
Rootkit-Pakes.AA Infection


This topic is locked
49 replies to this topic

#1 theTHRILL01
  • Members
  • 23 posts

Posted 14 October 2010 - 07:06 AM

I'm having virtually the exact same issues as the individual in this post.

So as not to re-type everything out since it has already been done, I'll cut and paste from his/her post the parts that apply to my situation.

Problems picked up by AVG (free edition):

Rootkit-Pakes.AA
Trojan SpamTool.FYS
Trojan Generic17.BKCS


I often (roughly once every hour or two) get an AVG Resident Shield alert with the following info. The only option in the alert popup is "Ignore".

File name: C:\WINDOWS\system32\drivers\ndis.sys
Threat name: Trojan horse Rootkit-Pakes.AA
Detected on open.
Process Name: C:\WINDOWS\system32\svchost.exe

Every time I run an AVG scan, it finds the same problem (Generic17.BKCS in services.exe and SpamTool.FYS in svchost.exe).

System Info:

Samsung N120 netbook
XP Home SP3
Version 2002

I no longer have the original Windows XP CD; however, I do have the Recovery Console on a USB stick.

I also have a dual boot partition that allows me to access Jolicloud (which is performing fine).

Attached:

GMER log not attached. I tried running GMER on three separate occasions. Twice it froze during the scan and once it crashed to a blue screen during the scan.

DDS.txt


DDS (Ver_10-10-10.03) - NTFSx86
Run by The Crabtrees at 14:38:32.09 on Wed 10/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1220 [GMT 3:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k yksvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\The Crabtrees\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Launchy\Launchy.exe
C:\Documents and Settings\The Crabtrees\Application Data\Dropbox\bin\Dropbox.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Documents and Settings\The Crabtrees\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\The Crabtrees\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\The Crabtrees\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\The Crabtrees\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\The Crabtrees\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\The Crabtrees\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\The Crabtrees\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\The Crabtrees\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\The Crabtrees\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\The Crabtrees\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\The Crabtrees\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = localhost:8118
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [BatteryLifeExtender] c:\program files\samsung\batterylifeextender\BatteryLifeExtender.exe /2
uRun: [Google Update] "c:\documents and settings\the crabtrees\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [OpenDNS Updater] "c:\program files\opendns updater\OpenDNSUpdater.exe" /autostart
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe
StartupFolder: c:\docume~1\thecra~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\the crabtrees\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\thecra~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {1EAC9DEA-75CD-4BAB-A437-A881042B3F9B} = 10.51.40.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ahqvifqe - ahqvifqe.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: fnpipe - fnpipe.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 208.65.153.238 youtube.com
Hosts: 208.65.153.238 www.youtube.com
Hosts: 74.125.43.136 picasaweb.google.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thecra~1\applic~1\mozilla\firefox\profiles\rtdqdshm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - component: c:\documents and settings\the crabtrees\application data\mozilla\firefox\profiles\rtdqdshm.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\the crabtrees\application data\mozilla\firefox\profiles\rtdqdshm.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\the crabtrees\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\the crabtrees\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\the crabtrees\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-23 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-23 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-23 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 67656]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-3-25 14336]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-16 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2010-10-13 67584]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-3-25 4300]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R2 SRS_WOWXT_Service;SRS WOWXT/TSXT Service;c:\program files\srs labs\srs wow xt and tsxt\SRS_PostInstaller.exe [2009-5-19 66792]
R2 yksvc;Marvell Yukon Service;c:\windows\system32\svchost.exe -k yksvcs [2009-3-25 14336]
R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [2010-8-1 20480]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2010-2-23 233512]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-3-25 238464]
S0 sqnskr;sqnskr; [x]
S0 ygilalj;ygilalj;c:\windows\system32\drivers\lddrrr.sys --> c:\windows\system32\drivers\lddrrr.sys [?]
S1 aytdkwtg;aytdkwtg; [x]
S1 bialtisn;bialtisn; [x]
S1 cduvyhjm;cduvyhjm; [x]
S1 dnswtpse;dnswtpse; [x]
S1 ekebownw;ekebownw; [x]
S1 fvfjdqyo;fvfjdqyo; [x]
S1 gvzibyro;gvzibyro; [x]
S1 hbshgqpt;hbshgqpt; [x]
S1 hxbqrgpq;hxbqrgpq; [x]
S1 imwojjjs;imwojjjs; [x]
S1 mblnjmfc;mblnjmfc; [x]
S1 npxflkui;npxflkui; [x]
S1 ojqxhjae;ojqxhjae; [x]
S1 qbwsehmk;qbwsehmk; [x]
S1 rmwumjty;rmwumjty; [x]
S1 taozacvm;taozacvm; [x]
S1 ulvomzcj;ulvomzcj; [x]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; [x]
S2 svxnaycherq;svxnaycherq;\??\c:\windows\temp\sncyph.sys --> c:\windows\temp\sncyph.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [2009-3-25 1684736]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-9-10 430152]
S3 gbridge;Gbridge Virtual Miniport;c:\windows\system32\drivers\gbridge.sys [2009-5-10 41216]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-8-2 19840]

=============== Created Last 30 ================


==================== Find3M ====================

2010-08-15 16:27:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-15 16:27:34 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-16 10:36:16 12536 ----a-w- c:\windows\system32\avgrsstx.dll

============= FINISH: 14:39:48.73 ===============


Thanks in advance for any help you can provide.
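As an added example, not from the original post and not part of DDS or BleepingComputer's own tooling, here is a small Python triage script that runs over lines in the format of the DDS "Pseudo HJT" and "SERVICES / DRIVERS" sections above and flags the patterns a helper looks at first: services registered with no image path (the `[x]` form), image paths listed but not resolvable on disk (the `-->` / `[?]` form, read here as a file DDS could not find), driver binaries living under a temp directory, and Winlogon Notify DLLs listed as bare file names. The sample input is constructed from a few lines copied from the log above plus benign entries; the known-good Notify DLL list, the name heuristic and the severity labels are assumptions an analyst would tune for the machine in front of them.

```python
import re
from typing import Dict, List

# Constructed sample input: a few lines copied from the DDS log in post #1,
# plus benign entries, so the script runs offline without the full log.
SAMPLE_LOG_LINES = [
    r"Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll",
    r"Notify: ahqvifqe - ahqvifqe.dll",
    r"Notify: avgrsstarter - avgrsstx.dll",
    r"Notify: fnpipe - fnpipe.dll",
    r"Notify: igfxcui - igfxdev.dll",
    r"R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-23 216400]",
    r"R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [2010-8-1 20480]",
    r"S0 sqnskr;sqnskr; [x]",
    r"S0 ygilalj;ygilalj;c:\windows\system32\drivers\lddrrr.sys --> c:\windows\system32\drivers\lddrrr.sys [?]",
    r"S1 aytdkwtg;aytdkwtg; [x]",
    r"S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; [x]",
    r"S2 svxnaycherq;svxnaycherq;\??\c:\windows\temp\sncyph.sys --> c:\windows\temp\sncyph.sys [?]",
    r"S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [2009-3-25 1684736]",
]

# Assumption: Winlogon Notify DLLs the analyst has already verified on this
# machine. Any other DLL listed as a bare file name is flagged for review.
KNOWN_NOTIFY_DLLS = {"avgrsstx.dll", "igfxdev.dll"}

# DDS service line: "<start type> <name>;<display name>;<image path and stamp>"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
# DDS Winlogon Notify line: "Notify: <key> - <dll>"
NOTIFY_RE = re.compile(r"^Notify:\s+(?P<key>\S+)\s+-\s+(?P<dll>.+)$")
# Heuristic (assumption): the machine-generated names in this log are a single
# run of lowercase letters, used as both service name and display name.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,12}$")


def _finding(line: str, severity: str, reason: str) -> Dict[str, str]:
    return {"line": line, "severity": severity, "reason": reason}


def triage_line(line: str) -> List[Dict[str, str]]:
    """Return zero or more findings for one DDS service/driver or Notify line."""
    findings: List[Dict[str, str]] = []
    m = SERVICE_RE.match(line)
    if m:
        name, display = m.group("name"), m.group("display")
        image = m.group("image").strip()
        if image == "[x]":
            # No image path at all: either an uninstall leftover or a service
            # whose file has already been removed or hidden.
            if name == display and RANDOM_NAME_RE.match(name):
                findings.append(_finding(line, "high", "service with no image path and a machine-generated name"))
            else:
                findings.append(_finding(line, "low", "service with no image path (often an uninstall leftover; verify)"))
        if "-->" in image and image.endswith("[?]"):
            findings.append(_finding(line, "high", "image path listed but the file could not be resolved on disk"))
        if "\\temp\\" in image.lower():
            findings.append(_finding(line, "high", "service binary located under a temp directory"))
        return findings
    m = NOTIFY_RE.match(line)
    if m:
        dll = m.group("dll").strip()
        # A bare file name resolves through the system search path; only the
        # DLLs already vetted for this machine are left unflagged.
        if "\\" not in dll and dll.lower() not in KNOWN_NOTIFY_DLLS:
            findings.append(_finding(line, "medium", "Winlogon Notify DLL given as a bare file name and not on the known list"))
    return findings


def triage_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run triage_line over every line of a DDS log and collect the findings."""
    out: List[Dict[str, str]] = []
    for line in lines:
        out.extend(triage_line(line.rstrip("\r\n")))
    return out


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG_LINES):
        print(f"[{f['severity']:6}] {f['reason']}")
        print(f"         {f['line']}")
```

The output is triage input, not a verdict: the orphaned random-name services and the temp-directory driver come out high, the two unknown Notify DLLs medium, and an entry such as the McAfee SiteAdvisor one low, so it gets checked rather than acted on. Feeding the full log in (one line per list element) works the same way, since lines that match neither pattern are ignored.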


#2 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 22 October 2010 - 07:26 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 theTHRILL01
  • Topic Starter
  • Members
  • 23 posts

Posted 23 October 2010 - 01:51 AM

Ready when you are.

I should add that since I posted the original message my Network Connections file disappeared. Additionally, in Device Manager -> Network Connections a yellow exclamation mark appears beside each item. Under Device Status I get the following message: Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)

#4 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 23 October 2010 - 09:50 AM

You have been attacked but whatever you use as security has fought back somewhat.

Please run ComboFix so we can remove the wounded drivers and see what's hooked into the svchost process.

Please download ComboFix from one of these locations. IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#5 theTHRILL01
  • Topic Starter
  • Members
  • 23 posts

Posted 23 October 2010 - 10:35 AM

I don't have Recovery Console installed, so ComboFix attempts to install it. However, because I can't access the internet through Windows, I'm unable to download it. ComboFix then displays a message stating that it can't perform a complete scan without first installing the Recovery Console. I have a copy of the Recovery Console on a bootable USB stick, but not physically on my computer. Should I go through with the ComboFix scan?

Please advise what I should do now.

#6 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 23 October 2010 - 03:44 PM

Go ahead with the first scan if it allows it. If not, plug in the USB stick and download the Recovery Console.

#7 theTHRILL01
  • Topic Starter
  • Members
  • 23 posts

Posted 24 October 2010 - 09:10 AM

ComboFix 10-10-22.05 - The Crabtrees 10/24/2010 9:37.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1360 [GMT 3:00]
Running from: c:\documents and settings\The Crabtrees\Desktop\comfix.exe.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\desktop
c:\windows\desktop\EA Hot Titles!.exe
c:\windows\SEC
c:\windows\SEC\DelMt.cmd
c:\windows\SEC\JRE150.exe
c:\windows\SEC\Marker.exe
c:\windows\SEC\MEMIO.sys
c:\windows\SEC\MEMIO.vxd
c:\windows\SEC\MP10ENG.exe
c:\windows\SEC\Region.vbs
c:\windows\SEC\SECINSTALL.EXE
c:\windows\SEC\SECINSTALL.INI
c:\windows\SEC\StartMem.exe
c:\windows\system32\drivers\str.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GOOGLEUPDATEBETA
-------\Legacy_SYNSEND
-------\Service_ndisrd


((((((((((((((((((((((((( Files Created from 2010-09-24 to 2010-10-24 )))))))))))))))))))))))))))))))
.

2010-10-15 20:27 . 2001-08-17 11:07 30688 -c--a-w- c:\windows\system32\dllcache\sym_u3.sys
2010-10-15 20:27 . 2001-08-17 11:07 28384 -c--a-w- c:\windows\system32\dllcache\sym_hi.sys
2010-10-15 20:27 . 2001-08-17 19:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
2010-10-15 20:27 . 2001-08-17 10:50 103936 -c--a-w- c:\windows\system32\dllcache\sx.sys
2010-10-15 20:27 . 2001-08-17 11:02 3968 -c--a-w- c:\windows\system32\dllcache\swusbflt.sys
2010-10-15 20:27 . 2001-08-17 19:36 10240 -c--a-w- c:\windows\system32\dllcache\swpidflt.dll
2010-10-15 20:27 . 2001-08-17 19:36 10240 -c--a-w- c:\windows\system32\dllcache\swpdflt2.dll
2010-10-15 20:27 . 2001-08-17 19:36 53760 -c--a-w- c:\windows\system32\dllcache\sw_wheel.dll
2010-10-15 20:26 . 2001-08-17 19:36 41472 -c--a-w- c:\windows\system32\dllcache\sw_effct.dll
2010-10-15 20:26 . 2001-08-17 19:36 155648 -c--a-w- c:\windows\system32\dllcache\stlnprop.dll
2010-10-15 20:26 . 2001-08-17 19:36 53248 -c--a-w- c:\windows\system32\dllcache\stlncoin.dll
2010-10-15 20:26 . 2001-08-17 09:18 285760 -c--a-w- c:\windows\system32\dllcache\stlnata.sys
2010-10-15 20:26 . 2001-08-17 10:51 16896 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
2010-10-15 20:26 . 2001-08-17 09:11 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-10-15 20:26 . 2008-04-14 12:00 101376 -c--a-w- c:\windows\system32\dllcache\srusbusd.dll
2010-10-15 20:26 . 2001-08-17 19:36 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2010-10-15 20:26 . 2001-08-17 19:36 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll
2010-10-15 20:26 . 2001-08-17 10:51 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2010-10-15 20:26 . 2001-08-17 19:36 106584 -c--a-w- c:\windows\system32\dllcache\spdports.dll
2010-10-15 20:26 . 2001-08-17 11:07 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2010-10-15 20:24 . 2008-04-14 12:00 236544 -c--a-w- c:\windows\system32\dllcache\smi2smir.exe
2010-10-15 20:23 . 2008-04-13 20:53 404990 -c--a-w- c:\windows\system32\dllcache\slntamr.sys
2010-10-15 20:22 . 2001-07-21 11:29 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2010-10-15 20:21 . 2001-08-17 10:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys
2010-10-15 20:21 . 2001-08-17 10:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2010-10-15 20:21 . 2008-04-13 21:10 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2010-10-15 20:21 . 2001-08-17 19:36 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2010-10-15 20:21 . 2001-08-17 09:50 75392 -c--a-w- c:\windows\system32\dllcache\s3savmxm.sys
2010-10-15 20:21 . 2001-08-17 11:56 245632 -c--a-w- c:\windows\system32\dllcache\s3savmx.dll
2010-10-15 20:21 . 2001-08-17 09:50 77824 -c--a-w- c:\windows\system32\dllcache\s3sav4m.sys
2010-10-15 20:21 . 2001-08-17 11:56 198400 -c--a-w- c:\windows\system32\dllcache\s3sav4.dll
2010-10-15 20:21 . 2001-08-17 09:50 61504 -c--a-w- c:\windows\system32\dllcache\s3sav3dm.sys
2010-10-15 20:21 . 2001-08-17 11:56 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll
2010-10-15 20:21 . 2001-08-17 11:56 210496 -c--a-w- c:\windows\system32\dllcache\s3mvirge.dll
2010-10-15 20:21 . 2001-08-17 19:36 62496 -c--a-w- c:\windows\system32\dllcache\s3mtrio.dll
2010-10-15 20:21 . 2001-08-17 09:50 41216 -c--a-w- c:\windows\system32\dllcache\s3mt3d.sys
2010-10-15 20:19 . 2008-04-13 21:16 59136 -c--a-w- c:\windows\system32\dllcache\rfcomm.sys
2010-10-15 20:18 . 2001-08-17 10:52 40320 -c--a-w- c:\windows\system32\dllcache\ql1080.sys
2010-10-15 20:17 . 2001-08-17 11:07 19840 -c--a-w- c:\windows\system32\dllcache\philtune.sys
2010-10-15 20:16 . 2001-08-17 09:12 26153 -c--a-w- c:\windows\system32\dllcache\pcmlm56.sys
2010-10-15 20:15 . 2001-08-17 11:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2010-10-15 20:14 . 2001-08-17 09:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2010-10-15 20:13 . 2001-08-17 11:56 35392 -c--a-w- c:\windows\system32\dllcache\n9i128.dll
2010-10-15 20:12 . 2001-08-17 11:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-10-15 20:11 . 2001-08-17 19:36 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
2010-10-15 20:10 . 2001-08-17 09:12 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2010-10-15 20:09 . 2008-04-13 21:24 88192 -c--a-w- c:\windows\system32\dllcache\irda.sys
2010-10-15 20:08 . 2001-08-17 19:36 61952 -c--a-w- c:\windows\system32\dllcache\icam4ext.dll
2010-10-15 20:07 . 2001-08-17 10:28 488383 -c--a-w- c:\windows\system32\dllcache\hsf_v124.sys
2010-10-15 20:06 . 2001-08-17 19:36 324608 -c--a-w- c:\windows\system32\dllcache\hpojwia.dll
2010-10-15 20:05 . 2008-04-14 12:00 36864 -c--a-w- c:\windows\system32\dllcache\hanjadic.dll
2010-10-15 20:04 . 2001-08-17 19:36 71680 -c--a-w- c:\windows\system32\dllcache\fnfilter.dll
2010-10-15 20:03 . 2001-08-17 09:19 174464 -c--a-w- c:\windows\system32\dllcache\es198x.sys
2010-10-15 20:02 . 2001-08-17 10:28 634134 -c--a-w- c:\windows\system32\dllcache\el656ct5.sys
2010-10-15 20:01 . 2001-08-17 19:36 31305 -c--a-w- c:\windows\system32\dllcache\disrvpp.dll
2010-10-15 20:00 . 2001-08-17 10:50 49792 -c--a-w- c:\windows\system32\dllcache\cyzport.sys
2010-10-15 19:59 . 2008-04-14 02:41 15423 -c--a-w- c:\windows\system32\dllcache\ch7xxnt5.dll
2010-10-15 19:58 . 2001-08-17 09:11 26568 -c--a-w- c:\windows\system32\dllcache\bcm4e5.sys
2010-10-15 19:57 . 2008-04-13 19:04 56623 -c--a-w- c:\windows\system32\dllcache\ati1btxx.sys
2010-10-15 19:56 . 2001-08-17 11:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-10-14 18:25 . 2010-10-14 18:25 -------- d-----w- c:\windows\system32\MpEngineStore
2010-10-13 08:39 . 2010-10-13 08:39 -------- d-----w- c:\documents and settings\The Crabtrees\Local Settings\Application Data\Safe mirror
2010-10-13 08:38 . 2010-10-13 08:39 -------- d-----w- c:\program files\Cobian Backup 10
2010-10-12 15:58 . 2010-10-12 16:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData
2010-10-12 15:58 . 2010-10-12 15:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-10-04 07:26 . 2010-10-04 07:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-10-02 18:23 . 2010-10-02 18:23 -------- d-----w- c:\program files\Windows Media Connect 2
2010-10-02 18:21 . 2010-10-02 18:22 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-10-01 19:07 . 2010-10-01 19:07 -------- d-----w- c:\documents and settings\The Crabtrees\Application Data\StreamTorrent
2010-10-01 19:07 . 2010-10-01 19:07 -------- d-----w- c:\program files\StreamTorrent 1.0
2010-10-01 18:48 . 2010-10-01 18:48 -------- d-----w- c:\program files\TVAnts
2010-10-01 13:08 . 2010-10-01 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-10-01 13:08 . 2010-10-01 13:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-09-29 12:23 . 2010-09-29 12:23 -------- d-----w- c:\program files\Free WMA to MP3 Converter
2010-09-27 09:29 . 2010-09-27 09:30 -------- d-----w- c:\program files\Defraggler

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-22 19:19 . 2010-01-08 23:42 37376 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2010-09-18 09:23 . 2009-03-25 00:08 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2009-03-25 00:08 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2009-03-25 00:08 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2009-03-25 00:08 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2009-03-25 00:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2009-03-25 00:08 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2009-03-25 00:08 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2009-03-25 00:08 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2009-03-25 00:08 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2009-03-25 00:08 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2009-03-25 00:08 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2009-03-25 00:08 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-02-23 07:02 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2009-03-25 00:08 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2009-03-25 00:08 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2009-03-25 00:08 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-15 16:27 . 2010-08-15 16:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-15 16:27 . 2010-08-15 16:28 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-01 08:36 . 2010-08-01 08:36 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
.
<pre>
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu .exe
c:\program files\DivX\DivX Update\DivXUpdate .exe
c:\program files\Google\Gmail Notifier\gnotify .exe
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\Samsung\Easy Display Manager\DMLoader .exe
c:\program files\Samsung\MagicKBD\PreMKBD .exe
c:\program files\Samsung\Samsung Battery Manager\BatteryManager .exe
c:\program files\Samsung\Samsung Update Plus\SUPBackGround .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
</pre>

------- Sigcheck -------

[7] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB952117-v2$\ndis.sys
[7] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys

c:\windows\System32\drivers\ndis.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 07:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\The Crabtrees\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\The Crabtrees\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\The Crabtrees\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BatteryLifeExtender"="c:\program files\Samsung\BatteryLifeExtender\BatteryLifeExtender.exe" [2009-03-14 550912]
"Google Update"="c:\documents and settings\The Crabtrees\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-22 135664]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-18 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-25 218496]

c:\documents and settings\The Crabtrees\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\The Crabtrees\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-17 580200]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-22 275768]
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2010-3-9 286720]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2009-10-02 128360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 12:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 10:36 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
2010-08-10 12:10 2349776 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 12:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\The Crabtrees\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Documents and Settings\\The Crabtrees\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\The Crabtrees\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Samsung\\Easy Network Manager\\ENM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6004:TCP"= 6004:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/23/2010 11:29 AM 216400]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 67656]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [3/25/2009 3:08 AM 14336]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/16/2010 1:35 PM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 1:36 PM 308136]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [10/13/2010 11:39 AM 67584]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [3/25/2009 4:34 AM 4300]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R2 SRS_WOWXT_Service;SRS WOWXT/TSXT Service;c:\program files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe [5/19/2009 6:39 PM 66792]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2/23/2010 2:19 AM 233512]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [3/25/2009 4:38 AM 238464]
S0 sqnskr;sqnskr; [x]
S0 ygilalj;ygilalj;c:\windows\system32\drivers\lddrrr.sys --> c:\windows\system32\drivers\lddrrr.sys [?]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/23/2010 11:29 AM 243024]
S1 aytdkwtg;aytdkwtg; [x]
S1 bialtisn;bialtisn; [x]
S1 cduvyhjm;cduvyhjm; [x]
S1 dnswtpse;dnswtpse; [x]
S1 ekebownw;ekebownw; [x]
S1 fvfjdqyo;fvfjdqyo; [x]
S1 gvzibyro;gvzibyro; [x]
S1 hbshgqpt;hbshgqpt; [x]
S1 hxbqrgpq;hxbqrgpq; [x]
S1 imwojjjs;imwojjjs; [x]
S1 mblnjmfc;mblnjmfc; [x]
S1 npxflkui;npxflkui; [x]
S1 ojqxhjae;ojqxhjae; [x]
S1 qbwsehmk;qbwsehmk; [x]
S1 rmwumjty;rmwumjty; [x]
S1 taozacvm;taozacvm; [x]
S1 ulvomzcj;ulvomzcj; [x]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; [x]
S2 svxnaycherq;svxnaycherq; [x]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [3/25/2009 3:08 AM 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [3/25/2009 4:35 AM 1684736]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [9/10/2010 3:58 PM 430152]
S3 gbridge;Gbridge Virtual Miniport;c:\windows\system32\drivers\gbridge.sys [5/10/2009 8:46 PM 41216]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [8/2/2006 2:57 AM 19840]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/29/2010 9:03 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
yksvcs REG_MULTI_SZ yksvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-10-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2005194363-3438987874-4133210165-1005Core.job
- c:\documents and settings\The Crabtrees\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-22 21:52]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2005194363-3438987874-4133210165-1005UA.job
- c:\documents and settings\The Crabtrees\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-22 21:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = localhost:8118
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\documents and settings\The Crabtrees\Application Data\Mozilla\Firefox\Profiles\rtdqdshm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - component: c:\documents and settings\The Crabtrees\Application Data\Mozilla\Firefox\Profiles\rtdqdshm.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\The Crabtrees\Application Data\Mozilla\Firefox\Profiles\rtdqdshm.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\The Crabtrees\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\The Crabtrees\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\The Crabtrees\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -

Notify-ahqvifqe - ahqvifqe.dll
Notify-fnpipe - fnpipe.dll
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-24 09:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(288)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(792)
c:\windows\system32\WININET.dll
c:\documents and settings\The Crabtrees\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Stardock\Fences\FencesMenu.dll
c:\program files\stardock\fences\DesktopDock.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\Hotspot Shield\bin\hsswd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\documents and settings\The Crabtrees\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-10-24 09:57:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-24 06:57

Pre-Run: 52,760,612,864 bytes free
Post-Run: 52,805,238,784 bytes free

- - End Of File - - 2ED204E351CF4E0E589A2275582EA652

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:59 AM

Posted 24 October 2010 - 11:40 AM

Now you must plug in the USB and download the Recovery Console. We need to rerun Combofix to remove a file infector (and a few other things) and I cannot be held responsible if the fix goes wrong and you haven't done that.

When it has been installed please do the following:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

RenV::
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu .exe
c:\program files\DivX\DivX Update\DivXUpdate .exe
c:\program files\Google\Gmail Notifier\gnotify .exe
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\Samsung\Easy Display Manager\DMLoader .exe
c:\program files\Samsung\MagicKBD\PreMKBD .exe
c:\program files\Samsung\Samsung Battery Manager\BatteryManager .exe
c:\program files\Samsung\Samsung Update Plus\SUPBackGround .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe

FCopy::
c:\windows\system32\dllcache\ndis.sys | c:\windows\System32\drivers\ndis.sys

File::
c:\windows\system32\drivers\lddrrr.sys

DDS::
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = localhost:8118

Driver::
sqnskr
ygilalj
aytdkwtg
bialtisn
cduvyhjm
dnswtpse
ekebownw
fvfjdqyo
gvzibyro
hbshgqpt
hxbqrgpq
imwojjjs
mblnjmfc
npxflkui
ojqxhjae
qbwsehmk
rmwumjty
taozacvm
ulvomzcj
svxnaycherq

Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the graphic below)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
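The log above and the CFScript that follows it carry three indicators a malware responder learns to spot in ComboFix output: executables renamed with a space before the extension (the file-infector entries that the RenV:: directive reverts), start-type entries that name a service or driver with no file behind it ("[x]" or "[?]", the names listed under Driver::), and a browser proxy pointed at the local machine (the two lines under DDS::). The script below is an added example, not part of this thread and not ComboFix's own code; it parses lines in ComboFix's format and flags those indicators. The sample lines are copied from the log in this thread (plus one clean QTTask.exe line as a control), the extension list and the "random-looking name" heuristic (a lowercase-only name of six or more letters that is identical to its display name) are my assumptions, and every hit is something to review by hand, not a verdict.

```python
import re

# Constructed sample: lines copied from the ComboFix log in this thread, plus one
# clean QTTask.exe line as a control, so the script runs offline.
SAMPLE_LOG = r"""
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\QuickTime\QTTask.exe
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/23/2010 11:29 AM 216400]
S0 sqnskr;sqnskr; [x]
S0 ygilalj;ygilalj;c:\windows\system32\drivers\lddrrr.sys --> c:\windows\system32\drivers\lddrrr.sys [?]
S1 aytdkwtg;aytdkwtg; [x]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; [x]
S3 gbridge;Gbridge Virtual Miniport;c:\windows\system32\drivers\gbridge.sys [5/10/2009 8:46 PM 41216]
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = localhost:8118
"""

# "name .exe": a space directly before the extension.  ComboFix lists such files
# in its <pre> block and the RenV:: directive renames them back.  Extension list
# is an assumption of this example.
SPACED_EXT_RE = re.compile(r"^(?P<path>\S.*\S) \.(?P<ext>exe|dll|sys|scr|cpl)$", re.I)

# ComboFix service/driver line: "<start type> <name>;<display name>;<image path and details>"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")

PROXY_RE = re.compile(r"^u?Internet Settings,ProxyServer = (?P<proxy>\S+)$")
LOOPBACK = ("localhost", "127.0.0.1")


def find_spaced_extensions(text):
    """Return every line whose file name carries a space before the extension."""
    return [line for line in text.splitlines() if SPACED_EXT_RE.match(line)]


def find_suspect_services(text):
    """Return (start_type, name, reasons) for service entries worth a manual look."""
    findings = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        reasons = []
        rest = m["rest"].strip()
        if rest.endswith("[x]"):          # registered, but no image path at all
            reasons.append("no image path on disk")
        elif rest.endswith("[?]"):        # path given, but the file could not be checked
            reasons.append("image path could not be verified")
        name = m["name"]
        # Heuristic (assumption): a lowercase-only name of 6+ letters that is identical
        # to its display name (sqnskr, ygilalj, ...).  Legitimate drivers normally carry
        # a descriptive display name or mixed case.  A hit is a prompt to review, not proof.
        if name == m["display"] and re.fullmatch(r"[a-z]{6,}", name):
            reasons.append("random-looking name")
        if reasons:
            findings.append((m["start"], name, reasons))
    return findings


def find_local_proxies(text):
    """Return ProxyServer values that route browser traffic through the loopback interface."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m and m["proxy"].split(":")[0].lower() in LOOPBACK:
            hits.append(m["proxy"])
    return hits


def triage(text):
    """Run all three checks over a ComboFix-style log and collect the results."""
    return {
        "spaced_extensions": find_spaced_extensions(text),
        "suspect_services": find_suspect_services(text),
        "local_proxies": find_local_proxies(text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path in report["spaced_extensions"]:
        print("renamed executable:", path)
    for start, name, reasons in report["suspect_services"]:
        print(f"service {name} ({start}): {', '.join(reasons)}")
    for proxy in report["local_proxies"]:
        print("loopback proxy configured:", proxy)
```

Run it against a full ComboFix.txt by reading the file into `triage()` instead of `SAMPLE_LOG`. On the log in this thread the service check would also flag a few legitimate entries whose path ends in "[?]" (HssWd, for instance), which is why the output is a review list rather than a removal list: the responder still compares each name against the vendor and the start type, as m0le did before writing the Driver:: section.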

#9 theTHRILL01

theTHRILL01
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:59 AM

Posted 24 October 2010 - 12:37 PM

I did as you instructed. ComboFix ran and my computer restarted. Now after the XP logo it boots to blue screen for a split second and then reverts to the dual-boot screen where I choose if I want to boot to XP or Jolicloud. Again, choosing XP brings up the blue screen for a split second and then the dual-boot screen again.

I can access Windows Recovery Console, but I don't really know how to intelligently maneuver around in there. Please advise.

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:59 AM

Posted 25 October 2010 - 06:16 PM

Okay, we are going to attempt to restore the PC.

1) Reboot and press the F8 key immediately before the first Windows screen appears, then select the "Last Known Good" option from the menu and see if Windows boots up with this option. If it does let me know.

2) If not, reboot again with F8, and select the option "Safe Mode". If Windows boots up in safe mode, you can restore a registry backup just as you would in normal mode.

3) If that also fails, then here are the instructions from the ERDNT website:

Restoring the registry with ERDNT - Emergency Scenario II
---------------------------------------------------------

2. The Windows Recovery Console (Windows 2000 and higher)
Note that you can use this method only if you saved the registry
backup inside the Windows folder, and that using this procedure only
the system registry is restored. This should however get you back into
Windows, from where you can run the ERDNT program to restore user
registries, if necessary.
- Boot your system from the Windows 2000/2003/XP CD-ROM.
- At the welcome screen, press "R" (Windows 2000: "R" then "C").
- Type in the number of the Windows installation you want to repair
(usually 1), then press ENTER.
- Type in the Administrator password (leave blank if you are unsure
what it is) and press ENTER.
- At the command prompt type
cd erdnt
or whatever you named your restore folder, then press ENTER.
- If you enabled automatic registry backup on system boot during ERUNT
installation and want to restore one of these backups, type
cd autobackup <ENTER>
- If you created subfolders for different registry backups (for
example, with the different creation dates), type
dir <ENTER>
to see a list of available folders, then type
cd foldername <ENTER>
where foldername is the name of a folder listed by the dir command,
to open that folder.
- Now type
batch erdnt.con <ENTER>
to restore the system registry from that folder.
- Type
exit <ENTER>
and remove the CD from the CD-ROM drive. The system will now reboot
with the restored registry.


m0le is a proud member of UNITE

#11 theTHRILL01

theTHRILL01
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:59 AM

Posted 26 October 2010 - 12:31 AM

Using the "Last known good" option doesn't work, but I can access Safe Mode. #2 in your previous post states, "If Windows boots up in safe mode, you can restore a registry backup just as you would in normal mode." How do I go about doing that?

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:59 AM

Posted 26 October 2010 - 01:47 PM

In safe mode navigate to this folder: C:\WINDOWS\ERDNT

Find the date/time directory (should look like 10-25-2010 if it was done on the 25th)

Double click the ERDNT icon

At the Welcome window click "OK"

At the next screen you should be using the default values that are presented to you. But make sure that both “System registry” and “Current user registry” are checked. Then press the “OK” button

When it requests to reboot click "Yes"

This should allow the PC to boot normally with the original restored registry. Let me know what happens.
m0le is a proud member of UNITE

#13 theTHRILL01

theTHRILL01
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:59 AM

Posted 26 October 2010 - 04:45 PM

I accessed Safe Mode by both signing in as administrator and using my regular profile with the same results....

I followed your directions in Safe Mode, except there was no date/time directory under C:\WINDOWS\ERDNT...instead I found the ERDNT icon under the "subs" folder. (I'm not sure if that's a big deal or not.) The other issue not mentioned in your instructions (again, I don't know if it matters much) is that once I clicked OK on the "System Registry" and "Current User Registry" screen, a message appeared stating, "No restoration entries found for the current user. Restoration of the remaining registries will continue." (This only happened when I signed in as administrator.) I clicked OK and the "Restoring Registry" proceeded.

Upon reboot, I was again met with the momentary blue screen after the XP logo, and I was again taken to the dual-boot option screen. If I choose "Windows Vista (Loader)" I'm taken to the screen that allows me to choose Safe Mode, Last Known Good, etc.

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:59 AM

Posted 26 October 2010 - 05:02 PM

That was probably going to happen. Go to the Recovery Console results above, below the second option, in the quote box.

If you aren't sure of any steps then post me before you continue.
m0le is a proud member of UNITE

#15 theTHRILL01

theTHRILL01
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:59 AM

Posted 27 October 2010 - 02:25 AM

I followed the instructions from the post above regarding entering the ERDNT folder in Recovery Console. Everything seemed to work as it should (messages were displayed saying files were being restored), but when I exited and rebooted I got the same old blue screen as before.
