
Zero Access malware attack


21 replies to this topic

#1 MXK944

MXK944

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 22 April 2012 - 06:02 PM

Hello;

I need assistance dealing with the aftermath of a Zero Access malware attack.

Antivirus software attempted to remove the Trojan Zero Access infection. After the removal process and a reboot, the PC could not acquire an IP address and the firewall would not start because several services were not running. I isolated the problem: the AFD Network Support Environment driver was not running because the afd.sys file was missing from system32/drivers; in addition, I found the AFD registry key was missing.

I reinstalled XP SP3 after which the AFD Network Support Environment driver and firewall were running, and the PC could acquire an IP address. I found the AFD registry key was missing, so I imported the key from a similar PC. I rebooted the PC and all was well; however the next time the PC was restarted the aforementioned symptoms reappeared.

I removed the drive from the affected PC, mounted it in a known good system and scanned the drive with several antivirus / anti-malware tools. Tools such as SUPERAntiSpyware and Malwarebytes did not find any problems.

I would appreciate your collective wisdom on how to correct this annoying problem.

Thank you,
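The failure described in this post (afd.sys gone from system32\drivers and the AFD service key gone from the registry, so the Winsock driver and everything that depends on it cannot start) can be verified rather than guessed at. The PowerShell below is an added example written for this thread, not code from the original post or from BleepingComputer. It assumes an XP-era layout where a pristine copy of each driver sits in system32\dllcache, and that the service key names AFD, NetBIOS, NetBT and Tcpip (the four drivers the poster later reinstalls) are those of a stock install; the script only reads and reports.

```powershell
# Added example (not from the thread): report the state of the kernel network
# drivers whose absence produced the "no IP address, firewall will not start"
# symptom. Run from an elevated PowerShell prompt on the affected machine.
# Service key names below are assumed to match a stock XP SP3 install.

$drivers = @(
    @{ Name = 'AFD';     File = 'afd.sys' }
    @{ Name = 'NetBIOS'; File = 'netbios.sys' }
    @{ Name = 'NetBT';   File = 'netbt.sys' }
    @{ Name = 'Tcpip';   File = 'tcpip.sys' }
)

function Get-FileSha256 {
    # .NET hashing so this also works on PowerShell 2.0 (no Get-FileHash).
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $hash = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

function Test-NetworkDriver {
    param([string]$Name, [string]$File)
    $driverPath = Join-Path $env:windir "system32\drivers\$File"
    $cachePath  = Join-Path $env:windir "system32\dllcache\$File"
    $svcKey     = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"

    $result = New-Object PSObject -Property @{
        Driver       = $Name
        FilePresent  = Test-Path -LiteralPath $driverPath
        CachePresent = Test-Path -LiteralPath $cachePath
        HashMatches  = $null     # live driver vs. dllcache copy
        ServiceKey   = Test-Path -LiteralPath $svcKey
        Start        = $null     # start type recorded in the service key
        ImagePath    = $null
    }
    if ($result.FilePresent -and $result.CachePresent) {
        $result.HashMatches = (Get-FileSha256 $driverPath) -eq (Get-FileSha256 $cachePath)
    }
    if ($result.ServiceKey) {
        $props = Get-ItemProperty -LiteralPath $svcKey
        $result.Start     = $props.Start
        $result.ImagePath = $props.ImagePath
    }
    return $result
}

$report = foreach ($d in $drivers) { Test-NetworkDriver -Name $d.Name -File $d.File }
$report | Format-Table Driver, FilePresent, CachePresent, HashMatches, ServiceKey, Start, ImagePath -AutoSize
```

A row with FilePresent or ServiceKey set to False is the condition the post describes and is what has to be restored from a known-good source; HashMatches set to False means the live driver and the dllcache copy differ, so neither should be trusted until compared against a clean installation medium.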

#2 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:10:15 PM

Posted 23 April 2012 - 11:24 AM

Hello MXK944,

My name is ratman and I will be helping you with your computer problems.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:

  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.

====================================================================================

Backdoor Warning

One or more of the identified infections (ZeroAccess) is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.

====================================================================================


Please download ComboFix from the following location:
* IMPORTANT !!! Save ComboFix.exe to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on the ComboFix icon & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

====================================================================================

In your next reply, please copy/paste the contents of the following:
  • C:\Combofix.txt


How is your machine behaving now?
regards, ratman


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM




#3 MXK944

MXK944
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 23 April 2012 - 05:55 PM

Hello Ratman,

Thank you for taking up my request. Prior to receiving your reply I restored network connectivity by reinstalling the following files in the WINDOWS/SYSTEM32/DRIVER folder:
afd.sys, netbios.sys, netbt.sys and tcpip.sys

The attached text is the results from the ComboFix scan:

Please note that during the scan there were several messages regarding a rootkit infection of the TCP/IP stack.

After the scan the PC still has network connectivity

Thank you,

MXK944

ComboFix 12-04-23.02 - MXK944 04/23/2012 18:21:56.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.2731 [GMT -4:00]
Running from: c:\documents and settings\MXK944.THINKPAD\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {587F6C37-16D2-4E68-97C7-99F6DD1C038E}
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {DDFFF28D-73E8-449E-952A-0FDD49731F45}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB16334$
c:\windows\$NtUninstallKB16334$\4123445768\@
c:\windows\$NtUninstallKB16334$\4123445768\cfg.ini
c:\windows\$NtUninstallKB16334$\4123445768\Desktop.ini
c:\windows\$NtUninstallKB16334$\4123445768\L\vgzzedoi
c:\windows\$NtUninstallKB16334$\4123445768\U\00000001.@
c:\windows\$NtUninstallKB16334$\4123445768\U\00000002.@
c:\windows\$NtUninstallKB16334$\4123445768\U\00000004.@
c:\windows\$NtUninstallKB16334$\4123445768\U\80000000.@
c:\windows\$NtUninstallKB16334$\4123445768\U\80000004.@
c:\windows\$NtUninstallKB16334$\4123445768\U\80000032.@
c:\windows\$NtUninstallKB16334$\4123445768\version
c:\windows\$NtUninstallKB16334$\4162355612
c:\windows\Client.ini
c:\windows\isRS-000.tmp
c:\windows\ST6UNST.000
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\ICAutoUpdate.log
c:\windows\system32\urttemp
c:\windows\system32\urttemp\fusion.dll
c:\windows\system32\urttemp\mscoree.dll
c:\windows\system32\urttemp\mscoree.dll.local
c:\windows\system32\urttemp\mscorsn.dll
c:\windows\system32\urttemp\mscorwks.dll
c:\windows\system32\urttemp\msvcr71.dll
c:\windows\system32\urttemp\regtlib.exe
.
c:\windows\system32\drivers\afd.sys was missing
Restored copy from - c:\windows\system32\dllcache\afd.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_Updater_Service_for_StartNow_Toolbar
-------\Service_Updater Service for StartNow Toolbar
.
.
((((((((((((((((((((((((( Files Created from 2012-03-23 to 2012-04-23 )))))))))))))))))))))))))))))))
.
.
2012-04-23 10:39 . 2012-04-23 10:39 -------- d-----w- C:\Re Loudon NER_files
2012-04-23 10:36 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2012-04-23 10:05 . 2008-04-14 09:40 102912 -c----w- c:\windows\system32\dllcache\dpcdll.dll
2012-04-23 10:04 . 2006-12-29 04:31 19569 ----a-w- c:\windows\000006_.tmp
2012-04-23 09:37 . 2006-12-29 04:31 19569 ----a-w- c:\windows\000005_.tmp
2012-04-21 16:00 . 2006-12-29 04:31 19569 ----a-w- c:\windows\000004_.tmp
2012-04-21 12:48 . 2012-04-21 12:48 132243140 ----a-w- C:\CurrentControlSet_Services.reg
2012-04-21 12:45 . 2012-04-21 12:45 132243040 ----a-w- C:\Full Reg Backup.reg
2012-04-21 01:06 . 2006-12-29 04:31 19569 ----a-w- c:\windows\000003_.tmp
2012-04-20 23:55 . 2012-04-20 23:55 -------- d-----w- c:\documents and settings\MXK944.THINKPAD\Application Data\Malwarebytes
2012-04-20 23:25 . 2012-04-20 23:25 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-20 22:34 . 2006-12-29 04:31 19569 ----a-w- c:\windows\000002_.tmp
2012-04-20 21:05 . 2008-04-14 09:41 4255 ------w- c:\windows\system32\drivers\adv01nt5.dll
2012-04-19 23:52 . 2012-04-19 23:52 -------- d-----w- C:\SWTOOLS
2012-04-19 21:43 . 2012-04-19 21:43 -------- d-----w- c:\documents and settings\MXK944.THINKPAD\Application Data\Windows Search
2012-04-19 21:29 . 2008-04-14 07:00 18944 -c--a-w- c:\windows\system32\dllcache\simptcp.dll
2012-04-19 21:29 . 2008-04-14 07:00 18944 ----a-w- c:\windows\system32\simptcp.dll
2012-04-19 21:28 . 2008-04-14 07:00 22528 -c--a-w- c:\windows\system32\dllcache\lpdsvc.dll
2012-04-19 21:28 . 2008-04-14 07:00 22528 ----a-w- c:\windows\system32\lpdsvc.dll
2012-04-19 21:28 . 2008-04-14 07:00 18944 -c--a-w- c:\windows\system32\dllcache\lprmon.dll
2012-04-19 21:28 . 2008-04-14 07:00 18944 ----a-w- c:\windows\system32\lprmon.dll
2012-04-19 21:28 . 2008-04-14 07:00 35328 -c--a-w- c:\windows\system32\dllcache\iprip.dll
2012-04-19 21:28 . 2008-04-14 07:00 35328 ----a-w- c:\windows\system32\iprip.dll
2012-04-16 23:40 . 2012-04-16 23:40 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-15 20:19 . 2012-04-15 21:48 102400 ----a-w- c:\windows\RegBootClean.exe
2012-04-09 21:37 . 2012-04-09 21:37 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-31 16:50 . 2012-03-31 16:50 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2012-03-31 16:50 . 2012-03-31 16:50 -------- d-----w- c:\documents and settings\MXK944.THINKPAD\Application Data\Intel
2012-03-31 16:50 . 2012-03-31 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2012-03-31 16:50 . 2012-03-31 16:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2012-03-31 16:50 . 2012-03-31 16:50 -------- d-----w- c:\documents and settings\Administrator.RINCONNETWORKS\Application Data\Intel
2012-03-31 16:50 . 2012-03-31 16:50 -------- d-----w- c:\program files\Common Files\Intel
2012-03-31 16:43 . 2012-04-21 13:38 -------- d-----w- C:\SWSHARE
2012-03-31 16:42 . 2012-03-31 16:42 33536 ----a-w- c:\windows\system32\drivers\tvtfilter.sys
2012-03-31 16:41 . 2012-03-31 16:41 7012 ----a-w- c:\windows\system32\drivers\pmemnt.sys
2012-03-31 16:39 . 2011-09-09 14:36 81920 ----a-w- c:\windows\system32\igfxCoIn_v5355.dll
2012-03-31 16:25 . 2012-04-10 22:57 -------- d-----w- c:\documents and settings\MXK944.THINKPAD\Local Settings\Application Data\ApplicationHistory
2012-03-30 23:37 . 2012-03-30 23:37 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\IsolatedStorage
2012-03-30 21:40 . 2012-03-30 21:40 -------- d-----w- c:\documents and settings\MXK944.THINKPAD\Application Data\Helios
2012-03-30 15:28 . 2012-03-31 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Garmin
2012-03-30 15:23 . 2012-03-31 00:01 -------- d-----w- c:\documents and settings\MXK944.THINKPAD\Application Data\GARMIN
2012-03-29 22:02 . 2012-03-29 22:02 -------- d-----w- c:\documents and settings\MXK944.THINKPAD\Local Settings\Application Data\Intuit
2012-03-29 22:02 . 2012-03-29 22:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\IsolatedStorage
2012-03-29 22:02 . 2012-03-29 22:02 -------- d-----w- c:\documents and settings\MXK944.THINKPAD\Application Data\Intuit
2012-03-29 21:58 . 2012-03-29 21:58 -------- d-----w- c:\documents and settings\MXK944.THINKPAD\Local Settings\Application Data\IsolatedStorage
2012-03-29 21:58 . 2012-03-29 21:59 -------- d-----w- c:\program files\Common Files\Intuit
2012-03-29 21:58 . 2012-03-29 21:58 -------- d-----w- c:\program files\TurboTax
2012-03-29 21:57 . 2012-03-29 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2012-03-29 08:10 . 2012-03-29 08:10 -------- d-----w- c:\program files\iPod
2012-03-29 08:10 . 2012-03-29 08:11 -------- d-----w- c:\program files\iTunes
2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-09 21:37 . 2011-06-09 10:01 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01 . 2008-04-14 09:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-03-01 11:01 . 2008-04-14 09:42 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2008-04-14 09:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-02-29 14:10 . 2008-04-14 09:42 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 09:41 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2008-04-14 04:07 385024 ----a-w- c:\windows\system32\html.iec
2012-02-15 16:01 . 2012-03-10 23:41 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 16:01 . 2012-03-10 23:41 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-14 16:09 . 2012-02-14 16:09 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:22 . 2008-04-14 05:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-11 3905920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AClntUsr"="c:\program files\Altiris\AClient\AClntUsr.EXE" [2010-10-26 184320]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-01-06 513384]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-10-08 256576]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2009-11-24 93032]
"RotateImage"="c:\program files\RotateImage\RCIMGDIR.exe" [2008-10-30 31744]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-09-08 849192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2010-09-17 228136]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"LenovoAutoScrollUtility"="c:\program files\Lenovo\VIRTSCRL\virtscrl.exe" [2011-10-20 101440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-14 487424]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-09-09 136472]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-09-09 170264]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-09-09 145688]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\AMInit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2012-03-26 13:00 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2012-03-27 09:40 40376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
2009-12-11 16:19 337256 ----a-w- c:\windows\system32\TpShocks.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\altiris\\aclient\\AClntUsr.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 atiide;ATI SATA Controller IDE mode;c:\windows\system32\drivers\atiide.sys [11/2/2009 2:57 PM 3456]
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [3/16/2010 4:43 PM 24304]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/9/2009 12:10 PM 20520]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [10/31/2011 8:26 AM 13680]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 5:50 AM 46144]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [3/16/2010 4:43 PM 132456]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [4/14/2008 5:42 AM 14336]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CamMute.exe [10/31/2011 8:27 AM 50536]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [3/16/2010 4:43 PM 53248]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [3/16/2010 5:54 PM 51792]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXpflt.sys [5/22/2009 1:02 AM 262416]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreflt.sys [5/22/2009 1:00 AM 36624]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\Lenovo\HOTKEY\tphkload.exe [10/31/2011 8:26 AM 131432]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [10/29/2009 6:31 PM 142696]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 4:25 PM 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 5:50 AM 253952]
R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\RCUVCMNP.sys [3/16/2010 4:45 PM 187776]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [10/16/2009 1:59 PM 250584]
R3 NETwNx32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [10/31/2011 8:22 AM 7476864]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2/23/2009 12:31 PM 689416]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [3/16/2010 4:44 PM 23152]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 4:54 PM 37312]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\d:\mass\Software\Apps on Casper\_Server Installs\ISO Mounter\VCdRom.sys --> d:\mass\Software\Apps on Casper\_Server Installs\ISO Mounter\VCdRom.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [10/29/2009 6:31 PM 101736]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/9/2012 5:37 PM 253600]
S3 agBoot;Agilent Technologies 82357 firmware download service;c:\windows\system32\DRIVERS\agt82357.sys --> c:\windows\system32\DRIVERS\agt82357.sys [?]
S3 AltirisAgentProvider;AltirisAgentProvider;c:\program files\altiris\Altiris Agent\Agents\WMIProviderAgent\AltirisAgentProvider.exe [7/21/2010 1:07 AM 619816]
S3 ATSwpWDF;AuthenTec TruePrint USB Driver;c:\windows\system32\Drivers\ATSwpWDF.sys --> c:\windows\system32\Drivers\ATSwpWDF.sys [?]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/13/2010 5:19 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/13/2010 5:19 PM 136176]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 PlcmAEC;Polycom Communicator;c:\windows\system32\drivers\PlcmAEC.sys [3/7/2011 7:04 AM 512896]
S3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [6/10/2007 4:48 PM 110160]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
basfipm
VAIOMediaPlatform-PhotoServer-HTTP
vcommmgr
oracle%oracle_home_service%clientcache80
MSMQ
earthlinksafeconnectagent
SIODRV
aracpi
belmonitorservice
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 21:37]
.
2012-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd09a45a19adb2.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-13 21:19]
.
2012-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cd09a45a27fbce.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-13 21:19]
.
2012-04-23 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 15:54]
.
2012-04-23 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-03-16 05:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 66.189.0.100 24.159.64.23 24.247.24.53
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
DPF: {3CBA13C3-58C7-47F1-9758-D4B255A50D52} - file:///D:/data/index/ses_ocx/sessearch.ocx
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://sslvpn.mindshift.com/sre/ICSScanner.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Skype - c:\program files\Skype\Phone\Skype.exe
HKLM-Run-StartNowToolbarHelper - c:\program files\StartNow Toolbar\ToolbarHelper.exe
MSConfigStartUp-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
MSConfigStartUp-RoxWatchTray - c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
AddRemove-StartNow Toolbar - c:\program files\StartNow Toolbar\StartNowToolbarUninstall.exe
AddRemove-UIU - c:\program files\UIU\uninstallnet.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-23 18:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\aracpi]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\basfipm]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\belmonitorservice]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\earthlinksafeconnectagent]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MSMQ]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\oracle%oracle_home_service%clientcache80]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\SIODRV]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\VAIOMediaPlatform-PhotoServer-HTTP]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vcommmgr]
"ServiceDll"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(844)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2032)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Altiris\AClient\AClient.exe
c:\program files\LENOVO\HOTKEY\tposdsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\windows\system32\igfxext.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
.
**************************************************************************
.
Completion time: 2012-04-23 18:36:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-23 22:36
.
Pre-Run: 120,233,025,536 bytes free
Post-Run: 117,106,118,656 bytes free
.
- - End Of File - - FB9467333783C499161EE9B931628169

#4 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:10:15 PM

Posted 23 April 2012 - 06:21 PM

Hello MXK944,

We seem to have got the bad guys! Need to check though!

I'd like you to run a scan with aswMBR
Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

====================================================================================

I'd like you to run a scan with MBAM:

Please download Malwarebytes' Anti-Malware and save it to your desktop.

Download Link 1

Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

===================================================================================




In your next reply, please copy/paste the contents of the following:
  • aswMBR Log
  • MBAM Log

regards, ratman

a proud member of:
Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

If I have helped and you would like to show your appreciation you may Posted Image to the cause.



#5 MXK944

MXK944
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 23 April 2012 - 08:32 PM

Hello Ratman,

The following is the requested information from the utilities.

Thank you,

MXK944

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-23 19:42:56
-----------------------------
19:42:56.921 OS Version: Windows 5.1.2600 Service Pack 3
19:42:56.921 Number of processors: 2 586 0x170A
19:42:56.921 ComputerName: THINKPAD UserName:
19:42:57.593 Initialize success
19:43:24.625 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:43:24.640 Disk 0 Vendor: HITACHI_ FC2Z Size: 152627MB BusType: 3
19:43:24.656 Disk 0 MBR read successfully
19:43:24.656 Disk 0 MBR scan
19:43:24.656 Disk 0 unknown MBR code
19:43:24.671 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152624 MB offset 63
19:43:24.671 Disk 0 scanning sectors +312575760
19:43:24.765 Disk 0 scanning C:\WINDOWS\system32\drivers
19:43:41.093 Service scanning
19:43:54.843 Service TmFilter C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys **LOCKED** 32
19:43:54.953 Service TmPreFilter C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys **LOCKED** 32
19:43:57.062 Service VSApiNt C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys **LOCKED** 32
19:43:59.015 Modules scanning
19:44:05.890 Disk 0 trace - called modules:
19:44:05.921 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
19:44:05.937 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b64a030]
19:44:05.937 3 CLASSPNP.SYS[b98e8fd7] -> nt!IofCallDriver -> \Device\00000081[0x8b68a130]
19:44:05.953 5 ACPI.sys[b977f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8b666028]
19:44:05.953 Scan finished successfully
19:44:44.656 Disk 0 MBR has been saved successfully to "E:\Laptop Log Files\MBR.dat"
19:44:44.687 The log file has been saved successfully to "E:\Laptop Log Files\aswMBR.txt"


-----------------------------------------------------------------------------------------------------------------

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.23.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Mark.Keefe :: THINKPAD [administrator]

4/23/2012 7:45:27 PM
mbam-log-2012-04-23 (19-45-27).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 315190
Time elapsed: 1 hour(s), 24 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#6 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:10:15 PM

Posted 24 April 2012 - 07:31 AM

Hello MXK944,

We need to bring your Java up to date.

  • Update your Java version here:

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

====================================================================================

I'd like us to scan your machine with ESET OnlineScan
  • Right click on the following link and open ESET OnlineScan in a new window: ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


In your next reply, please copy/paste the contents of the following:
  • ESETScan


How is your machine behaving now? Do you have any issues?
regards, ratman




#7 MXK944

MXK944
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 24 April 2012 - 07:18 PM

Hello Ratman,

I believe the old version of Java was the means by which the malware infected my PC; I have updated Java to the latest version.

The ESET scan did not find any problems, attached are the results.

Thank you,

Attached Files



#8 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:10:15 PM

Posted 24 April 2012 - 07:25 PM

Hello MXK944,

Good work - your computer is clean :thumbsup:

Just a couple of housekeeping tasks now.

We need to delete ComboFix:

Please rename ComboFix.exe (right click ComboFix and select Rename) to Uninstall.exe and double click on it.

====================================================================================

Except for Malwarebytes, you can simply delete all other tools we used as they don't un-install.


Things to do to stay safe:

  • Make sure Windows Updates (including Internet Explorer) are current. Follow instructions here
  • Run Malwarebytes "Quick scan" once a week to assure safety of your computer.
  • Download and install Secunia Personal Software Inspector (PSI): The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.
  • When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.
  • Read How did I get infected?, With steps so it does not happen again!

Happy and safe surfing!


Can you reply to say whether you have any more issues or not. If not we can close this topic.
regards, ratman




#9 MXK944

MXK944
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 26 April 2012 - 05:39 AM

Hello Ratman,

There is no joy in Mudville.

The symptoms described in the original post where the PC could acquire an IP address have returned after performing a Lenovo system update. The update installed a driver for the fingerprint reader and a patch for XP system restore. After the forced reboot I saw but did not capture an error message.

I tried the following without success:

1. Remove the fingerprint reader driver and disable the device.

2. Use system restore to revert back to before the Lenovo system update. The results were negative: the system restore failed.

3. Reinstall the following network-related drivers in the WINDOWS/SYSTEM32/DRIVERS directory:
afd.sys, netbios.sys, netbt.sys and tcpip.sys
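The failure chain in the post above (afd.sys disappearing, so the Afd service and everything layered on it never starts) leaves a recognisable trail in the XP System event log: Service Control Manager 7003 "depends on the following service: Afd", Windows File Protection 64002 naming afd.sys, and PlugPlayManager 11 for Root\LEGACY_AFD. The script below is an added example, not something posted in this thread; it parses an event log export in the one-event-per-line layout used here and flags that chain, and the sample lines it runs on are constructed.

```python
"""Flag the Afd failure chain in an exported Windows XP System event log.

Added example, not from the thread. Reads the one-event-per-line layout
"Level  Date Time  Source  Event ID  Task  Message" and reports the
Afd-related events that explain a dead network stack.
"""
import re

# Constructed sample in that layout. Sources and event IDs are real
# Windows XP ones; timestamps and wording are made up except where they
# mirror the kind of lines seen in this thread.
SAMPLE_LOG = r"""
Level Date and Time Source Event ID Task Category
Information 4/25/2012 9:54:49 PM EventLog 6005 None The Event log service was started.
Error 4/25/2012 9:54:34 PM NetBT 4311 None Initialization failed because the driver device could not be created.
Information 4/25/2012 9:54:34 PM Tcpip6 3100 None The Microsoft TCP/IP version 6 driver was started.
Error 4/25/2012 9:56:50 PM Service Control Manager 7003 None The DHCP Client service depends the following service: Afd. This service might not be installed.
Error 4/25/2012 9:56:50 PM Service Control Manager 7003 None The TCP/IP NetBIOS Helper service depends on the following service: Afd. This service might not be installed.
Error 4/25/2012 9:57:08 PM Service Control Manager 7023 None The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A socket operation encountered a dead network.
Information 4/25/2012 9:58:01 PM Windows File Protection 64002 None The description for Event ID 64002 from source Windows File Protection cannot be found. c:\windows\system32\drivers\afd.sys 5.1.2600.6142
Error 4/25/2012 9:58:16 PM PlugPlayManager 11 None The device Root\LEGACY_AFD\0000 disappeared from the system without first being prepared for removal.
Information 4/25/2012 10:01:01 PM Service Control Manager 7036 None The Automatic Updates service entered the stopped state.
"""

# Source names may contain spaces, so match them lazily up to the numeric event ID.
EVENT_RE = re.compile(
    r"^(?P<level>Information|Warning|Error)\s+"
    r"(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<source>.+?)\s+(?P<event_id>\d+)\s+(?P<task>\S+)\s+(?P<message>.*)$"
)
# Windows wording is "depends on the following service"; some exports
# (including the one pasted in this thread) lose the "on", so accept both.
DEPENDS_RE = re.compile(
    r"The (?P<svc>.+?) service depends (?:on )?the following service: (?P<dep>\w+)"
)
TERMINATED_RE = re.compile(r"The (?P<svc>.+?) service terminated with the following error")


def parse_events(text):
    """Return one dict per event line; the header and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["event_id"] = int(ev["event_id"])
            events.append(ev)
    return events


def analyze_afd(events):
    """Correlate the events that together mean 'afd.sys is gone'."""
    dependents, dead_network = set(), set()
    wfp_afd, device_lost, netbt_failed = 0, False, False
    for ev in events:
        src, eid, msg = ev["source"], ev["event_id"], ev["message"]
        if src == "Service Control Manager" and eid == 7003:
            m = DEPENDS_RE.search(msg)
            if m and m.group("dep").lower() == "afd":
                dependents.add(m.group("svc"))
        elif src == "Service Control Manager" and eid == 7023 and "dead network" in msg:
            m = TERMINATED_RE.search(msg)
            if m:
                dead_network.add(m.group("svc"))   # collateral: no sockets without Afd
        elif src == "Windows File Protection" and eid == 64002 and "afd.sys" in msg.lower():
            wfp_afd += 1            # WFP reported activity on the protected afd.sys
        elif src == "PlugPlayManager" and eid == 11 and "LEGACY_AFD" in msg.upper():
            device_lost = True      # the Afd driver's device object vanished at runtime
        elif src == "NetBT" and eid == 4311:
            netbt_failed = True     # NetBT sits on top of TCP/IP and Afd
    if dependents and (wfp_afd or device_lost):
        verdict = ("afd.sys is missing or removed during boot: the Afd service "
                   "cannot start, so " + ", ".join(sorted(dependents)) + " fail")
    elif dependents:
        verdict = "Afd dependency failures without a file/device event; check the AFD service key"
    else:
        verdict = "no Afd failure chain found"
    return {
        "dependents": sorted(dependents),
        "dead_network": sorted(dead_network),
        "wfp_afd": wfp_afd,
        "afd_device_lost": device_lost,
        "netbt_init_failed": netbt_failed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = analyze_afd(parse_events(SAMPLE_LOG))
    print(report["verdict"])
    print("services that died with a dead network:", report["dead_network"])
```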

#10 MXK944

MXK944
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 26 April 2012 - 06:12 AM

Hello Ratman,

The following is the system event log, which may shed some light on what may be the problem.

Thank you

Level Date and Time Source Event ID Task Category
Information 4/25/2012 5:34:48 PM EventLog 6009 None Microsoft ® Windows ® 5.01. 2600 Service Pack 3 Multiprocessor Free.
Information 4/25/2012 5:34:48 PM EventLog 6005 None The Event log service was started.
Information 4/25/2012 5:34:28 PM redbook 10 None "The description for Event ID 10 from source redbook cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

"
Information 4/25/2012 5:34:29 PM HECI 2 None "The description for Event ID 2 from source HECI cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

"
Information 4/25/2012 5:34:33 PM NETwNx32 7036 None "The description for Event ID 7036 from source NETwNx32 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Intel® WiFi Link 5100 AGN
"
Error 4/25/2012 5:34:33 PM NetBT 4311 None "Initialization failed because the driver device could not be created. Use the string ""000000000100580000000000D71000C013010000340000C000000000000000000000000000000000"" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the Globally Unique Interface Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the MAC address nor the GUID were available, the string represents a cluster device name. "
Information 4/25/2012 5:34:33 PM Tcpip6 3100 None The Microsoft TCP/IP version 6 driver was started.
Information 4/25/2012 5:34:35 PM e1yexpress 32 None "The description for Event ID 32 from source e1yexpress cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Intel® 82567LF Gigabit Network Connection
"
Error 4/25/2012 5:35:41 PM Service Control Manager 7026 None "The following boot-start or system-start driver(s) failed to load:
tmtdi"
Information 4/25/2012 5:35:41 PM Service Control Manager 7035 None The SSDP Discovery Service service was successfully sent a start control.
Information 4/25/2012 5:35:41 PM Service Control Manager 7036 None The Network Location Awareness (NLA) service entered the running state.
Information 4/25/2012 5:35:41 PM Service Control Manager 7035 None The Network Location Awareness (NLA) service was successfully sent a start control.
Information 4/25/2012 5:35:41 PM Service Control Manager 7036 None The SSDP Discovery Service service entered the running state.
Information 4/25/2012 5:35:42 PM Service Control Manager 7035 None The Trend Micro Unauthorized Change Prevention Service service was successfully sent a start control.
Information 4/25/2012 5:35:42 PM Service Control Manager 7036 None The Trend Micro Unauthorized Change Prevention Service service entered the running state.
Information 4/25/2012 5:35:42 PM Service Control Manager 7035 None The Application Layer Gateway Service service was successfully sent a start control.
Information 4/25/2012 5:35:44 PM Service Control Manager 7036 None The Application Layer Gateway Service service entered the running state.
Information 4/25/2012 5:35:46 PM Service Control Manager 7036 None The Computer Browser service entered the stopped state.
Information 4/25/2012 5:35:55 PM Service Control Manager 7035 None The IMAPI CD-Burning COM Service service was successfully sent a start control.
Information 4/25/2012 5:35:56 PM Service Control Manager 7036 None The IMAPI CD-Burning COM Service service entered the running state.
Information 4/25/2012 5:36:01 PM Windows File Protection 64002 None "The description for Event ID 64002 from source Windows File Protection cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

c:\windows\system32\drivers\afd.sys
5.1.2600.6142
"
Information 4/25/2012 5:36:02 PM Service Control Manager 7036 None The IMAPI CD-Burning COM Service service entered the stopped state.
Information 4/25/2012 5:36:16 PM Service Control Manager 7035 None The WAM service was successfully sent a start control.
Error 4/25/2012 5:36:16 PM PlugPlayManager 11 None The device Root\LEGACY_AFD\0000 disappeared from the system without first being prepared for removal.
Information 4/25/2012 5:36:37 PM Service Control Manager 7035 None The iPod Service service was successfully sent a start control.
Information 4/25/2012 5:36:40 PM Service Control Manager 7036 None The iPod Service service entered the running state.
Information 4/25/2012 5:36:56 PM Windows File Protection 64002 None "The description for Event ID 64002 from source Windows File Protection cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

c:\windows\system32\drivers\afd.sys
5.1.2600.6142
"
Information 4/25/2012 5:38:15 PM Service Control Manager 7035 None The OfficeScan NT Proxy Service service was successfully sent a start control.
Information 4/25/2012 5:38:15 PM Service Control Manager 7036 None The OfficeScan NT Proxy Service service entered the running state.
Information 4/25/2012 5:38:39 PM Service Control Manager 7035 None The Trend Micro Unauthorized Change Prevention Service service was successfully sent a stop control.
Information 4/25/2012 5:38:40 PM Service Control Manager 7036 None The Trend Micro Unauthorized Change Prevention Service service entered the stopped state.
Information 4/25/2012 5:38:41 PM Service Control Manager 7035 None The tmcomm service was successfully sent a start control.
Information 4/25/2012 5:38:41 PM Service Control Manager 7035 None The tmevtmgr service was successfully sent a start control.
Information 4/25/2012 5:38:41 PM Service Control Manager 7035 None The tmactmon service was successfully sent a start control.
Information 4/25/2012 5:38:41 PM Service Control Manager 7036 None The Trend Micro Unauthorized Change Prevention Service service entered the running state.
Information 4/25/2012 5:38:41 PM Service Control Manager 7035 None The Trend Micro Unauthorized Change Prevention Service service was successfully sent a start control.
Information 4/25/2012 5:39:21 PM Service Control Manager 7035 None The Office Software Protection Platform service was successfully sent a start control.
Information 4/25/2012 5:39:21 PM Service Control Manager 7036 None The Office Software Protection Platform service entered the running state.
Information 4/25/2012 6:01:00 PM Service Control Manager 7035 None The Google Update Service (gupdate) service was successfully sent a start control.
Information 4/25/2012 6:01:00 PM Service Control Manager 7036 None The Google Update Service (gupdate) service entered the running state.
Information 4/25/2012 6:01:01 PM Service Control Manager 7036 None The Google Update Service (gupdate) service entered the stopped state.
Information 4/25/2012 6:23:00 PM Service Control Manager 7036 None The Adobe Flash Player Update Service service entered the running state.
Information 4/25/2012 6:23:00 PM Service Control Manager 7035 None The Adobe Flash Player Update Service service was successfully sent a start control.
Information 4/25/2012 6:23:00 PM Service Control Manager 7036 None The Adobe Flash Player Update Service service entered the stopped state.
Information 4/25/2012 7:23:00 PM Service Control Manager 7036 None The Adobe Flash Player Update Service service entered the running state.
Information 4/25/2012 7:23:00 PM Service Control Manager 7035 None The Adobe Flash Player Update Service service was successfully sent a start control.
Information 4/25/2012 7:23:00 PM Service Control Manager 7036 None The Adobe Flash Player Update Service service entered the stopped state.
Information 4/25/2012 8:23:00 PM Service Control Manager 7036 None The Adobe Flash Player Update Service service entered the running state.
Information 4/25/2012 8:23:00 PM Service Control Manager 7035 None The Adobe Flash Player Update Service service was successfully sent a start control.
Information 4/25/2012 8:23:00 PM Service Control Manager 7036 None The Adobe Flash Player Update Service service entered the stopped state.
Information 4/25/2012 9:23:00 PM Service Control Manager 7036 None The Adobe Flash Player Update Service service entered the running state.
Information 4/25/2012 9:23:00 PM Service Control Manager 7035 None The Adobe Flash Player Update Service service was successfully sent a start control.
Information 4/25/2012 9:23:00 PM Service Control Manager 7036 None The Adobe Flash Player Update Service service entered the stopped state.
Information 4/25/2012 9:50:10 PM Service Control Manager 7035 None The SWI32 service was successfully sent a start control.
Information 4/25/2012 9:50:10 PM Service Control Manager 7035 None The SWI32 service was successfully sent a start control.
Information 4/25/2012 9:50:13 PM Service Control Manager 7035 None The SWI32 service was successfully sent a start control.
Information 4/25/2012 9:51:59 PM Service Control Manager 7035 None The Windows Installer service was successfully sent a start control.
Information 4/25/2012 9:51:59 PM Service Control Manager 7036 None The Windows Installer service entered the running state.
Information 4/25/2012 9:52:42 PM Service Control Manager 7036 None The AuthenTec Fingerprint Service service entered the running state.
Information 4/25/2012 9:52:42 PM Service Control Manager 7035 None The AuthenTec Fingerprint Service service was successfully sent a start control.
Information 4/25/2012 9:52:44 PM ATService 0 None "The description for Event ID 0 from source ATService cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

AuthenTec fingerprint sensor support is now active.
"
Information 4/25/2012 9:53:30 PM Service Control Manager 7036 None The Windows Installer service entered the stopped state.
Information 4/25/2012 9:53:42 PM EventLog 6006 None The Event log service was stopped.
Information 4/25/2012 9:54:49 PM EventLog 6009 None Microsoft ® Windows ® 5.01. 2600 Service Pack 3 Multiprocessor Free.
Information 4/25/2012 9:54:49 PM EventLog 6005 None The Event log service was started.
Information 4/25/2012 9:54:51 PM Application Popup 26 None "Application popup: AtService.exe - Application Error : The exception unknown software exception (0x40000015) occurred in the application at location 0x004d8ba8.

Click on OK to terminate the program
Click on CANCEL to debug the program"
Information 4/25/2012 9:54:28 PM redbook 10 None "The description for Event ID 10 from source redbook cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

"
Information 4/25/2012 9:54:30 PM HECI 2 None "The description for Event ID 2 from source HECI cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

"
Information 4/25/2012 9:54:34 PM NETwNx32 7036 None "The description for Event ID 7036 from source NETwNx32 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Intel® WiFi Link 5100 AGN
"
Error 4/25/2012 9:54:34 PM NetBT 4311 None "Initialization failed because the driver device could not be created. Use the string ""000000000100580000000000D71000C013010000340000C000000000000000000000000000000000"" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the Globally Unique Interface Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the MAC address nor the GUID were available, the string represents a cluster device name. "
Information 4/25/2012 9:54:34 PM Tcpip6 3100 None The Microsoft TCP/IP version 6 driver was started.
Information 4/25/2012 9:54:35 PM e1yexpress 32 None "The description for Event ID 32 from source e1yexpress cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Intel® 82567LF Gigabit Network Connection
"
Error 4/25/2012 9:56:50 PM Service Control Manager 7003 None The DHCP Client service depends the following service: Afd. This service might not be installed.
Error 4/25/2012 9:56:50 PM Service Control Manager 7003 None The TCP/IP NetBIOS Helper service depends the following service: Afd. This service might not be installed.
Error 4/25/2012 9:57:02 PM Service Control Manager 7024 None The Background Intelligent Transfer Service service terminated with service-specific error 2147952450 (0x80072742).
Error 4/25/2012 9:57:07 PM Service Control Manager 7023 None "The IPSEC Services service terminated with the following error:
A socket operation encountered a dead network."
Error 4/25/2012 9:57:08 PM Service Control Manager 7003 None The Simple TCP/IP Services service depends the following service: Afd. This service might not be installed.
Error 4/25/2012 9:57:08 PM Service Control Manager 7023 None "The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
A socket operation encountered a dead network."
Error 4/25/2012 9:57:16 PM Service Control Manager 7023 None "The Automatic Updates service terminated with the following error:
A socket operation encountered a dead network."
Error 4/25/2012 9:57:22 PM Service Control Manager 7026 None "The following boot-start or system-start driver(s) failed to load:
tmtdi"
Error 4/25/2012 9:57:29 PM Service Control Manager 7034 None The AuthenTec Fingerprint Service service terminated unexpectedly. It has done this 1 time(s).
Information 4/25/2012 9:57:32 PM Service Control Manager 7035 None The IMAPI CD-Burning COM Service service was successfully sent a start control.
Information 4/25/2012 9:57:32 PM Service Control Manager 7035 None The SSDP Discovery Service service was successfully sent a start control.
Information 4/25/2012 9:57:32 PM Service Control Manager 7036 None The IMAPI CD-Burning COM Service service entered the running state.
Information 4/25/2012 9:57:32 PM Service Control Manager 7036 None The SSDP Discovery Service service entered the running state.
Information 4/25/2012 9:57:34 PM Service Control Manager 7035 None The iPod Service service was successfully sent a start control.
Error 4/25/2012 9:57:34 PM Service Control Manager 7003 None The Network Location Awareness (NLA) service depends the following service: Afd. This service might not be installed.
Information 4/25/2012 9:57:34 PM Service Control Manager 7036 None The iPod Service service entered the running state.
Information 4/25/2012 9:57:40 PM Service Control Manager 7036 None The IMAPI CD-Burning COM Service service entered the stopped state.
Information 4/25/2012 9:57:41 PM Service Control Manager 7035 None The Trend Micro Unauthorized Change Prevention Service service was successfully sent a start control.
Information 4/25/2012 9:57:41 PM Service Control Manager 7036 None The Trend Micro Unauthorized Change Prevention Service service entered the running state.
Information 4/25/2012 9:58:01 PM Windows File Protection 64002 None "The description for Event ID 64002 from source Windows File Protection cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

c:\windows\system32\drivers\afd.sys
5.1.2600.6142
"
Error 4/25/2012 9:58:10 PM Service Control Manager 7003 None The Network Location Awareness (NLA) service depends the following service: Afd. This service might not be installed.
Information 4/25/2012 10:01:01 PM Service Control Manager 7035 None The Automatic Updates service was successfully sent a start control.
Information 4/25/2012 10:01:01 PM Service Control Manager 7036 None The Automatic Updates service entered the stopped state.
Error 4/25/2012 10:01:01 PM Service Control Manager 7023 None "The Automatic Updates service terminated with the following error:
A socket operation encountered a dead network."
Error 4/25/2012 10:01:31 PM DCOM 10010 None "The description for Event ID 10010 from source DCOM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

{E60687F7-01A1-40AA-86AC-DB1CBF673334}
"
Information 4/25/2012 10:02:05 PM Service Control Manager 7035 None The Windows Installer service was successfully sent a start control.
Information 4/25/2012 10:02:05 PM Service Control Manager 7036 None The Windows Installer service entered the running state.
Information 4/25/2012 10:02:57 PM Service Control Manager 7035 None The AuthenTec Fingerprint Service service was successfully sent a start control.
Information 4/25/2012 10:02:57 PM Service Control Manager 7036 None The AuthenTec Fingerprint Service service entered the running state.
Information 4/25/2012 10:03:07 PM Service Control Manager 7035 None The Data Transfer Service service was successfully sent a stop control.
Information 4/25/2012 10:03:07 PM Service Control Manager 7036 None The Data Transfer Service service entered the stopped state.
Error 4/25/2012 10:03:07 PM Service Control Manager 7034 None The AuthenTec Fingerprint Service service terminated unexpectedly. It has done this 2 time(s).
Information 4/25/2012 10:03:25 PM Service Control Manager 7035 None The Application Management service was successfully sent a start control.
Information 4/25/2012 10:03:25 PM Service Control Manager 7036 None The Application Management service entered the running state.
Information 4/25/2012 10:03:55 PM Service Control Manager 7036 None The Windows Installer service entered the stopped state.
Information 4/25/2012 10:04:02 PM EventLog 6006 None The Event log service was stopped.
Information 4/25/2012 10:05:07 PM EventLog 6009 None Microsoft ® Windows ® 5.01. 2600 Service Pack 3 Multiprocessor Free.
Information 4/25/2012 10:05:07 PM EventLog 6005 None The Event log service was started.
Information 4/25/2012 10:04:47 PM redbook 10 None "The description for Event ID 10 from source redbook cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

"
Information 4/25/2012 10:04:48 PM HECI 2 None "The description for Event ID 2 from source HECI cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

"
Information 4/25/2012 10:04:52 PM NETwNx32 7036 None "The description for Event ID 7036 from source NETwNx32 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Intel® WiFi Link 5100 AGN
"
Error 4/25/2012 10:04:53 PM NetBT 4311 None "Initialization failed because the driver device could not be created. Use the string ""000000000100580000000000D71000C013010000340000C000000000000000000000000000000000"" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the Globally Unique Interface Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the MAC address nor the GUID were available, the string represents a cluster device name. "
Information 4/25/2012 10:04:53 PM Tcpip6 3100 None The Microsoft TCP/IP version 6 driver was started.
Information 4/25/2012 10:04:54 PM e1yexpress 32 None "The description for Event ID 32 from source e1yexpress cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Intel® 82567LF Gigabit Network Connection
"
Error 4/25/2012 10:06:54 PM Service Control Manager 7003 None The DHCP Client service depends the following service: Afd. This service might not be installed.
Error 4/25/2012 10:06:54 PM Service Control Manager 7003 None The TCP/IP NetBIOS Helper service depends the following service: Afd. This service might not be installed.
Error 4/25/2012 10:07:23 PM Service Control Manager 7024 None The Background Intelligent Transfer Service service terminated with service-specific error 2147952450 (0x80072742).
Error 4/25/2012 10:07:24 PM Service Control Manager 7023 None "The IPSEC Services service terminated with the following error:
A socket operation encountered a dead network."
Error 4/25/2012 10:07:24 PM Service Control Manager 7003 None The Simple TCP/IP Services service depends the following service: Afd. This service might not be installed.
Error 4/25/2012 10:07:24 PM Service Control Manager 7023 None "The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
A socket operation encountered a dead network."
Error 4/25/2012 10:07:34 PM Service Control Manager 7023 None "The Automatic Updates service terminated with the following error:
A socket operation encountered a dead network."
Error 4/25/2012 10:07:40 PM Service Control Manager 7026 None "The following boot-start or system-start driver(s) failed to load:
tmtdi"
Information 4/25/2012 10:07:49 PM Service Control Manager 7035 None The IMAPI CD-Burning COM Service service was successfully sent a start control.
Information 4/25/2012 10:07:49 PM Service Control Manager 7036 None The IMAPI CD-Burning COM Service service entered the running state.
Information 4/25/2012 10:07:50 PM Service Control Manager 7035 None The iPod Service service was successfully sent a start control.
Information 4/25/2012 10:07:50 PM Service Control Manager 7035 None The SSDP Discovery Service service was successfully sent a start control.
Error 4/25/2012 10:07:51 PM Service Control Manager 7003 None The Network Location Awareness (NLA) service depends the following service: Afd. This service might not be installed.
Information 4/25/2012 10:07:51 PM Service Control Manager 7036 None The iPod Service service entered the running state.
Information 4/25/2012 10:07:51 PM Service Control Manager 7036 None The SSDP Discovery Service service entered the running state.
Information 4/25/2012 10:07:56 PM Service Control Manager 7036 None The IMAPI CD-Burning COM Service service entered the stopped state.
Information 4/25/2012 10:07:59 PM Service Control Manager 7035 None The Trend Micro Unauthorized Change Prevention Service service was successfully sent a start control.
Information 4/25/2012 10:07:59 PM Service Control Manager 7036 None The Trend Micro Unauthorized Change Prevention Service service entered the running state.
Information 4/25/2012 10:08:15 PM Windows File Protection 64002 None "The description for Event ID 64002 from source Windows File Protection cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

c:\windows\system32\drivers\afd.sys
5.1.2600.6142
"
Error 4/25/2012 10:08:17 PM Service Control Manager 7003 None The Network Location Awareness (NLA) service depends the following service: Afd. This service might not be installed.
Information 4/25/2012 10:10:55 PM Service Control Manager 7035 None The Trend Micro TDI Driver service was successfully sent a start control.
Information 4/25/2012 10:23:15 PM Service Control Manager 7035 None The Adobe Flash Player Update Service service was successfully sent a start control.
Information 4/25/2012 10:23:15 PM Service Control Manager 7036 None The Adobe Flash Player Update Service service entered the running state.
Information 4/25/2012 10:23:15 PM Service Control Manager 7036 None The Adobe Flash Player Update Service service entered the stopped state.
Information 4/25/2012 10:24:59 PM EventLog 6006 None The Event log service was stopped.
Information 4/25/2012 10:26:02 PM EventLog 6009 None Microsoft ® Windows ® 5.01. 2600 Service Pack 3 Multiprocessor Free.
Information 4/25/2012 10:26:02 PM EventLog 6005 None The Event log service was started.
Information 4/25/2012 10:25:42 PM redbook 10 None "The description for Event ID 10 from source redbook cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

"
Information 4/25/2012 10:25:44 PM HECI 2 None "The description for Event ID 2 from source HECI cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

"
Information 4/25/2012 10:25:48 PM NETwNx32 7036 None "The description for Event ID 7036 from source NETwNx32 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Intel® WiFi Link 5100 AGN
"
Error 4/25/2012 10:25:48 PM NetBT 4311 None "Initialization failed because the driver device could not be created. Use the string ""000000000100580000000000D71000C013010000340000C000000000000000000000000000000000"" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the Globally Unique Interface Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the MAC address nor the GUID were available, the string represents a cluster device name. "
Information 4/25/2012 10:25:48 PM Tcpip6 3100 None The Microsoft TCP/IP version 6 driver was started.
Information 4/25/2012 10:25:49 PM e1yexpress 32 None "The description for Event ID 32 from source e1yexpress cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Intel® 82567LF Gigabit Network Connection
"
Error 4/25/2012 10:27:44 PM Service Control Manager 7001 None "The DHCP Client service depends on the AFD service which failed to start because of the following error:
A device attached to the system is not functioning."
Error 4/25/2012 10:27:44 PM Service Control Manager 7001 None "The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
A device attached to the system is not functioning."
Error 4/25/2012 10:28:18 PM Service Control Manager 7024 None The Background Intelligent Transfer Service service terminated with service-specific error 2147952450 (0x80072742).
Error 4/25/2012 10:28:20 PM Service Control Manager 7023 None "The IPSEC Services service terminated with the following error:
A socket operation encountered a dead network."
Error 4/25/2012 10:28:21 PM Service Control Manager 7001 None "The Simple TCP/IP Services service depends on the AFD service which failed to start because of the following error:
A device attached to the system is not functioning."
Error 4/25/2012 10:28:21 PM Service Control Manager 7023 None "The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
A socket operation encountered a dead network."
Error 4/25/2012 10:28:35 PM Service Control Manager 7023 None "The Automatic Updates service terminated with the following error:
A socket operation encountered a dead network."
Error 4/25/2012 10:28:40 PM Service Control Manager 7026 None "The following boot-start or system-start driver(s) failed to load:
AFD
tmtdi"
Information 4/25/2012 10:28:46 PM Service Control Manager 7035 None The IMAPI CD-Burning COM Service service was successfully sent a start control.
Information 4/25/2012 10:28:46 PM Service Control Manager 7036 None The IMAPI CD-Burning COM Service service entered the running state.
Information 4/25/2012 10:28:46 PM Service Control Manager 7035 None The SSDP Discovery Service service was successfully sent a start control.
Information 4/25/2012 10:28:47 PM Service Control Manager 7036 None The SSDP Discovery Service service entered the running state.
Information 4/25/2012 10:28:48 PM Service Control Manager 7035 None The iPod Service service was successfully sent a start control.
Error 4/25/2012 10:28:48 PM Service Control Manager 7000 None "The AFD service failed to start due to the following error:
The system cannot find the file specified."
Error 4/25/2012 10:28:48 PM Service Control Manager 7001 None "The Network Location Awareness (NLA) service depends on the AFD service which failed to start because of the following error:
The system cannot find the file specified."
Information 4/25/2012 10:28:48 PM Service Control Manager 7036 None The iPod Service service entered the running state.
Information 4/25/2012 10:28:52 PM Service Control Manager 7036 None The IMAPI CD-Burning COM Service service entered the stopped state.
Information 4/25/2012 10:29:01 PM Service Control Manager 7035 None The Trend Micro Unauthorized Change Prevention Service service was successfully sent a start control.
Information 4/25/2012 10:29:01 PM Service Control Manager 7036 None The Trend Micro Unauthorized Change Prevention Service service entered the running state.
Information 4/25/2012 10:29:04 PM Windows File Protection 64002 None "The description for Event ID 64002 from source Windows File Protection cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

c:\windows\system32\drivers\afd.sys
5.1.2600.6142
"
Error 4/25/2012 10:29:15 PM Service Control Manager 7000 None "The AFD service failed to start due to the following error:
The system cannot find the file specified."
Error 4/25/2012 10:29:15 PM Service Control Manager 7001 None "The Network Location Awareness (NLA) service depends on the AFD service which failed to start because of the following error:
The system cannot find the file specified."
Information 4/25/2012 10:29:52 PM EventLog 6006 None The Event log service was stopped.
Information 4/26/2012 3:57:00 AM EventLog 6009 None Microsoft ® Windows ® 5.01. 2600 Service Pack 3 Multiprocessor Free.
Information 4/26/2012 3:57:00 AM EventLog 6005 None The Event log service was started.
Information 4/26/2012 3:56:40 AM redbook 10 None "The description for Event ID 10 from source redbook cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

"
Information 4/26/2012 3:56:41 AM HECI 2 None "The description for Event ID 2 from source HECI cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

"
Information 4/26/2012 3:56:46 AM NETwNx32 7036 None "The description for Event ID 7036 from source NETwNx32 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Intel® WiFi Link 5100 AGN
"
Error 4/26/2012 3:56:46 AM NetBT 4311 None "Initialization failed because the driver device could not be created. Use the string ""000000000100580000000000D71000C013010000340000C000000000000000000000000000000000"" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the Globally Unique Interface Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the MAC address nor the GUID were available, the string represents a cluster device name. "
Information 4/26/2012 3:56:46 AM Tcpip6 3100 None The Microsoft TCP/IP version 6 driver was started.
Information 4/26/2012 3:56:47 AM e1yexpress 32 None "The description for Event ID 32 from source e1yexpress cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Intel® 82567LF Gigabit Network Connection
"
Error 4/26/2012 3:59:17 AM Service Control Manager 7003 None The DHCP Client service depends the following service: Afd. This service might not be installed.
Error 4/26/2012 3:59:17 AM Service Control Manager 7003 None The TCP/IP NetBIOS Helper service depends the following service: Afd. This service might not be installed.
Error 4/26/2012 3:59:18 AM Service Control Manager 7023 None "The IPSEC Services service terminated with the following error:
A socket operation encountered a dead network."
Error 4/26/2012 3:59:18 AM Service Control Manager 7003 None The Simple TCP/IP Services service depends the following service: Afd. This service might not be installed.
Error 4/26/2012 3:59:19 AM Service Control Manager 7023 None "The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
A socket operation encountered a dead network."
Error 4/26/2012 3:59:32 AM Service Control Manager 7023 None "The Automatic Updates service terminated with the following error:
A socket operation encountered a dead network."
Error 4/26/2012 3:59:41 AM Service Control Manager 7026 None "The following boot-start or system-start driver(s) failed to load:
tmtdi"
Information 4/26/2012 3:59:43 AM Service Control Manager 7035 None The Trend Micro Unauthorized Change Prevention Service service was successfully sent a start control.
Information 4/26/2012 3:59:43 AM Service Control Manager 7036 None The Trend Micro Unauthorized Change Prevention Service service entered the running state.
Information 4/26/2012 3:59:56 AM Windows File Protection 64002 None "The description for Event ID 64002 from source Windows File Protection cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

c:\windows\system32\drivers\afd.sys
5.1.2600.6142
"
Information 4/26/2012 4:01:00 AM Service Control Manager 7035 None The Google Update Service (gupdate) service was successfully sent a start control.
Information 4/26/2012 4:01:00 AM Service Control Manager 7036 None The Google Update Service (gupdate) service entered the running state.
Information 4/26/2012 4:01:11 AM Service Control Manager 7036 None The Google Update Service (gupdate) service entered the stopped state.
Information 4/26/2012 4:02:30 AM Service Control Manager 7035 None The IMAPI CD-Burning COM Service service was successfully sent a start control.
Information 4/26/2012 4:02:30 AM Service Control Manager 7036 None The IMAPI CD-Burning COM Service service entered the running state.
Information 4/26/2012 4:02:30 AM Service Control Manager 7035 None The SSDP Discovery Service service was successfully sent a start control.
Information 4/26/2012 4:02:30 AM Service Control Manager 7036 None The SSDP Discovery Service service entered the running state.
Error 4/26/2012 4:02:32 AM Service Control Manager 7003 None The Network Location Awareness (NLA) service depends the following service: Afd. This service might not be installed.
Information 4/26/2012 4:02:36 AM Service Control Manager 7036 None The IMAPI CD-Burning COM Service service entered the stopped state.
Information 4/26/2012 4:02:39 AM Service Control Manager 7035 None The iPod Service service was successfully sent a start control.
Information 4/26/2012 4:02:39 AM Service Control Manager 7036 None The iPod Service service entered the running state.
Information 4/26/2012 4:02:40 AM Windows File Protection 64002 None "The description for Event ID 64002 from source Windows File Protection cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

c:\windows\system32\drivers\afd.sys
5.1.2600.6142
"
Error 4/26/2012 4:02:55 AM Service Control Manager 7003 None The Network Location Awareness (NLA) service depends the following service: Afd. This service might not be installed.
Error 4/26/2012 4:03:30 AM Service Control Manager 7003 None The Network Location Awareness (NLA) service depends the following service: Afd. This service might not be installed.
Information 4/26/2012 4:04:58 AM EventLog 6006 None The Event log service was stopped.
Information 4/26/2012 4:06:59 AM EventLog 6009 None Microsoft ® Windows ® 5.01. 2600 Service Pack 3 Multiprocessor Free.
Information 4/26/2012 4:06:59 AM EventLog 6005 None The Event log service was started.
Information 4/26/2012 4:06:39 AM redbook 10 None "The description for Event ID 10 from source redbook cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

"
Information 4/26/2012 4:06:40 AM HECI 2 None "The description for Event ID 2 from source HECI cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

"
Information 4/26/2012 4:06:44 AM NETwNx32 7036 None "The description for Event ID 7036 from source NETwNx32 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Intel® WiFi Link 5100 AGN
"
Error 4/26/2012 4:06:45 AM NetBT 4311 None "Initialization failed because the driver device could not be created. Use the string ""000000000100580000000000D71000C013010000340000C000000000000000000000000000000000"" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the Globally Unique Interface Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the MAC address nor the GUID were available, the string represents a cluster device name. "
Information 4/26/2012 4:06:45 AM Tcpip6 3100 None The Microsoft TCP/IP version 6 driver was started.
Information 4/26/2012 4:06:46 AM e1yexpress 32 None "The description for Event ID 32 from source e1yexpress cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Intel® 82567LF Gigabit Network Connection
"
Error 4/26/2012 4:08:42 AM Service Control Manager 7003 None The DHCP Client service depends the following service: Afd. This service might not be installed.
Error 4/26/2012 4:08:42 AM Service Control Manager 7003 None The TCP/IP NetBIOS Helper service depends the following service: Afd. This service might not be installed.
Error 4/26/2012 4:09:15 AM Service Control Manager 7024 None The Background Intelligent Transfer Service service terminated with service-specific error 2147952450 (0x80072742).
Error 4/26/2012 4:09:16 AM Service Control Manager 7023 None "The IPSEC Services service terminated with the following error:
A socket operation encountered a dead network."
Error 4/26/2012 4:09:16 AM Service Control Manager 7003 None The Simple TCP/IP Services service depends the following service: Afd. This service might not be installed.
Error 4/26/2012 4:09:17 AM Service Control Manager 7023 None "The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
A socket operation encountered a dead network."
Error 4/26/2012 4:09:34 AM Service Control Manager 7023 None "The Automatic Updates service terminated with the following error:
A socket operation encountered a dead network."
Error 4/26/2012 4:09:45 AM Service Control Manager 7026 None "The following boot-start or system-start driver(s) failed to load:
tmtdi"
Information 4/26/2012 4:09:47 AM SRService 111 None "The description for Event ID 111 from source SRService cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Installed Java™ 6 Update 31
"
Information 4/26/2012 4:09:49 AM Service Control Manager 7035 None The Trend Micro Unauthorized Change Prevention Service service was successfully sent a start control.
Information 4/26/2012 4:09:49 AM Service Control Manager 7036 None The Trend Micro Unauthorized Change Prevention Service service entered the running state.
Information 4/26/2012 4:10:04 AM Windows File Protection 64002 None "The description for Event ID 64002 from source Windows File Protection cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

c:\windows\system32\drivers\afd.sys
5.1.2600.6142
"
Information 4/26/2012 4:10:20 AM Service Control Manager 7035 None The IMAPI CD-Burning COM Service service was successfully sent a start control.
Information 4/26/2012 4:10:20 AM Service Control Manager 7036 None The IMAPI CD-Burning COM Service service entered the running state.
Information 4/26/2012 4:10:22 AM Service Control Manager 7035 None The SSDP Discovery Service service was successfully sent a start control.
Information 4/26/2012 4:10:22 AM Service Control Manager 7036 None The SSDP Discovery Service service entered the running state.
Error 4/26/2012 4:10:26 AM Service Control Manager 7003 None The Network Location Awareness (NLA) service depends the following service: Afd. This service might not be installed.
Information 4/26/2012 4:10:27 AM Service Control Manager 7036 None The IMAPI CD-Burning COM Service service entered the stopped state.
Information 4/26/2012 4:10:45 AM Windows File Protection 64002 None "The description for Event ID 64002 from source Windows File Protection cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

c:\windows\system32\drivers\afd.sys
5.1.2600.6142
"
Information 4/26/2012 4:10:45 AM Service Control Manager 7035 None The iPod Service service was successfully sent a start control.
Information 4/26/2012 4:10:45 AM Service Control Manager 7036 None The iPod Service service entered the running state.
Error 4/26/2012 4:11:21 AM Service Control Manager 7003 None The Network Location Awareness (NLA) service depends the following service: Afd. This service might not be installed.
Error 4/26/2012 4:11:22 AM Service Control Manager 7003 None The Network Location Awareness (NLA) service depends the following service: Afd. This service might not be installed.
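Reading a dump like the one above by hand is slow, so here is an added example (not a tool used in this thread): a Python parser for this Event Viewer export format that rejoins the multi-line quoted messages and tallies the AFD symptoms the dump shows (7003/7001 dependency failures, 7000 start failures, 7026 driver-load failures, WFP 64002 restores of afd.sys). The sample lines are constructed from the posted log, and the reading in diagnosis() is an inference from the thread, not something a poster states.

```python
"""Triage helper for a Windows XP Event Viewer text export like the dump above.
Added example for this thread, not a tool used in it.  Event IDs, sources and
message wording come from the posted log; SAMPLE_EXPORT is constructed from it."""
import re
from dataclasses import dataclass, field
from typing import List

# Export columns: Level Date Time Source EventID Category Message.  The source
# may contain spaces, so match it lazily up to the numeric event ID.
HEADER = re.compile(
    r'^(Information|Warning|Error)\s+(\d{1,2}/\d{1,2}/\d{4})\s+'
    r'(\d{1,2}:\d{2}:\d{2} [AP]M)\s+(.+?)\s+(\d+)\s+(\S+)\s+(.*)$')

@dataclass
class Event:
    level: str
    when: str
    source: str
    event_id: int
    message: str

def _closes_quote(buf: str) -> bool:
    # "" inside a quoted message is an escaped quote; an odd trailing run closes it.
    s = buf.rstrip()
    return (len(s) - len(s.rstrip('"'))) % 2 == 1

def parse_export(text: str) -> List[Event]:
    """Parse the export, joining multi-line quoted messages back together."""
    events, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if not m:
            i += 1                      # blank or stray line outside a message
            continue
        level, date, time, source, eid, _category, msg = m.groups()
        if msg.startswith('"'):
            buf = msg[1:]
            while not _closes_quote(buf) and i + 1 < len(lines):
                i += 1
                buf += '\n' + lines[i]
            msg = buf.rstrip()
            msg = (msg[:-1] if msg.endswith('"') else msg).replace('""', '"').strip()
        events.append(Event(level, f'{date} {time}', source, int(eid), msg))
        i += 1
    return events

@dataclass
class AfdFindings:
    dependency_failures: List[str] = field(default_factory=list)  # 7001/7003 naming Afd
    afd_start_failures: List[str] = field(default_factory=list)   # 7000 error text
    afd_driver_load_failures: int = 0                             # 7026 listing AFD
    wfp_restores: int = 0                                         # WFP 64002 for afd.sys

def analyse_afd(events: List[Event]) -> AfdFindings:
    """Collect every symptom of a missing AFD service/driver from the events."""
    f = AfdFindings()
    for e in events:
        if e.source == 'Service Control Manager':
            if e.event_id in (7001, 7003) and re.search(r'\bAfd\b', e.message, re.I):
                m = re.match(r'The (.+?) service depends', e.message)
                f.dependency_failures.append(m.group(1) if m else e.message)
            elif e.event_id == 7000 and e.message.startswith('The AFD service'):
                f.afd_start_failures.append(e.message.split('\n', 1)[-1].strip())
            elif e.event_id == 7026 and re.search(r'^AFD$', e.message, re.M):
                f.afd_driver_load_failures += 1
        elif (e.source == 'Windows File Protection' and e.event_id == 64002
              and 'afd.sys' in e.message.lower()):
            f.wfp_restores += 1
    return f

def diagnosis(f: AfdFindings) -> str:
    """Inference from the thread: if WFP keeps restoring afd.sys while services still
    cannot find Afd, the file is not the missing piece; look at the AFD service key."""
    missing = f.dependency_failures or f.afd_start_failures or f.afd_driver_load_failures
    if missing and f.wfp_restores:
        return 'afd-missing-file-restored'
    if missing:
        return 'afd-missing'
    return 'ok'

# Constructed sample modelled on one boot in the posted dump (NetBT string shortened).
SAMPLE_EXPORT = '''\
Information 4/25/2012 10:26:02 PM EventLog 6009 None Microsoft ® Windows ® 5.01. 2600 Service Pack 3 Multiprocessor Free.
Error 4/25/2012 10:27:44 PM Service Control Manager 7001 None "The DHCP Client service depends on the AFD service which failed to start because of the following error:
A device attached to the system is not functioning."
Error 4/25/2012 10:28:21 PM Service Control Manager 7003 None The Simple TCP/IP Services service depends the following service: Afd. This service might not be installed.
Error 4/25/2012 10:28:40 PM Service Control Manager 7026 None "The following boot-start or system-start driver(s) failed to load:
AFD
tmtdi"
Error 4/25/2012 10:28:48 PM Service Control Manager 7000 None "The AFD service failed to start due to the following error:
The system cannot find the file specified."
Information 4/25/2012 10:29:04 PM Windows File Protection 64002 None "The description for Event ID 64002 from source Windows File Protection cannot be found.
The following information was included with the event:
c:\\windows\\system32\\drivers\\afd.sys
5.1.2600.6142
"
Error 4/25/2012 10:25:48 PM NetBT 4311 None "Initialization failed because the driver device could not be created. Use the string ""0000"" to identify the interface for which initialization failed. "
'''

if __name__ == '__main__':
    print(diagnosis(analyse_afd(parse_export(SAMPLE_EXPORT))))
```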

#11 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland
  • Local time:10:15 PM

Posted 26 April 2012 - 07:28 AM

Hello MXK944,

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.

In your next reply, please copy/paste the contents of the following:
  • FSS.txt

regards, ratman




#12 MXK944

MXK944
  • Topic Starter

  • Members
  • 12 posts
  • Local time:04:15 PM

Posted 26 April 2012 - 04:21 PM

Hello Ratman,

The following are the results from the FSS scan.

Thank you,

Farbar Service Scanner Version: 16-04-2012
Ran by MXK944 (administrator) on 26-04-2012 at 17:10:38
Running from "C:\temp\PC Tools"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.
Checking LEGACY_afd: Attention! Unable to open LEGACY_afd\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) Tcpip6(8)
0x080000000500000001000000020000000300000004000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****
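For readers working through the log above, the following PowerShell re-creates the checks FSS reported (service key present, Start value, ImagePath and ServiceDll resolvable on disk, LEGACY_<name> enum key) for the exact services and driver named in it. It is an added example written for this page, not the thread's or FSS's own code; the registry paths are the standard Windows service and PnP enumeration locations, and the script only reads and reports.

```powershell
# Added example for this thread, not FSS's or the forum's code. Read-only: it reports
# the same things the FSS log above does and changes nothing.
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$EnumRoot     = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$StartNames   = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

function Resolve-ImagePath([string]$ImagePath) {
    # Drivers use kernel-style prefixes (\SystemRoot\..., \??\C:\...); svchost-hosted
    # services carry "-k <group>" arguments. Normalise both to a plain file path.
    $p = $ImagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
    $p = [Environment]::ExpandEnvironmentVariables($p)
    $p = ($p -split ' -k ')[0].Trim('"')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # e.g. system32\drivers\afd.sys
    return $p
}

function Test-ServiceConfig([string]$Name) {
    $key = Join-Path $ServicesRoot $Name
    if (-not (Test-Path $key)) {
        Write-Output "$Name : Attention! Service key does not exist."   # what FSS showed for afd
        return
    }
    $svc = Get-ItemProperty $key
    if ($null -eq $svc.Start) { Write-Output "$Name : Attention! No Start value." }
    else { Write-Output ("{0} : Start = {1} ({2})" -f $Name, $svc.Start, $StartNames[[int]$svc.Start]) }
    if ($svc.ImagePath) {
        $file  = Resolve-ImagePath $svc.ImagePath
        $state = if (Test-Path $file) { 'present' } else { 'MISSING' }
        Write-Output "$Name : ImagePath -> $file ($state)"
    } else { Write-Output "$Name : Attention! No ImagePath value." }
    # svchost-hosted services keep their real code in Parameters\ServiceDll; check that file too.
    $params = Get-ItemProperty (Join-Path $key 'Parameters') -ErrorAction SilentlyContinue
    if ($params -and $params.ServiceDll) {
        $dll   = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        $state = if (Test-Path $dll) { 'present' } else { 'MISSING' }
        Write-Output "$Name : ServiceDll -> $dll ($state)"
    }
    # The PnP manager records each legacy driver/service it has started under
    # Enum\Root\LEGACY_<NAME>\0000; FSS flagged this key as missing for afd as well.
    $legacy = Join-Path $EnumRoot ("LEGACY_" + $Name.ToUpper() + "\0000")
    if (-not (Test-Path $legacy)) { Write-Output "$Name : Attention! $legacy does not exist." }
}

# The services and driver FSS reported on in this thread.
foreach ($s in 'AFD', 'Dhcp', 'SharedAccess', 'wuauserv', 'BITS') { Test-ServiceConfig $s }
```

Run it from an administrator prompt; a missing AFD key or LEGACY_AFD\0000 key with afd.sys still present on disk is the same picture the FSS log above shows.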

#13 ratman

    Bleepin' gnawing at it!

  • Malware Response Team
  • 1,799 posts
  • Location:Scotland

Posted 27 April 2012 - 08:39 AM

Hi MXK944,

I'd like you to run ComboFix again:

Please download ComboFix from the following location: * IMPORTANT !!! Save ComboFix.exe to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on the Combofix icon & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

====================================================================================

We need to create an OTL Report
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

====================================================================================


In your next reply, please copy/paste the contents of the following:
  • C:\Combofix.txt
  • OTL.txt
  • Extra.txt

regards, ratman




#14 MXK944
  • Topic Starter
  • Members
  • 12 posts

Posted 27 April 2012 - 06:00 PM

Hello Ratman,

At the conclusion of the ComboFix run (after reboot) the network connectivity was restored. The attached files are the results from the scans.

Please note that in the Device Manager / Non-Plug and Play Drivers there are two exceptions:

catchme
Trend Micro TDI Driver

Thank you,

MXK944




#15 ratman

    Bleepin' gnawing at it!

  • Malware Response Team
  • 1,799 posts
  • Location:Scotland

Posted 28 April 2012 - 07:40 AM

Hi MXK944,

I want you to run TDSSKiller:

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe from Kaspersky's website and not TDSSKiller.zip.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

===================================================================================

Please run another scan with Malwarebytes (ensuring virus definitions are up to date) and copy/paste (please don't attach) the contents of its log in your next reply.

====================================================================================


In your next reply, please copy/paste the contents of the following:
  • TDSSKiller Log
  • MBAM.Log

regards, ratman






