Solved Help removing virus on drivers ending with netbt.sys & cdrom.sys

Windex

After removing threats using AVG, I was prompted to restart for changes to take effect. Then came the blue screen on my Dell Inspiron 1501. I went into Staples to get a diagnostic and make sure there were no physical problems. It came out clean physically.

I still cannot boot normally. When I do boot, I have to go through the boot screen pressing F8 and "Enable boot logging" to get the system to operate. Steps I have taken to resolve this issue: updated and ran an AVG virus scan, ran Malwarebytes. Logs have shown that I have two threats (listed in subject) that are "white listed" and cannot be removed due to their attachment to critical system files.

All data has been backed up and I can even restore the OS if necessary. Please help.

Thanks
Windex
 
Welcome aboard


Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
Logs, sorry for the delay.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8140

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/14/2011 6:57:33 PM
mbam-log-2011-11-14 (18-57-33).txt

Scan type: Quick scan
Objects scanned: 51003
Time elapsed: 14 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


_____________

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-14 22:24:51
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 Hitachi_HTS541680J9SA00 rev.SB2OC74P
Running: GMER.exe; Driver: C:\DOCUME~1\Michael\LOCALS~1\Temp\kglcakob.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[192] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1757981266-73586283-1801674531-1004@RefCount 61

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB42967$\2303012498 0 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\bckfg.tmp 847 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\cfg.ini 366 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\keywords 0 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\L 0 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\L\exeuavms 162816 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\U 0 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\U\80000032.@ 96256 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2328178969 0 bytes
File C:\WINDOWS\$NtUninstallKB22568$\2303012498 0 bytes
File C:\WINDOWS\$NtUninstallKB22568$\2303012498\L 0 bytes
File C:\WINDOWS\$NtUninstallKB22568$\2303012498\U 0 bytes
File C:\WINDOWS\$NtUninstallKB22568$\61065199 0 bytes

---- EOF - GMER 1.0.15 ----

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Michael at 22:26:44 on 2011-11-14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.509 [GMT -8:00]
.
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Michael\Desktop\LeapFrog Connect\CommandService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\rpcnet.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\Michael\Desktop\LeapFrog Connect\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://www.msn.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Monitor] "c:\documents and settings\michael\desktop\leapfrog connect\Monitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Search - http://tbedits.mywebsearch.com/one-...JUS&si=&a=xSNQ2VBJBNmv7Nyn8kTXOA&n=2010040518
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: secureserver.net\email17
Trusted Zone: ucla.edu\remote.mednet
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://myportfolio.brownshoe.com/vdesk/terminal/f5tunsrv.cab#version=6030,2009,811,2213
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - c:\docume~1\michael\locals~1\temp\ixp000.tmp\InstallerControl.cab
DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - hxxps://remote.mednet.ucla.edu/vdesk/terminal/f5InspectionHost.cab#version=6031,2009,1204,1603
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://download-games.pogo.com/online2/pogo/diner_dash_2/DinerDash2.1.0.0.53.cab
DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} - hxxps://myportfolio.brownshoe.com/vdesk/terminal/vdeskctrl.cab#version=6030,2009,0824,2130
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://download-games.pogo.com/online2/pogo/diner_dash_flo_on_the_go/ddfotg.1.0.0.33.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://myportfolio.brownshoe.com/vdesk/terminal/urxshost.cab#version=6030,2009,828,1610
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://myportfolio.brownshoe.com/vdesk/terminal/urxhost.cab#version=6030,2009,828,1606
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 68.238.64.12
TCP: Interfaces\{E34FBB4B-F263-4BFA-A464-0E2CC4EAF107} : DhcpNameServer = 192.168.1.1 68.238.64.12
Notify: AtiExtEvent - Ati2evxx.dll
Notify: necusb - nwusbw32.dll
Notify: nwusbw32 - nwusbw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2009-11-18 3456]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
S2 necusb;NEC USB Device Service;c:\windows\system32\svchost.exe -k necusb3 [2004-8-12 14336]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2011-1-13 18560]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
.
=============== Created Last 30 ================
.
2011-11-12 21:15:54 -------- d-----w- c:\documents and settings\michael\application data\Windows Search
2011-11-11 17:11:22 37888 ----a-w- c:\windows\system32\nwusbw32.dll
2011-11-11 08:26:52 -------- d-----w- c:\documents and settings\michael\application data\AVG
2011-11-11 07:50:37 -------- d-----w- c:\windows\MATS
2011-11-11 07:50:28 -------- d-----w- c:\program files\Microsoft Fix it Center
2011-11-11 07:40:36 -------- d-----w- c:\documents and settings\michael\application data\ElevatedDiagnostics
2011-11-11 07:26:37 1043 ----a-w- c:\windows\system32\0.2827484657236714.exe
2011-11-11 06:51:43 -------- d-----w- c:\documents and settings\michael\application data\AVG2012
2011-11-11 06:48:39 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-11-10 23:44:24 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-11-10 23:44:24 58288 ------w- c:\windows\system32\rpcnet.exe
2011-11-10 13:11:39 16896 ----a-w- c:\windows\system32\Rpcnetp.exe
2011-10-20 06:00:15 -------- d-----w- C:\8B3A3
2011-10-20 05:59:56 -------- d-----w- c:\program files\LP
2011-10-20 04:37:01 -------- d-----w- C:\Adobe
.
==================== Find3M ====================
.
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-01 01:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 22:27:10.75 ===============
 
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 11/18/2009 8:50:06 PM
System Uptime: 11/14/2011 9:14:56 PM (1 hours ago)
.
Motherboard: Dell Inc. | | 0UW744
Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-50 | Socket M2/S1G1 | 1596/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 24.593 GiB free.
H: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless 1390 WLAN Mini-Card
Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_00071028&REV_01\4&2EA2911C&0&0030
Manufacturer: Broadcom
Name: Dell Wireless 1390 WLAN Mini-Card
PNP Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_00071028&REV_01\4&2EA2911C&0&0030
Service: BCM43XX
.
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: USBSTOR\CDROM&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_2.15\0000060425022728&1
Manufacturer: (Standard CD-ROM drives)
Name: SanDisk U3 Cruzer Micro USB Device
PNP Device ID: USBSTOR\CDROM&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_2.15\0000060425022728&1
Service: cdrom
.
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMHL-DT-ST_DVD+-RW_GSA-T11N_______________A102____\304B364153413246333020342020202020202020
Manufacturer: (Standard CD-ROM drives)
Name: HL-DT-ST DVD+-RW GSA-T11N
PNP Device ID: IDE\CDROMHL-DT-ST_DVD+-RW_GSA-T11N_______________A102____\304B364153413246333020342020202020202020
Service: cdrom
.
==== System Restore Points ===================
.
RP289: 11/10/2011 10:46:01 PM - Installed AVG 2012
RP290: 11/10/2011 10:46:23 PM - Removed AVG 2012
RP291: 11/10/2011 10:47:33 PM - Installed AVG 2012
RP292: 11/10/2011 11:05:14 PM - Removed AVG 2011
RP293: 11/10/2011 11:36:37 PM - Installed %1 %2.
RP294: 11/11/2011 3:00:43 AM - Software Distribution Service 3.0
RP295: 11/12/2011 3:28:30 AM - System Checkpoint
RP296: 11/12/2011 1:00:11 PM - Software Distribution Service 3.0
RP297: 11/14/2011 8:19:20 PM - Removed AVG 2012
RP298: 11/14/2011 8:20:46 PM - Removed AVG 2012
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.0)
AMD Processor Driver
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Broadcom 440x 10/100 Integrated Controller
Camera Driver
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon EOS-1D Mark II N WIA Driver
Canon EOS-1Ds Mark II WIA Driver
Canon EOS 5D WIA Driver
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 2.1
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Coby Media Manager
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Dell Resource CD
Dell Wireless WLAN Card
Digital Photo Navigator 1.5
Fritz Grandmaster Challenge
HOTLLAMA Media Player
HOTLLAMA Media Player - Update
Internet Explorer (Enable DEP)
Java Auto Updater
Java(TM) 6 Update 18
LeapFrog Connect
LeapFrog Tag Junior Plugin
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Automated Troubleshooting Services Shim
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Fix it Center
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office File Validation Add-In
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office SharePoint Designer 2007
Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
Microsoft Office SharePoint Designer MUI (English) 2007
Microsoft Office Small Business Edition 2003
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OPSWAT AntiVirus and Firewall Integration Libraries
PowerCinema NE for Everio
PowerDirector Express
PowerProducer
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB923789)
SigmaTel Audio
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Sharepoint Designer 2007 Help (KB963675)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2641690)
Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Junior Plugin)
WebFldrs XP
Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0)
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)
Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12)
Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06)
Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04)
Windows Essentials Media Codec Pack 3.5 [32-Bit]
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WModem Driver Installer
.
==== Event Viewer Messages From Past Week ========
.
11/14/2011 9:34:20 PM, error: AmdK8 [2] - The Acpi 2.0 _PCT object returned an invalid value of 3
11/14/2011 9:32:06 PM, error: Service Control Manager [7023] - The NEC USB Device Service service terminated with the following error: The specified module could not be found.
11/14/2011 9:25:55 PM, error: atapi [9] - The device, \Device\Ide\IdePort2, did not respond within the timeout period.
11/14/2011 9:15:32 PM, error: Service Control Manager [7023] - The Help and Support service terminated with the following error: The specified module could not be found.
11/14/2011 9:15:32 PM, error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT
11/14/2011 9:15:32 PM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: NetBT
11/14/2011 9:15:32 PM, error: Service Control Manager [7000] - The My Web Search Service service failed to start due to the following error: The system cannot find the path specified.
11/14/2011 8:21:01 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the NEC USB Device Service service to connect.
11/14/2011 8:21:01 PM, error: Service Control Manager [7000] - The NEC USB Device Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
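The GMER "Files" section, the DDS "Created Last 30" section and the Event Viewer lines in the logs above are the parts a reviewer actually reads. As an added example (not a TechSpot script and not part of GMER, DDS or any other tool named in this thread), here is a Python triage pass over excerpts of those lines: it groups GMER file hits under $NtUninstall folders and flags folders whose entries are single-character names or end in ".@", flags executables created in system32 whose base name is a bare decimal fraction, and pulls out services that the Service Control Manager reports as depending on a nonexistent service. The sample lines are copied from the logs above; the heuristics and the finding labels are my assumptions about what deserves a second look, not a verdict from any tool.

```python
"""Triage helper for GMER / DDS text logs (added example, not a tool or forum script)."""
import re
from collections import defaultdict

# Constructed sample input: excerpts copied from the GMER "Files" section,
# the DDS "Created Last 30" section and the DDS Event Viewer section above.
SAMPLE_LOG = r"""
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\L\exeuavms 162816 bytes
File C:\WINDOWS\$NtUninstallKB42967$\2303012498\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB22568$\61065199 0 bytes
2011-11-11 07:26:37 1043 ----a-w- c:\windows\system32\0.2827484657236714.exe
2011-11-10 23:44:24 58288 ------w- c:\windows\system32\rpcnet.exe
2011-09-01 01:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
11/14/2011 9:15:32 PM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: NetBT
11/14/2011 9:34:20 PM, error: AmdK8 [2] - The Acpi 2.0 _PCT object returned an invalid value of 3
"""

# Line shapes of the three log sections (derived from the lines above).
GMER_FILE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes$")
DDS_CREATED = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>\S+) (?P<attr>\S+) (?P<path>.+)$")
SCM_MISSING = re.compile(r"depends on the following nonexistent service: (?P<svc>\S+)$")

# Hotfix uninstall folders are named $NtUninstallKB<number>$; capture the KB tag.
UNINSTALL_DIR = re.compile(r"\\\$NtUninstall(KB\d+)\$\\", re.IGNORECASE)
# Assumption (heuristic): a hotfix folder normally holds the update's backup
# files, not entries named "@", "U" or "L" or files ending in ".@".
ODD_ENTRY = re.compile(r"\\(?:@|U|L)(?:\\|$)|\.@$")
# Assumption (heuristic): an executable in system32 whose base name is a bare
# decimal fraction (e.g. 0.2827484657236714.exe) is not a name a vendor ships.
RANDOM_EXE = re.compile(r"\\system32\\\d+\.\d+\.exe$", re.IGNORECASE)


def triage(log_text):
    """Return a list of (finding_label, detail) tuples for the lines in log_text."""
    findings = []
    uninstall_entries = defaultdict(list)   # KB tag -> paths GMER listed under it

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = GMER_FILE.match(line)
        if m:
            path = m.group("path")
            d = UNINSTALL_DIR.search(path)
            if d:
                uninstall_entries[d.group(1)].append(path)
            continue

        m = DDS_CREATED.match(line)
        if m:
            path = m.group("path")
            if RANDOM_EXE.search(path):
                findings.append(("random-name-exe", path))
            continue

        m = SCM_MISSING.search(line)
        if m:
            findings.append(("missing-service", m.group("svc")))

    # A hotfix folder is reported only if it contains entries that do not look
    # like update backups; a folder with ordinary-looking entries is left alone.
    for kb, paths in uninstall_entries.items():
        odd = [p for p in paths if ODD_ENTRY.search(p)]
        if odd:
            findings.append(("hotfix-dir-with-odd-entries",
                             f"{kb}: {len(odd)} of {len(paths)} entries"))
    return findings


if __name__ == "__main__":
    for label, detail in triage(SAMPLE_LOG):
        print(f"{label:32} {detail}")
```

Each finding is a pointer to a line worth checking against the rest of the log (the ComboFix output, the restored driver copy), not a removal decision; the regular expressions are tied to the exact line shapes these two tools produced in 2011 and would need adjusting for other log formats.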
 
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan:


On completion of the scan click "Save log", save it to your desktop and post in your next reply:


NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

============================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Running ComboFix and a message from the Registry Editor states "Cannot export C:\Qoobox\Quarantine\Registry_backups\Notify-box.reg.dat: Error opening the file. There may be a disk or file system error."

I clicked OK and the scan completed and the log displayed. Is that how it's supposed to happen?
 
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-22 13:03:01
-----------------------------
13:03:01.796 OS Version: Windows 5.1.2600 Service Pack 3
13:03:01.796 Number of processors: 2 586 0x4802
13:03:01.796 ComputerName: 2B015DF5D9E843D UserName: Michael
13:03:02.187 Initialize success
13:03:15.796 AVAST engine download error: 0
13:03:17.953 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
13:03:17.953 Disk 0 Vendor: Hitachi_HTS541680J9SA00 SB2OC74P Size: 76319MB BusType: 3
13:03:19.968 Disk 0 MBR read successfully
13:03:19.968 Disk 0 MBR scan
13:03:19.968 Disk 0 Windows XP default MBR code
13:03:19.968 Disk 0 scanning sectors +156280320
13:03:20.031 Disk 0 scanning C:\WINDOWS\system32\drivers
13:03:25.640 Service scanning
13:03:27.156 Modules scanning
13:03:32.734 Disk 0 trace - called modules:
13:03:32.734 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll atiide.sys PCIIDEX.SYS
13:03:32.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84b74ab8]
13:03:32.734 3 CLASSPNP.SYS[f7512fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0x84b24d98]
13:03:32.734 Scan finished successfully
13:04:13.265 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Michael\Desktop\MBR.dat"
13:04:13.265 The log file has been saved successfully to "C:\Documents and Settings\Michael\Desktop\aswMBR.txt"


ComboFix 11-11-22.01 - Michael 11/22/2011 14:06:48.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.616 [GMT -8:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Michael\Application Data\Adobe\plugs
c:\documents and settings\Michael\Application Data\Adobe\shed
C:\install.exe
c:\program files\LP
c:\windows\$NtUninstallKB22568$
c:\windows\$NtUninstallKB22568$\61065199
c:\windows\$NtUninstallKB42967$
c:\windows\$NtUninstallKB42967$\2303012498\@
c:\windows\$NtUninstallKB42967$\2303012498\bckfg.tmp
c:\windows\$NtUninstallKB42967$\2303012498\cfg.ini
c:\windows\$NtUninstallKB42967$\2303012498\Desktop.ini
c:\windows\$NtUninstallKB42967$\2303012498\keywords
c:\windows\$NtUninstallKB42967$\2303012498\kwrd.dll
c:\windows\$NtUninstallKB42967$\2303012498\L\exeuavms
c:\windows\$NtUninstallKB42967$\2303012498\lsflt7.ver
c:\windows\$NtUninstallKB42967$\2303012498\U\00000001.@
c:\windows\$NtUninstallKB42967$\2303012498\U\00000002.@
c:\windows\$NtUninstallKB42967$\2303012498\U\00000004.@
c:\windows\$NtUninstallKB42967$\2303012498\U\80000000.@
c:\windows\$NtUninstallKB42967$\2303012498\U\80000004.@
c:\windows\$NtUninstallKB42967$\2303012498\U\80000032.@
c:\windows\$NtUninstallKB42967$\2328178969
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53
c:\windows\system32\0.2827484657236714.exe
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService
.
.
((((((((((((((((((((((((( Files Created from 2011-10-22 to 2011-11-22 )))))))))))))))))))))))))))))))
.
.
2011-11-12 21:15 . 2011-11-12 21:15 -------- d-----w- c:\documents and settings\Michael\Application Data\Windows Search
2011-11-11 17:11 . 2011-11-11 17:11 37888 ----a-w- c:\windows\system32\nwusbw32.dll
2011-11-11 08:26 . 2011-11-11 08:29 -------- d-----w- c:\documents and settings\Michael\Application Data\AVG
2011-11-11 07:50 . 2011-11-11 07:50 -------- d-----w- c:\windows\MATS
2011-11-11 07:50 . 2011-11-11 07:50 -------- d-----w- c:\program files\Microsoft Fix it Center
2011-11-11 07:40 . 2011-11-11 07:40 -------- d-----w- c:\documents and settings\Michael\Application Data\ElevatedDiagnostics
2011-11-11 06:48 . 2011-11-15 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-11-10 23:44 . 2011-11-22 22:21 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-11-10 23:44 . 2011-11-10 23:44 58288 ------w- c:\windows\system32\rpcnet.exe
2011-11-10 13:11 . 2011-11-22 22:21 16896 ----a-w- c:\windows\system32\Rpcnetp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:22 . 2009-11-19 04:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-12 13:56 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41 . 2009-10-08 21:57 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-12 14:02 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-12 14:02 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2004-08-12 14:09 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-01 01:00 . 2009-11-20 07:22 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-06-06 151552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]
"Monitor"="c:\documents and settings\Michael\Desktop\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\necusb]
2011-11-11 17:11 37888 ----a-w- c:\windows\system32\nwusbw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwusbw32]
2011-11-11 17:11 37888 ----a-w- c:\windows\system32\nwusbw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Michael\\Desktop\\LeapFrog Connect\\LeapFrogConnect.exe"=
.
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [11/18/2009 9:28 PM 3456]
S2 necusb;NEC USB Device Service;c:\windows\System32\svchost.exe -k necusb3 [8/12/2004 6:06 AM 14336]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [1/13/2011 2:36 PM 18560]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
necusb3 REG_MULTI_SZ necusb
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 21:15]
.
2011-11-22 c:\windows\Tasks\User_Feed_Synchronization-{F43ADB18-8D83-41B0-AB43-5912F756482B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
.
2011-11-22 c:\windows\Tasks\Windows Codec Update Service.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2011-02-27 10:06]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: secureserver.net\email17
Trusted Zone: ucla.edu\remote.mednet
TCP: DhcpNameServer = 192.168.1.1 68.238.64.12
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
Notify- - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-22 14:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(460)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\nwusbw32.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(852)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\documents and settings\Michael\Desktop\LeapFrog Connect\CommandService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\rpcnet.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\windows\stsystra.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-11-22 15:51:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-22 23:51
.
Pre-Run: 26,361,749,504 bytes free
Post-Run: 26,978,529,280 bytes free
.
- - End Of File - - 6E8498087DE84B74E169E6C86F255A50
 
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
Make sure you allow recovery console installation (as my instructions say!) on the next ComboFix run.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box
  • Click OK
Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\nwusbw32.dll

Folder::

Driver::
necusb

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\necusb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwusbw32]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
My internet is stuck "acquiring the address". When I run repair it tells me not able to renew IP address. Not able to connect to the internet beginning with the ComboFix. Restart did not resolve the problem. Any suggestions?
 
It was the original run that it happened. It happened once before, since the blue screen, and I was able to get it going with a restart in "boot logging" mode. I thought it was the wireless, so I tried connecting the hard line to the laptop, and it still won't connect.
 
Please download Farbar Service Scanner and run it on the computer with the issue.
  • Check "Include All Files" option.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
 
Farbar Service Scanner
Ran by Michael (administrator) on 27-11-2011 at 11:46:25
Microsoft Windows XP Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Unable to retrieve start type of NetBt. The value might not exist.
Unable to retrieve ImagePath of NetBt. The value might not exist.


File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-12 06:01] - [2008-04-13 11:21] - 0162816 ____A () 7D093DA5CC1A2BDF3F4FA8CEEE9FE175

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

**** End of log ****
 
OK, we have a couple of issues there.
You have a registry key missing, and the netbt.sys file seems to be infected.
Let's see if we can fix it.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:
    Code:
    :filefind
    netbt.sys
    :reg
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
SystemLook 30.07.11 by jpshortstuff
Log created at 12:43 on 27/11/2011 by Michael
Administrator - Elevation successful

========== filefind ==========

Searching for "netbt.sys"
C:\WINDOWS\$NtServicePackUninstall$\netbt.sys -----c- 162816 bytes [07:03 19/11/2009] [14:01 12/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\ServicePackFiles\i386\netbt.sys -----c- 162816 bytes [19:21 13/04/2008] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\drivers\netbt.sys --a---- 162816 bytes [14:01 12/08/2004] [19:21 13/04/2008] 7D093DA5CC1A2BDF3F4FA8CEEE9FE175

========== reg ==========

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt]
"Tag"= 0x0000000057 (87)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Linkage]
"Bind"="\Device\Tcpip_{941BB1AC-C03D-4D54-82DD-A61A395A7AE6} \Device\Tcpip_{E34FBB4B-F263-4BFA-A464-0E2CC4EAF107} \Device\Tcpip_{AF64AB7D-E04E-4636-AF18-A155D7FE42B0} \Device\Tcpip_{7AC9181E-4D4F-4704-BCE5-C770730F05DA}"
"Route"=""Tcpip" "{941BB1AC-C03D-4D54-82DD-A61A395A7AE6}" "Tcpip" "{E34FBB4B-F263-4BFA-A464-0E2CC4EAF107}" "Tcpip" "NdisWanIp""
"Export"="\Device\NetBT_Tcpip_{941BB1AC-C03D-4D54-82DD-A61A395A7AE6} \Device\NetBT_Tcpip_{E34FBB4B-F263-4BFA-A464-0E2CC4EAF107} \Device\NetBT_Tcpip_{AF64AB7D-E04E-4636-AF18-A155D7FE42B0} \Device\NetBT_Tcpip_{7AC9181E-4D4F-4704-BCE5-C770730F05DA}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters]
"EnableLMHOSTS"= 0x0000000001 (1)
"TransportBindName"="\Device\"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces]
(No values found)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{941BB1AC-C03D-4D54-82DD-A61A395A7AE6}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{E34FBB4B-F263-4BFA-A464-0E2CC4EAF107}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Enum]
"0"="Root\LEGACY_NETBT\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)


-= EOF =-
 
Registry key is fine but we need to replace netbt.sys file.

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
FCopy::
C:\WINDOWS\$NtServicePackUninstall$\netbt.sys | C:\WINDOWS\system32\drivers\netbt.sys

File::
c:\windows\system32\nwusbw32.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\necusb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwusbw32]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
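As an added example (not part of this thread, and not code from ComboFix, FSS or SystemLook), this is the check those logs perform by hand: hash the live netbt.sys, hash every pristine copy Windows keeps, flag the live file when it matches none of them, and re-check after an FCopy-style restore. The relative paths are the ones from the SystemLook output above; the file contents are constructed filler, not real driver bytes.

```python
import hashlib
import os
import shutil
import tempfile

# Relative paths taken from the SystemLook "filefind" output in this thread.
LIVE_DRIVER = os.path.join("WINDOWS", "system32", "drivers", "netbt.sys")
BACKUP_COPIES = [
    os.path.join("WINDOWS", "$NtServicePackUninstall$", "netbt.sys"),
    os.path.join("WINDOWS", "ServicePackFiles", "i386", "netbt.sys"),
]


def md5_file(path):
    """Upper-case hex MD5 of a file, read in chunks so large drivers are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_driver(root, live_rel=LIVE_DRIVER, backup_rels=BACKUP_COPIES):
    """Compare the live driver with every pristine copy that exists under root.

    Returns the live file's size and MD5, the MD5 of each backup copy found, and
    'matches_backup', which is True only when the live hash equals some backup hash.
    Size is reported but never used as the verdict: in the thread all three copies
    are 162816 bytes, so only the hash separates the infected file from the clean ones.
    """
    live = os.path.join(root, live_rel)
    report = {"size": os.path.getsize(live), "md5": md5_file(live), "backups": {}}
    for rel in backup_rels:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            report["backups"][rel] = md5_file(path)
    report["matches_backup"] = report["md5"] in report["backups"].values()
    return report


def restore_from_backup(root, backup_rel, live_rel=LIVE_DRIVER):
    """The FCopy step from the thread: overwrite the live driver with a pristine copy, then re-check."""
    shutil.copyfile(os.path.join(root, backup_rel), os.path.join(root, live_rel))
    return check_driver(root, live_rel)


def build_constructed_tree(root):
    """Constructed sample data (not driver bytes): two clean copies of different versions and a
    same-size live copy with a few bytes altered, mimicking an in-place patch of the file."""
    clean_old = bytes(range(256)) * 4          # 1024 bytes standing in for the pre-SP copy
    clean_new = b"SP3!" + clean_old[4:]        # a different clean version, same length
    patched = bytearray(clean_new)
    patched[512:520] = b"\x90" * 8             # same length as both clean copies, different content
    for rel, data in [(BACKUP_COPIES[0], clean_old), (BACKUP_COPIES[1], clean_new), (LIVE_DRIVER, bytes(patched))]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    """Run the check on the constructed tree, restore from the first backup, and check again."""
    root = tempfile.mkdtemp()
    try:
        build_constructed_tree(root)
        before = check_driver(root)
        after = restore_from_backup(root, BACKUP_COPIES[0])
        return before, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before["size"], before["md5"], "matches a backup:", before["matches_backup"])
    print("after: ", after["size"], after["md5"], "matches a backup:", after["matches_backup"])
```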
 
ComboFix 11-11-22.01 - Michael 11/27/2011 13:43:16.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.485 [GMT -8:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael\Desktop\CFScript.txt
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.
FILE ::
"c:\windows\system32\nwusbw32.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\$NtServicePackUninstall$\netbt.sys --> c:\windows\system32\drivers\netbt.sys
.
((((((((((((((((((((((((( Files Created from 2011-10-27 to 2011-11-27 )))))))))))))))))))))))))))))))
.
.
2011-11-12 21:15 . 2011-11-12 21:15 -------- d-----w- c:\documents and settings\Michael\Application Data\Windows Search
2011-11-11 17:11 . 2011-11-11 17:11 37888 ----a-w- c:\windows\system32\nwusbw32.dll
2011-11-11 08:26 . 2011-11-11 08:29 -------- d-----w- c:\documents and settings\Michael\Application Data\AVG
2011-11-11 07:50 . 2011-11-11 07:50 -------- d-----w- c:\windows\MATS
2011-11-11 07:50 . 2011-11-11 07:50 -------- d-----w- c:\program files\Microsoft Fix it Center
2011-11-11 07:40 . 2011-11-11 07:40 -------- d-----w- c:\documents and settings\Michael\Application Data\ElevatedDiagnostics
2011-11-11 06:48 . 2011-11-15 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-11-10 23:44 . 2011-11-27 18:11 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-11-10 23:44 . 2011-11-10 23:44 58288 ------w- c:\windows\system32\rpcnet.exe
2011-11-10 13:11 . 2011-11-27 21:37 16896 ----a-w- c:\windows\system32\Rpcnetp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:22 . 2009-11-19 04:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-12 13:56 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41 . 2009-10-08 21:57 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-12 14:02 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-12 14:02 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2004-08-12 14:09 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-22_22.21.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-27 18:11 . 2011-11-27 18:11 16384 c:\windows\Temp\Perflib_Perfdata_684.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-06-06 151552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Monitor"="c:\documents and settings\Michael\Desktop\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\necusb]
2011-11-11 17:11 37888 ----a-w- c:\windows\system32\nwusbw32.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [11/18/2009 9:28 PM 3456]
S2 necusb;NEC USB Device Service;c:\windows\System32\svchost.exe -k necusb3 [8/12/2004 6:06 AM 14336]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [1/13/2011 2:36 PM 18560]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
necusb3 REG_MULTI_SZ necusb
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 21:15]
.
2011-11-27 c:\windows\Tasks\User_Feed_Synchronization-{F43ADB18-8D83-41B0-AB43-5912F756482B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
.
2011-11-27 c:\windows\Tasks\Windows Codec Update Service.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2011-02-27 10:06]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: secureserver.net\email17
Trusted Zone: ucla.edu\remote.mednet
TCP: DhcpNameServer = 192.168.1.1 68.238.64.12
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-27 13:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\nwusbw32.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(1116)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-11-27 13:47:21
ComboFix-quarantined-files.txt 2011-11-27 21:47
ComboFix2.txt 2011-11-22 23:51
.
Pre-Run: 26,946,568,192 bytes free
Post-Run: 26,934,521,856 bytes free
.
- - End Of File - - 1B517C384E66DDBA53F53450726C77E4
 
The Windows Device Manager displays the orbiting ball around the icon. My Dell device manager is showing me that my connection strength is excellent, the status is unknown, and the address is "0.0.0.0".

When I right-click and run the "repair" function, it disables, enables, and finds the connection, then gets hung up on renewing the IP address.

I have turned off the firewall to see if that would help. Still nothing. I did a "configure" on the Dell Wireless 1390 mini-card; after reading a Dell community post on troubleshooting the wireless card, I changed the "Antenna Diversity" to "Aux" and disabled the Minimum Power Consumption and Power Save Mode functions.

Thinking about rolling back the driver, but I am hesitant as I don't want to roll back to something worse.
 
Farbar Service Scanner
Ran by Michael (administrator) on 27-11-2011 at 18:50:34
Microsoft Windows XP Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Unable to retrieve start type of NetBt. The value might not exist.
Unable to retrieve ImagePath of NetBt. The value might not exist.


File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-12 06:01] - [2004-08-12 06:01] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

**** End of log ****
 