marquisdeloth

unable to launch exe files


Did everything. Let me know if I am missing anything.

Thanks

----a-w- 14,336 2008-04-14 00:12:36 C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe

----a-w- 14,336 2007-12-13 06:04:52 C:\WINDOWS\system32\svchost.exe

-c--a-w- 14,336 2007-12-13 06:04:52 C:\WINDOWS\system32\dllcache\svchost.exe

-c--a-w- 14,336 2007-12-13 06:04:52 C:\WINDOWS\system32\dllcache\cache\svchost.exe

 

Entries: 4 (4)

Directories: 0 Files: 4

Bytes: 57,344 Blocks: 112


That went ok :P

 

Show hidden files

-----------------

* Click Start.

* Open My Computer.

* Select the Tools menu and click Folder Options.

* Select the View Tab.

* Under the Hidden files and folders heading select Show hidden files and folders.

* Uncheck the Hide protected operating system files (recommended) option.

* Click Yes to confirm.

* Click OK.

 

 

Upload the following files to VirusTotal and post back the results or links to the results:

C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe

C:\WINDOWS\system32\svchost.exe

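Added example (the editor's, not code from this thread, from ComboFix or from DDS): the hash check the helper asks for above can be done locally before anything is uploaded. The script hashes several copies of one binary and reports which ones disagree with a reference copy, and it also parses the Sigcheck lines ComboFix prints later in this thread (`[flag] date time size MD5 path`) so copies can be grouped by MD5 and the odd one out spotted. The sample Sigcheck text is copied from the ComboFix log in this thread; the files written in `demo()` are constructed stand-ins for the svchost.exe copies, and the meaning of ComboFix's bracketed flag is not interpreted. One caveat worth keeping in mind: after an FCopy the system32, dllcache and SoftwareDistribution copies agree with each other because two of them were overwritten from the third, so agreement between them proves nothing on its own; the source copy still has to be checked against a hash you trust (VirusTotal or a known-good file).

```python
r"""Hash-compare copies of one Windows system binary (added example).

Parses ComboFix "Sigcheck" lines such as
    [-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe
groups the copies by MD5, and hashes files on disk the same way so a set of
copies can be checked against one reference copy.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"                      # ComboFix's bracketed marker, kept verbatim
    r"(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"    # file timestamp
    r"(?P<size>\d+)\s+"                              # size in bytes
    r"(?P<md5>[0-9A-Fa-f]{32})\s+"                   # MD5 hex digest
    r"(?P<path>\S.*?)\s*$"                           # path, trailing blanks dropped
)

# Sigcheck lines copied from the ComboFix log in this thread (constructed sample input)
SAMPLE_SIGCHECK = r"""
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\svchost.exe
[7] 2007-12-13 06:04 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\dllcache\cache\svchost.exe
"""


def parse_sigcheck(text):
    """Return one dict (flag, date, size, md5, path) per Sigcheck line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["size"] = int(row["size"])
            row["md5"] = row["md5"].upper()
            rows.append(row)
    return rows


def group_by_md5(rows):
    """Map each MD5 to the paths carrying it; a single key means every copy agrees."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["md5"]].append(row["path"])
    return dict(groups)


def disagreeing_copies(rows):
    """Paths whose hash differs from the most common one (empty list if all copies agree)."""
    groups = group_by_md5(rows)
    if len(groups) <= 1:
        return []
    majority = max(groups, key=lambda h: len(groups[h]))
    return [p for h, paths in groups.items() if h != majority for p in paths]


def hash_file(path, algo="md5"):
    """Upper-case hex digest of a file (upper-case to match ComboFix's output), read in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def compare_to_reference(paths, reference, algo="md5"):
    """Hash each path and record whether it matches the reference copy: {path: (digest, match)}."""
    ref = hash_file(reference, algo)
    result = {}
    for p in paths:
        digest = hash_file(p, algo)
        result[p] = (digest, digest == ref)
    return result


def demo():
    """Write two identical and one differing 14,336-byte stand-in files (constructed data) and compare them."""
    d = tempfile.mkdtemp()
    reference = os.path.join(d, "dllcache_svchost.exe")
    same = os.path.join(d, "system32_svchost.exe")
    different = os.path.join(d, "download_svchost.exe")
    with open(reference, "wb") as f:
        f.write(b"MZ" + b"\x00" * 14334)
    with open(same, "wb") as f:
        f.write(b"MZ" + b"\x00" * 14334)
    with open(different, "wb") as f:
        f.write(b"MZ" + b"\x00" * 14333 + b"\x01")   # one byte differs
    return compare_to_reference([same, different], reference)


if __name__ == "__main__":
    rows = parse_sigcheck(SAMPLE_SIGCHECK)
    for md5, paths in group_by_md5(rows).items():
        print(md5, len(paths), "copies")
    print("disagreeing:", disagreeing_copies(rows))
    for path, (digest, ok) in demo().items():
        print("match   " if ok else "MISMATCH", digest, path)
```

For real files, pass the copy you already trust (for example the one VirusTotal has confirmed) as `reference` and every other copy in `paths`; switch `algo` to `"sha256"` when comparing against published SHA-256 values, since MD5 collisions are cheap to construct and it is only kept here to line up with what ComboFix prints.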

Hi again,

 

Open notepad and copy/paste the text in the quotebox below into it:

 

FCopy::
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe | C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe | C:\WINDOWS\system32\dllcache\svchost.exe

 

 

Save this as CFScript

 

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

 

[image: CFScriptB-4.gif]

 

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.

Then post the resultant log & fresh dds.txt contents.


Hi,

Here you go!

ComboFix 09-07-29.03 - Mandrew 08/03/2009 21:39.3.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.768.568 [GMT -5:00]

Running from: c:\documents and settings\Mandrew\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Mandrew\Desktop\CFScript.txt

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

.

--------------- FCopy ---------------

 

c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe --> c:\windows\system32\svchost.exe

c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe --> c:\windows\system32\dllcache\svchost.exe

.

((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))

.

 

2009-07-29 02:17 . 2009-07-29 02:17 -------- d--h--w- c:\windows\$hf_mig$

2009-07-29 00:43 . 2009-07-29 00:43 -------- d-----w- c:\program files\Trend Micro

2009-07-28 01:33 . 2009-07-28 01:33 286208 ----a-w- C:\somethingElse.com.exe

2009-07-26 16:08 . 2009-07-29 07:59 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}

2009-07-26 16:08 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe

2009-07-26 16:06 . 2009-07-26 16:06 -------- d-----w- c:\program files\Lavasoft

2009-07-26 16:06 . 2009-07-26 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-07-12 18:21 . 2009-07-12 18:21 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2009-07-11 18:32 . 2008-10-16 19:06 208744 ----a-w- c:\windows\system32\muweb.dll

2009-07-11 18:32 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-02 20:35 . 2006-05-23 18:51 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-01 17:03 . 2009-03-22 19:59 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-08-01 17:03 . 2006-03-23 04:22 -------- d-----w- c:\program files\Java

2009-07-29 01:14 . 2006-02-15 18:06 64384 ----a-w- c:\documents and settings\Mandrew\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-22 13:05 . 2006-05-16 19:46 -------- d-----w- c:\docume~1\Mandrew\APPLIC~1\Lavasoft

2009-06-30 18:31 . 2009-06-30 18:31 -------- d-----w- c:\docume~1\Mandrew\APPLIC~1\Sibelius Software

2009-06-30 18:27 . 2009-06-30 18:26 -------- d-----w- c:\program files\Musicnotes

2009-06-26 16:18 . 2004-08-04 12:00 659456 ----a-w- c:\windows\system32\wininet.dll

2009-06-26 16:18 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-06-16 14:55 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-03 19:27 . 2004-08-04 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll

2009-05-27 00:50 . 2009-05-31 15:16 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\yupdater.exe

2009-05-26 12:01 . 2009-01-31 22:31 26352 ----a-w- c:\windows\system32\drivers\vet-filt.sys

2009-05-26 12:01 . 2009-01-31 22:31 21488 ----a-w- c:\windows\system32\drivers\vetfddnt.sys

2009-05-26 12:01 . 2009-01-31 22:31 21104 ----a-w- c:\windows\system32\drivers\vet-rec.sys

2009-05-26 12:01 . 2009-01-31 22:31 161008 ----a-w- c:\windows\system32\drivers\vetmonnt.sys

2009-05-07 15:44 . 2004-08-04 12:00 344064 ----a-w- c:\windows\system32\localspl.dll

2009-02-23 03:14 . 2009-02-23 03:14 3861671 ----a-w- c:\program files\FileZilla_3.2.2.1_win32-setup.exe

2006-10-12 00:58 . 2006-10-12 00:50 21290704 ----a-w- c:\program files\AdbeRdr708_en_US.exe

2006-10-12 00:50 . 2006-10-12 00:46 7050552 ----a-w- c:\program files\psa30se_en_us.exe

2006-10-12 00:46 . 2006-10-12 00:46 762512 ----a-w- c:\program files\ytb612_efgsip.exe

2009-07-22 11:47 . 2009-03-18 13:12 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

.

 

------- Sigcheck -------

 

[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe

[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe

[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\svchost.exe

[7] 2007-12-13 06:04 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\dllcache\cache\svchost.exe

.

((((((((((((((((((((((((((((( [email protected]_04.14.51 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-03 23:30 . 2009-08-03 23:30 16384 c:\windows\Temp\Perflib_Perfdata_75c.dat

- 2009-03-22 19:59 . 2009-03-22 19:55 148888 c:\windows\system32\javaws.exe

+ 2009-08-01 17:04 . 2009-08-01 17:03 148888 c:\windows\system32\javaws.exe

+ 2009-08-01 17:04 . 2009-08-01 17:03 144792 c:\windows\system32\javaw.exe

- 2009-03-22 19:59 . 2009-03-22 19:55 144792 c:\windows\system32\javaw.exe

+ 2009-08-01 17:04 . 2009-08-01 17:03 144792 c:\windows\system32\java.exe

- 2009-03-22 19:59 . 2009-03-22 19:55 144792 c:\windows\system32\java.exe

+ 2009-08-01 17:03 . 2009-08-01 17:03 1563648 c:\windows\Installer\52d1e.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-10-24 655360]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-05 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-07-15 58992]

"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-02-16 100056]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-02 180269]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-23 282624]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-01 148888]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2009-1-17 884838]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Native Instruments\\Absynth 3 Demo\\Absynth 3 Demo.exe"=

 

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]

R3 atirage;atirage;c:\windows\system32\drivers\atiragem.sys [2/15/2006 6:36 AM 70528]

R3 US122;US122 Driver;c:\windows\system32\drivers\US122.sys [9/17/2007 10:17 AM 215708]

R3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\drivers\US122Wdm.sys [9/17/2007 10:17 AM 84092]

R3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\drivers\uts_bus.sys [1/24/2009 1:56 PM 84352]

R3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\drivers\uts_mdfl.sys [1/24/2009 1:56 PM 14976]

R3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\drivers\uts_mdm.sys [1/24/2009 1:56 PM 110848]

R3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\uts_serd.sys [1/24/2009 1:56 PM 90880]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [1/17/2009 6:34 PM 17149]

S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [1/31/2009 5:31 PM 185584]

S3 US122DL;US122 Firmware Downloader;c:\windows\system32\drivers\US122DL.sys [9/17/2007 10:17 AM 17263]

S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [1/17/2009 6:34 PM 362944]

.

Contents of the 'Scheduled Tasks' folder

 

2009-05-31 c:\windows\Tasks\CAAntiSpywareScan_Daily as Mandrew at 2 31 PM.job

- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2009-01-31 22:53]

 

2009-08-03 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-03-25 03:18]

.

- - - - ORPHANS REMOVED - - - -

 

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

 

 

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

LSP: c:\windows\system32\VetRedir.dll

FF - ProfilePath - c:\docume~1\Mandrew\APPLIC~1\Mozilla\Firefox\Profiles\5lmuyfc6.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPinfotl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

 

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-03 21:48

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(1244)

c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

 

- - - - - - - > 'lsass.exe'(1444)

c:\windows\system32\VetRedir.dll

c:\windows\system32\ISafeIf.dll

 

- - - - - - - > 'explorer.exe'(624)

c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll

c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-08-04 21:52

ComboFix-quarantined-files.txt 2009-08-04 02:51

ComboFix2.txt 2009-08-01 14:39

ComboFix3.txt 2009-08-01 04:18

 

Pre-Run: 30,396,190,720 bytes free

Post-Run: 30,432,374,784 bytes free

 

166 --- E O F --- 2009-07-29 08:05

DDS (Ver_09-06-26.01) - NTFSx86

Run by Mandrew at 21:52:54.44 on Mon 08/03/2009

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.768.508 [GMT -5:00]

 

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\HP\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\NETGEAR\WPN111\wpn111.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Mandrew\Desktop\dds.com

 

============== Pseudo HJT Report ===============

 

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: c:\windows\system32\VetRedir.dll

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://www.teammbi.com/Remote/msrdp.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\mandrew\applic~1\mozilla\firefox\profiles\5lmuyfc6.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

 

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

 

R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-1-31 26352]

R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-1-31 21104]

R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-1-31 880560]

R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-1-31 21488]

R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-1-31 161008]

R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2009-1-31 144696]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-8-27 198256]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-8-27 181872]

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-1-31 255216]

R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]

R3 atirage;atirage;c:\windows\system32\drivers\atiragem.sys [2006-2-15 70528]

R3 US122;US122 Driver;c:\windows\system32\drivers\US122.sys [2007-9-17 215708]

R3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\drivers\US122Wdm.sys [2007-9-17 84092]

R3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\drivers\uts_bus.sys [2009-1-24 84352]

R3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\drivers\uts_mdfl.sys [2009-1-24 14976]

R3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\drivers\uts_mdm.sys [2009-1-24 110848]

R3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\uts_serd.sys [2009-1-24 90880]

R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-1-31 108368]

S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2004-8-30 66688]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-27 79472]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-1-17 17149]

S3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2009-1-31 185584]

S3 US122DL;US122 Firmware Downloader;c:\windows\system32\drivers\US122DL.sys [2007-9-17 17263]

S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2009-1-17 362944]

 

=============== Created Last 30 ================

 

2009-08-03 21:37 219,648 a------- c:\windows\PEV.exe

2009-08-03 21:37 161,792 a------- c:\windows\SWREG.exe

2009-08-03 21:37 98,816 a------- c:\windows\sed.exe

2009-08-01 21:52 54,156 a---h--- c:\windows\QTFont.qfn

2009-08-01 21:52 1,409 a------- c:\windows\QTFont.for

2009-08-01 12:04 73,728 a------- c:\windows\system32\javacpl.cpl

2009-07-31 23:15 <DIR> -cd----- c:\windows\system32\dllcache\cache

2009-07-29 19:42 <DIR> a-dshr-- C:\cmdcons

2009-07-28 21:17 <DIR> --d-h--- c:\windows\$hf_mig$

2009-07-28 19:43 <DIR> --d----- c:\program files\Trend Micro

2009-07-27 20:33 286,208 a------- C:\somethingElse.com.exe

2009-07-26 11:08 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}

2009-07-26 11:06 <DIR> --d----- c:\program files\Lavasoft

2009-07-21 20:25 3,255 a------- c:\windows\system32\wbem\Outlook_01ca0a6b3e9cc470.mof

2009-07-19 10:04 3,255 a------- c:\windows\system32\wbem\Outlook_01ca088235b33660.mof

2009-07-12 13:21 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2

2009-07-11 13:32 208,744 a------- c:\windows\system32\muweb.dll

2009-07-11 13:32 27,496 a------- c:\windows\system32\mucltui.dll.mui

2009-07-11 13:32 268,648 a------- c:\windows\system32\mucltui.dll

 

==================== Find3M ====================

 

2009-08-01 12:03 410,984 a------- c:\windows\system32\deploytk.dll

2009-06-26 11:18 659,456 a------- c:\windows\system32\wininet.dll

2009-06-26 11:18 81,920 a------- c:\windows\system32\ieencode.dll

2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll

2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll

2009-06-03 14:27 1,290,752 a------- c:\windows\system32\quartz.dll

2009-05-07 10:44 344,064 a------- c:\windows\system32\localspl.dll

2009-02-22 22:14 3,861,671 a------- c:\program files\FileZilla_3.2.2.1_win32-setup.exe

2006-10-11 19:58 21,290,704 a------- c:\program files\AdbeRdr708_en_US.exe

2006-10-11 19:50 7,050,552 a------- c:\program files\psa30se_en_us.exe

2006-10-11 19:46 762,512 a------- c:\program files\ytb612_efgsip.exe

 

============= FINISH: 21:53:33.73 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

 

DDS (Ver_09-06-26.01)

 

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 2/15/2006 2:00:20 PM

System Uptime: 8/3/2009 6:30:03 PM (3 hours ago)

 

Motherboard: Intel Corporation | | SE440BX-3

Processor: Intel Pentium III processor | J4J1 | 848/100mhz

 

==== Disk Partitions =========================

 

C: is FIXED (NTFS) - 49 GiB total, 28.363 GiB free.

D: is FIXED (NTFS) - 100 GiB total, 64.415 GiB free.

E: is FIXED (FAT32) - 37 GiB total, 5.419 GiB free.

F: is CDROM ()

 

==== Disabled Device Manager Items =============

 

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}

Description: PS/2 Compatible Mouse

Device ID: ACPI\PNP0F13\5&2920B891&0

Manufacturer: Microsoft

Name: PS/2 Compatible Mouse

PNP Device ID: ACPI\PNP0F13\5&2920B891&0

Service: i8042prt

 

==== System Restore Points ===================

 

RP635: 7/27/2009 10:16:20 PM - System Checkpoint

RP636: 7/29/2009 12:28:10 AM - System Checkpoint

RP637: 7/29/2009 3:01:00 AM - Software Distribution Service 3.0

RP638: 7/29/2009 7:34:21 PM - ComboFix created restore point

RP639: 8/1/2009 9:19:47 AM - ComboFix created restore point

RP640: 8/1/2009 11:38:05 AM - Removed Adobe Reader 7.0.8

RP641: 8/1/2009 11:51:19 AM - Removed Java 6 Update 12

RP642: 8/1/2009 12:03:33 PM - Installed Java 6 Update 14

RP643: 8/2/2009 4:58:39 PM - System Checkpoint

 

==== Installed Programs ======================

 

4200

4200_Help

4200Tour

4200Trb

4Front E-Piano Module 1.0 VSTi

4Front Piano Module 1.0 VSTi

4Front Rhode 1.0 VSTi

Ad-Aware

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe® Photoshop® Album Starter Edition 3.0

AiO_Scan

AIOMinimal

AiOSoftware

CA Anti-Spyware

CA Anti-Virus

CA Internet Security Suite

CA Pest Patrol Realtime Protection

ccCommon

Copy

CreativeProjects

Critical Update for Windows Media Player 11 (KB959772)

CSi STARTER-Reason

daHornet Version 1.34

Director

DocProc

Dolet Light for Finale

Easy CD Creator 5 Basic

Fax

FileZilla Client 3.2.2.1

Finale 2000

Finale 2003

HijackThis 2.0.2

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB926239)

Hotfix for Windows XP (KB952287)

HP Image Zone 3.5

HP PSC & OfficeJet 3.5

HP Software Update

HPSystemDiagnostics

InstantShare

Intel® 536EP Modem

Java 6 Update 14

Lernout & Hauspie TruVoice American English TTS Engine

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Office Professional Edition 2003

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft WSE 2.0 SP3 Runtime

Mozilla Firefox (3.0.12)

MSN

Native Instruments Absynth 3 Demo

NETGEAR RangeMax Wireless USB 2.0 Adapter WPN111

Norton Internet Security

Norton WMI Update

Overland

PhotoGallery

PrintScreen

QFolder

QuickLink Mobile

QuickProjects

QuickTime

Readme

RealPlayer

Scan

Security Update for CAPICOM (KB931906)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896422)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899589)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB905915)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB908531)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911567)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912812)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913446)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB916281)

Security Update for Windows XP (KB917159)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918118)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB918899)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920214)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921398)

Security Update for Windows XP (KB921503)

Security Update for Windows XP (KB921883)

Security Update for Windows XP (KB922616)

Security Update for Windows XP (KB922760)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923694)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB924667)

Security Update for Windows XP (KB925454)

Security Update for Windows XP (KB925486)

Security Update for Windows XP (KB925902)

Security Update for Windows XP (KB926255)

Security Update for Windows XP (KB926436)

Security Update for Windows XP (KB927779)

Security Update for Windows XP (KB927802)

Security Update for Windows XP (KB928090)

Security Update for Windows XP (KB928255)

Security Update for Windows XP (KB928843)

Security Update for Windows XP (KB929123)

Security Update for Windows XP (KB929969)

Security Update for Windows XP (KB930178)

Security Update for Windows XP (KB931261)

Security Update for Windows XP (KB931768)

Security Update for Windows XP (KB931784)

Security Update for Windows XP (KB932168)

Security Update for Windows XP (KB933566)

Security Update for Windows XP (KB933729)

Security Update for Windows XP (KB935839)

Security Update for Windows XP (KB935840)

Security Update for Windows XP (KB936021)

Security Update for Windows XP (KB937143)

Security Update for Windows XP (KB937894)

Security Update for Windows XP (KB938127)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB938829)

Security Update for Windows XP (KB939653)

Security Update for Windows XP (KB941202)

Security Update for Windows XP (KB941568)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB942615)

Security Update for Windows XP (KB943460)

Security Update for Windows XP (KB944338-v2)

Security Update for Windows XP (KB944653)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB963027)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969897)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB973346)

Setup

Sibelius Scorch Plugin 5.2.5.48

SkinsHP1

SkinsHP2

Sonic Foundry Sound Forge 6.0b

SPBBC

Steinberg Cubase SX

Symantec Network Drivers Update

Symantec Script Blocking Installer

SymNet

TrayApp

Unload

Update for Windows XP (KB894391)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB910437)

Update for Windows XP (KB911280)

Update for Windows XP (KB916595)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Update for Windows XP (KB927891)

Update for Windows XP (KB929338)

Update for Windows XP (KB930916)

Update for Windows XP (KB931836)

Update for Windows XP (KB933360)

Update for Windows XP (KB936357)

Update for Windows XP (KB938828)

Update for Windows XP (KB942763)

Update for Windows XP (KB942840)

Update for Windows XP (KB946627)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

US-122

UTStarcom USB Modem Software

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

Wave Arts FinalPlug

WebFldrs XP

WebReg

Winamp (remove only)

Windows Genuine Advantage Notifications (KB905474)

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885250

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB887472

Windows XP Hotfix - KB887742

Windows XP Hotfix - KB888113

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB891781

Yahoo! extras

Yahoo! Install Manager

Yahoo! Internet Mail

Yahoo! Messenger

Yahoo! Software Update

Yahoo! Toolbar

 

==== Event Viewer Messages From Past Week ========

 

8/3/2009 9:43:29 PM, information: Windows File Protection [64005] - The protected system file svchost.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Mandrew. The file version of the bad file is 5.1.2600.5512.

8/2/2009 8:51:36 AM, error: SideBySide [59] - Generate Activation Context failed for C:\unzipped\[4]-Submit_2009-08-01_09.20.43\desot.exe. Reference error message: The operation completed successfully. .

8/1/2009 9:29:19 AM, error: Service Control Manager [7034] - The AntipyPro_12 service terminated unexpectedly. It has done this 1 time(s).

7/31/2009 7:23:45 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.

7/31/2009 11:04:33 PM, error: Service Control Manager [7016] - The AntipyPro_12 service has reported an invalid current state 0.

7/29/2009 7:45:15 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

7/29/2009 2:16:32 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .

7/29/2009 2:16:32 AM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\desot.exe. Reference error message: The operation completed successfully. .

7/29/2009 2:16:32 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

7/29/2009 1:43:20 AM, error: System Error [1003] - Error code 1000000a, parameter1 00000001, parameter2 00000002, parameter3 00000001, parameter4 804dc11d.

7/27/2009 8:40:14 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD cdudf_xp Fips IPSec MRxSmb NetBIOS NetBT P3 RasAcd Rdbss SYMTDI Tcpip Tcpip6 VET-FILT VET-REC VETEFILE VETMONNT

7/27/2009 8:40:14 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

7/27/2009 8:40:14 PM, error: Service Control Manager [7001] - The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

7/27/2009 8:40:14 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

7/27/2009 8:40:14 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

7/27/2009 8:40:14 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

7/27/2009 8:39:51 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

7/27/2009 8:39:28 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

7/27/2009 8:39:26 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

7/27/2009 6:54:57 AM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk0\D.

7/27/2009 6:54:57 AM, error: atapi [5] - A parity error was detected on \Device\Ide\IdePort1.

 

==== End Of File ===========================


That looks pretty good. How's the system running?


It seems to run pretty well.

Is it fixed ?

Just kidding.

Is there any any maintenance I can do ?

I will stay away from bit torrent.

Any other advice ?

If I run into any other problems, should I try some of the stuff you showed me ?

Questions, questions ...

Thanks so much for helping me. Should I send you a check ? :)


Hi,

 

The following post should cover most of those questions you asked there :)

 

Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.

 

 

THESE STEPS ARE VERY IMPORTANT

 

Let's reset system restore

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

 

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

 

2. Reboot.

 

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

NOTE: only do this ONCE, NOT on a regular basis

 

 

Now let's uninstall ComboFix:

  • Click START then RUN
  • Now copy-paste Combofix /u in the runbox and click OK

Next we remove all used tools.

 

Please download OTC and save it to desktop.

  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

 

 

UPDATING WINDOWS AND INTERNET EXPLORER

 

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

 

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

 

 

Make your Internet Explorer more secure

 

This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

 

 

 

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!

    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here

    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:



    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok

 

Just a final reminder for you. I am trying to stress these two points.

UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.

Make sure all of your security programs are up to date.

Run the spybot and adaware regularly. (Once or twice a week minimum.)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

 

 

Once again, please post and tell me how things are going with your system... problems etc.

 

Have a great day,

Blade :)

 

 

Should I send you a check ?

You may donate to some charity of your choice if you wish :)

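A scripted way to apply the six Internet-zone settings listed in the post above, as an added example that is not part of the original post. It uses reg.exe on the current user's Zones\3 (Internet zone) key and shows the values before and after so the change can be reviewed; the numeric value names and the 0 = Enable / 1 = Prompt / 3 = Disable meanings are taken from Microsoft's published zone-settings registry reference and are stated here as assumptions, not from the thread:

```batch
@echo off
rem Added example (not from the original post): apply the six Internet-zone
rem settings from the post with reg.exe instead of the Internet Options dialog.
rem Assumption: the value names below are the IE zone-action IDs from
rem Microsoft's zone registry reference; data 0 = Enable, 1 = Prompt, 3 = Disable.
setlocal
set ZONE=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

rem Show the current values first so the change is reviewable.
echo Before:
for %%V in (1001 1004 1201 1800 1804 1607) do reg query "%ZONE%" /v %%V

rem Download signed ActiveX controls               -> Prompt
reg add "%ZONE%" /v 1001 /t REG_DWORD /d 1 /f >nul
rem Download unsigned ActiveX controls             -> Disable
reg add "%ZONE%" /v 1004 /t REG_DWORD /d 3 /f >nul
rem Initialize and script ActiveX not marked safe  -> Disable
reg add "%ZONE%" /v 1201 /t REG_DWORD /d 3 /f >nul
rem Installation of desktop items                  -> Prompt
reg add "%ZONE%" /v 1800 /t REG_DWORD /d 1 /f >nul
rem Launching programs and files in an IFRAME      -> Prompt
reg add "%ZONE%" /v 1804 /t REG_DWORD /d 1 /f >nul
rem Navigate sub-frames across different domains   -> Prompt
reg add "%ZONE%" /v 1607 /t REG_DWORD /d 1 /f >nul

echo After:
for %%V in (1001 1004 1201 1800 1804 1607) do reg query "%ZONE%" /v %%V
endlocal
```

Save it as a .bat and run it as the user who browses. The settings are per user (HKCU), Internet Explorer has to be restarted to pick them up, and pressing Default level in the Security tab later puts the zone back to its stock values, so re-run the script after that.

Scripting the hosts-file and DNS Client steps from the same post, also as an added example and not the poster's own instructions. The two blocked host names are constructed placeholders (the hosts file you download supplies the real list), and the service name dnscache is assumed to be the service shown as DNS Client in services.msc:

```batch
@echo off
rem Added example (not from the original post): install hosts-file block
rem entries and switch the DNS Client service to manual, as the post describes.
rem The two host names are constructed placeholders.
setlocal
set HOSTS=%SystemRoot%\system32\drivers\etc\hosts

rem 0. Review what is already there: any entry that is not a comment and does not
rem    point at 0.0.0.0 or 127.0.0.1 sends a name somewhere else and deserves a look,
rem    because redirecting update and security sites in hosts is a common malware trick.
echo Existing entries that do not point at localhost:
findstr /v /b /c:"#" "%HOSTS%" | findstr /v /c:"0.0.0.0" /c:"127.0.0.1" | findstr /r /v "^$"

rem 1. Keep a backup so the change can be undone, and clear read-only/hidden
rem    attributes that would make the append fail silently.
if not exist "%HOSTS%.bak" copy "%HOSTS%" "%HOSTS%.bak" >nul
attrib -r -h "%HOSTS%"

rem 2. Append block entries. A hosts line always wins over a DNS lookup, and
rem    0.0.0.0 fails faster than 127.0.0.1 because nothing is listening there.
echo.>> "%HOSTS%"
echo # --- blocked entries added by addhosts.bat --->> "%HOSTS%"
echo 0.0.0.0 ads.example.net>> "%HOSTS%"
echo 0.0.0.0 tracker.example.org>> "%HOSTS%"

rem 3. A large hosts file makes the DNS Client cache slow to load; set the
rem    service to manual (the post's "automatic to manual" step) and stop it.
rem    Name resolution still works without it, just without caching.
sc config dnscache start= demand
sc stop dnscache

rem 4. Verify: a blocked name must now resolve to 0.0.0.0.
ping -n 1 ads.example.net
endlocal
```

The ping at the end is the check: its first line should read "Pinging ads.example.net [0.0.0.0]". If it shows a real address, the hosts file was not written (attributes, wrong path) or the name is being resolved elsewhere.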

When I try to turn off my System Restore I go to the desktop - right-click on My Computer - Properties, and the only tabs I see are General and Shortcut. There is no System Restore tab.


Hi,

 

Go to C:\WINDOWS\inf folder and see if sr.inf file exists. If it does, right click it and select install. Then see if the tab is still missing. Let me know how that goes.


I went to the windows\inf folder and found an sr file (type is a setup information file, 5kb) - did an install, and a window popped up asking for a file: "the file sr.sys on windows xp prof service pack 2 cd is needed", then it asked me to browse. I put in the CD and found some file, and it installed and rebooted, but when I went to My Computer and right-clicked - no tab.

I guess that sr file wasn't an inf file ? Hence the sr.sys message ?

I don't know.


Hi,

 

Sounds like you did it correctly.

 

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.

regedit /a c:\regResults.txt "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore"

del %0

Double-click on fixes.bat file to execute it. c:\regResults.txt file should be generated. Please attach it to your post.


I ran this 2 times. A DOS window popped up and disappeared. I looked under my C drive and did not find c:\regResults.txt.

I looked on my desktop and other drives too, but no c:\regResults.txt


Hi,

 

Click start->run->write regedit and click ok.

 

Registry editor will open. Click File->Export->select Selected branch as export range and copy paste HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore in the textbox. In file name textbox write "c:\registryexport.txt" and set save as type to All Files.

 

See if c:\registryexport.txt file exists after that operation.


I think this is it ?

 

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR"=dword:00000000

"CreateFirstRunRp"=dword:00000001

"DSMin"=dword:000000c8

"DSMax"=dword:00000190

"RPSessionInterval"=dword:00000000

"RPGlobalInterval"=dword:00015180

"RPLifeInterval"=dword:0076a700

"CompressionBurst"=dword:0000003c

"TimerInterval"=dword:00000078

"DiskPercent"=dword:0000000c

"ThawInterval"=dword:00000384

"RestoreDiskSpaceError"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Cfg]

"DiskPercent"=dword:0000000c

"MachineGuid"="{0F4BF90F-72A0-49A9-A811-690DF2979976}"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SnapshotCallbacks]

@=""


That looks ok. Now, please export this branch in the same way (you may overwrite previous c:\registryexport.txt file): HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore


Here you go

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR"=dword:00000000

"CreateFirstRunRp"=dword:00000001

"DSMin"=dword:000000c8

"DSMax"=dword:00000190

"RPSessionInterval"=dword:00000000

"RPGlobalInterval"=dword:00015180

"RPLifeInterval"=dword:0076a700

"CompressionBurst"=dword:0000003c

"TimerInterval"=dword:00000078

"DiskPercent"=dword:0000000c

"ThawInterval"=dword:00000384

"RestoreDiskSpaceError"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Cfg]

"DiskPercent"=dword:0000000c

"MachineGuid"="{0F4BF90F-72A0-49A9-A811-690DF2979976}"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SnapshotCallbacks]

@=""


Hi,

 

You used same branch as on the first case. For this second one you have to export HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore.


I put this HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore in the selected branch and saved

as ALL FILES as c:\registryexport.txt file and got this message:

 

"The selected branch does not exist. Make sure that the correct path is given"


Hi,

 

See if you're able to access system restore this way but don't do anything else:

Click Start->All Programs->Accessories->System Tools->System Restore

 

Let me know if system restore window opens without errors.


Hi,

 

1. Run the Group Policy Editor (click start->run->write gpedit.msc and click ok)

2. Go to Computer Configuration / Administrative Templates / System / System Restore

3. Set Turn off System Restore and Turn off Configuration to Disable

4. Right click on My Computer

5. Select Manage

6. Go to Services and Applications / Services

7. Scroll down to System Restore Service

8. Set it for Automatic

9. Click on the Start button to start the service

10. Close down this window

11. Go back to the Group Policy Editor and configure both to Not configured.

 

See if system restore tab appears in properties window now.

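One report that covers what the earlier fixes.bat export post and the gpedit/services steps above check by hand, written as an added example that is not from the thread. It assumes that the two gpedit settings write the values DisableSR and DisableConfig under the Policies branch, that the System Restore Service is srservice and its filter driver is sr, and that regedit produces no output file for a branch that does not exist (which is what the "selected branch does not exist" message earlier in the thread reports), so it tests for the policy key explicitly instead of exporting it. It also opens System Properties through sysdm.cpl: a Properties dialog that shows only General and Shortcut tabs is the property sheet of a shortcut, not of the system, so going through the control panel applet sidesteps whichever desktop icon was right-clicked.

```batch
@echo off
rem Added example (not from the thread): collect the System Restore state that
rem the posts above check by hand into one report, then open System Properties.
rem Assumptions: DisableSR / DisableConfig under the Policies branch are the
rem registry targets of the two gpedit settings; srservice is the System Restore
rem Service and sr is its filter driver.
setlocal
set OUT=c:\srcheck.txt
set CFG=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
set POL=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore

echo === System Restore check %DATE% %TIME% ===> "%OUT%"

echo.>> "%OUT%"
echo --- Configuration branch: DisableSR 0x0 = enabled, 0x1 = turned off --->> "%OUT%"
reg query "%CFG%" /v DisableSR >> "%OUT%" 2>&1

echo.>> "%OUT%"
echo --- Policy branch: absent is normal; DisableSR / DisableConfig 0x1 hide the tab --->> "%OUT%"
rem reg.exe sets errorlevel 1 when the key is missing; regedit /a or /e would just
rem write nothing, which is why the earlier export produced no file.
reg query "%POL%" >> "%OUT%" 2>&1
if errorlevel 1 echo No policy key: Group Policy is not disabling System Restore.>> "%OUT%"

echo.>> "%OUT%"
echo --- Service and driver state (START_TYPE 2 = automatic, STATE 4 = running) --->> "%OUT%"
sc qc srservice >> "%OUT%" 2>&1
sc query srservice >> "%OUT%" 2>&1
sc query sr >> "%OUT%" 2>&1

rem Open the real System Properties sheet rather than whatever icon is on the desktop.
control sysdm.cpl
notepad "%OUT%"
endlocal
```

Read the report top to bottom: DisableSR 0x0 in the configuration branch plus "No policy key" plus srservice RUNNING and sr RUNNING means nothing in the registry or the service layer is turning System Restore off. If the tab is still missing in the dialog that control sysdm.cpl opens, the problem is not one of the things the gpedit and services steps change; if that dialog does show the tab, the desktop icon that was being right-clicked was a shortcut.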

I got to step 8 and noticed it was already set for automatic. I hit restart and followed the steps as stated.

I went to My Computer and there was no System Restore. :(

Am I doing something wrong ?


Did you follow those other steps after step 8 too? Please attach a screenshot of the properties window.


Yes, I went through steps 1 thru 11 2x, just to be sure.

I tried to attach a screenshot of My Computer properties and it is telling me "you are not permitted to upload this type of file." I did a screenshot and pasted it into a Word doc. I tried to paste it into the body of where I am typing this text, but it won't let me.

My computer properties only has 2 tabs - Shortcut and General.

sorry

This topic is now closed to further replies.