[Closed] Trojandownloader:Win32/Renos.IO - Help?...On Vista


This topic is locked. 6 replies to this topic.

#1 NeedHelpFast
New Member, 3 posts

Posted 20 July 2009 - 09:51 PM

Hello, my Windows Defender is saying that I am infected with trojandownloader:win32/renos.io on Windows Vista. I tried to remove it but it is popping up again. Since then my Internet Explorer and Firefox are both working in a weird manner. I don't know where to start and how to get the logs. Can someone please help me with a step by step process? Thanks!



#2 CatByte
Classroom Administrator, MVP, 21,060 posts

Posted 21 July 2009 - 10:42 AM

Hi and Welcome,

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted.
  • Please DO NOT run any scans or fix items without my direction.



Please do the following:

STEP #1

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


STEP #2


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 NeedHelpFast
New Member, 3 posts

Posted 21 July 2009 - 11:54 AM

DDS (Ver_09-06-26.01) - NTFSx86
Run by Tom at 13:43:14.87 on Tue 07/21/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2039.965 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton AntiVirus *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLCapSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\lxdjserv.exe
C:\Windows\system32\lxdjcoms.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Lenovo\ShuttleCenter\Kernel\TV\CLSched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Lenovo\EnergyCut\utilty.exe
C:\Program Files\Lenovo\EnergyCut\EnergyCut.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lenovo\ShuttleCenter\PCMService.exe
C:\Program Files\Lenovo\VeriFace\PManage.exe
C:\Program Files\Lexmark 1400 Series\lxdjamon.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Tom\Desktop\dds(2).pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.jzip.com
mDefault_Page_URL = hxxp://www.lenovo.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Philadelphia Phillies Toolbar: {f722f063-925c-43d2-8308-584cfc1297fe} - c:\program files\philadelphia_phillies\tbPhil.dll
mURLSearchHooks: Philadelphia Phillies Toolbar: {f722f063-925c-43d2-8308-584cfc1297fe} - c:\program files\philadelphia_phillies\tbPhil.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Smart-Shopper: {4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Philadelphia Phillies Toolbar: {f722f063-925c-43d2-8308-584cfc1297fe} - c:\program files\philadelphia_phillies\tbPhil.dll
TB: Philadelphia Phillies Toolbar: {f722f063-925c-43d2-8308-584cfc1297fe} - c:\program files\philadelphia_phillies\tbPhil.dll
EB: SmartShopper: {8bcb5337-ec01-4e38-840c-a964f174255b} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [AdobeBridge]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Unattend0000000001{CE1C30CE-8390-4E54-A1C0-A091EBC35790}] c:\windows\test.bat
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [EnergyUtility] c:\program files\lenovo\energycut\utilty.exe
mRun: [EnergyCut] c:\program files\lenovo\energycut\EnergyCut.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [PCMService] "c:\program files\lenovo\shuttlecenter\PCMService.exe"
mRun: [VeriFacePassManager] c:\program files\lenovo\veriface\PManage.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [lxdjmon.exe] "c:\program files\lexmark 1400 series\lxdjmon.exe"
mRun: [lxdjamon] "c:\program files\lexmark 1400 series\lxdjamon.exe"
mRun: [Skytel] Skytel.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Performance Center] c:\program files\ascentive\performance center\APCMain.exe -m
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - c:\program files\lenovo\veriface\OpenWnd.exe
IE: {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - {6FAC4823-815E-4361-836E-46D65ED2550B} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll
IE: {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - {4CF088BD-BE95-40a5-BE9B-677F8683EDEA} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: NameServer = 85.255.112.181,85.255.112.81
TCP: {A42E227A-D97F-47BE-B97C-1E363B63C567} = 85.255.112.181,85.255.112.81
TCP: {F9BBA57F-9DFA-4A99-A698-660E7CB0AD76} = 85.255.112.181,85.255.112.81
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\tom\appdata\roaming\mozilla\firefox\profiles\uxe9ms1r.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\tom\appdata\roaming\mozilla\firefox\profiles\uxe9ms1r.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\users\tom\appdata\roaming\mozilla\firefox\profiles\uxe9ms1r.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ids-di~1\20081210.002\IDSvix86.sys [2008-12-10 270384]
R2 lxdjCATSCustConnectService;lxdjCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdjserv.exe [2007-6-11 99248]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-5 24652]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2008-3-21 11776]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-7-22 180736]
R3 CapFilt;CapFilt;c:\windows\system32\drivers\CapFilt.sys [2008-3-21 18048]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-4 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2007-1-9 38200]

=============== Created Last 30 ================

2009-07-15 09:35 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-15 09:35 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-15 09:35 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-15 09:35 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-11 22:16 <DIR> --d----- c:\programdata\TVU Networks
2009-07-11 22:16 <DIR> --d----- c:\progra~2\TVU Networks
2009-06-26 12:50 <DIR> --d----- c:\programdata\Google
2009-06-25 15:01 <DIR> --d----- c:\users\tom\appdata\roaming\OpenOffice.org
2009-06-25 14:52 <DIR> --d----- c:\program files\OpenOffice.org 3

==================== Find3M ====================

2009-06-25 14:51 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-10 22:12 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-10 22:12 86,016 a------- c:\windows\inf\infstor.dat
2009-06-10 22:12 51,200 a------- c:\windows\inf\infpub.dat
2009-04-30 08:37 293,376 a------- c:\windows\system32\psisdecd.dll
2009-04-30 08:37 428,544 a------- c:\windows\system32\EncDec.dll
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 08:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:42 636,928 a------- c:\windows\system32\localspl.dll
2008-11-09 20:09 22,328 a------- c:\users\tom\appdata\roaming\PnkBstrK.sys
2008-10-31 20:04 174 a--sh--- c:\program files\desktop.ini
2008-10-31 19:48 665,600 a------- c:\windows\inf\drvindex.dat
2008-09-15 19:44 2,788,800 a------- c:\program files\FLV PlayerFCSetup.exe
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:45:10.78 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 3/21/2008 12:08:54 AM
System Uptime: 7/21/2009 1:38:04 PM (0 hours ago)

Motherboard: LENOVO | | SPEEDY
Processor: Intel® Pentium® Dual CPU T2370 @ 1.73GHz | Socket 478 | 800/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 29 GiB total, 3.5 GiB free.
D: is FIXED (NTFS) - 105 GiB total, 104.929 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0040
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #3
PNP Device ID: ROOT\*ISATAP\0040
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0042
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #4
PNP Device ID: ROOT\*ISATAP\0042
Service: tunnel

==== System Restore Points ===================

RP383: 7/20/2009 11:46:49 PM - Windows Defender Checkpoint

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office system
Acrobat.com
Adobe AIR
Adobe ConnectNow Add-in
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader 9
Adobe Shockwave Player
AIM 6
AppCore
Apple Mobile Device Support
Apple Software Update
Applian FLV Player
ATK Hotkey
AV
Bonjour
Broadcom Gigabit Integrated Controller
Business Contact Manager for Outlook 2007
ccCommon
DHTML Editing Component
Download Updater (AOL LLC)
EasyCapture
eMusic Download Manager 4.1.1
EnergyCut
ESPN Java Check
Google Updater
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless Software
Internet Worm Protection
iTunes
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 13
Lenovo Easy Camera
lenovo scrnsave
Lexmark 1400 Series
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
mCore
mDriver
mHelp
Microsoft Application Error Reporting
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
mMHouse
Motorola SM56 Speakerphone Modem
Mozilla Firefox (3.0.11)
mPfMgr
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Norton AntiVirus
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
Power2Go 5.0
QuickTime
Realtek High Definition Audio Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Shuttle Center II
SmartShopper
SPBBC 32bit
Symantec
Symantec Real Time Storage Protection Component
SymNet
Synaptics Pointing Device Driver
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb971933)
VeriFace
Viewpoint Media Player
Windows Media Player Firefox Plugin
WinFlash

==== Event Viewer Messages From Past Week ========

7/19/2009 2:00:58 AM, Error: EventLog [6008] - The previous system shutdown at 1:49:47 AM on 7/19/2009 was unexpected.
7/19/2009 12:10:21 AM, Error: Service Control Manager [7000] - The AVG Free On-access Scanner Minifilter Driver x86 service failed to start due to the following error: The system cannot find message text for message number 0xAVG Free On-access Scanner Minifilter Driver x86 in the message file for The system cannot find message text for message number 0x%1 in the message file for %2..
7/19/2009 1:30:35 AM, Error: Service Control Manager [7023] - The Secure Socket Tunneling Protocol Service service terminated with the following error: The RPC server is unavailable.
7/19/2009 1:30:35 AM, Error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error: The RPC server is unavailable.
7/19/2009 1:16:23 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC eeCtrl NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb SPBBCDrv spldr SRTSP SRTSPX SYMTDI tdx Wanarpv6
7/19/2009 1:16:23 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/19/2009 1:16:23 AM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
7/19/2009 1:16:23 AM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
7/19/2009 1:16:23 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/19/2009 1:16:23 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
7/19/2009 1:16:23 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/19/2009 1:16:23 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/19/2009 1:16:23 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
7/19/2009 1:16:23 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/19/2009 1:16:23 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
7/19/2009 1:16:23 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/19/2009 1:16:23 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/19/2009 1:16:23 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/19/2009 1:16:23 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
7/19/2009 1:16:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
7/19/2009 1:15:42 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/19/2009 1:15:07 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
7/19/2009 1:15:07 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
7/19/2009 1:15:07 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
7/19/2009 1:15:05 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/19/2009 1:14:58 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
7/19/2009 1:14:51 AM, Error: EventLog [6008] - The previous system shutdown at 1:13:44 AM on 7/19/2009 was unexpected.
7/18/2009 11:01:55 PM, Error: EventLog [6008] - The previous system shutdown at 11:00:26 PM on 7/18/2009 was unexpected.
7/18/2009 10:59:56 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Appinfo service.
7/18/2009 10:46:21 PM, Error: EventLog [6008] - The previous system shutdown at 10:45:13 PM on 7/18/2009 was unexpected.
7/18/2009 1:22:19 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.103 for the Network Card with network address 001CBFAD4B0C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
7/17/2009 3:12:27 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001CBFAD4B0C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
7/17/2009 2:00:19 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 001CBFAD4B0C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
7/14/2009 4:44:07 PM, Error: Service Control Manager [7000] - The adfs service failed to start due to the following error: The system cannot find the file specified.
7/14/2009 4:43:51 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.105 for the Network Card with network address 001CBFAD4B0C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
7/14/2009 3:24:19 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

==== End Of File ===========================

Those are the DDS and Attach... I did the Rootkit scan as instructed, but it said that it didn't find any system modification, and I haven't been notified of any Trojan in a little while, but I highly doubt that it just went away. What should I do now?
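As an added example that is not part of the thread, of CatByte's instructions or of the DDS tool: a short Python triage pass over lines in the DDS "Pseudo HJT Report" format, run on constructed sample lines modelled on the log posted above. It flags the three kinds of entry a helper reads first in a log like this one: TCP NameServer values hard-coded to public addresses (the event-log section shows the LAN hands out leases from 192.168.1.1, so a resolver set to something else deserves a second look), a BHO whose DLL is missing, and Run entries that launch a script such as c:\windows\test.bat. The regexes, severity labels and function names are this example's own assumptions; it only reads text and changes nothing on the machine.

```python
"""Triage heuristics for the DDS "Pseudo HJT Report" format.

Added example, not code from the What the Tech thread or from the DDS tool.
The rules below are this example's own assumptions about what a helper looks
at first; they read a log and change nothing on the machine.
"""
import ipaddress
import re

# Constructed sample modelled on entries in the thread's DDS log.
SAMPLE_LOG = """\
uStart Page = hxxp://home.jzip.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
mRun: [Windows Defender] %ProgramFiles%\\Windows Defender\\MSASCui.exe -hide
mRun: [Unattend0000000001{CE1C30CE-8390-4E54-A1C0-A091EBC35790}] c:\\windows\\test.bat
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ccApp] "c:\\program files\\common files\\symantec shared\\ccApp.exe"
TCP: NameServer = 85.255.112.181,85.255.112.81
TCP: {A42E227A-D97F-47BE-B97C-1E363B63C567} = 85.255.112.181,85.255.112.81
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
"""

RUN_RE = re.compile(r'^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
TCP_RE = re.compile(r'^TCP:\s*(?:NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(?P<servers>.*)$')
BHO_RE = re.compile(r'^BHO:\s*(?P<rest>.*)$')
# First executable on a Run command line; a surrounding quote pair, if any, is skipped.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|bat|cmd|vbs|js|wsf|pif|scr|dll))"?(?:\s|$)', re.I)
SCRIPT_EXT = ('.bat', '.cmd', '.vbs', '.js', '.wsf')


def dns_is_public(server):
    """True if the resolver address is routable, i.e. not a LAN, loopback or link-local address."""
    try:
        ip = ipaddress.ip_address(server.strip())
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage_line(line):
    """Return (severity, reason) for one log line, or None if nothing stands out."""
    line = line.strip()
    m = TCP_RE.match(line)
    if m:
        public = [s.strip() for s in m.group('servers').split(',') if dns_is_public(s)]
        if public:
            # A home PC normally takes its resolver from DHCP (192.168.1.1 in the
            # thread's event log); a hard-coded public resolver deserves a check.
            return ('high', 'hard-coded public DNS resolver(s) ' + ', '.join(public))
        return None
    m = BHO_RE.match(line)
    if m and m.group('rest').endswith('No File'):
        return ('low', 'BHO registered but its DLL is missing (orphan entry)')
    m = RUN_RE.match(line)
    if m:
        exe = EXE_RE.match(m.group('cmd'))
        if exe is None:
            return None
        path = exe.group('path').lower()
        if path.endswith(SCRIPT_EXT):
            return ('high', 'autorun entry [%s] launches a script: %s' % (m.group('name'), path))
        if '\\' not in path and '%' not in path:
            # No directory at all: which file runs depends on the PATH search order.
            return ('info', 'autorun entry [%s] names a bare file (%s), resolved via PATH' % (m.group('name'), path))
    return None


def triage(text):
    """Run triage_line over every line; returns [(severity, line, reason), ...]."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], line.strip(), hit[1]))
    return findings


if __name__ == '__main__':
    for severity, line, reason in triage(SAMPLE_LOG):
        print('%-4s %s\n     %s' % (severity.upper(), line, reason))
```

On the sample above the script reports three high findings (the two TCP resolver lines and the test.bat autorun), one low (the orphaned BHO) and one informational note (the bare RtHDVCpl.exe); the vendor entries with full paths produce nothing. The private/public split comes from Python's ipaddress module, so 192.168.x.x resolvers handed out by a home router are never flagged.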

#4 CatByte
Classroom Administrator, MVP, 21,060 posts

Posted 21 July 2009 - 12:03 PM

Hi,

Please do the following:

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2



**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.



#5 NeedHelpFast
New Member, 3 posts

Posted 21 July 2009 - 02:02 PM

My computer isn't allowing me to use that program for some reason; it keeps saying there's a problem that caused it to not work.

#6 CatByte
Classroom Administrator, MVP, 21,060 posts

Posted 21 July 2009 - 02:04 PM

Hi,

Delete the copy you have from your desktop, then download this copy, making sure it is renamed as instructed. Be certain your security programs are disabled before continuing.



Download Combofix from either of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


Link 1
Link 2



During the download, rename Combofix to Combo-Fix as follows:
--------------------------------------------------------------------
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.


-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" for further review.
    **Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**


    -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------




#7 CatByte
Classroom Administrator, MVP, 21,060 posts

Posted 27 July 2009 - 08:45 PM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.
