used Combofix - PC seriously messed up now


This topic is locked
43 replies to this topic

#1 bill713 (Members, 23 posts)

Posted 03 June 2010 - 05:14 AM

Hello. My 32-bit Vista PC was infected with the search-redirect virus. I installed/ran ComboFix. It found a rootkit and prompted me to reboot. It then proceeded to delete approx 50 entries and now my PC is seriously messed up... bad.
ComboFix deleted ALL my docs, programs, files, games, shortcuts etc.... Windows is totally screwed up and looks like a very early version or (almost) in safe mode. My PC seems fried. I did a system restore but it did not work.
Please tell me if there is any way to restore the files and programs ComboFix erased, or if I can do anything.
Yeah, I know, I know. I realize now, after researching more, that I've just now read all the warnings. I shouldn't have used ComboFix without your supervision, but I heard soooo many good things about it.
Thanks for any help!

#2 rigel (FD-BC, Members, 12,944 posts, South Carolina - USA)

Posted 03 June 2010 - 09:27 AM

Hi Bill,

I will pass word to our MRT team. Someone will be around soon.


#3 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,575 posts, Romania)

Posted 03 June 2010 - 10:58 AM

Hello there,

That's not nice to hear.

The good news is that ComboFix has a few built-in safeguards that allow us to restore things. However, first of all I need to see exactly what damage was done. I will move this topic to a more appropriate place.

Please download OTLPE (file size 120.9 MB)
  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved as C:\OTL.txt
  • Copy this file to your USB drive if you do not have an internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#4 bill713 (Topic Starter, Members, 23 posts)

Posted 03 June 2010 - 02:07 PM

Thank you for helping me with this!
When I double-click OTLPE it brings up a box to browse for folders. I tried choosing several, including C:, All Users, etc., but it keeps giving me the RunScanner error "No Windows installations found" or the message "Target is not for Windows 2000 or later".

#5 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,575 posts, Romania)

Posted 03 June 2010 - 03:07 PM

You need to select your Windows folder there.

regards, Elise


#6 bill713 (Topic Starter, Members, 23 posts)

Posted 03 June 2010 - 03:33 PM

That worked! I really appreciate this. Here's the scan file:

OTL logfile created on: 6/3/2010 5:26:21 PM - Run
OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
Windows Vista ™ Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 88.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 916.46 Gb Total Space | 713.00 Gb Free Space | 77.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 15.00 Gb Total Space | 5.02 Gb Free Space | 33.50% Space Free | Partition Type: NTFS
Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (Stereo Service)
SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/02/25 19:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe -- (NIS)
SRV - [2009/09/24 21:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2008/01/19 03:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2004/10/22 04:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand] -- C:\Program Files\Roxio\Roxio MyDVD Premier\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System] -- -- (OMCI)
DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand] -- -- (NAVEX15)
DRV - File not found [Kernel | On_Demand] -- -- (NAVENG)
DRV - File not found [Kernel | Auto] -- -- (MCSTRM)
DRV - File not found [Kernel | On_Demand] -- -- (IpInIp)
DRV - [2010/04/29 13:44:04 | 000,537,136 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100429.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/03/16 02:51:59 | 011,573,768 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/02/28 20:05:12 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/02/26 22:23:54 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Windows\system32\drivers\NIS\1106000.020\Ironx86.SYS -- (SymIRON)
DRV - [2010/02/26 22:23:21 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | System] -- C:\Windows\System32\Drivers\NIS\1106000.020\SRTSP.SYS -- (SRTSP)
DRV - [2010/02/26 22:23:21 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Windows\system32\drivers\NIS\1106000.020\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/25 19:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Windows\system32\drivers\NIS\1106000.020\ccHPx86.sys -- (ccHP)
DRV - [2010/02/03 21:40:52 | 000,340,016 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Windows\System32\Drivers\NIS\1106000.020\SYMTDIV.SYS -- (SYMTDIv)
DRV - [2010/02/03 21:40:50 | 000,172,592 | ---- | M] (Symantec Corporation) [File_System | Boot] -- C:\Windows\System32\drivers\NIS\1106000.020\symefa.sys -- (SymEFA)
DRV - [2009/10/28 18:37:22 | 000,343,088 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100505.001\IDSvix86.sys -- (IDSVix86)
DRV - [2009/08/29 20:17:18 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\NIS\1106000.020\symds.sys -- (SymDS)
DRV - [2009/08/29 05:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/04/11 02:32:49 | 000,527,848 | ---- | M] () [Kernel | Boot] -- C:\Windows\System32\drivers\ndis.sys -- (NDIS)
DRV - [2009/04/11 00:42:52 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2008/01/19 03:42:51 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\iaStorV.sys -- (iaStorV)
DRV - [2007/04/13 14:22:56 | 000,228,224 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2007/02/21 15:49:47 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2007/02/21 15:49:47 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2007/02/21 15:49:47 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/01/06 01:59:42 | 000,035,920 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2007/01/06 01:59:34 | 000,086,096 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid) NVIDIA nForce™
DRV - [2006/11/02 05:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 05:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 05:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 05:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 05:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 05:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 05:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 05:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 05:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 05:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 05:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 05:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 05:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 05:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 05:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 05:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 05:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 04:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 04:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 04:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 03:41:53 | 000,251,904 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2)
DRV - [2006/11/02 03:41:50 | 000,987,648 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\VSTDPV3.SYS -- (VST_DPV)
DRV - [2006/11/02 03:41:48 | 000,654,336 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\VSTCNXT3.SYS -- (winachsf)
DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 03:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CF CA 8B 6D 9E 02 CB 01 [binary data]
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\Freitas_ON_C\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.thebostonchannel.com/ [binary data]
IE - HKU\Freitas_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
IE - HKU\Freitas_ON_C\Software\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\Freitas_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Freitas_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local




========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.5

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\ [2010/06/02 17:51:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\ [2010/06/02 17:51:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/27 17:31:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/27 17:31:08 | 000,000,000 | ---D | M]

[2010/03/01 09:06:23 | 000,000,000 | ---D | M] -- C:\Users\Freitas\AppData\Roaming\Mozilla\Extensions
[2010/03/01 09:06:25 | 000,000,000 | ---D | M] -- C:\Users\Freitas\AppData\Roaming\Mozilla\Firefox\Profiles\n92cvqun.default\extensions
[2010/03/01 09:06:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Freitas\AppData\Roaming\Mozilla\Firefox\Profiles\n92cvqun.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/01 09:06:25 | 000,000,000 | ---D | M] -- C:\Users\Freitas\AppData\Roaming\Mozilla\Firefox\Profiles\n92cvqun.default\extensions\staged-xpis
[2010/06/02 17:31:43 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/04/01 06:07:13 | 000,002,829 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 80.67.5.84 www.fpscheats.com
O1 - Hosts: 80.67.5.84 fpscheats.com
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ipsbho.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coieplg.dll (Symantec Corporation)
O3 - HKU\Freitas_ON_C\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [qqrrxylx] C:\Windows\System32\config\systemprofile\AppData\Local\pvauprpxx\uxlwlectssd.exe ()
O4 - HKU\Freitas_ON_C..\Run: [EPSON Stylus CX6000 Series] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\Freitas_ON_C..\Run: [EPSON Stylus CX6000 Series (Copy 1)] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE (SEIKO EPSON CORPORATION)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://toad4.inkfrog.com/scripts/ImageUploader5.cab (Image Uploader Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.243.0.12
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Public\Pictures\Sample Pictures\Dock.jpg
O24 - Desktop BackupWallPaper: C:\Users\Public\Pictures\Sample Pictures\Dock.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{94eea3c7-24cc-11df-9b9f-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{94eea3c7-24cc-11df-9b9f-806e6f6e6963}\Shell\AutoRun\command - "" = E:\tcauto.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/03 14:15:29 | 126,850,486 | ---- | C] (Igor Pavlov) -- C:\Windows\system32\config\systemprofile\Desktop\OTLPENet.exe
[2010/06/02 18:43:22 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/06/02 18:42:15 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/06/02 18:38:57 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/06/02 18:38:57 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/06/02 18:38:51 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/06/02 18:19:51 | 000,000,000 | ---D | C] -- C:\Windows\System32\%LOCALAPPDATA%
[2010/06/02 18:16:03 | 000,000,000 | ---D | C] -- C:\Users\Freitas\AppData\Roaming\SystemProc
[2010/06/02 18:00:23 | 000,000,000 | ---D | C] -- C:\Windows\System32\config\systemprofile\AppData\Local\pvauprpxx
[2010/06/02 17:59:55 | 000,000,000 | -HSD | C] -- C:\Windows\system32\config\systemprofile\Desktop\%APPDATA%
[2010/06/02 17:35:52 | 000,000,000 | ---D | C] -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Apple Computer
[2010/06/02 17:35:31 | 000,000,000 | ---D | C] -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Identities
[2010/06/02 17:35:28 | 000,000,000 | ---D | C] -- C:\Windows\System32\config\systemprofile\AppData\Local\Temp
[2010/06/02 17:32:08 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/06/02 17:32:08 | 000,000,000 | ---D | C] -- C:\Users\Freitas\AppData\Local\temp
[2010/06/02 17:10:55 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/26 05:29:44 | 000,000,000 | ---D | C] -- C:\Users\Freitas\Desktop\New Folder
[2010/05/25 19:18:13 | 000,000,000 | ---D | C] -- C:\Users\Freitas\AppData\Local\CrashDumps
[2010/05/25 05:00:04 | 000,000,000 | ---D | C] -- C:\Users\Freitas\AppData\Roaming\Tropico 3
[2010/05/24 17:46:40 | 000,000,000 | ---D | C] -- C:\Program Files\Steam
[2010/05/18 22:57:59 | 000,000,000 | ---D | C] -- C:\Avenger
[2010/05/17 18:47:42 | 000,000,000 | ---D | C] -- C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps
[2010/05/14 03:33:11 | 000,000,000 | ---D | C] -- C:\Windows\System32\config\systemprofile\AppData\Local\Adobe
[2010/05/13 15:39:18 | 000,000,000 | ---D | C] -- C:\Users\Freitas\AppData\Roaming\GlarySoft
[2010/05/13 07:02:22 | 000,000,000 | ---D | C] -- C:\Users\Freitas\AppData\Local\Symantec
[2010/05/13 06:49:39 | 000,000,000 | ---D | C] -- C:\Users\Freitas\AppData\Local\Threat Expert
[2010/05/13 06:32:55 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/05/13 06:32:55 | 000,000,000 | ---D | C] -- C:\Users\Freitas\AppData\Roaming\PC Tools
[2010/05/13 06:32:55 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/05/13 05:07:14 | 000,000,000 | ---D | C] -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia
[2010/05/13 05:07:11 | 000,000,000 | ---D | C] -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Adobe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/03 14:46:12 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/06/03 14:46:11 | 000,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/06/03 14:46:11 | 000,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/06/03 14:46:10 | 001,942,385 | -H-- | M] () -- C:\Windows\system32\config\systemprofile\AppData\Local\IconCache.db
[2010/06/03 14:15:29 | 126,850,486 | ---- | M] (Igor Pavlov) -- C:\Windows\system32\config\systemprofile\Desktop\OTLPENet.exe
[2010/06/02 20:06:26 | 000,000,104 | ---- | M] () -- C:\Windows\system32\config\systemprofile\Desktop\Internet - Shortcut.lnk
[2010/06/02 19:58:47 | 000,000,376 | ---- | M] () -- C:\Windows\ODBC.INI
[2010/06/02 18:41:29 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/06/02 18:41:29 | 000,595,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/06/02 18:41:29 | 000,101,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/06/02 18:36:44 | 003,702,549 | R--- | M] () -- C:\Windows\system32\config\systemprofile\Desktop\ComboFix.exe
[2010/06/02 18:18:14 | 3487,481,856 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/02 18:14:45 | 000,660,480 | ---- | M] () -- C:\Windows\system32\config\systemprofile\Desktop\CFDQ-UsrPrf.exe
[2010/06/02 17:53:15 | 000,410,128 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/06/02 17:35:44 | 000,116,272 | ---- | M] () -- C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/05/30 17:31:10 | 000,870,128 | ---- | M] () -- C:\Users\Freitas\AppData\Roaming\mcs.rma
[2010/05/30 17:31:10 | 000,000,004 | ---- | M] () -- C:\Users\Freitas\AppData\Roaming\AE6264
[2010/05/27 17:55:28 | 003,595,582 | -H-- | M] () -- C:\Users\Freitas\AppData\Local\IconCache.db
[2010/05/14 19:08:22 | 000,266,030 | ---- | M] () -- C:\Users\Freitas\Documents\PassportApplicationComplete[1].pdf
[2010/05/13 06:44:33 | 000,001,356 | ---- | M] () -- C:\Users\Freitas\AppData\Local\d3d9caps.dat
[2010/05/12 18:14:09 | 000,039,424 | ---- | M] () -- C:\Users\Freitas\Desktop\RESUME (for Word 97-03).doc
[2010/05/12 18:08:22 | 000,026,624 | ---- | M] () -- C:\Users\Freitas\Desktop\cover letter.doc
[2010/05/11 01:40:29 | 001,767,366 | ---- | M] () -- C:\Windows\System32\drivers\NIS\1106000.020\Cat.DB
[2010/05/10 14:29:54 | 000,000,422 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{C01BB0DD-E653-46D2-8F49-904D51F018CC}.job
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/02 20:06:26 | 000,000,104 | ---- | C] () -- C:\Windows\system32\config\systemprofile\Desktop\Internet - Shortcut.lnk
[2010/06/02 18:38:57 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/06/02 18:38:57 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/06/02 18:38:57 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/06/02 18:38:57 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/06/02 18:38:57 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/06/02 18:36:43 | 003,702,549 | R--- | C] () -- C:\Windows\system32\config\systemprofile\Desktop\ComboFix.exe
[2010/06/02 18:18:13 | 3487,481,856 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/02 18:14:45 | 000,660,480 | ---- | C] () -- C:\Windows\system32\config\systemprofile\Desktop\CFDQ-UsrPrf.exe
[2010/05/14 19:08:22 | 000,266,030 | ---- | C] () -- C:\Users\Freitas\Documents\PassportApplicationComplete[1].pdf
[2010/05/12 18:08:22 | 000,026,624 | ---- | C] () -- C:\Users\Freitas\Desktop\cover letter.doc
[2010/05/12 17:37:18 | 000,039,424 | ---- | C] () -- C:\Users\Freitas\Desktop\RESUME (for Word 97-03).doc
[2010/03/30 16:13:22 | 000,000,004 | ---- | C] () -- C:\Users\Freitas\AppData\Roaming\AE6264
[2010/03/30 16:13:21 | 000,870,128 | ---- | C] () -- C:\Users\Freitas\AppData\Roaming\mcs.rma
[2010/03/24 13:38:53 | 000,139,128 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/03/24 13:38:53 | 000,138,056 | ---- | C] () -- C:\Users\Freitas\AppData\Roaming\PnkBstrK.sys
[2010/03/05 08:32:17 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2010/03/01 19:26:10 | 000,005,120 | ---- | C] () -- C:\Users\Freitas\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/01 17:06:05 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2010/03/01 17:05:58 | 000,527,848 | ---- | C] () -- C:\Windows\System32\drivers\ndis.sys
[2010/02/28 23:02:35 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2010/02/28 18:12:15 | 000,001,356 | ---- | C] () -- C:\Users\Freitas\AppData\Local\d3d9caps.dat
[2006/11/02 09:02:10 | 000,001,356 | ---- | C] () -- C:\Windows\System32\config\systemprofile\AppData\Local\d3d9caps.dat
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/04/17 19:47:45 | 000,000,000 | ---D | M] -- C:\Users\Freitas\AppData\Roaming\EPSON
[2010/05/13 15:39:18 | 000,000,000 | ---D | M] -- C:\Users\Freitas\AppData\Roaming\GlarySoft
[2010/06/02 17:51:35 | 000,000,000 | ---D | M] -- C:\Users\Freitas\AppData\Roaming\IrfanView
[2010/03/29 23:50:10 | 000,000,000 | ---D | M] -- C:\Users\Freitas\AppData\Roaming\ISIS Drivers
[2010/06/02 18:16:03 | 000,000,000 | ---D | M] -- C:\Users\Freitas\AppData\Roaming\SystemProc
[2010/04/06 23:41:23 | 000,000,000 | ---D | M] -- C:\Users\Freitas\AppData\Roaming\TaxCut
[2010/04/01 05:30:35 | 000,000,000 | ---D | M] -- C:\Users\Freitas\AppData\Roaming\Tific
[2010/04/02 15:09:04 | 000,000,000 | ---D | M] -- C:\Users\Freitas\AppData\Roaming\ToolkitCMA
[2010/05/26 07:16:46 | 000,000,000 | ---D | M] -- C:\Users\Freitas\AppData\Roaming\Tropico 3
[2010/04/27 19:32:52 | 000,010,462 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/05/10 14:29:54 | 000,000,422 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{C01BB0DD-E653-46D2-8F49-904D51F018CC}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\Freitas\Documents\Slideshowtarasbday.dmss:Roxio EMC Stream
< End of report >


#7 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,575 posts
  • Gender:Female
  • Location:Romania

Posted 04 June 2010 - 03:03 AM

Hi, I really don't believe Combofix deleted your data.

It looks more like a rootkit removal that hasn't completed successfully.

First of all we need to find a replacement copy for the infected driver.

Please rerun OTLPE and copy/paste the text in the codebox below into the "run scan/fix" field. Then click the NONE button and after that the Run Scan button. Post me the resulting log.
CODE
/md5start
ndis.sys
/md5stop

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#8 bill713 (Topic Starter)

  • Members
  • 23 posts

Posted 04 June 2010 - 01:05 PM

Elise, Thank you -- thank you -- thank you. Here's the second scan results:

OTL logfile created on: 6/4/2010 2:58:53 PM - Run
OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
Windows Vista ™ Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 85.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 916.46 Gb Total Space | 713.00 Gb Free Space | 77.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 15.00 Gb Total Space | 5.02 Gb Free Space | 33.50% Space Free | Partition Type: NTFS
Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Custom Scans ==========





#9 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,575 posts
  • Gender:Female
  • Location:Romania

Posted 04 June 2010 - 01:30 PM

Did you copy/paste the whole log? It doesn't look like it (I don't see the <end of report> section).

regards, Elise




#10 bill713 (Topic Starter)

  • Members
  • 23 posts

Posted 04 June 2010 - 01:57 PM

Ugh... sorry. Here it is:


3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 85.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 916.46 Gb Total Space | 713.00 Gb Free Space | 77.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 15.00 Gb Total Space | 5.02 Gb Free Space | 33.50% Space Free | Partition Type: NTFS
Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Custom Scans ==========



< MD5 for: NDIS.SYS >
[2006/11/02 05:51:42 | 000,500,840 | ---- | M] (Microsoft Corporation) MD5=227C11E1E7CF6EF8AFB2A238D209760C -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6000.16386_none_a59069cb1f23fc44\ndis.sys
[2008/01/19 03:43:31 | 000,529,464 | ---- | M] (Microsoft Corporation) MD5=9BDC71790FA08F0A0B5F10462B1BD0B1 -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6001.18000_none_a7c72bc71c0f0d18\ndis.sys
[2009/04/11 02:32:49 | 000,527,848 | ---- | M] () MD5=C3175F4404E82CCFF18AAF586A5F516F -- C:\Windows\System32\drivers\ndis.sys
[2009/04/11 02:32:49 | 000,527,848 | ---- | M] () MD5=C3175F4404E82CCFF18AAF586A5F516F -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6002.18005_none_a9b2a4d31930d864\ndis.sys
< End of report >
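The MD5 block above is read the same way a responder reads any servicing-store comparison: the copy actually loaded from System32\drivers shows a blank publisher (OTL could not read a company name from its version resource) and its hash matches none of the WinSxS copies that do carry one, while the 6.0.6002.18005 store copy shares that same hash and blank publisher and is therefore just as suspect. The Python below, an added example that is not part of the thread or of OTL, parses the block verbatim, applies those two checks, and picks the newest WinSxS copy that still looks trustworthy. It is a heuristic only: OTL reports the version-resource company name, not an Authenticode result, so the pick should be confirmed with a signature check (sigcheck, signtool) on the real system.

```python
"""Triage an OTL "< MD5 for: ... >" block: identify the live driver, decide
whether it can be trusted, and pick the newest trusted WinSxS copy as the
replacement. Heuristic only: OTL reports the company name from the file's
version resource, not an Authenticode check."""
import re
from typing import Dict, List, Optional

# Verbatim copy of the ndis.sys MD5 block from the OTLPE log posted above.
LOG = r"""
< MD5 for: NDIS.SYS >
[2006/11/02 05:51:42 | 000,500,840 | ---- | M] (Microsoft Corporation) MD5=227C11E1E7CF6EF8AFB2A238D209760C -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6000.16386_none_a59069cb1f23fc44\ndis.sys
[2008/01/19 03:43:31 | 000,529,464 | ---- | M] (Microsoft Corporation) MD5=9BDC71790FA08F0A0B5F10462B1BD0B1 -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6001.18000_none_a7c72bc71c0f0d18\ndis.sys
[2009/04/11 02:32:49 | 000,527,848 | ---- | M] () MD5=C3175F4404E82CCFF18AAF586A5F516F -- C:\Windows\System32\drivers\ndis.sys
[2009/04/11 02:32:49 | 000,527,848 | ---- | M] () MD5=C3175F4404E82CCFF18AAF586A5F516F -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6002.18005_none_a9b2a4d31930d864\ndis.sys
< End of report >
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[^|]+?) \| (?P<kind>[A-Z])\] "
    r"\((?P<pub>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)
# WinSxS component directories embed the file version, e.g. _6.0.6001.18000_
VERSION_RE = re.compile(r"_(\d+)\.(\d+)\.(\d+)\.(\d+)_")


def parse_md5_block(text: str) -> List[Dict]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"].replace(",", ""))
        e["md5"] = e["md5"].upper()
        vm = VERSION_RE.search(e["path"])
        e["version"] = tuple(int(x) for x in vm.groups()) if vm else None
        low = e["path"].lower()
        e["in_winsxs"] = "\\winsxs\\" in low
        e["live"] = "\\system32\\drivers\\" in low
        entries.append(e)
    return entries


def assess(text: str) -> Dict:
    entries = parse_md5_block(text)
    live = next((e for e in entries if e["live"]), None)
    if live is None:
        raise ValueError("block contains no copy under System32\\drivers")
    trusted_hashes = {e["md5"] for e in entries if e["in_winsxs"] and e["pub"]}
    reasons = []
    # A Microsoft driver whose version resource cannot be read (blank publisher)
    # is the usual tell of a file that was patched in place.
    if live["pub"] == "":
        reasons.append("no publisher in version info")
    if live["md5"] not in trusted_hashes:
        reasons.append("hash matches no WinSxS copy that carries a publisher")
    # Copies sharing the live file's hash are equally suspect: an infector that
    # also patches the servicing-store copy survives a naive repair.
    same_hash = [e for e in entries if e is not live and e["md5"] == live["md5"]]
    candidates = [e for e in entries
                  if e["in_winsxs"] and e["pub"] and e["md5"] != live["md5"]]
    candidates.sort(key=lambda e: e["version"] or (0, 0, 0, 0), reverse=True)
    return {
        "live": live,
        "reasons": reasons,
        "live_untrusted": bool(reasons),
        "same_hash_as_live": same_hash,
        "replacement": candidates[0] if candidates else None,
    }


def otl_replace_line(report: Dict) -> Optional[str]:
    """Render the OTL ':files' directive that swaps the live file for the pick."""
    if not report["live_untrusted"] or report["replacement"] is None:
        return None
    return f"{report['live']['path']}|{report['replacement']['path']} /replace"


if __name__ == "__main__":
    rep = assess(LOG)
    print("live:", rep["live"]["path"], rep["live"]["md5"])
    for r in rep["reasons"]:
        print("  -", r)
    for e in rep["same_hash_as_live"]:
        print("  same hash:", e["path"])
    print("replacement:", rep["replacement"]["path"] if rep["replacement"] else None)
    print(otl_replace_line(rep))
```

Run stand-alone, the script prints the same `src|dst /replace` line that the fix in this thread uses. Note what the choice implies: the 6.0.6002.18005 store copy is disqualified because it shares the live file's hash and blank publisher, so the pick falls back to the SP1 build (6.0.6001) on what the log header shows is an SP2 (6.0.6002) install. A build mismatch in a core driver is worth checking first if the system still misbehaves after the swap; a copy taken from SP2 install media or from an identical, known-clean machine is the better source when one is available.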

#11 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,575 posts
  • Gender:Female
  • Location:Romania

Posted 04 June 2010 - 02:27 PM

Hello again,

Please copy/paste the following text into OTLPE's "custom scan/fix" field and click the Run Fix button. Let me know if you can boot normally now.

CODE
:files
C:\Windows\System32\drivers\ndis.sys|C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6001.18000_none_a7c72bc71c0f0d18\ndis.sys /replace

:otl
O4 - HKU\.DEFAULT..\Run: [qqrrxylx] C:\Windows\System32\config\systemprofile\AppData\Local\pvauprpxx\uxlwlectssd.exe ()

:commands
[emptytemp]
[resethosts]

regards, Elise


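The O4 entry removed by the fix above has the traits a responder learns to spot in any autoruns listing: it lives in HKU\.DEFAULT (so it runs in the SYSTEM / logon-screen context rather than a user's), its binary sits under the SYSTEM profile's AppData, the file carries no publisher, and both the value name and the file name look like keyboard mash. The Python below is an added example, not part of the thread or of OTL, that scores OTL O4 lines on exactly those traits. The first sample line is the entry from the fix; the other two are constructed benign entries for contrast and do not come from the original log.

```python
"""Score OTL O4 (Run-key) lines for traits typical of a malware autostart:
an entry in HKU\\.DEFAULT, a binary under the SYSTEM profile's AppData,
no publisher in the version info, and random-looking names."""
import re
from typing import Dict, List

O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?) \((?P<pub>[^)]*)\)$"
)
VOWELS = set("aeiouy")

# Line 1 is the entry from the OTLPE fix above; lines 2 and 3 are constructed
# benign entries for contrast and do not come from the original log.
SAMPLE = r"""
O4 - HKU\.DEFAULT..\Run: [qqrrxylx] C:\Windows\System32\config\systemprofile\AppData\Local\pvauprpxx\uxlwlectssd.exe ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
"""


def looks_random(token: str) -> bool:
    """Crude keyboard-mash detector: real names are roughly 40% vowels."""
    letters = re.sub(r"[^a-z]", "", token.lower())
    if len(letters) < 6:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.25


def score_o4(line: str) -> Dict:
    m = O4_RE.match(line.strip())
    if not m:
        return {}
    e = m.groupdict()
    reasons = []
    if e["hive"].upper().startswith("HKU\\.DEFAULT"):
        reasons.append("runs from HKU\\.DEFAULT (logon screen / SYSTEM context)")
    if "\\config\\systemprofile\\" in e["path"].lower():
        reasons.append("binary lives under the SYSTEM profile's AppData")
    if e["pub"] == "":
        reasons.append("no publisher in version info")
    stem = re.sub(r"\.exe$", "", e["path"].rsplit("\\", 1)[-1], flags=re.IGNORECASE)
    if looks_random(e["name"]) or looks_random(stem):
        reasons.append("random-looking value name or file name")
    e["reasons"] = reasons
    # Any two traits together are enough to pull the entry for inspection.
    e["suspicious"] = len(reasons) >= 2
    return e


def triage(text: str) -> List[Dict]:
    return [r for r in (score_o4(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for r in triage(SAMPLE):
        flag = "SUSPECT" if r["suspicious"] else "ok     "
        print(f"{flag} [{r['name']}] {r['path']}")
        for why in r["reasons"]:
            print("         -", why)
```

The vowel-ratio test is deliberately crude; it exists to surface names like qqrrxylx for a human to look at, not to convict on its own, which is why a verdict needs two independent traits. On a live system the same entry should also be checked for the corresponding files and for a service or driver that re-creates it, since a Run value in .DEFAULT that reappears after deletion points at a persistence component the fix has not yet reached.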


#12 bill713 (Topic Starter)

  • Members
  • 23 posts

Posted 04 June 2010 - 02:46 PM

Hi Elise - Didn't work.
Still the same.

#13 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,575 posts
  • Gender:Female
  • Location:Romania

Posted 04 June 2010 - 03:00 PM

Please post me the combofix log. You can find it at c:\combofix.txt

regards, Elise




#14 bill713 (Topic Starter)

  • Members
  • 23 posts

Posted 04 June 2010 - 03:16 PM

Elise,
It's not there. I even did a search.

#15 bill713 (Topic Starter)

  • Members
  • 23 posts

Posted 04 June 2010 - 03:18 PM

Also, after I ran the fix it prompted to restart. Clicked OK and then it hung up for about 30 minutes. So I did a manual restart; it was still messed up the same as before. Rebooted to OTLPE, ran the fix again and it hung up like before.

When I rebooted to Windows, I got the errors "Failed to connect to a windows service" and "Host Process for windows services has stopped working".

Edited by bill713, 04 June 2010 - 03:56 PM.
