TechSpot

Infected XP PC

By Will40
Sep 22, 2011
  1. Guys,

    I have an infected PC with a number of viruses. It had blocked me from accessing the internet.

    I had removed the virus via MalwareBytes & Avast; however, I could still not access the internet. Pinging works fine, and any browser I tried to use would simply hang.

    I went back and did a complete re-install of XP as I had my folders backed up to an external drive; however, the virus returned. I tried another clean install of XP & again the same problem occurred, which leads me to believe that my external drive is also infected (when clicking on the System Volume Information folder, access is denied on both internal & external drives).

    I am posting via a loaned laptop, whilst running the necessary programs on the infected PC.

    Infected files which were 'cleaned' prior to the re-install of XP were:
    Win32/PrcView
    A003186.msi
    A0043530.exe - Spyware Password
    A0043534.dll - Trojan Downloader
    A0044131.exe - Trojan Generic
    firefox.dll was corrupted
    bonus.screenshot.recorder.exe x 2 (Debugger & Normal)
    Presentation.host.exe x 2 (Debugger & Normal)
    Spirit.exe x 2 (Debugger & Normal)

    Requested files to follow....

    Thanks & Regards
    Will
     
  2. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7622

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    21/09/2011 20:38:15
    mbam-log-2011-09-21 (20-38-15).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 164434
    Time elapsed: 12 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  3. Will40

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-09-23 17:13:24
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e Maxtor_6L160M0 rev.BACE1G10
    Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgryypog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xB8471BF2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xB8471A5D]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB84C9398]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
    AttachedDevice \Driver\Tcpip \Device\Ip UrlFilter.sys (URL Filter/IObit.com)
    AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp UrlFilter.sys (URL Filter/IObit.com)
    AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
    AttachedDevice \Driver\Tcpip \Device\Udp UrlFilter.sys (URL Filter/IObit.com)
    AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp UrlFilter.sys (URL Filter/IObit.com)

    ---- EOF - GMER 1.0.15 ----
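The GMER output above lists every module attached to the NTFS and TCP/IP device objects. The avast!, ESET and IObit drivers all carry a description and vendor in parentheses, while mdvrmng.sys carries none, and a filter sitting on \Device\Tcp with no vendor string is the first thing a helper would want to look up before deciding whether it belongs there. As an added example that is not part of the thread or of GMER itself, the Python script below parses a constructed sample in the same format, pulls out the modules with no vendor string, and shows the order of filters layered on one device. The sample text and the function names are mine.

```python
import re

# Constructed sample in the shape of a GMER "Devices" section (not the
# thread's full log): a few AttachedDevice lines, one of which names a
# module with no "(description/vendor)" string after it.
SAMPLE_GMER = r"""
---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Udp UrlFilter.sys (URL Filter/IObit.com)

---- EOF - GMER 1.0.15 ----
"""

# One AttachedDevice line: driver object, device, module, optional "(desc/vendor)".
_LINE = re.compile(
    r"^AttachedDevice\s+(?P<obj>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<info>.*)\))?\s*$"
)


def parse_attached_devices(text):
    """Return one dict per AttachedDevice line; vendor is None when absent."""
    entries = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        info = m.group("info")
        if info is None:
            desc, vendor = None, None
        else:
            # GMER prints "description/vendor"; the vendor follows the last slash.
            desc, sep, vendor = info.rpartition("/")
            if not sep:  # no slash at all: keep it as a description only
                desc, vendor = info, None
        entries.append({
            "object": m.group("obj"),
            "device": m.group("device"),
            "module": m.group("module"),
            "description": desc,
            "vendor": vendor,
        })
    return entries


def unattributed_modules(text):
    """Modules attached with no vendor string: the ones to identify first."""
    return sorted({e["module"] for e in parse_attached_devices(text)
                   if e["vendor"] is None})


def filter_stack(text, device):
    """Modules layered on one device object, in the order GMER listed them."""
    return [e["module"] for e in parse_attached_devices(text)
            if e["device"] == device]


if __name__ == "__main__":
    entries = parse_attached_devices(SAMPLE_GMER)
    for mod in unattributed_modules(SAMPLE_GMER):
        devs = sorted({e["device"] for e in entries if e["module"] == mod})
        print(f"{mod}: no vendor string; attached to {', '.join(devs)}")
    print("Filters on \\Device\\Ip:", filter_stack(SAMPLE_GMER, r"\Device\Ip"))
```

An unattributed module is not a verdict; it only means the helper has to find out from the file on disk (its signature, version resource and install date) what the module is, which the GMER line alone cannot say.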
     
  4. Will40

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Owner at 17:14:02 on 2011-09-23
    Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.3071.2585 [GMT 1:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
    svchost.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\Creative\Shared Files\CTSched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\3 Mobile Broadband\3Connect\AutoUpdateSrv.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [CreativeTaskScheduler] "c:\program files\creative\shared files\CTSched.exe" /logon
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
    mRun: [IObit Malware Fighter] "c:\program files\iobit\iobit malware fighter\IMF.exe" /autostart
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\3connect.lnk - c:\program files\3 mobile broadband\3connect\Wilog.exe
    mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-explorer: MaxRecentDocs = 18 (0x12)
    mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
    mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-9-21 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-9-21 309848]
    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-7-19 116608]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-9-21 19544]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-9-21 42184]
    R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]
    R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-9-21 820568]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-21 366152]
    R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
    R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
    R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-21 22216]
    R3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2011-9-21 30368]
    R3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2011-9-21 16080]
    S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2009-10-19 9472]
    S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2011-9-21 79360]
    S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
    S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
    S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
    S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2011-9-21 100736]
    S4 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2011-9-21 239600]
    .
    =============== Created Last 30 ================
    .
    2011-09-23 15:51:31 709968 ----a-w- c:\windows\isRS-000.tmp
    2011-09-21 21:08:54 -------- d--h--w- c:\windows\$hf_mig$
    2011-09-21 17:39:32 -------- d-----w- c:\documents and settings\owner\local settings\application data\Sun
    2011-09-21 17:39:25 -------- d-----w- c:\documents and settings\owner\application data\VSRevoGroup
    2011-09-21 17:32:10 -------- d-sh--w- c:\documents and settings\owner\IECompatCache
    2011-09-21 17:28:43 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
    2011-09-21 17:28:33 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-09-21 17:28:29 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-21 17:28:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-21 17:26:37 -------- d-----w- c:\documents and settings\owner\local settings\application data\ESET
    2011-09-21 17:26:37 -------- d-----w- c:\documents and settings\owner\application data\ESET
    2011-09-21 17:26:28 -------- d-sh--w- c:\documents and settings\owner\PrivacIE
    2011-09-21 17:25:39 -------- d-----w- c:\program files\ESET
    2011-09-21 17:19:59 -------- d-----w- c:\documents and settings\owner\local settings\application data\Thunderbird
    2011-09-21 17:18:07 -------- d-----w- c:\documents and settings\owner\application data\IObit
    2011-09-21 17:18:03 -------- d-----w- c:\program files\IObit
    2011-09-21 17:14:45 -------- d-----w- c:\program files\PeerBlock
    2011-09-21 17:13:23 -------- d-----w- c:\program files\VS Revo Group
    2011-09-21 17:12:03 -------- d-----w- c:\documents and settings\all users\application data\SecTaskMan
    2011-09-21 17:11:59 -------- d-----w- c:\program files\Security Task Manager
    2011-09-21 17:11:38 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com
    2011-09-21 17:11:03 -------- d-----w- c:\documents and settings\all users\application data\!SASCORE
    2011-09-21 17:10:59 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-09-21 17:10:59 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
    2011-09-21 17:10:42 -------- d-----w- c:\program files\CCleaner
    2011-09-21 17:09:52 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
    2011-09-21 17:09:52 -------- d-----w- c:\program files\MagicDisc
    2011-09-21 17:09:41 544656 ----a-w- c:\windows\system32\deployJava1.dll
    2011-09-21 17:09:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-21 17:08:54 -------- d-----w- c:\documents and settings\owner\local settings\application data\Adobe
    2011-09-21 17:08:14 -------- d-----w- c:\program files\FileHippo.com
    2011-09-21 17:07:44 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-09-21 17:07:32 40112 ----a-w- c:\windows\avastSS.scr
    2011-09-21 17:07:21 -------- d-----w- c:\program files\AVAST Software
    2011-09-21 17:07:21 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
    2011-09-21 17:06:42 -------- d-----w- c:\documents and settings\owner\application data\WinPatrol
    2011-09-21 17:06:39 -------- d-----w- c:\program files\BillP Studios
    2011-09-21 17:06:39 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
    2011-09-21 17:06:19 -------- d-----w- c:\windows\system32\Defaults
    2011-09-21 17:06:13 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
    2011-09-21 17:06:10 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
    2011-09-21 17:06:07 52864 ----a-w- c:\windows\system32\drivers\DMusic.sys
    2011-09-21 17:06:05 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
    2011-09-21 17:06:02 142592 ----a-w- c:\windows\system32\drivers\aec.sys
    2011-09-21 17:06:00 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys
    2011-09-21 17:05:56 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
    2011-09-21 17:05:54 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
    2011-09-21 17:05:51 7552 ----a-w- c:\windows\system32\drivers\MSKSSRV.sys
    2011-09-21 17:05:49 4992 ----a-w- c:\windows\system32\drivers\MSPQM.sys
    2011-09-21 17:05:46 5376 ----a-w- c:\windows\system32\drivers\MSPCLOCK.sys
    2011-09-21 17:04:35 7062 ----a-w- c:\windows\system32\audiopid.vxd
    2011-09-21 17:04:26 -------- d-----w- c:\program files\common files\Creative Labs Shared
    .
    ==================== Find3M ====================
    .
    2011-09-21 17:09:31 128000 ----a-w- c:\windows\system32\javacpl.cpl
    2011-09-21 17:03:44 445016 ----a-w- c:\windows\system32\wrap_oal.dll
    2011-09-21 17:03:44 109144 ----a-w- c:\windows\system32\OpenAL32.dll
    2011-09-21 11:59:19 71262 ----a-w- c:\windows\Huawei ModemsUninstall.exe
    .
    ============= FINISH: 17:14:55.39 ===============
     
  5. Will40

    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 21/09/2011 17:45:23
    System Uptime: 23/09/2011 16:52:19 (1 hours ago)
    .
    Motherboard: Dell Computer Corp. | | 0F4491
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 149 GiB total, 139.495 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    I: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Modem
    Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
    Manufacturer:
    Name: PCI Modem
    PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
    Service:
    .
    ==== System Restore Points ===================
    .
    RP1: 21/09/2011 17:47:27 - System Checkpoint
    RP2: 21/09/2011 17:49:42 - Installed Microsoft .NET Framework 2.0 Service Pack 2
    RP3: 21/09/2011 17:51:37 - Installed Windows KB971276-v3.
    RP4: 21/09/2011 17:51:46 - Installed RGB9RAST
    RP5: 21/09/2011 17:51:51 - Installed Microsoft .NET Framework 3.0 Service Pack 2
    RP6: 21/09/2011 17:53:26 - Installed Microsoft .NET Framework 3.5 Service Pack 1
    RP7: 21/09/2011 17:54:16 - Installed Java(TM) 6 Update 16
    RP8: 21/09/2011 17:54:34 - Installed User Profile Hive Cleanup Service
    RP9: 21/09/2011 17:54:44 - Installed Alt-Tab Task Switcher Powertoy for Windows XP
    RP10: 21/09/2011 18:22:17 - Before Mozilla Backup
    RP11: 21/09/2011 18:25:36 - Installed ESET Smart Security
    RP12: 21/09/2011 12:58:50 - Installed 3Connect
    RP13: 21/09/2011 22:08:48 - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    3Connect
    7-Zip 4.65
    Adobe AIR
    Adobe Flash Player 11 Plugin
    Alt-Tab Task Switcher Powertoy for Windows XP
    avast! Free Antivirus
    CCleaner
    Creative Audio Console
    Creative Software AutoUpdate
    ESET Smart Security
    FileHippo.com Update Checker
    Foxit Reader 5.0
    HashCheck Shell Extension (x86-32)
    Huawei modem
    IObit Malware Fighter
    Java Auto Updater
    Java(TM) 6 Update 16
    Java(TM) 7
    K-Lite Mega Codec Pack 5.2.0
    MagicDisc 2.7.106
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 Service Pack 1
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Thunderbird (6.0)
    MSXML 4.0 SP3 Parser
    Open Command Prompt Shell Extension (x86-32)
    PeerBlock 1.1 (r518)
    QuickTime Alternative 3.0.0
    Revo Uninstaller 1.83
    Security Task Manager 1.8d
    Security Update for CAPICOM (KB931906)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB978601)
    SUPERAntiSpyware
    Unlocker 1.8.7
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    User Profile Hive Cleanup Service
    WebFldrs XP
    Windows Rights Management Client Backwards Compatibility SP2
    Windows Rights Management Client with Service Pack 2
    WinPatrol
    .
    ==== Event Viewer Messages From Past Week ========
    .
    21/09/2011 20:48:18, error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: The system cannot find the file specified.
    21/09/2011 12:37:17, error: PlugPlayManager [12] - The device 'Secondary IDE Channel' (PCIIDE\IDEChannel\4&275adb11&0&1) disappeared from the system without first being prepared for removal.
    .
    ==== End Of File ===========================
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll be glad to help you sort this out.

    If any of the files you returned to the system after the reinstall, the system could have been And also as you mention, it could be an infected flash drive.
    ============================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you, including a Registry Cleaner or make changes in the Registry.
      [o] Please Do not Attach logs or put in code boxes
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    ===================================
    Questions and comments:
    The order for uninstalling is:
    1. Check the program and see if it has its own uninstaller> if it does, use that.
    2. If it does not, check Add/Remove Programs and uninstall from there if listed.
    3. If neither #1 or #2 are available, then use an uninstaller like Revo or the Windows Installer Cleanup Utility.

    After an uninstall, you should use Windows Explorer> Computer> Double click Local Drive> Programs> right click on the program folder for the uninstall> Delete.
    =================================
    You have 2 antivirus programs running:
    Eset Smart Security
    Avast
    Please remove one of them. It is advised that you only run 1 AV.
    Please reboot the computer when finished.
    ===================================
    There are some entries that need to be removed:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ==================================
    You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
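Bobbye's note above explains what Flash_Disinfector leaves behind: a hidden folder named autorun.inf in each drive root, so that a file of that name cannot be dropped there later. The reply that follows reports that the folder was created on the flash drive but not on the external disk, because a file called autorun.inf was already present. As an added example, not part of the thread or of Flash_Disinfector, the Python script below tells the two cases apart on a drive root and, when autorun.inf is a file, lists the directives in its [autorun] section that name a program to run, so the file can be reviewed rather than trusted. The sample autorun.inf contents and the temporary fake drive roots are constructed here; classify_drive_root and the other function names are mine.

```python
import os
import tempfile

# Constructed sample autorun.inf contents (not files from the thread).
SAMPLE_LAUNCHER = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\nshell\\open\\command=setup.exe\n"
SAMPLE_PASSIVE = "[autorun]\nlabel=Backup drive\nicon=disk.ico\n"

# Directives that make the shell start something when the drive is opened.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Minimal INI reader for autorun.inf: returns {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """(key, value) pairs in [autorun] that would start a program."""
    auto = parse_autorun(text).get("autorun", {})
    targets = []
    for key, value in auto.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb:
            targets.append((key, value))
    return targets


def classify_drive_root(root):
    """
    Inspect autorun.inf directly under root and return (kind, targets):
      absent      - nothing of that name
      placeholder - a directory, the protective folder described in the thread
      launcher    - a file whose [autorun] section names a program to run
      passive     - a file with only label/icon style entries
    Nothing found here is ever executed; the file is only read.
    """
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent", []
    if os.path.isdir(path):
        return "placeholder", []
    with open(path, "r", errors="replace") as fh:
        targets = launch_targets(fh.read())
    return ("launcher" if targets else "passive"), targets


def build_demo_roots(base):
    """Create four fake drive roots under base, one per classification."""
    roots = {}
    for name in ("absent", "placeholder", "launcher", "passive"):
        roots[name] = os.path.join(base, name)
        os.makedirs(roots[name])
    os.mkdir(os.path.join(roots["placeholder"], "autorun.inf"))
    with open(os.path.join(roots["launcher"], "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_LAUNCHER)
    with open(os.path.join(roots["passive"], "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_PASSIVE)
    return roots


def demo():
    """Classify each fake root; returns {name: (kind, targets)}."""
    with tempfile.TemporaryDirectory() as base:
        return {name: classify_drive_root(root)
                for name, root in build_demo_roots(base).items()}


if __name__ == "__main__":
    for name, (kind, targets) in demo().items():
        print(f"{name:12s} -> {kind}", targets or "")
```

On the affected machine the call would be classify_drive_root(r"E:\") for each removable drive letter. A "placeholder" result is the state Flash_Disinfector aims for; a "launcher" result on a drive that has already been plugged into other machines is the case Bobbye's warning about worms travelling through portable drives is about.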
     
  7. Will40

    Thanks Bobbye....

    Eset removed with Revo.

    Due to the fact I can't connect the infected machine to the net, ComboFix could not install the Windows Recovery Console. Report below.

    Not sure if this is relevant Bobbye - Flash Disinfector did install the folder autorun on flash drive, but not the external hdd. (There is an autorun.inf file there already).



    ComboFix 11-09-21.02 - Owner 24/09/2011 8:37.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.3071.2620 [GMT 1:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-24 to 2011-09-24 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
    .
    .
    c:\windows\System32\wscntfy.exe ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-21 4603264]
    "CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
    "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
    "CTHelper"="CTHELPER.EXE" [2010-03-18 19456]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
    "IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2011-07-20 4393816]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-10-19 128512]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    3Connect.lnk - c:\program files\3 Mobile Broadband\3Connect\Wilog.exe [2011-9-21 38640]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "MaxRecentDocs"= 18 (0x12)
    "NoSMConfigurePrograms"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [21/09/2011 18:07 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [21/09/2011 18:07 309848]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [19/07/2011 01:02 116608]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21/09/2011 18:07 19544]
    R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [21/09/2011 18:18 820568]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/09/2011 18:28 366152]
    R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [18/03/2010 20:39 99416]
    R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [18/03/2010 20:39 555096]
    R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [18/03/2010 20:39 566360]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/09/2011 18:28 22216]
    R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [21/09/2011 18:18 30368]
    R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [21/09/2011 18:18 16080]
    S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [19/10/2009 09:29 9472]
    S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [18/03/2010 20:39 99416]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [21/09/2011 18:04 79360]
    S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [18/03/2010 20:39 555096]
    S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [18/03/2010 20:39 100952]
    S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [18/03/2010 20:39 100952]
    S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [18/03/2010 20:39 566360]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [21/09/2011 12:59 100736]
    S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [21/09/2011 18:18 239600]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-24 c:\windows\Tasks\User_Feed_Synchronization-{FB65A161-6BC0-42E1-8CE4-EA6A63487A68}.job
    - c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-24 08:45
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    CTHelper = CTHELPER.EXE?
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(748)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(2988)
    c:\windows\system32\WININET.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-09-24 08:48:27
    ComboFix-quarantined-files.txt 2011-09-24 07:48
    .
    Pre-Run: 149,827,477,504 bytes free
    Post-Run: 149,961,801,728 bytes free
    .
    - - End Of File - - 109A7B3547D07A167835B9D089B35C50
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this Eset Online scan. I'd like to see what Eset is calling the Worm you have that is named W32/Ganensar.A.worm by Panda. It appears to be one of the 'autoruns'.
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click the download link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===============================
    Are you finding any/some/most/none of the following? It makes many modifications in the Windows Registry, which prevent doing the following:
    • It disables the option Search from the Start menu.
    • It prevents Viewing the processes that are being run through the Task Manager
    • It prevents the display of the right click Context menu
    • It disables Windows File Protection (WFP)
    • It spreads via shared and mapped drives.
    • It Is easily recognizable as it enters the computer in a file with the name MIYABI-NEW EPISODE(NO SENSOR).EXE and the icon of Windows Media Player:
      [o] If this button is pressed: [image]
      [o] You will be greeted by this: [image]
    ======================================
    I can see some of the entries from it but I think the reinstall removed some.
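The lockdown symptoms Bobbye lists above (Search gone from the Start menu, Task Manager and the right-click menu blocked, Windows File Protection switched off) are normally produced by a handful of Explorer, System and Winlogon policy values, and ComboFix prints exactly those values in its 'Reg Loading Points' section. The Python below is an added example, not part of the original thread and not ComboFix code: it parses that section and flags any lockdown value that is set. The value names are Microsoft's documented policy names; the clean sample is the policies\explorer block from the log posted above, and the second sample is constructed to show what a locked-down machine would look like.

```python
"""Flag UI-lockdown registry policies in ComboFix-style 'Reg Loading Points' output."""
import re
from typing import Dict, List, Tuple

# (key suffix, value name) -> symptom.  Value names are Microsoft's documented
# Explorer/System/Winlogon policies; a non-zero value enables the restriction.
LOCKDOWN_VALUES: Dict[Tuple[str, str], str] = {
    ("policies\\explorer", "nofind"): "Search removed from the Start menu",
    ("policies\\explorer", "noviewcontextmenu"): "right-click context menu disabled",
    ("policies\\explorer", "nofolderoptions"): "Folder Options hidden",
    ("policies\\explorer", "norun"): "Run dialog removed",
    ("policies\\system", "disabletaskmgr"): "Task Manager disabled",
    ("policies\\system", "disableregistrytools"): "Registry Editor disabled",
    ("windows nt\\currentversion\\winlogon", "sfcdisable"): "Windows File Protection disabled",
}

KEY_RE = re.compile(r"^\s*\[(?P<key>[^\]]+)\]\s*$")
# ComboFix prints DWORD values as:   "NoFind"= 1 (0x1)
VALUE_RE = re.compile(r'^\s*"(?P<name>[^"]+)"\s*=\s*-?\d+\s*\(0x(?P<hex>[0-9a-fA-F]+)\)')


def parse_reg_sections(log_text: str) -> Dict[str, Dict[str, int]]:
    """Return {key_path: {value_name: int}} for every [key] block in the log.
    Keys and value names are lower-cased so comparisons are case-insensitive."""
    sections: Dict[str, Dict[str, int]] = {}
    current = None
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name").lower()] = int(m.group("hex"), 16)
    return sections


def find_lockdowns(log_text: str) -> List[str]:
    """Return one finding per lockdown value that is present and non-zero."""
    findings = []
    for key, values in parse_reg_sections(log_text).items():
        for (suffix, name), symptom in LOCKDOWN_VALUES.items():
            if key.endswith(suffix) and values.get(name, 0) != 0:
                findings.append(f"{symptom}: [{key}] {name}=0x{values[name]:x}")
    return sorted(findings)


# Sample 1: the policies\explorer block from the log in this thread (benign values).
CLEAN_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
'''

# Sample 2: constructed, showing the restrictions Bobbye describes.
LOCKED_LOG = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFind"= 1 (0x1)
"NoViewContextMenu"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"SFCDisable"= -99 (0xffffff9d)
.
'''

if __name__ == "__main__":
    for label, log in (("clean", CLEAN_LOG), ("locked", LOCKED_LOG)):
        print(label, find_lockdowns(log) or "no lockdown policies set")
```

Paste a whole ComboFix log into find_lockdowns; the other sections (services, Run keys, Sigcheck) do not match the value pattern and are ignored. A zero value is reported as nothing, since the policy is only in force when non-zero.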
     
  9. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    Hi Bobbye,

    Just to preempt slightly!! I see the wscntfy file is missing and have located it on my XP CD. I will obviously wait for your instructions before proceeding with anything.....

    We both posted at same time......!

    I can't get online to do the online scanner....

    The Search button does work, as does Windows Media Player - I don't get the dialog box as above....

    Right Click works fine (couldn't access System Volume previously before re-install)

    Task Manager works fine now too....

    Will
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thanks for the reminder- I meant to put this in:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      wscntfy.*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  11. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    File not found Bobbye. I do have it on my XP CD though. I take it I should copy it to desktop, zip it, and put it in my System32 folder...?

    SystemLook 30.07.11 by jpshortstuff
    Log created at 10:20 on 24/09/2011 by Owner
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "wscntfy.exe"
    No files found.

    -= EOF =-
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Since the file has really gone missing, yes, since you have the CD, you can replace it. Since it is the process for the Windows Security Center, it needs to be on the system. You might want to use the System File Checker (SFC) to replace it:
    From Bleeping computer: System File Checker SFC
    When finished, reboot and run Combofix again to make sure it's been found!
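What SFC does on XP is compare each protected file in system32 against the copy kept in system32\dllcache and restore it from there (or from the installation CD) when it is missing or differs. The script below is an added example, not from this thread or from Microsoft: it performs the same comparison by hash over any two directories, so it can be run against a mounted image or copied folders rather than on the infected machine. The demo tree it builds is constructed, with wscntfy.exe absent from system32 as it was on Will's machine, and the file contents are placeholders, not real binaries.

```python
"""Compare protected system files against their dllcache copies, the way
Windows File Protection / sfc /scannow does on XP."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Tuple


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_protected_files(system32: Path, dllcache: Path, names: Iterable[str]) -> Dict[str, str]:
    """Return {filename: status} with status one of:
    'missing'      gone from system32 (wscntfy.exe in this thread)
    'no-reference' dllcache has no copy, so SFC would need the install CD
    'modified'     live file's hash differs from the dllcache copy
    'ok'           identical to the dllcache copy"""
    results = {}
    for name in names:
        live, ref = system32 / name, dllcache / name
        if not live.is_file():
            results[name] = "missing"
        elif not ref.is_file():
            results[name] = "no-reference"
        elif sha256_of(live) != sha256_of(ref):
            results[name] = "modified"
        else:
            results[name] = "ok"
    return results


def build_demo_tree(root: Path) -> Tuple[Path, Path]:
    """Construct a throwaway system32/dllcache pair (placeholder bytes, not real files)."""
    system32 = root / "system32"
    dllcache = system32 / "dllcache"
    dllcache.mkdir(parents=True)
    (dllcache / "wscntfy.exe").write_bytes(b"MZ wscntfy reference")      # live copy absent
    (dllcache / "tcpip.sys").write_bytes(b"MZ tcpip reference")
    (system32 / "tcpip.sys").write_bytes(b"MZ tcpip reference")          # intact
    (dllcache / "userinit.exe").write_bytes(b"MZ userinit reference")
    (system32 / "userinit.exe").write_bytes(b"MZ userinit PATCHED")      # tampered
    (system32 / "taskswitch.exe").write_bytes(b"MZ taskswitch")          # no dllcache copy
    return system32, dllcache


def demo() -> Dict[str, str]:
    with tempfile.TemporaryDirectory() as tmp:
        system32, dllcache = build_demo_tree(Path(tmp))
        return check_protected_files(
            system32, dllcache, ["wscntfy.exe", "tcpip.sys", "userinit.exe", "taskswitch.exe"])


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:13} {name}")
```

On a real image point system32 at the mounted WINDOWS\system32 and dllcache at its dllcache subfolder; a 'modified' result on a file that WFP should have restored is itself a sign that WFP was disabled or the dllcache copy was replaced too, so the dllcache copy should be verified against the CD before trusting it.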
     
  13. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    Bobbye,

    Just to add to the above - BEFORE the re-install.

    Q.It disables the option Search from the Start menu.
    Yes. I remember I had to try to search from within folders.

    Q.It prevents Viewing the processes that are being run through the Task Manager
    Yes & No! Task Manager did work sometimes, however, it would be an age before it appeared, and sometimes would not at all.

    Q,It prevents the display of the right click Context menu
    No. Right click worked.

    Q. It disables Windows File Protection (WFP)
    Not sure exactly how to tell?

    Q. It spreads via shared and mapped drives.
    I believe so, as it seems to have gotten into my backup drive (which I have left disconnected for the moment whilst working on the main machine.)

    Q. It Is easily recognizable as it enters the computer in a file with the name MIYABI-NEW EPISODE(NO SENSOR).EXE and the icon of Windows Media Player:
    I had not noticed this before install as I don't use WMP. As earlier post, works fine now.

    New ComboFix Log:


    ComboFix 11-09-21.02 - Owner 25/09/2011 11:33:36.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.3071.2537 [GMT 1:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-25 to 2011-09-25 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-09-24_07.45.24 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-09-25 10:30 . 2011-09-25 10:30 16384 c:\windows\Temp\Perflib_Perfdata_2b8.dat
    + 2011-09-25 10:25 . 2008-04-14 04:42 13824 c:\windows\system32\wscntfy.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-21 4603264]
    "CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
    "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
    "CTHelper"="CTHELPER.EXE" [2010-03-18 19456]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
    "IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2011-07-20 4393816]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-10-19 128512]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    3Connect.lnk - c:\program files\3 Mobile Broadband\3Connect\Wilog.exe [2011-9-21 38640]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "MaxRecentDocs"= 18 (0x12)
    "NoSMConfigurePrograms"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [21/09/2011 18:07 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [21/09/2011 18:07 309848]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [19/07/2011 01:02 116608]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21/09/2011 18:07 19544]
    R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [21/09/2011 18:18 820568]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/09/2011 18:28 366152]
    R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [18/03/2010 20:39 99416]
    R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [18/03/2010 20:39 555096]
    R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [18/03/2010 20:39 566360]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/09/2011 18:28 22216]
    R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [21/09/2011 18:18 30368]
    R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [21/09/2011 18:18 16080]
    S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [19/10/2009 09:29 9472]
    S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [18/03/2010 20:39 99416]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [21/09/2011 18:04 79360]
    S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [18/03/2010 20:39 555096]
    S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [18/03/2010 20:39 100952]
    S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [18/03/2010 20:39 100952]
    S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [18/03/2010 20:39 566360]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [21/09/2011 12:59 100736]
    S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [21/09/2011 18:18 239600]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-25 c:\windows\Tasks\User_Feed_Synchronization-{FB65A161-6BC0-42E1-8CE4-EA6A63487A68}.job
    - c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-25 11:41
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    CTHelper = CTHELPER.EXE?
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(748)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(3220)
    c:\windows\system32\WININET.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-09-25 11:44:14
    ComboFix-quarantined-files.txt 2011-09-25 10:44
    ComboFix2.txt 2011-09-24 07:48
    .
    Pre-Run: 149,959,028,736 bytes free
    Post-Run: 149,944,954,880 bytes free
    .
    - - End Of File - - FB40E0204F2B8C98DF186D9CAF21D665
     
  14. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    Bobbye

    Any further instructions....?

    Cheers
    Will
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for your patience. I had a really great weekend with my family celebrating a special event.

    I see you got the missing file on the system. Are you able to access the internet yet? Is there any other update on the system? We need to get the Recovery Console on the system.
     
  16. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    No problem at all Bobbye! :)

    No, still cannot get onto the internet, and am still working via loaned laptop. Is the Recovery Console downloadable, or would it be on XP CD? I have a slipstreamed XP SP3 which Broni showed me how to do previously.

    Re the infected external drive, I was looking at this: ClamWin Portable. http://portableapps.com/apps/utilities/clamwin_portable Do you know anything about it?

    Thanks....
     
  17. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    Bobbye

    I have the Recovery Console booted from my CD - with the 'press R to repair Windows XP using Recovery Console' ready. I have no problem re-installing via this method if necessary.....
     
  18. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    Hi Bobbye,

    Good news! Recovery Console is now installed and can be chosen from the Startup menu options......

    Just for future reference, the information on how to do this is here: http://support.microsoft.com/kb/314058
     
  19. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    Bobbye, just to keep you fully in the picture of what has happened.

    I wanted to ensure the Recovery Console would run correctly when the time came for us to use it, however, it came up with the error:
    Windows could not start because the following file is missing or corrupt:
    <Windows root>\system32\hal.dll
    Please re-install a copy of the above file.

    Upon re-booting, the file was where it should be (System32 folder). I renamed it hal_original, and copied the hal.dl_ file from the XP SP3 CD to the Desktop & extracted it to the System32 folder.

    I re-booted the machine again. However, the error message occurred again in trying to run Recovery Console, and upon escaping, the system would not boot at all. I have deleted the hal.dll file and restored the original dll file by renaming it through the XP Repair CD. Everything now back to as it was when I installed the Recovery Console. But I am still getting the error message : <Windows root>\system32\hal.dll when trying to run the RC. I just wanted to ensure you knew about the events in question!
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Are you getting the message that Windows root>\system32\hal.dll is missing or corrupt?
     
  21. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    As above - exact quote. But only when trying to run Recovery Console.

    In case you need it, here is the Boot.ini File:

    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    Also Bobbye, upon further investigation, the BOOTSECT.DAT file (& the hal.dl_ file) are located in a folder called C:\$WIN_NT$.~BT. There is no folder called C:\CMDCONS. I'm not sure whether this is relevant or not.

    Thanks,
    Will
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry Will- I still haven't caught up!

    Please give me an update on system status as of now. Let's not try anything else out or do any renaming at this point.
     
  23. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    No Change at all Bobbye.

    Still can't get online - waiting to see what we can do with RC.....

    Cheers
    Will
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Per Microsoft: http://support.microsoft.com/kb/314477

    Editing attributes are mine.

    I hope this is helpful.
     
  25. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    Hi Bobbye,

    Hope you had a good weekend! Just to re-cap - the Windows XP loads with no problems at all. The hal.dll error message only comes up when I choose the Recovery Console option on start-up from the C: drive.

    I did change the boot file entry for the Recovery Console option at startup to point to the folder where the Recovery Console had been installed from earlier i.e. from C:\CMDCONS to the C:\$WIN_NT$.~BT folder. On re-boot, I was told the NTLDR is missing! (I have since changed it back to the original C:\CMDCONS).

    However, regardless of all this, I can load the Recovery Console from the CD Drive. As you said earlier, that we need to get the Recovery Console working, can we use this option (run it from the XP CD) and bypass the installation of the Recovery Console on the system? Or is it necessary to actually have it installed?

    Thanks,
    Will
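Will's boot.ini above carries a Recovery Console entry that names C:\CMDCONS\BOOTSECT.DAT, while the BOOTSECT.DAT he found lives under C:\$WIN_NT$.~BT and no C:\CMDCONS folder exists. Entries of that form are boot-sector image files that NTLDR loads directly, unlike the multi()/disk()/rdisk() ARC paths, which name a partition NTLDR resolves at boot, so the file has to be present at the path given. The Python below is an added example, not from the thread or from Microsoft KB 314058: it parses a boot.ini, reports the status of each [operating systems] entry, and checks that the default= path is one of them. The drive layout it builds is constructed to mirror Will's description. It only checks that the file is present, not that it is a valid boot sector, so an entry pointing at a file that exists but does not boot (as Will saw after repointing the entry) would still read as 'ok'.

```python
"""Validate boot.ini entries against a drive root (simulated here)."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

ARC_RE = re.compile(r"^(multi|scsi|signature)\(", re.IGNORECASE)
DRIVE_RE = re.compile(r"^([A-Za-z]):\\(.*)$")


def parse_boot_ini(text: str) -> Dict[str, List[str]]:
    """Return {section: [lines]} for an INI-style boot.ini, skipping blanks and ; comments."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def check_boot_entries(boot_ini: str, drive_roots: Dict[str, Path]) -> Dict[str, str]:
    """Map each [operating systems] target to a status:
    'arc'           ARC path; only NTLDR can resolve it at boot, so it is not checked
    'ok'/'missing'  drive-letter path to a boot-sector image, checked under drive_roots
    'unknown-drive' drive letter not supplied in drive_roots
    'unparsed'      neither form"""
    status = {}
    for entry in parse_boot_ini(boot_ini).get("operating systems", []):
        target = entry.split("=", 1)[0].strip()
        if ARC_RE.match(target):
            status[target] = "arc"
            continue
        m = DRIVE_RE.match(target)
        if not m:
            status[target] = "unparsed"
            continue
        root = drive_roots.get(m.group(1).upper())
        if root is None:
            status[target] = "unknown-drive"
            continue
        rel = Path(*m.group(2).split("\\"))
        status[target] = "ok" if (root / rel).is_file() else "missing"
    return status


def default_is_listed(boot_ini: str) -> bool:
    """True when the [boot loader] default= path matches an [operating systems] entry."""
    secs = parse_boot_ini(boot_ini)
    default = next((l.split("=", 1)[1].strip() for l in secs.get("boot loader", [])
                    if l.lower().startswith("default=")), None)
    targets = {e.split("=", 1)[0].strip() for e in secs.get("operating systems", [])}
    return default is not None and default in targets


# The boot.ini Will posted, verbatim.
WILLS_BOOT_INI = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
'''


def demo(cmdcons_present: bool = False) -> Dict[str, str]:
    """Lay out a throwaway C: root as Will described it (BOOTSECT.DAT only under
    $WIN_NT$.~BT) and run the check; cmdcons_present=True adds C:\CMDCONS\BOOTSECT.DAT."""
    with tempfile.TemporaryDirectory() as tmp:
        c_root = Path(tmp)
        (c_root / "$WIN_NT$.~BT").mkdir()
        (c_root / "$WIN_NT$.~BT" / "BOOTSECT.DAT").write_bytes(b"\x00" * 512)  # placeholder
        if cmdcons_present:
            (c_root / "CMDCONS").mkdir()
            (c_root / "CMDCONS" / "BOOTSECT.DAT").write_bytes(b"\x00" * 512)
        return check_boot_entries(WILLS_BOOT_INI, {"C": c_root})


if __name__ == "__main__":
    for target, st in demo().items():
        print(f"{st:8} {target}")
    print("default listed:", default_is_listed(WILLS_BOOT_INI))
```

Against a real disk, pass the mounted root of the system partition as the "C" entry; anything reported 'missing' is an entry NTLDR will fail on, which matches the symptom of a boot.ini line left behind by a Recovery Console install that never produced a C:\CMDCONS folder.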
     
Topic Status:
Not open for further replies.
