Got network key PUP incident and firewall weird behavior

Discussion in 'Virus and Malware Removal' started by needhelp51, Mar 15, 2013.

  1. needhelp51 TechSpot Enthusiast Posts: 144

    Here is OTL fix log:

    All processes killed
    ========== OTL ==========
    Service HidServ stopped successfully!
    Service HidServ deleted successfully!
    File %SystemRoot%\System32\hidserv.dll not found.
    Service AppMgmt stopped successfully!
    Service AppMgmt deleted successfully!
    File %SystemRoot%\System32\appmgmts.dll not found.
    Service WDICA stopped successfully!
    Service WDICA deleted successfully!
    Service UIUSys stopped successfully!
    Service UIUSys deleted successfully!
    File system32\DRIVERS\UIUSYS.SYS not found.
    Service PROCEXP151 stopped successfully!
    Service PROCEXP151 deleted successfully!
    File C:\WINDOWS\system32\Drivers\PROCEXP151.SYS not found.
    Service PDRFRAME stopped successfully!
    Service PDRFRAME deleted successfully!
    Service PDRELI stopped successfully!
    Service PDRELI deleted successfully!
    Service PDFRAME stopped successfully!
    Service PDFRAME deleted successfully!
    Service PDCOMP stopped successfully!
    Service PDCOMP deleted successfully!
    Service PCIDump stopped successfully!
    Service PCIDump deleted successfully!
    Service lbrtfdc stopped successfully!
    Service lbrtfdc deleted successfully!
    Service Lavasoft Kernexplorer stopped successfully!
    Service Lavasoft Kernexplorer deleted successfully!
    File C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys not found.
    Service i2omgmt stopped successfully!
    Service i2omgmt deleted successfully!
    Service Changer stopped successfully!
    Service Changer deleted successfully!
    Service catchme stopped successfully!
    Service catchme deleted successfully!
    File C:\DOCUME~1\Toshiba\LOCALS~1\Temp\catchme.sys not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Registry value HKEY_USERS\S-1-5-21-2094576669-3068703796-1105417404-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\LaunchApp deleted successfully.
    Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
    C:\WINDOWS\Downloaded Program Files\OnlineScanner.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
    Starting removal of ActiveX control Garmin Communicator Plug-In
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Garmin Communicator Plug-In\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\intu-ir2011\ deleted successfully.
    File Protocol\Handler\intu-ir2011 - No CLSID value found not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Toshiba
    ->Temp folder emptied: 41804 bytes
    ->Temporary Internet Files folder emptied: 14858093 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 189160114 bytes
    ->Flash cache emptied: 1054 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16486724 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 881914 bytes

    Total Files Cleaned = 211,00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    User: Toshiba
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0,00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    User: Toshiba
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0,00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 03162013_222451
    Files\Folders moved on Reboot...
    PendingFileRenameOperations files...
    Registry entries deleted on Reboot...
  2. needhelp51 TechSpot Enthusiast Posts: 144

    Here is Security Check log:

    Results of screen317's Security Check version 0.99.61
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````Antivirus/Firewall Check:``````````````
    avast! Free Antivirus
    COMODO Internet Security
    `````````Anti-malware/Other Utilities Check:`````````
    Spybot - Search & Destroy
    SUPERAntiSpyware
    Secunia PSI (2.0.0.4003)
    Malwarebytes Anti-Malware version 1.70.0.1100
    CCleaner
    Java 7 Update 17
    Adobe Flash Player 11.6.602.171
    Adobe Reader XI
    Mozilla Firefox (19.0.2)
    ````````Process Check: objlist.exe by Laurent````````
    Comodo Firewall cmdagent.exe
    Emsisoft Anti-Malware a2service.exe
    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast avastUI.exe
    AVAST Software Avast setup avast.setup
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 5%
    ````````````````````End of Log``````````````````````
    Here is FSS log:

    Farbar Service Scanner Version: 03-03-2013
    Ran by Toshiba (administrator) on 16-03-2013 at 22:37:54
    Running from "C:\Documents and Settings\Toshiba\Bureau"
    Microsoft Windows XP Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error. Google IP is offline
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Security Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll
    [2006-01-18 07:03] - [2009-04-20 13:18] - 0045568 ____A (Microsoft Corporation) 1A1E59377FB6CACD711CC5073C4A7D79
    C:\WINDOWS\system32\ipnathlp.dll
    [2006-01-18 07:03] - [2008-04-13 22:33] - 0332800 ____A (Microsoft Corporation) F4CE708A7D17A625DE6C0FD746D50E88
    C:\WINDOWS\system32\netman.dll
    [2006-01-18 07:03] - [2008-04-13 22:33] - 0198144 ____A (Microsoft Corporation) BE0CB143FA427D93440DED18DB8C918B
    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2006-01-18 06:28] - [2008-04-13 22:33] - 0145408 ____A (Microsoft Corporation) 5E9DEAE9980FF34BCD6DDE2E9E2BF911
    C:\WINDOWS\system32\srsvc.dll
    [2006-01-18 06:30] - [2004-08-05 01:00] - 0171008 ____A (Microsoft Corporation) 6469C53F4D16FA6055CCA265BC03DB66
    C:\WINDOWS\system32\Drivers\sr.sys
    [2006-01-18 06:30] - [2004-08-05 01:00] - 0073600 ____A (Microsoft Corporation) B52181023B827ACDA36C1B76751EBFFD
    C:\WINDOWS\system32\wscsvc.dll
    [2006-01-18 07:04] - [2008-04-13 22:33] - 0080896 ____A (Microsoft Corporation) C1FD85DB4A80A98D60ECB7A828E77FE0
    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2006-01-18 06:28] - [2008-04-13 22:33] - 0145408 ____A (Microsoft Corporation) 5E9DEAE9980FF34BCD6DDE2E9E2BF911
    C:\WINDOWS\system32\wuauserv.dll
    [2006-01-18 06:30] - [2008-04-13 22:33] - 0006656 ____A (Microsoft Corporation) 75D6C5C3D2C93B1F9931E5DFB693AE2A
    C:\WINDOWS\system32\qmgr.dll
    [2006-01-18 06:30] - [2008-04-13 22:33] - 0409088 ____A (Microsoft Corporation) BAA0B6E647C1AD593E9BAE5CC31BCFFB
    C:\WINDOWS\system32\es.dll
    [2006-01-18 07:03] - [2008-07-07 16:28] - 0253952 ____A (Microsoft Corporation) EC16AE9B37EACF871629227A3F3913FD
    C:\WINDOWS\system32\cryptsvc.dll
    [2006-01-18 07:03] - [2008-04-13 22:33] - 0062464 ____A (Microsoft Corporation) 7A6D0B71035E123FDDA2156A25578AD3
    C:\WINDOWS\system32\svchost.exe
    [2006-01-18 07:04] - [2008-04-13 22:34] - 0014336 ____A (Microsoft Corporation) E4BDF223CD75478BF44567B4D5C2634D
    C:\WINDOWS\system32\rpcss.dll
    [2006-01-18 07:04] - [2009-02-09 06:53] - 0401408 ____A (Microsoft Corporation) 0203B1AAD358F206CB0A3C1F93CCE17A
    C:\WINDOWS\system32\services.exe
    [2006-01-18 07:04] - [2009-02-09 07:23] - 0111104 ____A (Microsoft Corporation) C3FB1D70CB88722267949694BA51759E

    Extra List:
    =======
    aswTdi(10) cmdHlp(13) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) Tcpip6(11)
    0x0C000000040000000100000002000000030000000D0000000A00000005000000060000000700000008000000090000000B000000
    IpSec Tag value is correct.
    **** End of log ****
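The FSS log above carries two findings a responder would want pulled out automatically: the firewall policy block that reports "EnableFirewall"=DWORD:0 for the StandardProfile, and the File Check entries that FSS printed in full (timestamps, size, company, MD5) because it did not recognise the hash as a known-good build. The parser below is an added example, not part of the thread, of FSS, or of its author's tooling; it assumes only the layout visible in the log (a "Header:" line underlined with "=", a bracketed registry key followed by "Name"=DWORD:value lines, and in File Check either "path => MD5 is legit" or a path line followed by a bracketed attribute line). The embedded sample is constructed in that layout and its MD5 values are placeholders.

```python
"""Parse Farbar Service Scanner (FSS) output and summarise the findings a
responder cares about: firewall profiles switched off by policy, and system
files whose MD5 FSS could not confirm as known-good.

Added example, not part of the forum thread or of FSS itself; assumes only
the log layout shown in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the FSS layout; MD5 values are placeholders.
SAMPLE_FSS_LOG = """\
Windows Firewall:
=============
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile]
"EnableFirewall"=DWORD:0

File Check:
========
C:\\WINDOWS\\system32\\dhcpcsvc.dll => MD5 is legit
C:\\WINDOWS\\system32\\Drivers\\afd.sys => MD5 is legit
C:\\WINDOWS\\system32\\dnsrslvr.dll
[2006-01-18 07:03] - [2009-04-20 13:18] - 0045568 ____A (Microsoft Corporation) 00000000000000000000000000000001
C:\\WINDOWS\\system32\\svchost.exe
[2006-01-18 07:04] - [2008-04-13 22:34] - 0014336 ____A (Microsoft Corporation) 00000000000000000000000000000002

Extra List:
=======
"""

# "[created] - [modified] - size attrs (company) md5"
FILE_ATTR_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# '"EnableFirewall"=DWORD:0'
POLICY_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=DWORD:(?P<value>[0-9A-Fa-f]+)$')


@dataclass
class FssFindings:
    firewall_disabled_by_policy: list = field(default_factory=list)  # registry keys
    verified_files: list = field(default_factory=list)                # "MD5 is legit"
    unverified_files: list = field(default_factory=list)              # dicts with md5 etc.


def parse_fss_log(text):
    """Single pass over the log, tracking the current section and registry key."""
    findings = FssFindings()
    section = None
    current_key = None
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:
            continue  # blank line or "=====" underline
        if line.endswith(":") and not line.startswith("["):
            section = line[:-1]  # e.g. "File Check"
            current_key = None
            pending_path = None
            continue
        if section == "Firewall Disabled Policy":
            if line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
                continue
            m = POLICY_VALUE_RE.match(line)
            if m and current_key and m.group("name") == "EnableFirewall" \
                    and int(m.group("value"), 16) == 0:
                findings.firewall_disabled_by_policy.append(current_key)
        elif section == "File Check":
            if line.endswith("=> MD5 is legit"):
                findings.verified_files.append(line.split(" => ")[0])
                continue
            m = FILE_ATTR_RE.match(line)
            if m and pending_path:
                entry = m.groupdict()
                entry["path"] = pending_path
                entry["size"] = int(entry["size"])
                findings.unverified_files.append(entry)
                pending_path = None
            else:
                pending_path = line  # a path line; its attribute line follows
    return findings


def report(findings):
    """One human-readable line per finding, plus a count of verified files."""
    lines = []
    for key in findings.firewall_disabled_by_policy:
        profile = key.rsplit("\\", 1)[-1]
        lines.append(f"Windows Firewall disabled by policy for profile {profile} ({key})")
    for f in findings.unverified_files:
        lines.append(f"{f['path']}: MD5 {f['md5']} not recognised by FSS; "
                     "compare with a known-good copy before trusting it")
    lines.append(f"{len(findings.verified_files)} file(s) matched a known-good MD5")
    return lines


if __name__ == "__main__":
    for line in report(parse_fss_log(SAMPLE_FSS_LOG)):
        print(line)
```

Feed a real FSS log to `parse_fss_log` and the "not recognised" entries are exactly the ones worth hashing against a clean install; an unrecognised MD5 is a prompt to verify, not proof of infection, since FSS only knows the builds in its own list.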
  3. needhelp51 TechSpot Enthusiast Posts: 144

    Eset scan is in progress, will post log when it's over.
  4. needhelp51 TechSpot Enthusiast Posts: 144

Eset: No threats found, thus no log :).
  5. Broni Malware Annihilator Posts: 39,375   +177

Update Adobe Flash Player: http://get.adobe.com/flashplayer/
Make sure you UN-check "Yes, install McAfee Security Scan Plus".

    NOTE 1: Beginning with Adobe Flash Version 11.3, the universal installer includes the 32-bit and 64-bit versions of the Flash Player.
    NOTE 2: While installing make sure you UN-check any extra garbage which wants to install alongside.

    ==================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. (Windows XP only) Run defrag at your convenience.

12. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    13. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

    14. Please, let me know, how your computer is doing.
  6. needhelp51 TechSpot Enthusiast Posts: 144

    Hello Broni, everything is complete. Thank you very much!

However, I am concerned by the step about "trojans, rootkits or bootkits": did I have any?
  7. Broni Malware Annihilator Posts: 39,375   +177

One of your system files was probably infected by a trojan, so it'd be safe to change your sensitive passwords.

Way to go!!
    Good luck and stay safe :)
  8. needhelp51 TechSpot Enthusiast Posts: 144

Thanks, your help has been very much appreciated :).
  9. Broni Malware Annihilator Posts: 39,375   +177

You're very welcome