
Ntos.exe Causing Problems For User


  • This topic is locked
5 replies to this topic

#1 MC_Shortbus

MC_Shortbus

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 14 July 2008 - 01:36 PM

A user opened an attachment from an unknown source today, which of course started to cause problems. After running HijackThis I noticed a F2 which included ntos.exe. Googling it brought me to a topic circa April 07. After trying to replicate the fix there using SUPERAntiSpyware and HijackThis it proved unsuccessful so I can only guess that I have the pleasure of dealing with a new variant. In any case, when restarting the computer explorer.exe does not come right up, so I have to do it via task manager at the moment.

Also please note I did have to redact certain information, which should hopefully not impact someone's ability to assist. Here are the log files and thank you in advance.

Deckard's System Scanner v20071014.68
Run by [USERNAME] on 2008-07-14 13:35:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-07-14 17:35:46 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as [USERNAME].exe) -----------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-14 13:36:50
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Compaq\ACLIENT\AClient.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\COMPAQ\Compaq Management Agents\Cpqalert.exe
C:\WINDOWS\Cpqdiag\CPQDFWAG.EXE
C:\Program Files\COMPAQ\Compaq Management Agents\cpqWebDmi\Webdmi.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NMSSvc.Exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMPAQ\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\COMPAQ\Compaq Management Agents\Cpqdmi.exe
C:\Program Files\Network Associates\VirusScan\VSStat.exe
C:\Program Files\Network Associates\VirusScan\vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\explorer.exe
C:\Program Files\COMPAQ\Easy Access Button Support\STARTEAK.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\COMPAQ\Compaq Management Agents\Chkadmin.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\COMPAQ\Easy Access Button Support\CpqEAKSystemTray.exe
C:\Program Files\COMPAQ\Easy Access Button Support\CPQEADM.exe
C:\Compaq\eakdrv\EAUSBKBD.exe
C:\Program Files\COMPAQ\Easy Access Button Support\BttnServ.exe
C:\Documents and Settings\[USERNAME].[NEW DOMAIN CONTROLLER]\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,


[HOSTS SECTION REDACTED] I HAVE SCANNED THESE AND THE HOSTS ARE NORMAL


O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: UPS OnLine PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\UOWS\Messages\WSDMessaging.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.[NEW DOMAIN CONTROLLER].com (HKCU)
O16 - DPF: {20DD1B9E-87C4-11D1-8BE3-0000F8754DA1} (Microsoft Date and Time Picker Control 6.0 (SP4)) - [INTERNAL ACTIVE X CONTROL FOR INTRANET SITE]
O17 - HKLM\Software\..\Telephony: DomainName = [NEW DOMAIN CONTROLLER].int
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = [NEW DOMAIN CONTROLLER].int
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = [NEW DOMAIN CONTROLLER].int
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Compaq\ACLIENT\AClient.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\COMPAQ\Compaq Management Agents\Cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINDOWS\Cpqdiag\CPQDFWAG.EXE
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\Program Files\COMPAQ\Compaq Management Agents\Cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\Program Files\COMPAQ\Compaq Management Agents\cpqWebDmi\Webdmi.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.Exe
O23 - Service: WIN32SL - Intel - C:\Program Files\COMPAQ\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe


--
End of file - 12413 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\ARICHA~1.NRS\Desktop\backups\) --------

backup-20080714-103151-821 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
backup-20080714-115737-922 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
backup-20080714-121713-225 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
backup-20080714-122104-922 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NaiFsRec - c:\windows\system32\drivers\naifsrec.sys
R1 ClntMgmt (Compaq Client Management Driver) - c:\windows\system32\drivers\clntmgmt.sys <Not Verified; Compaq Computer Corp; Compaq Client Management Driver>
R3 NaiFiltr - c:\program files\common files\network associates\mcshield\naifiltr.sys
R3 NMSCFG (NIC Management Service Configuration Driver) - c:\windows\system32\drivers\nmscfg.sys <Not Verified; Intel Corporation; Intel® NMSCFG Driver>

S3 vsdatant - c:\windows\system32\vsdatant.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AClient (Altiris Client Service) - c:\compaq\aclient\aclient.exe -service <Not Verified; Altiris, Inc.; Altiris Client Agent for Windows>
R2 AvSynMgr (AVSync Manager) - "c:\program files\network associates\virusscan\avsynmgr.exe"
R2 CPQALERT (Compaq Local Alerter) - c:\program files\compaq\compaq management agents\cpqalert.exe <Not Verified; Compaq Computer Corporation; Compaq Management Agents>
R2 CpqDfwWebAgent (Compaq Remote Diagnostics Enabling Agent) - c:\windows\cpqdiag\cpqdfwag.exe <Not Verified; Compaq Computer Corporation; Compaq Remote Diagnostics Enabling Agent>
R2 cpqdmi - c:\progra~1\compaq\compaq~1\cpqdmi.exe <Not Verified; Compaq Computer Corporation; Compaq Management Agents>
R2 cpqWebDmi (Compaq DMI Web Agent) - c:\progra~1\compaq\compaq~1\cpqweb~1\webdmi.exe <Not Verified; Compaq Computer Corporation; Compaq Management Agents>
R2 NMSSvc (Intel® NMS) - c:\windows\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>
R2 WIN32SL - c:\program files\compaq\compaq management agents\dmi\win32\bin\win32sl.exe <Not Verified; Intel; DMI 2.0 SDK>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-14 and 2008-07-14 -----------------------------

2008-07-14 12:13:54 0 dr------- C:\Documents and Settings\[USERNAME].[NEW DOMAIN CONTROLLER]\Application Data\Brother
2008-07-14 11:55:07 0 d--hs---- C:\WINDOWS\System32\wsnpoem
2008-07-14 10:55:17 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-14 10:55:12 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-14 10:55:11 0 d-------- C:\Documents and Settings\[USERNAME].[NEW DOMAIN CONTROLLER]\Application Data\SUPERAntiSpyware.com
2008-07-14 10:54:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-14 10:21:09 0 d-------- C:\backups
2008-07-14 10:19:00 0 d--h----- C:\WINDOWS\PIF
2008-07-14 10:18:26 218112 --a------ C:\HijackThis.exe <HIJACK~1.EXE> <Not Verified; Soeperman Enterprises Ltd.; HijackThis>
2008-07-14 09:21:16 0 d--hs---- C:\Documents and Settings\NetworkService\Application Data\wsnpoem


-- Find3M Report ---------------------------------------------------------------

2008-07-14 10:54:42 0 d-------- C:\Program Files\Common Files
2008-07-08 10:02:09 0 d-------- C:\Documents and Settings\[USERNAME].[NEW DOMAIN CONTROLLER]\Application Data\Adobe
2008-05-20 13:49:59 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-20 13:43:19 0 d-------- C:\Documents and Settings\[USERNAME].[NEW DOMAIN CONTROLLER]\Application Data\AdobeUM
2008-05-20 13:36:52 0 --a------ C:\WINDOWS\System32\Biport


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe" [12/14/2001 07:01 PM]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [01/30/2002 10:01 PM]
"PROMon.exe"="PROMon.exe" [03/25/2002 03:36 PM C:\WINDOWS\system32\PROMon.exe]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [01/24/2002 10:03 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [04/24/2002 07:28 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/24/2002 07:20 PM]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [08/18/2001 02:36 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/12/2007 12:59 PM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/2003 11:22 AM]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [04/14/2004 03:46 PM]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [04/14/2004 04:04 PM]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [01/07/2005 06:30 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"=C:\WINDOWS\Cpqdiag\CpqDfwAg.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
UPS OnLine PLD Reminder Utility.lnk - C:\UPS\UOWS\PldReminder.exe [1/15/2007 4:47:29 PM]
UPS WorldShip Messaging Utility.lnk - C:\UPS\UOWS\Messages\WSDMessaging.exe [1/15/2008 5:21:38 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Puy50.sys]
@="Driver"

*Newly Created Service* - NMSCFG



-- Hosts -----------------------------------------------------------------------

[HOSTS REDACTED]


-- End of Deckard's System Scanner: finished at 2008-07-14 13:37:27 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 503.48 MiB / 193.42 MiB
Pagefile Memory (total/avail): 1230.62 MiB / 931.07 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.57 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 38.28 GiB total, 29.64 GiB free.
D: is CDROM (CDFS)
E: is Network (Unformatted)
J: is Network (Unformatted)
L: is Network (Unformatted)
Z: is Network (Unformatted)

\\.\PHYSICALDRIVE0 - Maxtor 6E040L0 - 38.28 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 38.28 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

;Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\[USERNAME].[NEW DOMAIN]\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=[USERNAME]2
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\[USERNAME].[NEW DOMAIN]
LOGONSERVER=\\NRSCTDC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\Bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\BINN
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\[USER ABBRV].[NEW DOMAIN ABBRV]\LOCALS~1\Temp
TMP=C:\DOCUME~1\[USER ABBRV]~1.[NEW DOMAIN ABRV]\LOCALS~1\Temp
USERDNSDOMAIN=
USERDOMAIN=
USERNAME=
USERPROFILE=C:\Documents and Settings\[USERNAME].[NEW DOMAIN]
WIN32DMIPATH=C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)
[USERNAME] (admin)
administrator.[OLD DOMAIN CONTROLLER] (new local, admin, net ready)
[USERNAME].[NEW DOMAIN] (admin)
administrator.[NEW DOMAIN] (new local, admin, net ready)


-- Add/Remove Programs ---------------------------------------------------------

-->
-->
-->
-->
-->
-->
-->
-->
-->
--> "C:\Program Files\InstallShield Installation Information\{11B95B0C-D13F-4E5D-B375-D98C9B6CE7B9}\setup.exe" -WSD -s -f1"C:\Program Files\InstallShield Installation Information\{11B95B0C-D13F-4E5D-B375-D98C9B6CE7B9}\setup.iss" -f2C:\WINDOWS\Setup.log
--> "C:\Program Files\InstallShield Installation Information\{52C1E6E3-85EB-448E-9004-F5EB14DEF22B}\setup.exe" -WSD -s -f1"C:\Program Files\InstallShield Installation Information\{52C1E6E3-85EB-448E-9004-F5EB14DEF22B}\setup.iss" -f2C:\WINDOWS\Setup.log
--> "C:\Program Files\InstallShield Installation Information\{6C6965D1-799C-4136-AE06-ACF80A311D35}\setup.exe" -WSD -s -f1"C:\Program Files\InstallShield Installation Information\{6C6965D1-799C-4136-AE06-ACF80A311D35}\setup.iss" -f2C:\WINDOWS\Setup.log
--> "C:\Program Files\InstallShield Installation Information\{871D9278-C4DE-4B83-9B31-FDE1BE4B7096}\setup.exe" -WSD -s -f1"C:\Program Files\InstallShield Installation Information\{871D9278-C4DE-4B83-9B31-FDE1BE4B7096}\setup.iss" -f2C:\WINDOWS\Setup.log
--> "C:\Program Files\InstallShield Installation Information\{8A549839-FC1C-4A24-A209-EC27AACE75E5}\setup.exe" -WSD -s -f1"C:\Program Files\InstallShield Installation Information\{8A549839-FC1C-4A24-A209-EC27AACE75E5}\setup.iss" -f2C:\WINDOWS\Setup.log
--> "C:\Program Files\InstallShield Installation Information\{9614DAD1-A91F-4225-9907-59D68336BC04}\setup.exe" -WSD -s -f1"C:\Program Files\InstallShield Installation Information\{9614DAD1-A91F-4225-9907-59D68336BC04}\setup.iss" -f2C:\WINDOWS\Setup.log
--> "C:\Program Files\InstallShield Installation Information\{C02D7C81-8AEA-4155-B665-5271BA7877BA}\setup.exe" -WSD -s -f1"C:\Program Files\InstallShield Installation Information\{C02D7C81-8AEA-4155-B665-5271BA7877BA}\setup.iss" -f2C:\WINDOWS\Setup.log
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{854A5F01-D692-11D4-A984-009027EC0A9C}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{945E2519-C2B9-11D3-9D56-0060B0A4823E}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CD47EFC1-D692-11D4-A984-009027EC0A9C}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7E518B2-B174-11D3-9D4E-0060B0A4823E}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{13FC0634-B6EE-4518-9589-AB50B5C079AD}\Setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B785F89C-FD1A-466F-9AF3-32A060A1099A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F3DD1358-7E23-44CB-BC72-791C390269F0}\Setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Brother MFL-Pro Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D83BD5E2-5AF4-49F6-B5C1-484A9760E73D}\Setup.exe" -l0x9 Brunin03.dllBrunin03.dll
Compaq Management Agents --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Compaq\Compaq Management Agents\DeIsL1.isu" -c"C:\Program Files\Compaq\Compaq Management Agents\cpqdmun.dll"
Compaq Remote Diagnostics Enabling Agent --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71A470E1-27E7-424E-803A-F9C0D41968D3}\SETUP.EXE" -l0x9
Easy Access Button Support --> C:\Program Files\COMPAQ\Easy Access Button Support\Uninst.exe
HijackThis 1.99.1 --> D:\HijackThis.exe /uninstall
Intel® 845G Chipset Graphics Driver Software --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
Intel® PROSet II --> MsiExec.exe /I{01A4AEDE-F219-49A2-B855-16A016EAF9A4}
McAfee VirusScan --> MsiExec.exe /I{87AEFD84-BC0D-11D4-B885-00508B022A51}
Merriam-Webster Online Toolbar --> C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\_MWOLTB.DLL"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft SQL Server\80\Tools\Uninst.isu" -c"C:\Program Files\Microsoft SQL Server\80\Tools\sqlsun.dll" -msql.mif
PaperPort --> MsiExec.exe /I{A17EABB6-D0C6-44E5-820C-72DC7F495064}
Setup Compaq Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\COMPAQ\Setup Compaq Software\Uninst.isu" -c"C:\Program Files\COMPAQ\Setup Compaq Software\CPQUNST.DLL"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.EXE"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
UPS WorldShip® (US Origin) --> C:\UPS\UOWS\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type4409 / Error
Event Submitted/Written: 07/14/2008 01:33:52 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application svchost.exe, version 5.1.2600.0, faulting module advapi32.dll, version 5.1.2600.1106, fault address 0x00016439.

Event Record #/Type4408 / Error
Event Submitted/Written: 07/14/2008 01:33:41 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type4406 / Error
Event Submitted/Written: 07/14/2008 00:24:44 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type4402 / Error
Event Submitted/Written: 07/14/2008 00:19:03 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type4401 / Error
Event Submitted/Written: 07/14/2008 00:19:03 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type7082 / Warning
Event Submitted/Written: 07/14/2008 01:34:37 PM
Event ID/Source: 4 / E100B
Event Description:
Adapter Intel® PRO/100 VM Network Connection: Adapter Link Down

Event Record #/Type7074 / Error
Event Submitted/Written: 07/14/2008 01:34:02 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The DNS Client service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type7067 / Error
Event Submitted/Written: 07/14/2008 01:33:41 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Event Record #/Type7066 / Warning
Event Submitted/Written: 07/14/2008 01:33:41 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.

Event Record #/Type7065 / Error
Event Submitted/Written: 07/14/2008 01:33:41 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.



-- End of Deckard's System Scanner: finished at 2008-07-14 13:37:27 ------------

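The F2 line and the Winlogon "Userinit" registry dump entry above both show the same chain: Winlogon launches every comma-separated program in that value, so an extra executable appended after userinit.exe (here ntos.exe) runs at every logon, and the "HijackThis Fixed Entries" section shows the value being restored four times after each fix. The following checker is an added example, not code from the thread or from HijackThis: it parses log lines in the format shown above and reports anything in the Userinit chain other than the stock userinit.exe (the definition of "stock" is an assumption stated in the code).

```python
"""Flag non-default Winlogon Userinit entries in a HijackThis / DSS style log.

Added example, not from the BleepingComputer thread above: it parses the
"F2 - REG:system.ini: UserInit=" lines and the "Userinit"=... line of a
registry dump, and lists every program in the chain other than userinit.exe.
"""
import re
from typing import Dict, List

# Constructed sample lines in the format HijackThis and Deckard's System Scanner
# print; they mirror the entry discussed in the thread. The trailing comma is
# part of the real value and is not an error.
INFECTED_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,"
"""

# Constructed sample of what the same two lines look like on a clean XP machine.
CLEAN_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
"Userinit"="C:\WINDOWS\system32\userinit.exe,"
"""

# Lines that carry the Winlogon Userinit value: a HijackThis "F2" entry and the
# "Userinit" line of a registry dump.
_F2_RE = re.compile(r'^F2 - REG:system\.ini: UserInit=(?P<value>.*)$', re.IGNORECASE)
_DUMP_RE = re.compile(r'^"Userinit"="(?P<value>.*)"$', re.IGNORECASE)


def extract_userinit_values(log: str) -> List[str]:
    """Return every raw Userinit value found in the log, in order of appearance."""
    values = []
    for line in log.splitlines():
        line = line.strip()
        match = _F2_RE.match(line) or _DUMP_RE.match(line)
        if match:
            values.append(match.group("value"))
    return values


def split_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit list into the programs Winlogon runs.

    Winlogon launches each entry; the trailing comma is normal and yields nothing.
    """
    return [part.strip() for part in value.split(",") if part.strip()]


def is_stock_userinit(entry: str) -> bool:
    """True only for the legitimate userinit.exe in the system directory.

    Assumption (not from the thread): the stock entry is either a bare
    'userinit.exe' or a full path ending in \\system32\\userinit.exe, compared
    case-insensitively. Anything else in the chain is reported.
    """
    normalized = entry.strip('"').lower()
    return normalized == "userinit.exe" or normalized.endswith(r"\system32\userinit.exe")


def unexpected_userinit_entries(log: str) -> List[str]:
    """Programs in the Userinit chain other than userinit.exe, in first-seen order."""
    seen: Dict[str, None] = {}
    for value in extract_userinit_values(log):
        for entry in split_userinit(value):
            if not is_stock_userinit(entry):
                seen.setdefault(entry, None)  # dict keeps insertion order, drops repeats
    return list(seen)


if __name__ == "__main__":
    for name, log in (("infected", INFECTED_LOG), ("clean", CLEAN_LOG)):
        extra = unexpected_userinit_entries(log)
        print(f"{name}: {extra if extra else 'Userinit chain contains only userinit.exe'}")
```

Run it against a fresh log after each cleanup pass: if the extra entry reappears, as the four HijackThis backups above show, the process that rewrites the value is still running and must be stopped before the registry fix will hold.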

#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:26 PM

Posted 14 July 2008 - 05:44 PM

Hello MC_Shortbus,

Welcome to Bleeping Computer :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 MC_Shortbus

MC_Shortbus
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 15 July 2008 - 08:14 AM

I monitored ComboFix running and it deleted several files, including ntos.exe and wsnpoem. I left and came back and it was at the login screen. After trying to login it attempted to sync with a file server (which normally does not happen). After failing, it went straight back to the login screen. Nothing happens beyond that. I try logging in, it goes right back to the login screen. Wash, rinse, repeat.

Thoughts?

Edited by MC_Shortbus, 15 July 2008 - 08:30 AM.


#4 MC_Shortbus

MC_Shortbus
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 15 July 2008 - 11:12 AM

I have slaved the HD to another machine and have successfully moved all vital data to a network drive. I am just going to do a fresh install of XP on the machine and call it at that. Thank you for your effort teacup.

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:26 PM

Posted 15 July 2008 - 12:22 PM

Hello,

I'm sorry it came to that, but perhaps with that kind of malware it was best. :) I'm so glad you got to get all your data! :thumbsup:

You're welcome, and take care!
tea

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:26 PM

Posted 07 August 2008 - 07:23 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Edited by teacup61, 07 August 2008 - 07:24 PM.
