well majorgeeks does the same thing and does not allow COPY and PASTE.

And I cannot post the log at the moment because I am on my brothers computer.. and my other brother is on the computer with the problem.

[darklord]

Ok, now that I have time here is my hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 2:26:53 PM, on 4/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = yo
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = bah
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = myspace.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = to
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "noty"); (C:\Documents and Settings\Family.... omg!\Application Data\Mozilla\Profiles\default\k15y9gus.slt\prefs.js)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Popup Blocker - Add to Black List - C:\Program Files\iolo\Common\Lib\AddToPSBlackList.htm
O8 - Extra context menu item: Popup Blocker - Add to White List - C:\Program Files\iolo\Common\Lib\AddToPSWhiteList.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

[AndyManchesta]

Hi Darklord

Can you run a couple of scanners to make sure your pc is clean then we can take a closer look at what Ccleaner is finding, MBSA.XmlDb might be a part of the Microsoft Baseline Security Analyzer (MBSA) tool but If Ccleaner cannot remove what it finds you might have to check the permissions on that registry key which I can explain more about after seeing the Malware scan results.


Run Hijack This and choose Do A System Scan then place a check next to these entries

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = yo
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = bah
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = to
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Close all open browser and other windows except for Hijack This and press the Fix Checked button


Next Download Ewido Anti-Malware from HERE

• When installing, under "Additional Options" uncheck "Install background guard"
  
• From the main ewido screen, click on update in the left menu, then click the Start update button.
  
• After the update finishes (the status bar at the bottom will display "Update successful"),
  
• Click on the Scanner button in the left menu, then click Complete System Scan.

If ewido finds anything, it will pop up a notification. You can select Remove and check the boxes Perform action with all infections and Create encrypted backup before clicking on OK.
When the scan finishes, click on Save Report. This will create a text file that you can save to the desktop and post back


Finally run Panda Activescan from Here.

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

Reboot the pc and then please post back the contents of the Ewido log, Panda scan report and a new Hijack This log.

Cheers

Andy

[darklord]

EWIDO ANTI-MALWARE SCAN:

{FULL SYSTEM SCAN}



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:36:06 PM, 4/23/2006
+ Report-Checksum: A954571F

+ Scan result:

HKLM\SOFTWARE\ShudderLTD -> Adware.PSGuard : Error during cleaning
HKLM\SOFTWARE\ShudderLTD\PSGuard -> Adware.PSGuard : Error during cleaning
HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard -> Adware.PSGuard : Error during cleaning
HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License -> Adware.PSGuard : Cleaned with backup


::Report End
-----------------------------------------------------------------------------------------------------------------------------

[AndyManchesta]

Can you post the contents of your Add/Remove screen and run SmitRem on your pc. The reg keys Ccleaner was having problems with does come from the Microsoft Baseline Security Analyzer tool so it should be simple enough to remove, do you still have the tool installed ?

Please download smitRem.exe from HERE and save the file to your desktop. Double click on the file to extract it to it's own folder on the desktop.

Reboot into Safe Mode:

Restart your computer and immediately begin tapping the F8 key on your keyboard. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter. To return to normal mode just restart your computer as you normally would.

Once in Safe mode open the smitRem folder, then double click the RunThis.bat file to start the tool.
Follow the prompts on screen. Your desktop and icons will disappear and then reappear again when its finished, The tool will create a log and save it to C:\Drive named smitfiles.txt,

Then Reboot back to Normal Mode

You will need to reload your wallpaper after this tool finishes, To change your wallpaper right click desktop and choose properties, Set the Theme to XP then goto the Desktop tab and choose your wallpaper from there.


Open Hijackthis, In the lower right corner click the "Config..." (Configuration) button.
Once in the "Configuration" panel, click "Misc Tools" button.
Then click the "Open Uninstall Manager..." button.
The "Add/Remove Programs Manager" panel should appear.
In this panel click the "Save list" button.

Save the "uninstall_list.txt" file to your desktop and copy and paste the "unistall_list.txt" file back on here with the Smitfiles.txt and the results from the Panda scan if you have run it on your pc.

Thanks

Andy

[DjLizard]

For the original issue, use Dial-a-fix > Tools (hammer button) > Repair permissions

[darklord]

PANDA ACTIVE SCAN REPORT:

FOLLOW THE FILE ATTACHMENT BELOW

*
*
*
\/

It also said there was something else..
I will submit another active scan tomorrow.

(other)
I am getting an error at start up saying ''system error- Isass.exe not found. and if you click it too early it automaticly reboots the computer.
I think it is because of AnswersThatwork's TUT (the ultamate troubleshooter) because I disabled some programs at startup that may be an essential part of this system I would wonder if you can do anything? My trail ran out.. and I can't fix it.

Attached Files

•  Activescan.txt   1.08K   17 downloads

[AndyManchesta]

Delete this file:

C:\Downloads\SpyWareNukerInstaller.exe


The Process.exe found in l2mfix is fine so you do not have to remove it, Its only a threat if its added by malware as it can stop processes on the pc.

Is the system error for Lsass or Isass ?

Lssas.exe (lsass) is a legitimate Windows file, Isass.exe (isass) would be a virus or Trojan file.

When you say it automatically shuts down, does it show this or just reboot the pc?

NT AUTHORITY/SYSTEM
will shut down in 60 seconds...


Im not familiar with AnswersThatwork's TUT but Id be suprised if it would allow you to stop a genuine system file from starting, Do you remember any of the changes it made.

Can you goto Start Menu > Run > type

msconfig

then press OK

On the General Tab that opens press Normal Startup (load all device drivers and services) then press Apply and OK, Reboot the pc and then post a new Hijack This log.

Cheers

[darklord]

Ok, now how do I delete the file?

(other)
It says it's shutting down (but not 60sec) and automatically does it.
And I did the stuff you told me to.

[AndyManchesta]

Can you use the pc that has a problem or is it always shutting down, If its always shutting down does it give any countdown ? when you said it shows the error and if you click it then the system reboots what is it that you click ?

For deleting the file you should be able to goto Start Menu > My Computer > C:\drive > Open the Downloads folder and right click the SpyWareNukerInstaller.exe file and choose Delete.

If you can use the pc and set it to Normal Startup on msconfig can you post a new Hijack This log as it may show items that were hidden in the last log because they were disabled.

let me know if you have your windows disk and if you can use the pc without it restarting so we can check afew things

[darklord]

I can use the PC.

But I click an x, not ok.
And it does not display a 60 sec countdown.

[AndyManchesta]

I'm still having problems understanding whats happening on your pc, Is this right ?

Everytime you reboot it displays an error about Issas.exe being missing, If you click the error it reboots the pc but if you do nothing it doesnt reboot the pc,

When did this problem start ?

Was it after running Ewido or Pandascan ?

Do you have your Windows Disk incase it needed ?

Did you run SmitRem ? if you did can you post the results

Did you set Msconfig to Normal startup ?

If you have set Msconfig to Normal Startup can you post a new Hijack This log.

Next Download SilentRunners from Here

Save it to the desktop and double-click on it. If you get any kind of warning message about scripts from your AntiVirus software, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the contents of the logfile back on the forum.

If you have any problems or questions let me know but to be able to help you I need you to answer the questions above and it would also help if you can post a new Hijack This log, SmitRems log (smitfiles.txt) and the Silent Runners log.

Thanks

[darklord]

The problem started in like November.
Here, I will also add an attachment of a picture I drew with ms paint of what it looks like in a way.
And also give me a link to download SmitRem.


Hijackthis log file:

Logfile of HijackThis v1.99.1
Scan saved at 7:16:56 PM, on 4/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = myspace.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Family.... omg!\Application Data\Mozilla\Profiles\default\k15y9gus.slt\prefs.js)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Popup Blocker - Add to Black List - C:\Program Files\iolo\Common\Lib\AddToPSBlackList.htm
O8 - Extra context menu item: Popup Blocker - Add to White List - C:\Program Files\iolo\Common\Lib\AddToPSWhiteList.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Attached Files

•  isass.JPG   14.38K   65 downloads

[AndyManchesta]

Cheers for the pic

The link for Smitrem was in one of my ealier replies and the link is in red, it also has the instructions to run it in that reply. Lsass.exe is in your running processes which means the Isass.exe that cannot load is probably malicious and the file may of been removed by some protection program but its left a startup entry somewhere, SilentRunners may show it and SmitRem will remove the PSGuard keys that Ewido couldnt remove but it does need running in safe mode.

I'd also like to check your policy keys to see if the startup entry is in that area but Try running Smitrem and SilentRunners first and then we can check other area's if needed.

Did you use DjLizards tool to fix the permission problem and is that part solved now ?

[darklord]

AndyManchesta, on Apr 24 2006, 11:30 PM, said:

Cheers for the pic

The link for Smitrem was in my ealier replies and the link is in red, it also has the instructions to run it in that reply. Lsass.exe is in your running processes which means the Isass.exe that cannot load is probably malicious and the file may of been removed by some protection program but its left a startup entry somewhere, SilentRunners may show it and SmitRem will remove the PSGuard keys that Ewido couldnt remove but it does need running in safe mode.

I'd also like to check your policy keys to see if the startup entry is in that area but Try running Smitrem and SilentRunners first and then we can check other area's if needed.

Did you use DjLizards tool to fix the permission problem and is that part solved now ?

I will need instructions on running that.
Thankyou in advance,
Darkpain

[AndyManchesta]

If you read DjLizards reply then it sounds very simple:

Quote

For the original issue, use Dial-a-fix > Tools (hammer button) > Repair permissions

The download link is where it shows Dial-a-Fix on his reply.

[darklord]

Here is the silent runners log.
Also, I need instructions on running his tool thing.



<<EDIT>> sorry about that, mislooked it.
Here ya go

Attached Files

•  SR_log.txt   289.24K   41 downloads

[AndyManchesta]

No Silent Runners Log, can you post it again

Ive never used Dial-A-Fix so I cannot give detailed advise on that. Leave that for now and run SilentRunners and then SmitRem in safe mode and post back the logs, We can easily reset your permissions abit later to fix the original problem either using a batch script or the Dial-A-Fix tool.

Are you using the Administrator account on your pc and if there is more than one user account on your system do they use the Admin account or have limited accounts setup ?