
svchost.exe 0x001a61ae error


  • This topic is locked
14 replies to this topic

#1 dwdawg

  • Members
  • 9 posts

Posted 06 February 2011 - 02:19 PM

I read the materials associated with this topic. Downloaded the tools, including ComboFix. I ran ComboFix (had to rename it to run it). It found the "TDL3" rootkit, removed it and restarted the computer. I ran from SAFE MODE. The system hung up after a while, as an anti-spyware, STOPzilla, loaded. I uninstalled that, disabled Vipre until manually started and upon computer reboot. Then I restarted the system, which started normally ... hooray! I then ran ComboFix again. It completed normally and gave me this log. Would you please review it and let me know if there are other steps I need to take? The system is running much, much faster and I am not getting the continual svchost.exe error messages.

---Start log---
ComboFix 11-02-05.01 - kloyer 02/06/2011 10:47:12.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.165 [GMT -8:00]
Running from: c:\documents and settings\kloyer\Desktop\innocuous.exe
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Sunbelt VIPRE *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\~WRD1054.tmp
C:\~WRD1130.tmp
C:\~WRD1764.tmp
c:\documents and settings\kloyer\Application Data\alot
c:\documents and settings\kloyer\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\kloyer\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\kloyer\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\kloyer\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\kloyer\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\kloyer\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\kloyer\Application Data\alot\configurator\configurator.xml
c:\documents and settings\kloyer\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\kloyer\Application Data\alot\contextMenu\contextMenu.xml
c:\documents and settings\kloyer\Application Data\alot\contextMenu\contextMenu.xml.backup
c:\documents and settings\kloyer\Application Data\alot\preferencesLayout\preferencesLayout.xml
c:\documents and settings\kloyer\Application Data\alot\preferencesLayout\preferencesLayout.xml.backup
c:\documents and settings\kloyer\Application Data\alot\products\products.xml
c:\documents and settings\kloyer\Application Data\alot\products\products.xml.backup
c:\documents and settings\kloyer\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
c:\documents and settings\kloyer\Application Data\alot\Resources\BrowserSearch\images\favicon.ico
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_1\images\alot_image_search.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_1\images\alot_image_search.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_1\images\alot_news_search.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_1\images\alot_news_search.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_1\images\alot_search_button.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_1\images\alot_shop_search.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_1\images\alot_shop_search.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_1\images\alot_videos_search.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_1\images\alot_videos_search.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_1\images\alot_web_search.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_1\images\alot_web_search.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_2\images\alot_configure.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_2\images\alot_configure.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_3\images\default_2236_alot_boo_booksearch.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_3\images\default_2236_alot_boo_booksearch.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_4\images\default_2335_dictionary_spellcheck.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_4\images\default_2335_dictionary_spellcheck.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_5\images\default_1512_alot_ref_wordrss.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_5\images\default_1512_alot_ref_wordrss.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_6\images\default_2336_spec_dictionaries.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_6\images\default_2336_spec_dictionaries.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_7\images\2658_icon.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_8\images\1129_icon.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Button_9\images\1130_icon.png
c:\documents and settings\kloyer\Application Data\alot\Resources\contextMenu\images\alot_icon.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\contextMenu\images\alot_icon.png
c:\documents and settings\kloyer\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Shared\domains.dat
c:\documents and settings\kloyer\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Shared\images\alot_splitter.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Shared\images\discover.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Shared\images\intro_popup.png
c:\documents and settings\kloyer\Application Data\alot\Resources\Shared\images\spinner.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Shared\images\widget_caption.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
c:\documents and settings\kloyer\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
c:\documents and settings\kloyer\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\kloyer\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\kloyer\Application Data\alot\toolbar.xml
c:\documents and settings\kloyer\Application Data\alot\toolbar.xml.backup
c:\documents and settings\kloyer\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml
c:\documents and settings\kloyer\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml.backup
c:\documents and settings\kloyer\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\kloyer\Application Data\alot\Updater\Updater.xml
c:\documents and settings\kloyer\Application Data\alot\Updater\Updater.xml.backup
c:\documents and settings\kloyer\g2mdlhlpx.exe
c:\windows\UNWISE.EXE

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-01-06 to 2011-02-06 )))))))))))))))))))))))))))))))
.

2011-02-05 19:20 . 2011-02-05 19:20 -------- d-----w- c:\documents and settings\kloyer\Local Settings\Application Data\PackageAware
2011-01-31 07:31 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-01-31 07:26 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-01-08 09:57 . 2011-01-08 09:57 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2011-01-08 09:57 . 2011-01-08 09:57 -------- d-----w- c:\program files\Microsoft Silverlight
2011-01-08 09:46 . 2011-01-08 09:46 -------- d-----w- c:\windows\system32\winrm
2011-01-08 09:28 . 2010-08-16 08:45 590848 ----a-w- c:\windows\system32\SET379.tmp
2011-01-08 09:27 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-01-08 09:26 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-01-08 09:22 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-01-08 09:18 . 2009-12-09 05:53 726528 ------w- c:\windows\system32\SET1C1.tmp
2011-01-08 09:16 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-03 22:23 . 2009-04-20 14:54 256 ----a-w- c:\documents and settings\kloyer\pool.bin
2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-18 18:12 . 2004-08-11 22:12 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-11 22:00 249856 ----a-w- c:\windows\system32\odbc32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 23:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"JobHisInit"="c:\program files\RDS\RMClient\JobHisInit.exe" [2005-11-01 151552]
"MplSetUp"="c:\program files\RDS\RMClient\MplSetUp.exe" [2005-06-01 40960]
"LabTech Tray Icon"="c:\windows\LTSvc\LTTray.exe" [2011-02-06 1109008]
"SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2010-09-24 1332560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Network Monitoring Tray.lnk - c:\windows\LTSvc\LTTray.exe [2011-1-31 1109008]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-11-9 1154848]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3323839634-2801909134-3450246216-1145\Scripts\Logon\0\0]
"Script"=\\Mvmsbs\NETLOGON\SBS_LOGIN_SCRIPT.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/30/2010 3:06 PM 207280]
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [6/21/2005 3:48 PM 17792]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [12/30/2010 3:07 PM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [12/30/2010 3:07 PM 59664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [12/30/2010 3:06 PM 233136]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [10/18/2010 7:54 PM 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/13/2010 6:56 AM 98392]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [10/18/2010 7:54 PM 212568]
R2 avgagent;AVG7 Remote Support Service (AvgAgent);avgagent.exe /srvfsys --> avgagent.exe [?]
R2 DMDefragService;Performance Toolkit Disk Defrag Service;c:\program files\PC Tools Utilities\Tools\Defrag\DMDefragSrv.exe [12/30/2010 1:15 PM 1034208]
R2 DMRepairService;Performance Toolkit Disk Repair Service;c:\program files\PC Tools Utilities\Tools\Repair\DMRepairSrv.exe [12/30/2010 1:15 PM 1021920]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/28/2010 1:48 PM 374152]
R2 LTService;StoneHill Monitoring Service;c:\windows\LTSvc\LTSVC.exe [10/11/2010 1:36 PM 3085840]
R2 LTSvcMon;StoneHill Monitoring Service CheckUp Util;c:\windows\LTSvc\LTSvcMon.exe [10/11/2010 1:36 PM 88064]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [12/30/2010 1:15 PM 583648]
R2 PPNT;PPNT;c:\windows\system32\drivers\ppnt.sys [7/27/2005 8:26 AM 13824]
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [9/23/2010 9:55 PM 2763080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [10/18/2010 7:54 PM 69976]
R2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\SBEAgent\SBPIMSvc.exe [9/23/2010 9:55 PM 181584]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/7/2010 4:04 PM 135664]
S2 LMIRescue_e278216b-af48-4703-944b-d1a30cf86784;LogMeIn Rescue (e278216b-af48-4703-944b-d1a30cf86784);"c:\windows\LMI15B.tmp\LMI_Rescue_srv.exe" -service -sid e278216b-af48-4703-944b-d1a30cf86784 --> c:\windows\LMI15B.tmp\LMI_Rescue_srv.exe [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/5/2007 4:21 PM 30192]
S3 PCTDMDefrag;PCTDMDefrag;c:\windows\system32\drivers\PCTDMDefrag.sys [12/30/2010 1:15 PM 107992]
S3 PCTDSMon;PCTDSMon;c:\windows\system32\drivers\PCTDSMon.sys [12/30/2010 1:15 PM 127352]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [12/30/2010 3:06 PM 70408]
S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB20 --> c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB20 [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/30/2010 3:05 PM 365280]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [12/30/2010 3:07 PM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder

2011-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-08 00:04]

2011-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-08 00:04]

2011-02-04 c:\windows\Tasks\PTSchedule.job
- c:\program files\PC Tools Utilities\pt.exe [2010-12-30 23:44]

2011-02-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3323839634-2801909134-3450246216-1145.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]

2011-02-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3323839634-2801909134-3450246216-1145.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]

2011-02-06 c:\windows\Tasks\User_Feed_Synchronization-{C462F83E-F922-4989-AA6B-40C1CE5B44D2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: stonehilltech.com\lt
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\kloyer\Application Data\Mozilla\Firefox\Profiles\a1sdz18b.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

AddRemove-AbacusLaw Accounting Workstation - c:\windows\UNWISE.EXE
AddRemove-AbacusLaw Workstation - c:\windows\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-06 11:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'lsass.exe'(720)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(1464)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\avgagent.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\PC Tools Utilities\Tools\Defrag\DMDefragSrvProxy.exe
c:\program files\PC Tools Utilities\Tools\Repair\DMRepairSrvProxy.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\MI3AA1~1\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2011-02-06 11:06:14 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-06 19:06

Pre-Run: 36,480,020,480 bytes free
Post-Run: 37,234,896,896 bytes free

- - End Of File - - 894ED6954C55834CCC26A111A3FEA5FD

Thank you!
dwdawg

A further note to the earlier post. Once completed, the system ran much faster. It is still a little sluggish, but not nearly as bad as before. However, this system can no longer be connected to using VPN. All the other computers in the network can be connected remotely, but not this one. The error message I get when trying is that it is "trying to connect RDP, but this machine cannot be connected. Please check the machine..."

RDP is enabled and the IPv6 protocol is enabled. This is identical to the other computers in the network.

Any suggestions?

Thanks,
dwdawg

EDIT: Posts merged ~BP

Edited by Budapest, 08 February 2011 - 05:58 PM.
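Added example, not ComboFix's or the forum's code: a small Python triage parser for the quoted Run-key values in the "Reg Loading Points" section and the R0..S3 service/driver lines of a ComboFix log like the one above. It flags entries ComboFix marked [?] (file not found or unreadable), images listed without an absolute path, and images living under temp or user-profile directories; the sample input is a constructed excerpt built from a few lines of the posted log.

```python
"""Triage helper for ComboFix autostart output (added example, not ComboFix's code)."""
import re
from dataclasses import dataclass, field

# Constructed sample input: a few lines in the format of the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"LabTech Tray Icon"="c:\windows\LTSvc\LTTray.exe" [2011-02-06 1109008]

R2 avgagent;AVG7 Remote Support Service (AvgAgent);avgagent.exe /srvfsys --> avgagent.exe [?]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [9/23/2010 9:55 PM 2763080]
S2 LMIRescue_e278216b-af48-4703-944b-d1a30cf86784;LogMeIn Rescue (e278216b-af48-4703-944b-d1a30cf86784);"c:\windows\LMI15B.tmp\LMI_Rescue_srv.exe" -service -sid e278216b-af48-4703-944b-d1a30cf86784 --> c:\windows\LMI15B.tmp\LMI_Rescue_srv.exe [?]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
"""

# "name"="image" [date size]   (Run/RunOnce values as ComboFix prints them)
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]+)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# R0..S3 <service>;<display name>;<image path> [meta]
SERVICE = re.compile(r'^(?P<state>[RS]\d)\s+(?P<rest>.+)$')
DRIVE_PATH = re.compile(r'(?i)[a-z]:\\[^"\[]*?\.(?:exe|sys|dll)')
TEMP_OR_USER = re.compile(r'(?i)\\[^\\]*\.tmp\\|\\temp\\|\\documents and settings\\|\\users\\')


@dataclass
class Entry:
    kind: str        # "run" or "service"
    name: str
    image: str       # executable path recovered from the line
    verified: bool   # False when ComboFix printed [?] instead of date/size
    flags: list = field(default_factory=list)


def _image_from(text):
    # ComboFix prints "<ImagePath as registered> --> <resolved file>"; the resolved
    # part is what actually runs, so prefer it when present.
    if '-->' in text:
        text = text.split('-->', 1)[1]
    m = DRIVE_PATH.search(text)
    if m:
        return m.group(0)
    text = text.strip().strip('"')
    return text.split()[0] if text else ''


def _assess(entry):
    if not entry.verified:
        entry.flags.append('unverified: ComboFix printed [?] (file missing or unreadable)')
    if not re.match(r'(?i)^[a-z]:\\', entry.image):
        entry.flags.append('no absolute path: image resolved via search order')
    if TEMP_OR_USER.search(entry.image):
        entry.flags.append('runs from temp or user-writable location')
    return entry


def parse_combofix(text):
    """Return Entry objects for every Run value and service line in the log text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_VALUE.match(line)
        if m:
            entries.append(_assess(Entry('run', m.group('name'), m.group('image'),
                                         m.group('meta') != '?')))
            continue
        m = SERVICE.match(line)
        if m:
            parts = m.group('rest').split(';', 2)
            if len(parts) != 3:
                continue
            name, _display, cmd = parts
            verified = not cmd.rstrip().endswith('[?]')
            image = _image_from(re.sub(r'\s*\[[^\]]*\]\s*$', '', cmd))
            entries.append(_assess(Entry('service', name, image, verified)))
    return entries


def suspicious(entries):
    """Entries with at least one flag: the ones a responder should look at first."""
    return [e for e in entries if e.flags]


if __name__ == '__main__':
    for e in suspicious(parse_combofix(SAMPLE_LOG)):
        print(f"{e.kind:8} {e.name}: {e.image}")
        for f in e.flags:
            print(f"         - {f}")
```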



#2 etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 10 February 2011 - 06:24 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#3 dwdawg

  • Topic Starter

  • Members
  • 9 posts

Posted 10 February 2011 - 10:31 PM

Hello,

I have run the logs and they are attached. Upon finishing the GMER scan, I got another dialog window:

iExplore.exe - Application Error
The instruction at "0x055ad66f" referenced memory at "0x055ad55f". The memory could not be "written".

This was the first instance of seeing this error.

Thank you for your help.

dwdawg
Attached File  OTL.Txt   100.95KB   1 downloads
Attached File  ark.log   7.66KB   3 downloads
Attached File  Extras.Txt   42.79KB   1 downloads

#4 etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 11 February 2011 - 06:45 PM

Hello, dwdawg.

The original Combofix log above shows it removed a backdoor rootkit. We'll verify the computer is clean, then work on the VPN issue.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.


Registry Cleaner Warning


I also see that you have a registry cleaner installed (in your case Registry Mechanic). Here at BC, we do not recommend using registry cleaners. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit won't help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/index.php?showtopic=238799&st=0&p=1326578&#entry1326578





Ask Toolbar Warning

I see you have the Ask.com toolbar installed. This often comes bundled with spyware, and it is recommended that you remove it.

Please see here for more information:
http://www.bleepingcomputer.com/uninstall/94/Ask-Toolbar.html

If you would like to remove it, please go to Add/Remove Programs and uninstall it.



Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the Internet zone are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even give access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1



1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into Notepad:

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
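The Trusted Zone check described above can also be done from the registry rather than by clicking through Internet Options. This is an added PowerShell example, not code from the thread or from BleepingComputer; it assumes the standard ZoneMap layout under Internet Settings, reads only, and changes nothing.

```powershell
# Added example, not from the thread: list the sites Internet Explorer has
# in its Trusted sites zone (zone id 2), the same list shown under
# Tools > Internet Options > Security > Trusted sites > Sites.
# ZoneMap keeps one subkey per domain; a nested subkey is a host label
# (Domains\example.com\www means www.example.com). Each key holds DWORD
# values named after the scheme ('http', 'https' or '*' for all) whose
# data is the zone id. Per-user entries are in HKCU, machine-wide in HKLM.
$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapEntries {
    param([string]$Root)
    if (-not (Test-Path -Path $Root)) { return }
    foreach ($domainKey in Get-ChildItem -Path $Root) {
        $domain = $domainKey.PSChildName
        # the domain key itself plus one level of host-label subkeys
        $keys = @($domainKey) + @(Get-ChildItem -Path $domainKey.PSPath)
        foreach ($key in $keys) {
            $site = if ($key.PSPath -eq $domainKey.PSPath) { $domain } else { '{0}.{1}' -f $key.PSChildName, $domain }
            foreach ($scheme in $key.GetValueNames()) {
                if ($scheme -eq '') { continue }          # skip an unnamed default value
                $zone = [int]$key.GetValue($scheme)
                [pscustomobject]@{
                    Hive     = $Root.Substring(0, 4)
                    Site     = $site
                    Scheme   = $scheme
                    Zone     = $zone
                    ZoneName = $ZoneNames[$zone]
                }
            }
        }
    }
}

# Report only the Trusted sites zone. A '*' scheme means the site is trusted
# over every protocol, and a bare domain entry covers every host under it,
# so those deserve the closest look when deciding what to remove.
$trusted = $ZoneMapRoots |
    ForEach-Object { Get-ZoneMapEntries -Root $_ } |
    Where-Object { $_.Zone -eq 2 }

if (@($trusted).Count -eq 0) {
    'No sites are in the Trusted sites zone.'
} else {
    $trusted | Sort-Object Hive, Site |
        Select-Object Hive, Site, Scheme,
            @{ n = 'Note'; e = { if ($_.Scheme -eq '*') { 'all protocols' } else { '' } } } |
        Format-Table -AutoSize
}
```

Any site listed here that the machine does not need for a specific application is a candidate for removal via the Sites dialog the post points to.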
 


#5 dwdawg (Topic Starter)

Posted 11 February 2011 - 10:19 PM

Hi etavares,

Thanks for the help. I have attached the log. It ran without incident.

dw
Attached File  ComboFix.txt   13.13KB   1 downloads

#6 etavares (Bleepin' Remover, Malware Response Team)

Posted 12 February 2011 - 07:34 AM

Hello, dwdawg.

OK, some minor cleanup, then we'll work the RDP issue.



Step 1



1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into Notepad:

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.



Step 2

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 23 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 23 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each of the Java versions shown below:
    Java 6 Update 21
    Java 6 Update 2
    Java 2 Runtime Environment, SE v1.4.2_03
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586-p.exe to install the newest version.




Step 3

You are using an outdated version of Adobe Reader. Adobe Reader has since been updated, and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.

Please download the latest version from:
http://get.adobe.com/reader/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.


You may also try the free Foxit PDF reader if you prefer:
http://www.foxitsoftware.com/pdf/reader/



Step 4

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need to run an OTL script
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom.
    :OTL
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
    
  • Click the Run Fix button at the top.
  • Let the program run unhindered and reboot when it is done.
  • You will get a log when it is done, please post that in your reply.
  • Please then create a new OTL report....
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • A report will open, copy and paste it in a reply here.



Step 5

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on the download link to get the ESET Smart Installer. Save it to your desktop.
    • Double click on the ESET Smart Installer icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

etavares




#7 dwdawg (Topic Starter)

Posted 12 February 2011 - 08:53 PM

Hello etavares,

I finished all the steps you suggested. I could not remove Adobe Reader 7. I did load Reader X. All other processes completed without incident. The files are attached.

Thanks,
dwdawg

Attached File  ComboFix.txt   13.16KB   3 downloads
Attached File  OTL.Txt   81KB   1 downloads
Attached File  02122011_154527.log   8.23KB   1 downloads
Attached File  ESETScan.txt   436bytes   1 downloads

#8 etavares (Bleepin' Remover, Malware Response Team)

Posted 13 February 2011 - 08:30 AM

Hello, dwdawg.
OK, first things first, let's use Revo to remove AR7.



Step 1

Please download Revo Uninstaller (Free Version) and save it to your desktop.

Find revosetup.exe on your desktop, double-click it, and follow the prompts to install it.

Next, launch Revo Uninstaller. Select the following program(s) from the list and click the Uninstall button for each.
Adobe Reader 7


Select Advanced and click OK. It will launch the uninstaller. Uninstall it. Once that's finished, Revo will then scan for leftover files and registry settings. Select them and click "delete", then OK your way until it's done.

Reboot. Let me know how this goes.



Step 2

In regards to RDP, are you using a firewall on this computer?

Also, are you trying to remote desktop FROM it or TO it?

etavares




#9 dwdawg (Topic Starter)

Posted 15 February 2011 - 12:07 PM

Hello etavares,

Reader 7.0 is completely removed. It made Reader X dysfunctional, but I reinstalled it and it works fine.

We have a Sonicwall firewall. I am trying to RDP to this workstation from an external laptop through a vpn connection. The server is Windows Small Business Server 2003.

Thanks,
dw

#10 etavares (Bleepin' Remover, Malware Response Team)

Posted 15 February 2011 - 07:18 PM

Is port 3389 open on the firewall? If you want to check, from that computer, use the Online Port Scan to check 3389.

Is it open? Or blocked?




#11 dwdawg (Topic Starter)

Posted 15 February 2011 - 08:08 PM

It is open.

#12 etavares (Bleepin' Remover, Malware Response Team)

Posted 16 February 2011 - 06:23 PM

OK, that's good.

This may be what you mean by "remote desktop is enabled" in your description above, but I want to confirm.

Please, right-click My Computer, select Properties, select the Remote tab.
In there, in the Remote Desktop section, please check the box for Allow users to remotely connect to this computer if it isn't already. If it's not, check it and OK your way out, Reboot, then try to connect.

If that doesn't work, are you trying to connect via IP or computer name? If one, please try the other.




#13 dwdawg (Topic Starter)

Posted 17 February 2011 - 08:42 PM

Hi etavares,

The "Allow users to remotely connect..." is enabled.

I connect using a computer name and just tried it again. It is working! Hooray! I tried using two different remote computers and two different networks. It seems to be operating normally.

Thanks for all your help.

dwdawg

#14 etavares (Bleepin' Remover, Malware Response Team)

Posted 18 February 2011 - 06:42 PM

Hello, dwdawg.

Great news! You're welcome.


Your log appears clean. Let's clean up our mess. If your computer is running well, please do the steps listed below. At the end, I've also listed a few completely optional things you can do to further secure your computer. Safe surfing!



Step 1



Uninstall ComboFix and Clean Up
Click Start > Run and type combofix /Uninstall, then click OK (note the space between combofix and /Uninstall).
Please advise if this step is missed for any reason as it performs some important actions.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • If that link doesn't work, try this one.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

If you ran Defogger and disabled your emulator, please don't forget to run it again and reenable it. See the instructions here to do so.


Optional Items

Please take the time to read below to secure your machine and take the necessary steps to keep it that way.


System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance. If you are running Windows Vista or Windows 7, please right-click on the icon, and select "Run As Administrator"; otherwise it won't work.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

Protect yourself from malicious sites

The HOSTS file can protect you from connecting to bad sites. See The Hosts File and what it can do for you for more background.

Please download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one (I have MVPS Hosts as my main one)
    • Click "Add Update." After that you will only need to click the update button to retrieve updates.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Keep Windows Up to Date
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program is Malwarebytes Anti-Malware. You can download the free version.

Installing this program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.


Update all these programs regularly
Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. You can use Secunia PSI to keep track of necessary updates. It can run in the background and constantly monitor your software; although I just run it once a week manually. It will alert you when an update is available for a variety of software. It is very useful.

Follow this list and your potential for being infected again will reduce dramatically.

Good luck!

etavares


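As an added example of what the HOSTS file advice above protects against, and not code from the thread or from HostsMan: a PowerShell audit that reads a hosts file and flags entries that redirect a name rather than block it, plus entries that block update or security-vendor names. The vendor watch list and the sample lines are constructed for this example.

```powershell
# Added example, not from the thread: audit a HOSTS file. A protective list
# such as the MVPS one only maps names to 0.0.0.0 or 127.0.0.1 (the name then
# resolves nowhere). Malware edits the same file the other way round, so two
# patterns are flagged: a name pointed at a routable address (the real site is
# silently replaced), and an update or security-vendor name "blocked" so that
# patches and definitions can no longer be fetched.
$VendorDomains = @('windowsupdate.com', 'update.microsoft.com',        # constructed watch list
                   'windowsupdate.microsoft.com', 'bleepingcomputer.com',
                   'malwarebytes.org', 'eset.com', 'sunbeltsoftware.com')
$BlockingAddresses = @('0.0.0.0', '127.0.0.1', '::1')

function Get-HostsFindings {
    param([string[]]$Lines)
    $lineNo = 0
    foreach ($raw in $Lines) {
        $lineNo++
        $line = ($raw -split '#', 2)[0].Trim()          # drop comments and blanks
        if ($line -eq '') { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) {
            [pscustomobject]@{ Line = $lineNo; Address = $fields[0]; Name = ''
                               Status = 'MALFORMED'; Reason = 'no hostname on line' }
            continue
        }
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $name = $name.ToLowerInvariant()
            $status = 'block'; $reason = 'resolves to nowhere'
            if (@('localhost', 'localhost.localdomain') -contains $name) {
                $status = 'ok'; $reason = 'standard loopback entry'
            } elseif ($BlockingAddresses -notcontains $address) {
                $status = 'REDIRECT'; $reason = "points $name at routable address $address"
            } elseif ($VendorDomains | Where-Object { $name -eq $_ -or $name.EndsWith('.' + $_) }) {
                $status = 'BLOCKS_VENDOR'; $reason = "blocks $name, needed for updates or definitions"
            }
            [pscustomobject]@{ Line = $lineNo; Address = $address; Name = $name
                               Status = $status; Reason = $reason }
        }
    }
}

# Constructed sample lines, not a real hosts file.
$SampleHosts = @(
    '127.0.0.1       localhost',
    '0.0.0.0         ads.example.net          # typical blocklist entry',
    '203.0.113.10    www.example-bank.com     # hijack: routable address',
    '0.0.0.0         www.windowsupdate.com    # update site blocked',
    '127.0.0.1'
)
Get-HostsFindings -Lines $SampleHosts |
    Where-Object { $_.Status -ne 'block' -and $_.Status -ne 'ok' } |
    Format-Table -AutoSize

# The same check against this machine's live file.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path -Path $hostsPath) {
    Get-HostsFindings -Lines (Get-Content -Path $hostsPath) |
        Where-Object { $_.Status -ne 'block' -and $_.Status -ne 'ok' } |
        Format-Table -AutoSize
}
```

On the sample input the three lines after localhost are reported (REDIRECT, BLOCKS_VENDOR and MALFORMED); a clean blocklist-only file produces no rows at all.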


#15 etavares (Bleepin' Remover, Malware Response Team)

Posted 24 February 2011 - 06:51 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

