
Stubborn Trojan (redux)


  • This topic is locked
8 replies to this topic

#1 frankvh

frankvh

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:48 PM

Posted 24 July 2013 - 08:49 AM

New topic, as suggested by the estimable Boopme. Previous topic here:

 

http://www.bleepingcomputer.com/forums/t/501360/stubborn-trojan/#entry3111254

 

G'day!

 

As suggested, I implemented the procedures from the "Preparation Guide" relative to the machine we've been discussing.

 

The first item of interest: When I went to Control Panel to check Windows Firewall settings, I double clicked on the applet icon and got a dialog box saying:

 

"Due to an unidentified problem Windows cannot display Windows Firewall settings. OK?"

 

I took no further action re: the firewall.

 

I dl'ed and ran DDS, and saved the resultant dds.txt and attach.txt. I shall stand by and await further guidance. As usual, my thanks for your continuing help. Here are the txt files, dds.txt first:

 

--------------------------------------------

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by Administrator at 17:16:21 on 2013-07-23
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.446.157 [GMT -4:00]
.
AV: AVG update module *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.novachem.net/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [OzLINK for UPS Startup] "c:\documents and settings\administrator\local settings\application data\oz development\ozlink for ups\app\OzLINK for UPS Startup.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_5_502_135_ActiveX.exe -update activex
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [PeachtreePrefetcher.exe] c:\program files\sage software\peachtree\PeachtreePrefetcher.exe /configfile:peachtreeprefetcher.winstart.config
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1356041616250
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 167.206.251.129 167.206.251.130
TCP: Interfaces\{7111D43C-1D42-46CE-A980-0E83E69910AD} : DHCPNameServer = 167.206.251.129 167.206.251.130
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\28.0.1500.72\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-10-15 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 245048]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2012-11-16 96568]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-9-14 39224]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2013-4-2 102008]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2012-10-22 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2012-9-21 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-10-2 170808]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-9-21 182072]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-3-21 37664]
R1 oxpar;%OXPAR.SVCDESC%;c:\windows\system32\drivers\oxpar.sys [2007-1-24 80128]
R1 RapportCerberus_53984;RapportCerberus_53984;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\53984\RapportCerberus32_53984.sys [2013-7-23 317424]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2013-4-2 102680]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2013-4-2 173880]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2013-5-14 4937264]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2013-4-18 283136]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2010-10-25 145920]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-12-27 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-12-27 701512]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2008-4-14 818200]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2008-6-6 435496]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2013-4-2 1124184]
R2 vToolbarUpdater15.3.0;vToolbarUpdater15.3.0;c:\program files\common files\avg secure search\vtoolbarupdater\15.3.0\ToolbarUpdater.exe [2013-6-18 1598128]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-27 22856]
R3 oxmf;OXPCI Bus enumerator;c:\windows\system32\drivers\oxmf.sys [2007-1-24 21888]
R3 Oxmfuf;Filter driver for OX16PCI95x ports;c:\windows\system32\drivers\oxmfuf.sys [2007-1-24 5888]
R3 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\oxser.sys [2007-1-24 70784]
S3 Sage 50 SmartPosting 2013;Sage 50 SmartPosting 2013;c:\program files\sage software\peachtree\SmartPostingService2013.exe [2012-11-7 334704]
.
=============== Created Last 30 ================
.
2013-07-23 12:08:15 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-07-23 12:08:14 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-07-23 12:08:13 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-23 12:07:49 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-22 21:18:29 -------- d-----w- c:\program files\ESET
.
==================== Find3M  ====================
.
2013-06-18 14:00:53 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-06-08 03:55:44 385024 ----a-w- c:\windows\system32\html.iec
2013-06-07 21:56:06 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56:05 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-06-04 07:23:02 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40:45 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-03 01:26:26 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38:18 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-25 21:41:22 810496 ----a-w- c:\windows\system32\wmvdmod.dll
.
============= FINISH: 17:17:34.38 ===============
 

-----------------------------------------------------

 

Now, attach.txt:

 

---------------------------------------------------

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/25/2008 6:14:21 AM
System Uptime: 7/23/2013 7:40:02 AM (10 hours ago)
.
Motherboard: ASUSTek Computer INC. |  | 2A72
Processor: AMD Athlon™ Processor 1640B | Socket AM2  | 1789/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 65 GiB total, 38.797 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 6.869 GiB free.
E: is CDROM ()
F: is NetworkDisk (FAT) - 112 GiB total, 82.807 GiB free.
Z: is NetworkDisk (FAT) - 112 GiB total, 82.807 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1478: 5/24/2013 4:01:10 PM - Software Distribution Service 3.0
RP1479: 5/28/2013 5:26:09 PM - System Checkpoint
RP1480: 5/28/2013 8:00:28 PM - Software Distribution Service 3.0
RP1481: 5/29/2013 5:25:02 PM - Software Distribution Service 3.0
RP1482: 5/30/2013 5:05:43 PM - Software Distribution Service 3.0
RP1483: 5/31/2013 5:30:44 PM - Software Distribution Service 3.0
RP1484: 6/3/2013 12:28:14 PM - System Checkpoint
RP1485: 6/3/2013 6:10:19 PM - Software Distribution Service 3.0
RP1486: 6/4/2013 4:57:46 PM - Software Distribution Service 3.0
RP1487: 6/5/2013 4:37:47 PM - Software Distribution Service 3.0
RP1488: 6/6/2013 5:07:26 PM - Software Distribution Service 3.0
RP1489: 6/7/2013 5:06:31 PM - Software Distribution Service 3.0
RP1490: 6/10/2013 11:46:23 AM - System Checkpoint
RP1491: 6/10/2013 5:08:39 PM - Software Distribution Service 3.0
RP1492: 6/11/2013 5:10:46 PM - Software Distribution Service 3.0
RP1493: 6/12/2013 5:28:26 PM - Software Distribution Service 3.0
RP1494: 6/13/2013 5:07:21 PM - Software Distribution Service 3.0
RP1495: 6/14/2013 5:24:06 PM - Software Distribution Service 3.0
RP1496: 6/17/2013 12:20:48 PM - System Checkpoint
RP1497: 6/17/2013 5:08:32 PM - Software Distribution Service 3.0
RP1498: 6/18/2013 5:31:42 PM - Software Distribution Service 3.0
RP1499: 6/19/2013 5:08:15 PM - Software Distribution Service 3.0
RP1500: 6/20/2013 5:07:18 PM - Software Distribution Service 3.0
RP1501: 6/21/2013 5:25:31 PM - Software Distribution Service 3.0
RP1502: 6/24/2013 12:24:03 PM - System Checkpoint
RP1503: 6/24/2013 8:00:23 PM - Software Distribution Service 3.0
RP1504: 6/25/2013 5:17:13 PM - Software Distribution Service 3.0
RP1505: 6/26/2013 5:22:17 PM - Software Distribution Service 3.0
RP1506: 6/27/2013 5:19:52 PM - Software Distribution Service 3.0
RP1507: 6/28/2013 5:31:18 PM - Software Distribution Service 3.0
RP1508: 7/1/2013 9:24:21 AM - System Checkpoint
RP1509: 7/1/2013 5:43:51 PM - Software Distribution Service 3.0
RP1510: 7/2/2013 5:51:43 PM - Software Distribution Service 3.0
RP1511: 7/3/2013 3:12:32 PM - Software Distribution Service 3.0
RP1512: 7/8/2013 11:52:46 AM - System Checkpoint
RP1513: 7/8/2013 5:12:36 PM - Software Distribution Service 3.0
RP1514: 7/9/2013 5:56:47 PM - Software Distribution Service 3.0
RP1515: 7/10/2013 9:42:50 AM - Software Distribution Service 3.0
RP1516: 7/10/2013 6:09:13 PM - Software Distribution Service 3.0
RP1517: 7/11/2013 9:39:18 AM - Software Distribution Service 3.0
RP1518: 7/11/2013 5:43:18 PM - Software Distribution Service 3.0
RP1519: 7/12/2013 5:31:24 PM - Software Distribution Service 3.0
RP1520: 7/15/2013 5:40:19 PM - Software Distribution Service 3.0
RP1521: 7/16/2013 5:43:26 PM - Software Distribution Service 3.0
RP1522: 7/17/2013 5:30:18 PM - Software Distribution Service 3.0
RP1523: 7/19/2013 8:10:37 AM - Software Distribution Service 3.0
RP1524: 7/19/2013 9:58:20 AM - Installed Sage 50 Payroll Solutions Update
RP1525: 7/19/2013 5:05:10 PM - Software Distribution Service 3.0
RP1526: 7/22/2013 12:28:13 PM - System Checkpoint
RP1527: 7/22/2013 8:00:27 PM - Software Distribution Service 3.0
RP1528: 7/23/2013 8:01:06 AM - Removed Adobe Reader 9.5.0.
RP1529: 7/23/2013 8:02:11 AM - Removed Java™ 6 Update 2
RP1530: 7/23/2013 8:07:01 AM - Installed Java 7 Update 25
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader XI (11.0.03)
AMD Processor Driver
AVG 2013
AVG SafeGuard toolbar
Business Contact Manager for Outlook 2007 SP2
CCleaner (remove only)
Crystal Reports 2008 Runtime SP1
Dual-Core Optimizer
ESET Online Scanner v3
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2779562)
HP Backup and Recovery Manager
HP Help and Support
HP LaserJet Professional M1530 MFP Series
HP LJ M1530 MFP Series HP Scan
HPLaserJetHelp_LearnCenter
HPLJUT
hppFaxDrvM1530
hppFaxUtilityM1530
hppLaserJetService
hppM1530LaserJetService
hppSendFaxM1530
hppTLBXFXM1530
HpSdpAppCoreApp
hpzTLBXFX
I.R.I.S. OCR
InterVideo Register Manager
InterVideo WinDVD
Java 7 Update 25
Java Auto Updater
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2000 SR-1 Small Business
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Small Business Connectivity Components
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
MSN
MSXML 6 Service Pack 2 (KB973686)
NVIDIA Drivers
OzLINK for UPS
PDF Complete Corporate Edition
Peachtree Signature Ready Forms
Pervasive PSQL v10 SP2 Workgroup (32-bit)
Pervasive Software PSQL v9.1 Client
Pervasive System Analyzer v9.1
Rapport
Realtek High Definition Audio Driver
Sage 50 Accounting 2013
Sage Message Center
Sage Software Integration Services
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB2829530)
Security Update for Windows Internet Explorer 8 (KB2838727)
Security Update for Windows Internet Explorer 8 (KB2846071)
Security Update for Windows Internet Explorer 8 (KB2847204)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB2803821)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219-v2)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135-v2)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2829361)
Security Update for Windows XP (KB2834886)
Security Update for Windows XP (KB2839229)
Security Update for Windows XP (KB2845187)
Security Update for Windows XP (KB2850851)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Spelling Dictionaries Support For Adobe Reader 9
StuffIt Expander 2010
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB951978)
Update for Windows XP (KB971029)
Visual Studio Tools for the Office system 3.0 Runtime
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258)
WebFldrs XP
Windows Imaging Component
Windows Internet Explorer 8
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
7/22/2013 9:46:39 PM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.
7/22/2013 8:57:26 PM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
7/19/2013 8:29:47 AM, error: Windows Update Agent [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2833941).
7/19/2013 8:17:09 AM, error: Windows Update Agent [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office PowerPoint 2007 (KB2596764).
7/19/2013 8:08:54 AM, error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
7/18/2013 8:09:19 AM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
7/17/2013 8:11:10 AM, error: PlugPlayManager [11]  - The device Root\LEGACY_RAPPORTIASO\0000 disappeared from the system without first being prepared for removal.
.
==== End Of File ===========================
 

-------------------------------------

 

EOM.

 

Frank

 

Mod Edit: Moved topic from Aii, to the intended (Logs) sub-forum. ~bloopie


Edited by bloopie, 24 July 2013 - 09:32 PM.
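The dds.txt posted above is the only evidence in this post, so the useful addition here is a small parser for its "Pseudo HJT Report" section. This is an added example, not code from the thread, from DDS or from BleepingComputer; it takes the autostart, BHO and handler lines DDS prints and flags the two things a responder looks at first: programs launching from a user's scratch locations (Temp, Local Settings) and handlers whose CLSID no longer resolves (`<orphaned>`). The sample input reuses lines from the log above plus one constructed `uRun` line (labelled CONSTRUCTED) so the scratch-path rule fires; the flag names and the `Entry` structure are this example's own.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example, not part of the DDS tool or of the forum thread: parses the
autostart/BHO/handler lines DDS prints and flags entries that start from a
user's scratch locations or whose handler CLSID is reported as <orphaned>.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines copied from the dds.txt above, plus one CONSTRUCTED
# uRun line (its path is one RogueKiller reported later in the thread) so that
# the scratch-location rule is exercised.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.novachem.net/
BHO: Java(TM) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
uRun: [OzLINK for UPS Startup] "c:\documents and settings\administrator\local settings\application data\oz development\ozlink for ups\app\OzLINK for UPS Startup.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CONSTRUCTED] c:\docume~1\admini~1\locals~1\temp\sbcjxyn\snprdmb\wow.dll
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
TCP: NameServer = 167.206.251.129 167.206.251.130
.
============= SERVICES / DRIVERS ===============
"""

SECTION_RE = re.compile(r'^=+\s*(.+?)\s*=+$')
# User-profile scratch locations; legitimate software rarely autostarts from them.
SCRATCH_RE = re.compile(r'\\(?:temp|locals~1|local settings)\\', re.IGNORECASE)


@dataclass
class Entry:
    kind: str                  # DDS prefix: uRun, mRun, BHO, TB, Handler, TCP ...
    name: str                  # bracketed/embedded name, "" when the line has none
    value: str                 # command line, path, URL or CLSID that follows
    flags: List[str] = field(default_factory=list)


def pseudo_hjt_lines(text: str) -> List[str]:
    """Return only the lines between the Pseudo HJT header and the next header."""
    out, inside = [], False
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            inside = "Pseudo HJT" in m.group(1)
            continue
        if inside and line.strip() and line.strip() != ".":
            out.append(line.rstrip())
    return out


def parse_entry(line: str) -> Entry:
    """Split one DDS line into kind / name / value."""
    if ": " in line:
        kind, rest = line.split(": ", 1)
    elif " = " in line:                         # e.g. "uStart Page = hxxp://..."
        kind, rest = line.split(" = ", 1)
    else:
        return Entry(kind="?", name="", value=line)
    name = ""
    if rest.startswith("["):                    # uRun: [Name] command
        name, _, rest = rest[1:].partition("] ")
    elif kind in ("BHO", "TB") and ": {" in rest:   # BHO: Name: {CLSID} - path
        name, rest = rest.split(": ", 1)
    elif kind == "Handler":                     # Handler: name - {CLSID} - path
        name, _, rest = rest.partition(" - ")
    return Entry(kind=kind, name=name, value=rest.strip())


def flag(entry: Entry) -> Entry:
    """Attach triage flags to an entry and return it."""
    if SCRATCH_RE.search(entry.value):
        entry.flags.append("profile-scratch-path")
    if "<orphaned>" in entry.value:
        entry.flags.append("orphaned-clsid")
    return entry


def parse_pseudo_hjt(text: str) -> List[Entry]:
    """All entries of the Pseudo HJT section, each with its flags computed."""
    return [flag(parse_entry(line)) for line in pseudo_hjt_lines(text)]


def triage(text: str) -> List[Entry]:
    """Only the entries a responder should look at."""
    return [e for e in parse_pseudo_hjt(text) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_DDS):
        print(f"{e.kind:8} {e.name or '-':24} {','.join(e.flags):22} {e.value}")
```

Run against the sample it lists the OzLINK entry (starts from Local Settings\Application Data), the constructed Temp entry, and the orphaned linkscanner handler; everything under Program Files or system32 passes. A scratch-path hit is a lead, not a verdict: the OzLINK entry is a legitimate per-user install, which is exactly why these flags are for prioritising what to check by hand rather than for automatic removal.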



 


#2 frankvh

frankvh
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:48 PM

Posted 25 July 2013 - 06:51 AM

Bloopie, thanks for the housekeeping edit. I'm a newbie here, maybe I'll get the hang of it after a bit.

 

Frank



#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:48 PM

Posted 26 July 2013 - 10:19 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+
Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
Please paste the logs in your next reply; DO NOT ATTACH THEM.
Let me know what problem persists.

#4 frankvh

frankvh
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:48 PM

Posted 29 July 2013 - 02:49 PM

G'day, nasdaq!

 

I have run RogueKiller and FSS on the affected machine, in accordance with your instructions. For some reason, RK generated two .txt files of results. I will paste both in below, as well as the FSS.txt log file.

 

I am still unable to open the Windows Firewall control panel applet on the machine.

 

As before, my thanks for your help with this. Herewith, the logs:

 

------------------------------------------------

RogueKiller V8.6.4 [Jul 29 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Scan -- Date : 07/29/2013 15:19:44
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : OzLINK for UPS Startup ("C:\Documents and Settings\Administrator\Local Settings\Application Data\Oz Development\OzLINK for UPS\App\OzLINK for UPS Startup.exe" [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-4057623434-2618859999-3600674897-500\[...]\Run : OzLINK for UPS Startup ("C:\Documents and Settings\Administrator\Local Settings\Application Data\Oz Development\OzLINK for UPS\App\OzLINK for UPS Startup.exe" [-]) -> FOUND
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][SUSP PATH] HKCR\[...]\InprocServer32 :  (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sbcjxyn\snprdmb\wow.dll [-]) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] @ : C:\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@ [-] --> FOUND
[ZeroAccess][File] @ : C:\Documents and Settings\Administrator\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@ [-] --> FOUND
[ZeroAccess][File] @ : C:\RECYCLER\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\@ [-] --> FOUND
[ZeroAccess][File] @ : C:\RECYCLER\S-1-5-21-4057623434-2618859999-3600674897-500\$ff24043d55f85ce9a20a8337d9b4b888\@ [-] --> FOUND
[ZeroAccess][Folder] U : C:\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U [-] --> FOUND
[ZeroAccess][Folder] U : C:\Documents and Settings\Administrator\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U [-] --> FOUND
[ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U [-] --> FOUND
[ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-21-4057623434-2618859999-3600674897-500\$ff24043d55f85ce9a20a8337d9b4b888\U [-] --> FOUND
[ZeroAccess][Folder] L : C:\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L [-] --> FOUND
[ZeroAccess][Folder] L : C:\Documents and Settings\Administrator\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L [-] --> FOUND
[ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\L [-] --> FOUND
[ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-21-4057623434-2618859999-3600674897-500\$ff24043d55f85ce9a20a8337d9b4b888\L [-] --> FOUND
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection : ZeroAccess ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: ST380815AS +++++
--- User ---
[MBR] ae2b6d6f24b36c47dfdd34fc2f95a0ff
[BSP] 5552c0dc4191488df4a64307c8144b31 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 66056 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 135299430 | Size: 10244 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_07292013_151944.txt >>
 
-----------------------------------------------
 
RogueKiller V8.6.4 [Jul 29 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Remove -- Date : 07/29/2013 15:22:21
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : OzLINK for UPS Startup ("C:\Documents and Settings\Administrator\Local Settings\Application Data\Oz Development\OzLINK for UPS\App\OzLINK for UPS Startup.exe" [-]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-4057623434-2618859999-3600674897-500\[...]\Run : OzLINK for UPS Startup ("C:\Documents and Settings\Administrator\Local Settings\Application Data\Oz Development\OzLINK for UPS\App\OzLINK for UPS Startup.exe" [-]) -> [0x2] The system cannot find the file specified. 
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][SUSP PATH] HKCR\[...]\InprocServer32 :  (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sbcjxyn\snprdmb\wow.dll [-]) -> REPLACED (C:\WINDOWS\system32\shell32.dll)
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] @ : C:\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@ [-] --> DELETED
[ZeroAccess][File] @ : C:\Documents and Settings\Administrator\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@ [-] --> DELETED
[ZeroAccess][File] @ : C:\RECYCLER\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\@ [-] --> DELETED
[ZeroAccess][File] @ : C:\RECYCLER\S-1-5-21-4057623434-2618859999-3600674897-500\$ff24043d55f85ce9a20a8337d9b4b888\@ [-] --> DELETED
[ZeroAccess][Folder] U : C:\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U [-] --> DELETED
[ZeroAccess][Folder] U : C:\Documents and Settings\Administrator\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U [-] --> DELETED
[ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U [-] --> DELETED
[ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-21-4057623434-2618859999-3600674897-500\$ff24043d55f85ce9a20a8337d9b4b888\U [-] --> DELETED
[ZeroAccess][Folder] L : C:\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L [-] --> DELETED
[ZeroAccess][Folder] L : C:\Documents and Settings\Administrator\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L [-] --> DELETED
[ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\L [-] --> DELETED
[ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-21-4057623434-2618859999-3600674897-500\$ff24043d55f85ce9a20a8337d9b4b888\L [-] --> DELETED
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection : ZeroAccess ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: ST380815AS +++++
--- User ---
[MBR] ae2b6d6f24b36c47dfdd34fc2f95a0ff
[BSP] 5552c0dc4191488df4a64307c8144b31 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 66056 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 135299430 | Size: 10244 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_D_07292013_152220.txt >>
RKreport[0]_S_07292013_151944.txt
 
-------------------------------------------
 
Farbar Service Scanner Version: 26-07-2013
Ran by Administrator (administrator) on 29-07-2013 at 15:26:41
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Unable to retrieve ServiceDll of sharedaccess. The value does not exist.
Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.
 
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Security Center:
============
 
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
 
Extra List:
=======
Avgtdix(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) 
0x09000000040000000100000002000000030000000800000009000000050000000600000007000000
IpSec Tag value is correct.
 
**** End of log ****
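The RogueKiller output above shows the on-disk layout this ZeroAccess variant used: one container ID (ff24043d-55f8-5ce9-a20a-8337d9b4b888) appears as a {GUID} directory under C:\WINDOWS\Installer and under the user's Local Settings\Application Data, and again with the dashes stripped as C:\RECYCLER\<SID>\$<32 hex>, each holding an "@" file and "U" and "L" subfolders. The following is an added example, not code from the thread or from RogueKiller; it turns that observed layout into a path matcher and groups hits by container ID. The function names are mine, the four suspicious paths are copied from the log above, and the two benign look-alikes (a placeholder-GUID MSI icon cache entry and XP's recycle-bin INFO2 index) are constructed to show what must not match.

```python
import re
from collections import defaultdict

# Entries ZeroAccess keeps inside its container directory, as seen in the
# RogueKiller output above: '@' is a file, 'U' and 'L' are subfolders.
_ZA_ENTRY = r"(?:@|U|L)"

# \RECYCLER\<SID>\$<32 hex>\<entry>: the 32 hex chars are the container GUID
# with its dashes removed.
_RECYCLER = re.compile(
    r"^[a-z]:\\recycler\\s-1-5-[0-9-]+\\\$(?P<id>[0-9a-f]{32})\\" + _ZA_ENTRY + r"$",
    re.IGNORECASE,
)

# {GUID}\<entry> under the MSI cache or the user's Local Application Data.
_GUID_DIR = re.compile(
    r"^[a-z]:\\(?:windows\\installer|.*\\local settings\\application data)\\"
    r"\{(?P<id>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}\\"
    + _ZA_ENTRY + r"$",
    re.IGNORECASE,
)

# Constructed sample input: the first four paths are copied from the log above;
# the last two are benign look-alikes (an MSI icon-cache entry with a
# placeholder GUID, and XP's own recycle-bin index) that must not match.
SAMPLE_PATHS = [
    r"C:\WINDOWS\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@",
    r"C:\Documents and Settings\Administrator\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U",
    r"C:\RECYCLER\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\L",
    r"C:\RECYCLER\S-1-5-21-4057623434-2618859999-3600674897-500\$ff24043d55f85ce9a20a8337d9b4b888\@",
    r"C:\WINDOWS\Installer\{00000000-0000-0000-0000-000000000000}\ARPPRODUCTICON.exe",
    r"C:\RECYCLER\S-1-5-21-4057623434-2618859999-3600674897-500\INFO2",
]


def container_id(path):
    """Return the normalised 32-hex container ID if `path` matches the
    ZeroAccess layout seen in this log, otherwise None."""
    m = _RECYCLER.match(path) or _GUID_DIR.match(path)
    if not m:
        return None
    return m.group("id").replace("-", "").lower()


def find_zeroaccess_containers(paths):
    """Group matching paths by container ID so the MSI-cache, LocalAppData and
    RECYCLER copies of one infection show up together."""
    hits = defaultdict(list)
    for p in paths:
        cid = container_id(p)
        if cid is not None:
            hits[cid].append(p)
    return dict(hits)


if __name__ == "__main__":
    for cid, paths in find_zeroaccess_containers(SAMPLE_PATHS).items():
        print(f"ZeroAccess container {cid}:")
        for p in paths:
            print("   ", p)
```

Path matching only finds the containers; it says nothing about the [HJ INPROC] line in the same log, where a COM InprocServer32 entry had been pointed at a DLL in %TEMP% in place of shell32.dll. That registry-side persistence is why a clean filesystem listing alone does not prove the machine is clean.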
#5 nasdaq
  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 July 2013 - 08:01 AM

The following steps involve registry editing. Please create a new restore point before proceeding!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://windows.microsoft.com/en-gb/windows7/create-a-restore-point
===

Go to this XP page
http://download.bleepingcomputer.com/win-services/xp/

Download the following registry files to your desktop:
wscsvc.reg
LEGACY_WSCSVC.reg
SharedAccess.reg
LEGACY_SHAREDACCESS.reg


Double click on each downloaded file and confirm the prompt.
Restart computer normally.
Post new FSS log.

===

Let me know what problem persists on this computer.
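The fix above restores the deleted service keys by importing .reg files, and the check is a second FSS run. The following is an added example, not code from the thread or from Farbar's tool: it parses FSS text in the format posted in this thread, pulls out every "Service is not running" and ATTENTION line under the section it belongs to, and diffs two runs so that what was fixed and what is new can be read off directly. The function names are mine; the two embedded inputs are constructed, trimmed copies of the before and after logs in this thread.

```python
import re

# Constructed sample input: a trimmed copy of the "before" FSS output posted
# earlier in this thread (Windows Firewall and Security Center service keys gone).
FSS_BEFORE = r"""
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Unable to retrieve ServiceDll of sharedaccess. The value does not exist.
Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

File Check:
========
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
"""

# Constructed sample input: the "after" output once the .reg files were imported.
FSS_AFTER = r"""
Windows Firewall:
=============

Security Center:
============

File Check:
========
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
"""

_SECTION = re.compile(r"^([A-Za-z ]+):$")                # e.g. "Windows Firewall:"
_UNDERLINE = re.compile(r"^=+$")                         # the ===== line under a heading
_NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
_FILE_VERDICT = re.compile(r"^(.+?) => (.+)$")           # "C:\...\x.dll => MD5 is legit"


def parse_fss(text):
    """Parse FSS output into {section: {"not_running": [svc, ...],
    "attention": [(svc, line), ...], "files": {path: verdict}}}."""
    sections, current, last_svc = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or _UNDERLINE.match(line):
            continue
        m = _SECTION.match(line)
        if m:
            current, last_svc = m.group(1), ""
            sections[current] = {"not_running": [], "attention": [], "files": {}}
            continue
        if current is None:
            continue  # banner lines before the first section
        sec = sections[current]
        m = _NOT_RUNNING.match(line)
        if m:
            last_svc = m.group(1).lower()
            sec["not_running"].append(last_svc)
        elif "ATTENTION!" in line or line.startswith("Unable to "):
            # FSS prints one line per missing value or key under the service it just named
            sec["attention"].append((last_svc, line))
        else:
            m = _FILE_VERDICT.match(line)
            if m:
                sec["files"][m.group(1)] = m.group(2)
    return sections


def findings(sections):
    """Flatten everything that needs attention into (section, subject, problem) tuples."""
    out = []
    for name, sec in sections.items():
        out += [(name, svc, "not running") for svc in sec["not_running"]]
        out += [(name, svc, line) for svc, line in sec["attention"]]
        out += [(name, path, verdict) for path, verdict in sec["files"].items()
                if verdict != "MD5 is legit"]
    return out


def diff_reports(before_text, after_text):
    """Findings that disappeared between two runs ("fixed") and ones that appeared ("new")."""
    before = set(findings(parse_fss(before_text)))
    after = set(findings(parse_fss(after_text)))
    return {"fixed": sorted(before - after), "new": sorted(after - before)}


if __name__ == "__main__":
    for status, items in diff_reports(FSS_BEFORE, FSS_AFTER).items():
        print(status)
        for section, subject, problem in items:
            print(f"  [{section}] {subject}: {problem}")
```

An empty "new" list is the condition to look for after importing the .reg files; anything in "new" (a service that stopped, a file whose MD5 is no longer legit) means the fix changed something it should not have, and the restore point created in the first step is the way back.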

#6 frankvh
  • Topic Starter
  • Members
  • 9 posts


Posted 31 July 2013 - 08:20 AM

G'day, nasdaq!

I have implemented your most recent instructions. The latest FSS.txt is spliced in below.

The firewall applet in Control Panel now works as designed.

A full scan by AVG no longer reports the trojan that led to my initial post.

The registry mod files LEGACY_WSCSVC.reg and LEGACY_SHAREDACCESS.reg would not run. Both of them produced a message, "Cannot import (file). Error accessing the registry." The other two ran fine.

I tried again to run TFC.exe to eliminate temp files, with no success. Same behavior as before; the program hangs right after it clears the desktop, and the 'exit' function also hangs -- requires power down and restart.

I thank you again for all of your help. Here's the FSS.txt:

------------------------------------

Farbar Service Scanner Version: 26-07-2013
Ran by Administrator (administrator) on 30-07-2013 at 17:39:28
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Security Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
 
Extra List:
=======
Avgtdix(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) 
0x09000000040000000100000002000000030000000800000009000000050000000600000007000000
IpSec Tag value is correct.
 
**** End of log ****

---------------------------------

Best regards,

Frank



#7 nasdaq
  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada


Posted 31 July 2013 - 09:48 AM

Try this one.

Download ATF Cleaner by Atribune from here and save it to your Desktop.
Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache


The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

* The purpose of the Prefetch folder is to increase the speed at which you can access the programs that you use on your PC. Unfortunately, Windows doesn't differentiate between a program you use every day and one you use once in a blue moon, which means that it may be prefetching a lot of stuff that you rarely use, adding to your startup time.
You may find that the first time you boot up after cleaning out this folder, your PC takes longer to get into gear - the second, and subsequent, boots should be quicker.

#8 nasdaq
  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada


Posted 06 August 2013 - 10:40 AM


If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

If you decide to keep the AdwCleaner tool make sure to delete your version and download the latest before running it.

Delete the other tools we used.
You can keep the DDS tool, as most forums will ask to see a log before suggesting a fix.
===

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

Having an effective antivirus is a must for everyone.
In addition to many excellent commercial products there are plenty of good free antivirus programs available. I can recommend:

If you are satisfied with your current protection programs you can ignore the instructions on Antivirus or Firewall listed below.

In addition to an antivirus I recommend using a firewall. A software firewall is a software program that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. I can recommend one of the following free products:

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not being malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Malwarebytes Anti-Malware (MBAM)
The free version of MBAM can be used to scan the system for traces of malware. Scanning your system regularly will make it harder for malware to reside on your system.
A tutorial on using MBAM can be found here.
Please Note: Only the paid for version has real time capabilities.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please keep your programs up to date. This applies to Java, Adobe Flashplayer, Adobe Reader and your Internet Browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC. Visiting a prepared web page suffices to infect your system.

In general Firefox, Opera and Google Chrome are considered to be more secure than Internet Explorer. In addition there are many useful addons that can protect you from possible risks:
  • WOT will warn you when you try to visit sites with poor reputation. The reputation is based on user ratings and is usually very accurate.
  • Script Blocker can help blocking many attempts to infect your system via malicious websites by only allowing scripts at sites you trust.
  • NoScript is a popular Firefox addon,
  • ScriptNo a popular Google Chrome addon.
For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
===

#9 nasdaq
  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada


Posted 12 August 2013 - 08:49 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.