

Infected with what? I don't know


72 replies to this topic

#1 2yyiam

  • Members
  • 59 posts

Posted 21 January 2009 - 03:17 PM

I posted a thread here regarding my laptop.

Pasting in contents from that post. ~ OB

My laptop has become infected! Either from a website or from a torrent I downloaded.

Initially a balloon popped up saying the CPU memory was being overused, suggesting I scan for malware. I tried to run SUPERAntiSpyware but after detecting some Trojans and malware, when it tried to delete/fix the threats it would freeze.

I then re-started the laptop and immediately the internet stopped working, I couldn't access any webpages. I then re-started it again and a message box titled "Error" came up saying the "File is incomplete or corrupt". I pressed on ok and then the screen went blue with a load of txt and before I could read it automatically the laptop re-started itself.

I've tried pressing F8 during the start process, I can't get it to start in safe mode, it takes ages to load and then the laptop re-starts. I selected the option that states not to re-start if there is a system failure.

After loading up, the same error message came up, and then the blue screen - this time I was able to read it:

It states that the system needs to re-start because:
"A problem has been detected and windows has been shut down to prevent damage to your computer"

DRIVER_IRQL_NOT_LESS_OR_EQUAL

It then states to re-start in Safe Mode to try and uninstall the cause of the problem, but I can't do that. It also states some code that someone may be able to decipher:

*** STOP: 0x000000D1 (0xE1C08000, 0x00000002, 0x00000000, 0xAAF5ACC6)

Beginning dump of physical memory
Physical memory dump complete

Contact your system administrator for further assistance

Is anyone able to help me? I'm posting this from my other PC and have no idea what to do next.
Thanks

End of pasted in information. ~ OB

I got it to restart and stay loaded and ran a few scans including Malwarebytes' Anti-Malware and a DDS scan.
Following the advice in this forum I've attached the txt files below from the scans.

Can someone help me please?

Attached Files


Edited by Orange Blossom, 21 January 2009 - 03:28 PM.




#2 Thunder

  • Members
  • 3,294 posts
  • Location:Belgium

Posted 29 January 2009 - 05:32 PM

Hello 2yyiam and welcome to Bleeping Computer,

Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 2yyiam

  • Topic Starter
  • Members
  • 59 posts

Posted 29 January 2009 - 07:33 PM

Thanks for getting in touch

In anticipation of this request for a ComboFix log, I attempted a ComboFix run a few days ago. However, when I ran the scan I was unable to install the Windows Recovery Console because the computer couldn't connect to the internet.

The log file is below. Since reading the tutorial link that you provided, I see that there are other ways of installing Recovery Console, so I can do that later today and post a new ComboFix log then. In the meantime, perhaps the log I've already generated will provide an indication for the malware that is currently affecting my laptop.

I can't find my XP CD, so I'm going to try installing the Recovery Console via the microsoft website on my working computer and transfer the file to the infected laptop to install it.

By the way, I think the Trojan is a DNS changer one because every time I run a Malwarebytes' Anti-Malware scan it detects the Trojans but then cannot delete them.
Thanks for the help and let me know if you need me to do a proper ComboFix run.

ComboFix 09-01-21.04 - Miriam Abedi 2009-01-23 15:13:31.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.258 [GMT 0:00]
Running from: c:\documents and settings\Miriam Abedi\My Documents\My Received Files\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Miriam Abedi\ResErrors.log
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\tpBe12
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekatvkvfoyj.sys
c:\windows\system32\senekaekcuootj.dll
c:\windows\system32\senekapop.dll
c:\windows\system32\senekarkkghrxx.dat
c:\windows\system32\senekasvaioaeo.dat
c:\windows\system32\senekayslsrkcj.dll
D:\Autorun.inf
D:\resycled
d:\resycled\ntldr.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_dhlp


((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 )))))))))))))))))))))))))))))))
.

2009-01-21 18:31 . 2009-01-21 18:31 <DIR> d-------- C:\Malwarebytes' Anti-Malware
2009-01-21 18:31 . 2009-01-21 18:31 <DIR> d-------- c:\documents and settings\Miriam Abedi\Application Data\Malwarebytes
2009-01-21 18:31 . 2009-01-21 18:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-21 18:31 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 18:31 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-21 14:57 . 2009-01-21 14:57 0 --a------ C:\vfxhjbv.exe
2009-01-21 14:57 . 2009-01-21 14:57 0 --a------ C:\ufwh.exe
2009-01-21 14:57 . 2009-01-21 14:57 0 --a------ C:\oswebt.exe
2009-01-21 14:57 . 2009-01-21 14:57 0 --a------ C:\lbcwqu.exe
2009-01-21 14:56 . 2009-01-21 14:56 0 --a------ C:\359142397
2009-01-18 18:52 . 2009-01-18 18:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-14 13:14 . 2009-01-14 13:14 <DIR> d--hs---- C:\FOUND.014
2009-01-10 22:44 . 2004-02-22 10:11 719,872 --a------ c:\windows\system32\devil.dll
2009-01-10 22:44 . 2007-05-17 17:30 318,976 --a------ c:\windows\system32\avisynth.dll
2009-01-07 16:15 . 2009-01-07 16:15 <DIR> d--hs---- C:\FOUND.013
2009-01-06 18:23 . 2009-01-06 18:23 <DIR> d-------- C:\Absolute MP3 Splitter
2009-01-04 22:45 . 2009-01-04 22:45 <DIR> d-------- C:\Easy Video Splitter
2009-01-04 11:47 . 2009-01-04 11:47 <DIR> d-------- c:\windows\Replay Converter 3
2009-01-04 11:47 . 2009-01-04 11:47 <DIR> d-------- C:\Replay Converter 3
2009-01-03 23:43 . 2009-01-03 23:43 <DIR> d-------- C:\CCCP
2009-01-03 20:05 . 2009-01-03 20:05 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-02 20:34 . 2009-01-03 20:05 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-01 18:36 . 2009-01-01 18:36 <DIR> d-------- C:\AVIcodec
2009-01-01 13:58 . 2004-09-14 13:03 <DIR> d-------- c:\program files\AviSynth 2.5
2009-01-01 13:58 . 2006-10-07 17:43 502,784 --a------ c:\windows\x2.64.exe
2009-01-01 13:58 . 2005-02-28 13:16 240,128 --a------ c:\windows\system32\x.264.exe
2009-01-01 13:58 . 2006-04-12 09:47 217,073 --a------ c:\windows\meta4.exe
2009-01-01 13:58 . 2004-01-25 00:00 70,656 --a------ c:\windows\system32\yv12vfw.dll
2009-01-01 13:58 . 2004-01-25 00:00 70,656 --a------ c:\windows\system32\i420vfw.dll
2009-01-01 13:58 . 2006-04-05 08:09 66,560 --a------ c:\windows\MOTA113.exe
2009-01-01 13:58 . 2005-07-14 12:31 27,648 --a------ c:\windows\system32\AVSredirect.dll
2008-12-30 23:21 . 2008-12-30 23:21 <DIR> d-------- C:\DVD Decrypter
2008-12-30 22:55 . 2008-12-30 22:55 <DIR> d-------- C:\AviSynth 2.5
2008-12-29 20:30 . 2008-12-29 20:30 <DIR> d-------- c:\documents and settings\Miriam Abedi\Application Data\vlc
2008-12-29 20:29 . 2008-12-29 20:29 <DIR> d-------- c:\program files\VideoLAN
2008-12-27 16:21 . 2008-12-27 16:21 <DIR> d-------- C:\Magic Video Converter
2008-12-27 16:21 . 2008-12-27 16:21 <DIR> d-------- c:\documents and settings\Miriam Abedi\Application Data\Vso
2008-12-27 16:21 . 2008-12-27 16:21 81,920 --a------ c:\documents and settings\Miriam Abedi\Application Data\ezpinst.exe
2008-12-27 16:21 . 2008-12-27 16:21 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2008-12-27 16:21 . 2008-12-27 16:21 47,360 --a------ c:\documents and settings\Miriam Abedi\Application Data\pcouffin.sys
2008-12-25 15:35 . 2008-12-25 15:35 <DIR> d--hs---- C:\FOUND.012
2008-12-24 18:07 . 2008-12-24 18:07 <DIR> d-------- c:\documents and settings\Miriam Abedi\Application Data\DivX
2008-12-24 17:31 . 2008-11-21 21:47 129,784 --------- c:\windows\system32\pxafs.dll
2008-12-24 17:31 . 2008-11-21 21:47 120,056 --------- c:\windows\system32\pxcpyi64.exe
2008-12-24 17:31 . 2008-11-21 21:47 118,520 --------- c:\windows\system32\pxinsi64.exe
2008-12-24 17:30 . 2008-12-24 17:30 <DIR> d-------- C:\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 19:59 90,112 ----a-w c:\windows\DUMP321c.tmp
2009-01-21 19:38 90,112 ----a-w c:\windows\DUMP43bf.tmp
2009-01-21 19:35 90,112 ----a-w c:\windows\DUMP31fc.tmp
2009-01-21 18:53 90,112 ----a-w c:\windows\DUMP31ae.tmp
2009-01-21 17:25 90,112 ----a-w c:\windows\DUMP5256.tmp
2009-01-21 16:51 90,112 ----a-w c:\windows\DUMP536f.tmp
2009-01-21 16:36 90,112 ----a-w c:\windows\DUMP66d8.tmp
2008-12-22 23:39 --------- d-----w c:\program files\MyPublisher
2008-12-22 23:39 --------- d-----w c:\documents and settings\Miriam Abedi\Application Data\MyPublisher
2008-12-17 22:08 --------- d-----w c:\program files\Bonjour
2008-12-17 22:05 --------- d-----w c:\program files\iTunes
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-12 11:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-12-08 11:53 57,344 ----a-w c:\windows\system32\ff_vfw.dll
2008-12-07 18:08 795,648 ----a-w c:\windows\system32\xvidcore.dll
2008-12-07 18:08 130,048 ----a-w c:\windows\system32\xvidvfw.dll
2008-12-02 23:08 --------- d-----w c:\documents and settings\All Users\Application Data\TomTom
2008-11-29 15:41 --------- d-----w c:\documents and settings\Miriam Abedi\Application Data\Xilisoft Corporation
2008-11-29 11:41 2,294,291 ----a-w c:\windows\system32\x264vfw.dll
2008-11-08 18:16 48,396 ----a-w c:\windows\UninstVeetleTVPlayer.exe
2008-11-06 16:37 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-11-06 16:37 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-06 16:35 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-06 16:35 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-06 16:33 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-11-06 16:33 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-11-06 16:33 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-11-06 16:33 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-11-06 16:33 684,032 ----a-w c:\windows\system32\DivX.dll
2008-11-06 16:33 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll
2008-10-22 14:09 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102220081023\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

NETSVCS REQUIRES REPAIRS - current entries shown

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2009-01-23 c:\windows\Tasks\User_Feed_Synchronization-{5E0C3D8A-938D-42CE-BF8E-FE1D61B7B726}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]

2009-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1110105051-3664944901-3127270354-1005.job
- c:\documents and settings\Miriam Abedi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-25 18:58]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 15:19:50
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\seneka.sys 0 bytes
c:\windows\system32\drivers\gaopdxpstrnqgw.sys 98304 bytes
c:\windows\system32\drivers\senekatvkvfoyj.sys 65536 bytes
c:\windows\system32\senekapop.dll 0 bytes
c:\windows\system32\senekasvaioaeo.dat 32768 bytes
c:\windows\system32\gaopdxqbdbaqpv.dll 65536 bytes
c:\windows\system32\senekaekcuootj.dll 65536 bytes
c:\windows\system32\senekarkkghrxx.dat 32768 bytes
c:\windows\system32\senekayslsrkcj.dll 32768 bytes
c:\docume~1\MIRIAM~1\LOCALS~1\Temp\gaopdxserv.sys000 0 bytes
c:\docume~1\MIRIAM~1\LOCALS~1\Temp\seneka000 0 bytes
c:\docume~1\MIRIAM~1\LOCALS~1\Temp\gaopdx000 0 bytes

scan completed successfully
hidden files: 12

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\superantispyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [552]
??\c:\windows\system32\csrss.exe [608]
??\c:\windows\system32\winlogon.exe [632]
c:\windows\system32\services.exe [676]
c:\windows\system32\lsass.exe [688]
c:\windows\system32\svchost.exe [836]
c:\windows\system32\svchost.exe [904]
c:\windows\System32\svchost.exe [944]
c:\windows\system32\svchost.exe [1080]
c:\windows\system32\svchost.exe [1164]
c:\windows\system32\spoolsv.exe [1324]
c:\program files\Citrix\ICA Client\ssonsvr.exe [1644]
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1956]
c:\program files\Bonjour\mDNSResponder.exe [1972]
c:\windows\System32\svchost.exe [2044]
c:\progra~1\BORLAND\INTERB~1\Bin\ibguard.exe [196]
c:\program files\Java\jre6\bin\jqs.exe [220]
c:\progra~1\McAfee\MSC\mcmscsvc.exe [276]
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe [392]
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [496]
c:\program files\McAfee\MPF\MPFSrv.exe [1036]
c:\windows\system32\svchost.exe [792]
c:\progra~1\mcafee.com\agent\mcagent.exe [2736]
c:\progra~1\BORLAND\INTERB~1\Bin\ibserver.exe [3020]
c:\windows\System32\alg.exe [3176]
c:\windows\system32\CF6747.exe [2224]
c:\program files\Synaptics\SynTP\SynTPLpr.exe [3016]
c:\program files\Synaptics\SynTP\SynTPEnh.exe [1452]
c:\program files\Launch Manager\LaunchAp.exe [3284]
c:\program files\Launch Manager\Wbutton.exe [3364]
c:\program files\iTunes\iTunesHelper.exe [3416]
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe [3492]
c:\program files\Java\jre6\bin\jusched.exe [3608]
c:\program files\McAfee\MBK\McAfeeDataBackup.exe [3636]
c:\windows\system32\wbem\wmiprvse.exe [3648]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [3740]
c:\windows\system32\ctfmon.exe [3980]
c:\microsoft activesync\Wcescomm.exe [896]
c:\micros~2\rapimgr.exe [188]
c:\documents and settings\Miriam Abedi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2080]
c:\program files\Windows Media Player\WMPNSCFG.exe [2312]
c:\program files\iPod\bin\iPodService.exe [1012]
c:\combofix\catchme.cfexe [3516]
.
**************************************************************************
.
Completion time: 2009-01-23 15:24:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-23 15:24:52

Pre-Run: 7,189,692,416 bytes free
Post-Run: 7,220,690,944 bytes free

Sets=
240

Edited by 2yyiam, 29 January 2009 - 07:43 PM.
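The log above contains the three line formats a helper usually reads by eye: the 'Files Created' entries (several zero-byte .exe files dropped in C:\), the 'Find3M Report' (hidden+system DLLs directly under system32) and the catchme list of files hidden from the Win32 API (the seneka* and gaopdx* groups). As an added example, not code from this thread or from ComboFix, the Python script below parses those formats and applies a few triage heuristics: zero-byte executables, hidden+system files sitting directly in system32 or system32\drivers, short lowercase .exe names in the drive root, and clusters of hidden files that share a leading name prefix. The sample lines are adapted from the log in this post (the profile path is replaced by a constructed OWNER~1); the rules and thresholds are the example's own assumptions and every hit is meant for human review, not automatic deletion.

```python
"""Triage a ComboFix log for rootkit-style droppings (added example)."""
import os
import re
from collections import defaultdict

# 'Files Created' line:  2009-01-21 14:57 . 2009-01-21 14:57 0 --a------ C:\vfxhjbv.exe
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:<DIR> )?(?:([\d,]+) )?([-\w]{9}) (.+)$")
# 'Find3M' line:         2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
FIND3M_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:([\d,]+)|-+) ([-\w]{7}) (.+)$")
# catchme hidden-file line:  c:\windows\system32\drivers\seneka.sys 0 bytes
HIDDEN_RE = re.compile(r"^([a-z]:\\.+?) (\d+) bytes$", re.IGNORECASE)

EXEC_EXT = {".exe", ".dll", ".sys", ".com", ".scr"}
SYSTEM32_DIRS = {"c:/windows/system32", "c:/windows/system32/drivers"}

# Sample lines adapted from the ComboFix log in this thread (constructed input).
SAMPLE_LOG = r"""
2009-01-21 18:31 . 2009-01-21 18:31 <DIR> d-------- C:\Malwarebytes' Anti-Malware
2009-01-21 18:31 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 14:57 . 2009-01-21 14:57 0 --a------ C:\vfxhjbv.exe
2009-01-21 14:57 . 2009-01-21 14:57 0 --a------ C:\ufwh.exe
2009-01-14 13:14 . 2009-01-14 13:14 <DIR> d--hs---- C:\FOUND.014
2009-01-21 19:59 90,112 ----a-w c:\windows\DUMP321c.tmp
2008-12-22 23:39 --------- d-----w c:\program files\MyPublisher
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2008-10-22 14:09 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102220081023\index.dat
c:\windows\system32\drivers\seneka.sys 0 bytes
c:\windows\system32\drivers\gaopdxpstrnqgw.sys 98304 bytes
c:\windows\system32\drivers\senekatvkvfoyj.sys 65536 bytes
c:\windows\system32\senekapop.dll 0 bytes
c:\windows\system32\gaopdxqbdbaqpv.dll 65536 bytes
c:\docume~1\OWNER~1\LOCALS~1\Temp\gaopdxserv.sys000 0 bytes
c:\docume~1\OWNER~1\LOCALS~1\Temp\seneka000 0 bytes
""".strip().splitlines()


def parse(lines):
    """Yield (path, size or None, attribute string, hidden_by_catchme) per recognised line."""
    for raw in lines:
        line = raw.strip()
        m = CREATED_RE.match(line) or FIND3M_RE.match(line)   # same group layout in both
        if m:
            size = int(m.group(1).replace(",", "")) if m.group(1) else None
            yield m.group(3), size, m.group(2), False
            continue
        m = HIDDEN_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), "", True


def triage(lines):
    """Return ([(rule, path), ...], [paths catchme reported as hidden])."""
    findings, hidden = [], []
    for path, size, attrs, is_hidden in parse(lines):
        norm = path.lower().replace("\\", "/")
        parent, _, base = norm.rpartition("/")
        ext = os.path.splitext(base)[1]
        is_dir = attrs.startswith("d")
        if is_hidden:
            hidden.append(path)
            findings.append(("hidden from the Win32 API (catchme)", path))
        if not is_dir and size == 0 and ext in EXEC_EXT:
            findings.append(("zero-byte executable", path))
        if not is_dir and "h" in attrs and "s" in attrs and parent in SYSTEM32_DIRS:
            findings.append(("hidden+system file in system32", path))
        if re.fullmatch(r"[a-z]:/[a-z]{4,8}\.exe", norm):
            findings.append(("short lowercase .exe in drive root", path))
    return findings, hidden


def prefix_clusters(paths, min_letters=6, min_members=2):
    """Group file names by their leading letters; droppings from one rootkit
    often share a random-looking prefix (seneka*, gaopdx* in this thread)."""
    groups = defaultdict(list)
    for p in paths:
        base = p.replace("\\", "/").rsplit("/", 1)[-1]
        m = re.match(r"[A-Za-z]+", base)
        if m and len(m.group(0)) >= min_letters:
            groups[m.group(0)[:min_letters].lower()].append(base)
    return {k: v for k, v in groups.items() if len(v) >= min_members}


if __name__ == "__main__":
    found, hid = triage(SAMPLE_LOG)
    for rule, path in found:
        print(f"{rule:40} {path}")
    for prefix, names in prefix_clusters(hid).items():
        print(f"prefix {prefix!r}: {', '.join(names)}")
```

Run it against a saved ComboFix.txt with `triage(open("ComboFix.txt").read().splitlines())`; the prefix clusters are the most useful output, because a name like senekapop.dll by itself looks harmless while eight hidden files sharing "seneka" do not.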


#4 Thunder

  • Members
  • 3,294 posts
  • Location:Belgium

Posted 30 January 2009 - 05:54 AM

Hello 2yyiam,

Since this log is almost a week old,
it would be nice if you could run the most recent version of ComboFix,
and post a fresh log.

Greetings,
Thunder

#5 2yyiam

  • Topic Starter
  • Members
  • 59 posts

Posted 30 January 2009 - 08:29 AM

I shall do that later today when I get home - would you like me to install Windows Recovery Console before running the ComboFix again or shall I just run it? I haven't touched the laptop in the past week so I don't know if the log will change.

Will post the log soon, Thanks for the help.

#6 Thunder

  • Members
  • 3,294 posts
  • Location:Belgium

Posted 30 January 2009 - 11:27 AM

Hello 2yyiam,

Anyone using ComboFix should ALWAYS install the Recovery Console prior to running ComboFix.
That's why it's integrated in the normal use of the tool, and backup possibilities are provided in case of failing connection.
The RC is very handy to have onboard whenever you run into trouble,
and not just from malware infections.

Greetings,
Thunder

#7 2yyiam

  • Topic Starter
  • Members
  • 59 posts

Posted 30 January 2009 - 08:04 PM

I'm having problems running ComboFix. I downloaded the XP pack from the Microsoft website in order to install the Windows Recovery Console. As the tutorial states, after transferring the file to the faulty laptop I dragged it onto the ComboFix.exe icon.

When I double-click on ComboFix, it loads for a few seconds and then an icon pops up in the bottom right-hand corner stating: GSAR.cfexe - Corrupt file. The file or directory \WINDOWS\System32\cmd.execf is corrupt and unreadable. Please run the chkdsk utility.

I ran chkdsk from the Run option; after scanning it found lots of faulty files, which it seems it attempted to resolve as it went along. I then tried ComboFix again and the same problem happened, with a pop-up stating the same problem as before. I re-started the laptop (again trying to get it to start in Safe Mode, but it doesn't), tried ComboFix again, and the same problem occurred and nothing happens after that.

What should I do now?
Thanks

Edited by 2yyiam, 31 January 2009 - 10:41 AM.


#8 Thunder

  • Members
  • 3,294 posts
  • Location:Belgium

Posted 31 January 2009 - 07:24 PM

Hello 2yyiam,

By the looks of it, your ComboFix download somehow got corrupted.

Please make sure none of your security programs interfere with either the download or its run.

Greetings,
Thunder

#9 2yyiam

  • Topic Starter
  • Members
  • 59 posts

Posted 01 February 2009 - 08:06 AM

I've re-downloaded ComboFix on my computer with all security settings off. I then dragged the WRC file onto it and then transferred it to my laptop.

I've tried the scan again (with all the security off) and the same problem occurs. These pop-ups of corrupted files first appeared when I ran the ComboFix the first time.

Is it not possible to work with the first scan I did? Or have I done some irreversible damage?

Thanks

#10 Thunder

  • Members
  • 3,294 posts
  • Location:Belgium

Posted 02 February 2009 - 07:16 AM

Hello 2yyiam,

There can be a number of reasons why ComboFix can't run properly.

I'd like to suggest you try running a renamed version of ComboFix, in Safe Mode:
Boot into Safe Mode:
Restart your computer and tap F8 before WinXP starts to load and choose Safe Mode.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

Then, download a fresh copy of ComboFix on another system, rename it (to Myriam.exe, for instance),
transfer it to your laptop and try running it. (make sure your security programs are temporarily disabled at that time !)

Greetings,
Thunder

#11 2yyiam

  • Topic Starter
  • Members
  • 59 posts

Posted 02 February 2009 - 08:09 AM

As mentioned previously, for some reason the laptop won't start in Safe Mode. I get to the screen and select Safe Mode, it then takes ages loading and then loads in normal mode.

I'll try the renaming suggestion and get back to you...

Thanks

#12 Thunder

  • Members
  • 3,294 posts
  • Location:Belgium

Posted 02 February 2009 - 08:34 AM

Hello 2yyiam,

Try this first :
Download SafeBootKeyRepair.exe by sUBs and save it to your Desktop.

Double-click SafeBootKeyRepair.exe to run it.
Follow any prompts that may appear then post the log it produces.
Reboot your system and check if you can boot in safe mode now.

Greetings,
Thunder
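ComboFix flagged this problem earlier in the thread ("SafeBoot registry key needs repairs") by listing what was left of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal: eight entries instead of the full set of driver groups, services and device-class GUIDs that Safe Mode needs. The tool Thunder recommends rebuilds the key; the Python script below is an added example, not code from this thread or from sUBs' SafeBootKeyRepair, for checking the result (or a suspect machine) yourself. It parses .reg exports in either REGEDIT4 or "Windows Registry Editor Version 5.00" format and reports which subkeys of a SafeBoot profile are missing, extra or changed relative to a baseline export. The "current" sample is the stripped key exactly as ComboFix listed it, plus one constructed third-party entry (mcmscsvc, which does appear in the repaired export posted later in the thread) so the extra-entry report has something to show; the baseline is a trimmed subset of that repaired export, which the example assumes to be a known-good reference. On a live XP machine the current export would come from `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg`.

```python
"""Compare a SafeBoot registry export against a known-good one (added example)."""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
SAFEBOOT = "hkey_local_machine\\system\\currentcontrolset\\control\\safeboot\\"


def parse_reg(text):
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' text into
    {key path (lower-cased): {value name: raw data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()      # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys


def safeboot_entries(text, profile="Minimal"):
    """Return {subkey: default value} for one SafeBoot profile (Minimal or Network)."""
    prefix = SAFEBOOT + profile.lower() + "\\"
    entries = {}
    for key, values in parse_reg(text).items():
        rest = key[len(prefix):]
        if key.startswith(prefix) and "\\" not in rest:     # direct children only
            entries[rest] = values.get("@", '""').strip('"')
    return entries


def compare(current_text, baseline_text, profile="Minimal"):
    """(missing, extra, changed) subkey lists for the given SafeBoot profile."""
    cur = safeboot_entries(current_text, profile)
    base = safeboot_entries(baseline_text, profile)
    missing = sorted(set(base) - set(cur))
    extra = sorted(set(cur) - set(base))
    changed = sorted(k for k in set(cur) & set(base) if cur[k] != base[k])
    return missing, extra, changed


# Current state as ComboFix listed it in this thread (REGEDIT4 format), plus one
# constructed third-party entry so the 'extra' report has something to show.
CURRENT_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
"""

# Known-good baseline: a trimmed subset of the repaired export posted later in
# this thread, rendered in 5.00 format (assumed to be a valid reference).
_BASELINE_ENTRIES = [
    ("AppMgmt", "Service"), ("Base", "Driver Group"), ("Boot Bus Extender", "Driver Group"),
    ("Boot file system", "Driver Group"), ("CryptSvc", "Service"), ("EventLog", "Service"),
    ("File system", "Driver Group"), ("vgasave.sys", "Driver"),
    ("{4D36E967-E325-11CE-BFC1-08002BE10318}", "DiskDrive"),
    ("{4D36E96A-E325-11CE-BFC1-08002BE10318}", "Hdc"),
    ("{4D36E96B-E325-11CE-BFC1-08002BE10318}", "Keyboard"),
    ("{4D36E96F-E325-11CE-BFC1-08002BE10318}", "Mouse"),
    ("{4D36E97D-E325-11CE-BFC1-08002BE10318}", "System"),
    ("{71A27CDD-812A-11D0-BEC7-08002BE2092F}", "Volume"),
]
BASELINE_EXPORT = "Windows Registry Editor Version 5.00\n\n" + "".join(
    f"[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\safeboot\\Minimal\\{n}]\n@=\"{v}\"\n\n"
    for n, v in _BASELINE_ENTRIES)


if __name__ == "__main__":
    missing, extra, changed = compare(CURRENT_EXPORT, BASELINE_EXPORT)
    print("missing:", missing)
    print("extra:  ", extra)
    print("changed:", changed)
```

Key names are lower-cased before comparison because the two exports on this page differ only in case (SYSTEM\CurrentControlSet versus system\currentcontrolset), and registry key names are case-insensitive anyway. The same function with `profile="Network"` audits the Safe Mode with Networking profile.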

#13 2yyiam

  • Topic Starter
  • Members
  • 59 posts

Posted 02 February 2009 - 08:57 AM

Here's the log from the SafeBootKeyRepair.exe program:

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\MCODS]
@=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\MpfService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mcmscsvc

I've rebooted and tried to get into Safe Mode... and still no luck. It takes ages as lots of filenames come on the screen and then the laptop re-starts itself.

Does the log show anything?
Thanks

#14 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:10:02 PM

Posted 02 February 2009 - 09:57 AM

Hello 2yyiam,

Open Notepad and copy and paste the bold, blue text below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):36,74,6f,34,00,41,70,70,4d,67,6d,74,00,41,75,64,69,6f,53,72,\
76,00,42,72,6f,77,73,65,72,00,43,72,79,70,74,53,76,63,00,44,4d,53,65,72,76,\
65,72,00,44,48,43,50,00,45,52,53,76,63,00,45,76,65,6e,74,53,79,73,74,65,6d,\
00,46,61,73,74,55,73,65,72,53,77,69,74,63,68,69,6e,67,43,6f,6d,70,61,74,69,\
62,69,6c,69,74,79,00,48,69,64,53,65,72,76,00,49,61,73,00,49,70,72,69,70,00,\
49,72,6d,6f,6e,00,4c,61,6e,6d,61,6e,53,65,72,76,65,72,00,4c,61,6e,6d,61,6e,\
57,6f,72,6b,73,74,61,74,69,6f,6e,00,4d,65,73,73,65,6e,67,65,72,00,4e,65,74,\
6d,61,6e,00,4e,6c,61,00,4e,74,6d,73,73,76,63,00,4e,57,43,57,6f,72,6b,73,74,\
61,74,69,6f,6e,00,4e,77,73,61,70,61,67,65,6e,74,00,52,61,73,61,75,74,6f,00,\
52,61,73,6d,61,6e,00,52,65,6d,6f,74,65,61,63,63,65,73,73,00,53,63,68,65,64,\
75,6c,65,00,53,65,63,6c,6f,67,6f,6e,00,53,45,4e,53,00,53,68,61,72,65,64,61,\
63,63,65,73,73,00,53,52,53,65,72,76,69,63,65,00,54,61,70,69,73,72,76,00,54,\
68,65,6d,65,73,00,54,72,6b,57,6b,73,00,57,33,32,54,69,6d,65,00,57,5a,43,53,\
56,43,00,57,6d,69,00,57,6d,64,6d,50,6d,53,70,00,77,69,6e,6d,67,6d,74,00,77,\
73,63,73,76,63,00,78,6d,6c,70,72,6f,76,00,42,49,54,53,00,77,75,61,75,73,65,\
72,76,00,53,68,65,6c,6c,48,57,44,65,74,65,63,74,69,6f,6e,00,68,65,6c,70,73,\
76,63,00,57,6d,64,6d,50,6d,53,4e,00,6e,61,70,61,67,65,6e,74,00,68,6b,6d,73,\
76,63,00,4d,48,4e,00,00

Save this as fix.reg. Choose to save as "all files" and place it on your Desktop.
It should look like this: [screenshot]
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)
Restart your PC.

Did you try running the renamed ComboFix yet?

If that still won't work, try updating MBAM first and run another scan.
Then see if you can get ComboFix going.

Greetings,
Thunder

#15 2yyiam

2yyiam
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:08:02 PM

Posted 02 February 2009 - 06:54 PM

No luck I'm afraid.

I created the fix.reg file on my computer, transferred it to the laptop and ran it. After running it I attempted to run ComboFix, but same problem as before. I then tried to re-start in Safe Mode - again it wouldn't - and then ran ComboFix again.

I've run MBAM again - I can't update it as I can't connect to the internet - and the log is below if that is of any use! I re-booted the laptop as advised by MBAM, but no change!

What now? Are we getting to a dire stage?

Thanks

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

2009-02-02 23:53:20
mbam-log-2009-02-02 (23-53-20).txt

Scan type: Quick Scan
Objects scanned: 53757
Time elapsed: 2 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dhlp (Rogue.Multiple) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.72,85.255.112.212 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ecf4da1b-4cae-4dbf-9a79-a1854c1c43d0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.72,85.255.112.212 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.72,85.255.112.212 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{ecf4da1b-4cae-4dbf-9a79-a1854c1c43d0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.72,85.255.112.212 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.72,85.255.112.212 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{ecf4da1b-4cae-4dbf-9a79-a1854c1c43d0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.72,85.255.112.212 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.72,85.255.112.212 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{ecf4da1b-4cae-4dbf-9a79-a1854c1c43d0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.72,85.255.112.212 -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
