Boot and network issues from Blaster worm

Old 07-18-2011, 05:16 PM   #1
Registered Member
 
Join Date: Jul 2011
Posts: 58
OS: Win 7, Win XP



Hello,

This post is for my Dell D600 Latitude Windows XP laptop. I have a related issue from the same virus on my Windows 7 desktop computer, which is in a different post.

Issues started after I got the W32.Blaster.Worm virus: the fake scanner came up and everything. I tried cleaning it by booting into Safe Mode and running Malwarebytes' Anti-Malware, Spybot S&D, and Ad-Aware. I thought I was okay until Windows started to hang during login and after logging in, at random time intervals.

Then, the computer wouldn't boot at all. The message was regarding the windows/system32/config/system file, which was corrupted. After looking through the knowledge base, I discovered how to recover an old registry set through the System Volume Information folder.

I copied an old registry set from February 2011 into a special folder and copy it to the system32/config folder when I have this issue. I use a special boot CD to let me get to a command prompt to do this. This issue recurs at irregular intervals. Sometimes it does this while I am using the computer: the system will lose internet connectivity. It is then that I know that when I restart I will have to recopy the registry over again, and I can start over. Sometimes I've had to do this multiple times in an hour.

Also, during startup, I get a "Generic Host Process for Win32 Services is no longer working" dialog box. The details of the failure reference svchost.exe. Per the knowledge base, I thought this might be a Windows Update problem. I tried running through the list of issues here ("Error messages when you start a Windows XP-based computer and then try to download Windows Updates"), but the folder was in use when I tried to delete it. Attempting to run Windows Update and downloading anything just stalls that program. I had this issue before the current virus attack.

Finally, the DDS program that I was asked to run and post a log from stalls my computer. When it says "Two logs shall be placed on your desktop", an hourglass appears, nothing happens when I click Start or anything on the toolbar, the console doesn't appear when I press or hold Ctrl-Alt-Delete, and I have to power down the laptop by holding the power button.

I do NOT have access to my Windows XP installation CD.

Thank you very much for helping me!
Attached Files
File Type: zip ark.zip (970 Bytes, 35 views)
sphenoid12 is offline  
Old 07-21-2011, 02:08 PM   #2
Registered Member
 
Join Date: Jul 2011
Posts: 58
OS: Win 7, Win XP



Bump, please.

I am also getting redirects when clicking on search links from Google.

It'd be great if someone could just help clean my system and I'll worry about the other issues.
sphenoid12 is offline  
Old 07-21-2011, 07:38 PM   #3
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Do you know if this laptop has a recovery partition?

Try running DDS in Safe Mode. If you still have trouble getting the logs...
  • Download RSIT by random/random and Save it to your Desktop.
  • Double-click RSIT.exe to run the tool.
  • Click Continue at the disclaimer screen.
  • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
  • Please copy/paste the contents of log.txt in your next reply.
  • Please attach info.txt to your reply.
To attach a file to a reply, simply
  • Click the Manage Attachments button under Additional Options > Attach Files on the post composition page, and
  • Copy and Paste the following into the Upload File from your Computer box:
    C:\rsit\info.txt
  • Click Upload
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 07-23-2011, 09:25 AM   #4
Registered Member
 
Join Date: Jul 2011
Posts: 58
OS: Win 7, Win XP



I don't know if my laptop has a recovery partition.

Thanks for helping me!

log.txt:

Run by Damian at 2011-07-23 12:20:37
Microsoft Windows XP Professional Service Pack 3
System drive C: has 6 GB (16%) free of 38 GB
Total RAM: 1279 MB (57% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:20:59 PM, on 7/23/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Damian\Desktop\RSIT.exe
C:\Program Files\trend micro\Damian.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google News
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PSUNMain] "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://www.update.microsoft.com/wind...?1209007185599
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://www.update.microsoft.com/micr...?1209043868761
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Panda Cloud Antivirus Service (NanoServiceMain) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 4241 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\lvsyc.job

=========Mozilla firefox=========

ProfilePath - C:\Documents and Settings\Damian\Application Data\Mozilla\Firefox\Profiles\9ypbw5ic.default

prefs.js - "browser.search.useDBForOrder" - true
prefs.js - "browser.startup.homepage" - "https://slashdot.org/"
prefs.js - "extensions.enabledItems" - "{0545b830-f0aa-4d7e-8820-50a4629a56fe}:4.6.5, [email protected]:1.0, {20a82645-c095-46ed-80e3-08825760534b}:1.2.1, {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21, {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22, {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23, {fe0258ab-4f74-43a1-8781-bcdf340f9ee9}:2.6.4, {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.18"

"{20a82645-c095-46ed-80e3-08825760534b}"=c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
"[email protected]"=C:\Program Files\Java\jre6\lib\deploy\jqs\ff


[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Description"=Adobe® Flash® Player 10
"Path"=C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Apple.com/iTunes,version=]
"Description"=iTunes Detector Plug-in
"Path"=

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Apple.com/iTunes,version=1.0]
"Description"=
"Path"=C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/JavaPlugin]
"Description"=Oracle® Next Generation Java™ Plug-In
"Path"=C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5]
"Description"=Windows Presentation Foundation plug-in for Mozilla browsers
"Path"=c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd}
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

C:\Program Files\Mozilla Firefox\components\
browser.xpt
browser.xpt.moz-backup
browserdirprovider.dll
browserdirprovider.dll.moz-backup
brwsrcmp.dll
brwsrcmp.dll.moz-backup
components.list
components.list.moz-backup
compreg.dat
FeedConverter.js
FeedConverter.js.moz-backup
FeedProcessor.js
FeedProcessor.js.moz-backup
FeedWriter.js
FeedWriter.js.moz-backup
fuelApplication.js
fuelApplication.js.moz-backup
GPSDGeolocationProvider.js
GPSDGeolocationProvider.js.moz-backup
jsconsole-clhandler.js
jsconsole-clhandler.js.moz-backup
NetworkGeolocationProvider.js
NetworkGeolocationProvider.js.moz-backup
nsAddonRepository.js
nsAddonRepository.js.moz-backup
nsBadCertHandler.js
nsBadCertHandler.js.moz-backup
nsBlocklistService.js
nsBlocklistService.js.moz-backup
nsBrowserContentHandler.js
nsBrowserContentHandler.js.moz-backup
nsBrowserGlue.js
nsBrowserGlue.js.moz-backup
nsContentDispatchChooser.js
nsContentDispatchChooser.js.moz-backup
nsContentPrefService.js
nsContentPrefService.js.moz-backup
nsDefaultCLH.js
nsDefaultCLH.js.moz-backup
nsDownloadManagerUI.js
nsDownloadManagerUI.js.moz-backup
nsExtensionManager.js
nsExtensionManager.js.moz-backup
nsFormAutoComplete.js
nsFormAutoComplete.js.moz-backup
nsHandlerService.js
nsHandlerService.js.moz-backup
nsHelperAppDlg.js
nsHelperAppDlg.js.moz-backup
nsINIProcessor.js
nsINIProcessor.js.moz-backup
nsIQTScriptablePlugin.xpt
nsLivemarkService.js
nsLivemarkService.js.moz-backup
nsLoginInfo.js
nsLoginInfo.js.moz-backup
nsLoginManager.js
nsLoginManager.js.moz-backup
nsLoginManagerPrompter.js
nsLoginManagerPrompter.js.moz-backup
nsMicrosummaryService.js
nsMicrosummaryService.js.moz-backup
nsPlacesAutoComplete.js
nsPlacesAutoComplete.js.moz-backup
nsPlacesDBFlush.js
nsPlacesDBFlush.js.moz-backup
nsPlacesTransactionsService.js
nsPlacesTransactionsService.js.moz-backup
nsPrivateBrowsingService.js
nsPrivateBrowsingService.js.moz-backup
nsProxyAutoConfig.js
nsProxyAutoConfig.js.moz-backup
nsSafebrowsingApplication.js
nsSafebrowsingApplication.js.moz-backup
nsSearchService.js
nsSearchService.js.moz-backup
nsSearchSuggestions.js
nsSearchSuggestions.js.moz-backup
nsSessionStartup.js
nsSessionStartup.js.moz-backup
nsSessionStore.js
nsSessionStore.js.moz-backup
nsSetDefaultBrowser.js
nsSetDefaultBrowser.js.moz-backup
nsSidebar.js
nsSidebar.js.moz-backup
nsTaggingService.js
nsTaggingService.js.moz-backup
nsTryToClose.js
nsTryToClose.js.moz-backup
nsUpdateService.js
nsUpdateService.js.moz-backup
nsUpdateServiceStub.js
nsUpdateServiceStub.js.moz-backup
nsUpdateTimerManager.js
nsUpdateTimerManager.js.moz-backup
nsUrlClassifierLib.js
nsUrlClassifierLib.js.moz-backup
nsUrlClassifierListManager.js
nsUrlClassifierListManager.js.moz-backup
nsURLFormatter.js
nsURLFormatter.js.moz-backup
nsWebHandlerApp.js
nsWebHandlerApp.js.moz-backup
pluginGlue.js
pluginGlue.js.moz-backup
storage-Legacy.js
storage-Legacy.js.moz-backup
storage-mozStorage.js
storage-mozStorage.js.moz-backup
txEXSLTRegExFunctions.js
txEXSLTRegExFunctions.js.moz-backup
WebContentConverter.js
WebContentConverter.js.moz-backup
xpti.dat

C:\Program Files\Mozilla Firefox\plugins\
npdeployJava1.dll
npnul32.dll
NPOFFICE.DLL
nppdf32.dll
npqtplugin.dll
npqtplugin2.dll
npqtplugin3.dll
npqtplugin4.dll
npqtplugin5.dll
npqtplugin6.dll
npqtplugin7.dll
npwachk.dll
QuickTimePlugin.class

C:\Program Files\Mozilla Firefox\searchplugins\
amazondotcom.xml
answers.xml
creativecommons.xml
eBay.xml
google.xml
wikipedia.xml
yahoo.xml

C:\Documents and Settings\Damian\Application Data\Mozilla\Firefox\Profiles\9ypbw5ic.default\extensions\
{0545b830-f0aa-4d7e-8820-50a4629a56fe}
{20a82645-c095-46ed-80e3-08825760534b}
{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}

C:\Documents and Settings\Damian\Application Data\Mozilla\Firefox\Profiles\9ypbw5ic.default\searchplugins\
webster.xml
wikipedia-eng.xml
winamp-search.xml

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2011-01-05 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2011-01-05 79648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-11-11 344064]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2007-03-16 1392640]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2010-12-09 74752]
"PSUNMain"=C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe [2011-02-24 423232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-12 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Damian^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
C:\PROGRA~1\OPENOF~1.4\program\QUICKS~1.EXE [2008-01-21 393216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-11-11 47616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2009-01-30 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Damian\Desktop\utorrent.exe"="C:\Documents and Settings\Damian\Desktop\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\system32\spoolsv.exe"="C:\WINDOWS\system32\spoolsv.exe:*:Enabled:spoolsv.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"=midimap.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msadpcm"=msadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.trspch"=tssoft32.acm
"vidc.cvid"=iccvid.dll
"vidc.I420"=msh263.drv
"vidc.iv31"=ir32_32.dll
"vidc.iv32"=ir32_32.dll
"vidc.iv41"=ir41_32.ax
"vidc.iyuv"=iyuv_32.dll
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"vidc.uyvy"=msyuv.dll
"vidc.yuy2"=msyuv.dll
"vidc.yvu9"=tsbyuv.dll
"vidc.yvyu"=msyuv.dll
"wavemapper"=msacm32.drv
"msacm.msg723"=msg723.acm
"vidc.M263"=msh263.drv
"vidc.M261"=msh261.drv
"msacm.msaudio1"=msaud32.acm
"msacm.sl_anet"=sl_anet.acm
"msacm.iac2"=C:\WINDOWS\System32\iac25_32.ax
"vidc.iv50"=ir50_32.dll
"msacm.l3acm"=C:\WINDOWS\System32\l3codeca.acm
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"msacm.voxacm160"=vct3216.acm
"msacm.scg726"=scg726.acm
"msacm.alf2cd"=alf2cd.acm
"msacm.ac3acm"=AC3ACM.acm
"vidc.dvsd"=mcdvd_32.dll
"vidc.xvid"=xvidvfw.dll
"vidc.DIVX"=DivX.dll
"vidc.mpg4"=mpg4c32.dll
"vidc.mp42"=mpg4c32.dll
"vidc.mp43"=mpg4c32.dll

======List of files/folders created in the last 1 month======

2011-07-23 12:20:40 ----D---- C:\Program Files\trend micro
2011-07-23 12:20:37 ----D---- C:\rsit
2011-07-23 12:13:16 ----ASH---- C:\hiberfil.sys
2011-07-20 19:30:58 ----D---- C:\Documents and Settings\Damian\Application Data\ElevatedDiagnostics
2011-07-20 19:27:33 ----D---- C:\WINDOWS\system32\windowspowershell
2011-07-20 19:27:29 ----HDC---- C:\WINDOWS\$NtUninstallKB926139-v2$
2011-07-16 17:58:16 ----D---- C:\WINDOWS\Old Registry Files Feb 2011
2011-07-13 00:57:23 ----A---- C:\WINDOWS\WORDPAD.INI
2011-07-12 14:40:54 ----D---- C:\WINDOWS\system32\config OLD
2011-06-30 19:12:55 ----A---- C:\WINDOWS\ntbtlog.txt

======List of files/folders modified in the last 1 month======

2011-07-23 12:20:40 ----RD---- C:\Program Files
2011-07-23 12:15:42 ----A---- C:\WINDOWS\SchedLgU.Txt
2011-07-23 12:14:12 ----D---- C:\WINDOWS\Temp
2011-07-23 12:14:04 ----D---- C:\WINDOWS
2011-07-23 12:13:56 ----D---- C:\WINDOWS\system32\CatRoot2
2011-07-23 12:13:56 ----A---- C:\WINDOWS\system32\temp.txt
2011-07-23 01:47:11 ----D---- C:\Documents and Settings\Damian\Application Data\OpenOffice.org2
2011-07-23 01:07:58 ----D---- C:\WINDOWS\system32\drivers
2011-07-23 00:50:33 ----HD---- C:\WINDOWS\inf
2011-07-23 00:49:31 ----D---- C:\WINDOWS\system32\CatRoot
2011-07-22 15:30:02 ----D---- C:\WINDOWS\system32
2011-07-22 15:30:01 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2011-07-22 15:29:52 ----HD---- C:\WINDOWS\$hf_mig$
2011-07-22 15:29:03 ----D---- C:\WINDOWS\Prefetch
2011-07-21 16:50:31 ----D---- C:\WINDOWS\system32\config
2011-07-20 21:11:07 ----D---- C:\WINDOWS\Microsoft.NET
2011-07-20 21:11:06 ----RSD---- C:\WINDOWS\assembly
2011-07-20 19:32:36 ----D---- C:\WINDOWS\AppPatch
2011-07-20 19:22:43 ----RSHDC---- C:\WINDOWS\system32\dllcache
2011-07-20 18:28:08 ----D---- C:\Program Files\Mozilla Firefox
2011-07-18 16:07:29 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2011-07-16 10:49:02 ----D---- C:\Program Files\Spyware Terminator
2011-07-16 10:49:02 ----D---- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2011-07-16 10:41:01 ----D---- C:\Documents and Settings\Damian\Application Data\Spyware Terminator
2011-07-12 22:01:27 ----A---- C:\WINDOWS\OEWABLog.txt
2011-07-12 22:01:22 ----A---- C:\WINDOWS\win.ini
2011-07-12 22:01:05 ----D---- C:\Documents and Settings
2011-07-12 21:45:36 ----D---- C:\WINDOWS\system32\Restore
2011-07-12 14:38:50 ----D---- C:\WINDOWS\system32\Com
2011-07-01 11:18:02 ----HDC---- C:\WINDOWS\$NtUninstallKB950762_0$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 agp440;Intel AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agp440.sys [2008-04-13 42368]
R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2009-04-28 44944]
R1 BANTExt;Belarc SMBios Access; C:\WINDOWS\System32\Drivers\BANTExt.sys [2008-03-06 3840]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 PSINKNC;PSINKNC; C:\WINDOWS\system32\DRIVERS\psinknc.sys [2010-12-16 130376]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 PSINAflt;PSINAflt; C:\WINDOWS\system32\DRIVERS\PSINAflt.sys [2010-12-16 141768]
R2 PSINFile;PSINFile; C:\WINDOWS\system32\DRIVERS\PSINFile.sys [2010-12-16 97352]
R2 PSINProc;PSINProc; C:\WINDOWS\system32\DRIVERS\PSINProc.sys [2010-12-16 111944]
R2 PSINProt;PSINProt; C:\WINDOWS\system32\DRIVERS\PSINProt.sys [2010-12-16 113096]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2005-11-11 1406464]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [2006-05-10 156160]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2007-03-16 604928]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS [2005-05-03 1033728]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2005-05-03 208384]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader; C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-22 92550]
R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\stac97.sys [2004-11-15 264440]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-05-03 705408]
S0 xleceb;xleceb; C:\WINDOWS\System32\drivers\clmbip.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\drivers\UIUSys.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2005-11-11 389120]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-11-12 153376]
R2 NanoServiceMain;Panda Cloud Antivirus Service; C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2010-12-16 140608]
R2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2009-01-30 913408]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-06-29 800040]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2007-03-16 20480]

-----------------EOF-----------------
Attached Files
File Type: txt info.txt (25.8 KB, 54 views)
sphenoid12 is offline  
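The RSIT driver and service listing posted above has a fixed shape: a state/start-type code, the service name, its display name, the image path, and in square brackets the file's timestamp and size (empty brackets mean RSIT could not stat the file). The script below is an added example, not a tool from this forum or from RSIT's author; it parses that format and applies a few triage heuristics a helper applies by eye (no backing file on disk, a boot-start driver with no file, no descriptive display name, service name unrelated to the file name). The weights and the review threshold are my own assumptions, and the sample lines are copied from the log above. It ranks entries for a human to look at; it does not declare anything malicious.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines copied from the RSIT listing posted above. Format:
#   "<R|S><0-4> <name>;<display name>; <image path> [<date> <size>]"
SAMPLE_LINES = [
    "R0 agp440;Intel AGP Bus Filter; C:\\WINDOWS\\System32\\DRIVERS\\agp440.sys [2008-04-13 42368]",
    "R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\\WINDOWS\\system32\\DRIVERS\\bcmwl5.sys [2007-03-16 604928]",
    "S0 xleceb;xleceb; C:\\WINDOWS\\System32\\drivers\\clmbip.sys []",
    "S3 UIUSys;Conexant Setup API; C:\\WINDOWS\\system32\\drivers\\UIUSys.sys []",
    "S4 s24trans;WLAN Transport; C:\\WINDOWS\\system32\\DRIVERS\\s24trans.sys []",
]

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

REVIEW_THRESHOLD = 3  # assumed cut-off; tune to taste


@dataclass
class Entry:
    state: str       # R = running, S = stopped
    start: int       # 0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled
    name: str
    display: str
    path: str
    meta: str        # "<date> <size>" or "" when RSIT could not read the file
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a driver/service line, or None for headers and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["state"], int(m["start"]), m["name"].strip(),
                 m["display"].strip(), m["path"].strip(), m["meta"].strip())


def triage(entry: Entry) -> Entry:
    """Apply the heuristics in place and return the same entry with score and reasons set."""
    basename = entry.path.rsplit("\\", 1)[-1].lower()
    stem = basename.rsplit(".", 1)[0]
    name = entry.name.lower()

    if not entry.meta:
        entry.reasons.append("no timestamp/size: file missing or unreadable on disk")
        entry.score += 2
        if entry.start == 0:
            # A boot-start driver loads before most defences; one with no file is worth a look.
            entry.reasons.append("boot-start driver with no backing file on disk")
            entry.score += 1
    if entry.display.lower() == name:
        entry.reasons.append("no descriptive display name")
        entry.score += 1
    if name not in stem and stem not in name:
        entry.reasons.append("service name does not match file name")
        entry.score += 1
    return entry


def triage_log(lines: List[str], threshold: int = REVIEW_THRESHOLD) -> List[Entry]:
    """Parse and score every driver/service line; return those at or above threshold, highest first."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # section headers, blank lines, other log sections
        triage(entry)
        if entry.score >= threshold:
            flagged.append(entry)
    return sorted(flagged, key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LINES):
        print(f"{e.state}{e.start} {e.name} -> {e.path} (score {e.score})")
        for r in e.reasons:
            print(f"    - {r}")
```

On the sample lines only the `xleceb` entry crosses the threshold; `UIUSys` and `s24trans` also lack file metadata but keep descriptive names that match their file names, which is what a leftover from an uninstalled driver usually looks like. To run it over a full RSIT log, pass the lines of the "List of drivers" and "List of services" sections to `triage_log`.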
Old 07-23-2011, 11:04 AM   #5
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello sphenoid12. Is this a Dell? What is the model number?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

It appears that you have two antivirus programs installed, Ad-Watch Live and Panda Cloud. Even though Panda Cloud isn't enabled, pieces of it are still running, and they can conflict with Ad-Watch and cause system instability or even system hangs. Please choose one to keep and uninstall the other via Add or Remove Programs in your Control Panel.

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

First, we need to install the Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. Also, ComboFix will not address certain types of malware unless the RC is installed. It is a simple procedure that will only take a few moments of your time.

Download the file from this Microsoft page:

Download Details - Microsoft Download Center - Windows XP Professional with Service Pack 2 Utility: Setup Disks for Floppy Boot Install

Do not be concerned that this file is for SP2 if you have SP3. It will work just fine on your system.

Save it as it is originally named to your Desktop.

Now close all open windows and programs, including all antivirus and antispyware programs. Get help here



Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:



Please continue as follows:
  • Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix. Get help here
  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 07-23-2011, 03:09 PM   #6
Registered Member
 
Join Date: Jul 2011
Posts: 58
OS: Win 7, Win XP



Okay, definitely ran into some issues here.

I'm having trouble getting rid of Ad-Watch Live. Actually, I couldn't find how any of the programs thought it was running, because I don't see it in my processes nor in the system tray. It doesn't register as running in Windows Security. Neither Ad-Watch Live nor Adaware nor Lavasoft is listed in the Uninstall Programs list. I even looked at the list under Spybot S&D's startup manager and uninstall manager, but didn't see it there either. When I tried to uninstall it under the Programs menu, it actually started the installation for it. I tried to complete this anyhow, but it eventually got stuck and asked me to select the folder where the uninstall setup files are located. I tried selecting the Lavasoft and subsequent folders under Program Files, as well as the setup files in Application Data, but they weren't usable. I looked for unwise.exe in Explorer with all files viewable, but didn't find that program or any other definite uninstall program. I couldn't find any uninstall log of any sort. I downloaded an uninstall program but it also couldn't find the uninstall files needed.

Trying to run Adaware stalls because it can't connect to the server. Maybe this is because of some of my networking issues on this computer. (When I go to standby and then log back in, the internet doesn't work. Also the Win 32 processes fail, as written above.) So I couldn't figure out how to uninstall it or even stop it. The instructions given on your link depend on the icon being in the system tray, but it's not there.

I tried to run Combofix anyways. The Windows Recovery Console appeared to install successfully. A warning came up that Ad-Watch Live was still running, but I tried to run it anyways. The blue screen window appeared, saying that the scan might take 10 minutes or longer. Then, the system stalled. The window was movable, but the taskbar wasn't clickable, ctrl-alt-delete did nothing, and the clock in the taskbar was slow by an hour when I came back to check on it. I had to power down. During reboot, the recovery console came up as an option to boot up, and my system appeared to work as it normally does when Windows came up. There is no c:\combofix.txt unfortunately.

Any ideas on how to get rid of Ad-watch Live?

Thanks.
Old 07-23-2011, 05:48 PM   #7
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, sphenoid12. Is this a Dell? What is the model number?

------------------------------------------------------

Sorry, I failed to notice there was no Add/Remove entry for Ad-Watch.

See if this file exists:

C:\program files\lavasoft\ad-aware\unregaaw.exe

If so, please double-click it to run it.

Do a search for any Lavasoft folders and delete them.

------------------------------------------------------

Check to see if Ad-Watch is still registered by doing the following:

**Note: Make sure you only delete Lavasoft/Ad-Watch products.
  • Go Start > Run and copy/paste wbemtest into the Run box and click 'OK'.
  • Click 'Connect'.
  • Copy/paste root\securitycenter into the box and click 'Connect'.
  • Click 'Query'.
  • Copy/paste SELECT * FROM AntiVirusProduct under 'Enter Query' and click 'Apply'.
  • If there is more than one result, it means there is more than one Antivirus program registered.
  • Double-click on each result to view the properties for that Antivirus product.
  • Identify the product(s) registered by scrolling down to 'companyName' then click 'Close'.
  • In the 'Query Result' window, click 'Delete' for any Antivirus software that is no longer installed.
  • Click 'Close', then 'Exit' and let me know if it worked.
------------------------------------------------------

Reboot your computer. Disable Panda Cloud.

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

"%userprofile%\desktop\combofix.exe" /nombr

ComboFix should run now. Let me know.

------------------------------------------------------
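The wbemtest walk-through in the post above can also be scripted, which makes it easier to see at a glance how many products are registered and to delete only the one you mean. What follows is an added example, not part of chemist's instructions and not code from any tool mentioned in this thread. It assumes Windows XP with PowerShell 2.0 installed and queries the same root\SecurityCenter AntiVirusProduct class that wbemtest shows; the property names (displayName, companyName, versionNumber, onAccessScanningEnabled, productUptoDate, instanceGuid) are those of the XP-era class, and on Vista and later the live namespace is root\SecurityCenter2, whose class carries productState instead of companyName. The vendor list handed to Find-StaleAntivirus and the -WhatIf dry run are this example's own conventions. The point for a cleanup: Security Center entries are self-reported through WMI, so an uninstaller that never ran, or a product that was removed by hand, leaves a registration behind, and tools such as ComboFix treat that stale row as a live antivirus and refuse to proceed.

```powershell
# Added example (not chemist's steps, not any vendor's code): list the
# antivirus products registered with Security Center on Windows XP and
# remove only the stale one, by instanceGuid, mirroring the per-row
# 'Delete' button in wbemtest's Query Result window.

function Get-RegisteredAntivirus {
    param([string]$Namespace = 'root\SecurityCenter')
    # Same data as wbemtest's "SELECT * FROM AntiVirusProduct".
    Get-WmiObject -Namespace $Namespace -Class AntiVirusProduct |
        Select-Object displayName, companyName, versionNumber,
                      onAccessScanningEnabled, productUptoDate, instanceGuid
}

# A registration is stale when its companyName matches none of the vendors
# you know are still installed. $InstalledVendors is a constructed list for
# this example; adjust it to what Add or Remove Programs shows.
function Find-StaleAntivirus {
    param(
        [Parameter(Mandatory = $true)][object[]]$Registered,
        [Parameter(Mandatory = $true)][string[]]$InstalledVendors
    )
    foreach ($av in $Registered) {
        $known = $false
        foreach ($vendor in $InstalledVendors) {
            if ($av.companyName -and ($av.companyName -like "*$vendor*")) { $known = $true }
        }
        if (-not $known) { $av }
    }
}

function Remove-AntivirusRegistration {
    param(
        [Parameter(Mandatory = $true)][string]$InstanceGuid,
        [string]$Namespace = 'root\SecurityCenter',
        [switch]$WhatIf
    )
    # Re-read the instance by GUID so a typo cannot delete the wrong product.
    $target = Get-WmiObject -Namespace $Namespace -Class AntiVirusProduct |
        Where-Object { $_.instanceGuid -eq $InstanceGuid }
    if (-not $target) { throw "No AntiVirusProduct with instanceGuid $InstanceGuid" }
    if ($WhatIf) {
        Write-Host "Would delete: $($target.displayName) ($($target.companyName))"
        return
    }
    $target | Remove-WmiObject
}

# Usage: show every registered product, then dry-run the removal of any
# whose vendor is not in the list. Drop -WhatIf once the row is confirmed.
$registered = Get-RegisteredAntivirus
$registered | Format-Table displayName, companyName, onAccessScanningEnabled, instanceGuid -AutoSize
$stale = Find-StaleAntivirus -Registered $registered -InstalledVendors @('Panda')
$stale | ForEach-Object { Remove-AntivirusRegistration -InstanceGuid $_.instanceGuid -WhatIf }
```

More than one row from Get-RegisteredAntivirus means more than one product is registered, exactly as the wbemtest step says. Deleting by instanceGuid rather than by display name matters because two entries from the same vendor (a half-removed old version beside the current one) can share a display name.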
Old 07-24-2011, 06:43 PM   #8
Registered Member
 
Join Date: Jul 2011
Posts: 58
OS: Win 7, Win XP



I have a Dell Latitude D600.

I got the log.txt but not in the most perfect way.

The techniques to take care of Ad-watch Live worked. But when trying to run Combofix, it still said that Panda was running, even though I shut it off (had red X on icon). I tried to end the Panda process but it wouldn't let me. Tried to look through the program but there was no way to take it any further out of memory. So I ran Combofix anyways.

Here's my log.txt:

ComboFix 11-07-24.01 - Damian 07/24/2011 14:58:57.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.868 [GMT -4:00]
Running from: c:\documents and settings\Damian\desktop\combofix.exe
Command switches used :: /nombr
AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Damian\Local Settings\Application Data\{B8B27969-E096-4737-99D5-F58D3A81FE76}
c:\documents and settings\Damian\Local Settings\Application Data\{B8B27969-E096-4737-99D5-F58D3A81FE76}\chrome.manifest
c:\documents and settings\Damian\Local Settings\Application Data\{B8B27969-E096-4737-99D5-F58D3A81FE76}\chrome\content\_cfg.js
c:\documents and settings\Damian\Local Settings\Application Data\{B8B27969-E096-4737-99D5-F58D3A81FE76}\chrome\content\overlay.xul
c:\documents and settings\Damian\Local Settings\Application Data\{B8B27969-E096-4737-99D5-F58D3A81FE76}\install.rdf
.
.
((((((((((((((((((((((((( Files Created from 2011-06-24 to 2011-07-24 )))))))))))))))))))))))))))))))
.
.
2011-07-23 20:37 . 2011-07-23 20:37 -------- d-----w- c:\documents and settings\Damian\Local Settings\Application Data\Sunbelt Software
2011-07-23 20:20 . 2011-07-23 20:20 -------- d-----w- c:\program files\VS Revo Group
2011-07-23 16:20 . 2011-07-23 16:20 -------- d-----w- c:\program files\trend micro
2011-07-23 16:20 . 2011-07-23 16:21 -------- d-----w- C:\rsit
2011-07-20 23:30 . 2011-07-20 23:30 -------- d-----w- c:\documents and settings\Damian\Application Data\ElevatedDiagnostics
2011-07-16 21:58 . 2011-07-16 21:58 -------- d-----w- c:\windows\Old Registry Files Feb 2011
2011-07-16 15:22 . 2011-07-16 15:22 -------- d-----w- c:\windows\system32\GroupPolicy\Machine\Scripts\Shutdown\Pan8.tmp
2011-07-13 02:01 . 2011-07-13 02:01 -------- d-----w- c:\documents and settings\Administrator
2011-07-13 01:45 . 2011-07-13 01:45 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY
2011-07-13 01:45 . 2011-07-13 01:45 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY
2011-07-12 18:40 . 2011-07-12 18:41 -------- d-----w- c:\windows\system32\config OLD
2011-06-29 00:15 . 2011-06-29 00:15 -------- d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-13 01:54 . 2011-05-30 21:41 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-02 02:09 . 2001-08-23 12:00 26112 ----a-w- c:\windows\system32\userinit.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2010-12-16 23:18 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2010-12-16 23:18 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-12-09 74752]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-02-24 423232]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Damian^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Damian\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 05:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 00:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 18:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 xleceb;xleceb;c:\windows\System32\drivers\clmbip.sys [x]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2010-12-16 130376]
S2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2010-12-16 140608]
S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys [2010-12-16 141768]
S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys [2010-12-16 97352]
S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys [2010-12-16 111944]
S2 PSINProt;PSINProt;c:\windows\system32\DRIVERS\PSINProt.sys [2010-12-16 113096]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\DRIVERS\ozscr.sys [2005-04-22 92550]
.
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Damian\Application Data\Mozilla\Firefox\Profiles\9ypbw5ic.default\
FF - prefs.js: browser.startup.homepage - hxxp://slashdot.org/
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Redirect Remover: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9} - %profile%\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
Notify-WgaLogon - (no file)
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-07-24 15:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-07-24 15:25:19
ComboFix-quarantined-files.txt 2011-07-24 19:25
.
Pre-Run: 9,748,705,280 bytes free
Post-Run: 10,020,073,472 bytes free
.
- - End Of File - - 4E8F78C5E4EDA3A5B81DD905860B8F75
Old 07-24-2011, 07:10 PM   #9
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, sphenoid12.

Download TDSSKiller.exe and Save it to your Desktop.

Double-click TDSSKiller.exe then click 'Start scan'.

If no infection is found, click 'Close' twice and let me know.

If an infection is found, click 'Continue' to Cure the infection.

**Note: If you do not see the 'Cure' option, you MUST select 'Skip'.

**Note: If asked to re-write standard MS boot code, please choose 'Yes'.

Once the system scan is completed, click 'Reboot now'.

It will produce a log here > C:\TDSSKiller.2.5.11.0_date_time_log.txt

Please navigate to the file, double-click to open it, and copy/paste the contents in your next reply.

------------------------------------------------------
Old 07-25-2011, 01:27 PM   #10
Registered Member
 
Join Date: Jul 2011
Posts: 58
OS: Win 7, Win XP



Looking good.....

2011/07/25 16:03:30.0527 2852 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/25 16:03:30.0787 2852 ================================================================================
2011/07/25 16:03:30.0787 2852 SystemInfo:
2011/07/25 16:03:30.0807 2852
2011/07/25 16:03:30.0807 2852 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/25 16:03:30.0807 2852 Product type: Workstation
2011/07/25 16:03:30.0807 2852 ComputerName: LAPTOP
2011/07/25 16:03:30.0807 2852 UserName: Damian
2011/07/25 16:03:30.0807 2852 Windows directory: C:\WINDOWS
2011/07/25 16:03:30.0807 2852 System windows directory: C:\WINDOWS
2011/07/25 16:03:30.0807 2852 Processor architecture: Intel x86
2011/07/25 16:03:30.0807 2852 Number of processors: 1
2011/07/25 16:03:30.0807 2852 Page size: 0x1000
2011/07/25 16:03:30.0807 2852 Boot type: Normal boot
2011/07/25 16:03:30.0807 2852 ================================================================================
2011/07/25 16:03:34.0762 2852 Initialize success
2011/07/25 16:03:39.0979 3720 ================================================================================
2011/07/25 16:03:39.0979 3720 Scan started
2011/07/25 16:03:39.0979 3720 Mode: Manual;
2011/07/25 16:03:39.0979 3720 ================================================================================
2011/07/25 16:03:42.0052 3720 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/25 16:03:42.0152 3720 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/25 16:03:42.0322 3720 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/25 16:03:42.0422 3720 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/07/25 16:03:42.0462 3720 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/07/25 16:03:43.0313 3720 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/25 16:03:43.0443 3720 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/25 16:03:43.0724 3720 ati2mtag (246248aada156450be611eceaa5fe033) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/07/25 16:03:44.0134 3720 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/25 16:03:44.0725 3720 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/25 16:03:45.0196 3720 b57w2k (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/07/25 16:03:45.0556 3720 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
2011/07/25 16:03:45.0696 3720 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/07/25 16:03:46.0177 3720 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/25 16:03:47.0098 3720 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/25 16:03:47.0759 3720 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/25 16:03:48.0300 3720 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/25 16:03:48.0790 3720 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/25 16:03:49.0671 3720 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/07/25 16:03:50.0753 3720 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/07/25 16:03:52.0785 3720 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/25 16:03:53.0306 3720 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/25 16:03:54.0117 3720 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/25 16:03:54.0558 3720 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/25 16:03:55.0048 3720 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/25 16:03:56.0160 3720 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/25 16:03:56.0981 3720 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/25 16:03:57.0502 3720 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/07/25 16:03:58.0803 3720 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/25 16:03:59.0654 3720 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/07/25 16:04:01.0226 3720 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/07/25 16:04:02.0358 3720 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/25 16:04:03.0149 3720 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/25 16:04:03.0569 3720 GEARAspiWDM (ab8a6a87d9d7255c3884d5b9541a6e80) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/07/25 16:04:04.0350 3720 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/25 16:04:05.0382 3720 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/25 16:04:06.0824 3720 HSFHWICH (a84bbbdd125d370593004f6429f8445c) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
2011/07/25 16:04:07.0685 3720 HSF_DPV (b678fa91cf4a1c19b462d8db04cd02ab) C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS
2011/07/25 16:04:09.0137 3720 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/25 16:04:10.0789 3720 i8042prt (2fa7afaa8ef0d3fb0a4035278efc7043) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/25 16:04:10.0799 3720 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: 2fa7afaa8ef0d3fb0a4035278efc7043, Fake md5: 4a0b06aa8943c1e332520f7440c0aa30
2011/07/25 16:04:10.0969 3720 i8042prt - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/07/25 16:04:12.0090 3720 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\drivers\Imapi.sys
2011/07/25 16:04:14.0483 3720 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/07/25 16:04:15.0535 3720 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/07/25 16:04:16.0085 3720 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/25 16:04:16.0656 3720 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/25 16:04:17.0177 3720 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/25 16:04:17.0698 3720 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/25 16:04:18.0118 3720 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/25 16:04:18.0809 3720 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/25 16:04:19.0300 3720 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/25 16:04:20.0091 3720 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/25 16:04:20.0802 3720 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/25 16:04:22.0063 3720 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/07/25 16:04:22.0484 3720 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/25 16:04:22.0644 3720 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/25 16:04:22.0834 3720 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/25 16:04:22.0934 3720 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/25 16:04:23.0014 3720 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/25 16:04:23.0175 3720 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/25 16:04:23.0385 3720 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/25 16:04:23.0575 3720 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/25 16:04:23.0655 3720 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/25 16:04:23.0685 3720 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/25 16:04:23.0765 3720 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/25 16:04:23.0876 3720 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/25 16:04:23.0936 3720 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/25 16:04:24.0026 3720 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/25 16:04:24.0216 3720 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/25 16:04:24.0286 3720 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/25 16:04:24.0406 3720 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/25 16:04:24.0546 3720 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/25 16:04:24.0616 3720 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/25 16:04:24.0707 3720 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/25 16:04:24.0827 3720 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/25 16:04:24.0937 3720 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/25 16:04:25.0107 3720 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/25 16:04:25.0498 3720 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/25 16:04:25.0628 3720 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/25 16:04:25.0948 3720 OZSCR (ab2b07ac4afd38f574d903eaf9e98a60) C:\WINDOWS\system32\DRIVERS\ozscr.sys
2011/07/25 16:04:26.0098 3720 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/07/25 16:04:26.0209 3720 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/25 16:04:26.0429 3720 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/25 16:04:26.0479 3720 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/25 16:04:26.0769 3720 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/25 16:04:26.0879 3720 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/07/25 16:04:30.0083 3720 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/25 16:04:30.0564 3720 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/07/25 16:04:31.0535 3720 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/25 16:04:32.0577 3720 PSINAflt (fdc5fbcc24fff63b0dc8057f77224bdc) C:\WINDOWS\system32\DRIVERS\PSINAflt.sys
2011/07/25 16:04:33.0268 3720 PSINFile (21340bae4746bb87685eb7b0340e37f4) C:\WINDOWS\system32\DRIVERS\PSINFile.sys
2011/07/25 16:04:33.0748 3720 PSINKNC (043bb8afcb1fad95046f4cc9374fddf3) C:\WINDOWS\system32\DRIVERS\psinknc.sys
2011/07/25 16:04:34.0329 3720 PSINProc (a821bb25b89ced1999eaf40feb9e3fec) C:\WINDOWS\system32\DRIVERS\PSINProc.sys
2011/07/25 16:04:34.0760 3720 PSINProt (fdb3745e5458ef8e1a39edd65c0d4dec) C:\WINDOWS\system32\DRIVERS\PSINProt.sys
2011/07/25 16:04:34.0860 3720 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/25 16:04:35.0020 3720 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/07/25 16:04:35.0300 3720 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/25 16:04:35.0420 3720 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/25 16:04:35.0521 3720 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/25 16:04:35.0571 3720 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/25 16:04:35.0701 3720 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/25 16:04:35.0761 3720 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/25 16:04:35.0931 3720 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/07/25 16:04:36.0211 3720 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/25 16:04:36.0422 3720 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/25 16:04:36.0792 3720 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/25 16:04:36.0912 3720 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/25 16:04:36.0972 3720 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/25 16:04:37.0133 3720 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/25 16:04:37.0533 3720 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/25 16:05:06.0520 3720 ================================================================================
2011/07/25 16:05:06.0540 3720 Scan finished
2011/07/25 16:05:06.0540 3720 ================================================================================
2011/07/25 16:05:06.0560 2052 Detected object count: 1
2011/07/25 16:05:06.0560 2052 Actual detected object count: 1
2011/07/25 16:05:38.0091 2052 i8042prt (2fa7afaa8ef0d3fb0a4035278efc7043) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/25 16:05:38.0091 2052 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: 2fa7afaa8ef0d3fb0a4035278efc7043, Fake md5: 4a0b06aa8943c1e332520f7440c0aa30
2011/07/25 1609.0153 2052 Backup copy found, using it..
2011/07/25 1609.0694 2052 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - will be cured after reboot
2011/07/25 1609.0694 2052 Rootkit.Win32.TDSS.tdl3(i8042prt) - User select action: Cure
2011/07/25 16:08:07.0954 3748 Deinitialize success
sphenoid12 is offline  
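The "Suspicious file (Forged)" line is the key finding in that log: TDSSKiller obtained two different MD5s for one driver, which can only happen if something sits between the file-system API and the disk and filters what is read back. As an added example (not the thread's own code), here is a small parser that pulls such findings out of a TDSSKiller log, plus the hash comparison behind the verdict; the sample log is a constructed excerpt built from the thread's lines, with the timestamps of the garbled lines made up.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt modelled on the TDSSKiller log posted in the thread
# (the 16:06 timestamps are made up; hashes and paths are the thread's own).
SAMPLE_LOG = r"""
2011/07/25 16:05:06.0540 3720 Scan finished
2011/07/25 16:05:06.0560 2052 Detected object count: 1
2011/07/25 16:05:38.0091 2052 i8042prt (2fa7afaa8ef0d3fb0a4035278efc7043) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/25 16:05:38.0091 2052 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: 2fa7afaa8ef0d3fb0a4035278efc7043, Fake md5: 4a0b06aa8943c1e332520f7440c0aa30
2011/07/25 16:06:09.0153 2052 Backup copy found, using it..
2011/07/25 16:06:09.0694 2052 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - will be cured after reboot
2011/07/25 16:06:09.0694 2052 Rootkit.Win32.TDSS.tdl3(i8042prt) - User select action: Cure
2011/07/25 16:08:07.0954 3748 Deinitialize success
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<msg>.*)$")
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
CURE_RE = re.compile(r"^(?P<path>.+?) - will be cured after reboot$")
VERDICT_RE = re.compile(r"^(?P<verdict>[^(\s]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")


@dataclass
class ForgedFinding:
    path: str
    real_md5: str          # hash of the bytes TDSSKiller read directly from disk
    fake_md5: str          # hash of the bytes the file-system API handed back
    backup_found: bool = False
    cure_pending: bool = False
    verdict: Optional[str] = None
    action: Optional[str] = None


def parse_log(text: str) -> List[ForgedFinding]:
    """Return one ForgedFinding per 'Suspicious file (Forged)' line, folding in the
    follow-up lines (backup, cure, verdict) that TDSSKiller prints after it."""
    findings: List[ForgedFinding] = []
    current: Optional[ForgedFinding] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        f = FORGED_RE.match(msg)
        if f:
            current = ForgedFinding(f.group("path"), f.group("real"), f.group("fake"))
            findings.append(current)
            continue
        if current is None:
            continue
        if msg.startswith("Backup copy found"):
            current.backup_found = True
        elif (c := CURE_RE.match(msg)) and c.group("path") == current.path:
            current.cure_pending = True
        elif (v := VERDICT_RE.match(msg)):
            current.verdict, current.action = v.group("verdict"), v.group("action")
    return findings


def is_forged(fs_view: bytes, disk_view: bytes) -> bool:
    """The check behind the verdict: the same file read through the file-system API
    and read straight from the disk sectors must hash identically; if they differ,
    something is interposed on the read path."""
    return hashlib.md5(fs_view).digest() != hashlib.md5(disk_view).digest()


if __name__ == "__main__":
    for item in parse_log(SAMPLE_LOG):
        print(item)
```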
Old 07-25-2011, 01:45 PM   #11
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, sphenoid12. Yep, the redirects should be gone. Let me know.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard] 
"ShellNext"=-
Save the file as fix.reg and choose Save as type: All Files, then close the Notepad file.
It should look like this:

Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

I see you already have MBAM on your machine.
  • Launch Malwarebytes' Anti-Malware
  • Under the Update tab, click Check for Updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------

Your Java is out of date.

Java(TM) 6 Update 23 can be updated from the Java Control Panel. Go Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.
  • After the install is complete, go back to your Control Panel (using Classic View) and click the Java icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish, then click 'Finish'.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Copy/paste that log as a reply to this topic.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
report on system behavior
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
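As an added example (not the moderator's code), a small dry-run parser for REGEDIT4 files like the fix.reg above: it reports what a merge would do, in particular that `"name"=-` deletes a value and `[-Key]` deletes a whole key, so a fix file can be reviewed before it is double-clicked. It runs on any OS and never touches the registry; the sample is the fix.reg from the post, and the second test input is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The fix.reg from the post above, verbatim (value names carry doubled backslashes
# because .reg syntax escapes backslash and double quote with a backslash).
FIX_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
"ShellNext"=-
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# "name"=data  or  @=data  (the @ form addresses the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


@dataclass
class RegOp:
    op: str                       # "delete_key", "delete_value" or "set_value"
    key: str
    value: Optional[str] = None   # None means the key's (Default) value
    data: Optional[str] = None    # raw data text for set_value, e.g. dword:00000001


def unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> " in value names."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> List[RegOp]:
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing .reg header; regedit would refuse this file")
    ops: List[RegOp] = []
    key: Optional[str] = None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):           # [-HKEY\...] removes the key and subkeys
                ops.append(RegOp("delete_key", body[1:]))
                key = None                     # a deleted key cannot take values
            else:
                key = body
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unparsable line or value outside a key: {line!r}")
        name = unescape(m.group(1)) if m.group(1) is not None else None
        data = m.group(2)
        if data == "-":                        # "name"=- removes that value only
            ops.append(RegOp("delete_value", key, name))
        else:
            ops.append(RegOp("set_value", key, name, data))
    return ops


def describe(ops: List[RegOp]) -> List[str]:
    """Human-readable dry-run summary, one line per operation."""
    out = []
    for o in ops:
        target = o.key if o.op == "delete_key" else f"{o.key} \\ {o.value or '(Default)'}"
        out.append(f"{o.op}: {target}" + (f" = {o.data}" if o.op == "set_value" else ""))
    return out


if __name__ == "__main__":
    print("\n".join(describe(parse_reg(FIX_REG))))
```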
Old 07-26-2011, 02:59 AM   #12
Registered Member
 
Join Date: Jul 2011
Posts: 58
OS: Win 7, Win XP



System Behavior:

No more redirects.
Still getting Win 32 process failure on startup.
Haven't been able to check Windows Update yet, but it also wasn't working before.
We've made great progress. Thanks!!


=========
MBAM:

Malwarebytes' Anti-Malware 1.51.1.1800
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 7278

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/25/2011 9:08:02 PM
mbam-log-2011-07-25 (21-08-02).txt

Scan type: Quick scan
Objects scanned: 197818
Time elapsed: 9 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

==================

ESET Log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=9b80f2c300d2aa4aa00ff191238773d9
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-07-26 02:04:04
# local_time=2011-07-25 10:04:04 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 80758289 80758289 0 0
# compatibility_mode=1538 16774118 20 3 10774366 139251881 0 0
# compatibility_mode=7937 16777214 14 100 0 20066235 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=6789
# found=1
# cleaned=1
# scan_time=254
C:\Documents and Settings\Damian\Application Data\Sun\Java\Deployment\cache\6.0\42\53ba4baa-68132d2d Win32/Adware.XPAntiSpyware.AB application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=9b80f2c300d2aa4aa00ff191238773d9
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-07-26 03:03:16
# local_time=2011-07-25 11:03:16 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 80758799 80758799 0 0
# compatibility_mode=1538 16774118 20 3 10774876 139252391 0 0
# compatibility_mode=7937 16777214 14 100 0 20066745 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=52475
# found=7
# cleaned=0
# scan_time=3306
C:\Documents and Settings\Damian\Application Data\Sun\Java\Deployment\cache\6.0\16\5a187610-35ef7858 a variant of Java/TrojanDownloader.OpenStream.NBF trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Damian\Application Data\Sun\Java\Deployment\cache\6.0\37\5d3445e5-22356b3b multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Damian\Application Data\Sun\Java\Deployment\cache\6.0\39\18b35727-5703f5c7 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Damian\Application Data\Sun\Java\Deployment\cache\6.0\40\3b022968-664f85d9 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Damian\Application Data\Sun\Java\Deployment\cache\6.0\7\2a769347-11d13652 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Damian\Application Data\Sun\Java\Deployment\cache\6.0\7\3c30cc87-67eff04d multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Panda Security\Panda Cloud Antivirus\LostandFound\c_10082H.dll a variant of Win32/Kryptik.NDF trojan (unable to clean) 00000000000000000000000000000000 I
sphenoid12 is offline  
Old 07-26-2011, 12:25 PM   #13
Hello again, sphenoid12. You're welcome. To fix all your problems, you may have to start all over:

Using the Dell Backup and Recovery Manager - KB Article - 370333 | Dell

------------------------------------------------------

Go to Start > Run and copy/paste the following into the Run box and click OK:

cmd /c del /a/f/q "C:\Program Files\Panda Security\Panda Cloud Antivirus\LostandFound\c_10082H.dll"

A DOS window will open and close again; this is normal.

------------------------------------------------------

This will take care of the Java exploits:

Please download Temp File Cleaner and save it to your desktop.
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run it then click 'Run' then 'Start'.
  • Your desktop will disappear; this is normal, and it will return.
  • If prompted, click "Yes" to reboot.
------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

sc stop xleceb

A DOS window will open and close again; this is normal.

Repeat for the following:

sc delete xleceb

Reboot. Is the Win32 error gone?

------------------------------------------------------
chemist is offline  
Old 07-26-2011, 01:00 PM   #14
Actually, Windows Update appears to be working now. I'll post later about the other things.
sphenoid12 is offline  
Old 07-26-2011, 01:17 PM   #15
This is what I was referring to:

Quote:
I copied an old registry set from February 2011 into a special folder and copy it to my to the system32/config folder when I have this issue. I use a special boot CD to let me get to a command prompt to do this. This issue recurs at irregular intervals. Sometimes it does this while I am using the computer: the system will lose internet connectivity. It is then that I know that when I restart I will have to recopy the registry over again, and I can start over. Sometimes I've had to do this multiple times in an hour.
chemist is offline  
Old 07-26-2011, 06:06 PM   #16
Actually, it's been a while since I had to copy the registry over. That issue stopped when you started working with me. Also, since the last 2 steps or so, the Win 32 messages stopped. Perhaps Windows Update helped, as well.

I also completed all of the above steps. My system is now working pretty good. Sometimes it seems like there's a lag to Windows Explorer, but that's about it.

Is there anything else for me to do? I REALLY appreciate your help. :)
sphenoid12 is offline  
Old 07-26-2011, 06:17 PM   #17
Hello again, sphenoid12. You're very welcome! Glad to hear it. If there are no remaining problems...

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

Please disable Panda before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Empty your Recycle Bin if it does not do so automatically.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Also, support is ending for some versions of Windows > Windows End of Support Information - Windows Help & How-to

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well-written article: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download Host.zip and Save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file; this will rename the existing HOSTS file to HOSTS.MVP, then copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
chemist is offline  
Old 07-27-2011, 04:27 PM   #18
Resolved.

Thanks a million! Very professional service! 5/5 stars!

:)
sphenoid12 is offline  
Old 07-27-2011, 04:58 PM   #19
You're very welcome, sphenoid12! Glad to have helped.
chemist is offline  
 
