

Possible Virus (dun-dun-DUN!!)

This is a discussion on Possible Virus (dun-dun-DUN!!) within the Resolved HJT Threads forums, part of the Tech Support Forum category.


Old 10-13-2015, 03:21 PM   #1
Registered Member
 
Join Date: Aug 2011
Posts: 127
OS: Windows XP



Hi, everyone.

So I might have one, maybe not. Anyway, I was web-surfing and suddenly a new tab came up with both visual and audio messages saying something like, "You have a virus! Click here to remove it NAOW!!" Naturally, I simply did "Show Desktop" and ran the Temp File Cleaner to end my surfing session instead.

Still, I'm a-feared that something wormed its way in. So I followed the "Do before posting for malware help", downloaded DDS.scr and ran it, now awaiting instructions if we have to proceed further.

And just in case I don't have a virus, my sincere apologies in advance.

So, the dds.txt log pasted in here first, then the attachment log err...attached.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Keith at 14:41:38 on 2015-10-13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.236 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe
C:\Program Files\Seagate\Seagate Dashboard 2.0\MobileService.exe
C:\Program Files\Novatel Wireless\LTE Support\VZWMSConfig.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} -
TB: WOT: {71576546-354D-41C9-AAE8-31F2EC22BF0D} -
TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} -
uRun: [Uploader] c:\program files\seagate\seagate dashboard 2.0\Seagate.Dashboard.Uploader.exe
mRun: [AmIcoSinglun] c:\program files\amicosinglun\AmIcoSinglun.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
mRun: [DBAgent] "c:\program files\seagate\seagate dashboard 2.0\DBAgent.exe" /WinStart
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\keith\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\keith\application data\leadertech\powerregister\Seagate NA77HH4Z Product Registration.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.72.0.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1350322420296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} -
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\45.0.2454.101\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 0.0.0.0 fr.a2dfp.net
Hosts: 0.0.0.0 m.fr.a2dfp.net
Hosts: 0.0.0.0 mfr.a2dfp.net
Hosts: 0.0.0.0 ad.a8.net
Hosts: 0.0.0.0 asy.a8ww.net
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-4-17 49776]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2014-4-17 208664]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2015-3-18 26096]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-4-17 789296]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-4-17 434184]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-4-20 24016]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-4-17 76000]
R2 avast! Antivirus;Avast Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-4-17 146600]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2012-3-6 54760]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2013-6-28 14624]
R2 Seagate Dashboard Services;Seagate Dashboard Services;c:\program files\seagate\seagate dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [2014-2-10 16000]
R2 Seagate MobileBackup Service;Seagate MobileBackup Service;c:\program files\seagate\seagate dashboard 2.0\MobileService.exe [2014-2-10 157264]
R2 VZWConfigService;VZW Config Service;c:\program files\novatel wireless\lte support\VZWMSConfig.exe [2011-3-21 148016]
R3 aswStmXP;Avast StreamFilter Driver;c:\windows\system32\drivers\aswStmXP.sys [2015-7-13 157888]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2010-4-14 32408]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 HPSupportSolutionsFrameworkService;HP Support Solutions Framework Service;c:\program files\hp\common\HPSupportSolutionsFrameworkService.exe [2014-3-6 49464]
S2 ofcservice;Websensecamreportserver;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.sys [2009-5-8 25600]
S3 DrvAgent32;DrvAgent32;\??\c:\windows\system32\drivers\drvagent32.sys --> c:\windows\system32\drivers\DrvAgent32.sys [?]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [2014-3-6 35256]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 gbalink;GBA Link Driver (gbalink.sys);c:\windows\system32\drivers\gbalink.sys [2010-10-7 19677]
S3 NWRmNet_001;Novatel Wireless Verizon RmNet Network Adapter;c:\windows\system32\drivers\NWRmNet_001.sys [2011-6-14 287744]
S3 NWUSBModem_001;Novatel Wireless Verizon USB Modem Driver;c:\windows\system32\drivers\nwusbmdm_001.sys [2011-6-14 176384]
S3 NWUSBPort_001;Novatel Wireless Verizon USB Status Port Driver;c:\windows\system32\drivers\nwusbser_001.sys [2011-6-14 176384]
S3 NWUSBPort2_001;Novatel Wireless Verizon USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2_001.sys [2011-6-14 176384]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2012-6-13 54416]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2012-6-13 160272]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2012-6-13 160272]
S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2012-6-13 11920]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2012-6-13 113680]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== File Associations ===============
.
ShellExec: Cdj.exe: null="c:\program files\padus\discjuggler\Cdj.exe"
.
=============== Created Last 30 ================
.
2015-09-26 05:57:12 43112 ----a-w- c:\windows\avastSS.scr
.
==================== Find3M ====================
.
2015-10-11 15:55:11 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-10-11 15:52:18 121560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-09-26 05:57:17 157888 ----a-w- c:\windows\system32\drivers\aswStmXP.sys
2015-09-26 05:57:16 76000 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2015-09-26 05:57:16 49776 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2015-09-26 05:57:16 24016 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2015-09-26 05:57:16 208664 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2015-09-26 05:57:05 789296 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2015-09-26 05:57:05 26096 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2015-09-23 02:36:13 780488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-09-23 02:36:13 142536 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 14:42:27.60 ===============
Attached Files
File Type: txt attach.txt (530.7 KB, 49 views)
KeithEKimball is offline  
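Helpers read a DDS log like the one above line by line, and the formats are regular enough to parse. What follows is an added example, not part of DDS, of the thread, or of any tool named in it: a small Python parser for the line shapes DDS uses for Run keys, Startup-folder items, Hosts entries and services/drivers, with three first-read triage heuristics: a service whose binary DDS could not find on disk (the `[?]` marker on the DrvAgent32 line above), a service hosted by svchost.exe (DDS shows only the host process, so the service's ServiceDll has to be looked up separately), and an autorun that starts from a user-writable location. The sample lines are copied from the log above, except the `update.example.com` hosts line, which is constructed to exercise the redirect case. The flags are prompts for a human, not verdicts: the Seagate registration reminder is flagged only because it lives under Application Data, and nothing in the thread says any of these entries is malicious.

```python
import re
from dataclasses import dataclass, field

# Line formats used by DDS in the "Pseudo HJT Report" and "SERVICES / DRIVERS"
# sections. Prefixes: uRun = HKCU, mRun = HKLM, dRun = HKU\.DEFAULT;
# services: R = running, S = stopped, digit = start group.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<group>\d) (?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.*) \[(?P<info>[^\]]*)\]$"
)
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.+?) - (?P<target>.+)$")

HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}
LOCAL_IPS = ("0.0.0.0", "127.0.0.1", "::1")
# Heuristic (our own, not a DDS rule): directories an ordinary autorun rarely starts from.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Entry:
    kind: str
    name: str
    detail: str
    flags: list = field(default_factory=list)


def _flag_location(entry, command):
    low = command.lower()
    if any(p in low for p in USER_WRITABLE):
        entry.flags.append("starts from a user-writable location")


def parse_line(line):
    """Return an Entry for a recognised DDS line, or None for anything else."""
    line = line.rstrip()
    m = SERVICE_RE.match(line)
    if m:
        e = Entry("service", m["name"], m["path"])
        if m["info"] == "?":
            # DDS prints [?] instead of "date size" when it could not stat the
            # file named in the service's ImagePath.
            e.flags.append("binary not found on disk")
        if "svchost.exe -k" in m["path"].lower():
            # svchost.exe is only the host; the service code is the DLL named in
            # the service's Parameters\ServiceDll value, which this line omits.
            e.flags.append("svchost-hosted: check ServiceDll separately")
        return e
    m = HOSTS_RE.match(line)
    if m:
        e = Entry("hosts", m["host"], m["ip"])
        if m["ip"] not in LOCAL_IPS:
            # 0.0.0.0 / 127.0.0.1 entries block a name (ad-block style lists);
            # any other address silently redirects it and must be explained.
            e.flags.append("redirects to " + m["ip"])
        return e
    m = RUN_RE.match(line)
    if m:
        e = Entry("run:" + HIVES[m["hive"]], m["name"], m["cmd"])
        _flag_location(e, m["cmd"])
        return e
    m = STARTUP_RE.match(line)
    if m:
        e = Entry("startup-folder", m["lnk"], m["target"])
        _flag_location(e, m["target"])
        return e
    return None


def triage(text):
    """Parse every recognised line and return the entries that carry a flag."""
    flagged = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None and e.flags:
            flagged.append(e)
    return flagged


# Sample input: lines copied from the DDS log in this thread, plus one
# constructed hosts line (update.example.com) to exercise the redirect case.
SAMPLE_LOG = r"""
uRun: [Uploader] c:\program files\seagate\seagate dashboard 2.0\Seagate.Dashboard.Uploader.exe
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\keith\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\keith\application data\leadertech\powerregister\Seagate NA77HH4Z Product Registration.exe
Hosts: 0.0.0.0 fr.a2dfp.net
Hosts: 0.0.0.0 ad.a8.net
Hosts: 192.0.2.10 update.example.com
R2 avast! Antivirus;Avast Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-4-17 146600]
S2 ofcservice;Websensecamreportserver;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S3 DrvAgent32;DrvAgent32;\??\c:\windows\system32\drivers\drvagent32.sys --> c:\windows\system32\drivers\DrvAgent32.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:16} {e.name}: {'; '.join(e.flags)}")
```

Run as a script it prints the five flagged entries; the two 0.0.0.0 hosts lines stay silent because they only block a name, which is what the helper's "multiple HOSTS entries found" note is pointing at, not a redirect.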
 
Old 10-14-2015, 09:47 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Cleaning
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  • With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:


  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done.
  • ComboFix may reboot your machine. This is normal.
  • When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 10-14-2015, 09:13 PM   #3
Registered Member
 
Join Date: Aug 2011
Posts: 127
OS: Windows XP



Hi! First, thanks for your help; I appreciate it.

Next, the AdwCleaner log as requested:
# AdwCleaner v5.013 - Logfile created 14/10/2015 at 20:34:13
# Updated 09/10/2015 by Xplode
# Database : 2015-10-04.3 [Local]
# Operating system : Microsoft Windows XP Service Pack 3 (x86)
# Username : Keith - KIMBALL-PC
# Running from : C:\Documents and Settings\Keith\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : Forum - ToolsLib

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Documents and Settings\Charles\Application Data\Yahoo!\Companion

***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\YMERemote.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CCC052E-BDEE-408A-BEA7-90914EF2964B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{525F116F-04AD-40A2-AE2F-A0C4E1AFEF98}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{61F47056-E400-43D3-AF1E-AB7DFFD4C4AD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9852A670-F845-491B-9BE6-EBD841B8A613}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{ACE4747B-35BD-4E97-9DD7-1D4245B0695C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CE77C59C-CFD2-429F-868C-8B04D23F94CA}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E2B98EEA-EE55-4E9B-A8C1-6E5288DF785A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F544E0F5-CA3C-47EA-A64D-35FCF1602396}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8233093C-178B-484B-979E-3C6B5B147DBC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B722ED8B-0B38-408E-BB89-260C73BCF3D4}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{21FA44EF-376D-4D53-9B0F-8A89D3229068}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{21FA44EF-376D-4D53-9B0F-8A89D3229068}
[-] Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{21FA44EF-376D-4D53-9B0F-8A89D3229068}]
[-] Key Deleted : HKLM\SOFTWARE\Yahoo\Companion

***** [ Web browsers ] *****

[-] [C:\Documents and Settings\Lois\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Documents and Settings\Lois\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2649 bytes] ##########


Finally, the ComboFix log as requested:
ComboFix 15-10-09.01 - Keith 10/14/2015 20:48:32.32.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.521 [GMT -7:00]
Running from: c:\documents and settings\Keith\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Keith\Recent\Thumbs.db
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2015-09-15 to 2015-10-15 )))))))))))))))))))))))))))))))
.
.
2015-10-15 03:30 . 2015-10-15 03:34 -------- d-----w- C:\AdwCleaner
2015-09-26 05:57 . 2015-09-26 05:57 313472 ----a-w- c:\windows\system32\aswBoot.exe
2015-09-26 05:57 . 2015-09-26 05:57 43112 ----a-w- c:\windows\avastSS.scr
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-10-11 15:55 . 2015-07-27 03:36 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-10-11 15:52 . 2015-07-27 03:34 121560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-09-26 05:57 . 2015-07-14 03:04 157888 ----a-w- c:\windows\system32\drivers\aswStmXP.sys
2015-09-26 05:57 . 2014-04-17 17:52 57888 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2015-09-26 05:57 . 2014-04-20 10:40 24016 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2015-09-26 05:57 . 2014-04-17 17:52 76000 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2015-09-26 05:57 . 2014-04-17 17:52 49776 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2015-09-26 05:57 . 2014-04-17 17:52 434184 ----a-w- c:\windows\system32\drivers\aswSP.sys
2015-09-26 05:57 . 2014-04-17 17:52 208664 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2015-09-26 05:57 . 2014-04-17 17:52 55200 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2015-09-26 05:57 . 2015-03-18 23:44 26096 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2015-09-26 05:57 . 2014-04-17 17:52 789296 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2015-09-23 02:36 . 2013-02-05 18:22 780488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-09-23 02:36 . 2011-09-22 21:51 142536 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-09-26 05:57 696120 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uploader"="c:\program files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe" [2014-02-10 126056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AmIcoSinglun"="c:\program files\AmIcoSingLun\AmIcoSinglun.exe" [2009-04-10 237568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-06 13578240]
"nwiz"="nwiz.exe" [2009-07-06 1630208]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-09-26 6134544]
"DBAgent"="c:\program files\Seagate\Seagate Dashboard 2.0\DBAgent.exe" [2014-02-10 1519176]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2015-04-11 271744]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Lois\Start Menu\Programs\Startup\
OpenOffice 4.0.0.lnk - c:\program files\OpenOffice 4\program\quickstart.exe [2014-7-29 117248]
OpenOffice 4.0.1.lnk - c:\program files\OpenOffice 4\program\quickstart.exe [2014-7-29 117248]
OpenOffice 4.1.1.lnk - c:\program files\OpenOffice 4\program\quickstart.exe [2014-7-29 117248]
.
c:\documents and settings\Keith\Start Menu\Programs\Startup\
Seagate NA77HH4Z Product Registration.lnk - c:\documents and settings\Keith\Application Data\Leadertech\PowerRegister\Seagate NA77HH4Z Product Registration.exe /remind /language=ENU /SRNM="NA77HH4Z" /BRND="Seagate" /BDSR="Seagate NA77HH4Z" /loadsrnm="NA77HH4Z" [2014-10-3 3423744]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
"SoftwareSASGeneration"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Keith^Start Menu^Programs^Startup^Seagate NA77HH4Z Product Registration.lnk]
path=c:\documents and settings\Keith\Start Menu\Programs\Startup\Seagate NA77HH4Z Product Registration.lnk
backup=c:\windows\pss\Seagate NA77HH4Z Product Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-10-28 02:17 207424 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DBAgent]
2014-02-10 20:49 1519176 ----a-w- c:\program files\Seagate\Seagate Dashboard 2.0\DBAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-06-10 03:55 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nikon Message Center 2]
2010-05-26 02:16 619008 ----a-w- c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 10:59 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2008-07-17 20:10 888832 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2008-04-15 11:41 1040384 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2015-04-11 01:44 271744 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uploader]
2014-02-10 20:55 126056 ----a-w- c:\program files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Seagate Dashboard Services"=3 (0x3)
"Seagate MobileBackup Service"=3 (0x3)
"ACDaemon"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [4/17/2014 10:52 AM 49776]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [4/17/2014 10:52 AM 208664]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [3/18/2015 4:44 PM 26096]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/17/2014 10:52 AM 789296]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/17/2014 10:52 AM 434184]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [4/20/2014 3:40 AM 24016]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [4/17/2014 10:52 AM 76000]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [6/28/2013 5:48 PM 14624]
R2 Seagate Dashboard Services;Seagate Dashboard Services;c:\program files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [2/10/2014 1:50 PM 16000]
R2 Seagate MobileBackup Service;Seagate MobileBackup Service;c:\program files\Seagate\Seagate Dashboard 2.0\MobileService.exe [2/10/2014 1:51 PM 157264]
R2 VZWConfigService;VZW Config Service;c:\program files\Novatel Wireless\LTE Support\VZWMSConfig.exe [3/21/2011 12:41 PM 148016]
R3 aswStmXP;Avast StreamFilter Driver;c:\windows\system32\drivers\aswStmXP.sys [7/13/2015 8:04 PM 157888]
S2 HPSupportSolutionsFrameworkService;HP Support Solutions Framework Service;c:\program files\HP\Common\HPSupportSolutionsFrameworkService.exe [3/6/2014 3:47 PM 49464]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [10/23/2013 8:15 AM 172192]
S3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.sys [5/8/2009 6:15 PM 25600]
S3 DrvAgent32;DrvAgent32;\??\c:\windows\system32\Drivers\DrvAgent32.sys --> c:\windows\system32\Drivers\DrvAgent32.sys [?]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [3/6/2014 4:42 PM 35256]
S3 gbalink;GBA Link Driver (gbalink.sys);c:\windows\system32\drivers\gbalink.sys [10/7/2010 12:22 AM 19677]
S3 NWRmNet_001;Novatel Wireless Verizon RmNet Network Adapter;c:\windows\system32\drivers\NWRmNet_001.sys [6/14/2011 6:47 PM 287744]
S3 NWUSBModem_001;Novatel Wireless Verizon USB Modem Driver;c:\windows\system32\drivers\nwusbmdm_001.sys [6/14/2011 6:47 PM 176384]
S3 NWUSBPort_001;Novatel Wireless Verizon USB Status Port Driver;c:\windows\system32\drivers\nwusbser_001.sys [6/14/2011 6:47 PM 176384]
S3 NWUSBPort2_001;Novatel Wireless Verizon USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2_001.sys [6/14/2011 6:47 PM 176384]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [6/13/2012 3:07 PM 54416]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [6/13/2012 3:07 PM 160272]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [6/13/2012 3:07 PM 160272]
S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [6/13/2012 3:07 PM 11920]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [6/13/2012 3:07 PM 113680]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [4/14/2010 8:29 PM 32408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-09-28 07:00 997704 ----a-w- c:\program files\Google\Chrome\Application\45.0.2454.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-10-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-04-17 02:36]
.
2015-10-11 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 1050 J410 series\Bin\HPCustPartic.exe [2010-11-17 04:12]
.
2015-10-15 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 1050 J410 series\Bin\HPCustPartic.exe [2010-11-17 04:12]
.
2015-10-13 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 1050 J410 series\Bin\HPCustPartic.exe [2010-11-17 04:12]
.
2015-10-13 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 1050 J410 series\Bin\HPCustPartic.exe [2010-11-17 04:12]
.
2015-10-15 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2015-09-26 05:57]
.
2015-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-11-11 21:47]
.
2015-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-11-11 21:47]
.
2015-04-13 c:\windows\Tasks\Keith DBAgent 2 0.job
- c:\program files\Seagate\Seagate Dashboard 2.0\DBAgent.exe [2014-02-10 20:49]
.
2015-10-15 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-06 01:59]
.
2015-08-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-06 01:59]
.
2015-04-13 c:\windows\Tasks\Seagate_Install_Launch.job
- c:\program files\Seagate\Seagate Dashboard 2.0\Dashboard.exe [2014-02-10 20:50]
.
2015-10-15 c:\windows\Tasks\User_Feed_Synchronization-{68CC664A-8B08-489C-AB81-0442CFA2E441}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2015-10-14 20:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\avast! sandbox
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1078081533-1844823847-1801674531-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_185_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_185_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2015-10-14 21:00:25
ComboFix-quarantined-files.txt 2015-10-15 04:00
ComboFix2.txt 2015-10-11 16:52
.
Pre-Run: 270,015,631,360 bytes free
Post-Run: 270,060,826,624 bytes free
.
- - End Of File - - 44AC8C8CB3CE0DAEFD70C1B8FD114E92
8F558EB6672622401DA993E1E865C861


Allrighty, tell me what's on tap next.
Old 10-15-2015, 06:02 AM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, KeithEKimball. You're very welcome! How is the machine behaving? Any more tabs opening telling you your machine is infected?

Did you know you have no system restore points? Did you turn off System Restore on your machine?

------------------------------------------------------

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Double-click mbam-setup-2.2.0.1024.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish
  • At the end of the installation, a database update will be performed.
  • Click on Scan Now
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
  • In most cases, a restart will be required and a prompt will be shown.
  • Wait for the prompt to restart the computer to appear, then click on Yes
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double-click on the Scan Log which shows the Date and Time of the scan just performed.
  • Click Export
  • Click Text file (*.txt)
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named File Saved should appear stating "Your file has been successfully exported".
  • Click Ok
  • Post that saved log in your next reply.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'Run ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan. Here's how
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Once the components have downloaded, tick the option Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked:
    • Scan Archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
  • Save that text file to your desktop, and then copy/paste the contents in your next reply.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
report on system behavior
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 10-15-2015, 11:02 PM   #5
KeithEKimball (Registered Member)

Hi!

So, first, I did NOT know that I don't have any System Restore points. How do I enable those?

Second, here is the Malwarebytes log.
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/15/2015
Scan Time: 4:45:32 PM
Logfile: malwarebytes log.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.10.15.05
Rootkit Database: v2015.10.06.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Keith

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 522752
Time Elapsed: 2 hr, 22 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Finally, I ran the ESET with the option to Remove Threats unchecked (and all my USB drives plugged in and all that). However, ESET didn't find any threats and didn't seem to generate a log. However, if I need to rerun ESET, I can definitely do that.

Okay, let me know what to do next!
Old 10-15-2015, 11:30 PM   #6
KeithEKimball (Registered Member)

Oh, I forgot to report on system behavior before.

So I haven't seen anything odd since that initial tab popping up claiming I had a virus before. Except maybe those System Restore points. But what do I know? So I came here.
Old 10-16-2015, 08:59 AM   #7
chemist (Security Team, Moderator, Analyst, Rangemaster, TSF Academy, Microsoft Most Valuable Professional)

Hello again, KeithEKimball. You're very welcome! Glad to hear it's running well again.

https://support.microsoft.com/en-us/kb/310405

Once done, please run dds again, and post/attach the logs as before.

------------------------------------------------------
Old 10-16-2015, 04:51 PM   #8
KeithEKimball (Registered Member)

Hi!

Perhaps I spoke too soon on system behavior. So I tried to log onto Verizon/the web and check this board and my computer just locked up. I'm staring at the Bing homepage for about twenty minutes, no response to any keyboard or mouse clicks to see if anything's moving. I finally had to just hold the power button in until the system rebooted.

Once it rebooted and I had signed in to the computer as my user name, I saw that now all Hidden Files were visible on the desktop. I went back into "Folder View Options" and found both regular Hidden Files and Protected System Files were set to visible; as well as "Hide Known File Extensions" was also unchecked. I checked them all and ran Temp File Cleaner, which reported it cleaned a whopping 101 mb total of data. This was the first time I'd used this computer today.

By the way, as Microsoft ended support for Windows XP, I have automatic system updates turned off completely.

Even stranger: I followed the instructions in the previous post about reactivating System Restore. According to my computer, System Restore points were NOT off to start with. I turned it off, then right back on just in case.

Anyway, I ran dds again too. Here's the DDS log, and attached please find the second log:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Keith at 16:40:40 on 2015-10-16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.373 [GMT -7:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe
C:\Program Files\Seagate\Seagate Dashboard 2.0\MobileService.exe
C:\Program Files\Novatel Wireless\LTE Support\VZWMSConfig.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} -
TB: WOT: {71576546-354D-41C9-AAE8-31F2EC22BF0D} -
TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} -
uRun: [Uploader] c:\program files\seagate\seagate dashboard 2.0\Seagate.Dashboard.Uploader.exe
mRun: [AmIcoSinglun] c:\program files\amicosinglun\AmIcoSinglun.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
mRun: [DBAgent] "c:\program files\seagate\seagate dashboard 2.0\DBAgent.exe" /WinStart
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\keith\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\keith\application data\leadertech\powerregister\Seagate NA77HH4Z Product Registration.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.72.0.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1350322420296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} -
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\45.0.2454.101\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-4-17 49776]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2014-4-17 208664]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2015-3-18 26096]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-4-17 789296]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-4-17 434184]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-4-20 24016]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-4-17 76000]
R2 avast! Antivirus;Avast Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-4-17 146600]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2012-3-6 54760]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2013-6-28 14624]
R2 Seagate Dashboard Services;Seagate Dashboard Services;c:\program files\seagate\seagate dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [2014-2-10 16000]
R2 Seagate MobileBackup Service;Seagate MobileBackup Service;c:\program files\seagate\seagate dashboard 2.0\MobileService.exe [2014-2-10 157264]
R2 VZWConfigService;VZW Config Service;c:\program files\novatel wireless\lte support\VZWMSConfig.exe [2011-3-21 148016]
R3 aswStmXP;Avast StreamFilter Driver;c:\windows\system32\drivers\aswStmXP.sys [2015-7-13 157888]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2015-10-15 23256]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 HPSupportSolutionsFrameworkService;HP Support Solutions Framework Service;c:\program files\hp\common\HPSupportSolutionsFrameworkService.exe [2014-3-6 49464]
S2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2015-10-15 1135416]
S2 ofcservice;Websensecamreportserver;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.sys [2009-5-8 25600]
S3 DrvAgent32;DrvAgent32;\??\c:\windows\system32\drivers\drvagent32.sys --> c:\windows\system32\drivers\DrvAgent32.sys [?]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [2014-3-6 35256]
S3 eapihdrv;eapihdrv;\??\c:\docume~1\keith\locals~1\temp\ehdrv.sys --> c:\docume~1\keith\locals~1\temp\ehdrv.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 gbalink;GBA Link Driver (gbalink.sys);c:\windows\system32\drivers\gbalink.sys [2010-10-7 19677]
S3 NWRmNet_001;Novatel Wireless Verizon RmNet Network Adapter;c:\windows\system32\drivers\NWRmNet_001.sys [2011-6-14 287744]
S3 NWUSBModem_001;Novatel Wireless Verizon USB Modem Driver;c:\windows\system32\drivers\nwusbmdm_001.sys [2011-6-14 176384]
S3 NWUSBPort_001;Novatel Wireless Verizon USB Status Port Driver;c:\windows\system32\drivers\nwusbser_001.sys [2011-6-14 176384]
S3 NWUSBPort2_001;Novatel Wireless Verizon USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2_001.sys [2011-6-14 176384]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2012-6-13 54416]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2012-6-13 160272]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2012-6-13 160272]
S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2012-6-13 11920]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2012-6-13 113680]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2010-4-14 32408]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== File Associations ===============
.
ShellExec: Cdj.exe: null="c:\program files\padus\discjuggler\Cdj.exe"
.
=============== Created Last 30 ================
.
2015-10-15 23:05:06 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2015-10-15 23:05:06 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2015-10-15 03:43:05 98816 ----a-w- c:\windows\sed.exe
2015-10-15 03:43:05 256000 ----a-w- c:\windows\PEV.exe
2015-10-15 03:43:05 208896 ----a-w- c:\windows\MBR.exe
2015-10-15 03:30:11 -------- d-----w- C:\AdwCleaner
2015-09-26 05:57:12 43112 ----a-w- c:\windows\avastSS.scr
.
==================== Find3M ====================
.
2015-10-16 04:35:09 780488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-10-16 04:35:09 142536 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-10-16 04:05:51 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-10-05 16:50:10 121560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-09-26 05:57:17 157888 ----a-w- c:\windows\system32\drivers\aswStmXP.sys
2015-09-26 05:57:16 76000 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2015-09-26 05:57:16 49776 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2015-09-26 05:57:16 24016 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2015-09-26 05:57:16 208664 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2015-09-26 05:57:05 789296 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2015-09-26 05:57:05 26096 ----a-w- c:\windows\system32\drivers\aswKbd.sys
.
============= FINISH: 16:40:50.93 ===============
Attached Files: attach2.txt (23.8 KB)
Old 10-16-2015, 07:17 PM   #9
chemist (Security Team, Moderator, Analyst, Rangemaster, TSF Academy, Microsoft Most Valuable Professional)

Hello again, KeithEKimball. Have you tried rebooting again to see if you get the same behavior?

No System Restore points are showing in the Attach.txt log. Let's check something:

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
if exist peek.txt del /q peek.txt
regedit /a peek.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr" 
notepad peek.txt
del %0
Save this as peek.bat (set "Save as type" to All Files) to your desktop, then close the Notepad file.
It should look like this:

Double-click on peek.bat and allow it to run. A Notepad file will open. Copy/paste that information into your next reply, please.

------------------------------------------------------
Old 10-17-2015, 02:19 PM   #10
KeithEKimball (Registered Member)

'allo, 'allo!

Yeah, I always turn my computer off/reboot when I'm done to save electricity. The next time I turned my computer on, which would be right now, I did NOT have any lockups or big problems. Huh. Hey, if TFC cleaned all of that up, I'm happy.

So I did the "peek.bat" thing as requested, here is the result:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Type"=dword:00000002
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"Tag"=dword:00000004
"ImagePath"=hex(2):73,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,73,72,2e,\
73,79,73,00
"DisplayName"="System Restore Filter Driver"
"Group"="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
"FirstRun"=dword:00000001
"DontBackup"=dword:00000000
"MachineGuid"="{C73F66B0-12CF-4922-8D39-F98DDC6862EE}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Enum]
"0"="Root\\LEGACY_SR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Also, uh, I don't know if this is related, but I've had one specific registry problem here for a long time. When using Windows Picture Viewer to see a .jpg, there's a menu at the bottom of the screen with the option "close window and open file for editing". It's supposed to open the same image in Paint. It doesn't. It shuts down Windows Picture Viewer and doesn't open anything. I've tried to fix this and haven't been able to do so. Any help there would be wonderful.

I have to go do my grocery shopping now so please don't be offended if I don't reply for a few hours. possibly days....just kidding; hours.
Old 10-17-2015, 08:54 PM   #11
chemist (Security Team, Moderator, Analyst, Rangemaster, TSF Academy, Microsoft Most Valuable Professional)

Hello again, KeithEKimball. Not sure about the PicViewer/Paint problem. You may have to seek help in one of our other forums when we are done here.

Is this a business computer? Is this computer managed by another computer using Windows Remote Management?

------------------------------------------------------

What happens if you try to create a system restore point?

Go Start > All Programs > Accessories > System Tools > System Restore.

Click 'Create a restore point' and click 'Next'. Give it a name, like 'test', and click 'Create'.

If successful, you will get a message 'Restore Point Created'. Click 'Close'.

Let me know if you were successful.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the quotebox below into Notepad:

Code:
@echo off
if exist peek*.txt del /q peek*.txt
if exist look.txt del /q look.txt
regedit /a peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
regedit /a peek2.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore"
regedit /a peek3.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
type peek*.txt > look.txt
notepad look.txt
del peek*.txt
del %0
Save this as peek.bat (set "Save as type" to All Files) to your desktop, then close the Notepad file.
It should look like this:

Double-click on peek.bat and allow it to run. A Notepad file will open. Copy/paste that information into your next reply, please. Please delete the file afterwards.

------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c peV -ltf "%systemdrive%\sr.sys" "%systemdrive%\DrvAgent32.sys" >log.txt&log.txt&del log.txt

A Notepad file will open. Post the contents of log.txt in your next reply.

------------------------------------------------------
Old 10-20-2015, 01:37 AM   #12
KeithEKimball (Registered Member)

Hi!

First, my apologies for taking so long to get back to the computer. Had a family medical emergency; thankfully it turned out to be minor in the end but I spent a lot of the weekend waiting in the emergency room.

Anyway, I'll check out the Windows Picture Viewer thing on another part of the forum; I apologize for bringing it up here. I just wasn't sure if that was virus related or not.

So, to answer all of your requests:

1.) Is this a business computer? Nope, not at all. It shouldn't have any network connections to other computers at all (save Verizon wireless for the internet.)

2.) Can I create a System Restore point? Apparently not. If I go through Start\All Programs\etc., I get a little window saying, "System Restore is not able to protect your computer. Please restart your computer, and then run System Restore again." I clicked OK in it.

If, as you suggested in an earlier post, I right-click My Computer and check out the System Restore option there, I find the box "Turn OFF System Restore" is UNticked. I deliberately TICKED the box, said "Apply", Close, then went back in and UNticked it again. That should mean System Restore is ON now, right?

Also by right-clicking My Computer, I can bring up a tab saying "Remote". There's the option to Allow Remote Assistance invitations to be sent from this computer, but it is UNticked. Which is fine as I don't want anybody to connect without my permission.

3.) Did the Peek.bat thing, here is the result:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000143
"NoDriveAutoRun"=dword:03ffffff
"NoDrives"=dword:00000000

4.) Did the cmd/c pv thing. Here is the very little content of the log file:

Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0

Man, do I hope any of this makes sense to you, as it is far over my head.
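The two peek.bat runs above (posts #10 and #12) hand back REGEDIT4 text that has to be read by eye. As an added example that is not from this thread or any of the tools it uses, the Python helper below parses such an export, decodes the dword and hex(2) values, summarises how the sr filter driver is registered (Start 0 is boot start, Type 2 is a file system driver) and expands the NoDriveAutoRun mask into drive letters. The embedded export is constructed from the values shown in those two posts.

```python
import re
from typing import Dict, Iterator, Union

RegValue = Union[int, str, bytes]

# Constructed sample input: the sr service key and the Explorer policies key,
# carrying the values that the peek.bat exports in this thread showed.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Type"=dword:00000002
"Start"=dword:00000000
"ImagePath"=hex(2):73,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,73,72,2e,\
  73,79,73,00
"DisplayName"="System Restore Filter Driver"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000143
"NoDriveAutoRun"=dword:03ffffff
"NoDrives"=dword:00000000
"""

SR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr"
EXPLORER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Service "Start" codes (SERVICE_BOOT_START .. SERVICE_DISABLED) and the
# "Type" codes that matter here (kernel driver, file system driver, processes).
START_NAMES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
TYPE_NAMES = {1: "Kernel driver", 2: "File system driver", 16: "Own process", 32: "Shared process"}

# A value line: "name"=data or @=data (the key's default value).
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(text: str) -> str:
    """Undo the REGEDIT4 escaping of backslash and double quote."""
    return text.replace('\\"', '"').replace("\\\\", "\\")


def _logical_lines(text: str) -> Iterator[str]:
    """Yield lines with hex continuations (trailing backslash) joined back together."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        yield line
    if pending:
        yield pending


def _parse_value(raw: str) -> RegValue:
    """Decode one exported value: dword -> int, hex(2) -> str, hex -> bytes, "..." -> str."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex"):
        # "hex:" is REG_BINARY; "hex(N):" stores another type as raw bytes,
        # and hex(2) is REG_EXPAND_SZ exported as NUL-terminated ANSI text.
        kind, _, payload = raw.partition(":")
        data = bytes(int(b, 16) for b in payload.split(",") if b)
        return data.decode("cp1252").rstrip("\x00") if kind == "hex(2)" else data
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    return raw  # unknown form: keep the text so nothing is silently dropped


def parse_regedit4(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse a REGEDIT4 export into {key path: {value name: decoded value}}."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in _logical_lines(text):
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = _VALUE_RE.match(line)
        if match and current is not None:
            name = "@" if match.group(1) is None else _unescape(match.group(1))
            keys[current][name] = _parse_value(match.group(2))
    return keys


def service_summary(values: Dict[str, RegValue]) -> Dict[str, str]:
    """Describe how a service or driver is registered, from its key's values."""
    start, stype = values.get("Start"), values.get("Type")
    return {
        "display": str(values.get("DisplayName", "")),
        "start": f"{START_NAMES.get(start, 'unknown')} ({start})",
        "type": f"{TYPE_NAMES.get(stype, 'unknown')} ({stype})",
        "image": str(values.get("ImagePath", "")),
    }


def autorun_disabled_letters(mask: int) -> str:
    """NoDriveAutoRun is a 26-bit mask of drive letters: bit 0 = A:, bit 25 = Z:."""
    return "".join(chr(ord("A") + i) for i in range(26) if (mask >> i) & 1)
```

Running `service_summary(parse_regedit4(SAMPLE_EXPORT)[SR_KEY])` on the sample reports the driver as boot-started from system32\DRIVERS\sr.sys, which is what a healthy System Restore filter looks like on XP.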
Old 10-20-2015, 05:43 AM   #13
chemist (Security Team, Moderator, Analyst, Rangemaster, TSF Academy, Microsoft Most Valuable Professional)

Hello again, KeithEKimball. Yes, System Restore should be on after doing what you did.

No need to apologize for bringing up the PicViewer/Paint problem.

------------------------------------------------------

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it. (Vista/Win7/Win8 users, right-click > Run as administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
    Code:
    :filefind
    sr.sys
    DrvAgent32.sys
    
    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore /s
    HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore /s
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /s
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

------------------------------------------------------
Old 10-20-2015, 03:15 PM   #14
KeithEKimball (Registered Member)

Hello!

Downloaded and ran SystemLook without a hitch, here's the log.
SystemLook 30.07.11 by jpshortstuff
Log created at 15:11 on 20/10/2015 by Keith
Administrator - Elevation successful

========== filefind ==========

Searching for "sr.sys"
C:\WINDOWS\system32\dllcache\sr.sys --a--c- 73472 bytes [19:48 02/02/2010] [12:00 14/04/2008] 76BB022C2FB6902FD5BDD4F78FC13A5D
C:\WINDOWS\system32\drivers\sr.sys --a---- 73472 bytes [19:48 02/02/2010] [12:00 14/04/2008] 76BB022C2FB6902FD5BDD4F78FC13A5D

Searching for "DrvAgent32.sys"
No files found.

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
(Unable to open key - key not found)

[HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore]
(Unable to open key - key not found)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"= 0x0000000143 (323)
"NoDriveAutoRun"= 0x0003ffffff (67108863)
"NoDrives"= 0x0000000000 (0)


-= EOF =-
Old 10-20-2015, 06:56 PM   #15
chemist (Security Team, Moderator, Analyst, Rangemaster, TSF Academy, Microsoft Most Valuable Professional)

Hello again, verstellung77. Scroll down to and download sr.reg from here and save it to your desktop:

https://download.bleepingcomputer.com...ices/xp/sr.reg

Double-click on sr.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

Reboot your machine. Are you able to create a system restore point now? Let me know.

------------------------------------------------------
Old 10-20-2015, 10:10 PM   #16
KeithEKimball (Registered Member)

Hi, Chemist!

Uh...verstellung77? Were you thinking of somebody else?

Anyway, I downloaded and ran the sr.reg. Rebooted and tried to make a new System Restore point (via Start, Accessories).

Nothing. Just that little window saying System Restore cannot protect my computer again.
Old 10-21-2015, 05:13 AM   #17
chemist (Security Team, Moderator, Analyst, Rangemaster, TSF Academy, Microsoft Most Valuable Professional)

Hello again, KeithEKimball. Yeah, sorry about that.

When running sr.reg, were you prompted to merge/add it to the registry?
  • Double-click SystemLook.exe to run it. (Vista/Win7/Win8 users, right-click > Run as administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
    Code:
    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore /s
    HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore /s
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /s
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

chemist is offline  
Old 10-22-2015, 12:06 AM   #18
Registered Member
 
Join Date: Aug 2011
Posts: 127
OS: Windows XP



Hi!

Yep, back on Oct. 20th, sr.reg worked just fine. After it opened, I put in the copy-pasted info you asked, hit "Change", sr.reg asked if I wanted to change, and I said yes.

However, I deleted the sr.reg program after my computer rebooted; I was afraid of a registry-changing program just sitting around.

So when I got your instructions tonight, I thought, "No problem, I'll just redownload it from the same link." It seemed to work, but instead of opening up a box to insert data into, it jumps right to the "Do you want to change your registry?" screen. I said "No". I downloaded sr.reg again and got the same thing.

Dang, I'm really messing this up, huh?
KeithEKimball is offline  
Old 10-22-2015, 05:18 AM   #19
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, KeithEKimball. SystemLook is a different program; you ran it a couple of days ago, so it should still be on your desktop.

I wanted you to run SystemLook again like the instructions in post #13 above, except with slightly different data.

chemist is offline  
Old 10-22-2015, 04:07 PM   #20
Registered Member
 
Join Date: Aug 2011
Posts: 127
OS: Windows XP



Hello!

D'oh!! You're right; I was doing the wrong program.


Sooo....here's the updated SystemLook log.

SystemLook 30.07.11 by jpshortstuff
Log created at 16:07 on 22/10/2015 by Keith
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
(Unable to open key - key not found)

[HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore]
(Unable to open key - key not found)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"= 0x0000000143 (323)
"NoDriveAutoRun"= 0x0003ffffff (67108863)
"NoDrives"= 0x0000000000 (0)


-= EOF =-
KeithEKimball is offline  
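As an added example for reading the SystemLook `:reg` output posted above (this is added here and is not code from SystemLook, the forum, or either poster), the following Python parses the `:reg` block into key/value pairs and decodes the `NoDriveTypeAutoRun` bitmask into the Win32 drive types it covers. The sample log is a constructed copy of the block above. On that input it reports that 0x143 disables AutoRun only for the unknown, no-root-directory and RAM-disk drive types, leaving removable, fixed, network and CD-ROM drives enabled (0xFF covers every type), that bit 0x100 lies outside the documented 8-bit mask, and that both System Restore policy keys queried came back as missing. Registry paths are matched literally: a path written without the space in `Windows NT` is looked up as a different key, so a "key not found" result can mean a typo in the query rather than an absent policy.

```python
"""Summarise the ':reg' section of a SystemLook log: which System Restore
policy keys exist, and what the Explorer NoDriveTypeAutoRun mask disables.
Added example for this thread; not part of SystemLook or the posts."""
import re
from typing import Dict, List, Optional

# Documented NoDriveTypeAutoRun bits; each maps to one Win32 drive type.
AUTORUN_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",
}
DISABLE_ALL = 0xFF  # every documented drive type

# Constructed sample: the ':reg' block from the log posted above.
SAMPLE_LOG = """========== reg ==========

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore]
(Unable to open key - key not found)

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsNT\\CurrentVersion\\SystemRestore]
(Unable to open key - key not found)

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDriveTypeAutoRun"= 0x0000000143 (323)
"NoDriveAutoRun"= 0x0003ffffff (67108863)
"NoDrives"= 0x0000000000 (0)

-= EOF =-
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*0x([0-9A-Fa-f]+)\s*\((\d+)\)$')
MISSING = "(Unable to open key - key not found)"


def parse_reg_section(text: str) -> Dict[str, Optional[Dict[str, int]]]:
    """Map each queried key path to its DWORD values, or to None if SystemLook
    reported the key as not found. Other lines (banner, EOF) are ignored."""
    keys: Dict[str, Optional[Dict[str, int]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None:
            continue
        if line == MISSING:
            keys[current] = None
            continue
        values = keys[current]
        m = VALUE_RE.match(line)
        if m and values is not None:
            name, hexval, decval = m.groups()
            value = int(hexval, 16)
            # SystemLook prints hex and decimal; a mismatch means a mangled line.
            if value != int(decval):
                raise ValueError(f"hex/decimal mismatch: {line}")
            values[name] = value
    return keys


def decode_autorun(mask: int) -> Dict[str, List[str]]:
    """Split a NoDriveTypeAutoRun mask into drive types with AutoRun disabled,
    drive types still enabled, and any set bits above the documented low byte."""
    disabled = [name for bit, name in AUTORUN_BITS.items() if mask & bit]
    enabled = [name for bit, name in AUTORUN_BITS.items() if not mask & bit]
    undocumented = [hex(1 << i) for i in range(8, mask.bit_length()) if mask & (1 << i)]
    return {"disabled": disabled, "enabled": enabled, "undocumented": undocumented}


def assess(text: str) -> Dict[str, object]:
    """Answer the two questions the thread is asking of this log."""
    keys = parse_reg_section(text)
    sr_policy_present = any(
        path.lower().endswith("systemrestore") and vals is not None
        for path, vals in keys.items()
    )
    explorer = next(
        (v for p, v in keys.items() if p.lower().endswith("policies\\explorer")), None
    ) or {}
    mask = explorer.get("NoDriveTypeAutoRun", 0)
    return {
        "system_restore_policy_present": sr_policy_present,
        "autorun": decode_autorun(mask),
        "autorun_fully_disabled": (mask & DISABLE_ALL) == DISABLE_ALL,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_LOG), indent=2))
```

Point `assess()` at the text of any SystemLook.txt whose `:reg` query used the same three keys; if `NoDriveTypeAutoRun` is absent from the Explorer policy key the mask is treated as 0 (nothing disabled), which is the conservative reading for a defender.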