WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93124 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

win32:sirefef-sm[trj] & win32:rootkit-gen[rtk] [Closed]

Started by portboy123 , May 08 2012 09:16 AM

This topic is locked

134 replies to this topic

#1 portboy123

Authentic Member

Authentic Member
124 posts

Posted 08 May 2012 - 09:16 AM

Hi my nephew was here over the weekend using an older sony and it got infected did a scan with avast and malware bytes and anti spyware came back with many problems so he went ahead and deleated or put them in the virus chest and now cant connect to the internet? i am doing this from another computer. Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:07:47 AM, on 5/8/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
G:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.my.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O1 - Hosts: 94.63.147.20 www.google.com
O1 - Hosts: 94.63.147.21 www.bing.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: YSPManager - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: PackageCab - http://ak.imgag.com/...tall/AxCtp2.cab
O16 - DPF: vzTCPConfig - http://www2.verizon....vzTCPConfig.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://dcode.suppor...veX/MSDcode.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - http://support.asus....ek_sys_ctrl.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://pcpitstop.com...t/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - http://cdn.scan.onec...lscbase8942.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - http://ccfiles.creat...101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1194880429139
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - http://picture.vzw.c...loadControl.cab
O16 - DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} - https://www36.verizo...l/VCAVMUtil.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O16 - DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - http://www.cvsphoto....veX_Control.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://ccfiles.creat...15112/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcp.../pcpitstop2.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: UMVPFSrv - Logitech Inc. - C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

--
End of file - 8250 bytes

Advertisements

Register to Remove

#2 jeffce

Malware Guy

Authentic Member
8,693 posts

Posted 08 May 2012 - 09:41 AM

Hi and Welcome!!

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic button to the right of your topic title and then choosing the notification method ( Recommended: Inmediate Notification)
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.

Vista and Windows 7 users:
These tools MUST be run from the executable (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.
----------

Since you can't connect to the internet with this system, you will need to transfer the tools for the time being using either a USB drive or CD.

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure the following options are checked:
- Internet Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

----------

Please download DDS from one of the following links and save it to your desktop.

- DDS.scr
- DDS.pif
Disable any script blocking protection (How to Disable your Security Programs)
Double click DDS icon to run the tool (may take up to 3 minutes to run)
When done, DDS.txt will open.
After a few moments, attach.txt will open in a second window.
Save both reports to your desktop.

---------------------------------------------------

Post the contents of the DDS.txt report in your next reply
Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

----------

Please download aswMBR to your desktop.

Double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

Click the image to enlarge it
----------

In your next reply please post both of the logs created by Farbar Service Scanner, DDS and the log created by aswMBR.exe.

#3 portboy123

Authentic Member

Authentic Member
124 posts

Posted 08 May 2012 - 12:07 PM

Hi thanks for taking the time to help. Here is the logs you requested. Farbar Service Scanner Version: 30-04-2012 01 Ran by Frank (administrator) on 08-05-2012 at 12:28:21 Running from "G:\" Microsoft Windows XP Home Edition Service Pack 3 (X86) Boot Mode: Normal **************************************************************** Internet Services: ============ Dhcp Service is not running. Checking service configuration: The start type of Dhcp service is OK. The ImagePath of Dhcp service is OK. The ServiceDll of Dhcp service is OK. NetBt Service is not running. Checking service configuration: Checking Start type: ATTENTION!=====> Unable to open NetBt registry key. The service key does not exist. Checking ImagePath: ATTENTION!=====> Unable to open NetBt registry key. The service key does not exist. Connection Status: ============== Localhost is accessible. There is no connection to network. Attempt to access Google IP returned error: Google IP is unreachable Attempt to access Yahoo IP returned error: Yahoo IP is unreachable File Check: ======== C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit ATTENTION!=====> C:\WINDOWS\system32\Drivers\netbt.sys FILE IS MISSING AND SHOULD BE RESTORED. C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit C:\WINDOWS\system32\svchost.exe => MD5 is legit C:\WINDOWS\system32\rpcss.dll => MD5 is legit C:\WINDOWS\system32\services.exe => MD5 is legit Extra List: ======= aswTdi(9) Gpc(3) IPSec(5) PSched(7) Tcpip(4) 0x0A0000000500000001000000020000000300000004000000090000000800000006000000070000 000A000000 IpSec Tag value is correct. **** End of log **** . DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 Run by Frank at 12:38:12 on 2012-05-08 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.204 [GMT -4:00] . AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D} FW: ZoneAlarm Firewall *Disabled* . ============== Running Processes =============== . C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe C:\Program Files\Alwil Software\Avast5\AvastSvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe svchost.exe C:\Program Files\SUPERAntiSpyware\SASCORE.EXE C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Alwil Software\Avast5\avastUI.exe C:\WINDOWS\system32\ctfmon.exe svchost.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\WINDOWS\system32\ntvdm.exe . ============== Pseudo HJT Report =============== . uSearch Page = uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 uWindow Title = Windows Internet Explorer provided by Yahoo! uStart Page = hxxp://www.yahoo.com/ uDefault_Page_URL = hxxp://verizon.my.yahoo.com mDefault_Page_URL = hxxp://verizon.my.yahoo.com mStart Page = hxxp://verizon.my.yahoo.com uSearchAssistant = mSearchAssistant = mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813 DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://dcode.support.microsoft.com/dcode/ActiveX/MSDcode.cab DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1319572156188 DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194880429139 DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} - hxxps://www36.verizon.com/CallAssistant/MyAccount/UnProtected/Voice%20Mail/VCAVMUtil.CAB DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15112/CTPID.cab DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll TCP: DhcpNameServer = 192.168.1.1 192.168.1.1 TCP: Interfaces\{9A7FC335-BA8A-4532-A6ED-0D8332339ED9} : DhcpNameServer = 192.168.1.1 192.168.1.1 Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12 Hosts: 94.63.147.20 www.google.com Hosts: 94.63.147.21 www.bing.com . ============= SERVICES / DRIVERS =============== . R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-16 612184] R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-8 337880] R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880] R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664] R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-1-8 20696] R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-8 44768] R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-8 654408] R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4-8 22344] S2 pctavsvc;AcronisOSSReinstallSvc;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336] S3 CA500AI;SPCA500A Still Image Capture, Sunplus Version 1.00;c:\windows\system32\drivers\bulkusb.sys --> c:\windows\system32\drivers\BULKUSB.sys [?] S3 CA500AV;CaptureView VGA;c:\windows\system32\drivers\ca500av.sys --> c:\windows\system32\drivers\CA500AV.SYS [?] S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [2003-7-10 96256] S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys --> c:\windows\system32\drivers\ivusb.sys [?] S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?] S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?] S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336] . =============== File Associations =============== . JSEFile=NOTEPAD.EXE %1 VBEFile=NOTEPAD.EXE %1 VBSFile=NOTEPAD.EXE %1 . =============== Created Last 30 ================ . 2012-05-08 14:56:09 -------- d-----w- c:\docume~1\frank\applic~1\SpeedMaxPc 2012-05-08 14:56:09 -------- d-----w- c:\docume~1\alluse~1\application data\SpeedMaxPc 2012-05-08 02:06:46 -------- d-----w- c:\docume~1\frank\applic~1\DriverCure 2012-05-07 03:19:59 711240 ----a-w- c:\windows\isRS-000.tmp . ==================== Find3M ==================== . 2012-05-07 16:55:00 0 --sha-w- c:\windows\system32\dds_trash_log.cmd 2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-03-24 15:17:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-03-22 19:12:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr 2012-03-06 23:15:19 41184 ----a-w- c:\windows\avastSS.scr 2012-03-06 23:03:51 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys 2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll 2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll 2012-03-01 11:01:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll 2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll 2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec 2010-09-05 20:27:24 203776 --sha-w- c:\windows\system32\unrar.exe . ============= FINISH: 12:40:18.77 =============== aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software Run date: 2012-05-08 12:43:49 ----------------------------- 12:43:49.985 OS Version: Windows 5.1.2600 Service Pack 3 12:43:49.985 Number of processors: 1 586 0x7 12:43:49.985 ComputerName: FRANK-SONY UserName: Frank 12:43:50.616 Initialize success 12:43:55.132 AVAST engine defs: 12050700 12:44:06.028 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 12:44:06.028 Disk 0 Vendor: ST380215A 3.AAD Size: 76319MB BusType: 3 12:44:06.048 Disk 0 MBR read successfully 12:44:06.048 Disk 0 MBR scan 12:44:06.689 Disk 0 Windows XP default MBR code 12:44:06.719 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63 12:44:07.300 Disk 0 scanning sectors +156280320 12:44:07.760 Disk 0 scanning C:\WINDOWS\system32\drivers 12:44:34.919 Service scanning 12:45:11.642 Modules scanning 12:45:39.342 Disk 0 trace - called modules: 12:45:39.352 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS rdbss.sys 12:45:39.362 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f9aab8] 12:45:39.362 3 CLASSPNP.SYS[f8696fd7] -> nt!IofCallDriver -> \Device\00000060[0x82f9ff18] 12:45:39.372 5 ACPI.sys[f85ed620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82f6a940] 12:45:40.173 AVAST engine scan C:\WINDOWS 12:45:48.795 AVAST engine scan C:\WINDOWS\system32 12:51:45.438 AVAST engine scan C:\WINDOWS\system32\drivers 12:52:36.051 AVAST engine scan C:\Documents and Settings\Frank 13:39:14.175 AVAST engine scan C:\Documents and Settings\All Users 13:48:28.692 Scan finished successfully 13:50:00.434 Disk 0 MBR has been saved successfully to "G:\MBR.dat" 13:50:00.514 The log file has been saved successfully to "G:\aswMBR.txt"

Attached Files

attach.txt 14.83KB 441 downloads
attach.txt 14.83KB 476 downloads

Edited by portboy123, 08 May 2012 - 12:32 PM.

#4 jeffce

Malware Guy

Authentic Member
8,693 posts

Posted 08 May 2012 - 01:47 PM

Hi,

Click Start > Run type Notepad click OK.
This will open an empty Notepad file.

Copy/Paste the contents of the box below into Notepad.

@echo off
regedit.exe /e "%userprofile%\Desktop\look.txt" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT"
Notepad.exe %userprofile%\Desktop\look.txt
Del look.txt
Del %0

Click Format and ensure Wordwrap is unchecked.
Save as RegExp.bat
Save as file type All Files or it won't work.
Now double click on RegExp.bat to run it.
A file look.txt will open on your Desktop, please post the contents in your next reply.

#5 portboy123

Authentic Member

Authentic Member
124 posts

Posted 08 May 2012 - 03:20 PM

Hi dont know if i got this right but here it is. G:\>CODE@echo off 'CODE@echo' is not recognized as an internal or external command, operable program or batch file. G:\>regedit.exe /e "C:\Documents and Settings\Frank\Desktop\look.txt" "HKEY_LOCA L_MACHINE\SYSTEM\CurrentControlSet\services\NetBT" G:\>Notepad.exe C:\Documents and Settings\Frank\Desktop\look.txt

#6 jeffce

Malware Guy

Authentic Member
8,693 posts

Posted 08 May 2012 - 04:19 PM

Hi, Be sure not to include the word Code....just the information within the Code Box. Give that a whirl and when finished it should create a log on your Desktop. Post that here.

#7 portboy123

Authentic Member

Authentic Member
124 posts

Posted 08 May 2012 - 04:47 PM

i seem not able to get this to copy right onto my flash drive cannot get it to work i am copying everything inside the box and hitting save as and renaming file name to RegExp.bat and as all files the encoding is ANSI am i doing something wrong? ill put the flashdrive in the infected computer and click on it and it opens but nothing is in the look.txt

Edited by portboy123, 08 May 2012 - 04:59 PM.

#8 jeffce

Malware Guy

Authentic Member
8,693 posts

Posted 08 May 2012 - 04:56 PM

Hi,

Download the file from here named RegExp.bat. Just download it to your Desktop >> double-click to run it.

There should be a file created. Post that when you get it.

#9 portboy123

Authentic Member

Authentic Member
124 posts

Posted 08 May 2012 - 05:17 PM

Hi Jeff , i downloaded it from that site and onto my flashdrive when i ran it on the bad computer it comes up as a blank black page and the look notepad is empty? i ran it on this working computer and the look notepad had a lt of stuff.

Edited by portboy123, 08 May 2012 - 05:20 PM.

#10 jeffce

Malware Guy

Authentic Member
8,693 posts

Posted 08 May 2012 - 06:32 PM

Hi,

Let's do this...

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Next I would like you to take the following steps:

Click Start then Run type Notepad and click Ok

Copy and Paste the contents of the Code box below into Notepad

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"Description"="NetBios over Tcpip"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Linkage]
"OtherDependencies"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"Bind"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,\
  00,69,00,70,00,5f,00,7b,00,32,00,36,00,39,00,32,00,36,00,39,00,43,00,46,00,\
  2d,00,46,00,43,00,39,00,31,00,2d,00,34,00,34,00,33,00,45,00,2d,00,42,00,35,\
  00,36,00,33,00,2d,00,34,00,39,00,31,00,34,00,31,00,43,00,45,00,36,00,46,00,\
  38,00,44,00,39,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,\
  00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,34,00,43,00,46,00,33,00,33,00,\
  43,00,36,00,34,00,2d,00,39,00,33,00,30,00,35,00,2d,00,34,00,44,00,35,00,42,\
  00,2d,00,42,00,30,00,31,00,42,00,2d,00,46,00,30,00,35,00,31,00,43,00,33,00,\
  35,00,36,00,45,00,35,00,33,00,37,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,\
  00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,30,00,42,00,\
  33,00,39,00,35,00,31,00,42,00,33,00,2d,00,44,00,34,00,32,00,38,00,2d,00,34,\
  00,41,00,32,00,34,00,2d,00,42,00,30,00,35,00,34,00,2d,00,41,00,33,00,38,00,\
  31,00,39,00,45,00,35,00,37,00,44,00,38,00,32,00,38,00,7d,00,00,00,00,00
"Route"=hex(7):22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,32,\
  00,36,00,39,00,32,00,36,00,39,00,43,00,46,00,2d,00,46,00,43,00,39,00,31,00,\
  2d,00,34,00,34,00,33,00,45,00,2d,00,42,00,35,00,36,00,33,00,2d,00,34,00,39,\
  00,31,00,34,00,31,00,43,00,45,00,36,00,46,00,38,00,44,00,39,00,7d,00,22,00,\
  00,00,22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,4e,00,64,00,69,\
  00,73,00,57,00,61,00,6e,00,49,00,70,00,22,00,00,00,00,00
"Export"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,\
  00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,32,00,36,00,\
  39,00,32,00,36,00,39,00,43,00,46,00,2d,00,46,00,43,00,39,00,31,00,2d,00,34,\
  00,34,00,33,00,45,00,2d,00,42,00,35,00,36,00,33,00,2d,00,34,00,39,00,31,00,\
  34,00,31,00,43,00,45,00,36,00,46,00,38,00,44,00,39,00,7d,00,00,00,5c,00,44,\
  00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,\
  54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,34,00,43,00,46,00,33,00,33,00,43,\
  00,36,00,34,00,2d,00,39,00,33,00,30,00,35,00,2d,00,34,00,44,00,35,00,42,00,\
  2d,00,42,00,30,00,31,00,42,00,2d,00,46,00,30,00,35,00,31,00,43,00,33,00,35,\
  00,36,00,45,00,35,00,33,00,37,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,\
  63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,\
  00,70,00,5f,00,7b,00,30,00,42,00,33,00,39,00,35,00,31,00,42,00,33,00,2d,00,\
  44,00,34,00,32,00,38,00,2d,00,34,00,41,00,32,00,34,00,2d,00,42,00,30,00,35,\
  00,34,00,2d,00,41,00,33,00,38,00,31,00,39,00,45,00,35,00,37,00,44,00,38,00,\
  32,00,38,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters]
"NbProvider"="_tcp"
"NameServerPort"=dword:00000089
"CacheTimeout"=dword:000927c0
"BcastNameQueryCount"=dword:00000003
"BcastQueryTimeout"=dword:000002ee
"NameSrvQueryCount"=dword:00000003
"NameSrvQueryTimeout"=dword:000005dc
"Size/Small/Medium/Large"=dword:00000001
"SessionKeepAlive"=dword:0036ee80
"TransportBindName"="\\Device\\"
"EnableLMHOSTS"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{0B3951B3-D428-4A24-B054-A3819E57D828}]
"NameServerList"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{269269CF-FC91-443E-B563-49141CE6F8D9}]
"NameServerList"=hex(7):00,00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{4CF33C64-9305-4D5B-B01B-F051C356E537}]
"NameServerList"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Security]
"Security"=hex:01,00,14,80,e8,00,00,00,f4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,b8,00,08,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
  02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,\
  00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,14,\
  00,40,00,00,00,01,01,00,00,00,00,00,05,13,00,00,00,00,00,14,00,40,00,00,00,\
  01,01,00,00,00,00,00,05,14,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,2c,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Save as regfix.reg to your Desktop
Make sure to save file type as All Files
Now right-click regfix.reg and select Merge

Advertisements

Register to Remove

#11 portboy123

Authentic Member

Authentic Member
124 posts

Posted 08 May 2012 - 06:50 PM

hi jeff i did what you told me i think i got it right when i use the flashdrive and install it on the bad computer it comes up as g documents and settings is that ok?

Edited by portboy123, 08 May 2012 - 06:55 PM.

#12 jeffce

Malware Guy

Authentic Member
8,693 posts

Posted 08 May 2012 - 06:58 PM

So you already merged the file correct? Have you tried your internet access yet? Is it working?

#13 portboy123

Authentic Member

Authentic Member
124 posts

Posted 08 May 2012 - 07:09 PM

yes i tryed and it still isnt working

#14 jeffce

Malware Guy

Authentic Member
8,693 posts

Posted 08 May 2012 - 07:13 PM

Press the WinKey +R to open a run box > type in CMD to open a command prompt.

Right click cmd.exe and "Run as an Administrator"

Type in the following command in the command prompt and press Enter.

netsh int ip reset reset.log

Then also type the following command and hit Enter.

netsh winsock reset catalog

Once that completes then restart the system and see then if you are able to get online.

#15 portboy123

Authentic Member

Authentic Member
124 posts

Posted 08 May 2012 - 08:15 PM

i dont have an option to run as administrator when i right click it

Body Background

skin color theme