Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can't connect to Internet after Combofix


  • This topic is locked This topic is locked
2 replies to this topic

#1 dartshad

dartshad

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:13 PM

Posted 11 December 2011 - 06:40 PM

Hello,

I used Combofix to remove a rootkit from my other PC, which seemed to work. However, now I cannot reconnect to the internet, despite trying to right click the network icon and clicking repair. Any help would be greatly appreciated. Here is my Combofix log:


ComboFix 11-12-10.01 - Jason Truong 12/10/2011 23:00:22.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.677 [GMT -5:00]
Running from: c:\documents and settings\Jason Truong\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Jason Truong\Application Data\Desktopicon
c:\documents and settings\Jason Truong\Application Data\Desktopicon\eBay.ico
c:\documents and settings\Jason Truong\Application Data\Desktopicon\uninst.exe
c:\documents and settings\Jason Truong\g2mdlhlpx.exe
c:\documents and settings\Jason Truong\Local Settings\Temporary Internet Files\enebisyz.dll
c:\documents and settings\Jason Truong\Local Settings\Temporary Internet Files\igonu._dl
c:\documents and settings\Jason Truong\Local Settings\Temporary Internet Files\udixaxasym.dl
c:\documents and settings\Jason Truong\Local Settings\Temporary Internet Files\ugarof.lib
c:\documents and settings\Jason Truong\WINDOWS
c:\documents and settings\Jason Truong\WoW-2.1.3.6898-to-0.2.0.6932-enUS-patch.exe
c:\recycler\k-1-3542-4232123213-7676767-8888886
c:\windows\$NtUninstallKB20452$\3505168136\@
c:\windows\$NtUninstallKB20452$\3505168136\bckfg.tmp
c:\windows\$NtUninstallKB20452$\3505168136\cfg.ini
c:\windows\$NtUninstallKB20452$\3505168136\Desktop.ini
c:\windows\$NtUninstallKB20452$\3505168136\keywords
c:\windows\$NtUninstallKB20452$\3505168136\kwrd.dll
c:\windows\$NtUninstallKB20452$\3505168136\L\pdmzmplg
c:\windows\$NtUninstallKB20452$\3505168136\lsflt7.ver
c:\windows\$NtUninstallKB20452$\3505168136\U\00000001.@
c:\windows\$NtUninstallKB20452$\3505168136\U\00000002.@
c:\windows\$NtUninstallKB20452$\3505168136\U\00000004.@
c:\windows\$NtUninstallKB20452$\3505168136\U\80000000.@
c:\windows\$NtUninstallKB20452$\3505168136\U\80000004.@
c:\windows\$NtUninstallKB20452$\3505168136\U\80000032.@
c:\windows\$NtUninstallKB20452$\984829057
c:\windows\CSC\d6
c:\windows\emap.scr
c:\windows\kb913800.exe
c:\windows\system32\Settings
c:\windows\system32\Settings\Settings.ini
c:\windows\$NtUninstallKB20452$ . . . . Failed to delete
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-11 to 2011-12-11 )))))))))))))))))))))))))))))))
.
.
2011-12-11 04:15 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2011-12-11 01:23 . 2002-02-27 19:12 2600 ----a-w- C:\xp_exe_fix.reg
2011-12-11 01:21 . 2011-12-11 01:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-12-11 00:09 . 2011-12-11 00:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-11-20 23:35 . 2011-11-20 23:35 -------- d-----w- c:\program files\iPod
2011-11-20 23:35 . 2011-11-20 23:36 -------- d-----w- c:\program files\iTunes
2011-11-20 23:30 . 2011-11-20 23:30 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2008-10-20 01:33 . 2008-10-20 01:33 12120 ----a-w- c:\program files\Common Files\imax.bin
2008-10-20 01:33 . 2008-10-20 01:33 10792 ----a-w- c:\program files\Common Files\narupeluj.bat
2008-10-20 01:15 . 2008-10-20 01:15 11700 ----a-w- c:\program files\Common Files\menuba.vbs
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-11-11 05:12 . 2011-03-27 14:19 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-10-15 . 63999D0ABD8DABFD76A9C07F6E104868 . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
[7] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2005-03-10 . C29A5286E64D97385178452D5F307B98 . 295424 . . [5.1.2600.2627] . . c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2004-08-10 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB895961$\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-05-30 3050392]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-17 397312]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
.
c:\documents and settings\Jason Truong\Start Menu\Programs\Startup\
Registration Heroes of Might & Magic 5.LNK - c:\program files\Ubisoft\Heroes of Might and Magic V Collector Edition\registration\RegistrationReminder.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-9-5 1466384]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-23 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\winagens32.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
"3724:TCP"= 3724:TCP:Blizzard Downloader
"56798:TCP"= 56798:TCP:Pando Media Booster
"56798:UDP"= 56798:UDP:Pando Media Booster
"58603:TCP"= 58603:TCP:Pando Media Booster
"58603:UDP"= 58603:UDP:Pando Media Booster
"57385:TCP"= 57385:TCP:Pando Media Booster
"57385:UDP"= 57385:UDP:Pando Media Booster
"57960:TCP"= 57960:TCP:Pando Media Booster
"57960:UDP"= 57960:UDP:Pando Media Booster
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/1/2006 9:29 PM 721904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/2/2009 9:38 AM 366152]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/27/2007 12:11 AM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/2/2009 9:38 AM 22216]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2011 7:30 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2011 7:30 PM 136176]
S3 LiveTurbineMessageService;Turbine Message Service - Live;"c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe" --> c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [?]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;"c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe" --> c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys --> c:\windows\system32\XDva037.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-06 00:30]
.
2011-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-06 00:30]
.
2011-12-06 c:\windows\Tasks\Norton Security Scan for Jason Truong.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-13 15:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - c:\documents and settings\Jason Truong\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
Trusted Zone: musicmatch.com\online
TCP: Interfaces\{6103D6B9-5760-4CAC-B5CA-FC42E5BE6627}: NameServer = 195.62.37.19,192.168.1.1
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Jason Truong\Application Data\Mozilla\Firefox\Profiles\9nld7l6g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=09-05-2010&tb_mrud=09-05-2010
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.gmail.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=100000000000000002&tb_oid=09-05-2010&tb_mrud=09-05-2010&query=
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe
HKLM-Run-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
AddRemove-62289540-dc30-11dc-95ff-0800200c9a66_is1 - c:\program files\Turbine\Turbine Download Manager\UninstallTDM.exe
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-EAX™ Unified (SHELL) - c:\program files\Creative Labs\EAX™ Unified (SHELL)\Uninst.isu
AddRemove-eBay Icon - c:\documents and settings\Jason Truong\Application Data\Desktopicon\uninst.exe
AddRemove-Heroes of Might and Magic II - c:\program files\Heroes2\DeIsL1.isu
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\program files\DivX\ConverterUninstall.exe
AddRemove-{B13A7C41581B411290FBC0395694E2A9} - c:\program files\DivX\ConverterUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-10 23:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2355040189-2138677896-3045065138-1005\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=dword:00000000
.
[HKEY_USERS\S-1-5-21-2355040189-2138677896-3045065138-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0A984A83-CC49-1910-4BFA-AC623461056E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaidhdjeplilinafcbemmhbpdmmkah"=hex:64,61,69,6e,65,68,66,66,00,85
"oaecfmfoenhfdbjlnoombjnpmgfeii"=hex:6a,61,69,6e,67,66,6b,6b,66,64,6c,6b,67,65,
62,6c,63,69,66,67,00,02
"nakdndkcdijkiefgjbejjahaebed"=hex:6a,61,69,6e,67,66,6b,6b,66,64,6c,6b,67,65,
62,6c,63,69,66,67,00,02
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3816)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2011-12-10 23:26:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-11 04:25
.
Pre-Run: 9,721,253,888 bytes free
Post-Run: 10,547,294,208 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - C80F0F5F6EC777530250B0BE56840C34

BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:13 AM

Posted 17 December 2011 - 09:51 AM

Hi,

Hopefully you have another computer where you can download the programs required and transfer them over.

Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FCopy::
c:\windows\ServicePackFiles\i386\termsrv.dll | c:\windows\system32\termsrv.dll

Folder::
c:\windows\$NtUninstallKB20452$

File::
c:\program files\Common Files\imax.bin
c:\program files\Common Files\narupeluj.bat
c:\program files\Common Files\menuba.vbs
C:\xp_exe_fix.reg

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Edited by CatByte, 26 December 2011 - 11:52 AM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:13 AM

Posted 26 December 2011 - 11:51 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users