Using Rkill to help get rid of Security Shield and rkill is automatically being terminated


15 replies to this topic

#1 sacsr

sacsr

  • Members
  • 45 posts

Posted 17 July 2012 - 12:20 PM

It says it may be due to being in safe mode; there may be something that needs to be changed.

I noticed earlier when I went into Tools > Options > Connections that the box was not checked to begin with (I was expecting it to be checked, since that was the first step in the process listed to get rid of Security Shield), so I just closed the window back up.

I had to use another computer to download rkill. When iexplore did not work, I chose another one; it too was terminated, and so I am not sure where to go from here.


#2 akaUriel

akaUriel

  • Members
  • 10 posts

Posted 17 July 2012 - 01:57 PM

You can try some of the renamed options here.

If none of those work, try installing MBAM as the next step in the guide asks.
Typically, you remove the malicious processes with RKill so that you can install an AV.
So if you're able to get MBAM up and running, you should have a good shot of getting it removed via the rest of the guide.

Edited by akaUriel, 17 July 2012 - 01:58 PM.


#3 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 17 July 2012 - 08:58 PM

Boot into Safe Mode with Networking.

Download TDSSKiller.

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan". Please post the LOG report (the log file should be in your C drive).

Download aswMBR.

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here.

Download ESET online scanner.

Install it.

Click on START; it should download the virus definitions.
When the scan gets completed, click on LIST of found threats.

Export the list to desktop and copy the contents of the text file in your reply.

#4 sacsr

sacsr
  • Topic Starter

  • Members
  • 45 posts

Posted 17 July 2012 - 09:33 PM

The computer is my friend's. Thanks, I will try it in the morning when I see him and post what I find.

Thanks!

#5 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 17 July 2012 - 09:34 PM

:thumbup2:

#6 sacsr

sacsr
  • Topic Starter

  • Members
  • 45 posts

Posted 18 July 2012 - 10:10 AM

Could not get the TDSSKiller log to cut and paste, but it said there were no issues.


Here is the aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-18 09:56:13
-----------------------------
09:56:13.746 OS Version: Windows 5.1.2600 Service Pack 3
09:56:13.746 Number of processors: 2 586 0x170A
09:56:13.746 ComputerName: DELL-380 UserName: larry
09:56:17.996 Initialize success
10:02:27.949 AVAST engine defs: 12071800
10:03:00.246 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
10:03:00.246 Disk 0 Vendor: ST3250318AS CC45 Size: 238418MB BusType: 3
10:03:00.277 Disk 0 MBR read successfully
10:03:00.293 Disk 0 MBR scan
10:03:00.340 Disk 0 Windows VISTA default MBR code
10:03:00.355 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
10:03:00.371 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238377 MB offset 81920
10:03:00.386 Disk 0 scanning sectors +488279202
10:03:00.465 Disk 0 scanning C:\WINDOWS\system32\drivers
10:03:06.746 Service scanning
10:03:24.761 Modules scanning
10:03:28.308 Disk 0 trace - called modules:
10:03:28.308 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
10:03:28.308 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a154ab8]
10:03:28.308 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a143b00]
10:03:30.480 AVAST engine scan C:\WINDOWS
10:03:40.480 AVAST engine scan C:\WINDOWS\system32
10:04:53.840 File: C:\WINDOWS\assembly\GAC\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
10:05:31.699 AVAST engine scan C:\WINDOWS\system32\drivers
10:05:43.168 AVAST engine scan C:\Documents and Settings\larry
10:07:20.996 File: C:\Documents and Settings\larry\Local Settings\Application Data\phthpuwf.exe **INFECTED** Win32:Winwebsec-B [Trj]
10:10:53.590 AVAST engine scan C:\Documents and Settings\All Users
10:11:11.699 Scan finished successfully
10:33:42.011 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\larry\Desktop\MBR.dat"
10:33:42.027 The log file has been saved successfully to "C:\Documents and Settings\larry\Desktop\aswMBR.txt"

Here is the ESET log:

C:\Documents and Settings\larry\Local Settings\Application Data\phthpuwf.exe Win32/Adware.SecurityShield.D application cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP522\A0041852.exe Win32/Adware.SecurityShield.D application cleaned by deleting - quarantined
C:\WINDOWS\Installer\{96726d9c-7c7f-47a5-7366-505951d37772}\U\80000032.@ a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\WINDOWS\temp\L.class a variant of Java/Agent.EQ trojan cleaned by deleting - quarantined

Edited by sacsr, 18 July 2012 - 10:10 AM.


#7 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 18 July 2012 - 02:53 PM

http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

Install, update and run a full scan.

Click on SHOW results. Select all infections and remove them.

Reboot the PC and scan with MBAM once in regular mode until you get a clean log.

Download mini toolbox.

Checkmark the following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size

Click Go and post the result.

Download FSS.

Checkmark all the boxes.

Click on "Scan".
Please copy and paste the log to your reply.

#8 sacsr

sacsr
  • Topic Starter

  • Members
  • 45 posts

Posted 19 July 2012 - 11:49 AM

MiniToolBox by Farbar Version: 15-07-2012
Ran by larry (administrator) on 19-07-2012 at 12:44:24
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Broadcom NetLink ™ Gigabit Ethernet = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : Dell-380
Primary Dns Suffix . . . . . . . : Hackney.internal
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Hackney.internal

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetLink ™ Gigabit Ethernet
Physical Address. . . . . . . . . : B8-AC-6F-21-3D-2E
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.176
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.11
216.165.129.158
Lease Obtained. . . . . . . . . . : Thursday, July 19, 2012 12:35:47 PM
Lease Expires . . . . . . . . . . : Thursday, July 19, 2012 2:35:47 PM

Server: ns7.dns.tds.net
Address: 216.165.129.158

Name: google.com
Addresses: 173.194.37.65, 173.194.37.66, 173.194.37.67, 173.194.37.68
173.194.37.69, 173.194.37.70, 173.194.37.71, 173.194.37.72, 173.194.37.73
173.194.37.78, 173.194.37.64

Pinging google.com [173.194.37.66] with 32 bytes of data:

Reply from 173.194.37.66: bytes=32 time=22ms TTL=56
Reply from 173.194.37.66: bytes=32 time=22ms TTL=56

Ping statistics for 173.194.37.66:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 22ms, Average = 22ms

Server: ns7.dns.tds.net
Address: 216.165.129.158

Name: yahoo.com
Addresses: 209.191.122.70, 72.30.38.140, 98.139.183.24

Pinging yahoo.com [72.30.38.140] with 32 bytes of data:

Reply from 72.30.38.140: bytes=32 time=97ms TTL=56
Reply from 72.30.38.140: bytes=32 time=147ms TTL=56

Ping statistics for 72.30.38.140:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 97ms, Maximum = 147ms, Average = 122ms

Server: ns7.dns.tds.net
Address: 216.165.129.158

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...b8 ac 6f 21 3d 2e ...... Broadcom NetLink ™ Gigabit Ethernet - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.176 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.176 192.168.1.176 20
192.168.1.176 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.176 192.168.1.176 20
224.0.0.0 240.0.0.0 192.168.1.176 192.168.1.176 20
255.255.255.255 255.255.255.255 192.168.1.176 192.168.1.176 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Catalog5 02 U:\Windows\System32\winrnr.dll [File Not found] ()
Catalog5 03 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/19/2012 07:36:35 AM) (Source: Desktop) (User: )
Description: [ExtensionManager::_handle_work]. [WI_CONNECTION_UPDATE] get_device failed. f

Error: (07/19/2012 07:36:34 AM) (Source: Desktop) (User: )
Description: [ExtensionManager::initialize_extension]. legacy extension initialize failed. WebLink

Error: (07/18/2012 06:33:12 PM) (Source: Microsoft Security Client) (User: )
Description: mssecurityclientmsseces.exe4.0.1526.00x80070424startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL

Error: (07/18/2012 06:32:41 PM) (Source: Desktop) (User: )
Description: Stop Worker Threads

Error: (07/18/2012 06:31:50 PM) (Source: Desktop) (User: )
Description: [ExtensionManager::_handle_work]. [WI_CONNECTION_UPDATE] get_device failed. f

Error: (07/18/2012 06:31:50 PM) (Source: Desktop) (User: )
Description: [ExtensionManager::initialize_extension]. legacy extension initialize failed. WebLink

Error: (07/18/2012 05:02:57 PM) (Source: Desktop) (User: )
Description: Stop Worker Threads

Error: (07/18/2012 05:00:40 PM) (Source: Desktop) (User: )
Description: [ExtensionManager::_handle_work]. [WI_CONNECTION_UPDATE] get_device failed. f

Error: (07/18/2012 05:00:39 PM) (Source: Desktop) (User: )
Description: [ExtensionManager::initialize_extension]. legacy extension initialize failed. WebLink

Error: (07/18/2012 07:54:51 AM) (Source: Desktop) (User: )
Description: [ExtensionManager::_handle_work]. [WI_CONNECTION_UPDATE] get_device failed. f


System errors:
=============
Error: (07/19/2012 07:37:30 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
PBADRV

Error: (07/19/2012 07:37:30 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (07/19/2012 07:37:30 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.

Error: (07/18/2012 06:32:44 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
PBADRV
PCIIde

Error: (07/18/2012 06:32:44 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (07/18/2012 06:32:44 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.

Error: (07/18/2012 06:31:17 PM) (Source: 0) (User: )
Description: 0xC0000001HarddiskVolume2

Error: (07/18/2012 04:59:20 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
PBADRV
PCIIde

Error: (07/18/2012 04:59:20 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (07/18/2012 04:59:20 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.


Microsoft Office Sessions:
=========================
Error: (07/19/2012 07:36:35 AM) (Source: Desktop)(User: )
Description: [ExtensionManager::_handle_work]. [WI_CONNECTION_UPDATE] get_device failed. f

Error: (07/19/2012 07:36:34 AM) (Source: Desktop)(User: )
Description: [ExtensionManager::initialize_extension]. legacy extension initialize failed. WebLink

Error: (07/18/2012 06:33:12 PM) (Source: Microsoft Security Client)(User: )
Description: mssecurityclientmsseces.exe4.0.1526.00x80070424startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL

Error: (07/18/2012 06:32:41 PM) (Source: Desktop)(User: )
Description: Stop Worker Threads

Error: (07/18/2012 06:31:50 PM) (Source: Desktop)(User: )
Description: [ExtensionManager::_handle_work]. [WI_CONNECTION_UPDATE] get_device failed. f

Error: (07/18/2012 06:31:50 PM) (Source: Desktop)(User: )
Description: [ExtensionManager::initialize_extension]. legacy extension initialize failed. WebLink

Error: (07/18/2012 05:02:57 PM) (Source: Desktop)(User: )
Description: Stop Worker Threads

Error: (07/18/2012 05:00:40 PM) (Source: Desktop)(User: )
Description: [ExtensionManager::_handle_work]. [WI_CONNECTION_UPDATE] get_device failed. f

Error: (07/18/2012 05:00:39 PM) (Source: Desktop)(User: )
Description: [ExtensionManager::initialize_extension]. legacy extension initialize failed. WebLink

Error: (07/18/2012 07:54:51 AM) (Source: Desktop)(User: )
Description: [ExtensionManager::_handle_work]. [WI_CONNECTION_UPDATE] get_device failed. f


=========================== Installed Programs ============================

Adobe Flash Player 10 Plugin (Version: 10.0.45.2)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
Adobe Reader 9.3.3 (Version: 9.3.3)
ArcadeCandy (Version: ac 1.24.366)
BioAPI Framework (Version: 1.0.1)
BlackBerry Desktop Software 4.5 (Version: 4.5.0.15)
Broadcom NetXtreme-I Netlink Driver and Management Installer (Version: 12.25.02)
CCleaner (Version: 3.05)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
ESET Online Scanner v3
Google Chrome (Version: 20.0.1132.57)
Google Earth (Version: 6.1.0.5001)
Google Update Helper (Version: 1.3.21.115)
Intel® Graphics Media Accelerator Driver
Java Auto Updater (Version: 2.0.2.1)
Java™ 6 Update 20 (Version: 6.0.200)
LiveUpdate 2.6 (Symantec Corporation) (Version: 2.6.18.0)
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Office Standard Edition 2003 (Version: 11.0.8173.0)
Microsoft Security Client (Version: 4.0.1526.0)
Microsoft Security Essentials (Version: 4.0.1526.0)
Microsoft Silverlight (Version: 4.1.10329.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP3 Parser (KB2721691) (Version: 4.30.2114.0)
MSXML 4.0 SP3 Parser (KB973685) (Version: 4.30.2107.0)
MSXML 6.0 Parser (KB927977) (Version: 6.00.3890.0)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
PDFCreator (Version: 0.9.3)
PowerDVD DX (Version: 8.3.6029)
Print2RDP Client
Realtek High Definition Audio Driver
Roxio Creator Audio (Version: 3.7.0)
Roxio Creator Copy (Version: 3.7.0)
Roxio Creator Data (Version: 3.7.0)
Roxio Creator DE 10.3 (Version: 10.3)
Roxio Creator DE 10.3 (Version: 3.7.0)
Roxio Creator Tools (Version: 3.7.0)
Roxio Express Labeler 3 (Version: 3.2.2)
Roxio Media Manager (Version: 9.4.023)
Roxio Update Manager (Version: 6.0.0)
ShopAtHome.com Toolbar
ST Microelectronics TPM Driver Installer (Version: 1.04.15)
SUPERAntiSpyware (Version: 5.0.1150)
The Weather Channel Desktop 6
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows Internet Explorer 8 (KB980302) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB943729)
Update for Windows XP (KB951618-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
Update for Windows XP (KB978207) (Version: 1)
Update for Windows XP (KB980182) (Version: 1)
UPEK TouchChip Fingerprint Reader (Version: 1.1.0)
WebFldrs XP (Version: 9.50.7523)
Windows Driver Package - STMicroelectronics (stmtpm) System (05/24/2007 1.00.04.15) (Version: 05/24/2007 1.00.04.15)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation (Version: 3.0.6920.0)
Windows Rights Management Client Backwards Compatibility SP2 (Version: 5.2.95)
Windows Rights Management Client with Service Pack 2 (Version: 5.2.95)
XML Paper Specification Shared Components Pack 1.0

========================= Memory info: ===================================

Percentage of memory in use: 27%
Total physical RAM: 3035.57 MB
Available physical RAM: 2195.95 MB
Total Pagefile: 4921.68 MB
Available Pagefile: 4261.99 MB
Total Virtual: 2047.88 MB
Available Virtual: 1969.25 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:232.79 GB) (Free:209.02 GB) NTFS
5 Drive u: (SHARES) (Network) (Total:9.77 GB) (Free:6.29 GB) NTFS

========================= Users: ========================================

User accounts for \\DELL-380

Administrator cbartek Guest
HelpAssistant Larry Johnson SUPPORT_388945a0


**** End of log ****


Farbar Service Scanner Version: 08-07-2012
Ran by larry (administrator) on 19-07-2012 at 12:46:28
Running from "C:\Documents and Settings\larry\Local Settings\Temporary Internet Files\Content.IE5\134YCCHG"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open sharedaccess registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0700000004000000010000000200000003000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****


I noticed his Microsoft Security Essentials is not working, and I got a few popups while going to the site to download the FSS and the other scanner.

#9 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 July 2012 - 01:22 PM

Download systemlook.

Launch it, copy this script and paste it in the BOX:

:filefind
services.exe
:folderfind
{96726d9c-7c7f-47a5-7366-505951d37772}

Click on LOOK and post the generated log.

#10 sacsr

sacsr
  • Topic Starter

  • Members
  • 45 posts

Posted 19 July 2012 - 02:12 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 15:11 on 19/07/2012 by larry
Administrator - Elevation successful

========== filefind ==========

Searching for "services.exe"
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe --a---- 110592 bytes [22:32 03/11/2009] [11:06 06/02/2009] 020CEAAEDC8EB655B6506B8C70D53BB6
C:\WINDOWS\ERDNT\cache\services.exe --a---- 110592 bytes [17:02 19/04/2011] [11:11 06/02/2009] 65DF52F5B8B6E9BBD183505225C37315
C:\WINDOWS\system32\services.exe --a---- 110592 bytes [16:16 25/04/2008] [11:11 06/02/2009] 65DF52F5B8B6E9BBD183505225C37315
C:\WINDOWS\system32\dllcache\services.exe --a--c- 110592 bytes [22:32 03/11/2009] [11:11 06/02/2009] 65DF52F5B8B6E9BBD183505225C37315

========== folderfind ==========

Searching for "{96726d9c-7c7f-47a5-7366-505951d37772}"
C:\Documents and Settings\larry\Local Settings\Application Data\{96726d9c-7c7f-47a5-7366-505951d37772} d--hs-- [16:16 25/04/2008]
C:\WINDOWS\Installer\{96726d9c-7c7f-47a5-7366-505951d37772} d--hs-- [16:16 25/04/2008]

-= EOF =-
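A defender-side check on the SystemLook output above, added here as an example that is not part of this thread or of SystemLook itself: it parses the filefind hit lines and compares the MD5 of the live C:\WINDOWS\system32\services.exe against the Windows File Protection copy in dllcache, so a tampered live copy would stand out by its hash. The $hf_mig$ hotfix copy is a different build and legitimately differs, so it is reported rather than flagged; the second log and its DEADBEEF hash are constructed for the mismatch case.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# One ":filefind" hit line in a SystemLook log has the shape
#   <path> <attributes> <size> bytes [<modified>] [<created>] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Copied from the SystemLook log posted above (post #10).
THREAD_LOG = r"""
========== filefind ==========

Searching for "services.exe"
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe --a---- 110592 bytes [22:32 03/11/2009] [11:06 06/02/2009] 020CEAAEDC8EB655B6506B8C70D53BB6
C:\WINDOWS\ERDNT\cache\services.exe --a---- 110592 bytes [17:02 19/04/2011] [11:11 06/02/2009] 65DF52F5B8B6E9BBD183505225C37315
C:\WINDOWS\system32\services.exe --a---- 110592 bytes [16:16 25/04/2008] [11:11 06/02/2009] 65DF52F5B8B6E9BBD183505225C37315
C:\WINDOWS\system32\dllcache\services.exe --a--c- 110592 bytes [22:32 03/11/2009] [11:11 06/02/2009] 65DF52F5B8B6E9BBD183505225C37315

========== folderfind ==========
"""

# Constructed counter-example: same log, but the live copy under system32 now
# carries a placeholder hash that no longer matches the dllcache copy.
TAMPERED_LOG = THREAD_LOG.replace(
    r"C:\WINDOWS\system32\services.exe --a---- 110592 bytes [16:16 25/04/2008] [11:11 06/02/2009] 65DF52F5B8B6E9BBD183505225C37315",
    r"C:\WINDOWS\system32\services.exe --a---- 110592 bytes [16:16 25/04/2008] [11:11 06/02/2009] DEADBEEFDEADBEEFDEADBEEFDEADBEEF",
)


@dataclass(frozen=True)
class FileHit:
    path: str
    attrs: str
    size: int
    md5: str


@dataclass
class Assessment:
    live_md5: Optional[str]                 # hash of <system32>\<name>
    dllcache_md5: Optional[str]             # hash of the Windows File Protection copy
    live_matches_dllcache: Optional[bool]   # None when one of the two copies is missing
    other_builds: dict[str, str] = field(default_factory=dict)  # path -> md5 of copies that differ from live


def parse_filefind(log_text: str) -> list[FileHit]:
    """Return every hit line from the filefind section(s) of a SystemLook log."""
    hits: list[FileHit] = []
    for line in log_text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]), m["md5"].upper()))
    return hits


def assess_system_file(hits: list[FileHit], name: str = "services.exe") -> Assessment:
    """Compare the live system32 copy with the dllcache copy and list every other build seen."""
    name = name.lower()
    live = dllcache = None
    for h in hits:
        p = h.path.lower()
        if p.endswith("\\system32\\" + name):
            live = h
        elif p.endswith("\\system32\\dllcache\\" + name):
            dllcache = h
    match = None if live is None or dllcache is None else live.md5 == dllcache.md5
    others = {h.path: h.md5 for h in hits
              if live is not None and h is not live and h.md5 != live.md5}
    return Assessment(live.md5 if live else None, dllcache.md5 if dllcache else None, match, others)


if __name__ == "__main__":
    for label, log in (("thread log", THREAD_LOG), ("constructed tampered log", TAMPERED_LOG)):
        a = assess_system_file(parse_filefind(log))
        verdict = {True: "matches dllcache", False: "DIFFERS from dllcache",
                   None: "cannot compare"}[a.live_matches_dllcache]
        print(f"{label}: live services.exe {a.live_md5} {verdict}; other builds: {a.other_builds}")
```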

#11 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 July 2012 - 02:31 PM

Open your C drive.

At the top, click on Tools > Folder Options.

Click on the View tab and scroll down.

Check mark Show hidden files.
Uncheck Hide operating system files.

Click OK, now go to

C:\Documents and Settings\larry\Local Settings\Application Data\{96726d9c-7c7f-47a5-7366-505951d37772}
C:\WINDOWS\Installer\{96726d9c-7c7f-47a5-7366-505951d37772}

and delete the folders.

Post the new SystemLook log.

Download

Sharedaccess
wscsvc

Launch it, click YES.

Download Windows repair tool.

Extract and launch the Repair_Windows.exe file.

Click on the Start repairs tab, then click on Start.

Check mark the following options alone:

Repair WMI
Remove Policies Set By Infections
Repair Winsock & DNS Cache

Checkmark the Restart System When Finished option and click the Start button.

The system should restart after the repair.

Post the FSS log.

#12 sacsr

sacsr
  • Topic Starter

  • Members
  • 45 posts

Posted 19 July 2012 - 05:14 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 18:13 on 19/07/2012 by larry
Administrator - Elevation successful

========== filefind ==========

Searching for "services.exe"
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe --a---- 110592 bytes [22:32 03/11/2009] [11:06 06/02/2009] 020CEAAEDC8EB655B6506B8C70D53BB6
C:\WINDOWS\ERDNT\cache\services.exe --a---- 110592 bytes [17:02 19/04/2011] [11:11 06/02/2009] 65DF52F5B8B6E9BBD183505225C37315
C:\WINDOWS\system32\services.exe --a---- 110592 bytes [16:16 25/04/2008] [11:11 06/02/2009] 65DF52F5B8B6E9BBD183505225C37315
C:\WINDOWS\system32\dllcache\services.exe --a--c- 110592 bytes [22:32 03/11/2009] [11:11 06/02/2009] 65DF52F5B8B6E9BBD183505225C37315

========== folderfind ==========

Searching for "{96726d9c-7c7f-47a5-7366-505951d37772}"
No folders found.

-= EOF =-

#13 sacsr

sacsr
  • Topic Starter

  • Members
  • 45 posts

Posted 19 July 2012 - 05:37 PM

Farbar Service Scanner Version: 19-07-2012
Ran by larry (administrator) on 19-07-2012 at 18:36:04
Running from "C:\Documents and Settings\larry\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
ATTENTION!=====> Unable to retrieve HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\\EnableFirewall value. The value does not exist.
ATTENTION!=====> Unable to retrieve HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall value. The value does not exist.


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0700000004000000010000000200000003000000050000000600000007000000
IpSec Tag value is correct.

#14 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 July 2012 - 07:14 PM

Download TFC.

Launch it; it will close all running programs.

Click on START, it should ask for a reboot.

Turn off your System Restore, restart the PC, and create a new restore point:

http://support.microsoft.com/kb/310405

Update your Java from here:

http://java.com/en/download/inc/windows_upgrade_xpi.jsp

Update your antivirus frequently, and do not click on suspicious links.

Safe surfing :)

#15 sacsr

sacsr
  • Topic Starter

  • Members
  • 45 posts

Posted 20 July 2012 - 07:48 AM

Thanks!!!!!!!!!! Looking good so far!!!

Appreciate your help! Have a great day! :thumbsup:



