Type: Posts; User: yettyn; Keyword(s):

  1. Need help to trace and remove source of malicious HDD write activity.

    As I only read but didn't properly follow the instructions by attaching the log files rather than pasting the text in my thread started yesterday late night, I decided to start all over in a new thread...
  2. huh you must be getting tired to repeat that in...

    huh you must be getting tired to repeat that in basically every post, but I'm sure you have a snippet ready to paste :)

    but, yes I have got that, many legit items in the list, so nothing to be...
  3. Suspect HDD activity and lots of suspiciously named keys and key values in Registry

    Long story short, I decided to go Full S&D Professional after noticing some suspect activity on my Windows 10 system (more or less constant HDD activity on C:), which still is ongoing at this after...
  4. Replies
    58
    Views
    35,799

    Oh by the way, I noticed there is an account not...

    Oh by the way, I noticed there is an account not added by me called "ASP.NET Machine A..." but I have a vague idea this once was created by "LogMeIn" which I once tried out but then removed. It's set...
  5. Ok but I have XP Pro One thing I noticed though...

    Ok but I have XP Pro

    One thing I noticed though is that I only have 2 account types, Administrator and Limited - which is the same as for XP Home, Pro is supposed to have other types as well I...
  6. Ok I am back at the wheel

    It appears reg is not, or no longer, a part of RC on the XP SP2 CD, but I managed the situation anyhow.

    This URL helped me to get back into Windows
    http://www.easydesksoftware.com/news/news36.htm
    ...
  7. I managed to get back into safe mode and should...

    I managed to get back into safe mode and should now be able to restore the registry with my backup. Then what I need is to find where and what makes programs think we are in safe mode. There must be some...
  8. So the keys there really should be hidden then?...

    So the keys there really should be hidden then? Well I think I screwed it again then as I did touch them, and now I cannot boot as I get a lsass.exe system - system error : Object not found. I did...
  9. I found a very suspicious registry entry, the key...

    I found a very suspicious registry entry, the key HKEY_LOCAL_MACHINE\SAM\SAM with several sub keys that certainly is invalid. Question is just if all the sub keys can be deleted or parts are needed....
  10. cmd window dump

    SYSTEM\CurrentControlSet\Services\WZCSVC\Enum : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\WZCSVC\Enum : new ace for builtin\administrators...
  11. Some progress

    Yes I know what COM+ is :crowned: just wondered if it could affect the system start up in some way, and you know more about that area... anyhow, I have had some progress.

    Obviously a lot of places...
  12. Ok I think I figured it out basically, the virus...

    Ok I think I figured it out basically, the virus changed permissions on certain keys. Question is if there is a somewhat easy way to change them back in batch or it has to be done one by one?

    Like...
  13. I managed to get IE to start and open WU but...

    I managed to get IE to start and open WU but there it ends as it fails to install Windows Installer 3.1 - something must be missing or screwed in the registry. Apparently folder options had been messed...
  14. It seems like I still have a serious problem, I...

    It seems like I still have a serious problem, I cannot run IE only FF but the latter is no good for Windows Update :sad:

    I tried to install Windows Installer but it goes to some point and I get an...
  15. Repair reinstall

    I reinstalled with the repair option, it went almost fine. I got some kind of COM+ error during install, but just an OK button so the install continued - it couldn't register COM+ I think it was, or at...
  16. Yes just to face the facts, it has gone too bad...

    Yes just to face the facts, it has gone too bad or I screwed it up somewhere on my own. I am doing a repair reinstall now and see where it will take me. Hopefully it should leave me somewhat near to...
  17. Well it looks like I screwed up that restore...

    Well it looks like I screwed up that restore point... or system restore is on but says it cannot protect my computer - probably because some critical services don't run, also I have no network in...
  18. Windows installer link, yes please as I have...

    Windows installer link, yes please as I have problems accessing Windows Update now.

    Logfile.Etl was RegRun yes, a trace I ran.

    I know reinstalling Windows would be a sane act, however it's not...
  19. Fresh HJT

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:02, on 2008-02-25
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running...
  20. Safeboot repair results

    I meant above if I try to copy something in this editor I cannot paste it back, like copy doesn't take. I can copy in my text editor though and paste it here (using FF).

    Reg export of SafeBoot key...
  21. steam, something is still wicked with my...

    steam, something is still wicked with my system...

    After changing that reg key you gave me and rebooting I noticed the following.

    1. it took (and still takes) an extremely long time to boot.
    2. at...
  22. Hmm I assume you talk about the file uploaded to...

    Hmm I assume you talk about the file uploaded to bleepingcomputer? was it winlicense.zip or you got a winlicense.exe as 0 ? I ask as at the time I was a bit tired in my head ;-) and first tried to...
  23. Removal report

    Some tidying up comments about the removal. There were 2 identical infectors to remove actually, the one that popped up the "select file" dialog, which I assume is the original of the dropped copy,...
  24. I will run a kav but last time it took 20 hours,...

    I will run a kav but last time it took 20 hours, but it might have been due to the infection - although I do have a big system :alien:

    As you said, it's Sunday. I have written a separate report I...
  25. HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:33, on 2008-02-24
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running...
  26. Part 2

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    ...
  27. ComboFix.log Part 1

    ComboFix 08-02-24.4 - Joakim 2008-02-24 10:33:16.10 - NTFSx86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1592 [GMT 1:00]
    Running from: C:\Documents and...
  28. Fresh logs coming

    Ok here are fresh CF and HJT logs, CF first and then HJT. Regrun also produced some interesting logs which you might be interested in looking at, including a boot log and others I think - but...
  29. We did it!

    The :spider: is dead and I am out of the web :santa:, I will post back later today with details and CF logs etc. as there still is some clean up and system repair to do. Just thought to let you know...
  30. Then I was right in my suspicion of the ati...

    Then I was right in my suspicion of the ati driver, although it was more intuition than technical analysis :santa: and now it hits me I haven't seen the avast popper about updated definitions for a...
  31. Part 2

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    ...
  32. My latest (old) CF log Part 1

    ComboFix 08-02-20.2 - Joakim 2008-02-22 4:11:00.8 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1593 [GMT 1:00]
    Running from: C:\Documents and...
  33. Part 2

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-20 01:00 --------- d-----w C:\Documents and...
  34. My oldest CF log - Part 1

    ComboFix 08-02-20.2 - Joakim 2008-02-20 1:53:02.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1518 [GMT 1:00]
    Running from: C:\Documents and...
  35. There are more registry values I have found...

    There are more registry values I have found though that get recreated, basically variants of some from that other case (which I have been too busy with logs to look fully at yet). Do you want me to...
  36. Windows Registry Editor Version 5.00 ...

    Windows Registry Editor Version 5.00

    [HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun]
    "First12Ru123n"=dword:00000001

    that's all in that key, I will post some of my...
  37. Part 4

    --- ActiveX list ---
    Microsoft XML Parser for Java (Microsoft XML Parser for Java)
    DPF name: Microsoft XML Parser for Java
    CLSID name:
    Installer:
    Codebase:...
  38. Part 3

    --- Browser helper object list ---
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser...
  39. Part 2

    --- Startup entries list ---
    Located: HK_LM:Run, @RegRunOnSecure
    command: C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
    file: C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
    size: 57856
    MD5:...
  40. Part 1

    --- Search result list ---
    Common Dialogs: [SBI $4CDCC3D5] History (4 files) (Registry key, nothing done)
    ...
  41. First some logs

    Spybot in Safe Mode
    23.02.2008 19:52:32 - ##### check started #####
    23.02.2008 19:52:32 - ### Version: 1.5.2
    23.02.2008 19:52:32 - ### Date: 2008-02-23 19:52:32
    23.02.2008 19:52:33 - #####...
  42. So here we kinda start over with fresh logs....

    So here we kinda start over with fresh logs. First an observation though. Last Friday when this started I happened to double click that file I told you about resulting in a dialog saying "select file...
  43. All virus junk was deleted right away, in fact it...

    All virus junk was deleted right away, in fact it was mostly old stuff taking up HDD space anyway - I must get myself a smaller HDD to become less lazy :red: I am pretty sure my infection didn't come...
  44. Thanks for finally coming to my assistance, I was...

    Thanks for finally coming to my assistance, I was just about to enter the waiting room ;-)

    I will do as you said... but first, it's correct I have downloaded cracked programs, but it's not quite...
  45. need help w/ hard to kill trojan

    Hi, find HJT and KOS logs below, and I have taken all the steps given in sticky post :angel:

    I need help to complete and clean up a partly successful struggle with a nasty trojan that has bloggers...
Results 1 to 45 of 50