Page 3 of 4 FirstFirst 1234 LastLast
Results 21 to 30 of 34

Thread: Infected XP Security 2012

  1. #21
    Senior Member
    Join Date
    Oct 2009
    Posts
    100

    Default

    I believe I have the Windows CD, but I would have to locate it.

    Below is the FSS log.

    Farbar Service Scanner
    Ran by Raymond Green (administrator) on 21-12-2011 at 15:21:22
    Microsoft Windows XP Professional Service Pack 2 (X86)
    ********************************************************

    Service Check:
    ==============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Tcpip Service is not running. Checking service configuration:
    The start type of Tcpip service is OK.
    The ImagePath of Tcpip service is OK.


    File Check:
    ===========
    C:\WINDOWS\system32\svchost.exe
    [2004-08-04 00:00] - [2004-08-04 00:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

    C:\WINDOWS\system32\rpcss.dll
    [2005-07-25 23:39] - [2005-07-25 23:39] - 0397824 ____A (Microsoft Corporation) CE94A2BD25E3E9F4D46A7373FF455C6D

    C:\WINDOWS\system32\services.exe
    [2004-08-04 00:00] - [2004-08-04 00:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

    C:\WINDOWS\system32\dhcpcsvc.dll
    [2004-08-04 00:00] - [2006-05-19 07:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2004-08-04 00:00] - [2004-08-04 00:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

    C:\WINDOWS\system32\Drivers\tcpip.sys
    [2006-01-12 21:28] - [2006-04-20 06:51] - 0359808 ____A (Microsoft Corporation) 1DBF125862891817F374F407626967F4

    C:\WINDOWS\system32\Drivers\ipsec.sys
    [2004-08-04 00:00] - [2004-08-04 00:00] - 0074752 ____A () EA66D9A13E73B54F7E9AE34A0D835114

    C:\WINDOWS\system32\dnsrslvr.dll
    [2004-08-04 00:00] - [2004-08-04 00:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D


    Connection Status:
    ==================
    Localhost is blocked.
    There is no connection to network.
    Attempt to access Google IP returned error: Other errors
    Attempt to access Yahoo IP returend error: Other errors

    **** End of log ****

  2. #22
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    You need the standard 32bit version, not the 64

    Download and Run SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    64 Bit Version

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      ipsec.sys
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    Last edited by ken545; 2011-12-21 at 23:01.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #23
    Senior Member
    Join Date
    Oct 2009
    Posts
    100

    Default

    I have the Windows XP disk.
    I presume it is the one for this computer.
    I had XP on another older computer.

    Here is the SystemLook log.

    SystemLook 30.07.11 by jpshortstuff
    Log created at 15:01 on 22/12/2011 by Raymond Green
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "ipsec.sys"
    C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ipsec.sys --a---- 75264 bytes [19:19 13/04/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
    C:\WINDOWS\system32\dllcache\ipsec.sys --a---- 74752 bytes [05:00 04/08/2004] [05:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
    C:\WINDOWS\system32\drivers\ipsec.sys --a---- 74752 bytes [05:00 04/08/2004] [05:00 04/08/2004] EA66D9A13E73B54F7E9AE34A0D835114

    -= EOF =-

  4. #24
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hang off on using the disk for now, that file is infected and we are going to replace it.


    Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )

    and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste

    it into Notepad, make sure there is no space before and above FCopy::


    Code:
    FCopy::
    C:\WINDOWS\system32\dllcache\ipsec.sys | C:\WINDOWS\system32\drivers\ipsec.sys
    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


    Then check your internet connection
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  5. #25
    Senior Member
    Join Date
    Oct 2009
    Posts
    100

    Default

    ComboFix needed to be downloaded again for a full scan to be done.
    Re-boot was not automatic.
    Re-boot was much faster than previous reboots and fastest since infection.
    Internet connectivity is restored.

    Below is ComboFix log with CFScript


    ComboFix 11-12-22.04 - Raymond Green 12/22/2011 22:34:47.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1353 [GMT -5:00]
    Running from: c:\documents and settings\Raymond Green\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Raymond Green\Desktop\CFScript.txt
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\oobe\isperror
    c:\windows\system32\oobe\isperror\ispcnerr.htm
    c:\windows\system32\oobe\isperror\ispdtone.htm
    c:\windows\system32\oobe\isperror\isphdshk.htm
    c:\windows\system32\oobe\isperror\ispins.htm
    c:\windows\system32\oobe\isperror\ispnoanw.htm
    c:\windows\system32\oobe\isperror\isppberr.htm
    c:\windows\system32\oobe\isperror\ispphbsy.htm
    c:\windows\system32\oobe\isperror\ispsbusy.htm
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\system32\dllcache\ipsec.sys --> c:\windows\system32\drivers\ipsec.sys
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-23 to 2011-12-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-21 02:29 . 2011-12-21 02:29 -------- d-----w- C:\_OTL
    2011-12-18 19:52 . 2004-08-04 05:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
    2011-12-18 19:52 . 2004-08-04 05:00 187776 ----a-w- c:\windows\system32\dllcache\acpi.sys
    2011-12-15 16:14 . 2011-12-16 03:34 -------- d-----w- c:\documents and settings\Raymond Green\Application Data\Voypab
    2011-12-14 22:31 . 2011-12-14 22:31 -------- d-----w- c:\documents and settings\Raymond Green\Local Settings\Application Data\WMTools Downloaded Files
    2011-12-08 18:05 . 2011-12-08 18:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2011-12-08 03:27 . 2011-12-08 03:27 -------- d-sh--w- c:\documents and settings\Raymond Green\PrivacIE
    2011-12-08 03:25 . 2011-12-08 03:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-12-08 03:20 . 2011-12-08 03:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-12-08 03:20 . 2011-12-08 03:20 -------- d-sh--w- c:\documents and settings\Raymond Green\IETldCache
    2011-12-08 03:15 . 2011-12-08 03:16 -------- dc-h--w- c:\windows\ie8
    2011-12-08 02:59 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
    2011-12-08 02:59 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-12-08 02:59 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2011-12-08 02:59 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2011-12-08 02:59 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2011-12-08 02:59 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
    2011-12-08 02:59 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
    2011-11-29 23:44 . 2011-11-29 23:44 -------- d-----w- c:\program files\Common Files\xing shared
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-10 22:57 . 2011-07-09 22:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-18 19:32 . 2011-08-02 18:50 150856 ----a-w- c:\windows\system32\mfevtps.exe
    2011-10-15 18:16 . 2011-08-02 18:50 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-10-15 18:16 . 2011-08-02 18:50 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2011-10-15 18:16 . 2011-08-02 18:50 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-10-15 18:16 . 2011-08-02 18:50 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2011-10-15 18:16 . 2011-08-02 18:50 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-10-15 18:16 . 2011-08-02 18:50 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-10-15 18:16 . 2011-08-02 18:50 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-10-15 18:16 . 2011-08-02 18:50 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-10-15 18:16 . 2011-08-02 18:50 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-10-15 18:16 . 2011-08-02 18:50 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-09-28 01:09 . 2011-09-21 22:22 8192 ----a-r- c:\documents and settings\Raymond Green\Application Data\Microsoft\Installer\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}\Icon84031A18.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="Alaunch" [X]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
    "ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-19 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-19 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-19 114688]
    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
    "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
    "RTHDCPL"="RTHDCPL.EXE" [2006-08-14 16050176]
    "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "HPWUTOOLBOX"="c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2005-07-23 352256]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "TkBellExe"="c:\progra~1\real\REALPL~1\update\realsched.exe" [2011-11-29 296056]
    .
    c:\documents and settings\Raymond Green\Start Menu\Programs\Startup\
    DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\eSignal\\winros.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "23133:UDP"= 23133:UDP:UDP 23133
    "27193:TCP"= 27193:TCP:TCP 27193
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/2/2011 1:50 PM 89792]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [8/2/2011 1:50 PM 214904]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [8/2/2011 1:50 PM 160608]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [8/2/2011 1:50 PM 150856]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/2/2011 1:50 PM 338176]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [8/2/2011 1:50 PM 83856]
    S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
    S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/2/2011 1:50 PM 57600]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [8/2/2011 1:50 PM 83856]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/2/2011 1:50 PM 87656]
    S3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [8/15/2003 5:57 PM 3456]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2007-12-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
    - c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 23:52]
    .
    2007-12-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
    - c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-22 01:08]
    .
    2011-12-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1072916345-2785684930-38884129-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 21:14]
    .
    2011-12-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1072916345-2785684930-38884129-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 21:14]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.kitco.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-22 22:39
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1072916345-2785684930-38884129-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B8E1FB93-079B-2B97-101B-0EB5A984DF5A}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "oaoadgjmbdoampifiodljojoflofdp"=hex:64,61,6f,6f,64,61,64,6c,00,85
    "oacalbkokdbgmefcbfejcedebenifl"=hex:6a,61,6f,6f,66,61,69,6b,67,6e,64,65,6d,64,
    70,66,61,6d,6f,66,00,07
    "namabpalabciffjhlfiogkpocmje"=hex:6a,61,70,6f,69,62,66,70,61,61,66,67,6a,6d,
    67,6d,69,65,6b,6c,00,07
    .
    [HKEY_USERS\S-1-5-21-1072916345-2785684930-38884129-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F81AD052-41FF-D428-BFF6-E1945EC1FC35}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "ianpealnfohffgmoea"=hex:64,61,6d,66,6d,66,6a,6c,00,70
    "iajoeedbfeehambipd"=hex:6a,61,6d,66,61,67,64,69,68,63,63,70,6a,6b,67,69,67,61,
    68,6b,00,fd
    "hapoocjogchlogdi"=hex:6a,61,6d,66,61,67,64,69,68,63,63,70,6a,6b,67,69,67,61,
    68,6b,00,fd
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(532)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2011-12-22 22:41:09
    ComboFix-quarantined-files.txt 2011-12-23 03:41
    ComboFix2.txt 2011-12-19 05:01
    ComboFix3.txt 2011-12-19 00:16
    ComboFix4.txt 2010-12-19 14:50
    .
    Pre-Run: 50,688,737,280 bytes free
    Post-Run: 50,670,821,376 bytes free
    .
    - - End Of File - - EDD98355F4E5E96FA0E6F45D4C4ED329

  6. #26
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default



    Lets see if Malwarebytes will run now


    Please download Malwarebytes from Here or Here

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected .
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post the report please






    Download aswMBR.exe ( 511KB ) to your desktop.

    Double click the aswMBR.exe to run it

    Click the "Scan" button to start scan


    On completion of the scan click save log, save it to your desktop and post in your next reply
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  7. #27
    Senior Member
    Join Date
    Oct 2009
    Posts
    100

    Default

    Malwarebytes was already installed on the desktop computer.
    Updated files and ran program.
    after about 30,000 files the program encountered an error and stopped.
    The 'Send error message to Microsoft' appeared.

    Re-installed Malwarebytes from link provided.
    2 infected files were found (see log Malwarebytes log below).
    Computer reboot performed.

    Will run 'aswMBR.exe' next and post log.

    Malwarebytes log.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 911122308

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    12/23/2011 3:08:46 PM
    mbam-log-2011-12-23 (15-08-46).txt

    Scan type: Quick scan
    Objects scanned: 181671
    Time elapsed: 10 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\raymond green\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
    c:\documents and settings\raymond green\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

  8. #28
    Senior Member
    Join Date
    Oct 2009
    Posts
    100

    Default

    aswMBR log

    aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
    Run date: 2011-12-23 15:30:27
    -----------------------------
    15:30:27.718 OS Version: Windows 5.1.2600 Service Pack 2
    15:30:27.718 Number of processors: 2 586 0x604
    15:30:27.718 ComputerName: RAYMOND-DESKTOP UserName: Raymond Green
    15:30:28.562 Initialize success
    15:31:23.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
    15:31:23.687 Disk 0 Vendor: ST3250820AS 3.AAD Size: 238475MB BusType: 3
    15:31:23.687 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-19
    15:31:23.687 Disk 1 Vendor: ST3250820AS 3.AAE Size: 238475MB BusType: 3
    15:31:25.718 Disk 0 MBR read successfully
    15:31:25.718 Disk 0 MBR scan
    15:31:25.718 Disk 0 unknown MBR code
    15:31:25.734 Disk 0 Partition 1 00 12 Compaq diag MSWIN4.1 4996 MB offset 63
    15:31:25.750 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 224996 MB offset 10233405
    15:31:25.765 Disk 0 Partition 3 00 0C FAT32 LBA MSWIN4.1 8479 MB offset 471025800
    15:31:25.796 Disk 0 scanning sectors +488392065
    15:31:25.875 Disk 0 scanning C:\WINDOWS\system32\drivers
    15:31:30.828 Service scanning
    15:31:32.046 Modules scanning
    15:31:39.500 Disk 0 trace - called modules:
    15:31:39.531 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    15:31:39.531 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ab0cab8]
    15:31:39.546 3 CLASSPNP.SYS[ba8f905b] -> nt!IofCallDriver -> \Device\00000071[0x8ab9d418]
    15:31:39.546 5 ACPI.sys[ba77f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x8aaf6940]
    15:31:39.546 Scan finished successfully
    15:32:00.406 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Raymond Green\Desktop\MBR.dat"
    15:32:00.437 The log file has been saved successfully to "C:\Documents and Settings\Raymond Green\Desktop\aswMBR.txt"

  9. #29
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default



    How are things running now ?
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  10. #30
    Senior Member
    Join Date
    Oct 2009
    Posts
    100

    Default

    Running very well.
    The computer seems to be back to its pre-virus status.
    Boot-up times as well.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •