
Infected driver problem


41 replies to this topic

#1 _Adi

Posted 04 March 2012 - 01:51 PM

Hi,

Summary thus far:

I have a WinXP machine, a Lenovo T500 laptop, which started behaving strangely. A virus scan (Avast) found some infected files and a rootkit and quarantined a bunch (8) of .sys files:
- afd.sys,
- cdrom.sys,
- redbook.sys,
- serial.sys,
- ipsec.sys,
- netbt.sys,
- i8042prt.sys
- mrxsmb.sys

Once rebooted, there is no keyboard and TrackPoint since i8042prt.sys is gone, there is no CDROM (cdrom.sys), and no Internet connection (ipsec.sys).
I tried restoring the missing files with the following methods (as suggested in various posts here and elsewhere): copy from another machine, use regsvr32 to register them (fails), expand from xp cd install dir, use sfc. None of these methods made any difference.

Not knowing the forum rules, I also ran various additional cleanup tools including ComboFix and TDSSKiller, but to no avail.

Along the way I occasionally get the dreaded bluescreen of death.

Additionally, the Access Connections service AcSvc.exe and its child SvcGuiHlpr.exe processes immediately begin consuming 50% CPU each, choking my PC. I can only resume work by suspending them using Process Explorer.
I have disabled the AcSvc service to allow things to run without interference.

Preparation Guide:

DDS ran without trouble. Log below and Attached.txt attached.
After running for over 1 hour (file scanning phase) GMER produced an error dialog saying that drive C: cannot be found (I couldn't save it), then similarly another app did not see C:. There was some mention of /$Directory but I can't recall exactly what.
I attach the GMER log (ark.txt) up to the file scanning phase, which while it ran did not add anything to this list.

******** DDS Log ********:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by adish at 16:12:55 on 2012-03-04
Microsoft Windows XP Professional 5.1.2600.3.1255.1.1033.18.2026.1430 [GMT 2:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\D4\D4.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\MMTaskbar\MultiMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.poony.info/
uInternet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {54B02808-B60E-44CD-A72D-9865117E4E62} - No File
BHO: AGFormHelperObj Class: {6620e618-1ab9-4eb2-aca4-cbbe9066dbe6} - c:\program files\agat\agform\AGFormsHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - c:\program files\microsoft visual studio 10.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
TB: AGForms Toolbar: {8fe28f46-37ad-47b2-8258-34c128636ace} - mscoree.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
uRun: [VirtualDiskAutomount] rundll32 "c:\program files\totalcmd\plugins\wfx\virtualdisk\VirtualDisk.wfx",MountAfterReboot
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [Dimension4] c:\program files\d4\D4.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\adish\startm~1\programs\startup\passwo~1.lnk - c:\program files\password safe\pwsafe.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\colorv~1.lnk - c:\program files\colorvision\colorvisionstartup\ColorVisionStartup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multim~1.lnk - c:\program files\mmtaskbar\MultiMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3EA00DAB-812E-4894-A7D2-E9B0F80E94AE} - hxxps://join.bankhapoalim.co.il/reg/pk/cabs/arpkcom.cab
DPF: {43E3F87D-DE7F-4087-BD4F-0DC854981158} - hxxp://download.microsoft.com/download/7/3/8/7384c441-3721-41ee-ae15-b678888f00dd/clearadj.CAB
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {9F1C0B35-8230-4176-8B99-5C2485121A4E} - hxxp://192.168.1.12/program/SNCActiveXViewer.cab
DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.1.15/activex/AMC.cab
TCP: DhcpNameServer = 192.168.1.1 194.90.1.5 212.143.212.143
TCP: Interfaces\{3DBAB46B-0F9E-470B-8C19-ABF7710F7031} : DhcpNameServer = 192.168.1.1 194.90.1.5 212.143.212.143
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
IFEO: taskmgr.exe - "c:\public\download\processexplorer\PROCEXP.EXE"
.
============= SERVICES / DRIVERS ===============
.
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-5-15 19496]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-3-2 610648]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-3 337112]
R1 hwinterface32B01;hwinterface32B01;c:\windows\system32\drivers\hwinterface32B01.sys [2010-5-2 4930]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-9 46144]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [2010-11-22 16640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-3 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-3 44768]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-12-8 94208]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-12-8 2058776]
R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\5U875.sys [2009-12-8 72448]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-12-8 475136]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-12-8 239760]
R3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-23 37312]
R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [2010-5-16 27904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2008-5-10 1160440]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [2010-5-16 53888]
S3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2008-5-10 102400]
S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-4 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-4 136176]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\adish\locals~1\temp\mfe_rr.sys --> c:\docume~1\adish\locals~1\temp\mfe_rr.sys [?]
S3 MODRC;DiBcom Infrared Receiver;c:\windows\system32\drivers\modrc.sys [2007-7-11 13824]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 PGRCAM;PGRCAM;c:\windows\system32\drivers\pgrcam.sys [2010-7-15 29440]
S3 PGRUSBCam;PGR USB Camera;c:\windows\system32\drivers\PGRUSBCam.sys [2009-12-15 18944]
S3 PORTMON;PORTMON;\??\c:\public\download\portmon\portmsys.sys --> c:\public\download\portmon\PORTMSYS.SYS [?]
S3 PROCEXP150;PROCEXP150;\??\c:\windows\system32\drivers\procexp150.sys --> c:\windows\system32\drivers\PROCEXP150.SYS [?]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-25 1120752]
S3 Spyder2;ColorVision Spyder2;c:\windows\system32\drivers\Spyder2.sys [2009-3-11 12288]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux);c:\windows\system32\drivers\tap0801co.sys [2011-3-14 25856]
S3 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-5-15 520192]
S3 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-9 253952]
S3 USA19H;USA19H;c:\windows\system32\drivers\usa19h2k.sys --> c:\windows\system32\drivers\USA19H2k.sys [?]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\usa19h2kp.sys --> c:\windows\system32\drivers\USA19H2kp.SYS [?]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2010-12-1 111152]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\microsoft visual studio 10.0\team tools\performance tools\VSPerfDrv100.sys [2011-1-18 54144]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\microsoft visual studio 9.0\team tools\performance tools\VSPerfDrv90.sys [2007-9-4 55664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 SessionLauncher;SessionLauncher;c:\docume~1\admini~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\admini~1\locals~1\temp\dx9\SessionLauncher.exe [?]
.
=============== Created Last 30 ================
.
2012-03-04 11:25:03 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2012-03-04 11:25:03 23040 ----a-w- c:\windows\system32\dllcache\OLDDBD.tmp
2012-03-04 11:25:03 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2012-03-04 11:25:03 116224 ----a-w- c:\windows\system32\dllcache\OLDDC1.tmp
2012-03-04 11:25:00 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2012-03-04 11:25:00 27648 ----a-w- c:\windows\system32\dllcache\OLDDB5.tmp
2012-03-04 11:25:00 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2012-03-04 11:25:00 18944 ----a-w- c:\windows\system32\dllcache\OLDDB9.tmp
2012-03-04 11:23:59 41600 ----a-w- c:\windows\system32\dllcache\weitekp9.dll
2012-03-04 11:22:59 794654 ----a-w- c:\windows\system32\dllcache\usr1801.sys
2012-03-04 11:21:59 82944 ----a-w- c:\windows\system32\dllcache\tp4mon.exe
2012-03-04 11:20:59 155648 ----a-w- c:\windows\system32\dllcache\stlnprop.dll
2012-03-04 11:19:58 6912 ----a-w- c:\windows\system32\dllcache\smbclass.sys
2012-03-04 11:18:59 6912 ----a-w- c:\windows\system32\dllcache\seaddsmc.sys
2012-03-04 11:17:57 9216 ----a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2012-03-04 11:16:58 79360 ----a-w- c:\windows\system32\dllcache\OLD9D3.tmp
2012-03-04 11:15:58 43689 ----a-w- c:\windows\system32\dllcache\otceth5.sys
2012-03-04 11:14:59 35392 ----a-w- c:\windows\system32\dllcache\OLD8E1.tmp
2012-03-04 11:13:59 235648 ----a-w- c:\windows\system32\dllcache\OLD880.tmp
2012-03-04 11:12:58 8704 ----a-w- c:\windows\system32\dllcache\OLD7CE.tmp
2012-03-04 11:11:51 372824 ----a-w- c:\windows\system32\dllcache\OLD705.tmp
2012-03-04 11:10:58 9759 ----a-w- c:\windows\system32\dllcache\OLD68E.tmp
2012-03-04 11:09:59 470144 ----a-w- c:\windows\system32\dllcache\OLD5FA.tmp
2012-03-04 11:08:59 53248 ----a-w- c:\windows\system32\dllcache\OLD4FA.tmp
2012-03-04 11:07:59 229462 ----a-w- c:\windows\system32\dllcache\OLD429.tmp
2012-03-04 11:06:59 22044 ----a-w- c:\windows\system32\dllcache\OLD306.tmp
2012-03-04 11:05:58 96128 ----a-w- c:\windows\system32\dllcache\OLD12F.tmp
2012-03-04 11:04:59 102509 ----a-w- c:\windows\system32\dllcache\OLD2F.tmp
2012-03-04 09:24:53 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-03-04 09:24:53 138496 ----a-w- c:\windows\system32\dllcache\afd.sys
2012-03-04 09:22:16 -------- d-----w- C:\ComboFix
2012-03-04 09:11:12 98816 ----a-w- c:\windows\sed.exe
2012-03-04 09:11:12 518144 ----a-w- c:\windows\SWREG.exe
2012-03-04 09:11:12 256000 ----a-w- c:\windows\PEV.exe
2012-03-04 09:11:12 208896 ----a-w- c:\windows\MBR.exe
2012-03-04 07:50:20 -------- d-----w- c:\documents and settings\adish\application data\DriverCure
2012-03-04 07:50:19 -------- d-----w- c:\documents and settings\adish\application data\SpeedyPC Software
2012-03-04 07:50:13 -------- d-----w- c:\documents and settings\all users\application data\SpeedyPC Software
2012-03-03 21:39:18 -------- d-----w- c:\program files\DLLSuite
2012-03-02 21:03:54 610648 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-02 20:52:18 -------- d-----w- c:\documents and settings\adish\application data\Yjpaqi
2012-03-02 20:52:18 -------- d-----w- c:\documents and settings\adish\application data\Tuuj
2012-03-02 20:52:16 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-16 02:28:05 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-16 02:28:05 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-02-14 20:01:38 -------- d-----w- c:\documents and settings\adish\application data\Govert's Tools
2012-02-12 09:05:18 -------- d-----w- c:\documents and settings\adish\local settings\application data\Macroplant
.
==================== Find3M ====================
.
2012-02-23 16:23:26 41184 ----a-w- c:\windows\avastSS.scr
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ----a-w- c:\windows\system32\html.iec
2011-12-10 13:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 16:14:54.42 ===============

Attached Files




#2 sempai

  • Malware Response Team

Posted 06 March 2012 - 10:34 AM

Hello _Adi and welcome to BC.


You should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for general public or personal use. Combofix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.


=================================


:step1: Please post the resulting log of Combofix when you run it, the log is located at C:\Combofix.txt.


:step2: Download OTL to your Desktop.
  • Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Copy and Paste the following code into the Custom Scan/Fixes box.

    %systemroot%\*. /rp /s
    netsvcs
    CREATERESTOREPOINT
    /md5start
    afd.sys,
    cdrom.sys,
    redbook.sys,
    serial.sys,
    ipsec.sys,
    netbt.sys,
    i8042prt.sys
    mrxsmb.sys
    /md5stop
    
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them when you reply.

~Semp

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
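The OTL custom scan above lists MD5 hashes of the eight drivers that Avast quarantined in post #1 so that the helper can compare them against known-good builds. The following script is an added example, not part of this thread and not OTL's own code: it hashes each listed driver in the live drivers directory and compares it with the copy Windows keeps in system32\dllcache, reporting drivers that are missing (quarantined), that differ from the cache copy (patched in place), or that have no reference copy at all. The directory paths and the driver bytes in demo() are constructed for the demonstration; on a real XP box the two directories would be C:\WINDOWS\system32\drivers and C:\WINDOWS\system32\dllcache.

```python
"""Added example (not from the thread or from OTL): hash the drivers the
OTL /md5start..md5stop block lists and compare each against the copy in
system32\\dllcache. Paths and the sample driver bytes are constructed."""
import hashlib
import tempfile
from pathlib import Path

# The driver names from the OTL custom-scan block in post #2.
DRIVERS = ["afd.sys", "cdrom.sys", "redbook.sys", "serial.sys",
           "ipsec.sys", "netbt.sys", "i8042prt.sys", "mrxsmb.sys"]


def md5_file(path):
    """MD5 (the digest OTL's /md5start emits) of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(drivers_dir, cache_dir, names=DRIVERS):
    """Return {name: status}, status being one of
    'ok', 'mismatch', 'missing' or 'no-reference'."""
    drivers_dir, cache_dir = Path(drivers_dir), Path(cache_dir)
    report = {}
    for name in names:
        live = drivers_dir / name
        ref = cache_dir / name
        if not live.exists():
            report[name] = "missing"        # quarantined or deleted driver
        elif not ref.exists():
            report[name] = "no-reference"   # nothing to compare against
        elif md5_file(live) == md5_file(ref):
            report[name] = "ok"
        else:
            report[name] = "mismatch"       # live file differs from cache copy
    return report


def demo():
    """Build a constructed system32 layout in a temp dir and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp) / "drivers"
        cache = Path(tmp) / "dllcache"
        drivers.mkdir()
        cache.mkdir()
        good = b"MZ" + b"\x00" * 64 + b"constructed clean driver body"
        # afd.sys restored correctly: live and cache copies identical
        (drivers / "afd.sys").write_bytes(good)
        (cache / "afd.sys").write_bytes(good)
        # cdrom.sys patched in place: differs from the cache copy
        (drivers / "cdrom.sys").write_bytes(good + b"\x90\x90")
        (cache / "cdrom.sys").write_bytes(good)
        # i8042prt.sys quarantined: only the cache copy survives
        (cache / "i8042prt.sys").write_bytes(good)
        # serial.sys present but with no reference copy to check against
        (drivers / "serial.sys").write_bytes(good)
        return compare_drivers(drivers, cache)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14s} {status}")
```

Two caveats a practitioner would apply: an "ok" result only proves the two copies agree with each other, so if the infection patched both the live file and the dllcache copy (or a rootkit is filtering file reads, as the GMER failure in post #1 hints at), the check passes anyway; compare against ServicePackFiles\i386, the XP CD, or hashes from a clean machine of the same service pack before trusting a match. And a "mismatch" is not by itself proof of infection: a hotfix can legitimately update the live driver (the ComboFix log later shows afd.sys dated 2011-08-17, a post-SP3 update) without touching dllcache.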


#3 _Adi


Posted 06 March 2012 - 04:29 PM

Hi Semp,

Yes, I know about independent running of ComboFix. Sorry, I had not seen the instructions before I tried it.
Anyway, as per your instructions:

ComboFix.txt:


ComboFix 12-03-03.02 - adish 06/03/2012 21:13:09.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1255.1.1033.18.2026.1537 [GMT 2:00]
Running from: c:\documents and settings\adish\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB63038$
c:\windows\$NtUninstallKB63038$\238444639
.
.
((((((((((((((((((((((((( Files Created from 2012-02-06 to 2012-03-06 )))))))))))))))))))))))))))))))
.
.
2012-03-04 15:05 . 2012-03-04 15:05 52360 ---ha-w- c:\windows\system32\drivers\PROCMON20.SYS
2012-03-04 11:06 . 2001-08-17 10:13 22044 ----a-w- c:\windows\system32\dllcache\cem33n5.sys
2012-03-04 11:05 . 2001-08-17 12:55 96128 ----a-w- c:\windows\system32\dllcache\ati.dll
2012-03-04 11:04 . 2008-04-14 00:11 46592 ----a-w- c:\windows\system32\dllcache\coadmin.dll
2012-03-04 11:04 . 2008-04-14 00:12 188480 ----a-w- c:\windows\system32\dllcache\cfgwiz.exe
2012-03-04 11:04 . 2008-04-14 00:12 16439 ----a-w- c:\windows\system32\dllcache\author.exe
2012-03-04 11:04 . 2008-04-14 00:11 20540 ----a-w- c:\windows\system32\dllcache\author.dll
2012-03-04 11:04 . 2008-04-14 00:11 43520 ----a-w- c:\windows\system32\dllcache\admwprox.dll
2012-03-04 11:04 . 2008-04-14 00:11 290816 ----a-w- c:\windows\system32\dllcache\adsiis51.dll
2012-03-04 11:04 . 2008-04-14 00:12 16439 ----a-w- c:\windows\system32\dllcache\admin.exe
2012-03-04 11:04 . 2008-04-14 00:11 20540 ----a-w- c:\windows\system32\dllcache\admin.dll
2012-03-04 09:24 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-03-04 09:24 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\dllcache\afd.sys
2012-03-04 07:50 . 2012-03-04 07:50 -------- d-----w- c:\documents and settings\adish\Application Data\DriverCure
2012-03-04 07:50 . 2012-03-04 07:50 -------- d-----w- c:\documents and settings\adish\Application Data\SpeedyPC Software
2012-03-04 07:50 . 2012-03-04 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedyPC Software
2012-03-03 21:39 . 2012-03-03 21:39 -------- d-----w- c:\program files\DLLSuite
2012-03-03 18:20 . 2008-04-13 22:45 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-03-03 18:20 . 2008-04-13 22:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-03 18:20 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-03 18:20 . 2011-07-15 13:29 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-03-03 18:20 . 2008-04-13 22:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-03 18:20 . 2008-04-13 22:10 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys
2012-03-03 18:20 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-03-03 18:20 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-03-02 21:03 . 2012-02-23 16:12 610648 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-02 20:52 . 2012-03-03 18:59 -------- d-----w- c:\documents and settings\adish\Application Data\Yjpaqi
2012-03-02 20:52 . 2012-03-02 21:10 -------- d-----w- c:\documents and settings\adish\Application Data\Tuuj
2012-03-02 20:52 . 2012-03-02 20:52 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-16 02:28 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-14 20:01 . 2012-02-14 20:03 -------- d-----w- c:\documents and settings\adish\Application Data\Govert's Tools
2012-02-12 09:05 . 2012-02-12 09:05 -------- d-----w- c:\documents and settings\adish\Local Settings\Application Data\Macroplant
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-23 16:23 . 2010-11-03 21:08 41184 ----a-w- c:\windows\avastSS.scr
2012-02-23 16:23 . 2010-11-03 21:08 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-02-23 16:12 . 2010-11-03 21:08 337112 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-02-23 16:10 . 2010-11-03 21:08 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-02-23 16:10 . 2010-11-03 21:08 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-02-23 16:10 . 2010-11-03 21:08 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-02-23 16:10 . 2010-11-03 21:08 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-02-23 16:10 . 2010-11-03 21:08 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-02-23 16:07 . 2010-11-03 21:08 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-01-25 01:03 . 2010-04-14 15:29 918240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2012-01-12 16:53 . 2006-04-30 06:55 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2006-04-30 06:56 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2006-04-30 06:55 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2006-04-30 06:55 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2006-04-30 06:55 385024 ----a-w- c:\windows\system32\html.iec
2011-12-10 13:24 . 2011-08-03 14:14 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8fe28f46-37ad-47b2-8258-34c128636ace}"= "mscoree.dll" [2010-03-18 297808]
.
[HKEY_CLASSES_ROOT\clsid\{8fe28f46-37ad-47b2-8258-34c128636ace}]
[HKEY_CLASSES_ROOT\Agat.AGForms.Toolbar.AGFormsToolbar]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-02-23 16:23 123536 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\adish\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\adish\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\adish\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\adish\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirtualDiskAutomount"="c:\program files\totalcmd\plugins\wfx\VirtualDisk\VirtualDisk.wfx" [2009-08-24 139264]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-21 718720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2010-04-22 128296]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-22 1725736]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-05-29 367128]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-06-08 60192]
"TpShocks"="TpShocks.exe" [2008-06-07 181536]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-06-15 311296]
"Dimension4"="c:\program files\D4\D4.exe" [2004-02-03 200704]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-05 59240]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-20 519584]
.
c:\documents and settings\adish\Start Menu\Programs\Startup\
Password Safe.lnk - c:\program files\Password Safe\pwsafe.exe [2011-3-17 3545600]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ColorVisionStartup.lnk - c:\program files\ColorVision\ColorVisionStartup\ColorVisionStartup.exe [2009-3-12 385024]
MultiMon Taskbar.lnk - c:\program files\MMTaskbar\MultiMon.exe [2011-9-21 294912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-12-13 113664]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2008-3-28 596584]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-12-8 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 07:02 34080 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\users\\adish\\Consulting\\2011\\1010-TvTak\\CodeAndDocs\\src\\Tree\\tvtak-sources\\Source\\Pc\\TvTakCuesMaker\\Release\\TvTakCuesMaker.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\users\\adish\\Consulting\\2011\\1010-TvTak\\CodeAndDocs\\src\\Tree\\tvtak-sources\\Source\\Pc\\TvTakCuesMaker\\Debug\\TvTakCuesMaker.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\adish\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\users\\adish\\Consulting\\2011\\1010-TvTak\\CodeAndDocs\\src\\Tree\\tvtak-sources\\Source\\Pc\\BackOffice\\build\\BackOfficeCore\\Release\\ModularServer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\D4\\D4.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\users\\adish\\Consulting\\2011\\1010-TvTak\\CodeAndDocs\\src\\Tree\\tvtak-sources\\Source\\Pc\\BackOffice\\build\\BackOfficeCore\\Debug\\ModularServer.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Documents and Settings\\adish\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Named Pipe TCP Proxy\\piped.exe"=
"c:\\users\\adish\\Consulting\\2011\\1010-TvTak\\CodeAndDocs\\src\\Tests\\BoostAsio\\BoostEchoServers\\Debug\\blocking_tcp_echo_server.exe"=
"c:\\users\\adish\\Consulting\\2011\\1010-TvTak\\CodeAndDocs\\src\\Tests\\BoostAsio\\BoostEchoServers\\Debug\\blocking_udp_echo_server.exe"=
"c:\\users\\adish\\Consulting\\2011\\1010-TvTak\\CodeAndDocs\\src\\Tree\\tvtak-sources\\Source\\Pc\\BackOffice\\build\\BackOfficeCore\\Debug\\FrameworkUnitTests.exe"=
"c:\\users\\adish\\Consulting\\2011\\1010-TvTak\\CodeAndDocs\\src\\Tree\\tvtak-sources\\Source\\Pc\\BackOffice\\build\\BackOfficeCore\\Release\\FrameworkUnitTests.exe"=
"c:\\users\\adish\\Consulting\\2011\\1010-TvTak\\CodeAndDocs\\src\\Tree\\tvtak-sources\\Source\\Pc\\BackOffice\\build\\BackOfficeCore\\Debug\\UDP2Pipe.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23837:UDP"= 23837:UDP:UDP 23837
"28020:TCP"= 28020:TCP:TCP 28020
.
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [15/05/2008 02:21 19496]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [02/03/2012 23:03 610648]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [03/11/2010 23:08 337112]
R1 hwinterface32B01;hwinterface32B01;c:\windows\system32\drivers\hwinterface32B01.sys [02/05/2010 22:01 4930]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [09/05/2008 15:50 46144]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [22/11/2010 12:58 16640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [03/11/2010 23:08 20696]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [08/12/2009 10:15 94208]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [08/12/2009 09:50 2058776]
R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\5U875.sys [08/12/2009 09:54 72448]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [08/12/2009 10:04 475136]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [08/12/2009 09:26 239760]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [23/02/2008 01:54 37312]
R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [16/05/2010 09:43 27904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
S3 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [10/05/2008 17:11 1160440]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 09:58 11336]
S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [16/05/2010 09:44 53888]
S3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [10/05/2008 17:24 102400]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [04/05/2010 22:49 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [04/05/2010 22:49 136176]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\adish\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\adish\LOCALS~1\Temp\mfe_rr.sys [?]
S3 MODRC;DiBcom Infrared Receiver;c:\windows\system32\drivers\modrc.sys [11/07/2007 18:06 13824]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 19:07 35088]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 20:37 4640000]
S3 PGRCAM;PGRCAM;c:\windows\system32\drivers\pgrcam.sys [15/07/2010 16:00 29440]
S3 PGRUSBCam;PGR USB Camera;c:\windows\system32\drivers\PGRUSBCam.sys [15/12/2009 18:31 18944]
S3 PORTMON;PORTMON;\??\c:\public\download\PortMon\PORTMSYS.SYS --> c:\public\download\PortMon\PORTMSYS.SYS [?]
S3 PROCEXP150;PROCEXP150;\??\c:\windows\system32\Drivers\PROCEXP150.SYS --> c:\windows\system32\Drivers\PROCEXP150.SYS [?]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [25/04/2008 18:15 1120752]
S3 Spyder2;ColorVision Spyder2;c:\windows\system32\drivers\Spyder2.sys [11/03/2009 15:34 12288]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [01/10/2006 14:37 26624]
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux);c:\windows\system32\drivers\tap0801co.sys [14/03/2011 11:23 25856]
S3 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [15/05/2008 02:25 520192]
S3 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [09/05/2008 15:50 253952]
S3 USA19H;USA19H;c:\windows\system32\DRIVERS\USA19H2k.sys --> c:\windows\system32\DRIVERS\USA19H2k.sys [?]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\DRIVERS\USA19H2kp.SYS --> c:\windows\system32\DRIVERS\USA19H2kp.SYS [?]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [01/12/2010 13:44 111152]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [18/01/2011 17:38 54144]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [04/09/2007 16:53 55664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
S4 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
w300bus
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 14:57]
.
2012-03-06 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-12-08 16:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.poony.info/
uInternet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1 194.90.1.5 212.143.212.143
DPF: {3EA00DAB-812E-4894-A7D2-E9B0F80E94AE} - hxxps://join.bankhapoalim.co.il/reg/pk/cabs/arpkcom.cab
DPF: {9F1C0B35-8230-4176-8B99-5C2485121A4E} - hxxp://192.168.1.12/program/SNCActiveXViewer.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.1.15/activex/AMC.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-06 21:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2252662881-1241298625-2388572291-1006\Software\OpenCV\HighGUI\Windows\@* *]
"Left"=dword:00000084
"Top"=dword:000000ae
"Width"=dword:00000287
"Height"=dword:00000201
.
[HKEY_USERS\S-1-5-21-2252662881-1241298625-2388572291-1006\Software\OpenCV\HighGUI\Windows\ p**]
"Left"=dword:0000006e
"Top"=dword:00000091
"Width"=dword:00000287
"Height"=dword:00000201
.
[HKEY_USERS\S-1-5-21-2252662881-1241298625-2388572291-1006\Software\OpenCV\HighGUI\Windows\ w**]
"Left"=dword:00000101
"Top"=dword:0000006c
"Width"=dword:00000287
"Height"=dword:00000201
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\Ati2evxx.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
.
- - - - - - - > 'explorer.exe'(3024)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\documents and settings\adish\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-03-06 21:41:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-06 19:41
ComboFix2.txt 2012-03-04 10:08
.
Pre-Run: 61,012,324,352 bytes free
Post-Run: 60,994,777,088 bytes free
.
- - End Of File - - E6055594169E519186427642F67DB933



It also threw up a few dialog boxes as in the attached.

I get a "Your post was too long. Please go back and shorten it a little." so the OTL is in the next post...

Adi


#4 _Adi

Posted 06 March 2012 - 04:40 PM

Continuing from the previous post...

As for OTL, I ran it with the code you asked, but I think the commas separating the first 6 drivers caused OTL to not scan for these files (as I saw in the resulting log).
I then removed the commas to get a full scan.

The forum is not accepting my log file - ~355K ("Your post was too long. Please go back and shorten it a little.").
Even uploading the log file is giving me "Error This file was too big to upload".
Please see the attached (and zipped) OTL log file OTL.zip.
I hope zipping was OK, I could not upload it otherwise.
If not, please let me know what other options there are for such large log files.

Thanks a lot. I look forward to your reply.
Adi

PS, if you want the log of the run with the commas, I can upload it too.

Attached File: OTL.zip (34.01KB)


#5 sempai

Posted 06 March 2012 - 08:25 PM

Hello Adi,

Sorry about the OTL script, as I forgot to remove the commas when I copy-pasted them from your initial post. Anyway, very good initiative.

Also, it's better not to attach logs unless instructed. If the log is long you can split it into 2-3 posts; that way I can read the logs more easily.


:step1: Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scan/Fixes text box.

    :OTL
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.poony.info/
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost; 127.0.0.1; <local>
    O2 - BHO: (no name) - {54B02808-B60E-44CD-A72D-9865117E4E62} - No CLSID value found.
    O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
    [2011/11/21 22:14:45 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\2afda789
    [2011/11/21 22:14:45 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\2ad0c9e3
    [2011/11/21 22:14:45 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\27ff26a9
    [2011/11/21 22:14:45 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\27db1f6c
    [2011/11/21 22:14:45 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\27b615ae
    [2011/11/21 22:14:45 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\2545bee6
    [2011/11/21 22:14:45 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\251a05f8
    [2011/11/21 22:14:45 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\229ee867
    [2011/11/21 22:14:45 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\22704cb3
    [2011/11/21 22:14:44 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\f5c052c9
    [2011/11/21 22:14:44 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\f597c29e
    [2011/11/21 22:14:44 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\f47cb8ee
    [2011/11/21 22:14:44 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\f453da76
    [2011/11/21 22:14:44 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\f41b4371
    [2011/11/21 22:14:44 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\f0ca2c3f
    [2011/11/17 15:46:28 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\2c19ffdb
    [2011/11/17 15:46:28 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\2be7f91e
    [2011/11/17 15:45:32 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\e64b5ce
    [2011/11/17 15:45:32 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\e2c501b
    [2011/11/17 15:45:26 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\4595f92b
    [2011/11/17 15:45:26 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\455e9a20
    [2011/11/17 15:45:26 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\44e84b20
    [2011/11/17 15:45:26 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\44be0aee
    [2011/11/17 15:45:26 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\4492d88f
    [2011/11/17 15:45:26 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\43e305ee
    [2011/11/17 15:45:26 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\43afb81b
    [2011/11/17 15:45:26 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\42c9199d
    [2011/11/17 15:45:26 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\4299c3e2
    [2011/11/17 15:45:26 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\37b9eb6a
    [2011/11/17 15:45:25 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\3788f90f
    [2011/11/17 15:45:25 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\37122104
    [2011/11/17 15:45:25 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\36e88d28
    [2011/11/17 15:45:25 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\36bb1417
    [2011/11/17 15:45:25 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\368c8f2d
    [2011/11/17 15:45:06 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\ad122a5a
    [2011/11/17 15:45:06 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\ace9cd5b
    [2011/11/17 15:44:40 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\bfdaacca
    [2011/11/17 15:44:40 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\bfacbe92
    [2011/11/17 15:44:40 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\bf23dcc8
    [2011/11/17 15:44:40 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\beee2575
    [2011/11/17 15:44:40 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\beb6e613
    [2011/11/17 15:44:40 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\bdf1755d
    [2011/11/17 15:44:40 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\bdc7b703
    [2011/11/17 15:44:40 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\bcf09059
    [2011/11/17 15:44:40 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\bb5e5ba4
    [2011/11/17 15:44:40 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\b2bebc0d
    [2011/11/17 15:44:40 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\b2987059
    [2011/11/17 15:44:40 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\b26892e8
    [2011/11/17 15:44:40 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\b2418834
    [2011/11/17 15:44:40 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\b211d608
    [2011/11/17 15:44:40 | 000,004,638 | ---- | C] () -- C:\Documents and Settings\adish\Application Data\b1e52b4c
    [2011/06/06 13:04:53 | 000,000,085 | ---- | C] () -- C:\WINDOWS\lagarith.ini
    [2011/06/05 14:08:20 | 000,000,134 | ---- | C] () -- C:\WINDOWS\huffyuv.ini
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [EmptyJava]
    [EMPTYTEMP] 
    [CREATERESTOREPOINT] 
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • A message box "Fix complete! Click OK to open the fix log." will pop-up.
  • Click the OK button and a report will open.
  • Copy and Paste that report in your next reply.


:step2: Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#6 _Adi

Posted 07 March 2012 - 02:27 AM

Hi,

The new OTL log (I didn't get the message "Fix complete! Click OK to open the fix log." after the reboot.)



All processes killed
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54B02808-B60E-44CD-A72D-9865117E4E62}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{54B02808-B60E-44CD-A72D-9865117E4E62}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\AutorunsDisabled\ deleted successfully.
C:\Documents and Settings\adish\Application Data\2afda789 moved successfully.
C:\Documents and Settings\adish\Application Data\2ad0c9e3 moved successfully.
C:\Documents and Settings\adish\Application Data\27ff26a9 moved successfully.
C:\Documents and Settings\adish\Application Data\27db1f6c moved successfully.
C:\Documents and Settings\adish\Application Data\27b615ae moved successfully.
C:\Documents and Settings\adish\Application Data\2545bee6 moved successfully.
C:\Documents and Settings\adish\Application Data\251a05f8 moved successfully.
C:\Documents and Settings\adish\Application Data\229ee867 moved successfully.
C:\Documents and Settings\adish\Application Data\22704cb3 moved successfully.
C:\Documents and Settings\adish\Application Data\f5c052c9 moved successfully.
C:\Documents and Settings\adish\Application Data\f597c29e moved successfully.
C:\Documents and Settings\adish\Application Data\f47cb8ee moved successfully.
C:\Documents and Settings\adish\Application Data\f453da76 moved successfully.
C:\Documents and Settings\adish\Application Data\f41b4371 moved successfully.
C:\Documents and Settings\adish\Application Data\f0ca2c3f moved successfully.
C:\Documents and Settings\adish\Application Data\2c19ffdb moved successfully.
C:\Documents and Settings\adish\Application Data\2be7f91e moved successfully.
C:\Documents and Settings\adish\Application Data\e64b5ce moved successfully.
C:\Documents and Settings\adish\Application Data\e2c501b moved successfully.
C:\Documents and Settings\adish\Application Data\4595f92b moved successfully.
C:\Documents and Settings\adish\Application Data\455e9a20 moved successfully.
C:\Documents and Settings\adish\Application Data\44e84b20 moved successfully.
C:\Documents and Settings\adish\Application Data\44be0aee moved successfully.
C:\Documents and Settings\adish\Application Data\4492d88f moved successfully.
C:\Documents and Settings\adish\Application Data\43e305ee moved successfully.
C:\Documents and Settings\adish\Application Data\43afb81b moved successfully.
C:\Documents and Settings\adish\Application Data\42c9199d moved successfully.
C:\Documents and Settings\adish\Application Data\4299c3e2 moved successfully.
C:\Documents and Settings\adish\Application Data\37b9eb6a moved successfully.
C:\Documents and Settings\adish\Application Data\3788f90f moved successfully.
C:\Documents and Settings\adish\Application Data\37122104 moved successfully.
C:\Documents and Settings\adish\Application Data\36e88d28 moved successfully.
C:\Documents and Settings\adish\Application Data\36bb1417 moved successfully.
C:\Documents and Settings\adish\Application Data\368c8f2d moved successfully.
C:\Documents and Settings\adish\Application Data\ad122a5a moved successfully.
C:\Documents and Settings\adish\Application Data\ace9cd5b moved successfully.
C:\Documents and Settings\adish\Application Data\bfdaacca moved successfully.
C:\Documents and Settings\adish\Application Data\bfacbe92 moved successfully.
C:\Documents and Settings\adish\Application Data\bf23dcc8 moved successfully.
C:\Documents and Settings\adish\Application Data\beee2575 moved successfully.
C:\Documents and Settings\adish\Application Data\beb6e613 moved successfully.
C:\Documents and Settings\adish\Application Data\bdf1755d moved successfully.
C:\Documents and Settings\adish\Application Data\bdc7b703 moved successfully.
C:\Documents and Settings\adish\Application Data\bcf09059 moved successfully.
C:\Documents and Settings\adish\Application Data\bb5e5ba4 moved successfully.
C:\Documents and Settings\adish\Application Data\b2bebc0d moved successfully.
C:\Documents and Settings\adish\Application Data\b2987059 moved successfully.
C:\Documents and Settings\adish\Application Data\b26892e8 moved successfully.
C:\Documents and Settings\adish\Application Data\b2418834 moved successfully.
C:\Documents and Settings\adish\Application Data\b211d608 moved successfully.
C:\Documents and Settings\adish\Application Data\b1e52b4c moved successfully.
C:\WINDOWS\lagarith.ini moved successfully.
C:\WINDOWS\huffyuv.ini moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
An internal error occurred: The request is not supported.

Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.
C:\Documents and Settings\adish\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\adish\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: adish
->Java cache emptied: 0 bytes

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: user

Total Java Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: adish
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 35974 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 422835231 bytes
->Flash cache emptied: 1482 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 57482 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: user

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 39138 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 150547071 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 547.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.35.1 log created on 03072012_091714

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


FSS log:


Farbar Service Scanner Version: 01-03-2012
Ran by adish (administrator) on 07-03-2012 at 09:22:26
Running from "C:\Documents and Settings\adish\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(9) Gpc(6) NetBT(12) PSched(7) Tcpip(3) VBoxNetFlt(10)
0x0B0000000400000001000000020000000300000009000000050000000600000007000000080000000A0000000B000000
Attention! IpSec Tag value should be 4. Attention! IpSec Tag value is missing and it should be 4.

**** End of log ****


Looking fwd to your reply,
Adi

#7 sempai

Posted 07 March 2012 - 05:35 AM

Hi,

Please do not change the default font style/size when posting the log so that I can read them more easily.

Please run Farbar Service Scanner.
Type the following in the search box:

IpSec

Click "Export Service" and attach the log it makes (FSS.txt).

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#8 _Adi

_Adi
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:49 PM

Posted 07 March 2012 - 05:58 AM

FSS.TXT:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\IpSec]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
00,73,00,79,00,73,00,00,00
"Group"="PNP_TDI"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\IpSec\Enum]
"0"="Root\\LEGACY_IPSEC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IpSec]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IpSec\0000]
"Service"="IPSec"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="IPSEC driver"
"Capabilities"=dword:00000000
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\\0012"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IpSec\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IpSec\0000\Control]
"ActiveService"="IPSec"

#9 sempai


Posted 07 March 2012 - 06:28 AM

Let's re-install TCP/IP in your machine.
  • Click start > Run > cmd > OK (new black window will open)
  • Now type: netsh int ip reset c:\resetlog.txt
  • Press ENTER
  • Type EXIT and press ENTER key.
  • Restart your computer
  • Post the contents of c:\resetlog.txt

If an error "TCP/IP network transport not installed" pops up after the reboot... please follow the instructions below.

  • Click start > Run > cmd > OK (new black window will open)
  • Now type: netsh winsock reset
  • Press ENTER
  • You must receive the message "Successfully reset the Winsock Catalog" once completed.
  • Type EXIT and press ENTER key.
  • Restart your computer

~Semp



#10 _Adi


Posted 07 March 2012 - 06:42 AM

Hi Sempai,

I did as you asked. The first reboot got stuck and I had to do a hard reboot.
When it came up I chose start normally and the boot succeeded.
No error "TCP/IP network transport not installed".

resetlog.txt:
reset SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
old REG_MULTI_SZ =
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\BcastNameQueryCount
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\BcastQueryTimeout
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\CacheTimeout
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NameServerPort
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NameSrvQueryCount
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NameSrvQueryTimeout
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NbProvider
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\SessionKeepAlive
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Size/Small/Medium/Large
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1FCAC8FF-F704-4F1E-A978-1489628567F9}\NameServer
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{222FA908-0CAE-4A75-9C75-05A7608DE3B7}\AddressType
old REG_DWORD = 1

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{222FA908-0CAE-4A75-9C75-05A7608DE3B7}\DefaultGateway
old REG_MULTI_SZ =
<empty>

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{222FA908-0CAE-4A75-9C75-05A7608DE3B7}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{222FA908-0CAE-4A75-9C75-05A7608DE3B7}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{222FA908-0CAE-4A75-9C75-05A7608DE3B7}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{222FA908-0CAE-4A75-9C75-05A7608DE3B7}\IpAutoconfigurationSeed
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{222FA908-0CAE-4A75-9C75-05A7608DE3B7}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{222FA908-0CAE-4A75-9C75-05A7608DE3B7}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{222FA908-0CAE-4A75-9C75-05A7608DE3B7}\UdpAllowedPorts
old REG_MULTI_SZ =
0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3DBAB46B-0F9E-470B-8C19-ABF7710F7031}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3DBAB46B-0F9E-470B-8C19-ABF7710F7031}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3DBAB46B-0F9E-470B-8C19-ABF7710F7031}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3DBAB46B-0F9E-470B-8C19-ABF7710F7031}\IpAutoconfigurationSeed
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3DBAB46B-0F9E-470B-8C19-ABF7710F7031}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3DBAB46B-0F9E-470B-8C19-ABF7710F7031}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3DBAB46B-0F9E-470B-8C19-ABF7710F7031}\UdpAllowedPorts
old REG_MULTI_SZ =
0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4924B083-B103-48DE-8532-71D67427CB37}\AddressType
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4924B083-B103-48DE-8532-71D67427CB37}\DisableDynamicUpdate
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4924B083-B103-48DE-8532-71D67427CB37}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4924B083-B103-48DE-8532-71D67427CB37}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4924B083-B103-48DE-8532-71D67427CB37}\UdpAllowedPorts
old REG_MULTI_SZ =
0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{91781658-FAB2-4EAF-A544-C7037FF2F77A}\AddressType
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{91781658-FAB2-4EAF-A544-C7037FF2F77A}\DisableDynamicUpdate
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{91781658-FAB2-4EAF-A544-C7037FF2F77A}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{91781658-FAB2-4EAF-A544-C7037FF2F77A}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{91781658-FAB2-4EAF-A544-C7037FF2F77A}\UdpAllowedPorts
old REG_MULTI_SZ =
0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D55EE426-D61B-4B20-B5B7-0ADD7950CCBD}\AddressType
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D55EE426-D61B-4B20-B5B7-0ADD7950CCBD}\DisableDynamicUpdate
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D55EE426-D61B-4B20-B5B7-0ADD7950CCBD}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D55EE426-D61B-4B20-B5B7-0ADD7950CCBD}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D55EE426-D61B-4B20-B5B7-0ADD7950CCBD}\UdpAllowedPorts
old REG_MULTI_SZ =
0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableDhcpMediaSense
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
reset Linkage\Bind for ms_netbt. bad value was:
REG_MULTI_SZ =
\Device\{4924B083-B103-48DE-8532-71D67427CB37}
\Device\{91781658-FAB2-4EAF-A544-C7037FF2F77A}
\Device\{3DBAB46B-0F9E-470B-8C19-ABF7710F7031}
\Device\{222FA908-0CAE-4A75-9C75-05A7608DE3B7}
\Device\{D55EE426-D61B-4B20-B5B7-0ADD7950CCBD}
\Device\NdisWanIp

reset Linkage\Route for ms_netbt. bad value was:
REG_MULTI_SZ =
"{4924B083-B103-48DE-8532-71D67427CB37}"
"{91781658-FAB2-4EAF-A544-C7037FF2F77A}"
"{3DBAB46B-0F9E-470B-8C19-ABF7710F7031}"
"{222FA908-0CAE-4A75-9C75-05A7608DE3B7}"
"{D55EE426-D61B-4B20-B5B7-0ADD7950CCBD}"
"NdisWanIp"

reset Linkage\Export for ms_netbt. bad value was:
REG_MULTI_SZ =
\Device\Tcpip_{4924B083-B103-48DE-8532-71D67427CB37}
\Device\Tcpip_{91781658-FAB2-4EAF-A544-C7037FF2F77A}
\Device\Tcpip_{3DBAB46B-0F9E-470B-8C19-ABF7710F7031}
\Device\Tcpip_{222FA908-0CAE-4A75-9C75-05A7608DE3B7}
\Device\Tcpip_{D55EE426-D61B-4B20-B5B7-0ADD7950CCBD}
\Device\Tcpip_{1FCAC8FF-F704-4F1E-A978-1489628567F9}
\Device\Tcpip_{AB3A4F7A-9679-4140-9037-7CB0ED9E0D14}

reset Linkage\UpperBind for {95C7A0A0-3094-11D7-A202-00508B9D7D5A}\BTWDNDIS\1&30EE4AD&0&1000000020000. bad value was:
REG_MULTI_SZ =
PSched

reset Linkage\UpperBind for PCI\VEN_8086&DEV_4236&SUBSYS_10118086&REV_00\4&318470AD&0&00E1. bad value was:
REG_MULTI_SZ =
PSched

reset Linkage\UpperBind for PCI\VEN_8086&DEV_10F5&SUBSYS_20EE17AA&REV_03\3&B1BFB68&0&C8. bad value was:
REG_MULTI_SZ =
PSched

reset Linkage\UpperBind for ROOT\MS_NDISWANIP\0000. bad value was:
REG_MULTI_SZ =
PSched

<completed>

#11 sempai


Posted 07 March 2012 - 06:44 AM

How's the internet connection?

~Semp



#12 _Adi


Posted 07 March 2012 - 07:01 AM

Hi,

There is no connection. It sees the WiFi net but does not succeed in connecting.
I also restarted the AcSvc.exe service (see my first post), in case that helps, but that jumped to max CPU again and did not help.

Adi

#13 sempai


Posted 07 March 2012 - 07:06 AM

Do you have the Windows XP CD?


:step1: Backup Your Registry with ERUNT
  • Please download ERUNT.
  • Follow the detailed instructions HERE on how to install and run ERUNT.
  • Make sure that you have successfully installed and ran ERUNT before proceeding with the next instruction.


:step2: Launch Notepad, and copy-paste the contents of the codebox below into a new text file. Save it on your Desktop as fixme.reg. For "Save as type", choose "All Files".

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"Tag"=dword:00000004

  • Locate fixme.reg on your Desktop and double-click on it.
  • You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
  • Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
  • Restart your computer.

:step3: Check the internet connection please.

~Semp

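Added example, not part of the thread and not Farbar Service Scanner's own code: a Python re-creation of the check behind the FSS "Extra List" warning that the fixme.reg above addresses. It decodes the PNP_TDI GroupOrderList blob and the service Tag values quoted in the FSS log (post #6), reports the missing IpSec Tag, and shows the group's load order once Tag is 4; the service names, tags and the expected value 4 come from the log, while `EXPECTED_TAGS` and the function names are my own constructs.

```python
import struct

# GroupOrderList for the PNP_TDI group, copied from the FSS "Extra List" above
# (REG_BINARY shown as hex). Constructed input: nothing here touches a registry.
GROUP_ORDER_LIST_HEX = (
    "0B000000" "04000000" "01000000" "02000000" "03000000" "09000000"
    "05000000" "06000000" "07000000" "08000000" "0A000000" "0B000000"
)

# Tag each PNP_TDI service carries, as FSS listed them; IpSec has none (None).
PNP_TDI_TAGS = {"aswTdi": 9, "Gpc": 6, "NetBT": 12, "PSched": 7,
                "Tcpip": 3, "VBoxNetFlt": 10, "IpSec": None}

# Tag a service is known to need; FSS says IpSec on this XP box should be 4.
EXPECTED_TAGS = {"IpSec": 4}


def parse_group_order_list(hex_blob):
    """Decode GroupOrderList: a little-endian DWORD count, then that many DWORD tags."""
    data = bytes.fromhex(hex_blob)
    (count,) = struct.unpack_from("<I", data, 0)
    if len(data) != 4 * (count + 1):
        raise ValueError(f"blob is {len(data)} bytes but count says {count} tags")
    return list(struct.unpack_from(f"<{count}I", data, 4))


def check_tags(tags, expected):
    """Findings for services whose Tag is missing or differs from `expected`; [] if consistent."""
    findings = []
    for name, tag in tags.items():
        want = expected.get(name)
        if tag is None:
            hint = f"; it should be {want}" if want is not None else ""
            findings.append(f"{name}: Tag value is missing{hint}")
        elif want is not None and tag != want:
            findings.append(f"{name}: Tag is {tag} but should be {want}")
    return findings


def load_order(order, tags):
    """Service names in the order Windows starts them within the group.

    A Tag found in GroupOrderList loads at its list position; a service whose Tag
    is not listed, or which has no Tag at all, starts after all the listed ones.
    """
    def key(item):
        name, tag = item
        if tag in order:
            return (0, order.index(tag), name)
        return (1, tag if tag is not None else 1 << 32, name)
    return [name for name, _ in sorted(tags.items(), key=key)]
```

With the log's values, `check_tags` reproduces the FSS warning, and `load_order` shows that Tag 4 is the first entry of the list, so a missing Tag pushes IpSec from first to last in its group.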


#14 _Adi


Posted 07 March 2012 - 07:21 AM

Yes!! Got the Internet back.
Seems like all Chrome settings were forgotten.

I do have a WinXP CD, but the driver does not work so there is no access to the drive from Windows.
I can boot from it, but I had some BSoD while it was loading.

Also, the laptop KB and trackpoint still aren't working (I don't think we fixed this yet).

Have we done anything with the rootkit yet?

Thanks,
Adi

#15 sempai


Posted 07 March 2012 - 07:57 AM

Yes, the rootkit was taken care of when you ran ComboFix, and what we removed were just leftovers. Now that the internet connection is back we can easily search for possible malware remnants that are lurking around.

Is it possible for you to uninstall-reinstall Chrome?


Also, the laptop KB and trackpoint still aren't working (I don't think we fixed this yet).

This is actually our next goal; that's why I asked if you have the XP CD.


==============================


Please click Start > Run > copy-paste the bolded text below then press Enter.

SFC.EXE /SCANNOW

  • The program may (or it may not) ask you for your Windows XP installation CD, please insert it at the prompt.
  • If it doesn't ask you for the CD this means that it wasn't necessary to replace any files.

Edited by sempai, 07 March 2012 - 08:00 AM.
typos

~Semp





