XP internet security 2012 aftermath


  • This topic is locked
23 replies to this topic

#1 Vcali

Vcali

  • Members
  • 79 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 11 January 2012 - 04:13 AM

Hello yet again,

So I had the XP Internet Security 2012 virus. I removed it, or so I think. I followed the guide on this website to remove the virus. I downloaded Malwarebytes and it cleaned the virus. I also downloaded TDSSKiller and for some reason it did not want to clean the infections it found. When my computer starts up in regular mode it freezes when I click anything, with no response or a really late response (right now it's working somehow in regular mode, but it does not let me post the logs on this site; I saved them to a flash drive and I'm doing everything from my laptop). In safe mode it works OK but sometimes redirects to different sites. I also followed the guide from here: http://www.bleepingcomputer.com/forums/topic437279.html. The logs are as follows:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/18/2010 8:17:33 PM
System Uptime: 1/10/2012 2:19:23 PM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P4S533VX
Processor: Intel® Pentium® 4 CPU 2.40GHz | PGA 478 | 2390/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 19 GiB total, 2.391 GiB free.
E: is CDROM ()
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP530: 10/13/2011 3:00:19 AM - Software Distribution Service 3.0
RP531: 10/17/2011 1:23:07 AM - System Checkpoint
RP532: 10/17/2011 9:41:24 PM - Software Distribution Service 3.0
RP533: 10/20/2011 3:32:09 AM - System Checkpoint
RP534: 10/21/2011 4:08:22 AM - System Checkpoint
RP535: 10/22/2011 3:06:25 PM - System Checkpoint
RP536: 10/24/2011 4:09:54 AM - System Checkpoint
RP537: 10/25/2011 5:29:28 AM - System Checkpoint
RP538: 10/28/2011 4:44:41 AM - System Checkpoint
RP539: 10/30/2011 4:49:58 AM - System Checkpoint
RP540: 11/1/2011 3:48:04 AM - System Checkpoint
RP541: 11/3/2011 2:44:17 AM - System Checkpoint
RP542: 11/4/2011 3:41:08 AM - System Checkpoint
RP543: 11/5/2011 4:14:32 AM - System Checkpoint
RP544: 11/6/2011 3:33:42 AM - System Checkpoint
RP545: 11/7/2011 5:54:38 AM - System Checkpoint
RP546: 11/8/2011 6:23:39 AM - System Checkpoint
RP547: 11/9/2011 3:00:23 AM - Software Distribution Service 3.0
RP548: 11/10/2011 3:58:48 AM - System Checkpoint
RP549: 11/11/2011 3:00:27 AM - Software Distribution Service 3.0
RP550: 11/12/2011 3:23:46 AM - System Checkpoint
RP551: 11/15/2011 3:43:51 AM - System Checkpoint
RP552: 11/18/2011 1:46:29 AM - System Checkpoint
RP553: 11/19/2011 4:10:48 AM - System Checkpoint
RP554: 11/20/2011 11:12:40 AM - System Checkpoint
RP555: 11/22/2011 2:52:54 AM - System Checkpoint
RP556: 11/25/2011 2:29:21 AM - System Checkpoint
RP557: 11/28/2011 3:52:39 AM - System Checkpoint
RP558: 11/29/2011 4:04:06 AM - System Checkpoint
RP559: 12/1/2011 3:09:12 AM - System Checkpoint
RP560: 12/2/2011 3:59:31 AM - System Checkpoint
RP561: 12/4/2011 3:25:15 AM - System Checkpoint
RP562: 12/5/2011 3:30:16 AM - System Checkpoint
RP563: 12/7/2011 2:59:17 AM - System Checkpoint
RP564: 12/11/2011 4:27:54 AM - System Checkpoint
RP565: 12/13/2011 4:12:45 AM - System Checkpoint
RP566: 12/14/2011 3:00:25 AM - Software Distribution Service 3.0
RP567: 12/15/2011 3:22:02 AM - System Checkpoint
RP568: 12/17/2011 3:27:48 AM - System Checkpoint
RP569: 12/18/2011 9:05:27 PM - System Checkpoint
RP570: 12/20/2011 2:03:24 AM - System Checkpoint
RP571: 12/21/2011 4:38:24 AM - System Checkpoint
RP572: 12/25/2011 4:30:00 AM - System Checkpoint
RP573: 12/27/2011 4:25:06 AM - System Checkpoint
RP574: 12/30/2011 1:41:42 AM - System Checkpoint
RP575: 12/31/2011 3:37:21 AM - System Checkpoint
RP576: 1/1/2012 3:29:45 PM - System Checkpoint
RP577: 1/3/2012 2:17:24 AM - System Checkpoint
RP578: 1/4/2012 4:28:25 AM - Restore Operation
RP579: 1/9/2012 3:40:42 PM - Restore Operation
.
==== Installed Programs ======================
.
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Bonjour
DVgate
Experience Vaio
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ImageStation Demo
ImageStation Tour
iTunes
Java Auto Updater
Java™ 6 Update 18
Lucent Technologies Soft Modem AMR
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Motion JPEG Software Decoder
MovieShaker 3.3
Music Visualizer Library 1.4.00
NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111
Network Smart Capture
NVIDIA Windows 2000/XP Display Drivers
OpenMG Secure Module 3.1
PC-cillin 2002
PicoPlayer
PicoPlayer Demo
PicoPlayerSplashScreen
PictureGear Studio 1.0
Quicken 2002 New User Edition
QuickTime
RealOne Player
RealProducer Basic 8.5
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SiS Compatible VGA V2.09a
SonicStage 1.5.00
Sony Certificate PCH
Sony DV Shared Library
Sony on Yahoo! Essentials
Support Actions WinXP
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
VAIO Action Setup
VAIO Brezza Wallpaper
VAIO Grid Wallpaper
VAIO Help & Support
VAIO Media 2.0
VAIO Media Installer 2.0
VAIO Media Music Server 2.0
VAIO Media Photo Server 2.0
VAIO Media Platform 2.0
VAIO Registration
VAIO Serenus Wallpaper
VAIO Support
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
1/9/2012 6:04:02 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
1/9/2012 4:18:13 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the VAIO Media Music Server (Application) service to connect.
1/9/2012 4:18:13 PM, error: Service Control Manager [7001] - The VAIO Media Music Server (HTTP) service depends on the VAIO Media Music Server (Application) service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
1/9/2012 4:18:13 PM, error: Service Control Manager [7000] - The VAIO Media Music Server (Application) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/9/2012 3:28:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb DMICall Fips intelppm PCTSD ssmdrv
1/9/2012 10:55:18 PM, error: Service Control Manager [7022] - The Windows Firewall/Internet Connection Sharing (ICS) service hung on starting.
1/5/2012 2:35:00 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the sdCoreService service.
1/4/2012 5:31:34 AM, error: Service Control Manager [7023] - The Security Center service terminated with the following error: %%16389
1/4/2012 5:27:55 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
1/4/2012 5:27:55 AM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/4/2012 5:25:19 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
1/4/2012 5:22:52 AM, error: Service Control Manager [7022] - The Terminal Services service hung on starting.
1/4/2012 5:22:52 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
1/4/2012 5:22:52 AM, error: Service Control Manager [7001] - The Fast User Switching Compatibility service depends on the Terminal Services service which failed to start because of the following error: After starting, the service hung in a start-pending state.
1/4/2012 5:22:52 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/4/2012 4:47:35 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
1/4/2012 4:40:38 AM, error: Service Control Manager [7022] - The Remote Access Connection Manager service hung on starting.
1/4/2012 4:40:38 AM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
1/4/2012 4:40:38 AM, error: Service Control Manager [7001] - The VAIO Media Music Server (UPnP) service depends on the VAIO Media Music Server (HTTP) service which failed to start because of the following error: The system cannot find the file specified.
1/4/2012 4:40:38 AM, error: Service Control Manager [7001] - The PC-cillin PersonalFirewall service depends on the Remote Access Connection Manager service which failed to start because of the following error: After starting, the service hung in a start-pending state.
1/4/2012 4:40:38 AM, error: Service Control Manager [7000] - The VAIO Media Music Server (HTTP) service failed to start due to the following error: The system cannot find the file specified.
1/4/2012 4:40:37 AM, error: Service Control Manager [7001] - The VAIO Media Photo Server (UPnP) service depends on the VAIO Media Photo Server (HTTP) service which failed to start because of the following error: The system cannot find the file specified.
1/4/2012 4:40:37 AM, error: Service Control Manager [7000] - The VAIO Media Photo Server (HTTP) service failed to start due to the following error: The system cannot find the file specified.
1/4/2012 4:35:36 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
1/4/2012 4:35:35 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
1/4/2012 4:35:35 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
1/4/2012 4:35:35 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/4/2012 4:33:44 AM, error: Service Control Manager [7022] - The PC-cillin PersonalFirewall service hung on starting.
1/4/2012 4:25:58 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00184D3486CF. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
1/4/2012 4:17:35 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
1/4/2012 3:47:20 AM, error: Service Control Manager [7016] - The VAIO Media Photo Server (Application) service has reported an invalid current state 272.
1/4/2012 2:38:57 PM, error: Service Control Manager [7001] - The VAIO Media Music Server (UPnP) service depends on the VAIO Media Music Server (HTTP) service which failed to start because of the following error: The dependency service or group failed to start.
1/4/2012 2:38:57 PM, error: Service Control Manager [7001] - The Security Center service depends on the Windows Management Instrumentation service which failed to start because of the following error: After starting, the service hung in a start-pending state.
1/4/2012 2:38:56 PM, error: Service Control Manager [7022] - The Windows Time service hung on starting.
1/4/2012 2:38:56 PM, error: Service Control Manager [7022] - The VAIO Media Music Server (Application) service hung on starting.
1/4/2012 2:38:56 PM, error: Service Control Manager [7022] - The Computer Browser service hung on starting.
1/4/2012 2:38:56 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the VAIO Media Photo Server (Application) service to connect.
1/4/2012 2:38:56 PM, error: Service Control Manager [7001] - The Windows Firewall/Internet Connection Sharing (ICS) service depends on the Windows Management Instrumentation service which failed to start because of the following error: After starting, the service hung in a start-pending state.
1/4/2012 2:38:56 PM, error: Service Control Manager [7001] - The VAIO Media Photo Server (UPnP) service depends on the VAIO Media Photo Server (HTTP) service which failed to start because of the following error: The dependency service or group failed to start.
1/4/2012 2:38:56 PM, error: Service Control Manager [7001] - The VAIO Media Photo Server (HTTP) service depends on the VAIO Media Photo Server (Application) service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
1/4/2012 2:38:56 PM, error: Service Control Manager [7001] - The VAIO Media Music Server (HTTP) service depends on the VAIO Media Music Server (Application) service which failed to start because of the following error: After starting, the service hung in a start-pending state.
1/4/2012 2:38:56 PM, error: Service Control Manager [7000] - The VAIO Media Photo Server (Application) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/4/2012 1:47:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/4/2012 1:44:33 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb DMICall Fips intelppm ssmdrv
1/4/2012 1:36:16 PM, error: Service Control Manager [7034] - The System Restore Service service terminated unexpectedly. It has done this 1 time(s).
1/4/2012 1:36:16 PM, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s).
1/4/2012 1:36:16 PM, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/4/2012 1:36:16 PM, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
1/4/2012 1:36:16 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb DMICall Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip
1/4/2012 1:36:16 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
1/4/2012 1:36:16 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/4/2012 1:36:16 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/4/2012 1:36:16 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
1/4/2012 1:36:16 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/4/2012 1:36:16 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/4/2012 1:21:56 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the AntiVirSchedulerService service.
.
==== End Of File ===========================



.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Valo at 15:15:45 on 2012-01-10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.480.279 [GMT -8:00]
.
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [SiS Tray]
mRun: [SiS KHooker] c:\windows\system32\khooker.exe
mRun: [LTSMMSG] LTSMMSG.exe
mRun: [pccguide.exe] "c:\program files\trend micro\pc-cillin 2002\pccguide.exe"
mRun: [PCCClient.exe] "c:\program files\trend micro\pc-cillin 2002\PCCClient.exe"
mRun: [Pop3trap.exe] "c:\program files\trend micro\pc-cillin 2002\Pop3trap.exe"
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
mRun: [TkBellExe] c:\program files\common files\real\update_ob\evntsvc.exe -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vaioac~1.lnk - c:\program files\sony\vaio action setup\VAServ.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264057898031
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{1069C43D-0927-49C0-AFFC-E2B8B3B079AB} : DhcpNameServer = 10.0.0.1
.
============= SERVICES / DRIVERS ===============
.
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2010-1-21 384608]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-18 11608]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-18 56816]
S2 PCC_PFW;PC-Cillin Personal Firewall;c:\windows\system32\drivers\PCC_PFW.sys [2002-6-19 43612]
S2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2002-3-16 154368]
S2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2002-3-16 18048]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2010-1-18 17149]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2002-8-3 815819]
.
=============== Created Last 30 ================
.
2012-01-10 03:12:41 -------- d-----w- c:\documents and settings\valo\application data\Malwarebytes
2012-01-10 03:12:25 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-10 03:12:19 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-10 03:12:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-10 02:31:48 -------- d--h--w- c:\documents and settings\valo\application data\85C8FA04
2012-01-09 23:42:47 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-01-09 23:42:47 -------- d-----w- c:\windows\system32\wbem\Repository
2012-01-05 09:06:10 -------- d-----w- c:\program files\common files\PC Tools
2012-01-05 09:06:09 -------- d-----w- c:\program files\PC Tools Security
2012-01-05 09:06:09 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-06 09:25:33 1430 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ------w- c:\windows\system32\encdec.dll
.
============= FINISH: 15:17:45.21 ===============
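
As an added example (not part of this thread, and not code from the DDS tool), a small Python parser for the three DDS sections a responder reads first: it pulls driver names out of Service Control Manager 7026 events, the SERVICES / DRIVERS table and the Created Last 30 list, then reports registered drivers that are stopped and failed to load, plus hidden directories recently created under a user profile. It assumes the DDS convention that the R/S prefix means running/stopped and the digit is the start type; the sample lines are constructed from the log above.

```python
"""Parse the DDS log sections a responder reads first and cross-check them."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the DDS sections posted in this thread
# (a handful of representative lines, not the full log).
DDS_SAMPLE = r"""
==== Event Viewer Messages From Past Week ========
.
1/9/2012 3:28:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb DMICall Fips intelppm PCTSD ssmdrv
1/4/2012 1:36:16 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb DMICall Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip
.
============= SERVICES / DRIVERS ===============
.
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2010-1-21 384608]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-18 11608]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-18 56816]
.
=============== Created Last 30 ================
.
2012-01-10 03:12:19 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-10 02:31:48 -------- d--h--w- c:\documents and settings\valo\application data\85C8FA04
.
============= FINISH: 15:17:45.21 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+\s*$")
EVENT_7026_RE = re.compile(r"\[7026\].*?failed to load:\s*(.+)$")
# prefix R/S, start-type digit, name;description;path [date size]
DRIVER_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")
# timestamp, size (or dashes for a directory), 8-char attribute string, path
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+([a-z-]{8})\s+(.+)$")


@dataclass
class Driver:
    running: bool       # assumed DDS convention: R = running, S = stopped
    start_type: int     # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    description: str
    path: str


@dataclass
class Created:
    timestamp: str
    size: str
    attrs: str
    path: str

    @property
    def is_directory(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs


def split_sections(text: str) -> dict[str, list[str]]:
    """Group non-empty, non-separator lines under the '==== Title ====' header above them."""
    sections: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def failed_drivers(sections: dict[str, list[str]]) -> set[str]:
    """Driver names named in Service Control Manager 7026 ('failed to load') events."""
    names: set[str] = set()
    for line in sections.get("Event Viewer Messages From Past Week", []):
        m = EVENT_7026_RE.search(line)
        if m:
            names.update(m.group(1).split())
    return names


def parse_drivers(sections: dict[str, list[str]]) -> list[Driver]:
    out = []
    for line in sections.get("SERVICES / DRIVERS", []):
        m = DRIVER_RE.match(line)
        if m:
            out.append(Driver(m.group(1) == "R", int(m.group(2)), m.group(3), m.group(4), m.group(5)))
    return out


def parse_created(sections: dict[str, list[str]]) -> list[Created]:
    out = []
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if m:
            out.append(Created(*m.groups()))
    return out


def triage(text: str) -> dict[str, list[str]]:
    """Registered drivers that are stopped and failed to load (security drivers that
    will not start deserve a look), and hidden directories created under a profile."""
    sections = split_sections(text)
    failed = {n.lower() for n in failed_drivers(sections)}
    stopped_failed = sorted(d.name for d in parse_drivers(sections)
                            if not d.running and d.name.lower() in failed)
    hidden_dirs = [c.path for c in parse_created(sections)
                   if c.is_directory and c.is_hidden
                   and "\\documents and settings\\" in c.path.lower()]
    return {"stopped_failed_drivers": stopped_failed, "hidden_profile_dirs": hidden_dirs}


if __name__ == "__main__":
    for key, items in triage(DDS_SAMPLE).items():
        print(key)
        for item in items:
            print("   ", item)
```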



#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:10 AM

Posted 14 January 2012 - 10:42 AM

Hello Vcali and welcome to BC. :)

Sorry about the delay, do you still need help?

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#3 Vcali (Topic Starter)

Posted 14 January 2012 - 01:14 PM

Yes I do. At this point I am sometimes able to use the computer in regular mode, but it still redirects me to a different site and the computer is really slow. I am certain something is still wrong. Thanks so much.

#4 sempai (Malware Response Team)

Posted 14 January 2012 - 01:57 PM

Please remove the unnecessary and outdated AV product: go to Control Panel > Add/Remove Programs and uninstall PC-cillin 2002.

=================================

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see a prompt asking to install it. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that the Recovery Console was successfully installed.


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp



#5 Vcali (Topic Starter)

Posted 14 January 2012 - 09:13 PM

Here is the log from ComboFix. It ran twice: once when I started it, and then the computer rebooted and it ran again. I think after the reboot Avira started guarding again and it gave me a message saying a rootkit was trying to enter, or something of that sort; I clicked Deny access. Anyway, thank you very much, I appreciate your help. Here is the log. PS: I never visited these sites.

ComboFix 12-01-13.05 - Valo 01/14/2012 17:38:47.1.1 - x86
Running from: c:\documents and settings\Valo\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Valo\WINDOWS
c:\program files\StartNow Toolbar
c:\program files\StartNow Toolbar\Resources\images\engine_images.png
c:\program files\StartNow Toolbar\Resources\images\engine_maps.png
c:\program files\StartNow Toolbar\Resources\images\engine_news.png
c:\program files\StartNow Toolbar\Resources\images\engine_videos.png
c:\program files\StartNow Toolbar\Resources\images\engine_web.png
c:\program files\StartNow Toolbar\Resources\images\icon_amazon.png
c:\program files\StartNow Toolbar\Resources\images\icon_ebay.png
c:\program files\StartNow Toolbar\Resources\images\icon_facebook.png
c:\program files\StartNow Toolbar\Resources\images\icon_games.png
c:\program files\StartNow Toolbar\Resources\images\icon_msn.png
c:\program files\StartNow Toolbar\Resources\images\icon_shopping.png
c:\program files\StartNow Toolbar\Resources\images\icon_travel.png
c:\program files\StartNow Toolbar\Resources\images\icon_twitter.png
c:\program files\StartNow Toolbar\Resources\images\startnow_logo.png
c:\program files\StartNow Toolbar\Resources\installer.xml
c:\program files\StartNow Toolbar\Resources\protect\index.html
c:\program files\StartNow Toolbar\Resources\protect\NotIE6.css
c:\program files\StartNow Toolbar\Resources\protect\OnlyIE6.css
c:\program files\StartNow Toolbar\Resources\protect\SearchProtectIcon.png
c:\program files\StartNow Toolbar\Resources\protect\window.css
c:\program files\StartNow Toolbar\Resources\protect\window.js
c:\program files\StartNow Toolbar\Resources\reactivate\index.html
c:\program files\StartNow Toolbar\Resources\reactivate\LeftImage.png
c:\program files\StartNow Toolbar\Resources\reactivate\NotIE6.css
c:\program files\StartNow Toolbar\Resources\reactivate\OnlyIE6.css
c:\program files\StartNow Toolbar\Resources\reactivate\window.css
c:\program files\StartNow Toolbar\Resources\reactivate\window.js
c:\program files\StartNow Toolbar\Resources\skin\chevron_button.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_button_hover.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_button_normal.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_background.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_left.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_middle.png
c:\program files\StartNow Toolbar\Resources\skin\separator.png
c:\program files\StartNow Toolbar\Resources\skin\splitter.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png
c:\program files\StartNow Toolbar\Resources\toolbar.xml
c:\program files\StartNow Toolbar\Resources\update.xml
c:\program files\StartNow Toolbar\uninstall.dat
c:\windows\$NtUninstallKB2945$
c:\windows\$NtUninstallKB2945$\2685528055
c:\windows\$NtUninstallKB2945$\3145052404\@
c:\windows\$NtUninstallKB2945$\3145052404\bckfg.tmp
c:\windows\$NtUninstallKB2945$\3145052404\cfg.ini
c:\windows\$NtUninstallKB2945$\3145052404\Desktop.ini
c:\windows\$NtUninstallKB2945$\3145052404\keywords
c:\windows\$NtUninstallKB2945$\3145052404\kwrd.dll
c:\windows\$NtUninstallKB2945$\3145052404\L\akygdmgo
c:\windows\$NtUninstallKB2945$\3145052404\lsflt7.ver
c:\windows\$NtUninstallKB2945$\3145052404\U\00000001.@
c:\windows\$NtUninstallKB2945$\3145052404\U\00000002.@
c:\windows\$NtUninstallKB2945$\3145052404\U\00000004.@
c:\windows\$NtUninstallKB2945$\3145052404\U\80000000.@
c:\windows\$NtUninstallKB2945$\3145052404\U\80000004.@
c:\windows\$NtUninstallKB2945$\3145052404\U\80000032.@
c:\windows\system32\config\systemprofile\WINDOWS
.
Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2011-12-15 to 2012-01-15 )))))))))))))))))))))))))))))))
.
.
2012-01-15 01:29 . 2008-04-13 19:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-01-15 01:29 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-10 03:12 . 2012-01-10 03:12 -------- d-----w- c:\documents and settings\Valo\Application Data\Malwarebytes
2012-01-10 03:12 . 2012-01-10 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-10 03:12 . 2012-01-10 03:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-10 03:12 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-10 02:31 . 2012-01-10 02:33 -------- d--h--w- c:\documents and settings\Valo\Application Data\85C8FA04
2012-01-09 23:42 . 2012-01-09 23:42 -------- d-----w- c:\windows\system32\wbem\Repository
2012-01-05 09:06 . 2012-01-09 23:42 -------- d-----w- c:\program files\Common Files\PC Tools
2012-01-05 09:06 . 2012-01-09 23:42 -------- d-----w- c:\program files\PC Tools Security
2012-01-05 09:06 . 2012-01-09 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-01-04 12:14 . 2012-01-04 12:14 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2002-08-03 15:05 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2002-08-03 15:05 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2002-08-03 15:05 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2010-01-21 07:16 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2002-08-03 15:05 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-06 09:25 . 2011-11-06 09:25 1430 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-11-04 19:20 . 2002-08-29 15:14 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2002-08-29 15:14 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 19:20 . 2002-08-03 15:04 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2002-08-03 15:05 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-03 15:28 . 2002-08-03 15:05 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-01 16:07 . 2002-08-03 15:05 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2002-08-03 15:04 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2002-08-03 15:05 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2001-08-17 13:48 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 07:56 186880 ------w- c:\windows\system32\encdec.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-27 102400]
"LTSMMSG"="LTSMMSG.exe" [2002-07-20 32768]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-07-04 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2002-07-14 11406]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\evntsvc.exe" [2010-01-19 146432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2010-1-21 884844]
VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2002-8-15 40960]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sony\\VAIO Media 2.0\\Vc.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/18/2010 11:55 PM 108289]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [1/18/2010 11:50 PM 17149]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [8/3/2002 7:06 AM 815819]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [1/21/2010 12:08 AM 384608]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 10.0.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SiS Tray - (no file)
HKLM-Run-SiS KHooker - c:\windows\System32\khooker.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-14 17:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1556)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Sony\VAIO Media Music Server\SSSvr.exe
c:\program files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
c:\windows\LTSMMSG.exe
c:\windows\System32\WScript.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-01-14 18:06:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-15 02:06
.
Pre-Run: 2,038,996,992 bytes free
Post-Run: 2,324,271,104 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - D2BA668AC0EFD97A0F27D3BC89088C7D
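The ComboFix log above shows the things a responder looks for in this kind of cleanup: the fake $NtUninstallKB2945$ hotfix-uninstall folder with its "@", "U" and "L" entries, a patched system driver (i8042prt.sys) that ComboFix had to restore, a hidden eight-hex-character folder under Application Data (85C8FA04), and AntiVirusOverride=1 in the Security Center key. As an added example, not part of the thread and not ComboFix's own logic, the Python script below runs those checks over report lines copied from the log above. The regular expressions, the "KB number shorter than six digits" rule and the two KB1234567 lines in the sample are this example's own assumptions.

```python
import re
from typing import Dict, List, NamedTuple

# Added triage example: not a BleepingComputer, ComboFix or ESET tool. It reads
# ComboFix-style report lines and flags the indicators seen in the log above.
# Every pattern below is a heuristic chosen for this example.


class Finding(NamedTuple):
    category: str  # indicator type
    evidence: str  # the report line that triggered it


# Fake hotfix-uninstall folder. Genuine ones carry a six- or seven-digit KB number
# (KB1234567 below is a constructed stand-in); the one in the log, KB2945, is four
# digits and holds the "@", "U\" and "L\" entries typical of ZeroAccess/Sirefef,
# the family ESET names for the quarantined driver later in the thread.
FAKE_KB_DIR = re.compile(r"\\\$NtUninstallKB(?P<kb>\d+)\$(?P<rest>.*)$", re.IGNORECASE)
ZA_CHILDREN = re.compile(r"\\(?:@|U\\[0-9A-F]{8}\.@|L\\[a-z]+)$", re.IGNORECASE)

# ComboFix reports a patched system driver it had to restore (here i8042prt.sys).
PATCHED_DRIVER = re.compile(r"^Infected copy of (?P<path>\S+) was found and disinfected$")

# "Files Created" entry: date time . date time size attrs path
CREATED_ENTRY = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\S+\s+"
    r"(?P<attrs>[-\w]{8})\s+(?P<path>.+)$"
)
HEX8_NAME = re.compile(r"^[0-9A-F]{8}$", re.IGNORECASE)

# Security Center override: a non-zero value silences the "no antivirus" warning.
AV_OVERRIDE = re.compile(r'^"AntiVirusOverride"=dword:0*[1-9a-f][0-9a-f]*$', re.IGNORECASE)


def triage(report: str) -> List[Finding]:
    """Return one Finding per suspicious line, in report order."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue

        m = FAKE_KB_DIR.search(line)
        if m:
            short_kb = len(m.group("kb")) < 6
            za_child = ZA_CHILDREN.search(m.group("rest")) is not None
            if short_kb or za_child:
                findings.append(Finding("fake_kb_uninstall_dir", line))
            continue

        if PATCHED_DRIVER.match(line):
            findings.append(Finding("patched_system_driver", line))
            continue

        m = CREATED_ENTRY.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            name = path.rstrip("\\").rsplit("\\", 1)[-1]
            # hidden directory whose name is exactly 8 hex characters
            if attrs.startswith("d") and "h" in attrs and HEX8_NAME.match(name):
                findings.append(Finding("hidden_hex_appdata_dir", line))
            continue

        if AV_OVERRIDE.match(line):
            findings.append(Finding("security_center_override", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed excerpt: lines copied from the ComboFix log in the thread plus two
# made-up KB1234567 lines to show the child-name check on a genuine-looking number.
SAMPLE_REPORT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\StartNow Toolbar
c:\windows\$NtUninstallKB2945$
c:\windows\$NtUninstallKB2945$\2685528055
c:\windows\$NtUninstallKB2945$\3145052404\@
c:\windows\$NtUninstallKB2945$\3145052404\L\akygdmgo
c:\windows\$NtUninstallKB2945$\3145052404\U\00000001.@
c:\windows\$NtUninstallKB2945$\3145052404\U\80000032.@
c:\windows\$NtUninstallKB1234567$
c:\windows\$NtUninstallKB1234567$\@
.
Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
.
2012-01-10 03:12 . 2012-01-10 03:12 -------- d-----w- c:\documents and settings\Valo\Application Data\Malwarebytes
2012-01-10 02:31 . 2012-01-10 02:33 -------- d--h--w- c:\documents and settings\Valo\Application Data\85C8FA04
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.category:26} {f.evidence}")
    print(summarize(triage(SAMPLE_REPORT)))
```

Run it as-is to print the findings for the excerpt, or pass the text of a real ComboFix.txt to triage(). The hidden-folder check only says "look at this"; it does not claim the folder is malicious, which is why the helper follows up with SystemLook and an online scan of the file before deciding anything.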

#6 sempai (Malware Response Team)

Posted 14 January 2012 - 09:25 PM

The rootkit was taken care of. How's the computer running now?


:step1: Please download SystemLook from jpshortstuff and save it to your Desktop

Download Mirror #1
Download Mirror #2

  • Double-click the SystemLook and copy-paste the following into the box
    :dir
    c:\documents and settings\valo\application data\85C8FA04
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply


:step2: ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use, then click on: Start
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Start
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close, but make sure you copy the logfile first.
  • Now click on: Finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

~Semp



#7 Vcali (Topic Starter)

Posted 15 January 2012 - 05:40 AM

I haven't gone to many sites yet but so far have not been redirected once. I followed the steps you provided me and will list the logs. The Eset scanner found 5 infected files. Here are the logs:

System look:

SystemLook 30.07.11 by jpshortstuff
Log created at 01:18 on 15/01/2012 by Valo
Administrator - Elevation successful

========== dir ==========

c:\documents and settings\valo\application data\85C8FA04 - Parameters: "(none)"

---Files---
85C8FA04.DAT --ah--- 691 bytes [02:33 10/01/2012] [02:33 10/01/2012]

---Folders---
None found.

-= EOF =-




Eset:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=fe880103528bd14399e43b6dee3e902c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-15 10:31:16
# local_time=2012-01-15 02:31:17 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 61732969 61732969 0 0
# compatibility_mode=1797 16775145 100 94 0 99160335 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=49294
# found=5
# cleaned=0
# scan_time=2460
C:\Documents and Settings\Valo\Application Data\Sun\Java\Deployment\cache\6.0\23\3ea95997-24c6d536 Java/Exploit.CVE-2011-3544.S trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Valo\Application Data\Sun\Java\Deployment\cache\6.0\5\62e61245-198335b0 a variant of Win32/Kryptik.YVM trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Valo\Application Data\Sun\Java\Deployment\cache\6.0\5\78c39385-797376cd a variant of Java/Exploit.CVE-2011-3544.G trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Valo\Application Data\Sun\Java\Deployment\cache\6.0\63\304979ff-26ad5c5f a variant of Java/Agent.DZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\i8042prt.sys.vir Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
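The ESET log above lists five detections: four files in the Java deployment cache and one that is already sitting in ComboFix's quarantine (C:\Qoobox). In the following post the helper copies the four cache paths by hand into an OTM :Files section and leaves the quarantined driver alone. As an added example (not ESET's, OldTimer's or the helper's code), the Python below parses this log format, checks the header against the detection lines (found= must equal the number of detection lines, and remove_checked=false confirms ESET did not already delete them) and emits the :Files section while skipping quarantine folders. The quarantine prefix list and the regular expressions are this example's own assumptions; the sample log is copied from the post above.

```python
import re
from typing import Dict, List, NamedTuple, Sequence, Tuple

# Added example (not ESET's, OldTimer's or the helper's code): parse an ESET Online
# Scanner log.txt and build the :Files section of an OTM script from it. The
# quarantine prefix list and the regular expressions are this example's own.


class EsetHit(NamedTuple):
    path: str    # file ESET flagged
    threat: str  # detection name as ESET printed it
    status: str  # text inside the parentheses, e.g. "unable to clean"


HEADER = re.compile(r"^# (?P<key>[A-Za-z0-9_.]+)=(?P<value>.*)$")

# <drive>:\<path with spaces> <threat words> (<status>) <32 hex> <flag>
# The path is matched lazily so it ends at the first token that looks like a
# detection name (Family/Name, optionally preceded by "a variant of").
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+(?: \S+)*?)\s+"
    r"\((?P<status>[^)]*)\)\s+[0-9a-fA-F]{32}\s+\S+$"
)

# Folders whose contents are already quarantined by another tool (ComboFix, OTM).
QUARANTINE_PREFIXES: Sequence[str] = ("c:\\qoobox\\", "c:\\_otm\\")


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[EsetHit]]:
    headers: Dict[str, str] = {}
    hits: List[EsetHit] = []
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER.match(line)
        if h:
            headers[h.group("key")] = h.group("value")  # repeated keys: last one wins
            continue
        d = DETECTION.match(line)
        if d:
            hits.append(EsetHit(d.group("path"), d.group("threat"), d.group("status")))
    return headers, hits


def check_consistency(headers: Dict[str, str], hits: List[EsetHit]) -> List[str]:
    """Sanity checks before acting on the log; an empty list means all good."""
    problems: List[str] = []
    if headers.get("found") != str(len(hits)):
        problems.append(f"header found={headers.get('found')} but parsed {len(hits)} detection lines")
    if headers.get("remove_checked") != "false":
        problems.append("scan ran with 'Remove found threats' on; listed files may already be gone")
    return problems


def build_otm_script(hits: List[EsetHit], skip_prefixes: Sequence[str] = QUARANTINE_PREFIXES) -> str:
    """OTM :Files section for every hit outside a quarantine folder, then [emptytemp]."""
    files = [h.path for h in hits if not h.path.lower().startswith(tuple(skip_prefixes))]
    return "\n".join([":Files", *files, "", ":Commands", "[emptytemp]"])


# Constructed sample: header and detection lines copied from the ESET log in the thread.
SAMPLE_ESET_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# OnlineScanner.ocx=1.0.0.6583
# end=finished
# remove_checked=false
# archives_checked=true
# antistealth_checked=true
# osver=5.1.2600 NT Service Pack 3
# scanned=49294
# found=5
# cleaned=0
# scan_time=2460
C:\Documents and Settings\Valo\Application Data\Sun\Java\Deployment\cache\6.0\23\3ea95997-24c6d536 Java/Exploit.CVE-2011-3544.S trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Valo\Application Data\Sun\Java\Deployment\cache\6.0\5\62e61245-198335b0 a variant of Win32/Kryptik.YVM trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Valo\Application Data\Sun\Java\Deployment\cache\6.0\5\78c39385-797376cd a variant of Java/Exploit.CVE-2011-3544.G trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Valo\Application Data\Sun\Java\Deployment\cache\6.0\63\304979ff-26ad5c5f a variant of Java/Agent.DZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\i8042prt.sys.vir Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    hdrs, found = parse_eset_log(SAMPLE_ESET_LOG)
    for problem in check_consistency(hdrs, found):
        print("WARNING:", problem)
    print(build_otm_script(found))
```

To use it on a real scan, read C:\Program Files\ESET\EsetOnlineScanner\log.txt and pass its text to parse_eset_log(); review the generated :Files list before pasting it into OTM, since the script deliberately does nothing about the :Reg section, which depends on what the other logs showed.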

#8 sempai (Malware Response Team)

Posted 15 January 2012 - 08:27 AM

Log is looking good; just a few more steps before we can call this topic resolved. :)


:step1: Please go to http://virscan.org/
  • Enter the following file path into the "Suspicious files to scan" box on the top of the page:

    c:\documents and settings\valo\application data\85C8FA04\85C8FA04.DAT

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



:step2: We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double-click the OTM icon on your desktop.
  • Paste the following code into the "Paste Instructions for Items to be Moved" box. Do not include the word "Code".

    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    
    :Files
    C:\Documents and Settings\Valo\Application Data\Sun\Java\Deployment\cache\6.0\23\3ea95997-24c6d536 
    C:\Documents and Settings\Valo\Application Data\Sun\Java\Deployment\cache\6.0\5\62e61245-198335b0 
    C:\Documents and Settings\Valo\Application Data\Sun\Java\Deployment\cache\6.0\5\78c39385-797376cd 
    C:\Documents and Settings\Valo\Application Data\Sun\Java\Deployment\cache\6.0\63\304979ff-26ad5c5f
    
    :Commands
    [emptytemp]
    
  • Push the large MoveIt! button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

~Semp



#9 Vcali (Topic Starter)

Posted 15 January 2012 - 12:47 PM

Hello, it will not let me paste or even type anything in the "suspicious files to scan" box. I am not sure how to browse for it either. I got so far but then came to a dead end. Thanks

#10 sempai (Malware Response Team)

Posted 15 January 2012 - 01:00 PM

Please proceed with step 2, and then upload the file to Jotti, thanks. :)


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

  • Please click this link-->Jotti
  • When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

    c:\documents and settings\valo\application data\85C8FA04\85C8FA04.DAT

  • Please post back the results of the scan in your next post.
  • If Jotti is busy, try the same at Virustotal


Edited by sempai, 15 January 2012 - 01:07 PM.

~Semp



#11 Vcali (Topic Starter)

Posted 15 January 2012 - 01:37 PM

Jotti found nothing on all scanners and here is the OTM log:


All processes killed
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\software\microsoft\security center\\"AntiVirusOverride"|dword:00000000 /E : value set successfully!
========== FILES ==========
C:\Documents and Settings\Valo\Application Data\Sun\Java\Deployment\cache\6.0\23\3ea95997-24c6d536 moved successfully.
C:\Documents and Settings\Valo\Application Data\Sun\Java\Deployment\cache\6.0\5\62e61245-198335b0 moved successfully.
C:\Documents and Settings\Valo\Application Data\Sun\Java\Deployment\cache\6.0\5\78c39385-797376cd moved successfully.
C:\Documents and Settings\Valo\Application Data\Sun\Java\Deployment\cache\6.0\63\304979ff-26ad5c5f moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 832197 bytes
->Temporary Internet Files folder emptied: 493604 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 28091 bytes

User: Valo
->Temp folder emptied: 802 bytes
->Temporary Internet Files folder emptied: 4092819 bytes
->Java cache emptied: 18556075 bytes
->Flash cache emptied: 101520 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 39097 bytes
%systemroot%\System32 .tmp files removed: 4007 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 610226 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 24.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 01152012_101846

Files moved on Reboot...

Registry entries deleted on Reboot...

#12 sempai (Malware Response Team)

Posted 15 January 2012 - 08:32 PM

That's great, how's the computer running now?


:step1: Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7.
  • Look for "Java SE 7u2".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".

    • Select "Windows x86 Offline" and click on jre-7u2-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.



:step2: Please run a DDS scan once again and post the new report for my review, no need to include the Attach.txt.

~Semp



#13 Vcali (Topic Starter)

Posted 15 January 2012 - 09:04 PM

So far so good. Don't have any problems. I am not sure if that virus could have infected my wireless keyboard, but it didn't work when I had the virus. I haven't tried it out after the infection removal. I am not going to be able to do the directions you recommended in your last post because I will be out of town until Friday. Is it ok to do when I get back? I really appreciate your help.

#14 sempai (Malware Response Team)

Posted 15 January 2012 - 09:28 PM

Is it ok to do when I get back?

Sure, no problem. :)

~Semp



#15 sempai (Malware Response Team)

Posted 21 January 2012 - 07:47 PM

Hi,

Are you still with me?

~Semp
