
2 ADS could not be removed!


  • This topic is locked
9 replies to this topic

#1 WinBMY

WinBMY

  • Members
  • 176 posts
  • OFFLINE
  •  
  • Local time:04:18 AM

Posted 16 February 2011 - 09:17 PM

HI,

I use HiJackThis MISC tool's "Open ADS spy" to scan my PC and found 2 alternative data streams that they are strange:


C:\Documents and Settings\All Users\Application Data\TEMP : C43ED645 (129 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : C43ED645 (129 bytes)

I check them to remove and fail to do so.

Please guide me to solve this issue.

And here is the DDS log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by BMYM at 10:26:01.85 on 2011/02/17 星期四
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.766.349 [GMT 8:00]

AV: COMODO Antivirus *Enabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *Enabled*

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
D:\Virus Detection and Firewall\Comodo\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINNT\system32\svchost.exe -k netsvcs
C:\WINNT\system32\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\svchost.exe -k imgsvc
C:\WINNT\System32\svchost.exe -k HTTPFilter
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\1XConfig.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
D:\Virus Detection and Firewall\SpyShelter Personal Free\SpyShelter.exe
D:\Virus Detection and Firewall\Comodo\COMODO\COMODO Internet Security\cfp.exe
D:\Virus Detection and Firewall\SASAnti\SUPERAntiSpyware.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\igfxsrvc.exe
C:\WINNT\notepad.exe
C:\Program Files\Mobile Partner\Mobile Partner.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\BMYM\桌面\dds.scr
C:\WINNT\system32\conime.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.bringthere.com
uInternet Connection Wizard,ShellNext = hxxp://www.comodo.com/images/style/logo.gif
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SUPERAntiSpyware] d:\virus detection and firewall\sasanti\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\winnt\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [igfxtray] c:\winnt\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\winnt\system32\hkcmd.exe
mRun: [igfxpers] c:\winnt\system32\igfxpers.exe
mRun: [ZCfgSvc.exe] c:\winnt\system32\ZCfgSvc.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [CJIMETIPSYNC] c:\program files\common files\microsoft shared\ime\imtc65\changjie\CINTLCFG.EXE /CJIMETIPSync
mRun: [PHIMETIPSYNC] c:\program files\common files\microsoft shared\ime\imtc65\phonetic\TINTLCFG.EXE /PHIMETIPSync
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SpyShelter] d:\virus detection and firewall\spyshelter personal free\SpyShelter.exe
mRun: [COMODO Internet Security] "d:\virus detection and firewall\comodo\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: Add to Google Photos Screensa&ver - c:\winnt\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: {08EF3536-F2C0-4C66-BE28-ECAFB8570246} = 156.154.70.22,156.154.71.22
TCP: {CA1EEDC5-B4C7-41E7-BE1A-A172569BCB1B} = 156.154.70.22,156.154.71.22
TCP: {F1800C5F-9017-4E9D-A9EE-76142E6AD33A} = 210.241.192.201 168.95.1.1
Notify: !SASWinLogon - d:\virus detection and firewall\sasanti\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: Sebring - c:\winnt\system32\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\virus detection and firewall\sasanti\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bmym\applic~1\mozilla\firefox\profiles\yqhm3vg4.default\
FF - plugin: c:\documents and settings\bmym\application data\mozilla\firefox\profiles\yqhm3vg4.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\winnt\system32\tvuax\npTVUAx.dll
FF - plugin: d:\google picasa\picasa3\npPicasa3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com

============= SERVICES / DRIVERS ===============

R0 CFRPD;CFRPD;c:\winnt\system32\drivers\CFRPD.sys [2009-8-4 56736]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\winnt\system32\drivers\cmderd.sys [2010-12-29 15592]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\winnt\system32\drivers\cmdGuard.sys [2010-12-29 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\winnt\system32\drivers\cmdhlp.sys [2010-12-29 27576]
R1 SASDIFSV;SASDIFSV;d:\virus detection and firewall\sasanti\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;d:\virus detection and firewall\sasanti\SASKUTIL.SYS [2010-5-11 67656]
R1 SpyShelter;SpyShelter;d:\virus detection and firewall\spyshelter personal free\SpyShelter.sys [2010-12-8 174528]
R2 cmdAgent;COMODO Internet Security Helper Service;d:\virus detection and firewall\comodo\comodo\comodo internet security\cmdagent.exe [2010-12-29 1803224]
S2 CLPSLS;COMODO livePCsupport Service;"c:\program files\comodo\comodo livepcsupport\clpsls.exe" --> c:\program files\comodo\comodo livepcsupport\CLPSLS.exe [?]
S2 PEVSystemStart;PEVSystemStart;"c:\combofix\pev.cfxxe" exec /i "c:\combofix\hidec.exe" "c:\combofix\swreg.exe" acl "hkey_local_machine\system\currentcontrolset\enum\root\legacy_beep" /reset /q --> c:\combofix\PEV.cfxxe [?]
S3 EMVSCARD;EMVSCARD;c:\winnt\system32\drivers\emvscard.sys --> c:\winnt\system32\drivers\EMVSCARD.sys [?]
S3 GTICARD;GTICARD;c:\winnt\system32\drivers\gticard.sys [2003-10-23 76160]

=============== Created Last 30 ================

2011-02-14 06:17:17 249656 ----a-w- c:\winnt\system32\drivers\cumon.sys
2011-02-14 06:16:53 19176 ----a-w- c:\winnt\system32\drivers\evdd.sys
2011-02-08 01:20:11 -------- d--h--w- C:\VritualRoot
2011-01-26 03:33:43 368640 ----a-w- c:\winnt\system32\fmtkit60.dll
2011-01-24 06:17:25 -------- d-s---w- C:\ComboFixbak
2011-01-24 05:11:19 98816 ----a-w- c:\winnt\sed.exe
2011-01-24 05:11:19 161792 ----a-w- c:\winnt\SWREG.exe
2011-01-24 04:48:18 4224 -c--a-w- c:\winnt\system32\dllcache\beep.sys
2011-01-24 04:48:18 4224 ----a-w- c:\winnt\system32\drivers\beep.sys
2011-01-21 12:35:45 25544 ----a-w- c:\winnt\system32\cnat.exe
2011-01-21 12:31:29 -------- d-----w- c:\docume~1\bmym\applic~1\ComodoGroup
2011-01-18 06:44:02 -------- d-----w- c:\winnt\system32\NtmsData
2011-01-18 06:21:21 -------- d-----w- c:\program files\Avira

==================== Find3M ====================

2010-12-28 17:42:04 285480 ----a-w- c:\winnt\system32\guard32.dll
2010-12-26 14:13:59 709456 ----a-w- c:\winnt\isRS-000.tmp
2010-12-02 03:35:18 4280320 ----a-w- c:\winnt\system32\GPhotos.scr
2010-11-29 12:02:28 21952 ----a-w- c:\winnt\system32\SpyShelterShellExt.dll

============= FINISH: 10:27:45.80 ===============

EDIT: Posts merged ~BP

Edited by Budapest, 16 February 2011 - 10:53 PM.




#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:18 AM

Posted 17 February 2011 - 03:46 PM

Good evening. :)

Alternate Data Streams are often legitimate, so simply finding them isn't an automatic cause for concern. Why the two detections couldn't be removed isn't clear, but as they appear to be temp files, given the location, try the following:

Download TFC by OldTimer from here and save it to your Desktop.

  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download RegQuery from here and save it to your Desktop.
  • Double click the file to run it.
  • Copy the following keyname to your clipboard - either CTRL + C or right click will do.

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
  • Click Paste from Clipboard and then Query.
  • A Notepad window should open with some text in it - either that or you'll get a pop-up telling you to check the keyname.
  • Let me have the contents of the file in your next reply.

So long, and thanks for all the fish.

 

 


#3 WinBMY

WinBMY
  • Topic Starter

  • Members
  • 176 posts
  • OFFLINE
  •  
  • Local time:04:18 AM

Posted 17 February 2011 - 08:53 PM

Hi, Noviciate

Thanks for the instructions. I followed your directions, and here is the query log:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{08EF3536-F2C0-4C66-BE28-ECAFB8570246}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):00,00
"DhcpClassIdBin"=hex:
"DhcpServer"="255.255.255.255"
"Lease"=dword:00000e10
"LeaseObtainedTime"=dword:4b091039
"T1"=dword:4b091741
"T2"=dword:4b091c87
"LeaseTerminatesTime"=dword:4b091e49
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:6d1e4aa6
"AddressType"=dword:00000000
"IsServerNapAware"=dword:00000000
"NameServer"="156.154.70.22,156.154.71.22"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{704D7C8C-DCFD-4CAD-BEA6-C504138E6E0C}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=hex(7):00,00
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"DhcpClassIdBin"=hex:
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{99DE1DAC-4CFC-468C-BB51-C0C3A75D26A3}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C778C1A9-6143-465F-A143-8CA50883FAAF}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=hex(7):00,00
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"RegistrationEnabled"=dword:00000000
"DhcpClassIdBin"=hex:
"RegisterAdapterName"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CA1EEDC5-B4C7-41E7-BE1A-A172569BCB1B}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
32,00,00,00,00,00
"DhcpClassIdBin"=hex:
"DhcpServer"="192.168.1.1"
"Lease"=dword:0003f480
"LeaseObtainedTime"=dword:4bf8dce4
"T1"=dword:4bfad724
"T2"=dword:4bfc52d4
"LeaseTerminatesTime"=dword:4bfcd164
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:00000000
"AddressType"=dword:00000000
"IsServerNapAware"=dword:00000000
"DhcpIPAddress"="192.168.1.52"
"DhcpSubnetMask"="255.255.255.0"
"NameServer"="156.154.70.22,156.154.71.22"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DA10EBD3-B6E7-4666-A2EE-018A6BE6AAA3}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F1800C5F-9017-4E9D-A9EE-76142E6AD33A}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=hex(7):00,00
"DhcpIPAddress"="0.0.0.0"
"DhcpClassIdBin"=hex:
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000
"NameServer"=""
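
The export above is a plain regedit-format dump, and its hex(7) entries are UTF-16LE REG_MULTI_SZ strings, so it can be read by a script rather than by eye. The following Python is an added example, not code from the thread or from either poster: it parses an Interfaces export of this shape, decodes the dword, string, hex and hex(7) values, and lists each adapter GUID with its EnableDHCP flag, DhcpServer and NameServer, flagging any interface whose NameServer (the manually configured resolvers; DHCP-supplied ones are stored under DhcpNameServer) contains an address outside an approved set. The sample export, its GUIDs and its addresses are constructed placeholders.

```python
"""Added example (not from the thread): summarise a .reg export of the Tcpip
Interfaces key, decoding REG_MULTI_SZ (hex(7)) values and flagging interfaces
whose manually configured NameServer is not on an approved list."""
import re
from typing import Any, Dict, FrozenSet, List

# Constructed sample in the shape of a regedit / RegQuery export. GUIDs and
# addresses are placeholders (RFC 5737 documentation ranges), not real values.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAAA0000-0000-0000-0000-000000000001}]
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
  32,00,00,00,00,00
"DhcpClassIdBin"=hex:
"DhcpServer"="192.0.2.1"
"NameServer"="192.0.2.53,192.0.2.54"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAAA0000-0000-0000-0000-000000000002}]
"EnableDHCP"=dword:00000000
"NameServer"=""
'''


def _logical_lines(text: str) -> List[str]:
    """Join value lines that regedit wrapped with a trailing backslash."""
    out, pending = [], ""
    for line in text.splitlines():
        line = (pending + line.strip()) if pending else line.rstrip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        out.append(line)
        pending = ""
    return out


def _decode_value(raw: str) -> Any:
    """Decode the right-hand side of a "name"=value line."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        # REG_SZ; regedit escapes backslashes and quotes inside the string
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "7":
            # REG_MULTI_SZ: UTF-16LE strings separated by NUL, double-NUL terminated
            return [s for s in data.decode("utf-16-le").split("\x00") if s]
        return data  # REG_BINARY (hex:) or another typed hex(n) value, left as bytes
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, Any]]:
    """Return {key path: {value name: decoded value}} for every key in the export."""
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = _decode_value(raw)
    return keys


def summarize_interfaces(keys: Dict[str, Dict[str, Any]],
                         approved: FrozenSet[str] = frozenset()) -> List[Dict[str, Any]]:
    """One row per adapter GUID; 'suspicious' marks a NameServer entry not in `approved`."""
    rows = []
    for path, values in keys.items():
        guid = path.rsplit("\\", 1)[-1]
        if not guid.startswith("{"):
            continue  # the parent Interfaces key carries no per-adapter settings
        # NameServer holds resolvers entered by hand (or written by software);
        # DHCP-supplied resolvers land in DhcpNameServer instead, so a populated
        # NameServer on a DHCP-enabled interface deserves a second look.
        static_dns = [s for s in re.split(r"[,\s]+", str(values.get("NameServer", ""))) if s]
        rows.append({
            "guid": guid,
            "dhcp": bool(values.get("EnableDHCP", 0)),
            "dhcp_server": values.get("DhcpServer", ""),
            "name_server": static_dns,
            "suspicious": any(s not in approved for s in static_dns),
        })
    return rows


if __name__ == "__main__":
    for row in summarize_interfaces(parse_reg_export(SAMPLE_REG)):
        print(row)
```

Run it against a saved export with `parse_reg_export(open("interfaces.reg", encoding="utf-16").read())` (regedit writes UTF-16 files; RegQuery's Notepad output may be ANSI, in which case drop the encoding argument) and pass the resolvers you actually expect as `approved`.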

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:18 AM

Posted 18 February 2011 - 03:05 PM

Good evening. :)

Go to Start >> Run..., enter cmd in the textbox and click OK - this should open a Command Window.
Copy and paste the following text into the Window and hit <ENTER>:

ipconfig /all >> "%userprofile%\desktop\texty.txt"

I'd like a copy of the text file texty.txt that should have appeared on the Desktop, as if by magic - or by Windows if you're less impressed than i'd hoped! :blink:

So long, and thanks for all the fish.

 

 


#5 WinBMY

WinBMY
  • Topic Starter

  • Members
  • 176 posts
  • OFFLINE
  •  
  • Local time:04:18 AM

Posted 18 February 2011 - 08:07 PM

Hi, this is the text file you requested:


Windows IP Configuration



Host Name . . . . . . . . . . . . : jack-7e05630515

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : Yes

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter 區域連線:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Broadcom 570x Gigabit Integrated Controller

Physical Address. . . . . . . . . : 00-0D-56-6D-56-3E



PPP adapter 遠傳電信:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface

Physical Address. . . . . . . . . : 00-53-45-00-00-00

Dhcp Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 61.20.169.253

Subnet Mask . . . . . . . . . . . : 255.255.255.255

Default Gateway . . . . . . . . . : 61.20.169.253

DNS Servers . . . . . . . . . . . : 210.241.192.201

168.95.1.1

Primary WINS Server . . . . . . . : 10.11.12.13

Secondary WINS Server . . . . . . : 10.11.12.14

NetBIOS over Tcpip. . . . . . . . : Disabled

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:18 AM

Posted 19 February 2011 - 03:14 PM

Good evening. :)

There's a setting that you need to alter that looks to me like it is a leftover from a previous nasty that you came across.

Go to Start > Control Panel >Network Connections. Right click your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on Properties.
Under This connection uses the following items:, locate and double click the Internet Protocol (TCP/IP) entry.
* Make a note of the settings before you change them just in case you need to put them back how they were.
If it isn't already selected, select the radio button that says Obtain DNS servers automatically and then click OK twice.

Should you have issues with accessing pages online then you need to rerun the instructions but click the Use the following DNS addresses: radio button and enter the numbers that were there originally.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Assuming that all went well with the above, do the below and post accordingly. If nothing major shows up with the scan, we'll tidy-up and you'll be on your way.

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you UNCHECK the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

So long, and thanks for all the fish.

 

 


#7 WinBMY

WinBMY
  • Topic Starter

  • Members
  • 176 posts
  • OFFLINE
  •  
  • Local time:04:18 AM

Posted 19 February 2011 - 11:11 PM

Hi, ESET online scan result: No Threat was Found!

Here is the new ipconfig log:

Windows IP Configuration

Host Name . . . . . . . . . . . . : jack-7e05630515
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No


Ethernet adapter 區域連線:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom 570x Gigabit Integrated Controller
Physical Address. . . . . . . . . : 00-0D-56-6D-56-3E



PPP adapter 遠傳電信:


Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 118.231.101.204
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 118.231.101.204
DNS Servers . . . . . . . . . . . : 210.241.192.201
168.95.1.1
Primary WINS Server . . . . . . . : 10.11.12.13
Secondary WINS Server . . . . . . : 10.11.12.14
NetBIOS over Tcpip. . . . . . . . : Disabled

Edited by WinBMY, 19 February 2011 - 11:14 PM.
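
Comparing the two `ipconfig /all` captures in #5 and #7 by hand is error-prone, and the DNS check in #6 is really a question of which fields changed per adapter. The following Python is an added example, not code from the thread or from either poster: it parses `ipconfig /all` output into sections and fields (handling the unlabeled continuation lines that carry a second DNS server, which relies on the original indentation of the command's output), lists the DNS servers per adapter, and reports field-by-field what differs between a "before" and an "after" capture. The sample captures, host name and addresses are constructed placeholders.

```python
"""Added example (not from the thread): parse `ipconfig /all` output into
{section: {field: [values]}}, list DNS servers per adapter, and report what
changed between two captures taken before and after a settings change."""
import re
from typing import Dict, List, Tuple

# Dotted-leader label, e.g. "DNS Servers . . . . . . . . . . . : 192.0.2.53"
_FIELD = re.compile(r"^\s*(.+?)\s*(?:\.\s*)+:\s*(.*?)\s*$")

# Constructed sample in the Windows XP ipconfig /all layout; host name and
# addresses are placeholders (RFC 5737 documentation ranges).
SAMPLE_BEFORE = """Windows IP Configuration

        Host Name . . . . . . . . . . . . : example-host
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Example Gigabit Controller
        Physical Address. . . . . . . . . : 00-00-5E-00-53-01

PPP adapter Example ISP:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 203.0.113.7
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 203.0.113.7
        DNS Servers . . . . . . . . . . . : 192.0.2.53
                                            192.0.2.54
        NetBIOS over Tcpip. . . . . . . . : Disabled
"""

# Constructed "after" capture: the two hand-entered resolvers are replaced by
# a single resolver, as if the adapter had been switched to automatic DNS.
SAMPLE_AFTER = "\n".join(
    l for l in SAMPLE_BEFORE.splitlines() if "192.0.2.54" not in l
).replace("192.0.2.53", "198.51.100.53")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each section (global block or adapter) to its fields and value lists."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    section, field = None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _FIELD.match(line)
        if m and section is not None:
            field, value = m.group(1), m.group(2)
            sections[section][field] = [value] if value else []
        elif line[:1].isspace() and field is not None:
            # indented line without a label: extra value of a multi-valued field
            sections[section][field].append(line.strip())
        else:
            # section header: "Windows IP Configuration" or "<type> adapter <name>:"
            section, field = line.strip().rstrip(":"), None
            sections[section] = {}
    return sections


def dns_servers(config: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """DNS servers per adapter, for adapters that report any."""
    return {name: fields["DNS Servers"]
            for name, fields in config.items() if "DNS Servers" in fields}


def diff_configs(before: Dict[str, Dict[str, List[str]]],
                 after: Dict[str, Dict[str, List[str]]],
                 ) -> Dict[Tuple[str, str], Tuple[List[str], List[str]]]:
    """(section, field) -> (old values, new values) for every field that changed."""
    changes = {}
    for section in sorted(set(before) | set(after)):
        b, a = before.get(section, {}), after.get(section, {})
        for field in sorted(set(b) | set(a)):
            if b.get(field, []) != a.get(field, []):
                changes[(section, field)] = (b.get(field, []), a.get(field, []))
    return changes


if __name__ == "__main__":
    before, after = parse_ipconfig(SAMPLE_BEFORE), parse_ipconfig(SAMPLE_AFTER)
    print("DNS before:", dns_servers(before))
    print("DNS after: ", dns_servers(after))
    for (section, field), (old, new) in diff_configs(before, after).items():
        print(f"{section} / {field}: {old} -> {new}")
```

To use it on real captures, read the two files produced by `ipconfig /all >> file.txt` and pass their contents to `parse_ipconfig`; a change in DNS Servers on an adapter that is not supposed to change resolvers is the item to investigate.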


#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:18 AM

Posted 20 February 2011 - 02:49 PM

Good evening. :)

If the file c:\winnt\isRS-000.tmp can be found on your system, delete it. Apart from that, I think that's your lot, unless the PC isn't behaving itself in any way.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your version of Sun Java may need updating, but I can't say for certain without further info. If you go to Start >> All Programs >> Add/Remove Programs you want to see Java 6 Update 24 alone.

If the update(s) shown is/are less than 24, you need to follow all of the below:

1) Go here and click on the Windows XP/Vista/2000/2003/2008 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***

  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older version of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.

If update 24 is there, only follow step 2 to remove any traces of older versions from your system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.
It's a little old, but still contains some good ideas.

So long, and thanks for all the fish.

 

 


#9 WinBMY

WinBMY
  • Topic Starter

  • Members
  • 176 posts
  • OFFLINE
  •  
  • Local time:04:18 AM

Posted 23 February 2011 - 09:27 AM

Thank you very much. For the last two days I could not download JavaRa.zip, but today I finally downloaded it, and I have done what you instructed.

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:18 AM

Posted 25 February 2011 - 03:49 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.

 

 




