
"The maximum number of secrets that may be stored in a single system has exceeded..."

Discussion in 'Virus and Malware Removal' started by JimmaWat, Aug 22, 2011.

  1. Broni Malware Annihilator Posts: 40,051   +187

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\isapnp.sys | C:\WINDOWS\system32\drivers\isapnp.sys

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  2. JimmaWat Newcomer, in training Posts: 42

    Ran ComboFix.exe with CFScript.txt. No problems, but the internet still is telling me it's trying to connect, but it doesn't connect.

    Here is the log:

    ComboFix 11-08-23.06 - Administrator 08/27/2011 16:31:11.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2555.1859 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: H:\CFScript.txt
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\isapnp.sys --> c:\windows\system32\drivers\isapnp.sys
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-27 to 2011-08-27 )))))))))))))))))))))))))))))))
    .
    .
    2073-04-13 21:17 . 2006-11-22 00:48 203576 ---ha-w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
    2011-08-27 00:43 . 2011-08-27 00:43 -------- d-----w- C:\ERDNT
    2011-08-27 00:00 . 2011-08-27 00:00 -------- d-----w- C:\_OTL
    2011-08-26 22:54 . 2011-08-27 20:30 -------- d-----w- c:\windows\system32\CatRoot2
    2011-08-24 02:53 . 2010-02-24 12:31 454016 -c--a-w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-08-24 02:53 . 2010-02-24 12:31 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-08-23 02:02 . 2011-08-23 02:02 -------- d-----w- c:\program files\Avira
    2011-08-22 17:59 . 2011-08-22 17:59 -------- d-----w- c:\program files\Virus Secure Lab
    2011-08-18 21:45 . 2011-08-18 21:45 -------- d-----w- c:\program files\Sophos
    2011-08-18 04:28 . 2011-08-18 04:28 -------- d-----w- c:\program files\Foxit Software
    2011-08-18 03:07 . 2011-08-23 03:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-08-18 03:07 . 2011-08-22 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2011-08-18 02:46 . 2011-08-22 20:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-08-18 01:00 . 2011-08-18 01:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
    2011-08-18 00:30 . 2011-08-18 00:30 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-08-18 00:30 . 2011-08-18 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-08-18 00:17 . 2011-05-03 20:14 331776 ----a-w- c:\windows\system32\EasyRedirect.dll
    2011-08-18 00:17 . 2011-08-18 02:11 -------- d-----w- c:\program files\Easy-Hide-IP
    2011-08-17 16:37 . 2011-08-17 16:37 -------- d-----w- C:\CherryDeGames
    2011-08-11 18:00 . 2011-08-11 20:07 -------- d-----w- c:\program files\InterActual
    2011-08-07 23:13 . 2011-08-07 23:14 -------- d-----w- c:\program files\PCSX2 0.9.8
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-24 02:32 . 2004-08-04 01:07 138368 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-08-24 02:18 . 2004-08-04 01:07 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2011-08-16 18:05 . 2011-06-15 08:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-06 23:52 . 2008-11-19 16:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-06 23:52 . 2008-11-19 16:37 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-09 21:16 . 2009-12-25 21:10 141200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
    2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2011-06-09 20:34 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.ex0
    2011-06-08 09:07 . 2011-06-13 12:17 201728 ----a-w- C:\zYan_ID_Changer.dll
    2011-06-07 23:49 . 2011-06-07 23:49 138056 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
    2011-06-07 23:48 . 2009-12-25 21:10 90112 ----a-w- c:\windows\system32\PnkBstrA.exe
    2011-06-02 07:36 . 2011-06-13 12:17 27648 ----a-w- C:\zYan_X.dll
    2011-04-30 15:16 . 2011-03-27 19:12 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
    [-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
    .
    [-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
    [-] 2004-08-04 . B8452AB7BAF84D1D621776AF8000BBD4 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
    .
    [-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll
    [-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-24_03.51.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2004-08-04 01:07 . 2004-08-04 01:07 35840 c:\windows\system32\dllcache\isapnp.sys
    - 2004-08-04 01:07 . 2001-08-17 17:58 35840 c:\windows\system32\dllcache\isapnp.sys
    + 2004-08-04 01:07 . 2008-10-23 12:43 286720 c:\windows\system32\gdi32.dll
    + 2008-10-01 18:23 . 2011-08-27 07:10 3747600 c:\windows\system32\FNTCACHE.DAT
    - 2008-10-01 18:23 . 2011-05-31 05:33 3747600 c:\windows\system32\FNTCACHE.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]
    "DeLay"="c:\windows\BisonCam\DeLay.exe" [2008-03-11 53248]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
    "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-03-26 1208320]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
    "PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-06 49168]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-10-1 1843000]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-06-06 03:03 90112 ----a-w- c:\windows\system32\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/8/2009 10:44 AM 721904]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
    R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [3/22/2011 4:16 PM 2304]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [10/1/2008 10:23 PM 84240]
    R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [12/23/2009 3:04 PM 17792]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
    S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:07 PM 14336]
    S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\131.tmp --> c:\windows\system32\131.tmp [?]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [4/1/2010 5:55 PM 133632]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [4/1/2010 5:55 PM 79360]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/31/2009 9:15 PM 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/31/2009 9:15 PM 8320]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [8/31/2009 9:15 PM 42112]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-24 c:\windows\Tasks\AdobeAAMUpdater-1.0-JIMMAWAT-Administrator.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-05-31 07:44]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
    .
    2009-11-09 c:\windows\Tasks\Test.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 01:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.orbitdownloader.com/
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z1748ax6.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-27 16:46
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\131.tmp"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(604)
    c:\windows\system32\vrlogon.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\psqlpwd.dll
    c:\program files\Protector Suite QL\homefus2.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\program files\Protector Suite QL\homepass.dll
    c:\program files\Protector Suite QL\bio.dll
    c:\program files\Protector Suite QL\remote.dll
    c:\program files\Protector Suite QL\crypto.dll
    .
    - - - - - - - > 'explorer.exe'(2924)
    c:\program files\Protector Suite QL\farchns.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\windows\system32\msi.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\WinSCP\DragExt.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\rundll32.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Protector Suite QL\psqltray.exe
    c:\program files\Orbitdownloader\orbitnet.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-27 16:49:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-27 20:49
    ComboFix2.txt 2011-08-25 02:21
    ComboFix3.txt 2011-08-25 01:47
    ComboFix4.txt 2011-08-24 18:05
    ComboFix5.txt 2011-08-27 20:30
    .
    Pre-Run: 25,728,917,504 bytes free
    Post-Run: 25,698,734,080 bytes free
    .
    - - End Of File - - E6879BBDB770FA244491C062F6993CF7
  3. Broni Malware Annihilator Posts: 40,051   +187

    Re-run SystemLook with the same code as in my reply #59

    Then....

    Re-run MiniToolbox.

    Checkmark following boxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Report FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    Click Go and post the result.
  4. JimmaWat Newcomer, in training Posts: 42

    Reran SystemLook with filefind command for isapnp.sys. Here is the log for that:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 17:13 on 27/08/2011 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "isapnp.sys"
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys --a---- 37248 bytes [22:30 25/10/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
    C:\WINDOWS\system32\dllcache\isapnp.sys --a--c- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\drivers\isapnp.sys --a---- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\isapnp.sys ------- 35840 bytes [01:58 02/10/2008] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87

    -= EOF =-

    Then reran MiniToolBox. Here is the log:

    MiniToolBox by Farbar
    Ran by Administrator (administrator) on 27-08-2011 at 17:17:56
    Microsoft Windows XP Service Pack 2 (X86)

    ***************************************************************************

    ========================= Flush DNS: ===================================


    Windows IP Configuration



    Successfully flushed the DNS Resolver Cache.


    ========================= IE Proxy Settings: ==============================

    Proxy is not enabled.
    No Proxy Server is set.

    ========================= FF Proxy Settings: ==============================

    "network.proxy.backup.ftp", ""
    "network.proxy.backup.ftp_port", ""
    "network.proxy.backup.socks", ""
    "network.proxy.backup.socks_port", ""
    "network.proxy.backup.ssl", ""
    "network.proxy.backup.ssl_port", ""
    ========================= Hosts content: =================================

    127.0.0.1 localhost

    ========================= IP Configuration: ================================

    # ----------------------------------
    # Interface IP Configuration
    # ----------------------------------
    pushd interface ip


    # Interface IP Configuration for "Local Area Connection 2"

    set address name="Local Area Connection 2" source=dhcp
    set dns name="Local Area Connection 2" source=dhcp register=PRIMARY
    set wins name="Local Area Connection 2" source=dhcp

    # Interface IP Configuration for "Wireless Network Connection"

    set address name="Wireless Network Connection" source=dhcp
    set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
    set wins name="Wireless Network Connection" source=dhcp


    popd
    # End of interface IP configuration




    Windows IP Configuration



    Host Name . . . . . . . . . . . . : jimmawat

    Primary Dns Suffix . . . . . . . :

    Node Type . . . . . . . . . . . . : Unknown

    IP Routing Enabled. . . . . . . . : No

    WINS Proxy Enabled. . . . . . . . : No



    Ethernet adapter Local Area Connection 2:



    Media State . . . . . . . . . . . : Media disconnected

    Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC

    Physical Address. . . . . . . . . : 00-90-F5-8B-2C-33



    Ethernet adapter Wireless Network Connection:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 5300

    Physical Address. . . . . . . . . : 00-16-EA-5F-CA-C4

    Dhcp Enabled. . . . . . . . . . . : Yes

    Autoconfiguration Enabled . . . . : Yes

    IP Address. . . . . . . . . . . . : 0.0.0.0

    Subnet Mask . . . . . . . . . . . : 0.0.0.0

    Default Gateway . . . . . . . . . :

    DHCP Server . . . . . . . . . . . : 255.255.255.255

    NetBIOS over Tcpip. . . . . . . . : Disabled

    Server: UnKnown
    Address: 127.0.0.1

    Ping request could not find host google.com. Please check the name and try again.

    Server: UnKnown
    Address: 127.0.0.1

    Ping request could not find host yahoo.com. Please check the name and try again.



    Pinging 127.0.0.1 with 32 bytes of data:



    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



    Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10003 ...00 90 f5 8b 2c 33 ...... Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC
    0x10004 ...00 16 ea 5f ca c4 ...... Intel(R) Wireless WiFi Link 5300
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    255.255.255.255 255.255.255.255 255.255.255.255 10003 1
    255.255.255.255 255.255.255.255 255.255.255.255 10004 1
    ===========================================================================
    Persistent Routes:
    None
    ========================= Winsock entries =====================================

    Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
    Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog5 04 C:\Windows\System32\nwprovau.dll [144384] (Microsoft Corporation)
    Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 04 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 05 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 18 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
    Catalog9 19 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)

    ========================= Event log errors: ===============================

    Application errors:
    ==================
    Error: (08/27/2011 05:10:21 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 1985

    Error: (08/27/2011 05:10:21 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 1985

    Error: (08/27/2011 05:10:21 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: Continuously busy for more than a second

    Error: (08/27/2011 04:43:49 PM) (Source: M4iPodWPDDriver) (User: )
    Description: WmpContent::CreateInstance()0x80040154

    Error: (08/27/2011 04:43:49 PM) (Source: M4iPodWPDDriver) (User: )
    Description: OpenConnection()0x80040154

    Error: (08/27/2011 04:43:49 PM) (Source: M4iPodWPDDriver) (User: )
    Description: DataConnection::OpenConnection()0x80040154

    Error: (08/27/2011 01:22:34 PM) (Source: M4iPodWPDDriver) (User: )
    Description: WmpContent::CreateInstance()0x80040154

    Error: (08/27/2011 01:22:34 PM) (Source: M4iPodWPDDriver) (User: )
    Description: OpenConnection()0x80040154

    Error: (08/27/2011 01:22:34 PM) (Source: M4iPodWPDDriver) (User: )
    Description: DataConnection::OpenConnection()0x80040154

    Error: (08/27/2011 01:08:52 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 1554062


    System errors:
    =============
    Error: (08/16/2011 01:05:56 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 192.168.1.69 for the Network Card with network address 0016EA5FCAC4 has been
    denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).

    Error: (08/16/2011 01:05:47 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 129.133.127.105 for the Network Card with network address 0090F58B2C33 has been
    denied by the DHCP server 129.133.1.5 (The DHCP Server sent a DHCPNACK message).

    Error: (08/15/2011 10:32:39 PM) (Source: Dhcp) (User: )
    Description: Your computer was not assigned an address from the network (by the DHCP
    Server) for the Network Card with network address 0016EA5FCAC4. The following error
    occurred:
    %%121.
    Your computer will continue to try and obtain an address on its own from
    the network address (DHCP) server.

    Error: (08/15/2011 10:31:30 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 129.133.210.213 for the Network Card with network address 0016EA5FCAC4 has been
    denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).

    Error: (08/15/2011 06:24:22 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 129.133.210.213 for the Network Card with network address 0016EA5FCAC4 has been
    denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).

    Error: (08/14/2011 10:28:55 PM) (Source: Service Control Manager) (User: )
    Description: The HDD & SSD access service service failed to start due to the following error:
    %%3

    Error: (08/14/2011 10:28:55 PM) (Source: Service Control Manager) (User: )
    Description: The adfs service failed to start due to the following error:
    %%2

    Error: (08/14/2011 10:26:18 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 129.133.168.57 for the Network Card with network address 0016EA5FCAC4 has been
    denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).

    Error: (08/14/2011 10:18:25 PM) (Source: Dhcp) (User: )
    Description: The IP address lease 129.133.60.51 for the Network Card with network address 0090F58B2C33 has been
    denied by the DHCP server 129.133.1.5 (The DHCP Server sent a DHCPNACK message).

    Error: (08/14/2011 00:18:07 PM) (Source: Service Control Manager) (User: )
    Description: The HDD & SSD access service service failed to start due to the following error:
    %%3


    Microsoft Office Sessions:
    =========================
    Error: (08/27/2011 05:10:21 PM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 1985

    Error: (08/27/2011 05:10:21 PM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 1985

    Error: (08/27/2011 05:10:21 PM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: Continuously busy for more than a second

    Error: (08/27/2011 04:43:49 PM) (Source: M4iPodWPDDriver)(User: )
    Description: WmpContent::CreateInstance()0x80040154

    Error: (08/27/2011 04:43:49 PM) (Source: M4iPodWPDDriver)(User: )
    Description: OpenConnection()0x80040154

    Error: (08/27/2011 04:43:49 PM) (Source: M4iPodWPDDriver)(User: )
    Description: DataConnection::OpenConnection()0x80040154

    Error: (08/27/2011 01:22:34 PM) (Source: M4iPodWPDDriver)(User: )
    Description: WmpContent::CreateInstance()0x80040154

    Error: (08/27/2011 01:22:34 PM) (Source: M4iPodWPDDriver)(User: )
    Description: OpenConnection()0x80040154

    Error: (08/27/2011 01:22:34 PM) (Source: M4iPodWPDDriver)(User: )
    Description: DataConnection::OpenConnection()0x80040154

    Error: (08/27/2011 01:08:52 PM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 1554062


    **** End of log ****
  5. Broni Malware Annihilator Posts: 40,051   +187

    Let's try another file:

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys | C:\WINDOWS\system32\drivers\isapnp.sys
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt

    Also post new System Look log.
  6. JimmaWat Newcomer, in training Posts: 42

    Ran Combofix.exe. Don't think it rebooted. Internet still doesn't seem to work. Here is the log:


    ComboFix 11-08-23.06 - Administrator 08/27/2011 19:01:30.6.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2555.1840 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: H:\CFScript.txt
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys --> c:\windows\system32\drivers\isapnp.sys
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-27 to 2011-08-27 )))))))))))))))))))))))))))))))
    .
    .
    2073-04-13 21:17 . 2006-11-22 00:48 203576 ---ha-w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
    2011-08-27 00:43 . 2011-08-27 00:43 -------- d-----w- C:\ERDNT
    2011-08-27 00:00 . 2011-08-27 00:00 -------- d-----w- C:\_OTL
    2011-08-26 22:54 . 2011-08-27 23:00 -------- d-----w- c:\windows\system32\CatRoot2
    2011-08-24 02:53 . 2010-02-24 12:31 454016 -c--a-w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-08-24 02:53 . 2010-02-24 12:31 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-08-23 02:02 . 2011-08-23 02:02 -------- d-----w- c:\program files\Avira
    2011-08-22 17:59 . 2011-08-22 17:59 -------- d-----w- c:\program files\Virus Secure Lab
    2011-08-18 21:45 . 2011-08-18 21:45 -------- d-----w- c:\program files\Sophos
    2011-08-18 04:28 . 2011-08-18 04:28 -------- d-----w- c:\program files\Foxit Software
    2011-08-18 03:07 . 2011-08-23 03:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-08-18 03:07 . 2011-08-22 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2011-08-18 02:46 . 2011-08-22 20:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-08-18 01:00 . 2011-08-18 01:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
    2011-08-18 00:30 . 2011-08-18 00:30 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-08-18 00:30 . 2011-08-18 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-08-18 00:17 . 2011-05-03 20:14 331776 ----a-w- c:\windows\system32\EasyRedirect.dll
    2011-08-18 00:17 . 2011-08-18 02:11 -------- d-----w- c:\program files\Easy-Hide-IP
    2011-08-17 16:37 . 2011-08-17 16:37 -------- d-----w- C:\CherryDeGames
    2011-08-11 18:00 . 2011-08-11 20:07 -------- d-----w- c:\program files\InterActual
    2011-08-07 23:13 . 2011-08-07 23:14 -------- d-----w- c:\program files\PCSX2 0.9.8
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-24 02:32 . 2004-08-04 01:07 138368 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-08-24 02:18 . 2004-08-04 01:07 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2011-08-16 18:05 . 2011-06-15 08:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-06 23:52 . 2008-11-19 16:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-06 23:52 . 2008-11-19 16:37 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-09 21:16 . 2009-12-25 21:10 141200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
    2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2011-06-09 20:34 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.ex0
    2011-06-08 09:07 . 2011-06-13 12:17 201728 ----a-w- C:\zYan_ID_Changer.dll
    2011-06-07 23:49 . 2011-06-07 23:49 138056 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
    2011-06-07 23:48 . 2009-12-25 21:10 90112 ----a-w- c:\windows\system32\PnkBstrA.exe
    2011-06-02 07:36 . 2011-06-13 12:17 27648 ----a-w- C:\zYan_X.dll
    2011-04-30 15:16 . 2011-03-27 19:12 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
    [-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
    .
    [-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
    [-] 2004-08-04 . B8452AB7BAF84D1D621776AF8000BBD4 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
    .
    [-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll
    [-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-24_03.51.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-27 20:46 . 2011-08-27 20:46 16384 c:\windows\Temp\Perflib_Perfdata_d6c.dat
    + 2004-08-04 01:07 . 2004-08-04 01:07 35840 c:\windows\system32\dllcache\isapnp.sys
    - 2004-08-04 01:07 . 2001-08-17 17:58 35840 c:\windows\system32\dllcache\isapnp.sys
    + 2004-08-04 01:07 . 2008-10-23 12:43 286720 c:\windows\system32\gdi32.dll
    + 2008-10-01 18:23 . 2011-08-27 07:10 3747600 c:\windows\system32\FNTCACHE.DAT
    - 2008-10-01 18:23 . 2011-05-31 05:33 3747600 c:\windows\system32\FNTCACHE.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]
    "DeLay"="c:\windows\BisonCam\DeLay.exe" [2008-03-11 53248]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
    "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-03-26 1208320]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
    "PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-06 49168]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-10-1 1843000]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-06-06 03:03 90112 ----a-w- c:\windows\system32\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/8/2009 10:44 AM 721904]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
    R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [3/22/2011 4:16 PM 2304]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [10/1/2008 10:23 PM 84240]
    R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [12/23/2009 3:04 PM 17792]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
    S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:07 PM 14336]
    S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\131.tmp --> c:\windows\system32\131.tmp [?]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [4/1/2010 5:55 PM 133632]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [4/1/2010 5:55 PM 79360]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/31/2009 9:15 PM 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/31/2009 9:15 PM 8320]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [8/31/2009 9:15 PM 42112]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-24 c:\windows\Tasks\AdobeAAMUpdater-1.0-JIMMAWAT-Administrator.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-05-31 07:44]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
    .
    2011-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
    .
    2009-11-09 c:\windows\Tasks\Test.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 01:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.orbitdownloader.com/
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z1748ax6.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-27 19:07
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\131.tmp"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(604)
    c:\windows\system32\vrlogon.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\psqlpwd.dll
    c:\program files\Protector Suite QL\homefus2.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\program files\Protector Suite QL\homepass.dll
    c:\program files\Protector Suite QL\bio.dll
    c:\program files\Protector Suite QL\remote.dll
    c:\program files\Protector Suite QL\crypto.dll
    .
    - - - - - - - > 'explorer.exe'(2960)
    c:\program files\Protector Suite QL\farchns.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\windows\system32\msi.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-08-27 19:10:04
    ComboFix-quarantined-files.txt 2011-08-27 23:10
    ComboFix2.txt 2011-08-27 20:49
    ComboFix3.txt 2011-08-25 02:21
    ComboFix4.txt 2011-08-25 01:47
    ComboFix5.txt 2011-08-27 22:33
    .
    Pre-Run: 25,712,730,112 bytes free
    Post-Run: 25,686,720,512 bytes free
    .
    - - End Of File - - 9207517C24DCD5E149E8DC455504252F
     
  7. Broni Malware Annihilator Posts: 40,051   +187

    Reboot, check for internet connection and give me fresh System Look log.
  8. JimmaWat Newcomer, in training Posts: 42

    Rebooted and ran SystemLook with filefind command for isapnp.sys again. Here is the log:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 19:59 on 27/08/2011 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "isapnp.sys"
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys ------- 37248 bytes [22:30 25/10/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
    C:\WINDOWS\system32\dllcache\isapnp.sys --a--c- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\drivers\isapnp.sys --a---- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\isapnp.sys ------- 35840 bytes [01:58 02/10/2008] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87

    -= EOF =
  9. Broni Malware Annihilator Posts: 40,051   +187

    Apparently it doesn't take changes.
    Let's try a different way.

    Here is isapnp.sys file from my XP CD: http://www.filedropper.com/isapnp

    Download it and paste it into root C:\ directory.

    Post fresh System Look log so I can see it's in correct location.
  10. JimmaWat Newcomer, in training Posts: 42

    Downloaded it and put it in C:/

    Ran SystemLook. Here is the log:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 21:24 on 27/08/2011 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "isapnp.sys"
    C:\isapnp.sys --a---- 37248 bytes [01:23 28/08/2011] [01:22 28/08/2011] 5A59964BFB9DCA86AF0C4AE8CC1D6A32
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys ------- 37248 bytes [22:30 25/10/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
    C:\WINDOWS\system32\dllcache\isapnp.sys --a--c- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\drivers\isapnp.sys --a---- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\isapnp.sys ------- 35840 bytes [01:58 02/10/2008] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87

    -= EOF =
  11. Broni Malware Annihilator Posts: 40,051   +187

    OK.

    Download BlitzBlank and save it to your desktop.
    Double click on Blitzblank.exe

    • Click OK at the warning.
    • Click the Script tab and copy/paste the following text there:
    Code:
    CopyFile:
    C:\isapnp.sys C:\WINDOWS\system32\drivers\isapnp.sys
    

    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\

    Check for internet connection and post new System Look log.
  12. JimmaWat Newcomer, in training Posts: 42

    Ran BlitzBlank and rebooted. Internet still not working though. Here is the log:


    BlitzBlank 1.0.0.32

    File/Registry Modification Engine native application
    CopyFileOnReboot: sourceFile = "\??\c:\isapnp.sys", destinationFile = "\??\c:\windows\system32\drivers\isapnp.sys"


    Ran SystemLook with filefind for isapnp.sys again. Here is the log:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 23:08 on 27/08/2011 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "isapnp.sys"
    C:\isapnp.sys --a---- 37248 bytes [01:23 28/08/2011] [01:22 28/08/2011] 5A59964BFB9DCA86AF0C4AE8CC1D6A32
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isapnp.sys ------- 37248 bytes [22:30 25/10/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
    C:\WINDOWS\system32\dllcache\isapnp.sys --a--c- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
    C:\WINDOWS\system32\drivers\isapnp.sys --a---- 37248 bytes [01:07 04/08/2004] [03:01 28/08/2011] 5A59964BFB9DCA86AF0C4AE8CC1D6A32
    C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\isapnp.sys ------- 35840 bytes [01:58 02/10/2008] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87

    -= EOF =-
  13. Broni Malware Annihilator Posts: 40,051   +187

    OK this time it took the file fine.

    Go ahead and retry steps from my reply #29.
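    A way to confirm that a driver replacement actually took, added here as an example (not Broni's instructions or SystemLook's own code): it parses the SystemLook filefind lines quoted in the two logs above and compares the MD5 and size of the copy in system32\drivers against the file dropped into C:\. The sample lines are copied from those logs; the parser, the `verify_replacement` helper and its result keys are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed from the SystemLook "filefind" logs posted in this thread: the
# log taken after the file was dropped into C:\ but before BlitzBlank ran
# (driver unchanged), and the log taken after the BlitzBlank CopyFile run.
BEFORE_BLITZBLANK = r'''
Searching for "isapnp.sys"
C:\isapnp.sys --a---- 37248 bytes [01:23 28/08/2011] [01:22 28/08/2011] 5A59964BFB9DCA86AF0C4AE8CC1D6A32
C:\WINDOWS\system32\dllcache\isapnp.sys --a--c- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
C:\WINDOWS\system32\drivers\isapnp.sys --a---- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
'''
AFTER_BLITZBLANK = r'''
Searching for "isapnp.sys"
C:\isapnp.sys --a---- 37248 bytes [01:23 28/08/2011] [01:22 28/08/2011] 5A59964BFB9DCA86AF0C4AE8CC1D6A32
C:\WINDOWS\system32\dllcache\isapnp.sys --a--c- 35840 bytes [01:07 04/08/2004] [01:07 04/08/2004] E504F706CCB699C2596E9A3DA1596E87
C:\WINDOWS\system32\drivers\isapnp.sys --a---- 37248 bytes [01:07 04/08/2004] [03:01 28/08/2011] 5A59964BFB9DCA86AF0C4AE8CC1D6A32
'''

# One filefind result line: path, 7-char attribute field, size, two bracketed
# timestamps (modified, created) and the MD5. Paths may contain spaces, so the
# path group is non-greedy and anchored by the fixed fields that follow it.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-zA-Z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class FileEntry:
    path: str
    attrs: str
    size: int
    modified: str
    created: str
    md5: str


def parse_filefind(log: str) -> list:
    """Return a FileEntry for every result line of a filefind section.

    The 'Searching for' header, blank lines and anything else that does not
    match the result-line shape are skipped rather than treated as an error.
    """
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(FileEntry(m["path"], m["attrs"], int(m["size"]),
                                     m["modified"], m["created"], m["md5"].upper()))
    return entries


def verify_replacement(log: str, source_path: str, target_path: str) -> dict:
    """Report whether target_path now carries the same MD5 and size as source_path.

    Paths are compared case-insensitively because SystemLook prints them as
    found on disk. The tool's own success message (ComboFix's '-->' FCopy line)
    is not trusted; only the hash in the later log counts.
    """
    by_path = {e.path.lower(): e for e in parse_filefind(log)}
    src = by_path.get(source_path.lower())
    dst = by_path.get(target_path.lower())
    if src is None or dst is None:
        return {"replaced": False, "reason": "source or target not present in log"}
    replaced = src.md5 == dst.md5 and src.size == dst.size
    # Other locations still holding the old bytes (e.g. dllcache) are listed so
    # the reader can see what Windows File Protection might restore from.
    stale = sorted(p for p, e in by_path.items()
                   if p != source_path.lower() and e.md5 != src.md5)
    return {"replaced": replaced, "source_md5": src.md5, "target_md5": dst.md5,
            "target_size": dst.size, "stale_copies": stale,
            "reason": "" if replaced else "target hash/size differ from source"}


if __name__ == "__main__":
    for label, log in (("before BlitzBlank", BEFORE_BLITZBLANK),
                       ("after BlitzBlank", AFTER_BLITZBLANK)):
        result = verify_replacement(log, r"C:\isapnp.sys",
                                    r"C:\WINDOWS\system32\drivers\isapnp.sys")
        print(label, result)
```

    Run on the first log it reports the driver unchanged (the E504... hash), which is what "it doesn't take changes" meant; on the second it reports the 5A59... hash in place, with dllcache listed as a stale copy.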
  14. JimmaWat Newcomer, in training Posts: 42

    Still no internet. Had to skip BITS again because I still can't find my Windows XP CD.

    Something interesting to note: I tried to delete TDSSKiller.exe from my desktop and I couldn't because it said:

    Cannot delete tdsskiller:Access is denied.

    Make sure the disk is not full or write-protected and that the file is not currently in use.

    I can delete anything else on the desktop, just not that. And I know the file isn't being used because I just restarted the computer.
  15. Broni Malware Annihilator Posts: 40,051   +187

    This may be crucial here.
    Possibly we have system files corrupted.
  16. JimmaWat Newcomer, in training Posts: 42

    Hmm ok. I'll look around some more or see if anybody I know has a spare copy. I'll get back to you when I can find one.
  17. Broni Malware Annihilator Posts: 40,051   +187

    Meanwhile...

    Go Start>Run ("Start Search" in Vista/7), type in:
    sfc /scannow
    Click OK (hold CTRL, and SHIFT, hit Enter in Vista/7).
    Have Windows CD/DVD handy (with Vista/7, most likely, you won't need it).
    If System File Checker (sfc) finds any errors, it may ask you for the CD/DVD (rarely in Vista/7 case).

    I realize you don't have that CD yet, but I just want you to check if "sfc" WILL ask you for a CD.
    That way we'll know if some system files are NOT OK.
  18. JimmaWat Newcomer, in training Posts: 42

    I found the original CD (it was in storage) and I popped it in but it still won't recognize the qmgr.dll file it asks for when restoring BITS. And it's weird because I see it right there on the CD. The same happens with my friend's CD. I tried the sfc /scannow and it indeed needed the CD to replace some DLLs and it was taking a while so I left it alone for a bit. When I came back, the screen was completely black and didn't seem responsive for a while, so I did a hard reset and it came back to its normal state, internet still not working. I'll try sfc again and keep a closer eye to see why it black screened.

    Any suggestions?
  19. Broni Malware Annihilator Posts: 40,051   +187

  20. JimmaWat Newcomer, in training Posts: 42

    So I decided to just give up and reinstall Windows. Nothing was working. But everything seems to be working fine now. Internet and all. I didn't do a clean installation so I don't know if there's still anything potentially dangerous still lurking around, but for now, I believe the WINDOWS folder is clean.