As I only read but didn't properly follow the instructions by attaching the log files rather than paste the text in my thread started yesterday late night, I decided to start all over in a new thread...
Type: Posts; User: yettyn; Keyword(s):
huh, you must be getting tired of repeating that in basically every post, but I'm sure you have a snippet ready to paste :)
but, yes I have got that, many legit items in the list, so nothing to be...
Long story short, I decided to go Full S&D Professional after noticing some suspect activity on my Windows 10 system (more or less constant HDD activity on C:), which still is ongoing at this after...
Oh by the way, I noticed there is an account not added by me called "ASP.NET Machine A..." but I have a vague idea this once was created by "LogMeIn" which I once tried out but then removed. It's set...
Ok but I have XP Pro
One thing I noticed though is that I only have 2 account types, Administrator and Limited - which is the same as for XP Home; Pro is supposed to have other types as well I...
It appears reg is not, or is no longer, a part of RC on the XP SP2 CD, but I managed the situation anyhow.
This url helped me to get back into windows
http://www.easydesksoftware.com/news/news36.htm
...
I managed to get back into safe mode and should now be able to restore the registry with my backup. Then what I need is to find where and what makes programs think we are in safe mode. There must be some...
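On the question in the post above of what makes programs think the system is in safe mode: the following is an added example written for this page, not code from the thread or its poster. It reads the places Windows records a safe-mode boot, which is what applications and the SafeBoot service filtering key off. It assumes Windows PowerShell on the affected machine; the XP-era cause would usually be a /safeboot switch left in boot.ini or a damaged SafeBoot registry tree.

```powershell
# Added example (editor's, not from the thread): list the safe-mode indicators Windows sets.
# Assumes Windows PowerShell; run on the machine in question.

$indicators = [ordered]@{}

# 1. Boot options the kernel was started with; contains SAFEBOOT after a safe-mode boot.
$ctl = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$indicators['SystemStartOptions'] =
    (Get-ItemProperty -Path $ctl -Name SystemStartOptions -ErrorAction SilentlyContinue).SystemStartOptions

# 2. SafeBoot\Option exists only during a safe-mode boot: OptionValue 1 = Minimal, 2 = Network.
$opt = Join-Path $ctl 'SafeBoot\Option'
$indicators['SafeBoot\Option\OptionValue'] =
    (Get-ItemProperty -Path $opt -Name OptionValue -ErrorAction SilentlyContinue).OptionValue

# 3. Environment variable present in every process while in safe mode (MINIMAL or NETWORK).
$indicators['SAFEBOOT_OPTION env'] = $env:SAFEBOOT_OPTION

# 4. The API most applications actually call:
#    GetSystemMetrics(SM_CLEANBOOT) -> 0 normal, 1 safe mode, 2 safe mode with networking.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("user32.dll")] public static extern int GetSystemMetrics(int nIndex);
'@
$SM_CLEANBOOT = 67
$indicators['GetSystemMetrics(SM_CLEANBOOT)'] = [Win32.Native]::GetSystemMetrics($SM_CLEANBOOT)

$indicators.GetEnumerator() | ForEach-Object { '{0,-36} {1}' -f $_.Key, $_.Value }
```

If the machine was booted normally and these still report safe mode, look at the boot configuration (the /safeboot:minimal or /safeboot:network switch in boot.ini on XP, the safeboot BCD element on later versions) rather than at stale registry values: the kernel rewrites SystemStartOptions and the SafeBoot\Option key on every boot. If they report a normal boot but services and drivers still fail to start, the likely damage is to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network, which malware removal tools and the infection itself sometimes edit, or to the services' own registry ACLs.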
So the keys there really should be hidden then? Well, I think I screwed it again then, as I did touch them, and now I cannot boot as I get an lsass.exe system - system error: Object not found. I did...
I found a very suspicious registry entry, the key HKEY_LOCAL_MACHINE\SAM\SAM with several sub keys that certainly are invalid. Question is just if all the sub keys can be deleted or parts are needed....
SYSTEM\CurrentControlSet\Services\WZCSVC\Enum : delete Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\WZCSVC\Enum : new ace for builtin\administrators...
Yes, I know what COM+ is :crowned: just wondered if it could affect the system start-up in some way, and you know more about that area... anyhow, I have had some progress.
Obviously a lot of places...
Ok, I think I figured it out basically: the virus changed permissions on certain keys. Question is if there is a somewhat easy way to change them back in batch or if it has to be done one by one?
Like...
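For the batch question in the post above, here is an added example written for this page (it is not the poster's code and not from the thread). It walks a registry subtree, reports every key where BUILTIN\Administrators does not hold an Allow ACE with FullControl, and, only when -Repair is given, puts that ACE back. It assumes Windows PowerShell on a current Windows and an elevated prompt; the starting path is an assumption, chosen because the permission-change log lines in this thread are under the Services tree. On XP itself the same job was done with SubInACL, whose "delete Perm. ACE" / "new ace for builtin\administrators" output is what appears in the thread.

```powershell
# Added example (editor's, not from the thread): audit and batch-repair registry key ACLs.
# Assumes Windows PowerShell, elevated. Audit first; re-run with -Repair to apply changes.
param(
    [string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services',  # assumed starting point
    [switch]$Repair
)

$admins = 'BUILTIN\Administrators'
$full   = [System.Security.AccessControl.RegistryRights]::FullControl

function Test-AdminFullControl {
    param([System.Security.AccessControl.RegistrySecurity]$Acl)
    # True if an Allow ACE for Administrators carries every FullControl bit.
    foreach ($ace in $Acl.Access) {
        if ($ace.IdentityReference.Value -eq $admins -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $full) -eq $full)) {
            return $true
        }
    }
    return $false
}

$keys   = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)
$broken = @()

foreach ($key in $keys) {
    try {
        $acl = Get-Acl -Path $key.PSPath
    } catch {
        # Access denied here usually means the owner was changed as well; see the note below.
        Write-Warning "Cannot read ACL: $($key.PSPath) ($($_.Exception.Message))"
        continue
    }
    if (Test-AdminFullControl $acl) { continue }

    $broken += $key.PSPath
    Write-Output "Administrators lack FullControl: $($key.PSPath)"

    if ($Repair) {
        # Re-add the Administrators ACE only; do not widen access for anyone else.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $admins, $full, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)   # replaces any existing Allow ACE for this identity
        Set-Acl -Path $key.PSPath -AclObject $acl
    }
}

Write-Output ("{0} key(s) checked, {1} without Administrators FullControl" -f $keys.Count, $broken.Count)
```

Two caveats a practitioner would want. First, if Get-Acl or Set-Acl fails with access denied, the infection changed the key's owner too; take ownership first (regedit's Permissions > Advanced > Owner, or SetOwner on the RegistrySecurity object with SeTakeOwnershipPrivilege enabled) and re-run. Second, restore only the Administrators ACE rather than granting Everyone full control across the tree, since over-broad registry ACLs are themselves a persistence aid for the next piece of malware. The SubInACL form used on XP for the same tree was of the shape `subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services /grant=administrators=f`, which produces exactly the "new ace for builtin\administrators" lines quoted in this thread.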
I managed to get IE to start and open WU, but there it ends as it fails to install Windows Installer 3.1 - something must be missing or screwed up in the registry. Apparently folder options had been messed...
It seems like I still have a serious problem: I cannot run IE, only FF, but the latter is no good for Windows Update :sad:
I tried to install Windows Installer but it goes to some point and I get an...
I reinstalled with the repair option, it went almost fine. I got some kind of COM+ error during install, but just an OK button so install continue - it couldn't register COM+ I think it was or at...
Yes, just to face the facts, it has gone too bad or I screwed it up somewhere on my own. I am doing a repair reinstall now and will see where it takes me. Hopefully it should leave me somewhat near to...
Well, it looks like I screwed up that restore point... or system restore is on but says it cannot protect my computer - probably because some critical services don't run; also I have no network in...
Windows installer link, yes please as I have problems accessing windows update now.
Logfile.Etl was RegRun yes, a trace I ran.
I know reinstall windows would be a sane act, however it's not...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:02, on 2008-02-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running...
I meant above if I try to copy something in this editor I cannot paste it back, like copy doesn't take. I can copy in my text editor though and paste it here (using FF).
Reg export of SafeBoot key...
steam, something is still wicked with my system...
After changing that reg key you gave me and rebooted I noticed the following.
1. it took (and still takes) extremely long time to boot.
2. at...
Hmm I assume you talk about the file uploaded to bleepingcomputer? was it winlicense.zip or you got a winlicense.exe as 0 ? I ask as at the time I was a bit tired in my head ;-) and first tried to...
Some tidying-up comments about the removal. There were 2 identical infectors to remove actually, the one that popped up the "select file" dialog, which I assume is the original of the dropped copy,...
I will run a kav but last time it took 20 hours, but it might have been due to the infection - although I do have a big system :alien:
As you said, it's Sunday. I have written a separate report I...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33, on 2008-02-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running...
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
...
ComboFix 08-02-24.4 - Joakim 2008-02-24 10:33:16.10 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1592 [GMT 1:00]
Running from: C:\Documents and...
Ok here are fresh CF and HJT logs, CF first and then HJT. Regrun also produced some interesting logs as well which you might be interested in looking at, including a boot log and others I think - but...
The :spider: is dead and I am out of the web :santa:, I will post back later today with details and CF logs etc. as there still is some clean up and system repair to do. Just thought to let you know...
Then I was right in my suspicion of the ATI driver, although it was more intuition than technical analysis :santa: and now it hits me I haven't seen the Avast popper about updated definitions for a...
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
...
ComboFix 08-02-20.2 - Joakim 2008-02-22 4:11:00.8 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1593 [GMT 1:00]
Running from: C:\Documents and...
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 01:00 --------- d-----w C:\Documents and...
ComboFix 08-02-20.2 - Joakim 2008-02-20 1:53:02.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1518 [GMT 1:00]
Running from: C:\Documents and...
There are more registry values I have found, though, that get recreated, basically variants of some from that other case (which I've been too busy with logs to look fully at yet). Do you want me to...
Windows Registry Editor Version 5.00
[HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun]
"First12Ru123n"=dword:00000001
that's all in that key, I will post some of my...
--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase:...
--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser...
--- Startup entries list ---
Located: HK_LM:Run, @RegRunOnSecure
command: C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
file: C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
size: 57856
MD5:...
--- Search result list ---
Common Dialogs: [SBI $4CDCC3D5] History (4 files) (Registry key, nothing done)
...
Spybot in Safe Mode
23.02.2008 19:52:32 - ##### check started #####
23.02.2008 19:52:32 - ### Version: 1.5.2
23.02.2008 19:52:32 - ### Date: 2008-02-23 19:52:32
23.02.2008 19:52:33 - #####...
So here we kinda start over with fresh logs. First an observation though. Last friday when this started I happened to double click that file I told you about resulting in a dialog saying "select file...
All virus junk was deleted right away, in fact it was mostly old stuff taking up HDD space anyway - I must get myself a smaller HDD to become less lazy :red: I am pretty sure my infection didn't come...
Thanks for finally coming to my assistance, I was just about to enter the waiting room ;-)
I will do as you said... but first, it's correct I have downloaded cracked programs, but it's not quite...
Hi, find HJT and KOS logs below, and I have taken all the steps given in sticky post :angel:
I need help to complete and clean up a partly successful struggle with a nasty trojan that has bloggers...