
Can't connect to microsoft.com, symantec.com etc - possible infection?

  • 10-11-2009 9:33pm
    #1
    Closed Accounts Posts: 15


    Hi people,

    Need a little help on this one - can't connect to certain sites, or ping them, on either of 2 computers. Microsoft.com, symantec.com, malwarebytes.org, so seems suspicious though no other evidence of malware.

    Have checked my hosts file and there are only references put in by spybot. I'm running ClamWin antivirus, and have run spybot, which finds no immediate threats. On the other computer, I'm running spybot and mbam, which can't update but returns "error 730 (0,0)".

    Have run the Comdian, TFC and Rooter as advised here. System is Windows XP pro on both computers.
    Have also tried flushing dns cache, and resetting the dns servers to "automatic" as I'd switched them to freedns from my isp's default. ISP is UPC.

    Thanks for any suggestions.
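The post mentions checking the hosts file as a first step. As an added example (not part of the thread), here is the check a practitioner would run on that file: it parses hosts-file text, tells apart loopback sinkholing of unrelated names (what Spybot's immunisation adds) from any mapping of a security-vendor domain, and reports the latter whatever address it points to. The sample file, the `.invalid` names and the vendor domain list are constructed for the example; the Windows XP path in the comment is the standard location. Note that in this thread the hosts file turned out to be clean and the cause was found later by MBAM, so a clean result here rules out only one mechanism.

```python
import ipaddress

# Constructed sample hosts file (not from the thread). The middle block mimics
# the kind of entries Spybot's immunisation adds: known-bad names sinkholed to
# loopback. The last two lines are the kind of entry that would explain the
# symptom in the post: a security vendor's name pointed somewhere else, whether
# to a bogus address or to loopback. On Windows XP the live file is
# %SystemRoot%\system32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.badware-sample.invalid
127.0.0.1 adserver-sample.invalid
# End of entries inserted by Spybot - Search & Destroy
10.0.0.5 www.microsoft.com
127.0.0.1 www.symantec.com
"""

# Domains from the post whose presence in a hosts file is suspicious regardless
# of the address they are mapped to: a clean hosts file has no reason to
# mention them at all.
WATCHED_DOMAINS = ("microsoft.com", "symantec.com", "malwarebytes.org")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text.

    Comments start with '#'. A mapping line is an IP address followed by one or
    more hostnames; lines whose first token is not an IP are skipped.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield line_no, str(ip), host.lower()


def _is_watched(host, watched):
    return any(host == d or host.endswith("." + d) for d in watched)


def find_watched_overrides(text, watched=WATCHED_DOMAINS):
    """Return [(line_no, hostname, ip)] for mappings of a watched domain or any
    of its subdomains. Loopback sinkholing of other names (what Spybot does)
    is left alone."""
    hits = []
    for line_no, ip, host in parse_hosts(text):
        if _is_watched(host, watched):
            hits.append((line_no, host, ip))
    return hits


def count_loopback_sinkholes(text, watched=WATCHED_DOMAINS):
    """Count mappings of non-watched names to loopback (Spybot-style entries),
    excluding 'localhost' itself; useful to tell immunisation from hijacking."""
    n = 0
    for _, ip, host in parse_hosts(text):
        if host == "localhost" or not ipaddress.ip_address(ip).is_loopback:
            continue
        if not _is_watched(host, watched):
            n += 1
    return n


if __name__ == "__main__":
    for line_no, host, ip in find_watched_overrides(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}  (vendor domain overridden)")
    print(f"{count_loopback_sinkholes(SAMPLE_HOSTS)} non-vendor names sinkholed to loopback")
```

To run it against a real file, read the file's text and pass it to `find_watched_overrides`; anything it returns deserves a look, since neither Windows nor Spybot puts vendor domains in that file.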


Comments

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    hi

    Download OTL to your Desktop
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in

      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\eventlog.dll /s /md5
      %SYSTEMDRIVE%\scecli.dll /s /md5
      %SYSTEMDRIVE%\netlogon.dll /s /md5
      %SYSTEMDRIVE%\cngaudit.dll /s /md5
      %SYSTEMDRIVE%\sceclt.dll /s /md5
      %SYSTEMDRIVE%\ntelogon.dll /s /md5
      %SYSTEMDRIVE%\logevent.dll /s /md5
      %SYSTEMDRIVE%\iaStor.sys /s /md5
      %SYSTEMDRIVE%\nvstor.sys /s /md5
      %SYSTEMDRIVE%\atapi.sys /s /md5
      %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
      %SYSTEMDRIVE%\viasraid.sys /s /md5
      %SYSTEMDRIVE%\AGP440.sys /s /md5
      %SYSTEMDRIVE%\vaxscsi.sys /s /md5


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time


  • Closed Accounts Posts: 15 a96e


    ok
    thanks asj
    will try that and report back
    ae


  • Closed Accounts Posts: 15 a96e


    Here are the files generated.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    you can post the logs rather than attach them

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
      :OTL
      O33 - MountPoints2\{40c7c194-9ebf-11de-9414-0024d2eacfe4}\Shell - "" = AutoRun
      O33 - MountPoints2\{40c7c194-9ebf-11de-9414-0024d2eacfe4}\Shell\AutoRun - "" = Auto&Play
      O33 - MountPoints2\{43686375-c1e4-11de-943b-0024d2eacfe4}\Shell - "" = AutoRun
      O33 - MountPoints2\{43686375-c1e4-11de-943b-0024d2eacfe4}\Shell\AutoRun - "" = Auto&Play
      O33 - MountPoints2\{9293244a-c6b7-11de-9448-0024d2eacfe4}\Shell - "" = AutoRun
      O33 - MountPoints2\{9293244a-c6b7-11de-9448-0024d2eacfe4}\Shell\AutoRun - "" = Auto&Play
      O33 - MountPoints2\{a97aa65a-b478-11de-9430-0024d2eacfe4}\Shell - "" = AutoRun
      O33 - MountPoints2\{a97aa65a-b478-11de-9430-0024d2eacfe4}\Shell\AutoRun - "" = Auto&Play
      O33 - MountPoints2\{e0816dc9-9e66-11de-940c-0024d2eacfe4}\Shell - "" = AutoRun
      O33 - MountPoints2\{e0816dc9-9e66-11de-940c-0024d2eacfe4}\Shell\AutoRun - "" = Auto&Play
      NetSvcs: wyjomdl - C:\WINDOWS\system32\daafg.dll ()
      [2001/03/14 04:22:21 | 00,000,080 | --S- | C] () -- C:\WINDOWS\System32\argtmp39.dll
      [2008/08/05 04:38:33 | 00,167,765 | RHS- | C] () -- C:\WINDOWS\System32\daafg.dll
      [2003/10/06 08:21:31 | 00,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\sdpsenv.dat
      @Alternate Data Stream - 160 bytes -> C:\Documents and Settings\All Users\Application Data\sdpsenv.dat:naughtypirates
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done



    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    (screenshot: RcAuto1.gif)


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    (screenshot: whatnext.png)


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


  • Closed Accounts Posts: 15 a96e


    Ok, here's the ComboFix log:

    ComboFix 09-11-11.02 - Æ 12/11/2009 4:36.1.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2940.2497 [GMT 0:00]
    Running from: c:\documents and settings\Æ\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
    .

    2009-11-10 20:57 . 2009-11-10 20:57 d-----w- c:\program files\ERUNT
    2009-11-09 22:50 . 2009-11-09 22:50 3638 ----a-r- c:\documents and settings\Æ\Application Data\Microsoft\Installer\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}\_2cd672ae.exe
    2009-11-09 22:50 . 2009-11-09 22:50 d-----w- c:\program files\Alex Feinman
    2009-11-05 23:08 . 2009-11-05 23:57 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-11-05 23:08 . 2009-11-05 23:09 d-----w- c:\program files\Spybot - Search & Destroy
    2009-10-29 13:52 . 2009-10-29 13:52 d-----w- c:\documents and settings\Æ\Application Data\.clamwin
    2009-10-29 13:52 . 2009-10-29 13:52 d-----w- c:\program files\ClamWin
    2009-10-29 13:52 . 2009-10-29 13:52 d-----w- c:\documents and settings\All Users\.clamwin
    2009-10-26 19:24 . 2009-10-26 19:32 d-----w- c:\documents and settings\Æ\Application Data\Intel
    2009-10-26 19:24 . 2009-10-26 19:32 d-----w- c:\documents and settings\All Users\Application Data\Intel
    2009-10-25 03:53 . 2009-10-25 03:53 d-----w- c:\windows\system32\LogFiles
    2009-10-13 18:16 . 2009-10-13 18:16 d-----w- c:\program files\Lame for Audacity
    2009-10-13 18:15 . 2009-10-13 18:15 d-----w- c:\program files\Audacity
    2009-10-13 18:13 . 2009-10-15 19:04 d-----w- C:\Software

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-10 20:58 . 2009-11-10 20:58 d-----w- c:\program files\Trend Micro
    2009-11-09 22:41 . 2009-09-11 10:38 d-----w- c:\program files\Opera
    2009-10-28 15:25 . 2009-10-11 20:02 1 ----a-w- c:\documents and settings\Æ\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2009-10-27 00:55 . 2009-09-23 21:00 d-----w- c:\documents and settings\Æ\Application Data\vlc
    2009-10-26 19:24 . 2008-08-05 12:13 d-----w- c:\program files\Intel
    2009-10-19 23:52 . 2009-09-21 20:56 d-----w- c:\documents and settings\Æ\Application Data\Winamp
    2009-10-13 23:34 . 2009-10-09 13:28 d-----w- c:\documents and settings\Æ\Application Data\dvdcss
    2009-10-12 00:01 . 2009-10-12 00:01 d-----w- c:\documents and settings\Æ\Application Data\Malwarebytes
    2009-10-11 23:57 . 2009-10-11 20:34 d-----w- c:\documents and settings\Æ\Application Data\Notepad++
    2009-10-11 20:34 . 2009-10-11 20:34 d-----w- c:\program files\Notepad++
    2009-10-11 20:02 . 2009-10-11 20:02 d-----w- c:\documents and settings\Æ\Application Data\OpenOffice.org
    2009-10-11 19:50 . 2009-10-11 19:50 d-----w- c:\program files\TaskSwitchXP
    2009-10-09 12:07 . 2009-10-09 12:07 d-----w- c:\documents and settings\All Users\Application Data\Storm
    2009-10-02 00:02 . 2009-10-02 00:01 d-----w- c:\program files\Exact Audio Copy
    2009-10-01 23:59 . 2009-10-01 23:59 d-----w- c:\program files\lame3.98.2
    2009-09-23 22:39 . 2009-09-21 22:43 d-----w- c:\documents and settings\Æ\Application Data\Skype
    2009-09-23 20:59 . 2009-09-23 20:59 d-----w- c:\program files\VLC
    2009-09-21 20:57 . 2009-09-21 20:56 d-----w- c:\program files\Winamp
    2009-09-21 16:38 . 2009-09-21 16:38 d-----w- c:\program files\CubicExplorer
    2009-09-18 22:12 . 2009-09-18 22:12 d-----w- c:\documents and settings\Æ\Application Data\Media Player Classic
    2009-09-13 14:06 . 2008-08-05 12:21
    d--h--w- c:\program files\InstallShield Installation Information
    2009-09-11 10:02 . 2008-08-05 04:38 218624 ----a-w- c:\windows\system32\uxtheme.dll
    2009-09-05 08:55 . 2008-08-05 11:52 87568 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-09-03 12:35 . 2008-08-05 11:46 86995 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-09-03 12:35 . 2009-09-03 12:35 315392 ----a-w- c:\windows\HideWin.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
    "TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2007-05-09 106904]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-03 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-03 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-03 141848]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
    "THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2008-05-27 360448]
    "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 143360]
    "DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 495616]
    "topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-29 417792]
    "ACU"="c:\program files\Atheros\ACU.exe" [2008-04-14 450648]
    "ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-11-03 86016]
    "TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2008-07-30 266240]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-04-07 16860672]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "Midi1"=ma_cmidn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9075:TCP"= 9075:TCP:apwzxl

    R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 11:22 AM 105856]
    R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 11:15 AM 134016]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [8/5/2008 12:23 PM 5888]
    S2 ccosm;Contrl Center of Storm Media;e:\chinese media player\stormliv.exe /asservice --> e:\chinese media player\stormliv.exe [?]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [8/5/2008 12:15 PM 110080]
    S3 NMRKUSBA;Numark USB2 WDM;c:\windows\system32\drivers\nmrkusba.sys [9/11/2009 2:13 PM 31232]
    S3 NMRKUSBU;Numark USB2 driver;c:\windows\system32\drivers\nmrkusbu.sys [9/11/2009 2:13 PM 348160]
    S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [8/5/2008 12:21 PM 154624]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MBR
    *NewlyCreated* - PROCEXP113
    *Deregistered* - mbr
    *Deregistered* - PROCEXP113
    .
    .
    Supplementary Scan
    .
    uInternet Connection Wizard,ShellNext = iexplore
    TCP: {77BECB9C-12F9-4228-8096-1ED7B5826AC3} = 193.1.100.130,208.67.222.222
    FF - ProfilePath - c:\documents and settings\Æ\Application Data\Mozilla\Firefox\Profiles\dll5r6c7.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

    ---- FIREFOX POLICIES ----
    // Whether or not the application should check at startup each time if it
    // is the default browser.
    FF - user.js: browser.shell.checkDefaultBrowser - true

    // Homepage default
    FF - user.js: browser.startup.homepage - hxxp://www.google.ie

    // First run and update pages that load
    user_pref(startup.homepage_override_url,);
    user_pref(startup.homepage_welcome_url,);

    //Don't show addon window when load
    FF - user.js: extensions.getAddons.showPane - false
    c:\program files\Mozilla Firefox\defaults\profile\user.js - user_pref("browser.startup.homepage", "http://www.google.ie");
    c:\program files\Mozilla Firefox\defaults\profile\user.js - user_pref("startup.homepage_override_url","");
    c:\program files\Mozilla Firefox\defaults\profile\user.js - user_pref("startup.homepage_welcome_url","");
    c:\program files\Mozilla Firefox\defaults\profile\user.js - user_pref("extensions.getAddons.showPane", false);.

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-12 04:39
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'explorer.exe'(1828)
    c:\windows\system32\TPwrCfg.DLL
    c:\windows\system32\TPwrReg.dll
    c:\windows\system32\TPSTrace.DLL
    .
    Completion time: 2009-11-12 4:40
    ComboFix-quarantined-files.txt 2009-11-12 04:40

    Pre-Run: 238,399,037,440 bytes free
    Post-Run: 238,367,846,400 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 57E60067C3A650C0506ED87F715B9D1A


  • Registered Users Posts: 26 patchrick


    Are you using DSL for your broadband? If so your mtu settings may be set too high. That will often result in some sites not being accessible.
    Follow the instructions in this Microsoft support article to test...
    http://support.microsoft.com/kb/283165

    Patrick


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    looks ok

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine, if not, do this yourself to ensure a complete clean




    Please download Malwarebytes' Anti-Malware from Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.






    Go to Kaspersky website and perform an online antivirus scan.
    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


  • Closed Accounts Posts: 15 a96e


      Patrick, no it's cable broadband.

      ASJ - indeed, mbam found the Conficker.H trojan which it wasn't finding before. However, when I ran it again after clicking remove and rebooting, it found the same.

      I've heard Conficker propagates through usb keys, should I scan/wipe the usb keys used around the pcs?

      Can't get onto Kaspersky on this machine, however can on the other, which is now connecting to microsoft.com etc though pings still either time out or return "destination host unreachable"

      Anyway here is the mbam logfile from the last scan.

      Malwarebytes' Anti-Malware 1.41
      Database version: 2775
      Windows 5.1.2600 Service Pack 3

      13/11/2009 15:31:01
      mbam-log-2009-11-13 (15-31-01).txt

      Scan type: Quick Scan
      Objects scanned: 95992
      Time elapsed: 3 minute(s), 7 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 1
      Files Infected: 2

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      F:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665 (Trojan.Conficker.H) -> Quarantined and deleted successfully.

      Files Infected:
      F:\autorun.inf (Trojan.Conficker.H) -> Quarantined and deleted successfully.
      F:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx (Trojan.Conficker.H) -> Quarantined and deleted successfully.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      open OTL click quick scan post that log


  • Registered Users Posts: 26 patchrick


      a96e wrote:
      Patrick, no it's cable broadband.

      I'd still go through the steps in the KB article above.

      Patrick

