Solved Windows update and speakers fail

[sdms96825]

I always check with Windows Explorer to make sure there is nothing on the disk. Based on your statement, I assume that I should not bother doing this. Okay. Will do.

 

[Broni]

Exactly....LOL

 

[sdms96825]

Broni,

I want to mke sure before I do this. My BIOS boot priority looks like this

1. USB FDD
2. ATAPI CDO:HL-DT-STCD-RW/DVD Drive - (PM)
3. USB CD:
4. ATA HDDO: Hitachi HFTS722016k95A00 - (SI)
5. PCI LAN: IBAGE SLOT 00C8 u1240
6. +USB HDD
7. ATA HDD1:
8.

Excluded
:ATA HDD2
ATAPI CD1:

1. Should I just change the positions of #2 and #1?
2. USB FDD -- why would it be looking for a floppy drive as the first priority when there is no floppy drive?

Thanks.

 

[Broni]

No, you're fine

 

[sdms96825]

Morning Bironi,

I have attached the latest MBRcheck log after the CD reboot.

I should alert you to the fact that I have several back-up devices (they are not now attached) and I was wondering how I can insure that none of them are infected? I guess we can address that issue later.

 

[Broni]

Good. MBR issues has been fixed
Good job

Please, re-run Combofix and post new log.

 

[sdms96825]

I rn ComboFix again and saved the log to my desktop. However, when I tried to open Firefox, I got th message:

Illegal operation attempted on registry key that has been marked for deletion."

I then tried to open IE8 and Chrome and got the same message each time.

So, I have driven 20 minutes to the nearest other computer. I was thinking of putting a flash drive in my computer and transferring the combofix.txt file to it, but didn't know if I could be re-introducing an infection.

What should I do?

 

[Broni]

Illegal operation attempted on registry key that has been marked for deletion."

You just have to restart computer. That's all.

 

[sdms96825]

Hi Bironi,

I have attached the latest combofix.txt log for your review.

I am just curious. What are you looking for in this page of (&^*%&$&%&(?

 

[Broni]

What are you looking for in this page of (&^*%&$&%&(?

That, I can't tell you
I don't want bad guys to know

Combofix log looks clean

Do you still use ThreatFire?


Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[sdms96825]

threatfire?

no -- I quit using it (I thought) over a year ago

 

[Broni]

OK. Go on...

 

[sdms96825]

Bironi,

I have attached the OTL.txt file as it would not allow me to paste it in the message since it had too many characters.

 

[sdms96825]

Same problem with Extras log so I have attached it

 

[Broni]

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  SRV - File not found [Auto | Stopped] -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire)
  SRV - File not found [Disabled | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
  DRV - File not found [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\TfSysMon.sys -- (TfSysMon)
  DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TfNetMon.sys -- (TfNetMon)
  DRV - File not found [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\TfFsMon.sys -- (TfFsMon)
  O3 - HKLM\..\Toolbar: (no name) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - No CLSID value found.
  O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - No CLSID value found.
  O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
  O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  O9 - Extra Button: FreshDownload - {C8D4B481-EC67-4F44-A179-1A1867B7E4F6} - C:\Program Files\FreshDevices\FreshDownload\fd.exe File not found
  O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
  O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
  O30 - LSA: Security Packages - (Z2가㫏笔 摷杩獥⹴汤l@뻯㬏┳㬏┳&) -  File not found
  O30 - LSA: Security Packages - (ቹ) -  File not found
  O30 - LSA: Security Packages - () -  File not found
  @Alternate Data Stream - 149 bytes -> C:\ProgramData\TEMP:D1B5B4F1
  @Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:1CA73D29
  
  
  :Services
  
  :Reg
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
  "DisableMonitoring" =-
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
  "AntiVirusOverride" =-
  
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.

=====================================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

2. Download Temp File Cleaner (TFC)

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

3. Go to Kaspersky website and perform an online antivirus scan.

• Disable your active antivirus program.
• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  
  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

 

[sdms96825]

Bironi,

I ran the OTL again and when I re-booted I typed in my password like usual and the Welcome sign came up and the little circular thing strted spinning and then I got one of those red circles with a white X in it that said the password is invlid. I did this a few times and now it says "The handle is invalid" I KNOW my password as it has been the same since I bought the computer. I also have that fingerprint swipe, so I tried hnging users but tht did not work.

Any suggestions?

Thanks.

 

[Broni]

Hmmm....
This is not the best solution, but, since we have no other choice....
Try "Last known good configuration".

 

[sdms96825]

Do I find tht when I re-boot and push the blue ThinkVantage button?

 

[Broni]

Restart and keep TAPPING F8 key until menu appears.

 

[sdms96825]

WHEW! I'm glad that worked!

Here is the OTL log after the run/fix (I will now do the other scans) (do the last 3 lines tell why I was unable to re-boot with my password at first?)

All processes killed
========== OTL ==========
Service ThreatFire stopped successfully!
Service ThreatFire deleted successfully!
File C:\Program Files\ThreatFire\TFService.exe not found.
Service aawservice stopped successfully!
Service aawservice deleted successfully!
File C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe not found.
Service TfSysMon stopped successfully!
Service TfSysMon deleted successfully!
File C:\Windows\System32\drivers\TfSysMon.sys not found.
Service TfNetMon stopped successfully!
Service TfNetMon deleted successfully!
File C:\Windows\System32\drivers\TfNetMon.sys not found.
Service TfFsMon stopped successfully!
Service TfFsMon deleted successfully!
File C:\Windows\System32\drivers\TfFsMon.sys not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{ED0E8CA5-42FB-4B18-997B-769E0408E79D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ED0E8CA5-42FB-4B18-997B-769E0408E79D}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{C8D4B481-EC67-4F44-A179-1A1867B7E4F6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C8D4B481-EC67-4F44-A179-1A1867B7E4F6}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\Windows\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages:Z2가㫏笔 摷杩獥⹴汤l@뻯㬏┳㬏┳& deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages:ቹ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages deleted successfully.
ADS C:\ProgramData\TEMP1B5B4F1 deleted successfully.
ADS C:\ProgramData\TEMP:1CA73D29 deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\\DisableMonitoring deleted successfully.
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\\AntiVirusOverride scheduled to be deleted on reboot.
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: DMS
->Temp folder emptied: 34302 bytes
->Temporary Internet Files folder emptied: 398066 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 40129382 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 913 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7004 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 39.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: DMS
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.11.0 log created on 08292010_134336

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\\AntiVirusOverride scheduled to be deleted on reboot.

 

[sdms96825]

Bironi,

Here is the log from running SecurityCheck:

Results of screen317's Security Check version 0.99.5
Windows Vista Service Pack 1 (UAC is enabled)
Out of date service pack!!
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 21
Adobe Flash Player 10.1.82.76
Adobe Reader 9.3.4
Mozilla Firefox (3.6.8)
Mozilla Thunderbird (3.1.2)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSASCui.exe
Spybot Teatimer.exe is disabled!
Alwil Software Avast4 aswUpdSv.exe
Alwil Software Avast4 ashServ.exe
Alwil Software Avast4 ashDisp.exe
Alwil Software Avast4 ashMaiSv.exe
Alwil Software Avast4 ashWebSv.exe
Windows Defender MSASCui.exe
````````````````````````````````
DNS Vulnerability Check:
Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

``````````End of Log````````````

 

[sdms96825]

By the way, the spybot tea timer is disabled because I disabled it when I started all of these scans. Is it okay to enable it again yet?

 

[Broni]

Good news

You may want to wait with Spybot until you're done with Kaspersky.

 

[sdms96825]

Kaspersky may take awhile as my download speed is only 8-10 kbps and it is downloading some Kaspersky updates that are over 94 Mb!!

 

[Broni]

No worries...
I'll meet you back here after good night sleep