Solved Infected XP PC


Will40

Guys,

I have an infected PC with a number of viruses. It had blocked me from accessing the internet.

I had removed the virus via MalwareBytes & Avast; however, I could still not access the internet. Pinging works fine, and any browser I tried to use would simply hang.

I went back and did a complete re-install of XP, as I had my folders backed up to an external drive; however, the virus returned. I tried another clean install of XP & again the same problem occurred, which leads me to believe that my external drive is also infected (when clicking on the System Volume Information folder, access is denied - on both internal & external drives).

I am posting via a loaned laptop, whilst running the necessary programs on the infected PC.

Infected files which were 'cleaned' prior to the re-install of XP were:
Win32/PrcView
A003186.msi
A0043530.exe - Spyware Password
A0043534.dll - Trojan Downloader
A0044131.exe - Trojan Generic
firefox.dll was corrupted
bonus.screenshot.recorder.exe x 2 (Debugger & Normal)
Presentation.host.exe x 2 (Debugger & Normal)
Spirit.exe x 2 (Debugger & Normal)

Requested files to follow....

Thanks & Regards
Will
 
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

21/09/2011 20:38:15
mbam-log-2011-09-21 (20-38-15).txt

Scan type: Full scan (C:\|)
Objects scanned: 164434
Time elapsed: 12 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-09-23 17:13:24
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e Maxtor_6L160M0 rev.BACE1G10
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgryypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xB8471BF2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xB8471A5D]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB84C9398]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Ip UrlFilter.sys (URL Filter/IObit.com)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Tcp UrlFilter.sys (URL Filter/IObit.com)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Udp UrlFilter.sys (URL Filter/IObit.com)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp UrlFilter.sys (URL Filter/IObit.com)

---- EOF - GMER 1.0.15 ----
 
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 17:14:02 on 2011-09-23
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.3071.2585 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3 Mobile Broadband\3Connect\AutoUpdateSrv.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [CreativeTaskScheduler] "c:\program files\creative\shared files\CTSched.exe" /logon
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [IObit Malware Fighter] "c:\program files\iobit\iobit malware fighter\IMF.exe" /autostart
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\3connect.lnk - c:\program files\3 mobile broadband\3connect\Wilog.exe
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: MaxRecentDocs = 18 (0x12)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-9-21 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-9-21 309848]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-7-19 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-9-21 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-9-21 42184]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]
R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-9-21 820568]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-21 366152]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-21 22216]
R3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2011-9-21 30368]
R3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2011-9-21 16080]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2009-10-19 9472]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2011-9-21 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2011-9-21 100736]
S4 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2011-9-21 239600]
.
=============== Created Last 30 ================
.
2011-09-23 15:51:31 709968 ----a-w- c:\windows\isRS-000.tmp
2011-09-21 21:08:54 -------- d--h--w- c:\windows\$hf_mig$
2011-09-21 17:39:32 -------- d-----w- c:\documents and settings\owner\local settings\application data\Sun
2011-09-21 17:39:25 -------- d-----w- c:\documents and settings\owner\application data\VSRevoGroup
2011-09-21 17:32:10 -------- d-sh--w- c:\documents and settings\owner\IECompatCache
2011-09-21 17:28:43 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2011-09-21 17:28:33 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-21 17:28:29 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-21 17:28:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-21 17:26:37 -------- d-----w- c:\documents and settings\owner\local settings\application data\ESET
2011-09-21 17:26:37 -------- d-----w- c:\documents and settings\owner\application data\ESET
2011-09-21 17:26:28 -------- d-sh--w- c:\documents and settings\owner\PrivacIE
2011-09-21 17:25:39 -------- d-----w- c:\program files\ESET
2011-09-21 17:19:59 -------- d-----w- c:\documents and settings\owner\local settings\application data\Thunderbird
2011-09-21 17:18:07 -------- d-----w- c:\documents and settings\owner\application data\IObit
2011-09-21 17:18:03 -------- d-----w- c:\program files\IObit
2011-09-21 17:14:45 -------- d-----w- c:\program files\PeerBlock
2011-09-21 17:13:23 -------- d-----w- c:\program files\VS Revo Group
2011-09-21 17:12:03 -------- d-----w- c:\documents and settings\all users\application data\SecTaskMan
2011-09-21 17:11:59 -------- d-----w- c:\program files\Security Task Manager
2011-09-21 17:11:38 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com
2011-09-21 17:11:03 -------- d-----w- c:\documents and settings\all users\application data\!SASCORE
2011-09-21 17:10:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-21 17:10:59 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-09-21 17:10:42 -------- d-----w- c:\program files\CCleaner
2011-09-21 17:09:52 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2011-09-21 17:09:52 -------- d-----w- c:\program files\MagicDisc
2011-09-21 17:09:41 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-21 17:09:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-21 17:08:54 -------- d-----w- c:\documents and settings\owner\local settings\application data\Adobe
2011-09-21 17:08:14 -------- d-----w- c:\program files\FileHippo.com
2011-09-21 17:07:44 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-21 17:07:32 40112 ----a-w- c:\windows\avastSS.scr
2011-09-21 17:07:21 -------- d-----w- c:\program files\AVAST Software
2011-09-21 17:07:21 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-09-21 17:06:42 -------- d-----w- c:\documents and settings\owner\application data\WinPatrol
2011-09-21 17:06:39 -------- d-----w- c:\program files\BillP Studios
2011-09-21 17:06:39 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
2011-09-21 17:06:19 -------- d-----w- c:\windows\system32\Defaults
2011-09-21 17:06:13 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2011-09-21 17:06:10 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2011-09-21 17:06:07 52864 ----a-w- c:\windows\system32\drivers\DMusic.sys
2011-09-21 17:06:05 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2011-09-21 17:06:02 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2011-09-21 17:06:00 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys
2011-09-21 17:05:56 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2011-09-21 17:05:54 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2011-09-21 17:05:51 7552 ----a-w- c:\windows\system32\drivers\MSKSSRV.sys
2011-09-21 17:05:49 4992 ----a-w- c:\windows\system32\drivers\MSPQM.sys
2011-09-21 17:05:46 5376 ----a-w- c:\windows\system32\drivers\MSPCLOCK.sys
2011-09-21 17:04:35 7062 ----a-w- c:\windows\system32\audiopid.vxd
2011-09-21 17:04:26 -------- d-----w- c:\program files\common files\Creative Labs Shared
.
==================== Find3M ====================
.
2011-09-21 17:09:31 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-21 17:03:44 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2011-09-21 17:03:44 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2011-09-21 11:59:19 71262 ----a-w- c:\windows\Huawei ModemsUninstall.exe
.
============= FINISH: 17:14:55.39 ===============
 
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 21/09/2011 17:45:23
System Uptime: 23/09/2011 16:52:19 (1 hours ago)
.
Motherboard: Dell Computer Corp. | | 0F4491
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 139.495 GiB free.
E: is CDROM ()
F: is CDROM ()
I: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
Service:
.
==== System Restore Points ===================
.
RP1: 21/09/2011 17:47:27 - System Checkpoint
RP2: 21/09/2011 17:49:42 - Installed Microsoft .NET Framework 2.0 Service Pack 2
RP3: 21/09/2011 17:51:37 - Installed Windows KB971276-v3.
RP4: 21/09/2011 17:51:46 - Installed RGB9RAST
RP5: 21/09/2011 17:51:51 - Installed Microsoft .NET Framework 3.0 Service Pack 2
RP6: 21/09/2011 17:53:26 - Installed Microsoft .NET Framework 3.5 Service Pack 1
RP7: 21/09/2011 17:54:16 - Installed Java(TM) 6 Update 16
RP8: 21/09/2011 17:54:34 - Installed User Profile Hive Cleanup Service
RP9: 21/09/2011 17:54:44 - Installed Alt-Tab Task Switcher Powertoy for Windows XP
RP10: 21/09/2011 18:22:17 - Before Mozilla Backup
RP11: 21/09/2011 18:25:36 - Installed ESET Smart Security
RP12: 21/09/2011 12:58:50 - Installed 3Connect
RP13: 21/09/2011 22:08:48 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
3Connect
7-Zip 4.65
Adobe AIR
Adobe Flash Player 11 Plugin
Alt-Tab Task Switcher Powertoy for Windows XP
avast! Free Antivirus
CCleaner
Creative Audio Console
Creative Software AutoUpdate
ESET Smart Security
FileHippo.com Update Checker
Foxit Reader 5.0
HashCheck Shell Extension (x86-32)
Huawei modem
IObit Malware Fighter
Java Auto Updater
Java(TM) 6 Update 16
Java(TM) 7
K-Lite Mega Codec Pack 5.2.0
MagicDisc 2.7.106
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Thunderbird (6.0)
MSXML 4.0 SP3 Parser
Open Command Prompt Shell Extension (x86-32)
PeerBlock 1.1 (r518)
QuickTime Alternative 3.0.0
Revo Uninstaller 1.83
Security Task Manager 1.8d
Security Update for CAPICOM (KB931906)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB978601)
SUPERAntiSpyware
Unlocker 1.8.7
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
User Profile Hive Cleanup Service
WebFldrs XP
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
WinPatrol
.
==== Event Viewer Messages From Past Week ========
.
21/09/2011 20:48:18, error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: The system cannot find the file specified.
21/09/2011 12:37:17, error: PlugPlayManager [12] - The device 'Secondary IDE Channel' (PCIIDE\IDEChannel\4&275adb11&0&1) disappeared from the system without first being prepared for removal.
.
==== End Of File ===========================
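As an added example (not part of this thread or of GMER), here is a small Python parser for the "AttachedDevice" lines in a GMER "Devices" section. It extracts the driver file and the vendor string GMER prints in parentheses and lists the filter drivers GMER could not attribute to any vendor (in the log above, mdvrmng.sys is the only one attached to the TCP/IP stack without a description). An unattributed filter is not proof of infection, only a driver worth identifying by hand. The sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Constructed sample input: six "Devices" lines copied from the GMER log above.
# Backslashes are doubled only because this is a Python string literal.
SAMPLE_GMER = """\
AttachedDevice \\FileSystem\\Ntfs \\Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \\Driver\\Tcpip \\Device\\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \\Driver\\Tcpip \\Device\\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \\Driver\\Tcpip \\Device\\Ip mdvrmng.sys
AttachedDevice \\Driver\\Tcpip \\Device\\Ip UrlFilter.sys (URL Filter/IObit.com)
AttachedDevice \\Driver\\Tcpip \\Device\\Tcp mdvrmng.sys
"""

# GMER line layout: AttachedDevice <driver object> <device object> <file> [(description/vendor)]
LINE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver_obj>\S+)\s+(?P<device>\S+)\s+(?P<file>\S+)"
    r"(?:\s+\((?P<desc>.*)\))?\s*$"
)


def parse_attached_devices(text):
    """Parse GMER AttachedDevice lines into dicts.

    Each dict has driver_obj, device, file, description and vendor.
    GMER prints the description as "<product description>/<vendor>";
    when the file is unknown to GMER both fields are None.
    """
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip headers and lines of other types (SSDT, Code, ...)
        desc = m.group("desc")
        vendor = None
        if desc is not None and "/" in desc:
            vendor = desc.rsplit("/", 1)[1].strip()
        entries.append({
            "driver_obj": m.group("driver_obj"),
            "device": m.group("device"),
            "file": m.group("file"),
            "description": desc,
            "vendor": vendor,
        })
    return entries


def find_unattributed_filters(text):
    """Map each driver file lacking a vendor string to the device objects it is attached to.

    The device list preserves log order, so the analyst can see which
    parts of the stack (Ip, Tcp, Udp, RawIp, Ntfs, ...) the driver sits on.
    """
    hits = defaultdict(list)
    for e in parse_attached_devices(text):
        if e["vendor"] is None:
            hits[e["file"]].append(e["device"])
    return dict(hits)


def filters_per_device(text):
    """Map each device object to the ordered list of filter files attached to it."""
    stack = defaultdict(list)
    for e in parse_attached_devices(text):
        stack[e["device"]].append(e["file"])
    return dict(stack)


if __name__ == "__main__":
    for file, devices in find_unattributed_filters(SAMPLE_GMER).items():
        print(f"no vendor string for {file}: attached to {', '.join(devices)}")
    for device, files in filters_per_device(SAMPLE_GMER).items():
        print(f"{device}: {' -> '.join(files)}")
```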
 
Welcome to TechSpot! I'll be glad to help you sort this out.

If any of the files you returned to the system after the reinstall, the system could have been And also as you mention, it could be an infected flash drive.
============================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you, including a Registry Cleaner or make changes in the Registry.
    [o] Please Do not Attach logs or put in code boxes
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
===================================
Questions and comments:
The order for uninstalling is:
1. Check the program and see if it has its own uninstaller> if it does, use that.
2. If it does not, check Add/Remove Programs and uninstall from there if listed.
3. If neither #1 nor #2 is available, then use an uninstaller like Revo or the Windows Installer Cleanup Utility.

After an uninstall, you should use Windows Explorer> Computer> Double click Local Drive> Programs> right click on the program folder for the uninstall> Delete.
=================================
You have 2 antivirus programs running:
Eset Smart Security
Avast
Please remove one of them. It is advised that you only run 1 AV.
Please reboot the computer when finished.
===================================
There are some entries that need to be removed:
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
==================================
You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

Please disinfect all movable drives
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
 
Thanks Bobbye....

Eset removed with Revo.

Due to the fact I can't connect the infected machine to the net, ComboFix could not install the Windows Recovery Console. Report below.

Not sure if this is relevant Bobbye - Flash Disinfector did install the folder autorun on flash drive, but not the external hdd. (There is an autorun.inf file there already).



ComboFix 11-09-21.02 - Owner 24/09/2011 8:37.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.3071.2620 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2011-08-24 to 2011-09-24 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
.
.
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-21 4603264]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"CTHelper"="CTHELPER.EXE" [2010-03-18 19456]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2011-07-20 4393816]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
3Connect.lnk - c:\program files\3 Mobile Broadband\3Connect\Wilog.exe [2011-9-21 38640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [21/09/2011 18:07 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [21/09/2011 18:07 309848]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [19/07/2011 01:02 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21/09/2011 18:07 19544]
R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [21/09/2011 18:18 820568]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/09/2011 18:28 366152]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [18/03/2010 20:39 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [18/03/2010 20:39 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [18/03/2010 20:39 566360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/09/2011 18:28 22216]
R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [21/09/2011 18:18 30368]
R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [21/09/2011 18:18 16080]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [19/10/2009 09:29 9472]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [18/03/2010 20:39 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [21/09/2011 18:04 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [18/03/2010 20:39 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [18/03/2010 20:39 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [18/03/2010 20:39 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [18/03/2010 20:39 566360]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [21/09/2011 12:59 100736]
S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [21/09/2011 18:18 239600]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-24 c:\windows\Tasks\User_Feed_Synchronization-{FB65A161-6BC0-42E1-8CE4-EA6A63487A68}.job
- c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-24 08:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(748)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2988)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-24 08:48:27
ComboFix-quarantined-files.txt 2011-09-24 07:48
.
Pre-Run: 149,827,477,504 bytes free
Post-Run: 149,961,801,728 bytes free
.
- - End Of File - - 109A7B3547D07A167835B9D089B35C50
 
Please run this Eset Online scan. I'd like to see what Eset is calling the Worm you have that is named W32/Ganensar.A.worm by Panda. It appears to be one of the 'autoruns'.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the image to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
    (image: ESET Online Scanner settings)
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
===============================
Are you finding any/some/most/none of the following? It makes many modifications in the Windows Registry, which prevent doing the following:
  • It disables the option Search from the Start menu.
  • It prevents viewing the processes that are being run through the Task Manager
  • It prevents the display of the right click Context menu
  • It disables Windows File Protection (WFP)
  • It spreads via shared and mapped drives.
  • It is easily recognizable as it enters the computer in a file with the name MIYABI-NEW EPISODE(NO SENSOR).EXE and the icon of Windows Media Player:
    [o] If this button is pressed:
    (image: W32/Ganensar.A.worm, Windows Media Player icon)

    [o] You will be greeted by this:
    (image: W32/Ganensar.A.worm, dialog box)

======================================
I can see some of the entries from it but I think the reinstall removed some.
 
Hi Bobbye,

Just to preempt slightly!! I see the wscntfy file is missing and have located it on my XP CD. I will obviously wait for your instructions before proceeding with anything.....

We both posted at same time......!

I can't get online to do the online scanner....

The Search button does work, as does Windows Media Player - I don't get the dialog box as above....

Right Click works fine (couldn't access System Volume previously before re-install)

Task Manager works fine now too....

Will
 
Thanks for the reminder- I meant to put this in:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    wscntfy.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
File not found Bobbye. I do have it on my XP CD though. I take it I should copy it to desktop, zip it, and put it in my System32 folder...?

SystemLook 30.07.11 by jpshortstuff
Log created at 10:20 on 24/09/2011 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "wscntfy.exe"
No files found.

-= EOF =-
 
Since the file has really gone missing, yes, since you have the CD, you can replace it. Since it is the process for the Windows Security Center, it needs to be on the system. You might want to use the System File Checker (SFC) to replace it:
From Bleeping computer: System File Checker SFC
Instructions
  1. Have your Windows XP installation CD handy.
  2. Go to Start> Run> type in SFC.EXE /SCANNOW (with a space between the SFC.EXE and the /SCANNOW)> Enter.
  3. The program may (or it may not) ask you for your Windows XP installation CD - please insert it at the prompt. If it doesn't ask you for the CD this means that it wasn't necessary to replace any files.
  4. In the event the system asks you for the CD, you must visit Windows Update immediately after the scan is completed (Please note that there won't be any confirmation dialog - the program will just exit without telling you anything).
  5. If this doesn't repair the problem with your system other troubleshooting procedures are required.

When finished, reboot and run Combofix again to make sure it's been found!
 
Bobbye,

Just to add to the above - BEFORE the re-install.

Q. It disables the option Search from the Start menu.
Yes. I remember I had to try to search from within folders.

Q. It prevents Viewing the processes that are being run through the Task Manager
Yes & No! Task Manager did work sometimes, however, it would be an age before it appeared, and sometimes would not at all.

Q. It prevents the display of the right click Context menu
No. Right click worked.

Q. It disables Windows File Protection (WFP)
Not sure exactly how to tell?

Q. It spreads via shared and mapped drives.
I believe so, as it seems to have gotten into my backup drive (which I have left disconnected for the moment whilst working on the main machine.)

Q. It Is easily recognizable as it enters the computer in a file with the name MIYABI-NEW EPISODE(NO SENSOR).EXE and the icon of Windows Media Player:
I had not noticed this before install as I don't use WMP. As earlier post, works fine now.

New ComboFix Log:


ComboFix 11-09-21.02 - Owner 25/09/2011 11:33:36.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.3071.2537 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2011-08-25 to 2011-09-25 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2011-09-24_07.45.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-25 10:30 . 2011-09-25 10:30 16384 c:\windows\Temp\Perflib_Perfdata_2b8.dat
+ 2011-09-25 10:25 . 2008-04-14 04:42 13824 c:\windows\system32\wscntfy.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-21 4603264]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"CTHelper"="CTHELPER.EXE" [2010-03-18 19456]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2011-07-20 4393816]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
3Connect.lnk - c:\program files\3 Mobile Broadband\3Connect\Wilog.exe [2011-9-21 38640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [21/09/2011 18:07 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [21/09/2011 18:07 309848]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [19/07/2011 01:02 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21/09/2011 18:07 19544]
R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [21/09/2011 18:18 820568]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/09/2011 18:28 366152]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [18/03/2010 20:39 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [18/03/2010 20:39 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [18/03/2010 20:39 566360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/09/2011 18:28 22216]
R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [21/09/2011 18:18 30368]
R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [21/09/2011 18:18 16080]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [19/10/2009 09:29 9472]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [18/03/2010 20:39 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [21/09/2011 18:04 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [18/03/2010 20:39 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [18/03/2010 20:39 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [18/03/2010 20:39 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [18/03/2010 20:39 566360]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [21/09/2011 12:59 100736]
S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [21/09/2011 18:18 239600]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-25 c:\windows\Tasks\User_Feed_Synchronization-{FB65A161-6BC0-42E1-8CE4-EA6A63487A68}.job
- c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-25 11:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(748)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3220)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-25 11:44:14
ComboFix-quarantined-files.txt 2011-09-25 10:44
ComboFix2.txt 2011-09-24 07:48
.
Pre-Run: 149,959,028,736 bytes free
Post-Run: 149,944,954,880 bytes free
.
- - End Of File - - FB40E0204F2B8C98DF186D9CAF21D665
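Bobbye's checklist above (Search, Task Manager, context menu, WFP) describes symptoms that come from registry policy values, and the "Reg Loading Points" section of Will's ComboFix log shows the format those values are reported in (including "EnableFirewall"= 0). The script below is an added example, not ComboFix's own code and not from anyone in this thread: it parses that REGEDIT4-style section and flags the policy values that would produce those symptoms. The value names (NoFind, DisableTaskMgr, NoViewContextMenu, SFCDisable, EnableFirewall) are the real Windows policy names; that this particular worm sets them is an assumption of the example, and the third key in the sample dump is invented so that a hit is shown.

```python
"""Parse the REGEDIT4-style 'Reg Loading Points' section of a ComboFix log
and flag policy values that produce the lockdown symptoms discussed in the
thread (Search, Task Manager, context menu, WFP) or turn the firewall off.
Added example: not ComboFix's own code and not from the original posts."""
import re
from typing import Callable, Dict, List, Tuple

RegDump = Dict[str, Dict[str, object]]

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
_DEFAULT_RE = re.compile(r"^@\s*=\s*(.*)$")
_DWORD_RE = re.compile(r"^(-?\d+)\s*\(0x[0-9a-fA-F]+\)")


def _parse_value(raw: str) -> object:
    """Turn the right-hand side of a ComboFix value line into int or str."""
    raw = raw.strip()
    m = _DWORD_RE.match(raw)
    if m:                       # e.g.  1 (0x1)
        return int(m.group(1))
    if raw.startswith('"'):     # e.g.  "c:\path\file.exe" [2011-09-21 4603264]
        end = raw.find('"', 1)
        return raw[1:end] if end > 0 else raw.strip('"')
    return raw


def parse_reg_dump(text: str) -> RegDump:
    """Map each [KEY] to {value_name: value}. Keys and names are lower-cased
    because ComboFix mixes HKLM\\~\\services with HKEY_LOCAL_MACHINE\\... ."""
    dump: RegDump = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        km = _KEY_RE.match(line)
        if km:
            current = km.group(1).lower()
            dump.setdefault(current, {})
            continue
        if current is None:
            continue
        vm = _VALUE_RE.match(line)
        if vm:
            dump[current][vm.group(1).lower()] = _parse_value(vm.group(2))
            continue
        dm = _DEFAULT_RE.match(line)
        if dm:
            dump[current]["@"] = _parse_value(dm.group(1))
    return dump


def _nonzero(v: object) -> bool:
    return isinstance(v, int) and v != 0


def _zero(v: object) -> bool:
    return isinstance(v, int) and v == 0


# (key path suffix, value name, predicate that marks the value as bad, symptom).
# The names are real Windows policy values; which of them a given sample sets
# is an assumption of this example, not something the thread establishes.
LOCKDOWN_CHECKS: List[Tuple[str, str, Callable[[object], bool], str]] = [
    (r"\policies\explorer", "nofind", _nonzero, "Start menu Search disabled"),
    (r"\policies\system", "disabletaskmgr", _nonzero, "Task Manager blocked"),
    (r"\policies\explorer", "noviewcontextmenu", _nonzero, "right-click context menu hidden"),
    (r"\winlogon", "sfcdisable", _nonzero, "Windows File Protection (WFP) disabled"),
    (r"\firewallpolicy\standardprofile", "enablefirewall", _zero, "Windows Firewall disabled"),
]


def audit_reg_dump(text: str) -> List[Tuple[str, str, object, str]]:
    """Return (key, value_name, value, symptom) for every matching policy."""
    findings = []
    for key, values in parse_reg_dump(text).items():
        for suffix, name, is_bad, why in LOCKDOWN_CHECKS:
            if key.endswith(suffix) and name in values and is_bad(values[name]):
                findings.append((key, name, values[name], why))
    return findings


# Constructed sample in ComboFix's format. The first three blocks copy values
# from Will's 25/09/2011 log; the last key is invented so a lockdown hit shows.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2010-03-18 19456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"""

if __name__ == "__main__":
    for key, name, value, why in audit_reg_dump(SAMPLE_DUMP):
        print(f"{why}: [{key}] {name} = {value}")
```

On the log as actually posted, only the EnableFirewall line would be reported; the policies\explorer values present (MaxRecentDocs, NoSMConfigurePrograms and so on) are ordinary Explorer settings and are deliberately not in the check list.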
 
Thank you for your patience. I had a really great weekend with my family celebrating a special event.

I see you got the missing file on the system. Are you able to access the internet yet? Is there any other update on the system? We need to get the Recovery Console on the system.
 
No problem at all Bobbye! :)

No, still cannot get onto the internet, and am still working via loaned laptop. Is the Recovery Console downloadable, or would it be on XP CD? I have a slipstreamed XP SP3 which Broni showed me how to do previously.

Re the infected external drive, I was looking at this: ClamWin Portable. http://portableapps.com/apps/utilities/clamwin_portable Do you know anything about it?

Thanks....
 
Bobbye

I have the Recovery Console booted from my CD - with the 'press R to repair Windows XP using Recovery Console' ready. I have no problem re-installing via this method if necessary.....
 
Bobbye, just to keep you fully in the picture of what has happened.

I wanted to ensure the Recovery Console would run correctly when the time came for us to use it, however, it came up with the error:
Windows could not start because the following file is missing or corrupt:
<Windows root>\system32\hal.dll
Please re-install a copy of the above file.

Upon re-booting, the file was where it should be (System32 folder). I renamed it hal_original, and copied the hal.dl_ file from the XP SP3 CD to the Desktop & extracted it to the System32 folder.

I re-booted the machine again. However, the error message occurred again in trying to run Recovery Console, and upon escaping, the system would not boot at all. I have deleted the hal.dll file and restored the original dll file by renaming it through the XP Repair CD. Everything now back to as it was when I installed the Recovery Console. But I am still getting the error message : <Windows root>\system32\hal.dll when trying to run the RC. I just wanted to ensure you knew about the events in question!
 
Are you getting the message that Windows root>\system32\hal.dll is missing or corrupt?
 
Windows could not start because the following file is missing or corrupt:
<Windows root>\system32\hal.dll
Please re-install a copy of the above file.

As above - exact quote. But only when trying to run Recovery Console.

In case you need it, here is the Boot.ini File:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Also Bobbye, upon further investigation, the BOOTSECT.DAT file (& the hal.dl_ file) are located in a folder called C:\$WIN_NT$.~BT. There is no folder called C:\CMDCONS. I'm not sure whether this is relevant or not.

Thanks,
Will
 
Sorry Will- I still haven't caught up!

Please give me an update on system status as of now. Let's not try anything else out or do any renaming at this point.
 
No Change at all Bobbye.

Still can't get online - waiting to see what we can do with RC.....

Cheers
Will
 
Per Microsoft: http://support.microsoft.com/kb/314477

Error message: "Windows could not start because of a computer disk hardware configuration problem"

Error Message 3: Winnt_root\System32\Hal.dll missing or corrupt:

Please re-install a copy of the above file.

Additionally, you may experience one or more of the following behaviors:
  • If you start the computer to the Recovery Console, a command prompt may appear with no option to log on to the Windows installation.
  • If you try to access the Windows folder, you may receive the following error message:
    Access denied.
  • If you try to perform a Repair operation from the Windows XP CD-ROM, the Windows installation is not detected and you cannot repair Windows.
Cause:
This behavior can occur if any or some of the following conditions are true:
  • The Default value in the [Boot Loader] section of the Boot.ini file is missing or invalid.
  • Windows XP is not installed in the location specified in the Boot.ini file.
  • The Ntoskrnl.exe file is missing or damaged.
  • The partition path in the Boot.ini file is not set correctly.
  • General hardware failure.
Resolution:

Method 1
Edit the Boot.ini file to restore or correct the Default entry and to ensure that the other entries in the [Operating Systems] section of the Boot.ini file point to the appropriate directories.

For more information about how to edit the Boot.ini file, click the following article number to view the article in the Microsoft Knowledge Base:
289022 (http://support.microsoft.com/kb/289022/ ) How to edit the Boot.ini file in Windows XP

Method 2
Use the Bootcfg utility in the Recovery Console to correct the Boot.ini file:

1. Use the Windows XP CD-ROM to start your computer.
2. When you receive the message to press R to repair Windows by using the Recovery Console, press the R key.
3. Select the Windows installation that you want, and then type the administrator password when prompted.
4. Type bootcfg /rebuild, and then press ENTER.
5. When the Windows installation is located, the following instructions are displayed:
Add installation to boot list? (Yes/No/All)
[Type Y in response to this message.]

Enter Load Identifier:
[This is the name of the operating system. Type Windows XP Professional or Windows XP Home Edition.]

Enter OS Load options:
[Leave this field blank, and then press ENTER.]
After you perform the preceding steps, restart the computer, and then select the first item on the boot menu. This should allow Windows XP to start normally.

After Windows XP has successfully loaded, the Boot.ini can be modified to remove the incorrect entry.

Editing attributes are mine.

I hope this is helpful.
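The KB article quoted above lists the conditions behind the hal.dll message (a missing or invalid Default entry, a partition path that is wrong, Ntoskrnl.exe missing), and Will's Boot.ini plus his note that C:\CMDCONS does not exist give a concrete case to test against. The following is an added example, not Microsoft's tooling and not something posted in this thread: it parses a Boot.ini, confirms that Default names an entry under [operating systems], checks each entry's path syntax, and asks a caller-supplied `exists` function whether the directories and files each entry needs are present. The `exists` function and the PRESENT_PATHS set are assumptions made so the check runs offline; on a live XP system you would pass os.path.exists (with ARC paths resolved against the system partition).

```python
"""Check a Windows XP Boot.ini for the problems KB 314477 lists: a missing or
invalid Default entry, a malformed partition path, or an entry that points at
a location that does not exist. Added example, not Microsoft's tooling; the
sample Boot.ini is the one Will posted, the disk contents are constructed."""
import re
from typing import Callable, Dict, List

# multi(0)disk(0)rdisk(0)partition(1)\WINDOWS  ->  group(2) is \WINDOWS
ARC_PATH_RE = re.compile(
    r"^(multi|scsi)\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)(\\.+)$",
    re.IGNORECASE,
)
# Entries that boot from a file on a drive letter (the Recovery Console's
# C:\CMDCONS\BOOTSECT.DAT) use a plain path instead of an ARC path.
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")


def parse_boot_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}} for the INI-style Boot.ini.
    Section names are lower-cased; keys keep their case but are compared
    case-insensitively by the checker, as Windows does."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def _entry_name(description: str) -> str:
    """'"Microsoft Windows XP Professional" /fastdetect' -> the quoted name."""
    return description.split('"')[1] if description.count('"') >= 2 else description


def check_boot_ini(text: str, exists: Callable[[str], bool]) -> List[str]:
    """Return human-readable findings. `exists` answers whether a path is
    present; ARC entries are checked by the directory relative to their
    partition (e.g. \\WINDOWS), drive-letter entries by the full path."""
    findings: List[str] = []
    cfg = parse_boot_ini(text)
    loader = cfg.get("boot loader", {})
    systems = cfg.get("operating systems", {})
    default = next((v for k, v in loader.items() if k.lower() == "default"), None)

    if default is None:
        findings.append("[boot loader] has no Default entry")
    elif default.lower() not in {k.lower() for k in systems}:
        findings.append(f"Default '{default}' is not listed under [operating systems]")
    if not systems:
        findings.append("[operating systems] is empty")

    for target, description in systems.items():
        name = _entry_name(description)
        arc = ARC_PATH_RE.match(target)
        if arc:
            win_dir = arc.group(2)
            # KB 314477 names Ntoskrnl.exe; hal.dll is the file in the message.
            for needed in (win_dir,
                           win_dir + r"\system32\ntoskrnl.exe",
                           win_dir + r"\system32\hal.dll"):
                if not exists(needed):
                    findings.append(f"{name}: {needed} not found under {target}")
        elif DRIVE_PATH_RE.match(target):
            if not exists(target):
                findings.append(f"{name}: boot sector file {target} not found")
        else:
            findings.append(f"{name}: unrecognised boot path '{target}'")
    return findings


# Will's Boot.ini as posted in the thread.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

# Constructed stand-in for the disk: Windows itself is intact, but (as Will
# found) there is no C:\CMDCONS; BOOTSECT.DAT sits in C:\$WIN_NT$.~BT instead.
PRESENT_PATHS = {
    r"\WINDOWS",
    r"\WINDOWS\system32\ntoskrnl.exe",
    r"\WINDOWS\system32\hal.dll",
    r"C:\$WIN_NT$.~BT\BOOTSECT.DAT",
}


def offline_exists(path: str) -> bool:
    """Case-insensitive lookup in the constructed path set (NTFS is case-insensitive)."""
    return path.lower() in {p.lower() for p in PRESENT_PATHS}


if __name__ == "__main__":
    for finding in check_boot_ini(SAMPLE_BOOT_INI, offline_exists):
        print(finding)
```

Run against Will's file and the constructed disk, the only finding is the Recovery Console entry whose C:\CMDCONS\BOOTSECT.DAT does not exist; the XP entry and its Default pointer check out, which matches what he reports (Windows boots, only the Recovery Console option fails).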
 
Hi Bobbye,

Hope you had a good weekend! Just to re-cap - the Windows XP loads with no problems at all. The hal.dll error message only comes up when I choose the Recovery Console option on start-up from the C: drive.

I did change the boot file entry for the Recovery Console option at startup to point to the folder where the Recovery Console had been installed from earlier i.e. from C:\CMDCONS to the C:\$WIN_NT$.~BT folder. On re-boot, I was told the NTLDR is missing! (I have since changed it back to the original C:\CMDCONS).

However, regardless of all this, I can load the Recovery Console from the CD Drive. As you said earlier, that we need to get the Recovery Console working, can we use this option (run it from the XP CD) and bypass the installation of the Recovery Console on the system? Or is it necessary to actually have it installed?

Thanks,
Will
 