[Closed] Search redirect, Ping.exe, Rootkit.Gen2


winxpuser

Looking for help with the following issues.

1) Google and Yahoo search results are redirected

2) Ping.exe appears in Task Manager - don't recall seeing it before

3) Avira warns that Rootkit.Gen2 is present

4) Occasionally get new Tab in Firefox opening

5) Occasionally get TCP/IP error from Windows

Thanks for your help!

Step 2 - (Anti-Malware Log)

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8211

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

11/21/2011 7:07:39 PM
mbam-log-2011-11-21 (19-07-39).txt

Scan type: Quick scan
Objects scanned: 196052
Time elapsed: 6 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Step 3 - GMER Log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-11-21 19:13:13
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST316002 rev.8.05
Running: gmer.exe; Driver: C:\DOCUME~1\Rich\LOCALS~1\Temp\fgdyapod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 kbdcap.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 kbdcap.SYS

---- EOF - GMER 1.0.15 ----
 
Welcome back to this forum - one you would most likely not have to come back to! I'll be glad to help with the malware.

About the server problem> no, that is not a common problem on TechSpot. But I would like you to see if this problem occurs if you try to access another site. When is this message coming up? When you click on Post or when you attempt to get the site?

Servers can become overloaded anywhere, but I haven't seen it when I've attempted anything here. When you are ready to post, do a right click on the Taskbar> Task Manager> if ping.exe is running, highlight it then click on End Task. See if that allows you to post the 2 DDS logs.
---------------------------------------
Let's see if we can find anything with the following scan:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the ESET Smart Installer link to download it. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export to text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

You do need an internet connection to run this- but it's short and has a small log.
 
Bobbye,

Thanks for the reply.

I receive the 'Server Timeout' error when I click 'Submit Reply'. I have tried ending the ping.exe process in Task Manager as you suggested, but still get the same error when I try to reply. After a few minutes, ping.exe reappears. It took several tries to get the above replies to go through.

I will run the online scan you suggested and reply back shortly.

Thanks again for the help!

*****Updated - Had no trouble submitting this reply.
 
I think you jinxed me! About 5 minutes after I replied to you, my internet went down! It wasn't TechSpot though.

Post the logs when you're finished. I do know that Julio has been doing some work on TechSpot. There is a possibility that something might have been going on that caused the intermittent problem. Let me know if it happens here again and I'll send him a PM.
 
Bobbye,

Here is the log from ESET

C:\Program Files\FlashGet\ads\cache434\B_434_2_1_613800.htm HTML/ScrInject.B.Gen virus
Operating memory multiple threats
 
Bobbye,

Since my last post, I have lost access to the internet. When I try to enable my network connection, I am unable to get an IP for the PC that is infected. All other PCs connected to the same router are fine.

I think this is related to the above problems.

Is it a good idea to copy the log files from the infected PC, move them to another PC using a USB drive, and upload here? I don't want to spread the problem to another PC.

Thanks again for all of your help.
 
You can download programs to a flash drive, then run them on the infected computer. If you cannot get access to paste, save the log first. Then copy it to the flash drive and paste it here.

Please go ahead and run the following for the Eset entries:

Please download OTMoveIt by OldTimer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\Program Files\FlashGet\ads\cache434\B_434_2_1_613800.htm
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Try the internet access after you remove the above.
 
Bobbye,

Log file from MoveIt is below

Still unable to connect to internet.

When I go into Network Connections, I right click Local Area Connection. The Status gets to 'Acquiring Network Address' and goes no further.

I right clicked and selected Repair and received the notice that Windows could not repair because it was unable to Renew IP Address.

All processes killed
========== FILES ==========
C:\Program Files\FlashGet\ads\cache434\B_434_2_1_613800.htm moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 2129280 bytes
->Temporary Internet Files folder emptied: 782098 bytes
->Flash cache emptied: 83 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes
->Flash cache emptied: 83 bytes

User: Jorene
->Temp folder emptied: 45198186 bytes
->Temporary Internet Files folder emptied: 22038501 bytes
->Java cache emptied: 64745 bytes
->FireFox cache emptied: 35993695 bytes
->Flash cache emptied: 732 bytes

User: LocalService
->Temp folder emptied: 2055272 bytes
->Temporary Internet Files folder emptied: 1646058 bytes
->Flash cache emptied: 405 bytes

User: NetworkService
->Temp folder emptied: 1986088 bytes
->Temporary Internet Files folder emptied: 175368483 bytes
->Flash cache emptied: 8103 bytes

User: Rich
->Temp folder emptied: 739063785 bytes
->Temporary Internet Files folder emptied: 1901627 bytes
->Java cache emptied: 471823 bytes
->FireFox cache emptied: 117306430 bytes
->Flash cache emptied: 1830 bytes

%systemdrive% .tmp files removed: 6597 bytes
%systemroot% .tmp files removed: 129209 bytes
%systemroot%\System32 .tmp files removed: 2405721 bytes
%systemroot%\System32\dllcache .tmp files removed: 33792 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8240303 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 688687 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,104.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 11222011_095722

Thanks!
 
After running MoveIt, I re-ran scans and copied using flash drive.

Results below.

Malwarebytes Log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8211

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

11/22/2011 10:16:22 AM
mbam-log-2011-11-22 (10-16-22).txt

Scan type: Quick scan
Objects scanned: 191917
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER Log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-11-22 10:18:43
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST316002 rev.8.05
Running: gmer.exe; Driver: C:\DOCUME~1\Rich\LOCALS~1\Temp\fgdyapod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 kbdcap.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 kbdcap.SYS

---- EOF - GMER 1.0.15 ----

DDS Log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_26
Run by Rich at 10:19:05 on 2011-11-22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2640 [GMT -5:00]
.
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Windows SteadyState\SCTSvc.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Windows SteadyState\Bubble.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FlashCatchBHO Class: {88618a96-6d8a-42e7-b932-9073d5b2080f} - c:\program files\flashcatch\flashcatch.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: IeCatch2 Class: {a5366673-e8ca-11d3-9cd9-0090271d075b} - c:\program files\flashget\jccatch.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: FlashCatch: {10cecf4f-a96e-4803-8ac2-f565fb29ff47} - c:\program files\flashcatch\flashcatch.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4D5E343-9494-97E4-8635-440B49E25FD5} - No File
TB: {CF745ACA-6FA6-45ED-AB49-E10A0D1870C5} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
mRun: [Bubble] c:\program files\windows steadystate\Bubble.exe
mRun: [Logoff] c:\program files\windows steadystate\SCTUINotify.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [ISW]
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [msiexec.exe] msiconf.exe
mPolicies-system: HideFastUserSwitching = 1 (0x1)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\flashget.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1302816107968
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306104091687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-000000000000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{594FB6E3-AFDE-4E88-BF61-4DA9C1952C2A} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: jbtmqa.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\rich\application data\mozilla\firefox\profiles\4gb4jobp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-11-21 36000]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-4 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-7-10 116608]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-11-21 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-11-21 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-11-21 74640]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\windows\system32\drivers\mdc80211.sys [2006-5-22 15793]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2004-5-21 114944]
R2 Windows SteadyState;Windows SteadyState Service;c:\program files\windows steadystate\SCTSvc.exe [2008-5-30 115728]
R3 kbdcap;kbdcap;c:\windows\system32\drivers\KbdCap.sys [2007-4-20 109440]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;\??\c:\program files\checkpoint\zaforcefield\iswkl.sys --> c:\program files\checkpoint\zaforcefield\ISWKL.sys [?]
S2 IswSvc;ZoneAlarm Toolbar IswSvc;"c:\program files\checkpoint\zaforcefield\iswsvc.exe" --> c:\program files\checkpoint\zaforcefield\IswSvc.exe [?]
S3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys --> c:\windows\system32\drivers\appliand.sys [?]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 musbehco;musbehco;\??\c:\docume~1\rich\locals~1\temp\musbehco.sys --> c:\docume~1\rich\locals~1\temp\musbehco.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 12872]
S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\drivers\SDSTOR2K.SYS [2005-9-5 37781]
S3 STSService;STSService;c:\program files\soundtaxi media suite\STSService.exe [2010-3-19 344064]
S4 iPCAgent;iPCAgent;c:\program files\ipass\ipassconnect\ipcagent.exe --> c:\program files\ipass\ipassconnect\iPCAgent.exe [?]
.
=============== File Associations ===============
.
.txt=CrimsonEditor.txt
.
=============== Created Last 30 ================
.
2011-11-22 14:57:22 -------- d-----w- C:\_OTM
2011-11-22 02:06:56 -------- d-----w- c:\program files\ESET
2011-11-21 22:17:44 -------- d-----w- c:\documents and settings\rich\application data\Avira
2011-11-21 22:11:54 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-11-21 22:11:54 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-11-21 22:11:53 -------- d-----w- c:\program files\Avira
2011-11-21 22:11:53 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-11-13 15:04:17 -------- d-----w- c:\windows\Internet Logs
2011-11-13 15:02:34 -------- d-----w- c:\documents and settings\all users\application data\CheckPoint
2011-11-12 18:45:58 -------- d-----w- c:\documents and settings\rich\local settings\application data\SmartPadUsb
2011-10-27 00:45:41 -------- d-----w- c:\program files\JDownloader
.
==================== Find3M ====================
.
2011-10-13 00:52:02 48 ----a-w- c:\windows\wpd99.drv
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 10:19:51.20 ===============


Attach Log

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 9/15/2004 7:47:51 PM
System Uptime: 11/22/2011 9:59:36 AM (1 hours ago)
.
Motherboard: Dell Inc. | | 0J3492
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 145 GiB total, 121.214 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom NetXtreme 57xx Gigabit Controller
Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_01771028&REV_01\4&1D7EFF9E&0&00E0
Manufacturer: Broadcom
Name: Broadcom NetXtreme 57xx Gigabit Controller
PNP Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_01771028&REV_01\4&1D7EFF9E&0&00E0
Service: b57w2k
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\1105C30A23C04
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\1105C30A23C04
Service: NIC1394
.
==== System Restore Points ===================
.
RP331: 10/16/2011 3:10:01 PM - System Checkpoint
RP332: 10/17/2011 6:34:20 PM - System Checkpoint
RP333: 10/20/2011 6:34:05 PM - System Checkpoint
RP334: 10/21/2011 11:38:01 PM - System Checkpoint
RP335: 10/23/2011 5:38:54 PM - System Checkpoint
RP336: 10/24/2011 8:31:02 PM - System Checkpoint
RP337: 10/25/2011 9:03:33 PM - System Checkpoint
RP338: 10/27/2011 9:21:33 PM - System Checkpoint
RP339: 10/29/2011 12:17:59 AM - System Checkpoint
RP340: 10/31/2011 4:44:13 PM - System Checkpoint
RP341: 11/2/2011 6:15:57 PM - System Checkpoint
RP342: 11/6/2011 3:46:33 PM - System Checkpoint
RP343: 11/7/2011 8:43:03 PM - System Checkpoint
RP344: 11/9/2011 6:13:50 PM - System Checkpoint
RP345: 11/10/2011 6:14:52 PM - System Checkpoint
RP346: 11/11/2011 6:49:35 PM - System Checkpoint
RP347: 11/13/2011 12:22:24 PM - System Checkpoint
RP348: 11/14/2011 8:12:03 PM - System Checkpoint
RP349: 11/15/2011 8:37:27 PM - System Checkpoint
RP350: 11/16/2011 9:20:07 PM - System Checkpoint
RP351: 11/19/2011 5:29:31 PM - System Checkpoint
RP352: 11/20/2011 5:55:52 PM - System Checkpoint
RP353: 11/21/2011 5:07:42 PM - Removed Ad-Aware
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader X (10.1.1)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
Audacity 1.2.6
AutoUpdate
Avira Free Antivirus
Banctec Service Agreement
Battlefield 2(TM)
Bonjour
Broadcom Advanced Control Suite 2
CCleaner
CCScore
Cisco Connect
Creative MediaSource
Crimson Editor (remove only)
Cryptainer LE
Data Lifeguard Diagnostic for Windows 1.22
Dell Driver Reset Tool
Dell Networking Guide
DivX
DivX Player
DriveImage XML
ESET Online Scanner v3
ESSBrwr
ESSCDBK
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
ffdshow [rev 1972] [2008-05-24]
FlashCatch
FlashGet(JetCar)
FLV Player 1.3.3
GameSpy Arcade
GOM Player
Google SketchUp 8
Help and Support Customization
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Intel Application Accelerator
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Processor ID Utility
IrfanView (remove only)
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java Auto Updater
Java(TM) 6 Update 26
JDownloader
K-Lite Mega Codec Pack 4.9.0
LAME v3.98.3 for Audacity
Malwarebytes' Anti-Malware version 1.51.2.1300
MATLAB 2-11-2007
Media Player Classic - Home Cinema v1.4.2499.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft AntiSpyware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Word 2002
Microsoft Works
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
MobileMe Control Panel
Movie Joiner v4
Moyea FLV Player version 1.5.2.7
Mozilla Firefox 7.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
netbrdg
NVIDIA Control Panel 266.58
NVIDIA Drivers
NVIDIA Graphics Driver 266.58
NVIDIA Install Application
NVIDIA nTune
NVIDIA nView 135.50
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA PhysX System Software 9.10.0514
OfotoXMI
Opera Plug-in for FlashGet
Orbit Downloader
Pdf995
PlayFLV
PunkBuster Services
QuickTime
RealPlayer
SanDisk ImageMate/SecureMate
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
SHASTA
Shockwave
skin0001
SKINXSDK
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
Sound Blaster Audigy 2
SoundTaxi Media Suite 3.9.9
staticcr
SUPERAntiSpyware Free Edition
System Requirements Lab
System Requirements Lab for Intel
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC 9.0 Runtime
VPRINTOL
WebFldrs XP
WinAce Archiver
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Script V5.6 Documentation
Windows SteadyState
Windows XP Service Pack 3
WinPcap 4.0.2
WIRELESS
Xvid 1.1.3 final uninstall
XviD MPEG-4 Codec
ZoneAlarm Toolbar
.
==== Event Viewer Messages From Past Week ========
.
11/22/2011 9:57:23 AM, error: Service Control Manager [7034] - The IAA Event Monitor service terminated unexpectedly. It has done this 1 time(s).
11/22/2011 9:57:23 AM, error: Service Control Manager [7034] - The Cryptainer service service terminated unexpectedly. It has done this 1 time(s).
11/22/2011 9:57:23 AM, error: Service Control Manager [7031] - The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
11/22/2011 9:57:22 AM, error: Service Control Manager [7034] - The Windows SteadyState Service service terminated unexpectedly. It has done this 1 time(s).
11/22/2011 9:57:22 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
11/22/2011 6:19:29 AM, error: Service Control Manager [7003] - The Network Location Awareness (NLA) service depends on the following nonexistent service: Afd
11/22/2011 6:19:04 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A socket operation encountered a dead network.
11/22/2011 6:19:03 AM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: A socket operation encountered a dead network.
11/22/2011 6:17:44 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Windows SteadyState service.
11/22/2011 6:17:44 AM, error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends on the following nonexistent service: Afd
11/22/2011 6:17:44 AM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: Afd
11/22/2011 6:17:44 AM, error: Service Control Manager [7001] - The ZoneAlarm Toolbar IswSvc service depends on the ZoneAlarm Toolbar ISWKL service which failed to start because of the following error: The system cannot find the path specified.
11/22/2011 6:17:44 AM, error: Service Control Manager [7000] - The ZoneAlarm Toolbar ISWKL service failed to start due to the following error: The system cannot find the path specified.
11/22/2011 2:00:17 AM, error: Removable Storage Service [111] - RSM could not load media in drive Drive 0 of library USB Device.
11/22/2011 12:46:50 AM, error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
11/22/2011 12:31:29 AM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the AFD Networking Support Environment service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
11/22/2011 10:12:53 AM, error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================
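A triage pass over the DDS log above, as an added example that is not a tool used in this thread. It applies generic heuristics to lines in DDS format: a Run entry whose target is a bare file name (resolved through PATH, so there is nothing at a known location to verify) or whose label names one Windows binary while launching another, an entry in the Default User hive, a non-empty AppInit_DLLs value, a driver loading from a Temp directory, orphaned 'No File' entries, and Service Control Manager events about a missing dependency. The sample lines are copied in shape from the posted log; the set of core networking services and the severities are this example's own assumptions. A hit is a prompt to verify the file, not a verdict: GMER, for instance, loads its own driver from Temp, as the GMER header in the log shows. The event-log lines reporting that DHCP Client and the TCP/IP NetBIOS Helper depend on a nonexistent Afd service are the entries this rule set ranks highest, and they are consistent with the 'Acquiring Network Address' hang described earlier in the thread.

```python
"""Triage rules for a DDS-style log.

Added example, not a tool from the thread. Each rule is a generic heuristic;
a finding means "verify this", not "this is malware".
"""
import re

# Run-key lines: uRun (current user), mRun (machine), dRun (Default User profile).
RUN_LINE = re.compile(r'^(?P<hive>[umd])Run: \[(?P<label>[^\]]*)\]\s*(?P<cmd>.*)$')
# Service/driver lines: "R3 name;display;path [date size]" or "... --> path [?]".
DRIVER_LINE = re.compile(r'^(?P<state>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.*?)(?: \[.*\])?$')
SCM_MISSING_DEP = re.compile(r'depends on the following nonexistent service: (?P<svc>\w+)')
# Services whose absence breaks IP networking on XP (illustrative list, an assumption of this example).
CORE_NET_SERVICES = {'afd', 'tcpip', 'netbt', 'dhcp', 'dnscache', 'ipsec'}

# Constructed sample: same shape as the posted DDS log, trimmed to a few lines.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [msiexec.exe] msiconf.exe
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
AppInit_DLLs: jbtmqa.dll
LSP: mswsock.dll
R3 kbdcap;kbdcap;c:\windows\system32\drivers\KbdCap.sys [2007-4-20 109440]
S3 musbehco;musbehco;\??\c:\docume~1\rich\locals~1\temp\musbehco.sys --> c:\docume~1\rich\locals~1\temp\musbehco.sys [?]
11/22/2011 6:17:44 AM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: Afd
"""


def extract_executable(cmd):
    """Return the program a Run-key command launches, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def check_line(line):
    """Return a list of (severity, rule, line) findings for one DDS log line."""
    findings = []
    text = line.rstrip()

    m = RUN_LINE.match(text)
    if m:
        exe = extract_executable(m.group('cmd'))
        if exe and '\\' not in exe and '/' not in exe:
            # Bare file name: resolved through PATH, nothing at a known path to verify.
            findings.append(('high', 'unqualified-run-target', text))
        label = m.group('label').lower()
        basename = exe.replace('/', '\\').rsplit('\\', 1)[-1].lower()
        if label.endswith('.exe') and exe and label != basename:
            # Entry named like a Windows binary but launching a different file.
            findings.append(('high', 'run-label-mismatch', text))
        if m.group('hive') == 'd':
            # Default User hive: copied into every new profile, rarely touched by legitimate software.
            findings.append(('medium', 'default-user-run', text))
        return findings

    if text.startswith('AppInit_DLLs:') and text.split(':', 1)[1].strip():
        # Loaded into every process that loads user32.dll; each listed DLL needs verifying.
        findings.append(('high', 'appinit-dll', text))
        return findings

    if text.endswith('- No File'):
        findings.append(('info', 'orphaned-entry', text))
        return findings

    m = DRIVER_LINE.match(text)
    if m:
        if '\\temp\\' in m.group('path').lower():
            # Kernel code from a Temp directory: verify (scanners such as GMER do this too).
            findings.append(('medium', 'driver-in-temp', text))
        if text.endswith('[?]'):
            findings.append(('info', 'driver-file-missing', text))
        return findings

    m = SCM_MISSING_DEP.search(text)
    if m:
        sev = 'high' if m.group('svc').lower() in CORE_NET_SERVICES else 'medium'
        findings.append((sev, 'missing-service-dependency', text))
    return findings


def triage(log_text):
    """Run check_line over every line and return the findings in log order."""
    out = []
    for line in log_text.splitlines():
        out.extend(check_line(line))
    return out


if __name__ == '__main__':
    for severity, rule, line in triage(SAMPLE_LOG):
        print(severity.ljust(6), rule.ljust(28), line)
```

Run against the full DDS log, the unqualified-target rule also trips on the RUNDLL32.EXE entries (Tweak UI, NvMcTray, NvCpl), which is intended: an entry with no path is one you confirm by hand, whichever vendor name it carries.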
 
Bobbye,

After reading up on the issue of not being able to connect to the network, I decided to pull the hard drive and do a complete re-install of XP on another hard drive I had.

I just had a feeling that the trouble to recover would be much greater than a new install.

Can you offer any suggestions on pulling some of the data files from the infected drive? I have an external USB enclosure I could use.

Also, any recommendations on which firewall/antispyware/antivirus to use? I had been running Avira/SuperAntiSpyware/ZoneAlarm at the same time, and encountered the infection after an upgrade of ZoneAlarm.

Thanks again for your help. If you feel the need to solve this, I am willing to re-install the infected drive to try to clean it up.

Thanks again.
 
I would have liked for you to stick it out a bit longer. I would have had you run ComboFix> it should have picked up and quarantined the ping.exe entries. Depending on what I saw in that log, I might have gone on and had you run OTL.

There is a procedure to run from Eset also that does a good job on this malware.

I'm shutting down now so I'll be back tomorrow with some security suggestions
 
Bobbye,

I am willing to re-install the infected drive and give it a shot. I do have some files on the infected drive I would like to retrieve. Let me know what to run and if I have some time tomorrow I can give it a shot.

The XP reinstall went OK - I had to start with an XP SP1 disk and upgrade to SP 3 over the net - the MS site was not very cooperative. I was also able to get around HD drivers thanks to my BIOS recognizing the drive - that was one bit of good luck.

I am currently running Avira and MS Security Center Firewall. I also installed Microsoft Security Essentials - I do need advice on which to keep.
 
Bobbye - I have several files on the infected drive I would like to retrieve. Is it safe to connect using an external USB drive and extract the files, or should I connect as a boot drive and attempt to clean it before retrieving files?

Appreciate your input!
 
You need to consider what you're going to do with those files you extract:

1. Connect flash drive and move the files to it.
2. Disinfect the flash drive before you connect it to a clean hard drive.
You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

Please disinfect all movable drives:
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
or this: (not both, it's either/or)
  • Please download Panda USB Vaccine (you must provide a valid e-mail and they will send you the download link to this e-mail address) to your desktop.
  • Install and run it.
  • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.
======================================
3. Save the files you move from the USB to the desktop. Do a right click> Delete and scan with the AV. If they are clean, you can chance putting them on the clean drive. But keep in mind that there were numerous infecting processes.

You really pulled out much too soon- our initial steps are called "preliminary" for a reason, because that's what they are. We use the information from those logs along with any description you give, to try and determine what malware is on the system and how best to remove it. You hardly gave it a chance.
=====================================
Per your request:
Tips for added security and safer browsing: (Links are in Bold Blue)
  1. Browser Security
    [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
    [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
    [o] Replace the Host Files
    [o] Google Toolbar Pop Up Blocker
    [o] Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
  2. Have layered Security:
    [o] Antivirus (only one): Both of the following programs are free and known to be good:
    [o] Avira-AntiVir-Personal-Free-Antivirus
    [o] Avast-Free Antivirus
    [o] Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
    [o] Comodo
    [o] Zone Alarm
  3. Antimalware: I recommend all of the following:
    [o] Spywareblaster: SpywareBlaster protects against bad ActiveX.
    [o] Spybot Search & Destroy
  4. Updates: Stay current:
    [o] the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
    [o] Adobe Reader: Install current, uninstall old.
    [o] Java Updates: Install current, uninstall old.
  5. Tracking Cookies
    Reset Cookie:
    [o] For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o] For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
    [o] For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
  6. Do regular Maintenance
    Clean the temporary internet files often:
    [o] Temporary File Cleaner
    or
    [o] ATF Cleaner by Atribune
  7. Restore Points:
    [o] See System Restore Guide
  8. Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Please let me know if you find any bad link.
 
Bobbye - Thanks for the help, but I don't understand your instructions for retrieving the files from the infected drive.

The infected drive was my boot drive. I have created a new boot drive and it is working fine.

I have installed the infected drive in an external USB enclosure.

I would like to copy the following data from the infected drive:

1) Documents - mostly .pdf and .xls files
2) Music files - .mp3's and my iTunes library
3) Microsoft Office 2000 CD Key

Before connecting to this USB drive, I would like to make sure I do not re-infect my system.

If we need to go back a couple steps to disinfect the infected drive, I can reinstall the infected drive as my boot drive and continue on the path we were on. I think you were suggesting I run Combofix. (Post 13).
 
Before connecting to this USB drive, I would like to make sure I do not re-infect my system.

Go to Darik's Boot And Nuke and download whichever version of your choice (floppy or cd/dvd).
  • Turn off your computer and unplug ALL HARDDRIVES (IDE and USB connected).
  • Plug in the INFECTED hard drive only.
  • Load whichever version of the program you downloaded
  • There will be some options- one pass should clear
  • The program is a stand alone so no OS needed.
 
Bobbye - Looks like this will delete all the data on the drive. That is not what I want. I would like to retrieve some of the files.

Thanks again for your help.
 
It seems to me that you are asking the impossible! You want to get files from the infected drive. But you don't want to connect the drive to anything.

I do not have any more suggestions for you.
 
Bobbye - I am OK connecting the infected drive, I just want to make sure I do not transfer the infection from the infected files to the new boot drive.

I am also willing to try and clean the infected drive.

My goal is to retrieve a few data files without infecting the new boot drive.

Can you help with this? If the best way to do this is to try and clean the drive using combofix, I will try this. If you can suggest a better way, I will try that too.

Your suggestion of running Darik's Boot And Nuke on the infected drive makes sense once I retrieve the data files.

What is not clear to me is how to retrieve files from the infected drive without spreading the infection to the new drive.
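One way to do the extraction step being discussed here (copy only data files off the mounted drive, refuse anything that is actually a Windows executable, skip autorun.inf, and hash what was copied so the staging folder can be scanned before use), as an added example that is not from either poster. It assumes the infected drive shows up as E:\ in the USB enclosure and that C:\recovered is the staging folder; both paths are constructed placeholders.

```python
import hashlib
import os
import shutil

# File types the poster wants back (.itl/.xml cover the iTunes library);
# nothing Windows will execute. Extend as needed.
ALLOWED_EXT = {".pdf", ".xls", ".mp3", ".m4a", ".itl", ".xml", ".txt"}
# Names removable-drive worms rely on; never copy these as files or folders.
BLOCKED_NAMES = {"autorun.inf", "desktop.ini", "thumbs.db"}
# Windows executables (EXE/DLL/SCR) start with "MZ" whatever they are named.
PE_MAGIC = b"MZ"


def is_safe_data_file(path, head=None):
    """True if the name is allowed and the leading bytes are not a PE header."""
    # head: the file's first bytes; read from disk when not supplied.
    name = os.path.basename(path).lower()
    if name in BLOCKED_NAMES or os.path.splitext(name)[1] not in ALLOWED_EXT:
        return False
    if head is None:
        with open(path, "rb") as fh:
            head = fh.read(2)
    return not head.startswith(PE_MAGIC)


def copy_data_files(src_root, dst_root):
    """Walk src_root, copy only safe files, return {relpath: sha256}."""
    # copyfile copies content only (no NTFS ACLs or alternate data streams).
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(src_root):
        # Skip blocked folder names (for example a worm-planted autorun.inf).
        dirnames[:] = [d for d in dirnames if d.lower() not in BLOCKED_NAMES]
        for fn in filenames:
            src = os.path.join(dirpath, fn)
            if not is_safe_data_file(src):
                continue
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copyfile(src, dst)
            with open(dst, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


if __name__ == "__main__":
    # Assumed paths: drive letter of the USB enclosure and a staging folder.
    copied = copy_data_files(r"E:\Documents and Settings", r"C:\recovered")
    for rel, digest in sorted(copied.items()):
        print(digest, rel)  # keep this list; scan C:\recovered with the AV
```

Run it from the clean machine with the enclosure attached, then scan C:\recovered with the AV before moving anything into its final place.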
 
This may be a hard lesson for you, but learn it now so you don't find yourself in the same fix again!

Backup, backup, backup!!!!

When you have special files/folders/tunes or other, save it before the bad stuff happens!

The only thing I can consider is for you to go back where we were at the end of Reply #11- put the drive back and let's try to clean it. There were entries in the earlier logs I would have removed> for instance, you are running this:
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
It's not helping the system because it's 5 years out of date! It is for:

GIANT AntiSpyware was a spyware detection and removal application developed by GIANT Company Software, Inc.

GIANT Company Software, Inc. was acquired by Microsoft Corporation on December 16, 2004.[1] GIANT AntiSpyware is no longer sold and Microsoft stopped releasing spyware definition updates for it in August 2006.
-----------------------------------
You are at risk with this:
1. Orbit Downloader is a free social music,video and file downloader.
2. Flashget Download Manager> Added by the W32/Rbot-AGZ WORM/IRC backdoor trojan!

If you can undo what you've done, I'll help try to clean the drive. Hopefully you can then get your files and when the system is clean, you can do a full backup.

Cleaning is orderly, sometimes very time consuming. But I am not willing to spend more time on this if you decide to pull the plug barely into the process.

You may lose the docs and the music- I cannot guarantee that you won't or that the files won't get corrupted.
 
OK - I will reinstall the drive and attempt to continue the cleaning.

Based on what I posted in the logs (Posts 10 and 11), what is the next step?
 
Let's have Combofix do some of the work:
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    Note:Ignore the Combofix query about the Recovery Console if running from the USB drive. Just go on with the scan.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated- it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
========================================
After I see this log I will be better able to give you the next step.

Note: I see OTM Total Files Cleaned = 1,104.00 mb. That is an exceptionally large number of files. Suggest you increase- or start- doing maintenance on the system.
 
Bobbye,

I am not able to establish a network connection.

I downloaded combofix on another machine and transferred to the infected machine with a USB flash drive. I ran combofix, and was told it needed to install Windows Restore Console by connecting to the Internet. Since I cannot connect, combofix could not run.

Is there an alternate method for getting Windows Recovery Console on the infected machine (e.g. download on a different machine and transfer by USB drive)?

Should I try running in Safe Mode with Networking in order to try and regain access to the internet and run combofix?

Thanks for your help.
 