Issues after Combofix *sigh*


  • This topic is locked This topic is locked
19 replies to this topic

#1 Lopa

Lopa

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 16 December 2011 - 03:01 AM

In the process of getting rid of some malware via instructions on a site, I ran Combofix (w/o any warning of the downsides). I'll attempt to explain what I can.

I had recently obtained a version of the Windows Security 2012 virus (comes in many flavors apparently). I'm using AVG for virus software and it didn't catch it somehow. The malware somehow gets in, reassociates .exe files to run the malware, posing as an "upgrade" to Windows security to take your money. I managed to isolate the exe it was running, deleted it, and reassociated my .exe files according to a guide, which then led me to run Combofix. I was unprepared and unaware of the consequences of how volatile it may be. It seemed to run fine at first, then errored before it could start running the stages; I believe it was due to AVG's resident shield, but I don't remember, as I've been trying to fix this for a few days now.

Combofix disabled my internet and I'm unable to get it back despite all my searching. It disabled some services, notably my DHCP service, which cannot be restarted. When I attempt to restart the DHCP service I get an "Error 1075: The dependency service does not exist or has been marked for deletion". I've scoured online and found many proposed fixes but none seem to work. Since the problem occurred, the only notable thing I've done is running "sfc /scannow" from a command prompt; it reports a problem with tdx.sys but cannot repair it. Beyond that I'm unsure of where to go from here.

Feel free to ask for any logs from programs or screenshots you'd like; I'll check this post as I can (holidays and all). I'm pretty computer savvy, but wouldn't call myself an expert. After the Combofix dilemma I'm not exactly looking forward to making the issue any worse, so I thought it best to look for advice here, as I'm unaware of what all Combofix may have done during its initialization before it was interrupted. Another note: it appears as though Combofix makes a recovery when it's started; however, the recovery seems to be corrupted and won't work. Just hoping to avoid a fresh install, as this is a default OEM license that came on the PC upon purchase, which didn't come with a CD.

Thanks in advance



#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:03:45 PM

Posted 16 December 2011 - 04:00 AM

Please download Farbar Service Scanner

http://download.bleepingcomputer.com/farbar/FSS.exe

and run it on the computer with the issue.

* Make sure "Include All Files" option remains checked.
* Press "Scan".
* It will create a log (FSS.txt) in the same directory the tool is run.
* Please copy and paste the log to your reply.

* Launch the scanner and type tdx.sys in the box.
* Click on "Search Files".

Please post both logs.

Edited by hamluis, 16 December 2011 - 11:24 AM.


#3 Lopa

Lopa
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 16 December 2011 - 08:51 PM

First scan log:

Farbar Service Scanner 
Ran by lokanu (administrator) on 16-12-2011 at 20:36:19
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open tdx registry key. The service key does not exist.


File Check:
===========
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys
[2009-11-29 15:42] - [2008-01-20 21:24] - 0071680 ____A (Microsoft Corporation) D09276B1FAB033CE1D40DCBDF303D10F

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.

**** End of log ****

2nd Scan log w/ "tdx.sys" in the Search text box:

Farbar Service Scanner 
Ran by lokanu (administrator) on 16-12-2011 at 20:38:00
Windows Vista (TM) Home Premium Service Pack 2 (X86)

************************************************
================== Search: "tdx.sys" ===================

C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys
[2009-11-29 15:42] - [2009-04-10 23:45] - 0072192 ____A () D4681AB1350AB51BA37FCF5B1061B90B

C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys
[2008-01-20 21:24] - [2008-01-20 21:24] - 0071680 ____N (Microsoft Corporation) D09276B1FAB033CE1D40DCBDF303D10F

C:\Windows\System32\drivers\tdx.sys
[2009-11-29 15:42] - [2008-01-20 21:24] - 0071680 ____A (Microsoft Corporation) D09276B1FAB033CE1D40DCBDF303D10F

====== End Of Search ======

Also note that the program did not have an option to set "Include all files". Simply a text box with the 3 buttons: Scan, Search Files, and Export Service.

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:03:45 PM

Posted 16 December 2011 - 10:19 PM

Hi

I guess you still have combofix on your desktop

Open a notepad and copy the script


FCopy::
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys | C:\WINDOWS\system32\drivers\tdx.sys


Save the notepad as CFScript.txt on the desktop

Now drag the text file into combofix.exe

Allow combofix to generate log file


Post the contents here

Restart your computer and see if you can connect now

Edited by narenxp, 16 December 2011 - 10:19 PM.


#5 Lopa

Lopa
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 17 December 2011 - 01:02 AM

Still unable to connect to the internet. DHCP and DNS services aren't started, and give the same error upon trying to restart them: "Error 1075: The dependency service does not exist or has been marked for deletion".

[edit:] I also noticed that while I got the UAC re-enabled, nothing under Security Center can be turned back on (Windows Firewall, Automatic Updating, Malware Protection). Upon trying to turn Windows Firewall on, it tells me "Security Center is unable" to turn it back on, w/ a link to turn it on manually. Clicking that and attempting to turn it on tells me "Due to an unidentified problem, Windows Firewall is unable to display settings". It also has a highlighted section saying Windows Firewall isn't using the recommended settings, w/ a link to get them; clicking that just gives me another error that it's unable.

Combofix Log:

ComboFix 11-12-15.02 - lokanu 12/17/2011   0:20.3.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2047.682 [GMT -5:00]
Running from: c:\users\lokanu\Desktop\ComboFix.exe
Command switches used :: c:\users\lokanu\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --> c:\windows\system32\drivers\tdx.sys
.
(((((((((((((((((((((((((   Files Created from 2011-11-17 to 2011-12-17  )))))))))))))))))))))))))))))))
.
.
2011-12-17 05:34 . 2011-12-17 05:34	--------	d-----w-	c:\users\lokanu\AppData\Local\temp
2011-12-17 05:34 . 2011-12-17 05:34	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-12-16 09:39 . 2008-12-12 23:05	24880	----a-w-	c:\windows\system32\drivers\pnarp.sys
2011-12-16 09:38 . 2008-12-12 23:05	26416	----a-w-	c:\windows\system32\drivers\purendis.sys
2011-12-16 09:38 . 2011-12-16 09:38	--------	d-----w-	c:\program files\Common Files\Pure Networks Shared
2011-12-16 09:38 . 2011-12-16 09:38	--------	d-----w-	c:\programdata\Pure Networks
2011-12-16 01:38 . 2011-12-16 01:38	--------	d-----w-	c:\users\lokanu\AppData\Roaming\Malwarebytes
2011-12-16 01:37 . 2011-12-16 01:37	--------	d-----w-	c:\programdata\Malwarebytes
2011-12-16 01:37 . 2011-12-16 01:38	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-12-16 01:37 . 2011-08-31 22:00	22216	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-12-15 10:07 . 2011-12-15 10:07	--------	d-----w-	C:\!KillBox
2011-12-14 21:37 . 2011-12-14 21:37	--------	d-----w-	c:\users\lokanu\Program Files
2011-12-09 10:01 . 2011-11-21 10:47	6823496	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{8E683B32-1C39-4AE8-88F6-9E87B31BFB40}\mpengine.dll
2011-12-08 20:49 . 2011-12-08 20:49	--------	d-----w-	c:\users\UpdatusUser
2011-12-08 20:48 . 2011-05-21 11:01	2560616	----a-w-	c:\windows\system32\nvsvcr.dll
2011-12-08 20:48 . 2011-05-21 11:01	543336	----a-w-	c:\windows\system32\easyupdatusapiu.dll
2011-12-08 20:27 . 2011-07-06 15:31	214016	----a-w-	c:\windows\system32\drivers\mrxsmb10.sys
2011-12-08 20:27 . 2011-04-29 13:24	79872	----a-w-	c:\windows\system32\drivers\mrxsmb20.sys
2011-12-08 20:27 . 2011-04-29 13:24	106496	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2011-12-08 20:27 . 2011-06-20 08:54	3602832	----a-w-	c:\windows\system32\ntkrnlpa.exe
2011-12-08 20:27 . 2011-06-20 08:54	3550096	----a-w-	c:\windows\system32\ntoskrnl.exe
2011-12-08 20:27 . 2011-08-25 16:15	555520	----a-w-	c:\windows\system32\UIAutomationCore.dll
2011-12-08 20:27 . 2011-08-25 16:14	238080	----a-w-	c:\windows\system32\oleacc.dll
2011-12-08 20:27 . 2011-08-25 13:31	4096	----a-w-	c:\windows\system32\oleaccrc.dll
2011-12-08 20:27 . 2011-08-25 16:14	563712	----a-w-	c:\windows\system32\oleaut32.dll
2011-12-08 20:26 . 2011-04-29 13:25	146432	----a-w-	c:\windows\system32\drivers\srv2.sys
2011-12-08 20:26 . 2011-04-29 13:25	102400	----a-w-	c:\windows\system32\drivers\srvnet.sys
2011-12-08 20:26 . 2011-07-11 13:25	2048	----a-w-	c:\windows\system32\tzres.dll
2011-12-08 20:26 . 2011-05-02 17:16	739328	----a-w-	c:\windows\system32\inetcomm.dll
2011-12-08 20:26 . 2011-06-17 16:03	375808	----a-w-	c:\windows\system32\winsrv.dll
2011-12-08 20:26 . 2011-09-30 15:57	707584	----a-w-	c:\program files\Common Files\System\wab32.dll
2011-12-08 20:26 . 2011-07-29 16:01	293376	----a-w-	c:\windows\system32\psisdecd.dll
2011-12-08 20:26 . 2011-07-29 16:01	217088	----a-w-	c:\windows\system32\psisrndr.ax
2011-12-08 20:26 . 2011-07-29 16:00	69632	----a-w-	c:\windows\system32\Mpeg2Data.ax
2011-12-08 20:26 . 2011-07-29 16:00	57856	----a-w-	c:\windows\system32\MSDvbNP.ax
2011-12-08 20:26 . 2011-04-30 06:09	758784	----a-w-	c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
2011-12-08 20:26 . 2011-04-20 15:50	49152	----a-w-	c:\windows\system32\csrsrv.dll
2011-12-08 20:20 . 2011-04-29 15:59	276992	----a-w-	c:\windows\system32\schannel.dll
2011-12-03 22:51 . 2011-12-03 22:51	--------	d-----w-	c:\users\lokanu\AppData\Roaming\InstallShield
2011-12-03 22:48 . 2008-06-05 10:30	172032	----a-w-	c:\windows\system32\NetEdLib.dll
2011-12-03 22:48 . 2008-06-05 10:30	61440	----a-w-	c:\windows\system32\HEI32_3.DLL
2011-12-03 22:48 . 2008-06-05 10:30	303	----a-w-	c:\windows\DS500.bat
2011-12-03 22:48 . 2008-06-05 10:30	1478656	----a-w-	c:\windows\system32\HEIXTP86.dll
2011-12-03 22:48 . 2011-12-03 22:50	--------	d-----w-	C:\HAPTools
2011-12-03 22:48 . 2006-09-11 10:56	24576	----a-w-	c:\program files\Common Files\InstallShield\UpdateService\_ispmres.dll
2011-12-03 22:47 . 2007-08-30 15:50	205480	----a-w-	c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
2011-12-03 22:47 . 2007-03-01 05:11	73728	----a-w-	c:\windows\system32\ISUSPM.cpl
2011-12-03 22:45 . 2011-12-03 22:49	--------	d-----w-	c:\program files\DirectSOFT5
2011-12-03 22:44 . 2004-07-16 05:20	733184	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iKernel.dll
2011-12-03 22:44 . 2004-07-16 05:20	69715	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\ctor.dll
2011-12-03 22:44 . 2004-07-16 05:19	266240	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iscript.dll
2011-12-03 22:44 . 2004-07-16 05:18	172032	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iuser.dll
2011-12-03 22:44 . 2004-07-16 05:18	5632	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\DotNetInstaller.exe
2011-12-03 22:44 . 2011-12-03 22:44	303236	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\setup.dll
2011-12-03 22:44 . 2011-12-03 22:44	180356	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iGdi.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-09 03:05 . 2011-06-16 05:27	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 10:54 . 2011-03-16 19:04	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-10-20 23:26 . 2011-10-20 23:26	94208	----a-w-	c:\windows\system32\dpl100.dll
2011-10-02 07:26 . 2011-05-09 23:08	134104	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-03-25 06:39	121392	----a-w-	c:\acer\Empowering Technology\eDataSecurity\x86\psdprotect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"AlcoholAutomount"="c:\progra~1\ALCOHO~1\axcmd.exe" [2008-11-23 203720]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"BitTorrent DNA"="c:\users\lokanu\Program Files\DNA\btdna.exe" [2011-12-14 323392]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-08-09 3077528]
"Akamai NetSession Interface"="c:\users\lokanu\AppData\Local\Akamai\netsession_win.exe" [2011-12-07 3305248]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-11-13 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-06 413696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-24 4423680]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]
"Logitech H760"="c:\program files\Logitech\H760\H760.exe" [2010-07-09 275800]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 106544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-05-11 1348144]
.
c:\users\lokanu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Item Assistant.lnk - c:\aoia\ItemAssistant.exe [2011-9-16 1193984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux9"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]
2008-01-10 01:43	326176	----a-w-	c:\acer\Empowering Technology\SysMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-10-15 20:43	3387392	----a-w-	c:\program files\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-03-05 06:38	526896	----a-w-	c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-17 03:12	3872080	----a-w-	c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50	155648	----a-w-	c:\windows\System32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickGammaLoader]
2005-03-28 07:13	68096	----a-w-	c:\program files\QuickGamma\QuickGammaLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-03-24 00:04	4423680	----a-w-	c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2007-02-02 00:37	630784	----a-w-	c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-08-08 02:56	1242448	----a-w-	c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25	202240	----a-w-	c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-927434032-1316377848-797110289-1000]
"EnableNotificationsRef"=dword:00000001
.
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-04-05 297168]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2011-09-10 18432]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-11-04 288112]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x]
R3 XDva370;XDva370;c:\windows\system32\XDva370.sys [x]
R3 XDva375;XDva375;c:\windows\system32\XDva375.sys [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-02-22 22992]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-03-16 32592]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-01-07 248656]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-08-18 7390560]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2011-02-08 269520]
S2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [2010-11-04 2304]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-10-08 369256]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-05-27 134480]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-02-10 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-02-10 28624]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2009-05-11 724992]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai	REG_MULTI_SZ   	Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://en.us.acer.yahoo.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
FF - ProfilePath - c:\users\lokanu\AppData\Roaming\Mozilla\Firefox\Profiles\iz2pnbsu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-17 00:34
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_b427739.dll"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.5\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.5\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(876)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'Explorer.exe'(4008)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\program files\Taskbar Calculator\TBCalc.dll
.
Completion time: 2011-12-17  00:37:04
ComboFix-quarantined-files.txt  2011-12-17 05:37
ComboFix2.txt  2011-12-16 10:44
.
Pre-Run: 14,487,183,360 bytes free
Post-Run: 14,238,425,088 bytes free
.
- - End Of File - - 8BB2BE54F42BE19F51F7701242584DA5

Edited by Lopa, 17 December 2011 - 01:12 AM.
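Error 1075 is what the Service Control Manager returns when a name in a service's DependOnService list has no key under HKLM\SYSTEM\CurrentControlSet\Services. That matches the FSS result in post #3 ("Unable to open tdx registry key. The service key does not exist"), and the FCopy in post #4 restores the driver file but does not recreate a service key, which is why the error survives the copy. The PowerShell below is an added example, not code from this thread or from Farbar's tool: it walks the dependency chain of the two services the thread names (assuming "DNS" means the DNS Client service, Dnscache) and reports every dependency whose registry key or image file is missing. It assumes Windows PowerShell 2.0 or later, run from an elevated prompt, and reads the same registry values the SCM uses; on a machine without PowerShell, `sc qc Dhcp` prints the DEPENDENCIES list and the same walk can be done by hand.

```powershell
# Added example (not from the thread): walk a service's DependOnService chain and
# flag dependencies whose registry key or image file is missing, i.e. the
# condition the SCM reports as Error 1075. Read-only; run from an elevated prompt.
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$TypeNames  = @{ 1 = 'kernel driver'; 2 = 'file system driver'; 16 = 'own process'; 32 = 'shared process' }
$StartNames = @{ 0 = 'boot'; 1 = 'system'; 2 = 'auto'; 3 = 'manual'; 4 = 'disabled' }

# Turn an ImagePath / ServiceDll value into a plain file path. Registry values
# come in several shapes: "system32\DRIVERS\x.sys", "\SystemRoot\System32\...",
# "\??\C:\...", "%SystemRoot%\system32\svchost.exe -k netsvcs", or a quoted path.
function Resolve-ServiceImage([string]$Image) {
    if (-not $Image) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Image)
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(\S+?\.(exe|sys|dll))') { $p = $Matches[1] }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ServiceDependencyReport {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [hashtable]$Seen = @{}
    )
    if ($Seen.ContainsKey($Name)) { return }   # dependency graphs share nodes (Afd, NSI, ...)
    $Seen[$Name] = $true

    $key = Join-Path $ServicesRoot $Name
    if (-not (Test-Path $key)) {
        New-Object PSObject -Property @{
            Service = $Name; Type = $null; Start = $null; Image = $null
            Problem = 'service key missing (this is what Error 1075 in the parent refers to)'
        }
        return
    }

    $props = Get-ItemProperty -Path $key
    $image = Resolve-ServiceImage ([string]$props.ImagePath)
    $problems = @()
    if (-not $image) { $problems += 'no ImagePath' }
    elseif (-not (Test-Path $image)) { $problems += "image file missing: $image" }

    # svchost-hosted services (Dhcp, Dnscache, NSI) keep their code in Parameters\ServiceDll,
    # which is the value FSS checks when it reports "The ServiceDll of Dhcp service is OK".
    $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) {
        $dllPath = Resolve-ServiceImage ([string]$dll)
        if (-not (Test-Path $dllPath)) { $problems += "ServiceDll missing: $dllPath" }
    }

    $typeName  = $null
    $startName = $null
    if ($props.Type -ne $null)  { $typeName  = $TypeNames[[int]($props.Type -band 0x3F)] }
    if ($props.Start -ne $null) { $startName = $StartNames[[int]$props.Start] }

    New-Object PSObject -Property @{
        Service = $Name
        Type    = $typeName
        Start   = $startName
        Image   = $image
        Problem = ($problems -join '; ')
    }

    # Recurse into DependOnService (REG_MULTI_SZ; absent on leaf services).
    # DependOnGroup entries are satisfied by load-order group, so they are not walked here.
    foreach ($dep in @($props.DependOnService)) {
        if ($dep) { Get-ServiceDependencyReport -Name $dep -Seen $Seen }
    }
}

# Dhcp and Dnscache are the two services the thread reports failing with Error 1075.
'Dhcp', 'Dnscache' |
    ForEach-Object { Get-ServiceDependencyReport -Name $_ } |
    Select-Object Service, Type, Start, Image, Problem |
    Format-Table -AutoSize -Wrap
```

A row whose Problem column reads "service key missing" is the dependency the 1075 error is about; a row with "image file missing" is a different failure (the key exists but the driver or DLL it points to is gone) and would show up as a file error rather than 1075. The script changes nothing; once the missing key is identified, restoring it is a separate step and should be done from a trusted copy of the same Windows build.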


#6 Lopa

Lopa
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 17 December 2011 - 02:05 AM

I've been perusing other forum posts and have noticed mentions of Ping.exe related to a rootkit. I do recall seeing and terminating it the other day, although it hasn't run lately (probably due to the lack of an internet connection). So that may be another concern later if my internet can be restored.

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,933 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:45 PM

Posted 17 December 2011 - 08:02 AM

I have moved this topic to the malware removal forum. At BC we do not allow any members to recommend Combofix usage because this is a very powerful tool. We only allow trained helpers to instruct others in its usage to prevent damage to the computer of the one looking for help.

Since the tool was run, please let me know how things stand at this point. Are you still having internet issues and are there any other problems?

regards, Elise




#8 Lopa

Lopa
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 20 December 2011 - 01:54 PM

Still unable to connect to the internet. DHCP and DNS services aren't started, and give the same error upon trying to restart them: "Error 1075: The dependency service does not exist or has been marked for deletion".

[edit:] I also noticed that while I got the UAC re-enabled, nothing under Security Center can be turned back on (Windows Firewall, Automatic Updating, Malware Protection). Upon trying to turn Windows Firewall on, it tells me "Security Center is unable" to turn it back on, w/ a link to turn it on manually. Clicking that and attempting to turn it on tells me "Due to an unidentified problem, Windows Firewall is unable to display settings". It also has a highlighted section saying Windows Firewall isn't using the recommended settings, w/ a link to get them; clicking that just gives me another error that it's unable.

Combofix Log:

ComboFix 11-12-15.02 - lokanu 12/17/2011   0:20.3.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2047.682 [GMT -5:00]
Running from: c:\users\lokanu\Desktop\ComboFix.exe
Command switches used :: c:\users\lokanu\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --> c:\windows\system32\drivers\tdx.sys
.
(((((((((((((((((((((((((   Files Created from 2011-11-17 to 2011-12-17  )))))))))))))))))))))))))))))))
.
.
2011-12-17 05:34 . 2011-12-17 05:34	--------	d-----w-	c:\users\lokanu\AppData\Local\temp
2011-12-17 05:34 . 2011-12-17 05:34	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-12-16 09:39 . 2008-12-12 23:05	24880	----a-w-	c:\windows\system32\drivers\pnarp.sys
2011-12-16 09:38 . 2008-12-12 23:05	26416	----a-w-	c:\windows\system32\drivers\purendis.sys
2011-12-16 09:38 . 2011-12-16 09:38	--------	d-----w-	c:\program files\Common Files\Pure Networks Shared
2011-12-16 09:38 . 2011-12-16 09:38	--------	d-----w-	c:\programdata\Pure Networks
2011-12-16 01:38 . 2011-12-16 01:38	--------	d-----w-	c:\users\lokanu\AppData\Roaming\Malwarebytes
2011-12-16 01:37 . 2011-12-16 01:37	--------	d-----w-	c:\programdata\Malwarebytes
2011-12-16 01:37 . 2011-12-16 01:38	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-12-16 01:37 . 2011-08-31 22:00	22216	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-12-15 10:07 . 2011-12-15 10:07	--------	d-----w-	C:\!KillBox
2011-12-14 21:37 . 2011-12-14 21:37	--------	d-----w-	c:\users\lokanu\Program Files
2011-12-09 10:01 . 2011-11-21 10:47	6823496	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{8E683B32-1C39-4AE8-88F6-9E87B31BFB40}\mpengine.dll
2011-12-08 20:49 . 2011-12-08 20:49	--------	d-----w-	c:\users\UpdatusUser
2011-12-08 20:48 . 2011-05-21 11:01	2560616	----a-w-	c:\windows\system32\nvsvcr.dll
2011-12-08 20:48 . 2011-05-21 11:01	543336	----a-w-	c:\windows\system32\easyupdatusapiu.dll
2011-12-08 20:27 . 2011-07-06 15:31	214016	----a-w-	c:\windows\system32\drivers\mrxsmb10.sys
2011-12-08 20:27 . 2011-04-29 13:24	79872	----a-w-	c:\windows\system32\drivers\mrxsmb20.sys
2011-12-08 20:27 . 2011-04-29 13:24	106496	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2011-12-08 20:27 . 2011-06-20 08:54	3602832	----a-w-	c:\windows\system32\ntkrnlpa.exe
2011-12-08 20:27 . 2011-06-20 08:54	3550096	----a-w-	c:\windows\system32\ntoskrnl.exe
2011-12-08 20:27 . 2011-08-25 16:15	555520	----a-w-	c:\windows\system32\UIAutomationCore.dll
2011-12-08 20:27 . 2011-08-25 16:14	238080	----a-w-	c:\windows\system32\oleacc.dll
2011-12-08 20:27 . 2011-08-25 13:31	4096	----a-w-	c:\windows\system32\oleaccrc.dll
2011-12-08 20:27 . 2011-08-25 16:14	563712	----a-w-	c:\windows\system32\oleaut32.dll
2011-12-08 20:26 . 2011-04-29 13:25	146432	----a-w-	c:\windows\system32\drivers\srv2.sys
2011-12-08 20:26 . 2011-04-29 13:25	102400	----a-w-	c:\windows\system32\drivers\srvnet.sys
2011-12-08 20:26 . 2011-07-11 13:25	2048	----a-w-	c:\windows\system32\tzres.dll
2011-12-08 20:26 . 2011-05-02 17:16	739328	----a-w-	c:\windows\system32\inetcomm.dll
2011-12-08 20:26 . 2011-06-17 16:03	375808	----a-w-	c:\windows\system32\winsrv.dll
2011-12-08 20:26 . 2011-09-30 15:57	707584	----a-w-	c:\program files\Common Files\System\wab32.dll
2011-12-08 20:26 . 2011-07-29 16:01	293376	----a-w-	c:\windows\system32\psisdecd.dll
2011-12-08 20:26 . 2011-07-29 16:01	217088	----a-w-	c:\windows\system32\psisrndr.ax
2011-12-08 20:26 . 2011-07-29 16:00	69632	----a-w-	c:\windows\system32\Mpeg2Data.ax
2011-12-08 20:26 . 2011-07-29 16:00	57856	----a-w-	c:\windows\system32\MSDvbNP.ax
2011-12-08 20:26 . 2011-04-30 06:09	758784	----a-w-	c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
2011-12-08 20:26 . 2011-04-20 15:50	49152	----a-w-	c:\windows\system32\csrsrv.dll
2011-12-08 20:20 . 2011-04-29 15:59	276992	----a-w-	c:\windows\system32\schannel.dll
2011-12-03 22:51 . 2011-12-03 22:51	--------	d-----w-	c:\users\lokanu\AppData\Roaming\InstallShield
2011-12-03 22:48 . 2008-06-05 10:30	172032	----a-w-	c:\windows\system32\NetEdLib.dll
2011-12-03 22:48 . 2008-06-05 10:30	61440	----a-w-	c:\windows\system32\HEI32_3.DLL
2011-12-03 22:48 . 2008-06-05 10:30	303	----a-w-	c:\windows\DS500.bat
2011-12-03 22:48 . 2008-06-05 10:30	1478656	----a-w-	c:\windows\system32\HEIXTP86.dll
2011-12-03 22:48 . 2011-12-03 22:50	--------	d-----w-	C:\HAPTools
2011-12-03 22:48 . 2006-09-11 10:56	24576	----a-w-	c:\program files\Common Files\InstallShield\UpdateService\_ispmres.dll
2011-12-03 22:47 . 2007-08-30 15:50	205480	----a-w-	c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
2011-12-03 22:47 . 2007-03-01 05:11	73728	----a-w-	c:\windows\system32\ISUSPM.cpl
2011-12-03 22:45 . 2011-12-03 22:49	--------	d-----w-	c:\program files\DirectSOFT5
2011-12-03 22:44 . 2004-07-16 05:20	733184	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iKernel.dll
2011-12-03 22:44 . 2004-07-16 05:20	69715	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\ctor.dll
2011-12-03 22:44 . 2004-07-16 05:19	266240	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iscript.dll
2011-12-03 22:44 . 2004-07-16 05:18	172032	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iuser.dll
2011-12-03 22:44 . 2004-07-16 05:18	5632	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\DotNetInstaller.exe
2011-12-03 22:44 . 2011-12-03 22:44	303236	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\setup.dll
2011-12-03 22:44 . 2011-12-03 22:44	180356	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iGdi.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-09 03:05 . 2011-06-16 05:27	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 10:54 . 2011-03-16 19:04	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-10-20 23:26 . 2011-10-20 23:26	94208	----a-w-	c:\windows\system32\dpl100.dll
2011-10-02 07:26 . 2011-05-09 23:08	134104	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55	87304	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-03-25 06:39	121392	----a-w-	c:\acer\Empowering Technology\eDataSecurity\x86\psdprotect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"AlcoholAutomount"="c:\progra~1\ALCOHO~1\axcmd.exe" [2008-11-23 203720]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"BitTorrent DNA"="c:\users\lokanu\Program Files\DNA\btdna.exe" [2011-12-14 323392]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-08-09 3077528]
"Akamai NetSession Interface"="c:\users\lokanu\AppData\Local\Akamai\netsession_win.exe" [2011-12-07 3305248]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-11-13 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-06 413696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-24 4423680]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]
"Logitech H760"="c:\program files\Logitech\H760\H760.exe" [2010-07-09 275800]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 106544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-05-11 1348144]
.
c:\users\lokanu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Item Assistant.lnk - c:\aoia\ItemAssistant.exe [2011-9-16 1193984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux9"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]
2008-01-10 01:43	326176	----a-w-	c:\acer\Empowering Technology\SysMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-10-15 20:43	3387392	----a-w-	c:\program files\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-03-05 06:38	526896	----a-w-	c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-17 03:12	3872080	----a-w-	c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50	155648	----a-w-	c:\windows\System32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickGammaLoader]
2005-03-28 07:13	68096	----a-w-	c:\program files\QuickGamma\QuickGammaLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-03-24 00:04	4423680	----a-w-	c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2007-02-02 00:37	630784	----a-w-	c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-08-08 02:56	1242448	----a-w-	c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25	202240	----a-w-	c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-927434032-1316377848-797110289-1000]
"EnableNotificationsRef"=dword:00000001
.
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-04-05 297168]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2011-09-10 18432]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-11-04 288112]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x]
R3 XDva370;XDva370;c:\windows\system32\XDva370.sys [x]
R3 XDva375;XDva375;c:\windows\system32\XDva375.sys [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-02-22 22992]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-03-16 32592]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-01-07 248656]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-08-18 7390560]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2011-02-08 269520]
S2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [2010-11-04 2304]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-10-08 369256]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-05-27 134480]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-02-10 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-02-10 28624]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2009-05-11 724992]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai	REG_MULTI_SZ   	Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://en.us.acer.yahoo.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
FF - ProfilePath - c:\users\lokanu\AppData\Roaming\Mozilla\Firefox\Profiles\iz2pnbsu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-17 00:34
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_b427739.dll"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.5\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.5\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(876)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'Explorer.exe'(4008)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\program files\Taskbar Calculator\TBCalc.dll
.
Completion time: 2011-12-17  00:37:04
ComboFix-quarantined-files.txt  2011-12-17 05:37
ComboFix2.txt  2011-12-16 10:44
.
Pre-Run: 14,487,183,360 bytes free
Post-Run: 14,238,425,088 bytes free
.
- - End Of File - - 8BB2BE54F42BE19F51F7701242584DA5



#9 Elise

  • Malware Study Hall Admin
  • 60,933 posts
  • Gender:Female
  • Location:Romania

Posted 20 December 2011 - 02:21 PM

Hi again, please let me know how things are running after the following steps.

BACKUP THE REGISTRY
---------------------------
Backup Your Registry with ERUNT
  • Please download Erunt
  • Run the setup program to install ERUNT on your computer
  • Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


We Need to Run a Registry Script

  • Press the Windows Logo in the lower left corner of your screen.
  • In the Posted Image box, enter notepad and press Enter.
  • Highlight the contents of the following codebox, and copy and paste that text into notepad.
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdx]
    "DisplayName"="@%SystemRoot%\\system32\\tcpipcfg.dll,-50004"
    "Group"="PNP_TDI"
    "ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
      52,00,49,00,56,00,45,00,52,00,53,00,5c,00,74,00,64,00,78,00,2e,00,73,00,79,\
      00,73,00,00,00
    "ErrorControl"=dword:00000001
    "Start"=dword:00000001
    "Tag"=dword:00000004
    "Type"=dword:00000001
    "DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
    "Description"="@%SystemRoot%\\system32\\tcpipcfg.dll,-50004"
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdx\Enum]
    "0"="Root\\LEGACY_TDX\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001
    
  • Select File -> Save.
  • Press the Desktop button on the left side of the save dialog.
  • In the Posted Image box, type in Fix.reg.
  • Press Posted Image.
  • Close Notepad.
  • Double click Posted Image on your desktop.
  • Press Yes if prompted by User Account Control.
  • Press Yes, and then Ok, when prompted.
  • Right click on Posted Image and choose Delete.
  • Press Yes.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
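The registry script above recreates the tdx service entry that the DHCP Client service lists as a dependency; "Error 1075" is what the Service Control Manager returns when a name in a service's DependOnService value has no key under HKLM\SYSTEM\CurrentControlSet\Services. The following PowerShell script is an added example and is not code from this thread, from ComboFix or from ERUNT: it walks a service's dependency chain and reports each entry whose key is missing, whose driver image is absent on disk, or which is disabled, so you can confirm the missing dependency before applying a fix and confirm the fix afterwards. The starting service name 'Dhcp' is an assumption chosen to match the thread; run it from an elevated prompt, it only reads the registry.

```powershell
# Added example (not from the original posts): diagnose "Error 1075" by walking a
# service's DependOnService chain and reporting missing keys, missing driver
# images and disabled entries. Read-only; run in an elevated PowerShell session.
# Written for PowerShell 2.0 syntax so it also runs on the Vista-era hosts this
# thread concerns. The starting service 'Dhcp' is an assumption for illustration.

$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceDependencyReport {
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,
        [System.Collections.Generic.HashSet[string]]$Seen
    )

    if ($null -eq $Seen) {
        $Seen = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    }
    # Report each service once, even when several services depend on it,
    # and stop on cycles.
    if (-not $Seen.Add($ServiceName)) { return }

    $key = Join-Path $ServicesRoot $ServiceName
    if (-not (Test-Path -Path $key)) {
        # No key at all: exactly the condition SCM reports as error 1075 for
        # every service that names this one in DependOnService.
        New-Object PSObject -Property @{ Service = $ServiceName; Status = 'MISSING-KEY'; Detail = $key }
        return
    }

    $props  = Get-ItemProperty -Path $key
    $status = 'OK'
    $detail = ''

    if ($props.Start -eq 4) {
        $status = 'DISABLED'
        $detail = 'Start=4; dependents cannot start until this entry is re-enabled'
    }

    # Type 1 (kernel driver) and 2 (file system driver) carry a bare image path,
    # so the file can be checked directly. User-mode services (svchost -k ...)
    # carry a command line and are not checked on disk here.
    if ($status -eq 'OK' -and ($props.Type -eq 1 -or $props.Type -eq 2) -and $props.ImagePath) {
        $image = [Environment]::ExpandEnvironmentVariables($props.ImagePath).Trim('"')
        if ($image -match '^\\SystemRoot\\') {
            $image = $image -replace '^\\SystemRoot', $env:SystemRoot
        } elseif ($image -notmatch '^[A-Za-z]:\\') {
            # Driver paths such as system32\DRIVERS\tdx.sys are relative to %SystemRoot%.
            $image = Join-Path $env:SystemRoot $image
        }
        $detail = $image
        if (-not (Test-Path -Path $image -PathType Leaf)) {
            $status = 'MISSING-IMAGE'
        }
    }

    New-Object PSObject -Property @{ Service = $ServiceName; Status = $status; Detail = $detail }

    # DependOnService is REG_MULTI_SZ. An entry prefixed with '+' names a
    # load-order group rather than a service key, so it is skipped here.
    foreach ($dep in @($props.DependOnService)) {
        if ([string]::IsNullOrEmpty($dep) -or $dep.StartsWith('+')) { continue }
        Get-ServiceDependencyReport -ServiceName $dep -Seen $Seen
    }
}

# Sample invocation: inspect the DHCP Client chain and show only the entries
# that explain a start failure. With the tdx key absent, as in this thread,
# the output contains a MISSING-KEY row for Tdx; after the .reg fix it is empty.
Get-ServiceDependencyReport -ServiceName 'Dhcp' |
    Where-Object { $_.Status -ne 'OK' } |
    Select-Object Service, Status, Detail |
    Format-Table -AutoSize
```

Drop the Where-Object filter to see the whole chain with OK rows included; that listing is also a useful baseline to keep from a healthy machine, because a cleanup tool that removes a service key leaves no trace in the surviving entries other than a dangling name in someone else's DependOnService.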


#10 Lopa

  • Topic Starter
Posted 23 December 2011 - 01:28 PM

Apologies for the late reply, holidays and all.

Okay, that fixed the DHCP and DNS services, they now start automatically, thank you. However the Security Center still refuses to start anything (Firewall/Automatic Updating/Malware Protection) and my Linksys Wireless Manager still reports "The Platform Service is not running", so there's still something preventing those from running and allowing me to establish an internet connection. There's nothing wrong w/ the Linksys Wireless Manager or the drivers for it, I've already double-checked the drivers to ensure that before asking here. I'm not sure what else I can provide to give any more insight than this. Any other logs I can get/post that might shed some light on this?

#11 Elise

Posted 23 December 2011 - 01:53 PM

Can you please navigate to the following file: c:\windows\system32\config\regbackup\system <-- right click this file and select Send To > Compressed (Zipped) file. This will create a file named system.zip (most likely you'll get a warning that the file cannot be created in this location and that it will be located on the desktop instead).

Upload this file here and let me know when done: http://www.bleepingcomputer.com/submit-malware.php?channel=105

regards, Elise


#12 Lopa

  • Topic Starter
Posted 24 December 2011 - 07:13 PM

Using your method I received this error message after the "copy to desktop" dialog box: "File not found or no read permission." Any other standard method yielded this error: "The action cannot be completed because the file is in use by another program."

I tried in windows explorer and via command prompt both explicitly opened with "Run as Admin" permission, and takeown/cacls to take ownership and full control of the file. Even with ownership and control the file is still in use by a service and cannot be copied. I believe the only way I can copy these files is with a program that is designed to do it with a restart involved. Know of any you could point me to?

#13 Elise

Posted 25 December 2011 - 04:27 AM

Unfortunately a required service has been deleted. If you remember which security application flagged/deleted (part of) the infection, we can see if its quarantine still has a copy; otherwise the only way to fix this is to do a system restore to before the problems started, as there is no other way to recreate this service.

regards, Elise


#14 Lopa

  • Topic Starter
Posted 26 December 2011 - 07:44 AM

As far as I know there weren't any deleted services from the virus. There were only a couple of directories with the main virus executable that were flagged and removed. These were non-windows directories created when the virus blew up. Recovery isn't an option either as it errors and won't complete. My internet was working fine after the virus was removed, even after a restart until I ran ComboFix, so it can't be a service that was flagged and deleted as a result of the virus. My mistake was in running ComboFix unaware of the extent of what it would do.

Edited by Lopa, 26 December 2011 - 07:44 AM.


#15 Elise

Posted 26 December 2011 - 09:15 AM

Can you look for c:\qoobox\combofix2.txt (look for the text file with the highest number, if combofix3.txt is there, post that)? If Combofix indeed was the tool that deleted it, it will have saved a backup that we may be able to use.

regards, Elise
