Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

no internet after combofix-helper out of town


  • This topic is locked This topic is locked
41 replies to this topic

#1 drpaul88

drpaul88

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:03:55 AM

Posted 09 March 2012 - 08:07 AM

I have been working with Sempai. Had me run combofix among other things. Said he was leaving from 9th-12th but did not get my last post. I have lost internet connection. I have rebooted a couple times & re-ran combofix, still nothing....please help, I need the internet for work

thanks

this is my last combofix log:


ComboFix 12-03-07.05 - Paul 03/08/2012 7:47.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.532 [GMT -5:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB24539$\4143494357
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Paul\g2mdlhlpx.exe
c:\documents and settings\Paul\Start Menu\Programs\System Check
c:\documents and settings\Paul\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\Paul\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\windows\$NtUninstallKB24539$
c:\windows\$NtUninstallKB24539$\4286881887\@
c:\windows\$NtUninstallKB24539$\4286881887\bckfg.tmp
c:\windows\$NtUninstallKB24539$\4286881887\cfg.ini
c:\windows\$NtUninstallKB24539$\4286881887\Desktop.ini
c:\windows\$NtUninstallKB24539$\4286881887\keywords
c:\windows\$NtUninstallKB24539$\4286881887\kwrd.dll
c:\windows\$NtUninstallKB24539$\4286881887\L\aoqomtme
c:\windows\$NtUninstallKB24539$\4286881887\lsflt7.ver
c:\windows\$NtUninstallKB24539$\4286881887\U\00000001.@
c:\windows\$NtUninstallKB24539$\4286881887\U\00000002.@
c:\windows\$NtUninstallKB24539$\4286881887\U\00000004.@
c:\windows\$NtUninstallKB24539$\4286881887\U\80000000.@
c:\windows\$NtUninstallKB24539$\4286881887\U\80000004.@
c:\windows\$NtUninstallKB24539$\4286881887\U\80000032.@
.
.
((((((((((((((((((((((((( Files Created from 2012-02-08 to 2012-03-08 )))))))))))))))))))))))))))))))
.
.
2012-03-01 18:40 . 2012-02-16 14:40 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2012-03-01 18:40 . 2012-02-16 14:40 97240 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2012-03-01 18:40 . 2012-02-16 14:40 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2012-03-01 18:40 . 2012-02-16 14:40 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-03-01 18:40 . 2012-02-16 14:40 437208 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2012-03-01 18:40 . 2012-02-16 14:40 1911768 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2012-03-01 18:40 . 2012-02-16 14:40 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2012-03-01 18:40 . 2012-02-16 10:42 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-03-01 18:40 . 2012-02-16 10:42 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-03-01 18:40 . 2012-02-16 10:42 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-03-01 18:40 . 2012-02-16 10:42 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2012-03-01 18:40 . 2012-02-16 10:42 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2012-02-29 19:55 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-29 19:55 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-29 19:35 . 2012-02-29 19:35 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-30 23:47 . 2011-12-05 17:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:53 . 2008-04-14 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-12-10 20:24 . 2011-05-16 17:07 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-31 16:42 . 2011-03-31 16:42 289592 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2012-02-16 14:40 . 2012-03-01 18:40 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-09 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 4616064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-04-11 413696]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdAuxService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdCoreService]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Documents and Settings\\Paul\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Paul\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 7:13 AM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 3:03 PM 32592]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/23/2012 7:32 PM 263888]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [1/23/2012 7:33 PM 338880]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 5:41 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/4/2011 11:59 PM 297168]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [1/23/2012 7:33 PM 253096]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [1/23/2012 7:32 PM 233976]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [1/31/2012 3:02 PM 7391072]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 4:33 AM 269520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 8:28 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 6:53 AM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 6:53 AM 27216]
S0 cerc6;cerc6; [x]
S0 mphdg;mphdg;c:\windows\system32\drivers\tkloge.sys --> c:\windows\system32\drivers\tkloge.sys [?]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [10/17/2010 7:32 PM 20549]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 4:15 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 4:15 PM 135664]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [1/23/2012 7:32 PM 70664]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [1/23/2012 7:32 PM 371472]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2012-03-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-06 21:15]
.
2012-03-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-06 21:15]
.
2012-03-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-115176313-1417001333-1003Core.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 09:45]
.
2012-03-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-115176313-1417001333-1003UA.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z039&form=ZGAPHP
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Paul\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\9xf03076.default\
FF - prefs.js: browser.search.selectedEngine - google.com
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-08 10:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(888)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(948)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - - - - > 'explorer.exe'(2108)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG10\avgchsvx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\AVG\AVG10\avgnsx.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\AVG\AVG10\avgrsx.exe
c:\program files\AVG\AVG10\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2012-03-08 10:27:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-08 15:27
.
Pre-Run: 208,494,632,960 bytes free
Post-Run: 208,450,748,416 bytes free
.
- - End Of File - - 5AA7E996FCAA2AD70362AD7497D687C6

BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:55 AM

Posted 09 March 2012 - 07:59 PM

Hi,

I'll see if I can help you out until Sempai returns (you will need a USB to download the programs and transfer back and forth - run the following on the USB to protect it:
Download Flash_Disinfector.exe from HERE and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
)


please run the following


Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 drpaul88

drpaul88
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:03:55 AM

Posted 11 March 2012 - 09:02 AM

Ran the flash disinfector.....not really sure what it did

As a side note, I am getting Sigmatel-IDT-systra error every time I shut down


Here's FSS:
Farbar Service Scanner Version: 01-03-2012
Ran by Paul (administrator) on 11-03-2012 at 09:59:39
Running from "K:\virus fix"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgtdix(9) Gpc(3) IPSec(5) NetBT(6) pctgntdi(10) PSched(7) Tcpip(4)
0x0A00000005000000010000000200000003000000040000000A00000008000000090000000600000007000000
IpSec Tag value is correct.

**** End of log ****

#4 drpaul88

drpaul88
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:03:55 AM

Posted 11 March 2012 - 09:05 AM

in addition...I keep getting the jushed crash & I can not boot in safe mode via msconfig

#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:55 AM

Posted 11 March 2012 - 09:28 AM

Hi,

I can not boot in safe mode via msconfig


Good, please never try and place your machine into safe mode via msconfig, it can cause your system to enter an endless boot loop

the only method to enter safe mode should be the following:

  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account


(flash disinfector just places a hidden file in the USB which prevents malware from writing code to execute when plugged in, so you wouldn't actually see anything happen)


well that doesn't explain why there is no internet connection

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.



go into Service Manager and Start BITS manually, change it to start Automatically

click start > run > type "services.msc" > click ok

scroll down to Background Intelligence Transfer service and start it.


then try some trouble shooting for the connection:



if your network icon appears on the Windows taskbar, then you can repair it by right-clicking on the icon and selecting Repair.


Posted Image

If you have no task bar icon do this:

  • Click on the Start button.
  • Click on the Settings menu option.
  • Click on the Control Panel option.
  • When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
  • You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it.
  • click on the Repair menu option.

Posted Image

Let the repair process perform its tasks and when it has finished, your Internet connection should be working again.


if no luck - try this:

  • Go to Start > Control Panel, and choose Network Connections.
  • Right click on your default connection, usually Local Area Connection for cable and DSL or Dial-up Connection if you are using Dial-up, and choose Properties.
  • Click the Networking tab
  • Double-click on the Internet Protocol (TCP/IP) item.
  • Write down the settings in case you should need to change them back.
  • Select the radio button that says "Obtain DNS servers automatically".
  • Click OK twice to get out of the properties screen and restart your computer.
  • If not prompted to reboot go ahead and reboot manually.

In I.E.
  • Check internet options settings.
  • Tools > Internet Options > Connections
  • LAN settings
  • Choose "automatically detect settings"
  • uncheck both proxy settings boxes

In FireFox
  • Click on Advanced -> Network -> Settings…
  • the No Proxy option should be selected



Next: - try this:

Go to Start > Run > type in CMD to open a command prompt.

Type in the following command in the command prompt and press Enter.


netsh int ip reset reset.log

Then also type the following command and hit enter.

netsh winsock reset catalog

Once that completes then restart the system and see then if you are able to get online.


next this -

Go to Start > Run then type: CMD into the run box

You will now see a black DOS-like screen.

Type the following at the command prompt:

IPconfig /release. (Note the space between the "g" and the slash / it needs to be there)

Hit enter Then type:

IPconfig /Renew (Note the space between the "g" and the slash / it needs to be there)

Hit enter



NEXT


re-run ComboFix > post the resulting log

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 drpaul88

drpaul88
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:03:55 AM

Posted 11 March 2012 - 10:51 AM

BITS won’t start

I can see network icon but cannot repair (missing IP)

For tcp/ip there are no settings to write down….everything is blank

I CAN get on line which is freaking AWESOME!!!! (after the CMD entries & reboot)

Do I still need to do IPconfig & renew?

Can’t get combofix to start…nothing happens when I double click it

#7 drpaul88

drpaul88
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:03:55 AM

Posted 11 March 2012 - 10:54 AM

oops...combofix finally started will post when done

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:55 AM

Posted 11 March 2012 - 11:08 AM

:thumbup2:

don't worry about the 'renew' command if your connection is working now

I'll await the ComboFix log


then we'll have to see what's stopping BITS from working

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 drpaul88

drpaul88
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:03:55 AM

Posted 11 March 2012 - 11:18 AM

Good news...I was able to start BITS & then put to auto!!!


here"s the combo log:

ComboFix 12-03-07.05 - Paul 03/11/2012 11:56:23.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.424 [GMT -4:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
.
.
2012-03-01 18:40 . 2012-02-16 14:40 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2012-03-01 18:40 . 2012-02-16 14:40 97240 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2012-03-01 18:40 . 2012-02-16 14:40 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2012-03-01 18:40 . 2012-02-16 14:40 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-03-01 18:40 . 2012-02-16 14:40 437208 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2012-03-01 18:40 . 2012-02-16 14:40 1911768 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2012-03-01 18:40 . 2012-02-16 14:40 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2012-03-01 18:40 . 2012-02-16 10:42 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-03-01 18:40 . 2012-02-16 10:42 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-03-01 18:40 . 2012-02-16 10:42 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-03-01 18:40 . 2012-02-16 10:42 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2012-03-01 18:40 . 2012-02-16 10:42 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2012-02-29 19:55 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-29 19:55 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-29 19:35 . 2012-02-29 19:35 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-30 23:47 . 2011-12-05 17:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:53 . 2008-04-14 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-03-31 16:42 . 2011-03-31 16:42 289592 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2012-02-16 14:40 . 2012-03-01 18:40 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-08_15.22.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-11 15:45 . 2012-03-11 15:45 16384 c:\windows\Temp\Perflib_Perfdata_6f0.dat
+ 2008-04-14 12:00 . 2012-03-11 15:47 81756 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2012-03-01 08:09 81756 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2012-03-11 15:47 467176 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2012-03-01 08:09 467176 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-09 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 4616064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-04-11 413696]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgRemover"="c:\documents and settings\Paul\My Documents\Downloads\avg_remover_stf_x86_2012_1796.exe" [2012-03-11 1692968]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdAuxService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdCoreService]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Documents and Settings\\Paul\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Paul\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 8:13 AM 22992]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/23/2012 8:32 PM 263888]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [1/23/2012 8:33 PM 338880]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [1/23/2012 8:33 PM 253096]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [1/23/2012 8:32 PM 233976]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [10/17/2010 8:32 PM 20549]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 9:28 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 7:53 AM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 7:53 AM 27216]
S0 cerc6;cerc6; [x]
S0 mphdg;mphdg;c:\windows\system32\drivers\tkloge.sys --> c:\windows\system32\drivers\tkloge.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 5:15 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 5:15 PM 135664]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [1/23/2012 8:32 PM 70664]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [1/23/2012 8:32 PM 371472]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Avgldx86
*Deregistered* - Avgmfx86
*Deregistered* - avgwd
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2012-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-06 21:15]
.
2012-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-06 21:15]
.
2012-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-115176313-1417001333-1003Core.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 09:45]
.
2012-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-115176313-1417001333-1003UA.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z039&form=ZGAPHP
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Paul\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\9xf03076.default\
FF - prefs.js: browser.search.selectedEngine - google.com
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-11 12:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2584)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-03-11 12:16:12
ComboFix-quarantined-files.txt 2012-03-11 16:16
ComboFix2.txt 2012-03-08 18:06
ComboFix3.txt 2012-03-08 15:27
.
Pre-Run: 208,491,429,888 bytes free
Post-Run: 208,478,478,336 bytes free
.
- - End Of File - - F3644F294FD2C605A7EE6B94F15E475D

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:55 AM

Posted 11 March 2012 - 11:30 AM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic445589.html/page__pid__2627815#entry2627815

Collect::
c:\windows\system32\drivers\tkloge.sys

Driver::
mphdg

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


NEXT

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 drpaul88

drpaul88
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:03:55 AM

Posted 12 March 2012 - 12:28 PM

for ESET. do I need to click "delete quaratined file" before I finish?

COMBO:
ComboFix 12-03-07.05 - Paul 03/12/2012 8:11.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.396 [GMT -4:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paul\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_mphdg
.
.
((((((((((((((((((((((((( Files Created from 2012-02-12 to 2012-03-12 )))))))))))))))))))))))))))))))
.
.
2012-03-01 18:40 . 2012-02-16 14:40 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2012-03-01 18:40 . 2012-02-16 14:40 97240 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2012-03-01 18:40 . 2012-02-16 14:40 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2012-03-01 18:40 . 2012-02-16 14:40 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-03-01 18:40 . 2012-02-16 14:40 437208 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2012-03-01 18:40 . 2012-02-16 14:40 1911768 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2012-03-01 18:40 . 2012-02-16 14:40 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2012-03-01 18:40 . 2012-02-16 10:42 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-03-01 18:40 . 2012-02-16 10:42 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-03-01 18:40 . 2012-02-16 10:42 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-03-01 18:40 . 2012-02-16 10:42 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2012-03-01 18:40 . 2012-02-16 10:42 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2012-02-29 19:55 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-29 19:55 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-29 19:35 . 2012-02-29 19:35 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-30 23:47 . 2011-12-05 17:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:53 . 2008-04-14 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-03-31 16:42 . 2011-03-31 16:42 289592 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2012-02-16 14:40 . 2012-03-01 18:40 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-08_15.22.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-12 12:28 . 2012-03-12 12:28 16384 c:\windows\Temp\Perflib_Perfdata_1e4.dat
+ 2008-04-14 12:00 . 2012-03-11 15:47 81756 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2012-03-01 08:09 81756 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2012-03-11 15:47 467176 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2012-03-01 08:09 467176 c:\windows\system32\perfh009.dat
+ 2012-03-11 16:45 . 2012-03-11 16:45 341504 c:\windows\Installer\15f49f.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-09 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 4616064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-04-11 413696]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdAuxService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdCoreService]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Documents and Settings\\Paul\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Paul\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/23/2012 8:32 PM 263888]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [1/23/2012 8:33 PM 338880]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [1/23/2012 8:33 PM 253096]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [1/23/2012 8:32 PM 233976]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [10/17/2010 8:32 PM 20549]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 5:15 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 5:15 PM 135664]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [1/23/2012 8:32 PM 70664]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [1/23/2012 8:32 PM 371472]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2012-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-06 21:15]
.
2012-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-06 21:15]
.
2012-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-115176313-1417001333-1003Core.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 09:45]
.
2012-03-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-115176313-1417001333-1003UA.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z039&form=ZGAPHP
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Paul\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\9xf03076.default\
FF - prefs.js: browser.search.selectedEngine - google.com
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-12 08:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(540)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3160)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\igfxsrvc.exe
c:\xampp\mysql\bin\mysqld.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-03-12 08:33:39 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-12 12:33
ComboFix2.txt 2012-03-11 16:16
ComboFix3.txt 2012-03-08 18:06
ComboFix4.txt 2012-03-08 15:27
.
Pre-Run: 208,922,337,280 bytes free
Post-Run: 208,823,357,440 bytes free
.
- - End Of File - - 4F06198F0DAA0BFC62DD205D8D1C2471


MBAM:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.12.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Paul :: PAUL-C5D256C778 [administrator]

3/12/2012 11:18:28 AM
mbam-log-2012-03-12 (11-18-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 198419
Time elapsed: 6 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESET:
C:\Documents and Settings\Paul\My Documents\Downloads\musicnotesSuite.exe Win32/OpenCandy application


as a side note: a lot of files remain hidden from original virus(office, quickbooks, etc..) & I've tried virtually everything. SHould I just reload programs? I see all the info still on hard drive but no actual program

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:55 AM

Posted 12 March 2012 - 02:51 PM

do I need to click "delete quaratined file" before I finish?

No, I wanted to have a look first

please run unhide.exe


Please download Unhide.exe to your desktop:
  • Double-click on the Unhide.exe icon on your desktop and allow the program to run.
  • This program will remove the hidden attributes from all the files on your system.
  • Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.


ESET is alerting that this program is likely bundled with adware, if this was a torrent download then I'd delete it, if it's from a disk that you purchased, then ignore the detection
C:\Documents and Settings\Paul\My Documents\Downloads\musicnotesSuite.exe


Please let me know if Unhide.exe resolved the issue, if not, please be specific as to what is missing and describe any other issues that might be outstanding

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 drpaul88

drpaul88
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:03:55 AM

Posted 12 March 2012 - 06:25 PM

I did download a the music note program for my daughter a while back. Here is the unhide log:
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 03/12/2012 07:12:13 PM
Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 101382 files processed.

The C:\DOCUME~1\Paul\LOCALS~1\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/forums/topic405109.html

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* HideIcons policy was found and deleted!

Program finished at: 03/12/2012 07:17:49 PM
Execution time: 0 hours(s), 5 minute(s), and 35 seconds(s)

The programs (office, quickbooks, etc.) all say empty when I go to start, programs.

also get can not end process...sigmatel-IDT systray...when I try to shut down

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:55 AM

Posted 12 March 2012 - 06:44 PM

You will need to recreate the entries in All Programs manually as the malware has removed them



To manually recreate "All Programs" entries, follow these steps...

  • Download App Paths
  • Double click on AppPaths.exe to run the program.
  • Keep the program open.

In this example I'll recreate an entry for Avast antivirus program.
  • Go Start>All Programs.
  • Right click on Avast entry, click "Properties".

Posted Image
NOTE. Make sure, you right click on Avast program, NOT on Avast folder.

  • You'll see this window:

Posted Image

Due to the damage caused by the infection, you'll find "Target" box empty.

  • Go back to AppPaths window and find Avast entry.
  • Right click on Avast line, click "Edit".
  • A pop-up window will open:

Posted Image

  • Highlight everything in "Path" box, right click on it, click "Copy"
  • Go back to Avast "Properties" window, right click inside "Target" box, click "Paste".
  • IMPORTANT! Add quotation marks at the beginning of the path and at the end
  • Click OK and you're done.

Posted Image


In case, program's link shows as (empty):

Posted Image

  • Open Windows Explorer, navigate to Avast folder in Program Files
  • Right click on Avast ".exe" file, click "Create shortcut":

Posted Image

  • Copy that shortcut, go back to Start menu.
  • Right click on avast!Free Antivirus, click "Paste".
  • You'll see Avast shortcut recreated replacing (empty) entry.

Alternatively....
...you paste that shortcut in:
(XP) - C:\Documents and Settings\All Users\Start Menu\Programs\Avast
(Vista/7) - C:\Program Data\Start Menu\Programs\Avast


Let me know how that goes


export the following reg key to see what is going on with sigmatel



Go to Start > Run > copy and paste the following command into the run box > OK:

regedit /a "%userprofile%\desktop\output.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

A new file called output.txt should appear on your Desktop, please post the contents with your next response.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 drpaul88

drpaul88
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:03:55 AM

Posted 13 March 2012 - 09:41 AM

can't figure it out. I see the programs in appPaths. If I right click on an "empty" start menu program, I don't see the type of screen that you show. There are only 3 tabs & I don't see target anywhere.

I can copy the path but "paste" doesn't show up

I also don't see "create shortcut".....only the create desktop shortcut

I must be doing something wrong. I was working on Quickbooks(intuit)to try & make it NOT empty but can't figure it out, even though when I so a file/folder search, it's all there




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users