BleepingComputer.com: infected with XP Security 2012

I'm talking to an advisor about this issue. Can you run MiniToolBox for some more information.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark following checkboxes:

• Flush DNS
  
• Report IE Proxy Settings
  
• Reset IE Proxy Settings
  
• List content of Hosts
  
• List IP configuration
  
• List last 10 Event Viewer log
  
• List Users, Partitions and Memory size.
  
• List Minidump Files.

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Running MiniToolBox, get this error: "AutoIt Error", Line 5635, Error: Variable must be of type "Object".

Program progress bar says "Getting ipconfig..." (which reports IP Configuration), then crashes.

After experimenting, the only way to get MiniToolBox to run is to NOT select the options that invoke probably ipconfig. So, I can do these:
Flush DNS
List content of Hosts
List last 10 Event Viewer log
List Users, Partitions and Memory size.
List Minidump Files.

NOT THESE:
List IP configuration
Report IE Proxy Settings
Reset IE Proxy Settings

The result is below.

BUT, I can run ipconfig standalone and separately give you the results of ipconfig /all, below.

MiniToolBox by Farbar
Ran by johnh (administrator) on 14-01-2012 at 18:03:59
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Could not flush the DNS Resolver Cache: Function failed during execution.



========================= Hosts content: =================================
::1 localhost

127.0.0.1 localhost


========================= Event log errors: ===============================

Application errors:
==================
Error: (01/14/2012 04:37:39 PM) (Source: Application Error) (User: )
Description: Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [!ws!]

Error: (01/14/2012 08:31:33 AM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module jrtools.dll, version 14.0.1.0, fault address 0x00024710.
Processing media-specific event for [explorer.exe!ws!]

Error: (01/14/2012 08:23:31 AM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module jrtools.dll, version 14.0.1.0, fault address 0x00024710.
Processing media-specific event for [explorer.exe!ws!]

Error: (01/14/2012 08:22:08 AM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module jrtools.dll, version 14.0.1.0, fault address 0x00024710.
Processing media-specific event for [explorer.exe!ws!]

Error: (01/11/2012 04:26:38 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module jrtools.dll, version 14.0.1.0, fault address 0x00024710.
Processing media-specific event for [explorer.exe!ws!]

Error: (01/10/2012 05:56:28 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module jrtools.dll, version 14.0.1.0, fault address 0x00024710.
Processing media-specific event for [explorer.exe!ws!]

Error: (01/10/2012 05:55:10 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module jrtools.dll, version 14.0.1.0, fault address 0x00024710.
Processing media-specific event for [explorer.exe!ws!]

Error: (01/10/2012 04:22:07 PM) (Source: Application Error) (User: )
Description: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Error: (01/10/2012 04:21:59 PM) (Source: Application Error) (User: )
Description: Faulting application xplorer2_uc.exe, version 1.7.0.5, faulting module jrtools.dll, version 14.0.1.0, fault address 0x00024710.
Processing media-specific event for [xplorer2_uc.exe!ws!]

Error: (01/08/2012 08:25:02 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module jrtools.dll, version 14.0.1.0, fault address 0x00024710.
Processing media-specific event for [explorer.exe!ws!]


System errors:
=============
Error: (01/07/2012 02:50:58 PM) (Source: 0) (User: )
Description: C:

Error: (12/31/2011 08:41:32 AM) (Source: SideBySide) (User: )
Description: Generate Activation Context failed for C:\WINDOWS\system32\SHELL32.dll.
Reference error message: The operation completed successfully.
.

Error: (12/31/2011 08:41:32 AM) (Source: SideBySide) (User: )
Description: Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls.
Reference error message: Insufficient system resources exist to complete the requested service.
.

Error: (12/23/2011 02:38:48 PM) (Source: DCOM) (User: johnh)
Description: DCOM got error "%%1058" attempting to start the service ehSched with arguments "-Service"
in order to run the server:
{4B635ECB-0887-4015-8CA6-D621362F98D1}

Error: (12/23/2011 02:24:54 PM) (Source: 0) (User: )
Description: \Device\LanmanDatagramReceiverE420NetBT_Tcpip_{102151AB-4698-43CA-882D

Error: (12/23/2011 02:19:14 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/23/2011 02:14:57 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/23/2011 02:08:48 PM) (Source: DCOM) (User: johnh)
Description: DCOM got error "%%1058" attempting to start the service ehSched with arguments "-Service"
in order to run the server:
{4B635ECB-0887-4015-8CA6-D621362F98D1}

Error: (12/23/2011 02:08:08 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/23/2011 02:05:36 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127


Microsoft Office Sessions:
=========================
Error: (01/14/2012 04:37:39 PM) (Source: Application Error)(User: )
Description: 0.0.0.0unknown0.0.0.000000000

Error: (01/14/2012 08:31:33 AM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512jrtools.dll14.0.1.000024710

Error: (01/14/2012 08:23:31 AM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512jrtools.dll14.0.1.000024710

Error: (01/14/2012 08:22:08 AM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512jrtools.dll14.0.1.000024710

Error: (01/11/2012 04:26:38 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512jrtools.dll14.0.1.000024710

Error: (01/10/2012 05:56:28 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512jrtools.dll14.0.1.000024710

Error: (01/10/2012 05:55:10 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512jrtools.dll14.0.1.000024710

Error: (01/10/2012 04:22:07 PM) (Source: Application Error)(User: )
Description: drwtsn32.exe5.1.2600.0dbghelp.dll5.1.2600.55120001295d

Error: (01/10/2012 04:21:59 PM) (Source: Application Error)(User: )
Description: xplorer2_uc.exe1.7.0.5jrtools.dll14.0.1.000024710

Error: (01/08/2012 08:25:02 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512jrtools.dll14.0.1.000024710


========================= Memory info: ===================================

Percentage of memory in use: 18%
Total physical RAM: 1982.48 MB
Available physical RAM: 1618.84 MB
Total Pagefile: 3874.71 MB
Available Pagefile: 3690.11 MB
Total Virtual: 2047.88 MB
Available Virtual: 1996.42 MB

========================= Partitions: =====================================

1 Drive c: (AUDIO-C) (Fixed) (Total:456.76 GB) (Free:286.39 GB) NTFS
2 Drive d: () (Removable) (Total:0.95 GB) (Free:0.95 GB) FAT
7 Drive z: (HP_RECOVERY) (Fixed) (Total:8.99 GB) (Free:0.73 GB) FAT32

========================= Users: ========================================

User accounts for \\

Administrator Guest HelpAssistant
johnh SUPPORT_388945a0 SUPPORT_fddfa904

========================= Minidump Files ==================================

C:\WINDOWS\Minidump\Mini010812-01.dmp
C:\WINDOWS\Minidump\Mini031711-01.dmp
C:\WINDOWS\Minidump\Mini122311-01.dmp

**** End of log ****


IPCONFIG /ALL RESULT

Windows IP Configuration
Host Name . . . . . . . . . . . . : AUDIO
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter {F0F0D72D-7709-4FD1-89EE-70608D553252}:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller - Packet Scheduler Miniport
Physical Address. . . . . . . . . : 00-18-F3-57-21-C1
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 0.0.0.0

This post has been edited by cto: 14 January 2012 - 09:14 PM

ALSO, I tried ipconfig /renew which normally would fresh the computer's IP by contacting the DNS server; this sometimes repairs a bad connection. Instead it reports "The RPC Server is unavailable".

So, I checked Service "Remote Procedure Call (RPC)"; it is set to start Automatically, but it's not running now. I tried to start it manually, but get "Access denied". This might be because the implicit user "Network Service" has a problem. When I try to start it manually, I'm "Local System". Again, I can't access this service's Properties. Perhaps it is a chain of events; maybe something upstream needs to happen that eventually starts RPC, so perhaps looking at RPC is not useful; I don't know the dependencies.

Another mystery is the actual network card. I don't have two of this model computer to compare, but I'm wondering if it is normal. It shows the active Network adapter as "NVIDIA nForce Networking Controller". Maybe, but I haven't seen this device on other systes. If I reveal "hidden devices", I also see HP EN1207TD-TX PCI 10/100 Fast Ethernet Adapter - Packet Scheduler Miniport". That device name is more like what I'd expect, except the "Miniport" part is typically a subset of the main adapter which I'd expect to see as a separate device -- but I don't. Maybe this is all normal, I don't know (and HP's tech docs are of no help).


Would it be possible and prudent to restore a prior version of the Registry -- rewind and try again, so to speak?

This post has been edited by cto: 15 January 2012 - 03:19 PM

MAJOR UPDATE:

We have abandoned the project of removing the virus and found another way to rescue the computer.

We discovered that this computer had its hard drive replaced 9 months ago with a larger drive. We found the original drive, and the key is, it has all the apps installed (they haven't been changed since then). We reinstalled the original drive, and of course it works perfectly. So, we are going to again clone it to a larger drive. After we restore the data files we rescued, we believe the computer (and its user) will be back in action.

Thank you for trying to help us cure the infected computer. We are grateful for your time and expertise.

Thanks for letting me know, CTO. Both myself and the advisor were looking to post something pretty damning about your hard drive so replacing it has saved a long drawn out repair.

I will close the topic. If you have any questions then please PM me, if not Happy Surfing and thanks for the thanks.