TechSpot

[Closed] Search redirect, Ping.exe, Rootkit.Gen2

By winxpuser
Nov 21, 2011
  1. Looking for help with the following issues.

    1) Google and Yahoo search results are redirected

    2) Ping.exe appears in TaskManager - don't recall seeing it before

    3) Avira warns that Rootkit.Gen2 is present

    4) Occasionally get new Tab in Firefox opening

    5) Occasionally get TCP/IP error from Windows

    Thanks for your help!

    Step 2 - (Anti-Malware Log)

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8211

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.11

    11/21/2011 7:07:39 PM
    mbam-log-2011-11-21 (19-07-39).txt

    Scan type: Quick scan
    Objects scanned: 196052
    Time elapsed: 6 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Step 3 - GMER Log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-11-21 19:13:13
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST316002 rev.8.05
    Running: gmer.exe; Driver: C:\DOCUME~1\Rich\LOCALS~1\Temp\fgdyapod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 kbdcap.SYS
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 kbdcap.SYS

    ---- EOF - GMER 1.0.15 ----
     
  2. winxpuser

    winxpuser TS Rookie Topic Starter Posts: 45

    Having trouble posting rest of logs.
     
  3. winxpuser

    winxpuser TS Rookie Topic Starter Posts: 45

    Unable to post remaining logs - keep getting server timeout.

    Is this a common problem?
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome back to this forum- one you would most likely not have to come back to! I'll be glad to help with the malware.

    About the server problem> no, that is not a common problem on TechSpot. But I would like you to see if this problem occurs if you try to access another site. When is this message coming up? When you click on Post or when you attempt to get the site?

    Servers can become overloaded anywhere, but I haven't seen it when I've attempted anything here. When you are ready to post, do a right click on the Taskbar> Task Manager> if ping.exe is running, highlight it then click on End Task. See if that allows you to post the 2 DDS logs.
    ---------------------------------------
    Let's see if we can find anything with the following scan:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download button to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on it on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

    You do need an internet connection to run this- but it's short and has a small log.
     
  5. winxpuser

    winxpuser TS Rookie Topic Starter Posts: 45

    Bobbye,

    Thanks for the reply.

    I receive the 'Server Timeout' error when I click 'Submit Reply'. I have tried ending the ping.exe process in Task Manager as you suggested, but still get the same error when I try to reply. After a few minutes, ping.exe reappears. It took several tries to get the above replies to go through.

    I will run the online scan you suggested and reply back shortly.

    Thanks again for the help!

    *****Updated - Had no trouble submitting this reply.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I think you jinxed me! About 5 minutes after I replied to you, my internet went down! It wasn't TechSpot though.

    Post the logs when you're finished. I do know that Julio has been doing some work on TechSpot. There is a possibility that something might have been going on that caused the intermittent problem. Let me know if it happens here again and I'll send him a PM.
     
  7. winxpuser

    winxpuser TS Rookie Topic Starter Posts: 45

    Bobbye,

    Here is the log from ESET

    C:\Program Files\FlashGet\ads\cache434\B_434_2_1_613800.htm HTML/ScrInject.B.Gen virus
    Operating memory multiple threats
     
  8. winxpuser

    winxpuser TS Rookie Topic Starter Posts: 45

    Bobbye,

    Since my last post, I have lost access to the internet. When I try to enable my network connection, I am unable to get an IP for the PC that is infected. All other PCs connected to the same router are fine.

    I think this is related to the above problems.

    Is it a good idea to copy the log files from the infected PC, move them to another PC using a USB drive, and upload here? I don't want to spread the problem to another PC.

    Thanks again for all of your help.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You can download programs to a flash drive, then run them on the infected computer. If you cannot access the forum to paste, save the log first. Then copy it to the flash drive and paste here.

    Please go ahead and run the following for the Eset entries:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Program Files\FlashGet\ads\cache434\B_434_2_1_613800.htm
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Try the internet access after you remove the above.
     
  10. winxpuser

    winxpuser TS Rookie Topic Starter Posts: 45

    Bobbye,

    Log file from MoveIt is below

    Still unable to connect to internet.

    When I go into Network Connections, I right click Local Area Connection. The Status gets to 'Acquiring Network Address' and goes no further.

    I right clicked and selected Repair and received the notice that Windows could not repair because it was unable to Renew IP Address.

    All processes killed
    ========== FILES ==========
    C:\Program Files\FlashGet\ads\cache434\B_434_2_1_613800.htm moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 2129280 bytes
    ->Temporary Internet Files folder emptied: 782098 bytes
    ->Flash cache emptied: 83 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32768 bytes
    ->Flash cache emptied: 83 bytes

    User: Jorene
    ->Temp folder emptied: 45198186 bytes
    ->Temporary Internet Files folder emptied: 22038501 bytes
    ->Java cache emptied: 64745 bytes
    ->FireFox cache emptied: 35993695 bytes
    ->Flash cache emptied: 732 bytes

    User: LocalService
    ->Temp folder emptied: 2055272 bytes
    ->Temporary Internet Files folder emptied: 1646058 bytes
    ->Flash cache emptied: 405 bytes

    User: NetworkService
    ->Temp folder emptied: 1986088 bytes
    ->Temporary Internet Files folder emptied: 175368483 bytes
    ->Flash cache emptied: 8103 bytes

    User: Rich
    ->Temp folder emptied: 739063785 bytes
    ->Temporary Internet Files folder emptied: 1901627 bytes
    ->Java cache emptied: 471823 bytes
    ->FireFox cache emptied: 117306430 bytes
    ->Flash cache emptied: 1830 bytes

    %systemdrive% .tmp files removed: 6597 bytes
    %systemroot% .tmp files removed: 129209 bytes
    %systemroot%\System32 .tmp files removed: 2405721 bytes
    %systemroot%\System32\dllcache .tmp files removed: 33792 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 8240303 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 688687 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 1,104.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 11222011_095722

    Thanks!
     
  11. winxpuser

    winxpuser TS Rookie Topic Starter Posts: 45

    After running MoveIt, I re-ran the scans and copied the logs using a flash drive.

    Results below.

    MalWare Log

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8211

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.11

    11/22/2011 10:16:22 AM
    mbam-log-2011-11-22 (10-16-22).txt

    Scan type: Quick scan
    Objects scanned: 191917
    Time elapsed: 3 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER Log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-11-22 10:18:43
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST316002 rev.8.05
    Running: gmer.exe; Driver: C:\DOCUME~1\Rich\LOCALS~1\Temp\fgdyapod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 kbdcap.SYS
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 kbdcap.SYS

    ---- EOF - GMER 1.0.15 ----

    DDS Log

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_26
    Run by Rich at 10:19:05 on 2011-11-22
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2640 [GMT -5:00]
    .
    AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Windows SteadyState\SCTSvc.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\WINDOWS\system32\ssoftsrv.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Windows SteadyState\Bubble.exe
    C:\WINDOWS\System32\wbem\unsecapp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\taskmgr.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: FlashCatchBHO Class: {88618a96-6d8a-42e7-b932-9073d5b2080f} - c:\program files\flashcatch\flashcatch.dll
    BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    BHO: IeCatch2 Class: {a5366673-e8ca-11d3-9cd9-0090271d075b} - c:\program files\flashget\jccatch.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
    TB: FlashCatch: {10cecf4f-a96e-4803-8ac2-f565fb29ff47} - c:\program files\flashcatch\flashcatch.dll
    TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
    TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {C4D5E343-9494-97E4-8635-440B49E25FD5} - No File
    TB: {CF745ACA-6FA6-45ED-AB49-E10A0D1870C5} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
    mRun: [Bubble] c:\program files\windows steadystate\Bubble.exe
    mRun: [Logoff] c:\program files\windows steadystate\SCTUINotify.exe
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [ISW]
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    dRun: [msiexec.exe] msiconf.exe
    mPolicies-system: HideFastUserSwitching = 1 (0x1)
    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
    IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
    IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
    IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\flashget.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: mswsock.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1302816107968
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306104091687
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-000000000000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    TCP: Interfaces\{594FB6E3-AFDE-4E88-BF61-4DA9C1952C2A} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    AppInit_DLLs: jbtmqa.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\rich\application data\mozilla\firefox\profiles\4gb4jobp.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============
    .
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-11-21 36000]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-4 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-7-10 116608]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-11-21 86224]
    R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-11-21 110032]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-11-21 74640]
    R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\windows\system32\drivers\mdc80211.sys [2006-5-22 15793]
    R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2004-5-21 114944]
    R2 Windows SteadyState;Windows SteadyState Service;c:\program files\windows steadystate\SCTSvc.exe [2008-5-30 115728]
    R3 kbdcap;kbdcap;c:\windows\system32\drivers\KbdCap.sys [2007-4-20 109440]
    S2 ISWKL;ZoneAlarm Toolbar ISWKL;\??\c:\program files\checkpoint\zaforcefield\iswkl.sys --> c:\program files\checkpoint\zaforcefield\ISWKL.sys [?]
    S2 IswSvc;ZoneAlarm Toolbar IswSvc;"c:\program files\checkpoint\zaforcefield\iswsvc.exe" --> c:\program files\checkpoint\zaforcefield\IswSvc.exe [?]
    S3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys --> c:\windows\system32\drivers\appliand.sys [?]
    S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
    S3 musbehco;musbehco;\??\c:\docume~1\rich\locals~1\temp\musbehco.sys --> c:\docume~1\rich\locals~1\temp\musbehco.sys [?]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 12872]
    S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\drivers\SDSTOR2K.SYS [2005-9-5 37781]
    S3 STSService;STSService;c:\program files\soundtaxi media suite\STSService.exe [2010-3-19 344064]
    S4 iPCAgent;iPCAgent;c:\program files\ipass\ipassconnect\ipcagent.exe --> c:\program files\ipass\ipassconnect\iPCAgent.exe [?]
    .
    =============== File Associations ===============
    .
    .txt=CrimsonEditor.txt
    .
    =============== Created Last 30 ================
    .
    2011-11-22 14:57:22 -------- d-----w- C:\_OTM
    2011-11-22 02:06:56 -------- d-----w- c:\program files\ESET
    2011-11-21 22:17:44 -------- d-----w- c:\documents and settings\rich\application data\Avira
    2011-11-21 22:11:54 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-11-21 22:11:54 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2011-11-21 22:11:53 -------- d-----w- c:\program files\Avira
    2011-11-21 22:11:53 -------- d-----w- c:\documents and settings\all users\application data\Avira
    2011-11-13 15:04:17 -------- d-----w- c:\windows\Internet Logs
    2011-11-13 15:02:34 -------- d-----w- c:\documents and settings\all users\application data\CheckPoint
    2011-11-12 18:45:58 -------- d-----w- c:\documents and settings\rich\local settings\application data\SmartPadUsb
    2011-10-27 00:45:41 -------- d-----w- c:\program files\JDownloader
    .
    ==================== Find3M ====================
    .
    2011-10-13 00:52:02 48 ----a-w- c:\windows\wpd99.drv
    2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    ============= FINISH: 10:19:51.20 ===============


    Attach Log

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/15/2004 7:47:51 PM
    System Uptime: 11/22/2011 9:59:36 AM (1 hours ago)
    .
    Motherboard: Dell Inc. | | 0J3492
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 145 GiB total, 121.214 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Broadcom NetXtreme 57xx Gigabit Controller
    Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_01771028&REV_01\4&1D7EFF9E&0&00E0
    Manufacturer: Broadcom
    Name: Broadcom NetXtreme 57xx Gigabit Controller
    PNP Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_01771028&REV_01\4&1D7EFF9E&0&00E0
    Service: b57w2k
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\1105C30A23C04
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\1105C30A23C04
    Service: NIC1394
    .
    ==== System Restore Points ===================
    .
    RP331: 10/16/2011 3:10:01 PM - System Checkpoint
    RP332: 10/17/2011 6:34:20 PM - System Checkpoint
    RP333: 10/20/2011 6:34:05 PM - System Checkpoint
    RP334: 10/21/2011 11:38:01 PM - System Checkpoint
    RP335: 10/23/2011 5:38:54 PM - System Checkpoint
    RP336: 10/24/2011 8:31:02 PM - System Checkpoint
    RP337: 10/25/2011 9:03:33 PM - System Checkpoint
    RP338: 10/27/2011 9:21:33 PM - System Checkpoint
    RP339: 10/29/2011 12:17:59 AM - System Checkpoint
    RP340: 10/31/2011 4:44:13 PM - System Checkpoint
    RP341: 11/2/2011 6:15:57 PM - System Checkpoint
    RP342: 11/6/2011 3:46:33 PM - System Checkpoint
    RP343: 11/7/2011 8:43:03 PM - System Checkpoint
    RP344: 11/9/2011 6:13:50 PM - System Checkpoint
    RP345: 11/10/2011 6:14:52 PM - System Checkpoint
    RP346: 11/11/2011 6:49:35 PM - System Checkpoint
    RP347: 11/13/2011 12:22:24 PM - System Checkpoint
    RP348: 11/14/2011 8:12:03 PM - System Checkpoint
    RP349: 11/15/2011 8:37:27 PM - System Checkpoint
    RP350: 11/16/2011 9:20:07 PM - System Checkpoint
    RP351: 11/19/2011 5:29:31 PM - System Checkpoint
    RP352: 11/20/2011 5:55:52 PM - System Checkpoint
    RP353: 11/21/2011 5:07:42 PM - Removed Ad-Aware
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Download Manager
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader X (10.1.1)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI Display Driver
    Audacity 1.2.6
    AutoUpdate
    Avira Free Antivirus
    Banctec Service Agreement
    Battlefield 2(TM)
    Bonjour
    Broadcom Advanced Control Suite 2
    CCleaner
    CCScore
    Cisco Connect
    Creative MediaSource
    Crimson Editor (remove only)
    Cryptainer LE
    Data Lifeguard Diagnostic for Windows 1.22
    Dell Driver Reset Tool
    Dell Networking Guide
    DivX
    DivX Player
    DriveImage XML
    ESET Online Scanner v3
    ESSBrwr
    ESSCDBK
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSTOOLS
    essvatgt
    ffdshow [rev 1972] [2008-05-24]
    FlashCatch
    FlashGet(JetCar)
    FLV Player 1.3.3
    GameSpy Arcade
    GOM Player
    Google SketchUp 8
    Help and Support Customization
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    Intel Application Accelerator
    Intel(R) 537EP V9x DF PCI Modem
    Intel(R) Processor ID Utility
    IrfanView (remove only)
    iTunes
    Java 2 Runtime Environment, SE v1.4.2_03
    Java Auto Updater
    Java(TM) 6 Update 26
    JDownloader
    K-Lite Mega Codec Pack 4.9.0
    LAME v3.98.3 for Audacity
    Malwarebytes' Anti-Malware version 1.51.2.1300
    MATLAB 2-11-2007
    Media Player Classic - Home Cinema v1.4.2499.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft AntiSpyware
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 Professional
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft Word 2002
    Microsoft Works
    Microsoft Works 2004 Setup Launcher
    Microsoft Works Suite Add-in for Microsoft Word
    MobileMe Control Panel
    Movie Joiner v4
    Moyea FLV Player version 1.5.2.7
    Mozilla Firefox 7.0.1 (x86 en-US)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    netbrdg
    NVIDIA Control Panel 266.58
    NVIDIA Drivers
    NVIDIA Graphics Driver 266.58
    NVIDIA Install Application
    NVIDIA nTune
    NVIDIA nView 135.50
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    NVIDIA PhysX System Software 9.10.0514
    OfotoXMI
    Opera Plug-in for FlashGet
    Orbit Downloader
    Pdf995
    PlayFLV
    PunkBuster Services
    QuickTime
    RealPlayer
    SanDisk ImageMate/SecureMate
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB2497640)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    SHASTA
    Shockwave
    skin0001
    SKINXSDK
    Sonic DLA
    Sonic MyDVD
    Sonic RecordNow!
    Sonic Update Manager
    Sound Blaster Audigy 2
    SoundTaxi Media Suite 3.9.9
    staticcr
    SUPERAntiSpyware Free Edition
    System Requirements Lab
    System Requirements Lab for Intel
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VC 9.0 Runtime
    VPRINTOL
    WebFldrs XP
    WinAce Archiver
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Script V5.6 Documentation
    Windows SteadyState
    Windows XP Service Pack 3
    WinPcap 4.0.2
    WIRELESS
    Xvid 1.1.3 final uninstall
    XviD MPEG-4 Codec
    ZoneAlarm Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/22/2011 9:57:23 AM, error: Service Control Manager [7034] - The IAA Event Monitor service terminated unexpectedly. It has done this 1 time(s).
    11/22/2011 9:57:23 AM, error: Service Control Manager [7034] - The Cryptainer service service terminated unexpectedly. It has done this 1 time(s).
    11/22/2011 9:57:23 AM, error: Service Control Manager [7031] - The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
    11/22/2011 9:57:22 AM, error: Service Control Manager [7034] - The Windows SteadyState Service service terminated unexpectedly. It has done this 1 time(s).
    11/22/2011 9:57:22 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    11/22/2011 6:19:29 AM, error: Service Control Manager [7003] - The Network Location Awareness (NLA) service depends on the following nonexistent service: Afd
    11/22/2011 6:19:04 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A socket operation encountered a dead network.
    11/22/2011 6:19:03 AM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: A socket operation encountered a dead network.
    11/22/2011 6:17:44 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Windows SteadyState service.
    11/22/2011 6:17:44 AM, error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends on the following nonexistent service: Afd
    11/22/2011 6:17:44 AM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: Afd
    11/22/2011 6:17:44 AM, error: Service Control Manager [7001] - The ZoneAlarm Toolbar IswSvc service depends on the ZoneAlarm Toolbar ISWKL service which failed to start because of the following error: The system cannot find the path specified.
    11/22/2011 6:17:44 AM, error: Service Control Manager [7000] - The ZoneAlarm Toolbar ISWKL service failed to start due to the following error: The system cannot find the path specified.
    11/22/2011 2:00:17 AM, error: Removable Storage Service [111] - RSM could not load media in drive Drive 0 of library USB Device.
    11/22/2011 12:46:50 AM, error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/22/2011 12:31:29 AM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the AFD Networking Support Environment service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/22/2011 10:12:53 AM, error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: The system cannot find the file specified.
    .
    ==== End Of File ===========================
     
  12. winxpuser

    winxpuser TS Rookie Topic Starter Posts: 45

    Bobbye,

    After reading up on the issue of not being able to connect to the network, I decided to pull the hard drive and do a complete re-install of XP on another hard drive I had.

    I just had a feeling that the trouble to recover would be much greater than a new install.

    Can you offer any suggestions on pulling some of the data files from the infected drive? I have an external USB enclosure I could use.

    Also, any recommendations on which firewall/antispyware/antivirus to use? I had been running Avira/SuperAntiSpyware/Zonealarm at the same time, and encountered the infection after an upgrade of Zone Alarm.

    Thanks again for your help. If you feel the need to solve this, I am willing to re-install the infected drive to try to clean it up.

    Thanks again.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I would have liked for you to stick it out a bit longer. I would have had you run Combofix> it should have picked up and quarantined the ping.exe entries. Depending on what I saw in that log, I might have gone on and had you run OTL.

    There is a procedure to run from Eset also that does a good job on this malware.

    I'm shutting down now so I'll be back tomorrow with some security suggestions.
     
  14. winxpuser

    winxpuser TS Rookie Topic Starter Posts: 45

    Bobbye,

    I am willing to re-install the infected drive and give it a shot. I do have some files on the infected drive I would like to retrieve. Let me know what to run and if I have some time tomorrow I can give it a shot.

    The XP reinstall went OK - I had to start with an XP SP1 disk and upgrade to SP 3 over the net - the MS site was not very cooperative. I was also able to get around HD drivers thanks to my BIOS recognizing the drive - that was one bit of good luck.

    I am currently running Avira and MS Security Center Firewall. I also installed Microsoft Security Essentials - I do need advice on which to keep.
     
  15. winxpuser

    winxpuser TS Rookie Topic Starter Posts: 45

    Bobbye - I have several files on the infected drive I would like to retrieve. Is it safe to connect using an external USB drive and extract the files, or should I connect as a boot drive and attempt to clean it before retrieving files?

    Appreciate your input!
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You need to consider what you're going to do with those files you extract:

    1. Connect flash drive and move the files to it.
    2. Disinfect the flash drive before you connect it to a clean hard drive.
    You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    or this: (not both, it's either/or)
    • Please download Panda USB Vaccine(you must provide valid e-mail and they will send you download link to this e-mail address) to your desktop.
    • Install and run it.
    • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.
    ======================================
    3. Save the files you move from the USB to the desktop. Do a right click> Delete and scan with the AV. If they are clean, you can chance putting them on the clean drive. But keep in mind that there were numerous infecting processes.

    You really pulled out much too soon- our initial steps are called "preliminary" for a reason, because that's what they are. We use the information from those logs along with any description you give, to try and determine what malware is on the system and how best to remove it. You hardly gave it a chance.
    =====================================
    Per your request:
    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o]Antivirus :(only one):Both of the following programs are free and known to be good:
      [o]Avira-AntiVir-Personal-Free-Antivirus
      [o]Avast-Free Antivirus
      [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o]Spybot Search & Destroy
    4. Updates: Stay current:
      [o] the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
      [o]Adobe Reader Install current, uninstall old.
      [o]Java Updates Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookie:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      Clean the temporary internet files often:
      [o] Temporary File Cleaner
      or
      [o] ATF Cleaner by Atribune
    7. Restore Points:
      [o]See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
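    The autorun.inf note above describes the idea behind Flash_Disinfector and Panda USB Vaccine: a directory named autorun.inf on the drive stops a worm from dropping its own autorun.inf file there. As an added example, not a tool from this thread, here is a Python script that first reports any existing autorun.inf and the program entries it would launch, then creates the blocking directory; the sample autorun.inf text in it is constructed for illustration.

```python
import ctypes
import os
import sys
from pathlib import Path

# [autorun] keys that make Windows XP launch a program when the drive is
# plugged in; a worm's autorun.inf points one of them at its own executable.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\")

# Constructed sample of the kind of autorun.inf a USB worm writes (not
# taken from the infected machine in this thread).
SAMPLE_AUTORUN = "[AutoRun]\nOPEN = recycler\\x.exe\nicon=x.ico\n"


def autorun_launches(text):
    """Return (key, value) pairs in [autorun] that reference a program.

    Parsing is deliberately tolerant: worm-written files often mix case,
    pad with junk lines and put odd whitespace around the keys that matter.
    """
    hits, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower().startswith(LAUNCH_KEYS):
                hits.append((key.lower(), value))
    return hits


def vaccinate(drive_root):
    """Report an existing autorun.inf, or block future ones.

    An existing autorun.inf file is left in place for the helper to review
    and its launch entries are returned. Otherwise a directory of that name
    is created (read-only, hidden, system on Windows) so a worm cannot drop
    its own file there. Returns (status, launch_entries).
    """
    target = Path(drive_root) / "autorun.inf"
    if target.is_file():
        return "existing-file", autorun_launches(target.read_text(errors="replace"))
    if target.is_dir():
        return "already-vaccinated", []
    target.mkdir()
    if os.name == "nt":
        # FILE_ATTRIBUTE_READONLY | HIDDEN | SYSTEM = 0x01 | 0x02 | 0x04
        ctypes.windll.kernel32.SetFileAttributesW(str(target), 0x07)
    return "vaccinated", []


if __name__ == "__main__":
    print("sample launch entries:", autorun_launches(SAMPLE_AUTORUN))
    if len(sys.argv) > 1:          # e.g. python vaccine.py E:\
        print(vaccinate(sys.argv[1]))
```

    Run it against the root of each removable drive; an "existing-file" result with launch entries is the thing to show your helper before deleting anything.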
     
  17. winxpuser

    winxpuser TS Rookie Topic Starter Posts: 45

    Bobbye - Thanks for the help, but I don't understand your instructions for retrieving the files from the infected drive.

    The infected drive was my boot drive. I have created a new boot drive and it is working fine.

    I have installed the infected drive in an external USB enclosure.

    I would like to copy the following data from the infected drive:

    1) Documents - mostly .pdf and .xls files
    2) Music files - .mp3's and my ITunes library
    3) Microsoft Office 2000 CD Key

    Before connecting to this USB drive, I would like to make sure I do not re-infect my system.

    If we need to go back a couple steps to disinfect the infected drive, I can reinstall the infected drive as my boot drive and continue on the path we were on. I think you were suggesting I run Combofix. (Post 13).
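    Step 3 of Bobbye's post above (copy the files out, scan them, only then move them onto the clean drive) applied to the file types listed in this post, as an added example that is not from the thread: a Python script that copies only allowlisted data files from the mounted infected drive into a quarantine folder without opening or running anything, skips hidden/system entries and anything with an executable extension, and writes a SHA-256 manifest so the copies can be scanned and re-checked before they go on the new drive. The extension list, folder names and sample files are assumptions.

```python
import hashlib
import os
import shutil
from pathlib import Path

# Data-only allowlist built from the file types asked for above; executables,
# scripts, shortcuts, autorun.inf and "invoice.pdf.exe" style names never match.
DATA_EXTENSIONS = {".pdf", ".xls", ".mp3", ".m4a", ".txt", ".xml"}

# Windows attribute bits XP uses for hidden and system entries, the
# attributes a worm typically sets on what it drops.
HIDDEN_OR_SYSTEM = 0x02 | 0x04


def is_hidden_or_system(path):
    attrs = getattr(path.lstat(), "st_file_attributes", 0)  # 0 off Windows
    return bool(attrs & HIDDEN_OR_SYSTEM) or path.name.startswith(".")


def salvage(source_root, quarantine_root):
    """Copy allowlisted data files into a quarantine folder.

    Each file is copied byte for byte (no attributes, nothing executed) and
    its SHA-256 recorded, so the copies can be AV-scanned and re-hashed
    before anything is promoted to the clean drive.
    Returns ([(relative path, sha256)], [relative paths skipped]).
    """
    source_root, quarantine_root = Path(source_root), Path(quarantine_root)
    copied, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(source_root):
        here = Path(dirpath)
        # Prune hidden/system folders (RECYCLER-style drop folders) and
        # never descend into junctions or symlinks.
        dirnames[:] = [d for d in dirnames
                       if not is_hidden_or_system(here / d)
                       and not (here / d).is_symlink()]
        for name in filenames:
            src = here / name
            rel = src.relative_to(source_root)
            if (src.suffix.lower() not in DATA_EXTENSIONS
                    or src.is_symlink() or is_hidden_or_system(src)):
                skipped.append(str(rel))
                continue
            dst = quarantine_root / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(src, dst)          # contents only
            digest = hashlib.sha256(dst.read_bytes()).hexdigest()
            copied.append((str(rel), digest))
    manifest = quarantine_root / "SALVAGE-MANIFEST.txt"
    manifest.write_text("".join(f"{h}  {p}\n" for p, h in copied))
    return copied, skipped


if __name__ == "__main__":
    import sys                                 # e.g. salvage.py F:\ C:\Quarantine
    got, left = salvage(sys.argv[1], sys.argv[2])
    print(f"copied {len(got)} files, skipped {len(left)}")
```

    An .xls file can still carry macros, so the copies need the AV scan the post asks for before they go anywhere near the new drive.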
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Go to Darik's Boot And Nuke and download whichever version of your choice (floppy or cd/dvd).
    • Turn off your computer and unplug ALL HARDDRIVES (IDE and USB connected).
    • Plug in the INFECTED hard drive only.
    • Load whichever version of the program you downloaded
    • There will be some options- one pass should clear
    • The program is a stand alone so no OS needed.
     
  19. winxpuser

    winxpuser TS Rookie Topic Starter Posts: 45

    Bobbye - Looks like this will delete all the data on the drive. That is not what I want. I would like to retrieve some of the files.

    Thanks again for your help.
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It seems to me that you are asking the impossible! You want to get files from the infected drive. But you don't want to connect the drive to anything.

    I do not have any more suggestions for you.
     
  21. winxpuser

    winxpuser TS Rookie Topic Starter Posts: 45

    Bobbye - I am OK connecting the infected drive, I just want to make sure I do not transfer the infection from the infected files to the new boot drive.

    I am also willing to try and clean the infected drive.

    My goal is to retrieve a few data files without infecting the new boot drive.

    Can you help with this? If the best way to do this is to try and clean the drive using combofix, I will try this. If you can suggest a better way, I will try that too.

    Your suggestion of running Darik's Boot And Nuke on the infected drive makes sense once I retrieve the data files.

    What is not clear to me is how to retrieve files from the infected drive without spreading the infection to the new drive.
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This may be a hard lesson for you, but learn it now so you don't find yourself in the same fix again!

    Backup, backup, backup!!!!

    When you have special files/folders/tunes or other, save it before the bad stuff happens!

    The only thing I can consider is for you to go back where we were at the end of Reply #11- put the drive back and let's try to clean it. There were entries in the earlier logs I would have removed> for instance, you are running this:
    mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
    It's not helping the system because it's 5 years out of date! It is for:

    -----------------------------------
    You are at risk with this:
    1. Orbit Downloader is a free social music,video and file downloader.
    2. Flashget Download Manager> Added by the W32/Rbot-AGZ WORM/IRC backdoor trojan!

    If you can undo what you've done, I'll help try to clean the drive. Hopefully you can then get your files and when the system is clean, you can do a full backup.

    Cleaning is orderly, sometimes very time consuming. But I am not willing to spend more time on this if you decide to pull the plug barely into the process.

    You may lose the docs and the music- I cannot guarantee that you won't or that the files won't get corrupted.
     
  23. winxpuser

    winxpuser TS Rookie Topic Starter Posts: 45

    OK - I will reinstall the drive and attempt to continue the cleaning.

    Based on what I posted in the logs (Posts 10 and 11), what is the next step?
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Let's have Combofix do some of the work:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      Note:Ignore the Combofix query about the Recovery Console if running from the USB drive. Just go on with the scan.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in the next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ========================================
    After I see this log I will be better able to give you the next step.

    Note: I see OTM Total Files Cleaned = 1,104.00 mb. That is an exceptionally large number of files. Suggest you increase-or start- doing maintenance on the system.
     
  25. winxpuser

    winxpuser TS Rookie Topic Starter Posts: 45

    Bobbye,

    I am not able to establish a network connection.

    I downloaded combofix on another machine and transferred to infected machine with a USB flash drive. I ran combofix, and was told it needed to install Windows Restore Console by connecting to the Internet. Since I cannot connect, combofix could not run.

    Is there an alternate method for getting Windows Recovery Console on the infected machine (eg. download on a different machine and transfer by USB drive)?

    Should I try running in Safe Mode with Networking in order to try and regain access to the internet and run combofix?

    Thanks for your help.
     
Topic Status:
Not open for further replies.
