"The maximum number of secrets that may be stored in a single system has exceeded..."

By JimmaWat
Aug 22, 2011
  1. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    Can you connect to the net?
  2. JimmaWat

    JimmaWat Newcomer, in training Topic Starter Posts: 42

    No, not yet. I'm trying all the steps you gave me for the internet before. I'm about to use winsockfix now.

    It was weird because I could connect to the internet when I booted with the CD, but not with normal booting.
  3. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    OK, let me know.
  4. JimmaWat

    JimmaWat Newcomer, in training Topic Starter Posts: 42

    So far no luck. I did everything except for Reinstall BITS because it needs the XP install CD, which I'm looking for right now. But the internet still doesn't work.
  5. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    Please download MiniToolBox and run it.

    Checkmark the following boxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Report FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List Users, Partitions and Memory size
    Click Go and post the result.
  6. JimmaWat

    JimmaWat Newcomer, in training Topic Starter Posts: 42

    MiniToolBox by Farbar
    Ran by Administrator (administrator) on 26-08-2011 at 20:19:44
    Microsoft Windows XP Service Pack 2 (X86)

    ***************************************************************************

    ========================= Flush DNS: ===================================


    Windows IP Configuration



    Could not flush the DNS Resolver Cache: Function failed during execution.




    ========================= IE Proxy Settings: ==============================

    Proxy is not enabled.
    No Proxy Server is set.

    ========================= FF Proxy Settings: ==============================

    "network.proxy.backup.ftp", ""
    "network.proxy.backup.ftp_port", ""
    "network.proxy.backup.socks", ""
    "network.proxy.backup.socks_port", ""
    "network.proxy.backup.ssl", ""
    "network.proxy.backup.ssl_port", ""
    ========================= Hosts content: =================================


    127.0.0.1 localhost

    ========================= IP Configuration: ================================

    # ----------------------------------
    # Interface IP Configuration
    # ----------------------------------
    pushd interface ip


    # Interface IP Configuration for "Local Area Connection 2"

    set address name="Local Area Connection 2" source=dhcp
    set dns name="Local Area Connection 2" source=dhcp register=PRIMARY
    set wins name="Local Area Connection 2" source=dhcp

    # Interface IP Configuration for "Wireless Network Connection"

    set address name="Wireless Network Connection" source=dhcp
    set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
    set wins name="Wireless Network Connection" source=dhcp


    popd
    # End of interface IP configuration




    Windows IP Configuration



    Host Name . . . . . . . . . . . . : jimmawat

    Primary Dns Suffix . . . . . . . :

    Node Type . . . . . . . . . . . . : Unknown

    IP Routing Enabled. . . . . . . . : No

    WINS Proxy Enabled. . . . . . . . : No



    Ethernet adapter Local Area Connection 2:



    Connection-specific DNS Suffix . : gateway.2wire.net

    Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC

    Physical Address. . . . . . . . . : 00-90-F5-8B-2C-33

    Dhcp Enabled. . . . . . . . . . . : Yes

    Autoconfiguration Enabled . . . . : Yes

    IP Address. . . . . . . . . . . . : 0.0.0.0

    Subnet Mask . . . . . . . . . . . : 0.0.0.0

    Default Gateway . . . . . . . . . :

    DHCP Server . . . . . . . . . . . : 192.168.1.254

    DNS Servers . . . . . . . . . . . : 192.168.1.254

    NetBIOS over Tcpip. . . . . . . . : Disabled



    Ethernet adapter Wireless Network Connection:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 5300

    Physical Address. . . . . . . . . : 00-16-EA-5F-CA-C4

    Dhcp Enabled. . . . . . . . . . . : Yes

    Autoconfiguration Enabled . . . . : Yes

    IP Address. . . . . . . . . . . . : 0.0.0.0

    Subnet Mask . . . . . . . . . . . : 0.0.0.0

    Default Gateway . . . . . . . . . :

    DHCP Server . . . . . . . . . . . : 255.255.255.255

    NetBIOS over Tcpip. . . . . . . . : Disabled

    Server: UnKnown
    Address: 127.0.0.1

    Ping request could not find host google.com. Please check the name and try again.

    Server: UnKnown
    Address: 127.0.0.1

    Ping request could not find host yahoo.com. Please check the name and try again.



    Pinging 127.0.0.1 with 32 bytes of data:



    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



    Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10003 ...00 90 f5 8b 2c 33 ...... Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC
    0x10004 ...00 16 ea 5f ca c4 ...... Intel(R) Wireless WiFi Link 5300
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    255.255.255.255 255.255.255.255 255.255.255.255 10003 1
    255.255.255.255 255.255.255.255 255.255.255.255 10004 1
    ===========================================================================
    Persistent Routes:
    None
    ========================= Winsock entries =====================================

    Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
    Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog5 04 C:\Windows\System32\nwprovau.dll [144384] (Microsoft Corporation)
    Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 04 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 05 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 18 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
    Catalog9 19 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)

    ========================= Event log errors: ===============================

    Application errors:
    ==================
    Error: (08/26/2011 08:45:56 PM) (Source: M4iPodWPDDriver) (User: )
    Description: WmpContent::CreateInstance()0x80040154

    Error: (08/26/2011 08:45:55 PM) (Source: M4iPodWPDDriver) (User: )
    Description: OpenConnection()0x80040154

    Error: (08/26/2011 08:45:55 PM) (Source: M4iPodWPDDriver) (User: )
    Description: DataConnection::OpenConnection()0x80040154

    Error: (08/26/2011 08:15:08 PM) (Source: M4iPodWPDDriver) (User: )
    Description: WmpContent::CreateInstance()0x80040154

    Error: (08/26/2011 08:15:08 PM) (Source: M4iPodWPDDriver) (User: )
    Description: OpenConnection()0x80040154

    Error: (08/26/2011 08:15:08 PM) (Source: M4iPodWPDDriver) (User: )
    Description: DataConnection::OpenConnection()0x80040154

    Error: (08/26/2011 08:04:02 PM) (Source: M4iPodWPDDriver) (User: )
    Description: WmpContent::CreateInstance()0x80040154

    Error: (08/26/2011 08:04:02 PM) (Source: M4iPodWPDDriver) (User: )
    Description: OpenConnection()0x80040154

    Error: (08/26/2011 08:04:02 PM) (Source: M4iPodWPDDriver) (User: )
    Description: DataConnection::OpenConnection()0x80040154

    Error: (08/24/2011 05:12:00 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 2031


    System errors:
    =============
    Error: (08/16/2011 01:05:56 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 192.168.1.69 for the Network Card with network address 0016EA5FCAC4 has been
    denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).

    Error: (08/16/2011 01:05:47 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 129.133.127.105 for the Network Card with network address 0090F58B2C33 has been
    denied by the DHCP server 129.133.1.5 (The DHCP Server sent a DHCPNACK message).

    Error: (08/15/2011 10:32:39 PM) (Source: Dhcp) (User: )
    Description: Your computer was not assigned an address from the network (by the DHCP
    Server) for the Network Card with network address 0016EA5FCAC4. The following error
    occurred:
    %%121.
    Your computer will continue to try and obtain an address on its own from
    the network address (DHCP) server.

    Error: (08/15/2011 10:31:30 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 129.133.210.213 for the Network Card with network address 0016EA5FCAC4 has been
    denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).

    Error: (08/15/2011 06:24:22 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 129.133.210.213 for the Network Card with network address 0016EA5FCAC4 has been
    denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).

    Error: (08/14/2011 10:28:55 PM) (Source: Service Control Manager) (User: )
    Description: The HDD & SSD access service service failed to start due to the following error:
    %%3

    Error: (08/14/2011 10:28:55 PM) (Source: Service Control Manager) (User: )
    Description: The adfs service failed to start due to the following error:
    %%2

    Error: (08/14/2011 10:26:18 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 129.133.168.57 for the Network Card with network address 0016EA5FCAC4 has been
    denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).

    Error: (08/14/2011 10:18:25 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 129.133.60.51 for the Network Card with network address 0090F58B2C33 has been
    denied by the DHCP server 129.133.1.5 (The DHCP Server sent a DHCPNACK message).

    Error: (08/14/2011 00:18:07 PM) (Source: Service Control Manager) (User: )
    Description: The HDD & SSD access service service failed to start due to the following error:
    %%3


    Microsoft Office Sessions:
    =========================
    Error: (08/26/2011 08:45:56 PM) (Source: M4iPodWPDDriver)(User: )
    Description: WmpContent::CreateInstance()0x80040154

    Error: (08/26/2011 08:45:55 PM) (Source: M4iPodWPDDriver)(User: )
    Description: OpenConnection()0x80040154

    Error: (08/26/2011 08:45:55 PM) (Source: M4iPodWPDDriver)(User: )
    Description: DataConnection::OpenConnection()0x80040154

    Error: (08/26/2011 08:15:08 PM) (Source: M4iPodWPDDriver)(User: )
    Description: WmpContent::CreateInstance()0x80040154

    Error: (08/26/2011 08:15:08 PM) (Source: M4iPodWPDDriver)(User: )
    Description: OpenConnection()0x80040154

    Error: (08/26/2011 08:15:08 PM) (Source: M4iPodWPDDriver)(User: )
    Description: DataConnection::OpenConnection()0x80040154

    Error: (08/26/2011 08:04:02 PM) (Source: M4iPodWPDDriver)(User: )
    Description: WmpContent::CreateInstance()0x80040154

    Error: (08/26/2011 08:04:02 PM) (Source: M4iPodWPDDriver)(User: )
    Description: OpenConnection()0x80040154

    Error: (08/26/2011 08:04:02 PM) (Source: M4iPodWPDDriver)(User: )
    Description: DataConnection::OpenConnection()0x80040154

    Error: (08/24/2011 05:12:00 PM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 2031


    ========================= Memory info: ===================================

    Percentage of memory in use: 34%
    Total physical RAM: 2554.81 MB
    Available physical RAM: 1663.43 MB
    Total Pagefile: 4443.71 MB
    Available Pagefile: 3851.25 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1992.04 MB

    ========================= Partitions: =====================================

    1 Drive c: () (Fixed) (Total:150.94 GB) (Free:23.93 GB) NTFS
    2 Drive d: (Charmanchu) (Fixed) (Total:81.94 GB) (Free:1.89 GB) NTFS
    5 Drive g: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
    6 Drive h: () (Removable) (Total:3.75 GB) (Free:3.2 GB) NTFS

    ========================= Users: ========================================

    User accounts for \\JIMMAWAT

    Administrator ASPNET Guest
    HelpAssistant HsUser_foE4nW6BPEh Jimmy
    SUPPORT_388945a0


    **** End of log ****
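    A triage pass over a MiniToolBox report like the one above, added here as an example (it is neither part of the thread nor Farbar's tool): it splits the report at its section banners and flags what a helper reads first: a DNS cache that will not flush, an IE proxy, hosts entries beyond localhost, Winsock providers that are not Microsoft DLLs under System32, and DHCPNACK events. The sample report is constructed from lines in the post plus two planted findings; the proxy check is a heuristic on the report's wording.

```python
"""Triage of a Farbar MiniToolBox report (added example, not the thread's or the
tool's own code). Banner and line formats follow the report posted above;
SAMPLE_REPORT is constructed: lines from that report plus two planted findings."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Section banners look like "========================= Hosts content: ========"
SECTION_RE = re.compile(r"^=+ (?P<name>[^=]+?):? =+$")
# "Catalog9 18 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)"
WINSOCK_RE = re.compile(r"^(?P<catalog>Catalog\d+) (?P<idx>\d+) (?P<path>.+?) "
                        r"\[(?P<size>\d+)\] \((?P<vendor>[^)]*)\)$")
# Dhcp event text; the report wraps it onto two lines, hence \s+
DHCPNACK_RE = re.compile(r"lease (?P<ip>[\d.]+) for the Network Card with network "
                         r"address (?P<mac>[0-9A-Fa-f]+) has been\s+denied by the "
                         r"DHCP server (?P<server>[\d.]+)")
SYSTEM32_RE = re.compile(r"\\windows\\system32\\[^\\]+$", re.I)


@dataclass
class Triage:
    dns_flush_failed: bool = False
    proxy_enabled: bool = False
    hosts_extra: list[str] = field(default_factory=list)
    winsock_suspicious: list[str] = field(default_factory=list)
    dhcp_nacks: list[tuple[str, str, str]] = field(default_factory=list)


def split_sections(report: str) -> dict[str, list[str]]:
    """Map each banner name to the non-blank, stripped lines beneath it."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def triage(report: str) -> Triage:
    s = split_sections(report)
    t = Triage()
    # A resolver cache that cannot be flushed points at a broken DNS client.
    t.dns_flush_failed = any(l.startswith("Could not flush the DNS Resolver Cache")
                             for l in s.get("Flush DNS", []))
    # Heuristic on the report's wording: absence of the "not enabled" line.
    t.proxy_enabled = "Proxy is not enabled." not in s.get("IE Proxy Settings", [])
    # Anything beyond loopback -> localhost in the hosts file deserves a look.
    for line in s.get("Hosts content", []):
        parts = line.split()
        if line.startswith("#") or (len(parts) >= 2 and parts[0] in ("127.0.0.1", "::1")
                                     and parts[1].lower() == "localhost"):
            continue
        t.hosts_extra.append(line)
    # Winsock providers should be Microsoft DLLs under System32; a provider from
    # elsewhere, an unknown vendor or an unparseable entry breaks networking.
    for line in s.get("Winsock entries", []):
        m = WINSOCK_RE.match(line)
        if (not m or m.group("vendor") != "Microsoft Corporation"
                or not SYSTEM32_RE.search(m.group("path"))):
            t.winsock_suspicious.append(line)
    # DHCPNACK events as (refused lease, adapter MAC, server that refused it).
    t.dhcp_nacks = DHCPNACK_RE.findall(" ".join(s.get("Event log errors", [])))
    return t


# Constructed sample: report lines from the post plus a planted hosts entry
# and a planted non-Microsoft Winsock provider (203.0.113.7 is a documentation address).
SAMPLE_REPORT = """\
MiniToolBox by Farbar
========================= Flush DNS: ===================================
Could not flush the DNS Resolver Cache: Function failed during execution.
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
127.0.0.1 localhost
203.0.113.7 update.example.test
========================= Winsock entries =====================================
Catalog5 01 C:\\Windows\\System32\\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\\Windows\\system32\\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 20 C:\\Documents and Settings\\user\\lsp_sample.dll [12288] ()
========================= Event log errors: ===============================
Error: (08/16/2011 01:05:56 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.69 for the Network Card with network address 0016EA5FCAC4 has been
denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).
**** End of log ****
"""

if __name__ == "__main__":
    for name, value in vars(triage(SAMPLE_REPORT)).items():
        print(f"{name}: {value}")
```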
  7. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    There is definitely something wrong with your settings.

    It may have something to do with a file which has been replaced by TDSSKiller - isapnp.sys

    Did you find Windows XP CD?
  8. JimmaWat

    JimmaWat Newcomer, in training Topic Starter Posts: 42

    Can't seem to find it. Can I download a Windows XP CD and put it on a USB?
  9. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    You can't download Windows. Legally at least.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista\Win 7 users: Right-click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      isapnp.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  10. JimmaWat

    JimmaWat Newcomer, in training Topic Starter Posts: 42

    Heh, my line of thought was that since I already own a legal copy of Windows, I would be able to download one as a backup legally. But if we don't need it for this, I won't.

    Ran SystemLook.exe. Here is the log:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 03:03 on 27/08/2011 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "isapnp.sys"
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys --a---- 37248 bytes [22:30 25/10/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
    C:\WINDOWS\system32\dllcache\isapnp.sys --a--c- 35840 bytes [01:07 04/08/2004] [17:58 17/08/2001] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\drivers\isapnp.sys --a---- 35840 bytes [01:07 04/08/2004] [03:51 23/08/2011] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\isapnp.sys --a---- 35840 bytes [01:58 02/10/2008] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87

    -= EOF =-
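    The isapnp.sys copies SystemLook listed above can be checked mechanically: which copies agree with the Windows File Protection copy in dllcache, and which were written recently. This is an added example, not the thread's or SystemLook's code; it assumes the first bracket in a filefind line is the creation time and the second the last-write time.

```python
"""Reading a SystemLook ':filefind' result (added example; neither the thread's
nor SystemLook's own code). The four lines in SAMPLE_LOG are the ones posted
above; treating the first bracket as creation time and the second as last-write
time is an assumption about the log format."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# PATH --a---- 35840 bytes [HH:MM dd/mm/yyyy] [HH:MM dd/mm/yyyy] MD5
LINE_RE = re.compile(r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
                     r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] "
                     r"(?P<md5>[0-9A-Fa-f]{32})$")
STAMP = "%H:%M %d/%m/%Y"


@dataclass
class FileHit:
    path: str
    size: int
    created: datetime
    modified: datetime
    md5: str

    @property
    def in_dllcache(self) -> bool:
        # Windows File Protection keeps its reference copies under system32\dllcache.
        return "\\dllcache\\" in self.path.lower()


def parse_filefind(log: str) -> list[FileHit]:
    hits: list[FileHit] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], int(m["size"]),
                                datetime.strptime(m["created"], STAMP),
                                datetime.strptime(m["modified"], STAMP),
                                m["md5"].upper()))
    return hits


def matches_dllcache(hits: list[FileHit]) -> dict[str, bool]:
    """For each copy outside dllcache: does its MD5 equal a dllcache (WFP) copy?"""
    reference = {h.md5 for h in hits if h.in_dllcache}
    return {h.path: h.md5 in reference for h in hits if not h.in_dllcache}


def modified_after(hits: list[FileHit], since: datetime) -> list[str]:
    """Copies written after `since`, e.g. after the cleanup tools were first run."""
    return [h.path for h in hits if h.modified > since]


# Sample input: the filefind lines from the post above.
SAMPLE_LOG = r"""
Searching for "isapnp.sys"
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys --a---- 37248 bytes [22:30 25/10/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
C:\WINDOWS\system32\dllcache\isapnp.sys --a--c- 35840 bytes [01:07 04/08/2004] [17:58 17/08/2001] E504F706CCB699C2596E9A3DA1596E87
C:\WINDOWS\system32\drivers\isapnp.sys --a---- 35840 bytes [01:07 04/08/2004] [03:51 23/08/2011] E504F706CCB699C2596E9A3DA1596E87
C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\isapnp.sys --a---- 35840 bytes [01:58 02/10/2008] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
-= EOF =-
"""

if __name__ == "__main__":
    hits = parse_filefind(SAMPLE_LOG)
    for path, ok in matches_dllcache(hits).items():
        print(("matches dllcache  " if ok else "DIFFERS from dllcache ") + path)
    print("written after 22/08/2011:", modified_after(hits, datetime(2011, 8, 22)))
```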
  11. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\isapnp.sys | C:\WINDOWS\system32\drivers\isapnp.sys
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  12. JimmaWat

    JimmaWat Newcomer, in training Topic Starter Posts: 42

    Ran ComboFix.exe with CFScript.txt. No problems, but the internet is still telling me it's trying to connect but it doesn't connect.

    Here is the log:

    ComboFix 11-08-23.06 - Administrator 08/27/2011 16:31:11.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2555.1859 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: H:\CFScript.txt
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\isapnp.sys --> c:\windows\system32\drivers\isapnp.sys
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-27 to 2011-08-27 )))))))))))))))))))))))))))))))
    .
    .
    2073-04-13 21:17 . 2006-11-22 00:48 203576 ---ha-w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
    2011-08-27 00:43 . 2011-08-27 00:43 -------- d-----w- C:\ERDNT
    2011-08-27 00:00 . 2011-08-27 00:00 -------- d-----w- C:\_OTL
    2011-08-26 22:54 . 2011-08-27 20:30 -------- d-----w- c:\windows\system32\CatRoot2
    2011-08-24 02:53 . 2010-02-24 12:31 454016 -c--a-w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-08-24 02:53 . 2010-02-24 12:31 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-08-23 02:02 . 2011-08-23 02:02 -------- d-----w- c:\program files\Avira
    2011-08-22 17:59 . 2011-08-22 17:59 -------- d-----w- c:\program files\Virus Secure Lab
    2011-08-18 21:45 . 2011-08-18 21:45 -------- d-----w- c:\program files\Sophos
    2011-08-18 04:28 . 2011-08-18 04:28 -------- d-----w- c:\program files\Foxit Software
    2011-08-18 03:07 . 2011-08-23 03:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-08-18 03:07 . 2011-08-22 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2011-08-18 02:46 . 2011-08-22 20:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-08-18 01:00 . 2011-08-18 01:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
    2011-08-18 00:30 . 2011-08-18 00:30 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-08-18 00:30 . 2011-08-18 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-08-18 00:17 . 2011-05-03 20:14 331776 ----a-w- c:\windows\system32\EasyRedirect.dll
    2011-08-18 00:17 . 2011-08-18 02:11 -------- d-----w- c:\program files\Easy-Hide-IP
    2011-08-17 16:37 . 2011-08-17 16:37 -------- d-----w- C:\CherryDeGames
    2011-08-11 18:00 . 2011-08-11 20:07 -------- d-----w- c:\program files\InterActual
    2011-08-07 23:13 . 2011-08-07 23:14 -------- d-----w- c:\program files\PCSX2 0.9.8
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-24 02:32 . 2004-08-04 01:07 138368 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-08-24 02:18 . 2004-08-04 01:07 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2011-08-16 18:05 . 2011-06-15 08:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-06 23:52 . 2008-11-19 16:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-06 23:52 . 2008-11-19 16:37 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-09 21:16 . 2009-12-25 21:10 141200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
    2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2011-06-09 20:34 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.ex0
    2011-06-08 09:07 . 2011-06-13 12:17 201728 ----a-w- C:\zYan_ID_Changer.dll
    2011-06-07 23:49 . 2011-06-07 23:49 138056 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
    2011-06-07 23:48 . 2009-12-25 21:10 90112 ----a-w- c:\windows\system32\PnkBstrA.exe
    2011-06-02 07:36 . 2011-06-13 12:17 27648 ----a-w- C:\zYan_X.dll
    2011-04-30 15:16 . 2011-03-27 19:12 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
    [-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
    .
    [-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
    [-] 2004-08-04 . B8452AB7BAF84D1D621776AF8000BBD4 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
    .
    [-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll
    [-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-24_03.51.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2004-08-04 01:07 . 2004-08-04 01:07 35840 c:\windows\system32\dllcache\isapnp.sys
    - 2004-08-04 01:07 . 2001-08-17 17:58 35840 c:\windows\system32\dllcache\isapnp.sys
    + 2004-08-04 01:07 . 2008-10-23 12:43 286720 c:\windows\system32\gdi32.dll
    + 2008-10-01 18:23 . 2011-08-27 07:10 3747600 c:\windows\system32\FNTCACHE.DAT
    - 2008-10-01 18:23 . 2011-05-31 05:33 3747600 c:\windows\system32\FNTCACHE.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]
    "DeLay"="c:\windows\BisonCam\DeLay.exe" [2008-03-11 53248]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
    "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-03-26 1208320]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
    "PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-06 49168]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-10-1 1843000]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-06-06 03:03 90112 ----a-w- c:\windows\system32\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/8/2009 10:44 AM 721904]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
    R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [3/22/2011 4:16 PM 2304]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [10/1/2008 10:23 PM 84240]
    R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [12/23/2009 3:04 PM 17792]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
    S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:07 PM 14336]
    S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\131.tmp --> c:\windows\system32\131.tmp [?]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [4/1/2010 5:55 PM 133632]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [4/1/2010 5:55 PM 79360]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/31/2009 9:15 PM 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/31/2009 9:15 PM 8320]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [8/31/2009 9:15 PM 42112]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-24 c:\windows\Tasks\AdobeAAMUpdater-1.0-JIMMAWAT-Administrator.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-05-31 07:44]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
    .
    2009-11-09 c:\windows\Tasks\Test.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 01:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.orbitdownloader.com/
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z1748ax6.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-27 16:46
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\131.tmp"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(604)
    c:\windows\system32\vrlogon.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\psqlpwd.dll
    c:\program files\Protector Suite QL\homefus2.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\program files\Protector Suite QL\homepass.dll
    c:\program files\Protector Suite QL\bio.dll
    c:\program files\Protector Suite QL\remote.dll
    c:\program files\Protector Suite QL\crypto.dll
    .
    - - - - - - - > 'explorer.exe'(2924)
    c:\program files\Protector Suite QL\farchns.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\windows\system32\msi.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\WinSCP\DragExt.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\rundll32.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Protector Suite QL\psqltray.exe
    c:\program files\Orbitdownloader\orbitnet.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-27 16:49:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-27 20:49
    ComboFix2.txt 2011-08-25 02:21
    ComboFix3.txt 2011-08-25 01:47
    ComboFix4.txt 2011-08-24 18:05
    ComboFix5.txt 2011-08-27 20:30
    .
    Pre-Run: 25,728,917,504 bytes free
    Post-Run: 25,698,734,080 bytes free
    .
    - - End Of File - - E6879BBDB770FA244491C062F6993CF7
  13. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    Re-run System Look with the same code as in my reply #59

    Then....

    Re-run MiniToolbox.

    Checkmark following boxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Report FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    Click Go and post the result.
  14. JimmaWat

    JimmaWat Newcomer, in training Topic Starter Posts: 42

Reran SystemLook with filefind command for isapnp.sys. Here is the log for that:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 17:13 on 27/08/2011 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "isapnp.sys"
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys --a---- 37248 bytes [22:30 25/10/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
    C:\WINDOWS\system32\dllcache\isapnp.sys --a--c- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\drivers\isapnp.sys --a---- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\isapnp.sys ------- 35840 bytes [01:58 02/10/2008] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87

    -= EOF =-

Then reran MiniToolBox. Here is the log:

    MiniToolBox by Farbar
    Ran by Administrator (administrator) on 27-08-2011 at 17:17:56
    Microsoft Windows XP Service Pack 2 (X86)

    ***************************************************************************

    ========================= Flush DNS: ===================================


    Windows IP Configuration



    Successfully flushed the DNS Resolver Cache.


    ========================= IE Proxy Settings: ==============================

    Proxy is not enabled.
    No Proxy Server is set.

    ========================= FF Proxy Settings: ==============================

    "network.proxy.backup.ftp", ""
    "network.proxy.backup.ftp_port", ""
    "network.proxy.backup.socks", ""
    "network.proxy.backup.socks_port", ""
    "network.proxy.backup.ssl", ""
    "network.proxy.backup.ssl_port", ""
    ========================= Hosts content: =================================

    127.0.0.1 localhost

    ========================= IP Configuration: ================================

    # ----------------------------------
    # Interface IP Configuration
    # ----------------------------------
    pushd interface ip


    # Interface IP Configuration for "Local Area Connection 2"

    set address name="Local Area Connection 2" source=dhcp
    set dns name="Local Area Connection 2" source=dhcp register=PRIMARY
    set wins name="Local Area Connection 2" source=dhcp

    # Interface IP Configuration for "Wireless Network Connection"

    set address name="Wireless Network Connection" source=dhcp
    set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
    set wins name="Wireless Network Connection" source=dhcp


    popd
    # End of interface IP configuration




    Windows IP Configuration



    Host Name . . . . . . . . . . . . : jimmawat

    Primary Dns Suffix . . . . . . . :

    Node Type . . . . . . . . . . . . : Unknown

    IP Routing Enabled. . . . . . . . : No

    WINS Proxy Enabled. . . . . . . . : No



    Ethernet adapter Local Area Connection 2:



    Media State . . . . . . . . . . . : Media disconnected

    Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC

    Physical Address. . . . . . . . . : 00-90-F5-8B-2C-33



    Ethernet adapter Wireless Network Connection:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 5300

    Physical Address. . . . . . . . . : 00-16-EA-5F-CA-C4

    Dhcp Enabled. . . . . . . . . . . : Yes

    Autoconfiguration Enabled . . . . : Yes

    IP Address. . . . . . . . . . . . : 0.0.0.0

    Subnet Mask . . . . . . . . . . . : 0.0.0.0

    Default Gateway . . . . . . . . . :

    DHCP Server . . . . . . . . . . . : 255.255.255.255

    NetBIOS over Tcpip. . . . . . . . : Disabled

    Server: UnKnown
    Address: 127.0.0.1

    Ping request could not find host google.com. Please check the name and try again.

    Server: UnKnown
    Address: 127.0.0.1

    Ping request could not find host yahoo.com. Please check the name and try again.



    Pinging 127.0.0.1 with 32 bytes of data:



    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



    Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10003 ...00 90 f5 8b 2c 33 ...... Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC
    0x10004 ...00 16 ea 5f ca c4 ...... Intel(R) Wireless WiFi Link 5300
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    255.255.255.255 255.255.255.255 255.255.255.255 10003 1
    255.255.255.255 255.255.255.255 255.255.255.255 10004 1
    ===========================================================================
    Persistent Routes:
    None
    ========================= Winsock entries =====================================

    Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
    Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog5 04 C:\Windows\System32\nwprovau.dll [144384] (Microsoft Corporation)
    Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 04 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 05 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 18 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
    Catalog9 19 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)

    ========================= Event log errors: ===============================

    Application errors:
    ==================
    Error: (08/27/2011 05:10:21 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 1985

    Error: (08/27/2011 05:10:21 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 1985

    Error: (08/27/2011 05:10:21 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: Continuously busy for more than a second

    Error: (08/27/2011 04:43:49 PM) (Source: M4iPodWPDDriver) (User: )
    Description: WmpContent::CreateInstance()0x80040154

    Error: (08/27/2011 04:43:49 PM) (Source: M4iPodWPDDriver) (User: )
    Description: OpenConnection()0x80040154

    Error: (08/27/2011 04:43:49 PM) (Source: M4iPodWPDDriver) (User: )
    Description: DataConnection::OpenConnection()0x80040154

    Error: (08/27/2011 01:22:34 PM) (Source: M4iPodWPDDriver) (User: )
    Description: WmpContent::CreateInstance()0x80040154

    Error: (08/27/2011 01:22:34 PM) (Source: M4iPodWPDDriver) (User: )
    Description: OpenConnection()0x80040154

    Error: (08/27/2011 01:22:34 PM) (Source: M4iPodWPDDriver) (User: )
    Description: DataConnection::OpenConnection()0x80040154

    Error: (08/27/2011 01:08:52 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 1554062


    System errors:
    =============
    Error: (08/16/2011 01:05:56 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 192.168.1.69 for the Network Card with network address 0016EA5FCAC4 has been
    denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).

    Error: (08/16/2011 01:05:47 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 129.133.127.105 for the Network Card with network address 0090F58B2C33 has been
    denied by the DHCP server 129.133.1.5 (The DHCP Server sent a DHCPNACK message).

    Error: (08/15/2011 10:32:39 PM) (Source: Dhcp) (User: )
    Description: Your computer was not assigned an address from the network (by the DHCP
    Server) for the Network Card with network address 0016EA5FCAC4. The following error
    occurred:
    %%121.
    Your computer will continue to try and obtain an address on its own from
    the network address (DHCP) server.

    Error: (08/15/2011 10:31:30 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 129.133.210.213 for the Network Card with network address 0016EA5FCAC4 has been
    denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).

    Error: (08/15/2011 06:24:22 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 129.133.210.213 for the Network Card with network address 0016EA5FCAC4 has been
    denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).

    Error: (08/14/2011 10:28:55 PM) (Source: Service Control Manager) (User: )
    Description: The HDD & SSD access service service failed to start due to the following error:
    %%3

    Error: (08/14/2011 10:28:55 PM) (Source: Service Control Manager) (User: )
    Description: The adfs service failed to start due to the following error:
    %%2

    Error: (08/14/2011 10:26:18 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 129.133.168.57 for the Network Card with network address 0016EA5FCAC4 has been
    denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).

    Error: (08/14/2011 10:18:25 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 129.133.60.51 for the Network Card with network address 0090F58B2C33 has been
    denied by the DHCP server 129.133.1.5 (The DHCP Server sent a DHCPNACK message).

    Error: (08/14/2011 00:18:07 PM) (Source: Service Control Manager) (User: )
    Description: The HDD & SSD access service service failed to start due to the following error:
    %%3


    Microsoft Office Sessions:
    =========================
    Error: (08/27/2011 05:10:21 PM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 1985

    Error: (08/27/2011 05:10:21 PM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 1985

    Error: (08/27/2011 05:10:21 PM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: Continuously busy for more than a second

    Error: (08/27/2011 04:43:49 PM) (Source: M4iPodWPDDriver)(User: )
    Description: WmpContent::CreateInstance()0x80040154

    Error: (08/27/2011 04:43:49 PM) (Source: M4iPodWPDDriver)(User: )
    Description: OpenConnection()0x80040154

    Error: (08/27/2011 04:43:49 PM) (Source: M4iPodWPDDriver)(User: )
    Description: DataConnection::OpenConnection()0x80040154

    Error: (08/27/2011 01:22:34 PM) (Source: M4iPodWPDDriver)(User: )
    Description: WmpContent::CreateInstance()0x80040154

    Error: (08/27/2011 01:22:34 PM) (Source: M4iPodWPDDriver)(User: )
    Description: OpenConnection()0x80040154

    Error: (08/27/2011 01:22:34 PM) (Source: M4iPodWPDDriver)(User: )
    Description: DataConnection::OpenConnection()0x80040154

    Error: (08/27/2011 01:08:52 PM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 1554062


    **** End of log ****
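A check that can be run over a SystemLook filefind log like the one above, as an added example that is not part of the thread or of SystemLook itself: it groups the copies of a file by MD5 and reports whether the copy Windows actually loads (system32\drivers) still matches its Windows File Protection backup in dllcache, which is the comparison a helper makes by eye in this thread. The four result lines are copied from the log above; the regex describing the line layout is my reading of that format, not a documented SystemLook specification.

```python
"""Spot divergent copies of a system file in a SystemLook 'filefind' log.

Added example, not part of the thread or of SystemLook. The in-use copy of a
driver differing from its dllcache backup is the pattern worth a closer look;
a differing copy under SoftwareDistribution\\Download is normally a staged
Windows Update package and is reported separately.
"""
import re
from collections import defaultdict

# Result line layout as seen in the log above (assumed, not a documented spec):
#   <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
FILEFIND_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# The filefind result lines copied from the SystemLook log posted above.
SAMPLE_LOG = "\n".join([
    'Searching for "isapnp.sys"',
    r"C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys --a---- 37248 bytes [22:30 25/10/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7",
    r"C:\WINDOWS\system32\dllcache\isapnp.sys --a--c- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87",
    r"C:\WINDOWS\system32\drivers\isapnp.sys --a---- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87",
    r"C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\isapnp.sys ------- 35840 bytes [01:58 02/10/2008] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87",
    "",
    "-= EOF =-",
])


def parse_filefind(text):
    """Return one dict per result line; headers, blank lines and EOF are skipped."""
    entries = []
    for raw in text.splitlines():
        m = FILEFIND_LINE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        entries.append(e)
    return entries


def _find(copies, folder):
    """First copy whose path contains the given folder (case-insensitive)."""
    folder = folder.lower()
    return next((e for e in copies if folder in e["path"].lower()), None)


def analyze(entries):
    """Group copies of each file by MD5 and compare the in-use copy with dllcache."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    report = {}
    for name, copies in by_name.items():
        groups = defaultdict(list)
        for e in copies:
            groups[e["md5"]].append(e["path"])
        active = _find(copies, "\\system32\\drivers\\")
        cache = _find(copies, "\\system32\\dllcache\\")
        pending = _find(copies, "\\SoftwareDistribution\\Download\\")
        report[name] = {
            "distinct_hashes": len(groups),
            "groups": {h: sorted(p) for h, p in groups.items()},
            "active_md5": active["md5"] if active else None,
            "active_matches_cache": bool(
                active and cache and active["md5"] == cache["md5"]),
            # An update package that differs from the in-use file is expected.
            "pending_update_differs": bool(
                active and pending and pending["md5"] != active["md5"]),
        }
    return report


def verdicts(report):
    """One readable line per finding, the way a helper would post it back."""
    lines = []
    for name, r in sorted(report.items()):
        if r["active_md5"] is None:
            lines.append(f"{name}: no in-use copy under system32\\drivers found")
        elif r["active_matches_cache"]:
            lines.append(f"{name}: in-use copy matches dllcache backup "
                         f"({r['active_md5']})")
        else:
            lines.append(f"{name}: in-use copy DIFFERS from dllcache backup; "
                         f"inspect {r['active_md5']}")
        if r["pending_update_differs"]:
            lines.append(f"{name}: a newer copy is staged under "
                         f"SoftwareDistribution\\Download (pending update)")
    return lines


if __name__ == "__main__":
    print("\n".join(verdicts(analyze(parse_filefind(SAMPLE_LOG)))))
```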
  15. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    Let's try another file:

    1. Please open Notepad
    • Click Start , then Run
• Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys | C:\WINDOWS\system32\drivers\isapnp.sys

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt

    Also post new System Look log.
  16. JimmaWat

    JimmaWat Newcomer, in training Topic Starter Posts: 42

Ran Combofix.exe. Don't think it rebooted. Internet still doesn't seem to work. Here is the log:


    ComboFix 11-08-23.06 - Administrator 08/27/2011 19:01:30.6.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2555.1840 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: H:\CFScript.txt
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys --> c:\windows\system32\drivers\isapnp.sys
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-27 to 2011-08-27 )))))))))))))))))))))))))))))))
    .
    .
    2073-04-13 21:17 . 2006-11-22 00:48 203576 ---ha-w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
    2011-08-27 00:43 . 2011-08-27 00:43 -------- d-----w- C:\ERDNT
    2011-08-27 00:00 . 2011-08-27 00:00 -------- d-----w- C:\_OTL
    2011-08-26 22:54 . 2011-08-27 23:00 -------- d-----w- c:\windows\system32\CatRoot2
    2011-08-24 02:53 . 2010-02-24 12:31 454016 -c--a-w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-08-24 02:53 . 2010-02-24 12:31 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-08-23 02:02 . 2011-08-23 02:02 -------- d-----w- c:\program files\Avira
    2011-08-22 17:59 . 2011-08-22 17:59 -------- d-----w- c:\program files\Virus Secure Lab
    2011-08-18 21:45 . 2011-08-18 21:45 -------- d-----w- c:\program files\Sophos
    2011-08-18 04:28 . 2011-08-18 04:28 -------- d-----w- c:\program files\Foxit Software
    2011-08-18 03:07 . 2011-08-23 03:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-08-18 03:07 . 2011-08-22 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2011-08-18 02:46 . 2011-08-22 20:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-08-18 01:00 . 2011-08-18 01:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
    2011-08-18 00:30 . 2011-08-18 00:30 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-08-18 00:30 . 2011-08-18 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-08-18 00:17 . 2011-05-03 20:14 331776 ----a-w- c:\windows\system32\EasyRedirect.dll
    2011-08-18 00:17 . 2011-08-18 02:11 -------- d-----w- c:\program files\Easy-Hide-IP
    2011-08-17 16:37 . 2011-08-17 16:37 -------- d-----w- C:\CherryDeGames
    2011-08-11 18:00 . 2011-08-11 20:07 -------- d-----w- c:\program files\InterActual
    2011-08-07 23:13 . 2011-08-07 23:14 -------- d-----w- c:\program files\PCSX2 0.9.8
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-24 02:32 . 2004-08-04 01:07 138368 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-08-24 02:18 . 2004-08-04 01:07 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2011-08-16 18:05 . 2011-06-15 08:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-06 23:52 . 2008-11-19 16:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-06 23:52 . 2008-11-19 16:37 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-09 21:16 . 2009-12-25 21:10 141200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
    2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2011-06-09 20:34 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.ex0
    2011-06-08 09:07 . 2011-06-13 12:17 201728 ----a-w- C:\zYan_ID_Changer.dll
    2011-06-07 23:49 . 2011-06-07 23:49 138056 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
    2011-06-07 23:48 . 2009-12-25 21:10 90112 ----a-w- c:\windows\system32\PnkBstrA.exe
    2011-06-02 07:36 . 2011-06-13 12:17 27648 ----a-w- C:\zYan_X.dll
    2011-04-30 15:16 . 2011-03-27 19:12 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
    [-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
    .
    [-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
    [-] 2004-08-04 . B8452AB7BAF84D1D621776AF8000BBD4 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
    .
    [-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll
    [-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-24_03.51.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-27 20:46 . 2011-08-27 20:46 16384 c:\windows\Temp\Perflib_Perfdata_d6c.dat
    + 2004-08-04 01:07 . 2004-08-04 01:07 35840 c:\windows\system32\dllcache\isapnp.sys
    - 2004-08-04 01:07 . 2001-08-17 17:58 35840 c:\windows\system32\dllcache\isapnp.sys
    + 2004-08-04 01:07 . 2008-10-23 12:43 286720 c:\windows\system32\gdi32.dll
    + 2008-10-01 18:23 . 2011-08-27 07:10 3747600 c:\windows\system32\FNTCACHE.DAT
    - 2008-10-01 18:23 . 2011-05-31 05:33 3747600 c:\windows\system32\FNTCACHE.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]
    "DeLay"="c:\windows\BisonCam\DeLay.exe" [2008-03-11 53248]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
    "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-03-26 1208320]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
    "PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-06 49168]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-10-1 1843000]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-06-06 03:03 90112 ----a-w- c:\windows\system32\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/8/2009 10:44 AM 721904]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
    R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [3/22/2011 4:16 PM 2304]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [10/1/2008 10:23 PM 84240]
    R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [12/23/2009 3:04 PM 17792]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
    S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:07 PM 14336]
    S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\131.tmp --> c:\windows\system32\131.tmp [?]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [4/1/2010 5:55 PM 133632]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [4/1/2010 5:55 PM 79360]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/31/2009 9:15 PM 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/31/2009 9:15 PM 8320]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [8/31/2009 9:15 PM 42112]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-24 c:\windows\Tasks\AdobeAAMUpdater-1.0-JIMMAWAT-Administrator.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-05-31 07:44]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
    .
    2009-11-09 c:\windows\Tasks\Test.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 01:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.orbitdownloader.com/
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z1748ax6.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-27 19:07
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\131.tmp"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(604)
    c:\windows\system32\vrlogon.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\psqlpwd.dll
    c:\program files\Protector Suite QL\homefus2.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\program files\Protector Suite QL\homepass.dll
    c:\program files\Protector Suite QL\bio.dll
    c:\program files\Protector Suite QL\remote.dll
    c:\program files\Protector Suite QL\crypto.dll
    .
    - - - - - - - > 'explorer.exe'(2960)
    c:\program files\Protector Suite QL\farchns.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\windows\system32\msi.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-08-27 19:10:04
    ComboFix-quarantined-files.txt 2011-08-27 23:10
    ComboFix2.txt 2011-08-27 20:49
    ComboFix3.txt 2011-08-25 02:21
    ComboFix4.txt 2011-08-25 01:47
    ComboFix5.txt 2011-08-27 22:33
    .
    Pre-Run: 25,712,730,112 bytes free
    Post-Run: 25,686,720,512 bytes free
    .
    - - End Of File - - 9207517C24DCD5E149E8DC455504252F
  17. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    Reboot, check for internet connection and give me a fresh System Look log.
  18. JimmaWat

    JimmaWat Newcomer, in training Topic Starter Posts: 42

    Rebooted and ran SystemLook with filefind command for isapnp.sys again. Here is the log:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 19:59 on 27/08/2011 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "isapnp.sys"
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys ------- 37248 bytes [22:30 25/10/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
    C:\WINDOWS\system32\dllcache\isapnp.sys --a--c- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\drivers\isapnp.sys --a---- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\isapnp.sys ------- 35840 bytes [01:58 02/10/2008] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87

    -= EOF =
     
  19. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    Apparently it doesn't take changes.
    Let's try a different way.

    Here is isapnp.sys file from my XP CD: http://www.filedropper.com/isapnp

    Download it and paste it into root C:\ directory.

    Post a fresh System Look log so I can see it's in the correct location.
  20. JimmaWat

    JimmaWat Newcomer, in training Topic Starter Posts: 42

    Downloaded it and put it in C:/

    Ran SystemLook. Here is the log:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 21:24 on 27/08/2011 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "isapnp.sys"
    C:\isapnp.sys --a---- 37248 bytes [01:23 28/08/2011] [01:22 28/08/2011] 5A59964BFB9DCA86AF0C4AE8CC1D6A32
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys ------- 37248 bytes [22:30 25/10/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
    C:\WINDOWS\system32\dllcache\isapnp.sys --a--c- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\drivers\isapnp.sys --a---- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\isapnp.sys ------- 35840 bytes [01:58 02/10/2008] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87

    -= EOF =
  21. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    OK.

    Download BlitzBlank and save it to your desktop.
    Double click on Blitzblank.exe

    • Click OK at the warning.
    • Click the Script tab and copy/paste the following text there:
    Code:
    CopyFile:
    C:\isapnp.sys C:\WINDOWS\system32\drivers\isapnp.sys
    

    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\

    Check for internet connection and post new System Look log.
  22. JimmaWat

    JimmaWat Newcomer, in training Topic Starter Posts: 42

    Ran BlitzBlank and rebooted. Internet still not working though. Here is the log:


    BlitzBlank 1.0.0.32

    File/Registry Modification Engine native application
    CopyFileOnReboot: sourceFile = "\??\c:\isapnp.sys", destinationFile = "\??\c:\windows\system32\drivers\isapnp.sys"


    Ran SystemLook with filefind for isapnp.sys again. Here is the log:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 23:08 on 27/08/2011 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "isapnp.sys"
    C:\isapnp.sys --a---- 37248 bytes [01:23 28/08/2011] [01:22 28/08/2011] 5A59964BFB9DCA86AF0C4AE8CC1D6A32
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys ------- 37248 bytes [22:30 25/10/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
    C:\WINDOWS\system32\dllcache\isapnp.sys --a--c- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\drivers\isapnp.sys --a---- 37248 bytes [01:07 04/08/2004] [03:01 28/08/2011] 5A59964BFB9DCA86AF0C4AE8CC1D6A32
    C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\isapnp.sys ------- 35840 bytes [01:58 02/10/2008] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87

    -= EOF =-
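    The two SystemLook filefind logs above (reply #20 before the BlitzBlank copy, reply #22 after it) are compared by eye in the thread. The following script is an added example, not part of SystemLook, BlitzBlank or the thread's own procedure: it parses the filefind lines, groups the copies of isapnp.sys by MD5, and checks the live driver in system32\drivers against the Windows File Protection copy in system32\dllcache, which is a convenient local reference hash. It assumes the line format seen in the post (path, seven attribute flags, size, two bracketed timestamps, MD5) and assumes the first bracket is the creation time and the second the last-modified time; the sample log is the filefind section from reply #22 embedded verbatim so the script runs offline.

    ```python
    """Cross-check copies of a Windows driver listed by a SystemLook 'filefind' log.

    Added example (not SystemLook, BlitzBlank or the thread's own tooling). Assumed
    line format, as seen in the post:
        <path> <7 attr flags> <size> bytes [created] [modified] <MD5>
    The first bracket is assumed to be the creation time, the second the
    last-modified time.
    """
    import re
    from collections import defaultdict
    from datetime import datetime

    # Sample input: the filefind section from the post above (after the BlitzBlank
    # copy), embedded here so the script runs without the original log file.
    SAMPLE_LOG = r"""
    ========== filefind ==========

    Searching for "isapnp.sys"
    C:\isapnp.sys --a---- 37248 bytes [01:23 28/08/2011] [01:22 28/08/2011] 5A59964BFB9DCA86AF0C4AE8CC1D6A32
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys ------- 37248 bytes [22:30 25/10/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
    C:\WINDOWS\system32\dllcache\isapnp.sys --a--c- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\drivers\isapnp.sys --a---- 37248 bytes [01:07 04/08/2004] [03:01 28/08/2011] 5A59964BFB9DCA86AF0C4AE8CC1D6A32
    C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\isapnp.sys ------- 35840 bytes [01:58 02/10/2008] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87

    -= EOF =-
    """

    LINE_RE = re.compile(
        r"^(?P<path>[A-Za-z]:\\.+?)\s+"          # drive-letter path
        r"(?P<attrs>[-A-Za-z]{7})\s+"            # e.g. --a--c-
        r"(?P<size>\d+) bytes\s+"
        r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
        r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
    )
    TIME_FMT = "%H:%M %d/%m/%Y"


    def parse_filefind(text):
        """Return one dict per file line, in log order; other lines are skipped."""
        entries = []
        for line in text.splitlines():
            m = LINE_RE.match(line.strip())
            if not m:
                continue
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            e["created"] = datetime.strptime(e["created"], TIME_FMT)
            e["modified"] = datetime.strptime(e["modified"], TIME_FMT)
            entries.append(e)
        return entries


    def group_by_hash(entries):
        """Map MD5 -> list of paths whose content has that hash."""
        groups = defaultdict(list)
        for e in entries:
            groups[e["md5"]].append(e["path"])
        return dict(groups)


    def find_by_suffix(entries, suffix):
        """First entry whose path ends with suffix (case-insensitive), or None."""
        for e in entries:
            if e["path"].lower().endswith(suffix.lower()):
                return e
        return None


    def check_driver(entries, name="isapnp.sys"):
        """Compare the live driver with its Windows File Protection cache copy.

        dllcache holds the copy WFP would restore, so it serves as a local
        reference hash. A live driver whose modified time is newer than its
        creation time was overwritten in place (here by the BlitzBlank copy).
        """
        live = find_by_suffix(entries, "\\system32\\drivers\\" + name)
        cache = find_by_suffix(entries, "\\system32\\dllcache\\" + name)
        return {
            "live_md5": live["md5"] if live else None,
            "dllcache_md5": cache["md5"] if cache else None,
            "live_matches_dllcache": bool(live and cache and live["md5"] == cache["md5"]),
            "live_overwritten_in_place": bool(live and live["modified"] > live["created"]),
            "distinct_hashes": sorted({e["md5"] for e in entries}),
        }


    if __name__ == "__main__":
        found = parse_filefind(SAMPLE_LOG)
        for md5, paths in group_by_hash(found).items():
            print(md5)
            for p in paths:
                print("   ", p)
        print(check_driver(found))
    ```

    On the log from reply #22 the report shows three distinct hashes on disk, the live driver carrying the same hash as the C:\isapnp.sys file Broni supplied, a modified time newer than its creation time (the in-place overwrite), and a mismatch against dllcache, which still holds the original 2004 build; the same check run on the reply #20 log would instead report the live driver and dllcache in agreement, which is how one confirms, by hash rather than by eye, whether a file replacement actually took effect.
    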
  23. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    OK, this time it took the file fine.

    Go ahead and retry steps from my reply #29.
  24. JimmaWat

    JimmaWat Newcomer, in training Topic Starter Posts: 42

    Still no internet. Had to skip BITS again because I still can't find my Windows XP CD.

    Something interesting to note: I tried to delete TDSSKiller.exe from my desktop and I couldn't because it said:

    Cannot delete tdsskiller:Access is denied.

    Make sure the disk is not full or write-protected and that the file is not currently is use.

    I can delete anything else on the desktop, just not that. And I know the file isn't being used because I just restarted the computer.
  25. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    This may be crucial here.
    Possibly we have system files corrupted.