
IUservices / host process for Windows / network dependency failures


  • This topic is locked
5 replies to this topic

#1 micmogen (Members, 2 posts)

Posted 14 February 2011 - 09:21 AM

Have had recurrent, ongoing issues with Lenovo ThinkVantage and Recovery software. Have removed several unnecessary programs, some manually, but am still receiving these Host Process services errors, and the computer cannot connect to the Internet - network failures identified as "dependency group not started". Looking at Services running, the DHCP client freezes on "starting." TVT Scheduler consumes 99% CPU until it is manually stopped. When manually restarted, it resumes 99% CPU usage.

Also, Windows Defender cannot be started.

Have tried Lenovo's solution, but problem is not corrected.

Most recently ran ComboFix, which seemed to make a significant improvement to startup times, even freeing several gigs of hard drive space. The TDL3 rootkit was "discovered."
Per recommendations, that log file is posted here.

Please advise how to restore Internet networking (LAN) and related issues. Thanks, Michael

ComboFix 11-02-13.03 - Michael R 02/14/2011 5:22.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2935.2192 [GMT -7:00]
Running from: E:\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\program files\RegGenie
c:\program files\RegGenie\RegGenie.ini
C:\readme.txt
C:\System
c:\system\plugins\vocoder.dll
c:\system\plugins\VocoderMiSc.set
c:\users\Michael R\AppData\Roaming\inst.exe
c:\users\Michael R\AppData\Roaming\SQLite3.dll
c:\users\Michael R\AppData\Roaming\WinLogon
c:\windows\struct~.ini
c:\windows\system32\drivers\etc\2sb88tkujwdfc.ths
c:\windows\system32\drivers\etc\m9edej1dtafh4.ths
c:\windows\system32\drivers\etc\mndt1ze92de17.ths
c:\windows\system32\drivers\etc\n4u9adu3bhd52.ths
c:\windows\system32\drivers\etc\pwned.reg
c:\windows\system32\drivers\etc\s2rdk8ztqaru9.ths
c:\windows\system32\drivers\etc\s455uwz8jpjk9.ths
c:\windows\system32\drivers\etc\xdcc.ini
c:\windows\system32\drivers\etc\yythrgucmxj95.ths

Infected copy of c:\windows\system32\drivers\ecache.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-01-14 to 2011-02-14 )))))))))))))))))))))))))))))))
.

2011-02-14 11:55 . 2011-02-14 11:58 -------- d-----w- C:\32788R22FWJFW
2011-02-13 19:42 . 2011-02-13 19:42 -------- d-----w- c:\program files\ThinkPad
2011-02-13 16:30 . 2011-02-13 16:30 -------- d--h--we C:\O
2011-02-12 03:35 . 2011-02-12 03:35 -------- d-----w- C:\N
2011-02-11 05:46 . 2011-02-11 05:46 -------- d-----w- c:\program files\Common Files\xing shared
2011-02-11 00:57 . 2011-02-11 00:57 388096 ----a-r- c:\users\Michael R\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-11 00:57 . 2011-02-11 00:57 -------- d-----w- c:\program files\Trend Micro
2011-02-10 14:07 . 2011-02-10 14:07 -------- d-----w- C:\8fdcf7f2152423310cdd6f21261efc88
2011-02-08 07:13 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-02-08 06:58 . 2011-02-08 06:58 -------- d-----w- c:\program files\TrendMicro
2011-02-08 06:49 . 2011-02-08 06:49 -------- d-----w- c:\users\Michael R\AppData\Local\Microsoft Corporation
2011-02-08 06:21 . 2011-02-08 06:21 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2011-02-08 06:11 . 2011-02-08 06:11 -------- d-----w- c:\users\Michael R\AppData\Roaming\DriverCure
2011-02-08 06:10 . 2011-02-08 06:10 -------- d-----w- c:\users\Michael R\AppData\Roaming\ParetoLogic
2011-02-08 05:50 . 2001-08-30 13:30 226304 ----a-w- c:\windows\system32\wbem\provthrd.dll
2011-02-08 05:48 . 2004-01-24 10:34 174592 ----a-w- c:\windows\system32\wbem\framedyn.dll
2011-02-08 05:29 . 2011-02-08 05:29 -------- d-----w- c:\users\Michael R\AppData\Local\PackageAware
2011-02-08 05:20 . 2011-02-08 05:20 -------- d-----w- c:\users\Michael R\AppData\Roaming\RegGenie
2011-02-08 01:35 . 2011-02-08 01:35 -------- d-----w- C:\found.014
2011-02-04 12:57 . 2011-02-10 04:22 -------- d-----w- c:\program files\Inbox Toolbar
2011-01-30 15:45 . 2011-01-30 15:45 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-01-30 15:45 . 2011-01-30 15:45 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-01-29 19:57 . 2011-01-29 19:57 -------- d-----w- c:\users\Michael R\AppData\Roaming\Philips
2011-01-29 19:54 . 2011-01-29 19:54 -------- d-----w- c:\users\Michael R\AppData\Local\Philips-Songbird
2011-01-29 19:54 . 2011-01-29 19:54 -------- d-----w- c:\users\Michael R\AppData\Roaming\Philips-Songbird
2011-01-27 14:34 . 2011-01-27 14:34 -------- d--h--we C:\M
2011-01-27 13:46 . 2011-01-29 19:54 -------- d-----w- c:\program files\Philips
2011-01-25 07:28 . 2011-01-25 07:28 -------- d-----w- c:\users\Michael R\AppData\Roaming\JEPUMLim
2011-01-22 23:32 . 2005-09-24 00:02 887296 ----a-w- c:\windows\system32\KsDHTMLEDLib.ocx
2011-01-22 23:32 . 2011-01-23 14:08 -------- d-----w- c:\program files\Evrsoft First Page 2006
2011-01-22 18:06 . 2011-01-22 18:06 -------- d--h--we C:\L
2011-01-21 13:50 . 2011-01-24 14:33 -------- d-----w- C:\.mtvconvertertmp
2011-01-21 12:07 . 2011-01-21 12:08 -------- d-----w- c:\program files\Total Video Converter
2011-01-19 18:44 . 2011-01-19 18:44 -------- d-----w- c:\windows\system32\{userdocs}
2011-01-17 04:32 . 2011-02-11 05:48 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2011-01-17 04:31 . 2011-02-11 05:46 150712 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2011-01-17 04:31 . 2011-02-11 05:46 100864 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2011-01-16 11:24 . 2011-01-16 11:24 -------- d-----w- C:\K
2011-01-16 09:21 . 2011-01-16 09:21 -------- d-----w- c:\users\Michael R\AppData\Local\{2FBD07BC-4B04-4F45-B266-D003514F4CD1}
2011-01-16 09:01 . 2011-01-16 09:01 -------- d-----w- c:\users\Michael R\AppData\Local\{7C7E7BAE-E1CF-479B-9AB8-AD78929F1C3E}
2011-01-15 16:01 . 2011-01-15 16:01 -------- d-----w- C:\J

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-14 12:11 . 2007-10-12 19:24 33536 ----a-w- c:\windows\system32\drivers\tvtfilter.sys
2011-02-11 00:42 . 2009-10-28 14:07 6814952 ----a-w- c:\windows\system32\SpoonUninstall.exe
2011-02-03 00:11 . 2009-10-02 20:19 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-28 15:55 . 2011-01-12 08:11 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-21 07:31 . 2009-10-27 18:13 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-21 06:48 . 2010-12-21 06:48 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-21 01:09 . 2009-12-02 01:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 01:08 . 2009-12-02 01:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 14:49 . 2011-01-12 08:11 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-12-11 01:29 . 2010-12-11 01:29 64864 ----a-w- c:\windows\system32\sqlctr90.dll
2010-12-11 01:29 . 2010-12-11 01:29 2248032 ----a-w- c:\windows\system32\sqlncli.dll
2010-11-30 00:38 . 2010-11-30 00:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 00:38 . 2010-11-30 00:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2004-01-29 00:33 . 2008-11-23 20:45 2105420 ----a-w- c:\program files\Common Files\soundsoap.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Easy Dock"="c:\users\Michael R\Documents\RCA easyRip\EZDock.exe" [2010-08-11 581632]
"AVO Ram Optimizer"="c:\program files\systweak\advanced vista optimizer 2009\AVO.exe" [2009-01-09 216296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mouse Suite 98 Daemon"="ICO.EXE" [2007-02-11 77824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-18 141848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Philips Device Listener"="c:\program files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe" [2010-05-27 375296]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-02-11 273544]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]

c:\users\Michael R\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
RCA Detective.lnk - c:\users\Michael R\Documents\RCA Detective\RCADetective.exe [2011-1-19 804352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux8"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit Financial Center
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVO Ram Optimizer]
2009-01-09 19:44 216296 ----a-w- c:\program files\Systweak\Advanced Vista Optimizer 2009\AVO.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AwaySch]
2006-11-07 10:51 91688 ------w- c:\program files\Lenovo\AwayTask\AwaySch.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-06-18 21:01 166424 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-06-18 21:01 141848 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-14 00:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-06 05:55 54832 ------w- c:\program files\Lenovo Multimedia Center\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LenovoOobeOffers]
2006-12-29 17:01 28672 ------w- c:\swtools\LenovoWelcome\LenovoOobeOffers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2007-04-26 17:10 120368 ------w- c:\progra~1\Lenovo\LENOVO~2\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-21 01:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
2007-02-11 18:09 77824 ------w- c:\windows\System32\ico.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Password Manager]
2007-06-12 20:43 837184 ------w- c:\program files\Lenovo\Password Manager\password_manager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-06-18 21:01 133656 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner Scheduler]
2010-03-23 23:30 471650 ----a-w- c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 22:10 56928 ------w- c:\program files\Lenovo Multimedia Center\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 08:11 132496 ------w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-02-11 05:45 273544 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2008-03-04 17:34 487424 ----a-w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WPCUMI]
2006-11-02 12:35 176128 ------w- c:\windows\System32\wpcumi.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AVO Ram Optimizer"=c:\program files\systweak\advanced vista optimizer 2009\AVO.exe -s
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"3c1807pd"=c:\windows\SYSTEM32\USRLdr.exe RunServices \Device\3cpipe-3c1807pd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 bknt;bknt;c:\windows\System32\drivers\ytup.sys [x]
R0 ismre;ismre; [x]
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Nakido;Nakido;c:\program files\Nakido\nakido.exe [2010-06-29 334336]
R2 spoolsv.exe;spoolsv.exe; [x]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2005-11-21 16512]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
R3 PCD5SRVC{7912F32C-DD08463D-05040103}_0;PCD5SRVC{7912F32C-DD08463D-05040103}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\Lenovo Hard Drive Quick Test\pcd5srvc.pkms [2008-09-19 20640]
R3 TBU11;Turtle Beach USB MIDI 1x1 Driver;c:\windows\system32\Drivers\tbu11.sys [2003-03-06 13824]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AVO2009 Defrag;AVO2009 Defrag;c:\program files\Systweak\Advanced Vista Optimizer 2009\AVODefragService32.exe [2009-01-09 398056]
R4 gupdate1c9a2184c7fcbea;Google Update Service (gupdate1c9a2184c7fcbea);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-09 136176]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-07-10 569344]
S3 CLEDX;Team H2O CLEDX service;c:\windows\system32\DRIVERS\cledx.sys [2005-05-10 33792]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2011-01-29 c:\windows\Tasks\1-Click Maintenance.job
- d:\program files\TuneUp Utilies 08\OneClick.exe [2007-12-21 15:09]

2011-02-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-12 16:17]

2011-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-09 17:32]

2011-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-09 17:32]

2011-02-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2607465677-4122810184-2481376653-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 21:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.bresnan.net/
uInternet Settings,ProxyOverride = <local>;*.local
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
FF - ProfilePath - c:\users\Michael R\AppData\Roaming\Mozilla\Firefox\Profiles\kxwcyr42.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2856416&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b04950b&v=6.011.025.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Launchy: launchy@gemal.dk - %profile%\extensions\launchy@gemal.dk
FF - Ext: Toggle Private Browsing: toggleprivatebrowsing@supernova00.biz - %profile%\extensions\toggleprivatebrowsing@supernova00.biz
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
FF - Ext: ShareThis: {1b8cc170-8c85-11db-b606-0800200c9a66} - %profile%\extensions\{1b8cc170-8c85-11db-b606-0800200c9a66}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
FF - Ext: Fire.fm: {6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3} - %profile%\extensions\{6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3}
FF - Ext: ImTranslator: {9AA46F4F-4DC7-4c06-97AF-5035170634FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
FF - Ext: DictionarySearch: {a0faa0a4-f1a7-4098-9a74-21efc3a92372} - %profile%\extensions\{a0faa0a4-f1a7-4098-9a74-21efc3a92372}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: WeatherBug: {3EC9C995-8072-4fc0-953E-4F30620D17F3} - %profile%\extensions\{3EC9C995-8072-4fc0-953E-4F30620D17F3}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-Easy Dock - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-AMSG - c:\program files\ThinkVantage\AMSG\Amsg.exe
MSConfigStartUp-DiskeeperSystray - c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-14 05:33
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{7912F32C-DD08463D-05040103}_0]
"ImagePath"="\??\c:\program files\Lenovo Hard Drive Quick Test\pcd5srvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2607465677-4122810184-2481376653-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Ð[Ýb×.]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2607465677-4122810184-2481376653-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Ð[Ýb×.\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-2607465677-4122810184-2481376653-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{797B7689-3061-6DCC-87E8-505E9DA41AA5}*]
"naojnjhoppefokmcpcegkeeailbh"=hex:6a,61,64,6d,6c,6c,66,6c,63,6d,6c,6c,6a,61,
66,70,6a,69,63,6e,00,f5

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CakewalkPlugIns\DRúvÁ*]
"Description"="Cakewal"
"HelpFilePath"=""
"HelpFileTopic"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-02-14 05:37:51
ComboFix-quarantined-files.txt 2011-02-14 12:37

Pre-Run: 10,130,939,904 bytes free
Post-Run: 10,596,474,880 bytes free

- - End Of File - - 6A26919C5C2E1D5D416E1C47D2195596

Edited by hamluis, 14 February 2011 - 01:23 PM.
Moved from Vista forum to Malware Removal Logs.



#2 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 19 February 2011 - 08:32 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 micmogen (Topic Starter)

Posted 24 February 2011 - 09:51 AM

WOW . . .thanks for the consideration. Was about to "give up" on reply. Okay, now I'm "watching" this post.

Unfortunately I have not refrained from attempting several "unsupervised" fixes. SORRY. Much has been accomplished/cleaned. The only chronic problem that I am having, and most urgently needing correction, is the networking. While the network icon indicates "seeing" a connection, it is unable to create a Local Area Connection via ethernet adapter to our cable modem. The issue is certainly my Vista operating system.

Sorry again for pursuing some "self" change, but I should amend the above log with this list of system event errors upon start-up. What seems to be occurring is that between system services there is inconsistency (differences) in the service accounts. Don't know if there's a "quick fix" patch to reset accounts for all those services and their dependencies. Here are the errors (paraphrased; chronologically upon start-up they would occur from the bottom to the top of the list):

TPM Base Services failed to start, service is different account
KtmRm for Distributed Transaction failed to start, different account
Remote Access Connection Manager depends on Secure Socket Tunneling Protocol, service is different
Telephony account is different
WinHTTP Web Proxy Auto-Discovery depends on DHCP Client, failed, service is different
Diagnostic System Host terminated unexpectedly
Tablet PC Input Service terminated unexpectedly
Superfetch service terminated unexpectedly
Program Compatibility Assistant Service terminated unexpectedly
Network Connections service terminated unexpectedly
ReadyBoost terminated unexpectedly
Windows Audio Endpoint Builder terminated unexpectedly
svchost.exe_SysMain, version 6.0.6001, faulting module ntdll.dll version 6.0.6002.18005
Portable Device Enumerator Service terminated unexpectedly
Desktop Window Manager terminated unexpectedly
Distributed Link Tracking Client terminated
Print Spooler terminated
SpoolerSpoolss failed to initialize, error: 0x80072af9
boot-start or system-start drivers failed to load: bknt, ismre, Lbd, tclondrv
Windows Time service failed to start, different account
UPnP Device Host service depends on SSDP Discovery, failed (operation completed successfully)
SQLAgent$SONY_MEDIAMANAGER service depends on MSSQL$SONY_MEDIAMGR, disabled, no enabled devices
IPsec Policy Agent terminated, support for socket type does not exist in this address family
IKE and AuthIP IPsec Keying Modules service load failed
Function Discovery Resource Publication failed, different service
Computer Browser depends on Workstation Service, failed, different service
WebClient service failed, different service
TCP/IP NetBIOS Helper failed, different service
configuration AdminConnection\TCP protocol in SQL instance SQLEXPRESS is not valid
SQL Browser service unable to establish instance and connectivity
SQL Browser service port is unavailable for listening or invalid
TaskScheduler service encountered RPC initialization error in RpcServerUseProtseq:ncacn_ip_tcp, error value 1703
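Added example, not part of the original thread and not ComboFix's own code: a small Python triage script for the service and registry sections of a ComboFix log like the one in post #1. It parses the "R0 name;display;path [date size]" service lines (the assumed convention, not documented on this page, is that the letter means running/stopped, the digit is the Service Control Manager Start type, and "[x]" replaces the date and size when the binary could not be found), lists boot- and system-start entries whose file is gone (the same four names, bknt, ismre, Lbd and tclondrv, that the Event Log summary in post #3 reports as failed boot-start drivers), lists running services that carry no image path at all, and reports the Security Center Monitoring keys where DisableMonitoring is set. The sample input is a constructed excerpt of lines from the posted log; the function names are the example's own.

```python
"""Triage helpers for the service and registry sections of a ComboFix log.

Added example: not ComboFix code and not from the thread. Assumed line
convention: leading letter R/S = running/stopped, digit = SCM Start type,
and "[x]" in place of "[date size]" when ComboFix could not find the binary.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: an excerpt of lines copied from the log posted above.
SAMPLE_LOG = r"""
R0 bknt;bknt;c:\windows\System32\drivers\ytup.sys [x]
R0 ismre;ismre; [x]
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys [x]
R2 Nakido;Nakido;c:\program files\Nakido\nakido.exe [2010-06-29 334336]
R2 spoolsv.exe;spoolsv.exe; [x]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-07-10 569344]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
"""

START_TYPE = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# "R0 name;display;path [2010-06-29 334336]"  or  "... [x]" when the file is missing
SERVICE_RE = re.compile(r"^([RS])([0-4]) (.*) \[([^\]]*)\]$")
KEY_RE = re.compile(r"^\[(.+)\]$")                            # [HKEY_...\key]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')  # "Name"=dword:00000001


@dataclass
class ServiceEntry:
    running: bool
    start: str          # boot / system / auto / manual / disabled
    name: str
    display: str
    path: str           # empty when ComboFix printed no image path
    file_missing: bool  # True when the line ends in "[x]"


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Extract the R?/S? service lines; every other line is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.rstrip())
        if not m:
            continue
        state, start, body, meta = m.groups()
        parts = body.split(";", 2)
        if len(parts) != 3:
            continue
        name, display, path = (p.strip() for p in parts)
        entries.append(ServiceEntry(state == "R", START_TYPE[start], name, display, path, meta == "x"))
    return entries


def failed_early_drivers(entries: List[ServiceEntry]) -> List[str]:
    """Boot- or system-start entries whose binary is gone. These are what the
    Service Control Manager logs as 'boot-start or system-start drivers failed to load'."""
    return sorted((e.name for e in entries if e.file_missing and e.start in ("boot", "system")),
                  key=str.lower)


def pathless_running_services(entries: List[ServiceEntry]) -> List[str]:
    """Running, non-boot services with no image path at all. A service named after a
    system binary with nothing behind it deserves a manual look."""
    return [e.name for e in entries
            if e.running and e.start not in ("boot", "system") and not e.path]


def disabled_security_center_monitoring(log_text: str) -> List[str]:
    """Keys under Security Center\\Monitoring whose DisableMonitoring value is 1.
    Vendor subkeys are often written by a legitimately installed AV product; the
    top-level key and any vendor you do not recognise are the ones to verify."""
    hits, current_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            current_key = k.group(1)
            continue
        v = DWORD_RE.match(line)
        if (v and current_key and r"security center\monitoring" in current_key.lower()
                and v.group(1).lower() == "disablemonitoring" and int(v.group(2), 16) == 1):
            hits.append(current_key)
    return hits


def triage(log_text: str) -> Dict[str, List[str]]:
    """Run all three checks over a whole ComboFix log and return the findings."""
    entries = parse_services(log_text)
    return {
        "failed_early_drivers": failed_early_drivers(entries),
        "pathless_running_services": pathless_running_services(entries),
        "security_center_monitoring_disabled": disabled_security_center_monitoring(log_text),
    }


if __name__ == "__main__":
    for category, names in triage(SAMPLE_LOG).items():
        print(category + ":")
        for n in names:
            print("  " + n)
```

Run it with python3 and it prints the three lists for the embedded sample; pass the text of a whole ComboFix log to triage() for a real case. A hit is a pointer to check, not a verdict: the vendor subkeys under Security Center\Monitoring are commonly set by an installed AV product itself, and a driver entry whose file is missing can just as easily be residue of an uninstalled tool as of a cleaned infection.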

#4 m0le (Malware Response Team)

Posted 24 February 2011 - 07:37 PM

This is a malware forum so networking isn't something I will be able to help you with. You ran Combofix without supervision and you've fixed the system so you have a large number of errors on startup.

I won't be able to do much on this type of system as we are likely to come up against more errors as we go.

I would like to test that theory though so please rerun Combofix if you have it still, agree any updates and post the log.
m0le is a proud member of UNITE

#5 m0le (Malware Response Team)

Posted 27 February 2011 - 09:14 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#6 m0le (Malware Response Team)

Posted 28 February 2011 - 07:14 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
m0le is a proud member of UNITE



