VISTA Home Security 2012 Removed, still have issues


9 replies to this topic

#1 DigitalFusion

  • Members
  • 5 posts

Posted 23 December 2011 - 02:17 PM

Hello All,

I am helping a friend out who had the VISTA Home Security 2012 virus on her laptop. Here are the steps already taken:

  • ran FixNCR.reg
  • ran rkill
  • installed & ran mbam

Everything worked fine, and mbam found and removed 4 infected files. I then rebooted the machine, and ran another full scan which returned 0 results. However, I cannot get the machine to access the internet. I ran a full FSS scan, and here are the results.

Farbar Service Scanner
Ran by _____ (administrator) on 23-12-2011 at 12:58:44
Microsoft® Windows Vista™ Home Basic Service Pack 2 (X86)
********************************************************

Internet Services:
=================

Connection Status:
=================
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
================
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
========================


System Restore:
==============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
==============================


File Check:
==========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll
[2009-09-18 07:57] - [2009-04-11 00:28] - 0407552 ____A (Microsoft Corporation) 5DE62C6E9108F14F6794060A9BDECAEC

C:\Windows\system32\bfe.dll
[2009-09-18 07:57] - [2009-04-11 00:28] - 0334848 ____A (Microsoft Corporation) C789AF0F724FDA5852FB9A7D3A432381

C:\Windows\system32\Drivers\mpsdrv.sys
[2008-01-20 20:34] - [2008-01-20 20:34] - 0064000 ____A (Microsoft Corporation) 22241FEBA9B2DEFA669C8CB0A8DD7D2E

C:\Windows\system32\SDRSVC.dll
[2008-01-20 20:32] - [2008-01-20 20:32] - 0104960 ____A (Microsoft Corporation) 716313D9F6B0529D03F726D5AAF6F191

C:\Windows\system32\vssvc.exe
[2009-09-18 07:57] - [2009-04-11 00:28] - 1055232 ____A (Microsoft Corporation) DB3D19F850C6EB32BDCB9BC0836ACDDB

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****


It looks like there are some registry issues here. I have cleaned a few machines with this virus in the past, and I haven't run into this before. Kinda lost as to what to do now.


#2 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,735 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 23 December 2011 - 02:52 PM

Welcome aboard

Those registry keys concern Windows firewall and system restore.

Network files and registry keys look fine.

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size
Click Go and post the result.



#3 DigitalFusion
  • Topic Starter

  • Members
  • 5 posts

Posted 27 December 2011 - 04:50 PM

Thanks for the response, and the welcome.

Here are the results from MiniToolBox:

MiniToolBox by Farbar
Ran by Deanna (administrator) on 27-12-2011 at 15:46:25
Microsoft® Windows Vista™ Home Basic Service Pack 2 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: http=127.0.0.1:5555
Hosts file not detected in the default directory
========================= IP Configuration: ================================

Realtek RTL8102E/8103E Family PCI-E FE NIC = Local Area Connection (Media disconnected)
Atheros AR5007 802.11b/g WiFi Adapter = Wireless Network Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Deanna-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : westell.com
Description . . . . . . . . . . . : Atheros AR5007 802.11b/g WiFi Adapter
Physical Address. . . . . . . . . : 00-24-2B-92-A6-5E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : mn.warpdriveonline.com
Description . . . . . . . . . . . : Realtek RTL8102E/8103E Family PCI-E FE NIC
Physical Address. . . . . . . . . : 00-1F-16-70-07-07
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.hsd1.mn.comcast.net.
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.westell.com
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 16:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.mn.warpdriveonline.com
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host bleepingcomputer.com. Please check the name and try again.



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
11 ...00 24 2b 92 a6 5e ...... Atheros AR5007 802.11b/g WiFi Adapter
10 ...00 1f 16 70 07 07 ...... Realtek RTL8102E/8103E Family PCI-E FE NIC
1 ........................... Software Loopback Interface 1
14 ...00 00 00 00 00 00 00 e0 isatap.hsd1.mn.comcast.net.
17 ...00 00 00 00 00 00 00 e0 isatap.westell.com
12 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
13 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
16 ...00 00 00 00 00 00 00 e0 isatap.mn.warpdriveonline.com
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\System32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\System32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 25 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 26 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 27 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 28 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (12/27/2011 03:43:59 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/24/2011 05:07:33 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/24/2011 05:06:47 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: -528

Error: (12/24/2011 05:06:47 PM) (Source: ESENT) (User: )
Description: Catalog Database (1404) Catalog Database: Error -1811 occurred while opening logfile C:\Windows\system32\CatRoot2\edb0014E.log.

Error: (12/24/2011 04:34:51 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/24/2011 04:17:10 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/24/2011 04:11:31 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/24/2011 02:44:42 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/24/2011 02:26:37 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/24/2011 02:03:53 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (12/27/2011 03:46:23 PM) (Source: WinDefend) (User: )
Description: %%%82527 has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.

Signatures Attempted: %%%82524

Error Code: 0x8050a001

Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support.

Signatures loading: %%825

Loading signature version: 1.117.1189.0

Loading engine version: %%%825270

Error: (12/27/2011 03:43:59 PM) (Source: Service Control Manager) (User: )
Description: SRTSP
SRTSPX

Error: (12/27/2011 03:43:59 PM) (Source: Service Control Manager) (User: )
Description: Norton Internet Security%%3

Error: (12/27/2011 03:43:59 PM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (12/24/2011 05:14:19 PM) (Source: PlugPlayManager) (User: )
Description: Error writing to server side install pipe

Error: (12/24/2011 05:08:10 PM) (Source: Service Control Manager) (User: )
Description: iPod Service%%1053

Error: (12/24/2011 05:08:10 PM) (Source: Service Control Manager) (User: )
Description: 30000iPod Service

Error: (12/24/2011 05:08:10 PM) (Source: DCOM) (User: )
Description: 1053iPod Service{063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error: (12/24/2011 05:07:36 PM) (Source: Service Control Manager) (User: )
Description: SRTSP
SRTSPX

Error: (12/24/2011 05:07:36 PM) (Source: Service Control Manager) (User: )
Description: Norton Internet Security%%3


Microsoft Office Sessions:
=========================
Error: (12/27/2011 03:43:59 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/24/2011 05:07:33 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/24/2011 05:06:47 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: -528

Error: (12/24/2011 05:06:47 PM) (Source: ESENT)(User: )
Description: Catalog Database1404Catalog Database: C:\Windows\system32\CatRoot2\edb0014E.log-1811

Error: (12/24/2011 04:34:51 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/24/2011 04:17:10 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/24/2011 04:11:31 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/24/2011 02:44:42 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/24/2011 02:26:37 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/24/2011 02:03:53 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


=========================== Installed Programs ============================

Acrobat.com (Version: 0.0.0)
Acrobat.com (Version: 1.1.377)
ActiveCheck component for HP Active Support Library (Version: 3.0.0.2)
Adobe AIR (Version: 2.6.0.19140)
Adobe Flash Player 10 Plugin (Version: 10.0.32.18)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
Adobe Reader 9.4.6 (Version: 9.4.6)
Adobe Shockwave Player (Version: 11.0)
Apple Application Support (Version: 2.1.6)
Apple Mobile Device Support (Version: 4.0.0.97)
Apple Software Update (Version: 2.1.3.127)
Ask Toolbar (Version: 1.6.12.0)
Atheros Driver Installation Program (Version: 5.2)
Bejeweled 2 Deluxe 1.0
Big Fish Games: Game Manager (Version: 1.5.1.0)
Bonjour (Version: 3.0.0.10)
Build-a-lot
CCleaner (remove only)
Cisco EAP-FAST Module (Version: 2.1.6)
Cisco LEAP Module (Version: 1.0.12)
Cisco PEAP Module (Version: 1.0.13)
Click to Call with Skype (Version: 5.6.8153)
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
Conexant HD Audio (Version: 4.58.1.0)
Coupon Printer for Windows (Version: 4.0)
Coupon Printer for Windows (Version: 5.0.0.0)
CyberLink DVD Suite (Version: 6.0.2203)
CyberLink YouCam (Version: 2.0.1616)
DJ_SF_03_D4300_Software_Min (Version: 110.0.206.000)
ESU for Microsoft Vista (Version: 1.0.0)
File Uploader (Version: 1.1.1)
Google Chrome (Version: 15.0.874.121)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.2.2308.2056)
Google Update Helper (Version: 1.3.21.79)
Google Updater (Version: 2.4.2432.1652)
HDAUDIO Soft Data Fax Modem with SmartCP
HP Active Support Library (Version: 3.1.9.1)
HP Customer Experience Enhancements (Version: 5.7.0.2664)
HP Deskjet D4300 Printer Driver 11.0 Rel .3 (Version: 11.0)
HP Doc Viewer (Version: 1.03.0001)
HP DVD Play 3.7 (Version: 3.7.0.5723)
HP Help and Support (Version: 2.1.1.0)
HP Quick Launch Buttons 6.40 H2 (Version: 6.40 H2)
HP Total Care Advisor (Version: 2.4.4941.2798)
HP Update (Version: 5.003.001.001)
HP User Guides 0118 (Version: 1.00.0000)
HP Wireless Assistant (Version: 3.00 K2)
HPAsset component for HP Active Support Library (Version: 3.0.0.6)
HPNetworkAssistant (Version: 1.1.70)
HPTCSSetup (Version: 1.1.1963.2799)
iCloud (Version: 1.0.2.17)
Intel® Graphics Media Accelerator Driver
iTunes (Version: 10.5.1.42)
Java Auto Updater (Version: 2.0.5.1)
Java™ 6 Update 26 (Version: 6.0.260)
Java™ 6 Update 7 (Version: 1.6.0.70)
Juno Preloader (Version: 1.0.0)
LabelPrint (Version: 2.5.0926)
LeapFrog Connect (Version: 3.0.24.12179)
LeapFrog Leapster2 Plugin (Version: 3.0.24.12179)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Live Search Toolbar (Version: 3.0.541.0)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Works (Version: 9.7.0621)
MobileMe Control Panel (Version: 3.1.8.0)
Mouse Suite
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
muvee Reveal (Version: 7.0.35.6951)
My HP Games (Version: 1.0.0.62)
NetWaiting (Version: 2.5.52)
Nikon Message Center (Version: 0.92.000)
Nikon Transfer (Version: 1.3.0)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
Panorama Maker
Picture Control Utility (Version: 1.1.3)
Power2Go (Version: 6.0.2202)
PowerDirector (Version: 7.0.2201)
QuickTime (Version: 7.71.80.42)
Realtek 8169 8168 8101E 8102E Ethernet Driver (Version: 1.00.0000)
Realtek USB 2.0 Card Reader (Version: 3.0.1.3)
Safari (Version: 5.34.52.7)
Samsung PC Studio 3 (Version: 3.0.0.80206)
ShopAtHome.com Toolbar
Shutterfly Express Uploader (Version: 1.0.0)
Shutterfly Express Uploader (Version: 1.0.0.4)
Skype™ 5.5 (Version: 5.5.117)
Spelling Dictionaries Support For Adobe Reader 9 (Version: 9.0.0)
Synaptics Pointing Device Driver (Version: 11.1.3.0)
Toolbox (Version: 110.0.180.000)
Trend Micro Titanium (Version: 3.1.1109)
Trend Micro™ Titanium™ (Version: 3.00)
Use the entry named LeapFrog Connect to uninstall (LeapFrog Leapster2 Plugin)
ViewNX (Version: 1.2.0)
Vuze (Version: 4.6)
Vuze_Remote Toolbar
WeFi 4.0.0.16 (Version: 4.0.0.16)
Where's Waldo: The Fantastic Journey
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012) (Version: 09/10/2009 02.03.05.012)

========================= Devices: ================================

Name: Microsoft Tun Miniport Adapter #2
Description: Microsoft Tun Miniport Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunmp
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


========================= Memory info: ===================================

Percentage of memory in use: 30%
Total physical RAM: 3002.44 MB
Available physical RAM: 2081.61 MB
Total Pagefile: 6209.15 MB
Available Pagefile: 5334.54 MB
Total Virtual: 2047.88 MB
Available Virtual: 1946.07 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:138.7 GB) (Free:62.49 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:10.34 GB) (Free:1.77 GB) NTFS
4 Drive f: (USB DISK) (Removable) (Total:14.95 GB) (Free:14.93 GB) FAT32

========================= Users: ========================================

User accounts for \\DEANNA-PC

Administrator Deanna Guest


**** End of log ****
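The two reports above (the FSS output in post #1 with the missing MpsSvc/bfe service keys, and the MiniToolBox output in post #3 with `ProxyServer: http=127.0.0.1:5555` and no hosts file) are the kind of thing a helper reads by eye. The script below is an added example, not from this thread or from Farbar's tools: it parses constructed excerpts shaped like those two reports and returns the findings a cleanup should act on. The regexes, function names and the sample excerpts are this example's own assumptions about the log format, modelled on what is posted above.

```python
"""Triage helper for Farbar Service Scanner (FSS) and MiniToolBox reports.

Added example, not part of the thread or of Farbar's tools. It parses
excerpts shaped like the two reports posted above and flags what a rogue-AV
cleanup typically leaves behind: service registry keys that were deleted
(Windows Firewall / System Restore) and a ProxyServer value that points at
loopback, which blackholes every browser request once the rogue's local
proxy process is gone. Function names and regexes are this example's own.
"""
import re

# Constructed excerpt modelled on the FSS output in post #1 (not the full log).
FSS_SAMPLE = """\
Windows Firewall:
================
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

System Restore:
==============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\\0000 registry key. The key does not exist.
"""

# Constructed excerpt modelled on the MiniToolBox proxy section in post #3.
MTB_SAMPLE = """\
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: http=127.0.0.1:5555
Hosts file not detected in the default directory
"""

SERVICE_HDR = re.compile(r"^(\w+) Service is not running\. Checking service configuration:")
MISSING_KEY = re.compile(r"Unable to open (\S+) registry key\. The (?:service )?key does not exist")
PROXY_LINE = re.compile(r"^ProxyServer:\s*(.+)$", re.MULTILINE)
# 127.x.x.x or localhost, bare or after a "scheme=" prefix as in "http=127.0.0.1:5555"
LOOPBACK = re.compile(r"(?:^|=)(?:127\.\d+\.\d+\.\d+|localhost)(?::\d+)?", re.IGNORECASE)


def parse_fss_services(text):
    """Map each stopped service FSS reports to the registry keys it could not open."""
    services, current = {}, None
    for line in text.splitlines():
        hdr = SERVICE_HDR.match(line)
        if hdr:
            current = hdr.group(1)
            services[current] = {"stopped": True, "missing_keys": []}
            continue
        miss = MISSING_KEY.search(line)
        if miss and current and miss.group(1) not in services[current]["missing_keys"]:
            services[current]["missing_keys"].append(miss.group(1))
    return services


def missing_service_keys(text):
    """Services whose own key under ...\\Services is gone (a missing LEGACY_* entry is recorded but not counted here)."""
    return sorted((name for name, info in parse_fss_services(text).items()
                   if name in info["missing_keys"]), key=str.lower)


def proxy_setting(text):
    """Raw ProxyServer value from a MiniToolBox report, or None when the line is absent."""
    m = PROXY_LINE.search(text)
    return m.group(1).strip() if m else None


def proxy_points_to_loopback(value):
    """True when the proxy string sends traffic to 127.x.x.x or localhost."""
    return bool(value) and LOOPBACK.search(value) is not None


def triage(fss_text, mtb_text):
    """Combine both reports into a short list of findings for the helper to act on."""
    findings = [f"service registry key missing: {svc}" for svc in missing_service_keys(fss_text)]
    proxy = proxy_setting(mtb_text)
    # Flagged even when the report says "Proxy is not enabled": the leftover value
    # is what MBAM later reports as PUM.Bad.Proxy in post #5.
    if proxy_points_to_loopback(proxy):
        findings.append(f"proxy points at loopback: {proxy}")
    if "Hosts file not detected" in mtb_text:
        findings.append("hosts file missing from its default directory")
    return findings


if __name__ == "__main__":
    for finding in triage(FSS_SAMPLE, MTB_SAMPLE):
        print(finding)
```

Run against a real FSS and MiniToolBox report by reading the two files into `triage()`; the loopback check is deliberately broad (any 127.x.x.x or localhost, with or without a port) because a rogue AV picks its own port, and the service-key check only counts a missing key for the service itself, since the `LEGACY_*` entry is absent whenever a service simply has not started since boot.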



#4 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,735 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 27 December 2011 - 06:33 PM

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

NOTE.
To manually update MBAM, download this file: http://data.mbamupdates.com/tools/mbam-rules.exe
Double click on downloaded file to update the program.


=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.



#5 DigitalFusion
  • Topic Starter

  • Members
  • 5 posts

Posted 29 December 2011 - 04:35 PM

Thanks once again for your help!



Security Check Results:

Results of screen317's Security Check version 0.99.24
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Trend Micro Titanium
Trend Micro™ Titanium™
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

CCleaner (remove only)
Java™ 6 Update 26
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player ( 10.0.32.18) Flash Player Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSASCui.exe
SecurityCheck.exe
Windows Defender MSASCui.exe
windows defender MpCmdRun.exe
Trend Micro AMSP coreServiceShell.exe
Trend Micro UniClient UiFrmWrk uiWatchDog.exe
Trend Micro AMSP coreFrameworkHost.exe
Trend Micro UniClient UiFrmWrk uiSeAgnt.exe
``````````End of Log````````````




MBAM log (note: a scan was done before, but not with the manual update done this time)

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19154

12/29/2011 12:31:07 PM
mbam-log-2011-12-29 (12-31-07).txt

Scan type: Quick scan
Objects scanned: 178499
Time elapsed: 10 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





GMER Log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-29 14:08:53
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9160310AS rev.HP07
Running: hhg3000j.exe; Driver: C:\Users\Deanna\AppData\Local\Temp\awdirpog.sys


---- System - GMER 1.0.15 ----

SSDT 87EE6AA0 ZwCreateKey
SSDT 87F66A00 ZwCreateMutant
SSDT 87EE55A0 ZwCreateProcess
SSDT 87EE58A0 ZwCreateProcessEx
SSDT 87F66DC0 ZwCreateSymbolicLinkObject
SSDT 87F66340 ZwCreateThread
SSDT 87EE70A0 ZwDeleteKey
SSDT 87EE79A0 ZwDeleteValueKey
SSDT 87F66FA0 ZwDuplicateObject
SSDT 87F66700 ZwLoadDriver
SSDT 87EE5EA0 ZwOpenProcess
SSDT 87EE7F80 ZwOpenSection
SSDT 87EE61A0 ZwOpenThread
SSDT 87EE73A0 ZwRenameKey
SSDT 87EE76A0 ZwRestoreKey
SSDT 87F66BE0 ZwSetSystemInformation
SSDT 87EE6DA0 ZwSetValueKey
SSDT 87EE64A0 ZwTerminateProcess
SSDT 87EE67A0 ZwTerminateThread
SSDT 87F66160 ZwWriteVirtualMemory
SSDT 87F66520 ZwCreateThreadEx
SSDT 87EE5BA0 ZwCreateUserProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 1E9 820EC96C 4 Bytes [A0, 6A, EE, 87]
.text ntkrnlpa.exe!KeSetEvent + 1F5 820EC978 4 Bytes [00, 6A, F6, 87]
.text ntkrnlpa.exe!KeSetEvent + 209 820EC98C 8 Bytes [A0, 55, EE, 87, A0, 58, EE, ...]
.text ntkrnlpa.exe!KeSetEvent + 21D 820EC9A0 8 Bytes [C0, 6D, F6, 87, 40, 63, F6, ...]
.text ntkrnlpa.exe!KeSetEvent + 2D5 820ECA58 4 Bytes [A0, 70, EE, 87]
.text ...

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB62280$\3742309516 0 bytes
File C:\Windows\$NtUninstallKB62280$\485945278 0 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\cfg.ini 199 bytes
File C:\Windows\$NtUninstallKB62280$\485945278\U 0 bytes

---- EOF - GMER 1.0.15 ----



#6 Broni (BC Advisor, Daly City, CA)

Posted 29 December 2011 - 04:46 PM

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.



 


#7 DigitalFusion (Topic Starter)

Posted 29 December 2011 - 06:55 PM

I cannot have it update, as that is my issue. The virus is gone, and now the machine cannot access the internet.


aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2011-12-29 17:50:40
-----------------------------
17:50:40.550 OS Version: Windows 6.0.6002 Service Pack 2
17:50:40.550 Number of processors: 2 586 0xF0D
17:50:40.550 ComputerName: DEANNA-PC UserName: Deanna
17:51:01.306 Initialize success
17:51:18.159 AVAST engine download error: 0
17:52:39.572 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
17:52:39.572 Disk 0 Vendor: ST9160310AS HP07 Size: 152627MB BusType: 3
17:52:39.697 Disk 0 MBR read successfully
17:52:39.697 Disk 0 MBR scan
17:52:39.712 Disk 0 unknown MBR code
17:52:39.712 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 142032 MB offset 63
17:52:39.759 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10591 MB offset 290883584
17:52:39.806 Disk 0 scanning sectors +312573952
17:52:40.009 Disk 0 scanning C:\Windows\system32\drivers
17:53:07.574 Service scanning
17:53:09.555 Modules scanning
17:53:33.704 Disk 0 trace - called modules:
17:53:33.735 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll PCIIDEX.SYS msahci.sys
17:53:33.735 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85cba600]
17:53:33.751 3 CLASSPNP.SYS[8260d8b3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85b19b98]
17:53:33.751 Scan finished successfully
17:54:29.926 Disk 0 MBR has been saved successfully to "F:\virus toolkit\MBR.dat"
17:54:29.973 The log file has been saved successfully to "F:\virus toolkit\aswMBR.txt"



#8 Broni (BC Advisor, Daly City, CA)

Posted 29 December 2011 - 07:02 PM

Make sure your settings are correct.
1. Go Start>Settings>Control Panel (Vista/7 users: Start>Control Panel)
2. Double click Network Connections (Vista/7 users: Network and Sharing Center)
3. Vista/7 users - From the list of tasks on the left, click Manage network connections.
4. For a wired network connection, right-click Local Area Connection, and then select Properties.
For a wireless network connection, right-click Wireless Network Connection, and then select Properties.
5. From the General tab (Vista/7 users: Networking tab), click Internet Protocol version 4 (TCP/IPv4), make sure it is checked, and then click Properties
6. Make sure Obtain an IP Address Automatically and Obtain DNS server address Automatically are checked.
7. Click on "Advanced" button and make sure "IP Settings" tab looks like this:
Posted Image
Make sure "DNS" tab looks like this:
Posted Image
Make sure "WINS" tab looks like this:
Posted Image
8. Still in Control Panel double click on "Internet options" then "Connections" tab then "LAN Settings" button. Make sure "Automatically detect settings" is checked.
If you made any changes OK your way out.
Restart computer.


If that doesn't work...
Turn off computer. Disconnect router, and modem from power source for 1 minute. At the same time disconnect ethernet cable as well.
Reconnect everything.
Restart computer.

If that doesn't work, bypass router, and connect computer straight to the modem.

If that doesn't work...
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista and 7, while holding CTRL, and SHIFT, press Enter).

In Command Prompt window, type in following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


Restart computer.

If that doesn't work...
Go Start>Run (Start search in Vista and 7), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

At Command Prompt, type in:
netsh int ip reset reset.log
Hit Enter.
Type in:
netsh winsock reset catalog
Hit Enter.

Apply Fixit from: http://support.microsoft.com/kb/811259/en-us

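The checklist above walks through the places a rogue antivirus typically leaves residue that blocks internet access once the malware itself is gone: the per-user proxy value (the same key MBAM quarantined as PUM.Bad.Proxy earlier in this thread), the DNS and DHCP settings, and the Winsock catalog. The script below is an added example, not a tool from this thread or from BleepingComputer: it is a read-only audit that gathers those settings in one pass so they can be compared before running the reset commands. It assumes Windows PowerShell 2.0 or later run from an elevated prompt; the service names, registry paths and `netsh` commands are standard Windows ones, and the hosts-file and Winsock checks are heuristics to be read alongside a known-good machine.

```powershell
# Added example (not from the thread): read-only audit of the settings a rogue AV
# commonly tampers with, for use after cleanup when the machine still cannot reach
# the internet. It changes nothing; it only reports what it finds.
# Assumes Windows PowerShell 2.0+ run from an elevated prompt.

$findings = @()

function Add-Finding([string]$Area, [string]$Detail) {
    $script:findings += "[{0}] {1}" -f $Area, $Detail
}

# 1. Per-user proxy settings (the key MBAM flagged as PUM.Bad.Proxy lives here).
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
if ($inet) {
    if ($inet.ProxyEnable -eq 1) { Add-Finding 'Proxy' "ProxyEnable=1, ProxyServer='$($inet.ProxyServer)'" }
    if ($inet.ProxyServer)       { Add-Finding 'Proxy' "ProxyServer value still present: '$($inet.ProxyServer)'" }
    if ($inet.AutoConfigURL)     { Add-Finding 'Proxy' "AutoConfigURL (PAC script) set: '$($inet.AutoConfigURL)'" }
}

# 2. Machine-wide proxy used by system components (WinHTTP). A clean machine reports
#    "Direct access (no proxy server)".
$winhttp = (netsh winhttp show proxy 2>&1 | Out-String)
if ($winhttp -notmatch 'Direct access') { Add-Finding 'WinHTTP' $winhttp.Trim() }

# 3. Hosts file: anything beyond comments and the localhost lines deserves a look.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and
                   $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
    ForEach-Object { Add-Finding 'Hosts' "unexpected entry: $_" }

# 4. Adapter configuration: DHCP state, DNS servers and gateway (WMI, available on Vista).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' | ForEach-Object {
    $dns = if ($_.DNSServerSearchOrder) { $_.DNSServerSearchOrder -join ', ' } else { '(none)' }
    $gw  = if ($_.DefaultIPGateway)     { $_.DefaultIPGateway -join ', ' }     else { '(none)' }
    Add-Finding 'Adapter' ("{0}: DHCP={1} DNS={2} Gateway={3}" -f $_.Description, $_.DHCPEnabled, $dns, $gw)
}

# 5. Services that networking and the firewall depend on. A service whose registry
#    key was deleted shows up here as "not found" rather than merely stopped.
foreach ($name in 'Dhcp', 'Dnscache', 'nsi', 'BFE', 'MpsSvc', 'Winmgmt', 'wscsvc', 'wuauserv') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Add-Finding 'Service' "$name not found (service key missing?)" }
    elseif ($svc.Status -ne 'Running') { Add-Finding 'Service' "$name is $($svc.Status)" }
}

# 6. Winsock catalog entry count, to compare against a known-good machine;
#    "netsh winsock reset catalog" (from the thread) rebuilds the defaults.
$lspCount = @(netsh winsock show catalog | Select-String 'Catalog Entry ID').Count
Add-Finding 'Winsock' "$lspCount catalog entries"

if ($findings.Count -eq 0) { 'No residual proxy, DNS, hosts or service issues found.' }
else { $findings }
```

Run it once before and once after the `ipconfig` and `netsh` reset steps; a ProxyServer or AutoConfigURL value that survives the reset, or a core service reported as "not found", points to what still needs fixing and is worth pasting into the malware-removal topic along with the other logs.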


 


#9 DigitalFusion (Topic Starter)

Posted 29 December 2011 - 08:28 PM

I've actually done everything you listed prior to posting here. I did them again just to be on the safe side. The only thing I cannot do is connect directly to the router, as it's a mobile hotspot device.

EDIT: I also did two fixIts from MS as well.

Edited by DigitalFusion, 29 December 2011 - 08:28 PM.


#10 Broni (BC Advisor, Daly City, CA)

Posted 29 December 2011 - 08:42 PM

Your GMER log makes me believe that you're still infected and you'll need more advanced help.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.



 




