Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan blocking internet access


  • This topic is locked This topic is locked
18 replies to this topic

#1 helpplease224

helpplease224

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 08 December 2011 - 02:51 PM

Hi, can someone help with a trojan that originally began with mass popups warning that my security has been breached? It disabled my avast. I have a Thinkpad R61 and I'm running Microsoft XP. I first ran Malwarebytes and Spybot, and Malwarebytes came up with a trojan.dropper in my local settings temp file and infected registry data items in Microsoft\Security Center\AntiVirusDisableNotifty , FirewallDisableNotify, and UpdatesDisableNotify. But after I quarantined and deleted the items, my internet stopped working altogether and I'm still warned of a disabled firewall and avast is still down. What should I do next? H

ere's my Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:10:37 PM, on 12/2/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17103)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\InterVideo\WinDVD\WinDVD.exe
C:\Documents and Settings\lisa moon\Desktop\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\lisa moon\Desktop\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: (no name) - {90222687-F593-4738-B738-FBEE9C7B26DF} - (no file)
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R280 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE /FU "C:\WINDOWS\TEMP\E_SCD7.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\lisa moon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: sndvol32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - https://essentialsandextras.verizon.com/whatsnext/mainweb_js/vzTCPConfig.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 13115 bytes

BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,155 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:33 AM

Posted 08 December 2011 - 08:20 PM

Do you have access to another computer and a USB where you can download the programs and transfer to the infected PC?

If so please download and run the following programs on the infected PC


Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


NEXT


Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#3 helpplease224

helpplease224
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 11 December 2011 - 06:37 PM

Thanks so much for your response. I've attached the DDS reports.

Attached Files



#4 helpplease224

helpplease224
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 11 December 2011 - 06:50 PM

Here is the aswMBR log:
aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-11 18:39:22
-----------------------------
18:39:22.625 OS Version: Windows 5.1.2600 Service Pack 3
18:39:22.625 Number of processors: 2 586 0x1706
18:39:22.625 ComputerName: LISAMOON UserName:
18:39:23.890 Initialize success
18:39:24.687 AVAST engine defs: 11112802
18:39:30.218 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:39:30.218 Disk 0 Vendor: HITACHI_HTS722016K9SA00 DCDZC75A Size: 152627MB BusType: 3
18:39:32.234 Disk 0 MBR read successfully
18:39:32.234 Disk 0 MBR scan
18:39:32.234 Disk 0 unknown MBR code
18:39:32.250 Disk 0 scanning sectors +312575760
18:39:32.328 Disk 0 scanning C:\WINDOWS\system32\drivers
18:39:48.234 Service scanning
18:39:48.593 Service .afd \* **LOCKED** 123
18:39:49.421 Modules scanning
18:39:58.484 Disk 0 trace - called modules:
18:39:58.531 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
18:39:58.531 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a8a7ab8]
18:39:59.078 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000008b[0x8a86f1c0]
18:39:59.078 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a8a6940]
18:39:59.843 AVAST engine scan C:\WINDOWS
18:40:04.734 AVAST engine scan C:\WINDOWS\system32
18:41:28.343 AVAST engine scan C:\WINDOWS\system32\drivers
18:41:38.515 AVAST engine scan C:\Documents and Settings\lisa moon
18:47:38.609 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\lisa moon\Desktop\MBR.dat"
18:47:38.640 The log file has been saved successfully to "C:\Documents and Settings\lisa moon\Desktop\aswMBR.txt"

And the FSS log:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-11 18:39:22
-----------------------------
18:39:22.625 OS Version: Windows 5.1.2600 Service Pack 3
18:39:22.625 Number of processors: 2 586 0x1706
18:39:22.625 ComputerName: LISAMOON UserName:
18:39:23.890 Initialize success
18:39:24.687 AVAST engine defs: 11112802
18:39:30.218 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:39:30.218 Disk 0 Vendor: HITACHI_HTS722016K9SA00 DCDZC75A Size: 152627MB BusType: 3
18:39:32.234 Disk 0 MBR read successfully
18:39:32.234 Disk 0 MBR scan
18:39:32.234 Disk 0 unknown MBR code
18:39:32.250 Disk 0 scanning sectors +312575760
18:39:32.328 Disk 0 scanning C:\WINDOWS\system32\drivers
18:39:48.234 Service scanning
18:39:48.593 Service .afd \* **LOCKED** 123
18:39:49.421 Modules scanning
18:39:58.484 Disk 0 trace - called modules:
18:39:58.531 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
18:39:58.531 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a8a7ab8]
18:39:59.078 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000008b[0x8a86f1c0]
18:39:59.078 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a8a6940]
18:39:59.843 AVAST engine scan C:\WINDOWS
18:40:04.734 AVAST engine scan C:\WINDOWS\system32
18:41:28.343 AVAST engine scan C:\WINDOWS\system32\drivers
18:41:38.515 AVAST engine scan C:\Documents and Settings\lisa moon
18:47:38.609 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\lisa moon\Desktop\MBR.dat"
18:47:38.640 The log file has been saved successfully to "C:\Documents and Settings\lisa moon\Desktop\aswMBR.txt"

#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,155 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:33 AM

Posted 11 December 2011 - 06:58 PM

Hi,

the aswMBR log has been duplicated, if you could please run Farbars System Scanner again and post that log, thanks

(sorry to ask you to run so many logs, but the more diagnosis I can get, the easier to pin point the problem)

Already I see that afd.sys is an issue

If you could also fun Farbar's System Scanner to look for alternate files if we need to replace it

In addition to running the normal log, please do this as well: (note: please rename the first log FSS1.txt before running the next scan or this next scan will overwrite the first, thanks)


Please run Farbar Service Scanner.

Type the following in the edit box after "Search:".

afd.sys

Click Search Files button and post the log (FSS.txt) it makes to your reply.
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#6 helpplease224

helpplease224
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 13 December 2011 - 09:19 AM

Sorry about that. The aswMBR report was incomplete, too; I saved the log file too early. Here it is:


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-11 18:52:26
-----------------------------
18:52:26.265 OS Version: Windows 5.1.2600 Service Pack 3
18:52:26.265 Number of processors: 2 586 0x1706
18:52:26.265 ComputerName: LISAMOON UserName:
18:52:26.953 Initialize success
18:52:27.078 AVAST engine defs: 11112802
18:52:31.593 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:52:31.593 Disk 0 Vendor: HITACHI_HTS722016K9SA00 DCDZC75A Size: 152627MB BusType: 3
18:52:33.625 Disk 0 MBR read successfully
18:52:33.625 Disk 0 MBR scan
18:52:33.625 Disk 0 unknown MBR code
18:52:33.640 Disk 0 scanning sectors +312575760
18:52:33.734 Disk 0 scanning C:\WINDOWS\system32\drivers
18:52:51.250 Service scanning
18:52:51.546 Service .afd \* **LOCKED** 123
18:52:52.375 Modules scanning
18:53:09.109 Disk 0 trace - called modules:
18:53:09.140 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
18:53:09.140 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a8a7ab8]
18:53:09.156 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000008b[0x8a86f1c0]
18:53:09.156 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a8a6940]
18:53:09.906 AVAST engine scan C:\WINDOWS
18:53:22.000 AVAST engine scan C:\WINDOWS\system32
18:55:25.671 AVAST engine scan C:\WINDOWS\system32\drivers
18:55:57.859 AVAST engine scan C:\Documents and Settings\lisa moon
19:05:36.046 AVAST engine scan C:\Documents and Settings\All Users
19:06:13.937 Scan finished successfully
22:54:11.234 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\lisa moon\Desktop\MBR.dat"
22:54:11.250 The log file has been saved successfully to "C:\Documents and Settings\lisa moon\Desktop\aswMBR.txt"

And the FSS report:

Farbar Service Scanner
Ran by lisa moon (administrator) on 11-12-2011 at 18:41:52
Microsoft Windows XP Professional Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.


File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

**** End of log ****

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,155 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:33 AM

Posted 13 December 2011 - 09:45 AM

Hi

Please do the following:

Go to Start > Run > copy and paste the following command into the run box > OK:

regedit /e "%userprofile%\desktop\output.txt" "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD"


A new file called output.txt should appear on your Desktop, please post the contents with your next response.


do the same for the AFD Legacy key as well


Go to Start > Run > copy and paste the following command into the run box > OK:

regedit /e "%userprofile%\desktop\output2.txt" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD"


A new file called output2.txt should appear on your Desktop, please post the contents with your next response.

thanks
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#8 helpplease224

helpplease224
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 13 December 2011 - 05:49 PM

With the first command, nothing happens, no file appears on my desktop.

Here is the content of output2.txt:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000]
"Service"="AFD"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="AFD"
"Capabilities"=dword:00000000
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\\0002"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000\LogConf]

#9 helpplease224

helpplease224
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 13 December 2011 - 05:56 PM

Also, I forgot to run FSS and search afd.sys so here are the results of that search:

================== Search: afd.sys ===================

C:\WINDOWS\system32\drivers\afd.sys
[2010-02-02 15:44] - [2011-08-17 08:49] - 0138496 ____A (Microsoft Corporation) 1E44BC1E83D8FD2305F8D452DB109CF9

C:\WINDOWS\system32\dllcache\afd.sys
[2008-06-20 06:40] - [2011-08-17 08:49] - 0138496 ____A (Microsoft Corporation) 1E44BC1E83D8FD2305F8D452DB109CF9

C:\WINDOWS\SoftwareDistribution\Download\a94a6432dbac6901fc5bf15157f718f8\SP3QFE\afd.sys
[2010-04-18 19:30] - [2008-08-14 05:34] - 0138496 ___AC (Microsoft Corporation) 4D43E74F2A1239D53929B82600F1971C

C:\WINDOWS\SoftwareDistribution\Download\a94a6432dbac6901fc5bf15157f718f8\SP3GDR\afd.sys
[2010-04-18 19:30] - [2008-08-14 05:04] - 0138496 ___AC (Microsoft Corporation) 7E775010EF291DA96AD17CA4B17137D7

C:\WINDOWS\SoftwareDistribution\Download\a94a6432dbac6901fc5bf15157f718f8\SP2QFE\afd.sys
[2010-04-18 19:30] - [2008-08-14 04:48] - 0138368 ___AC (Microsoft Corporation) 6A0397376853E604DE8E1E7A87FC08AC

C:\WINDOWS\SoftwareDistribution\Download\a94a6432dbac6901fc5bf15157f718f8\SP2GDR\afd.sys
[2010-04-18 19:30] - [2008-08-14 04:51] - 0138368 ___AC (Microsoft Corporation) 55E6E1C51B6D30E54335750955453702

C:\WINDOWS\ServicePackFiles\i386\afd.sys
[2008-04-13 14:19] - [2008-04-13 14:19] - 0138112 ____C (Microsoft Corporation) 322D0E36693D6E24A2398BEE62A268CD

C:\WINDOWS\$NtUninstallKB956803_0$\afd.sys
[2010-02-01 01:34] - [2008-06-20 05:44] - 0138368 ____C (Microsoft Corporation) D99DDFFB33DEACDCF20717CB520379F6

C:\WINDOWS\$NtUninstallKB956803$\afd.sys
[2010-05-02 00:59] - [2008-06-20 06:40] - 0138496 ____C (Microsoft Corporation) E3049B90FE06F3F740B7CFDA44995E2C

C:\WINDOWS\$NtUninstallKB951748_0$\afd.sys
[2010-02-01 01:17] - [2004-08-04 07:00] - 0138496 ____C (Microsoft Corporation) 5AC495F4CB807B2B98AD2AD591E6D92E

C:\WINDOWS\$NtUninstallKB951748$\afd.sys
[2010-05-02 00:57] - [2008-04-13 14:19] - 0138112 ____C (Microsoft Corporation) 322D0E36693D6E24A2398BEE62A268CD

C:\WINDOWS\$NtUninstallKB2592799$\afd.sys
[2011-10-14 07:25] - [2011-02-16 08:22] - 0138496 ____C (Microsoft Corporation) 355556D9E580915118CD7EF736653A89

C:\WINDOWS\$NtUninstallKB2509553$\afd.sys
[2011-04-15 16:57] - [2008-08-14 05:04] - 0138496 ____C (Microsoft Corporation) 7E775010EF291DA96AD17CA4B17137D7

C:\WINDOWS\$NtUninstallKB2503665$\afd.sys
[2011-06-17 03:03] - [2008-10-16 09:43] - 0138496 ____C (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37

C:\WINDOWS\$NtServicePackUninstall$\afd.sys
[2010-05-02 00:39] - [2008-08-14 04:48] - 0138368 ____C (Microsoft Corporation) 6A0397376853E604DE8E1E7A87FC08AC

C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys
[2010-02-01 00:26] - [2008-08-14 05:34] - 0138496 ___AC (Microsoft Corporation) 4D43E74F2A1239D53929B82600F1971C

C:\WINDOWS\$hf_mig$\KB956803\SP3GDR\afd.sys
[2010-02-01 00:26] - [2008-08-14 05:04] - 0138496 ___AC (Microsoft Corporation) 7E775010EF291DA96AD17CA4B17137D7

C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
[2008-06-20 06:48] - [2008-06-20 06:48] - 0138496 ___AC (Microsoft Corporation) D6EE6014241D034E63C49A50CB2B442A

C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys
[2008-06-20 06:40] - [2008-06-20 06:40] - 0138496 ___AC (Microsoft Corporation) E3049B90FE06F3F740B7CFDA44995E2C

C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys
[2011-10-13 17:25] - [2011-08-17 08:41] - 0138496 ____A (Microsoft Corporation) F6B7B1ECD7B41736BDB6FF4B092BCB79

C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys
[2008-10-16 10:07] - [2008-10-16 10:07] - 0138496 ___AC (Microsoft Corporation) 38D7B715504DA4741DF35E3594FE2099

C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys
[2011-06-16 17:04] - [2011-02-16 08:25] - 0138496 ___AC (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4

====== End Of Search ======

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,155 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:33 AM

Posted 13 December 2011 - 05:59 PM

I expect then that the whole key has been deleted by malware

let's make sure you have the afd.sys file in place properly before I replace the registry key


Please run farbar's system scanner again:


Type the following in the edit box after "Search:".

afd.sys

Click Search Files button and post the log (FSS.txt) it makes to your reply.
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,155 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:33 AM

Posted 13 December 2011 - 06:00 PM

just saw your post above, give me a minute to check the log

thanks
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,155 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:33 AM

Posted 13 December 2011 - 06:05 PM

Hi,

The file appears to be properly in place, so let's recreate that registry key

Please do the following:



Click WinKey + R to open a run box > type notepad into the open run box > OK > this will open Notepad

Click Format and make certain that Word Wrap is NOT checked.

Copy/Paste the text inside of the code box into the open Notepad




Registry Fix edited as it was designed specifically for this user


Now go to File > and click Save As,
From the drop down menu at the top of the box choose Desktop as the location to save this file.
Go down to the File Name box and type in fixme.reg as the file name, then choose All Files as the save as file type.
Then click the save button.

Once you have clicked the save button, close Notepad.

You should now see a file on your desktop that looks like this:

Posted Image

Locate the fixme.reg icon on your desktop and double click it, an information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Once the file has run, the information will have merged with your registry so you can delete fixme.reg from your desktop as you won't be needing it any more.


Let me know how that goes

Edited by CatByte, 25 December 2011 - 03:33 PM.

The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#13 helpplease224

helpplease224
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 14 December 2011 - 06:48 PM

It worked! My internet's back up. Thank you so much!

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,155 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:33 AM

Posted 14 December 2011 - 06:58 PM

Awesome, :)

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#15 helpplease224

helpplease224
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 18 December 2011 - 03:05 PM

Hi, I've attached the ComboFix.txt. Thank you!

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users