Can't connect to microsoft.com, symantec.com etc - possible infection?
10-11-2009 9:33pm
Hi people,
Need a little help on this one - can't connect to certain sites, or ping them, on either of 2 computers. Microsoft.com, symantec.com, malwarebytes.org, so seems suspicious though no other evidence of malware.
Have checked my hosts file and there are only references put in by spybot. I'm running ClamWin antivirus, and have run spybot, which finds no immediate threats. On the other computer, I'm running spybot and mbam, which can't update but returns "error 730 (0,0)".
Have run the Comdian, TFC and Rooter as advised here. System is Windows XP pro on both computers.
Have also tried flushing dns cache, and resetting the dns servers to "automatic" as I'd switched them to freedns from my isp's default. ISP is UPC.
Thanks for any suggestions.
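As an added illustration of the hosts-file check the post describes (example code written for this page, not from the thread or any of the tools it mentions): a small Python audit that parses a Windows hosts file, reports Spybot-style loopback immunisation entries separately, and flags any mapping for the sites the post names (microsoft.com, symantec.com, malwarebytes.org) as well as any non-loopback redirect of an arbitrary host. The watchlist is taken from the post; the sample hosts content is constructed for the example.

```python
"""Audit a Windows hosts file for entries that could block or redirect
security-vendor sites.  Added example, not from the thread; the sample
hosts content below is constructed, not a capture from the poster's PC."""
import ipaddress

# Sites the post could not reach.  A legitimate hosts file has no reason to
# pin any of these, so any entry for them is reported as suspicious.
WATCHLIST = ("microsoft.com", "symantec.com", "malwarebytes.org")
# Spybot-style immunisation entries point known-bad hosts at loopback; those
# are expected and are reported separately, not as suspicious.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.

    Comments (#...) and blank lines are skipped; one line may map several
    hostnames to a single address."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first token is not an address: not a mapping line
        for name in names:
            yield ip, name.lower(), line_no


def on_watchlist(hostname):
    """True if hostname is a watchlisted domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text):
    """Return {'suspicious': [...], 'immunised': [...]} for a hosts file body."""
    report = {"suspicious": [], "immunised": []}
    for ip, name, line_no in parse_hosts(text):
        if name == "localhost" and ip in LOOPBACK:
            continue  # the one mapping every hosts file legitimately carries
        entry = {"line": line_no, "ip": ip, "host": name}
        if on_watchlist(name):
            # Pinning a vendor site, to loopback or anywhere else, breaks
            # updates or redirects the user: suspicious either way.
            report["suspicious"].append(entry)
        elif ip in LOOPBACK:
            report["immunised"].append(entry)
        else:
            # Non-loopback pin of an arbitrary host: a possible redirect.
            report["suspicious"].append(entry)
    return report


# Constructed sample: a default header, one Spybot-style immunisation line,
# and two entries of the kind that would explain the post's symptoms.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.some-adserver.example   # immunisation line, expected
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.microsoft.com update.microsoft.com
10.0.0.5  liveupdate.symantec.com
"""

if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        for e in entries:
            print(f"{kind:10} line {e['line']:3}: {e['ip']} {e['host']}")
```

On a live XP machine the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; a clean result from this check does not rule out blocking done elsewhere (DNS, a driver or a hooked network API), it only clears the hosts file itself.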
Comments
-
hi
Download OTL to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
- Under the Custom Scan box paste this in
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time
-
ok
thanks asj
will try that and report back
ae
-
Here are the files generated.
-
you can post the logs rather than attach them
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O33 - MountPoints2\{40c7c194-9ebf-11de-9414-0024d2eacfe4}\Shell - "" = AutoRun
O33 - MountPoints2\{40c7c194-9ebf-11de-9414-0024d2eacfe4}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{43686375-c1e4-11de-943b-0024d2eacfe4}\Shell - "" = AutoRun
O33 - MountPoints2\{43686375-c1e4-11de-943b-0024d2eacfe4}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9293244a-c6b7-11de-9448-0024d2eacfe4}\Shell - "" = AutoRun
O33 - MountPoints2\{9293244a-c6b7-11de-9448-0024d2eacfe4}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a97aa65a-b478-11de-9430-0024d2eacfe4}\Shell - "" = AutoRun
O33 - MountPoints2\{a97aa65a-b478-11de-9430-0024d2eacfe4}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e0816dc9-9e66-11de-940c-0024d2eacfe4}\Shell - "" = AutoRun
O33 - MountPoints2\{e0816dc9-9e66-11de-940c-0024d2eacfe4}\Shell\AutoRun - "" = Auto&Play
NetSvcs: wyjomdl - C:\WINDOWS\system32\daafg.dll ()
[2001/03/14 04:22:21 | 00,000,080 | --S- | C] () -- C:\WINDOWS\System32\argtmp39.dll
[2008/08/05 04:38:33 | 00,167,765 | RHS- | C] () -- C:\WINDOWS\System32\daafg.dll
[2003/10/06 08:21:31 | 00,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\sdpsenv.dat
@Alternate Data Stream - 160 bytes -> C:\Documents and Settings\All Users\Application Data\sdpsenv.dat:naughtypirates
:Services
:Reg
:Files
:Commands
[purity]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
-
Ok, here's the ComboFix log:
ComboFix 09-11-11.02 - Æ 12/11/2009 4:36.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2940.2497 [GMT 0:00]
Running from: c:\documents and settings\Æ\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.
2009-11-10 20:57 . 2009-11-10 20:57 d-----w- c:\program files\ERUNT
2009-11-09 22:50 . 2009-11-09 22:50 3638 ----a-r- c:\documents and settings\Æ\Application Data\Microsoft\Installer\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}\_2cd672ae.exe
2009-11-09 22:50 . 2009-11-09 22:50 d-----w- c:\program files\Alex Feinman
2009-11-05 23:08 . 2009-11-05 23:57 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-05 23:08 . 2009-11-05 23:09 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-29 13:52 . 2009-10-29 13:52 d-----w- c:\documents and settings\Æ\Application Data\.clamwin
2009-10-29 13:52 . 2009-10-29 13:52 d-----w- c:\program files\ClamWin
2009-10-29 13:52 . 2009-10-29 13:52 d-----w- c:\documents and settings\All Users\.clamwin
2009-10-26 19:24 . 2009-10-26 19:32 d-----w- c:\documents and settings\Æ\Application Data\Intel
2009-10-26 19:24 . 2009-10-26 19:32 d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-10-25 03:53 . 2009-10-25 03:53 d-----w- c:\windows\system32\LogFiles
2009-10-13 18:16 . 2009-10-13 18:16 d-----w- c:\program files\Lame for Audacity
2009-10-13 18:15 . 2009-10-13 18:15 d-----w- c:\program files\Audacity
2009-10-13 18:13 . 2009-10-15 19:04 d-----w- C:\Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 20:58 . 2009-11-10 20:58 d-----w- c:\program files\Trend Micro
2009-11-09 22:41 . 2009-09-11 10:38 d-----w- c:\program files\Opera
2009-10-28 15:25 . 2009-10-11 20:02 1 ----a-w- c:\documents and settings\Æ\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-27 00:55 . 2009-09-23 21:00 d-----w- c:\documents and settings\Æ\Application Data\vlc
2009-10-26 19:24 . 2008-08-05 12:13 d-----w- c:\program files\Intel
2009-10-19 23:52 . 2009-09-21 20:56 d-----w- c:\documents and settings\Æ\Application Data\Winamp
2009-10-13 23:34 . 2009-10-09 13:28 d-----w- c:\documents and settings\Æ\Application Data\dvdcss
2009-10-12 00:01 . 2009-10-12 00:01 d-----w- c:\documents and settings\Æ\Application Data\Malwarebytes
2009-10-11 23:57 . 2009-10-11 20:34 d-----w- c:\documents and settings\Æ\Application Data\Notepad++
2009-10-11 20:34 . 2009-10-11 20:34 d-----w- c:\program files\Notepad++
2009-10-11 20:02 . 2009-10-11 20:02 d-----w- c:\documents and settings\Æ\Application Data\OpenOffice.org
2009-10-11 19:50 . 2009-10-11 19:50 d-----w- c:\program files\TaskSwitchXP
2009-10-09 12:07 . 2009-10-09 12:07 d-----w- c:\documents and settings\All Users\Application Data\Storm
2009-10-02 00:02 . 2009-10-02 00:01 d-----w- c:\program files\Exact Audio Copy
2009-10-01 23:59 . 2009-10-01 23:59 d-----w- c:\program files\lame3.98.2
2009-09-23 22:39 . 2009-09-21 22:43 d-----w- c:\documents and settings\Æ\Application Data\Skype
2009-09-23 20:59 . 2009-09-23 20:59 d-----w- c:\program files\VLC
2009-09-21 20:57 . 2009-09-21 20:56 d-----w- c:\program files\Winamp
2009-09-21 16:38 . 2009-09-21 16:38 d-----w- c:\program files\CubicExplorer
2009-09-18 22:12 . 2009-09-18 22:12 d-----w- c:\documents and settings\Æ\Application Data\Media Player Classic
2009-09-13 14:06 . 2008-08-05 12:21
d--h--w- c:\program files\InstallShield Installation Information
2009-09-11 10:02 . 2008-08-05 04:38 218624 ----a-w- c:\windows\system32\uxtheme.dll
2009-09-05 08:55 . 2008-08-05 11:52 87568 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-03 12:35 . 2008-08-05 11:46 86995 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-09-03 12:35 . 2009-09-03 12:35 315392 ----a-w- c:\windows\HideWin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2007-05-09 106904]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-03 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-03 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-03 141848]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2008-05-27 360448]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 143360]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 495616]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-29 417792]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-04-14 450648]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-11-03 86016]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2008-07-30 266240]
"NDSTray.exe"="NDSTray.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-04-07 16860672]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"=ma_cmidn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9075:TCP"= 9075:TCP:apwzxl
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 11:22 AM 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 11:15 AM 134016]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [8/5/2008 12:23 PM 5888]
S2 ccosm;Contrl Center of Storm Media;e:\chinese media player\stormliv.exe /asservice --> e:\chinese media player\stormliv.exe [?]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [8/5/2008 12:15 PM 110080]
S3 NMRKUSBA;Numark USB2 WDM;c:\windows\system32\drivers\nmrkusba.sys [9/11/2009 2:13 PM 31232]
S3 NMRKUSBU;Numark USB2 driver;c:\windows\system32\drivers\nmrkusbu.sys [9/11/2009 2:13 PM 348160]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [8/5/2008 12:21 PM 154624]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
Supplementary Scan
.
uInternet Connection Wizard,ShellNext = iexplore
TCP: {77BECB9C-12F9-4228-8096-1ED7B5826AC3} = 193.1.100.130,208.67.222.222
FF - ProfilePath - c:\documents and settings\Æ\Application Data\Mozilla\Firefox\Profiles\dll5r6c7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
---- FIREFOX POLICIES ----
// Whether or not the application should check at startup each time if it
// is the default browser.
FF - user.js: browser.shell.checkDefaultBrowser - true
// Homepage default
FF - user.js: browser.startup.homepage - hxxp://www.google.ie
// First run and update pages that load
user_pref(startup.homepage_override_url,);
user_pref(startup.homepage_welcome_url,);
//Don't show addon window when load
FF - user.js: extensions.getAddons.showPane - false
c:\program files\Mozilla Firefox\defaults\profile\user.js - user_pref("browser.startup.homepage", "http://www.google.ie");
c:\program files\Mozilla Firefox\defaults\profile\user.js - user_pref("startup.homepage_override_url","");
c:\program files\Mozilla Firefox\defaults\profile\user.js - user_pref("startup.homepage_welcome_url","");
c:\program files\Mozilla Firefox\defaults\profile\user.js - user_pref("extensions.getAddons.showPane", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 04:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(1828)
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2009-11-12 4:40
ComboFix-quarantined-files.txt 2009-11-12 04:40
Pre-Run: 238,399,037,440 bytes free
Post-Run: 238,367,846,400 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 57E60067C3A650C0506ED87F715B9D1A
-
Are you using DSL for your broadband? If so your mtu settings may be set too high. That will often result in some sites not being accessible.
Follow the instructions in this Microsoft support article to test...
http://support.microsoft.com/kb/283165
Patrick
-
looks ok
Download TFC to your desktop
- Open the file and close any other windows.
- It will close all programs itself when run, make sure to let it run uninterrupted.
- Click the Start button to begin the process. The program should not take long to finish its job.
- Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.
Please download Malwarebytes' Anti-Malware from Here
Double click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Go to the Kaspersky website and perform an online antivirus scan.
- Read through the requirements and privacy statement and click on the Accept button.
- It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Archives
Mail databases
- Once the scan is complete, it will display the results. Click on View Scan Report.
- You will see a list of infected items there. Click on Save Report As....
- Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
-
Patrick, no it's cable broadband.
ASJ - indeed, mbam found the Conficker.H trojan which it wasn't finding before. However when I ran it again after clicking remove and reboot and then running mbam again it found the same.
I've heard Conficker propagates through usb keys, should I scan/wipe the usb keys used around the pcs?
Can't get onto Kaspersky on this machine, however can on the other, which is now connecting to microsoft.com etc though pings still either timeout or return "destination host unreachable"
Anyway here is the mbam logfile from the last scan.
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3
13/11/2009 15:31:01
mbam-log-2009-11-13 (15-31-01).txt
Scan type: Quick Scan
Objects scanned: 95992
Time elapsed: 3 minute(s), 7 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
F:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665 (Trojan.Conficker.H) -> Quarantined and deleted successfully.
Files Infected:
F:\autorun.inf (Trojan.Conficker.H) -> Quarantined and deleted successfully.
F:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx (Trojan.Conficker.H) -> Quarantined and deleted successfully.
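The question about the USB keys, with an added example (written for this page; not from the thread, MBAM, OTL or ComboFix): a Python triage script that checks the root of a removable drive for the two artefacts the MBAM log reports, an autorun.inf whose execute directive points at a file under RECYCLER, and a RECYCLER sub-folder whose name is shaped like a SID but does not start with S-1- as real Windows SIDs do (that prefix test is the script's own heuristic, not something the thread states). The sample tree, built with tempfile, mirrors the paths in the log above and is constructed, not a captured drive image; the script reports and deletes nothing.

```python
"""Triage the root of a removable drive for autorun.inf / RECYCLER artefacts.

Added example, not from the thread or from MBAM/OTL/ComboFix.  Assumes the
drive root is reachable as a directory; the sample tree is constructed with
tempfile and mirrors the paths MBAM reported.  Reports only, deletes nothing.
"""
import os
import re
import tempfile

# [autorun] keys that make Explorer execute something when the drive is opened.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# Heuristic (assumption, not from the thread): Windows SIDs begin with S-1-,
# so a SID-shaped RECYCLER folder with another prefix was not made by the OS.
SID_SHAPED = re.compile(r"^S-\d+-\d+-\d+(-\d+)+$", re.IGNORECASE)
REAL_SID_PREFIX = "S-1-"


def parse_autorun(text):
    """Return {key: target} for the execute-type directives in an autorun.inf.

    Only the [autorun] section counts.  Lines without '=' are skipped, which
    also discards the junk padding some droppers put around the real keys.
    """
    actions = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in EXEC_KEYS or SHELL_CMD.match(key):
            actions[key.lower()] = value
    return actions


def triage_drive(root):
    """Return a list of (severity, finding) tuples for a drive root directory."""
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        with open(autorun, "r", errors="replace") as fh:
            actions = parse_autorun(fh.read())
        for key, target in sorted(actions.items()):
            findings.append(("high", f"autorun.inf {key} -> {target}"))
        if not actions:
            findings.append(("medium", "autorun.inf present but no execute directive parsed"))
    recycler = os.path.join(root, "RECYCLER")
    if os.path.isdir(recycler):
        for name in sorted(os.listdir(recycler)):
            sub = os.path.join(recycler, name)
            if not os.path.isdir(sub):
                continue
            files = sorted(os.listdir(sub))
            bogus = bool(SID_SHAPED.match(name)) and not name.upper().startswith(REAL_SID_PREFIX)
            reason = "folder name is not a real SID" if bogus else "recycle bin on removable media"
            findings.append(("high" if bogus else "medium", f"RECYCLER\\{name} ({reason}): {files}"))
    return findings


def build_sample_drive():
    """Construct a sample drive root shaped like the MBAM findings (constructed data)."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    sid = "S-5-3-42-2819952290-8240758988-879315005-3665"
    payload_dir = os.path.join(root, "RECYCLER", sid)
    os.makedirs(payload_dir)
    with open(os.path.join(payload_dir, "jwgkvsq.vmx"), "wb") as fh:
        fh.write(b"placeholder bytes, not a real binary")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n;constructed sample\nAction=Open folder to view files\n"
                 "shellexecute=RECYCLER\\" + sid + "\\jwgkvsq.vmx\n"
                 "\n[other]\nopen=ignored.exe\n")
    return root


if __name__ == "__main__":
    for severity, finding in triage_drive(build_sample_drive()):
        print(f"[{severity}] {finding}")
```

Run it against each key's drive letter (the thread's finding was on F:) before the key is plugged into a cleaned machine again; a folder that legitimately belongs to a recycle bin on a fixed NTFS drive is reported at medium severity rather than high, so the output needs a human decision, not an automatic wipe.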
-
Open OTL, click Quick Scan and post that log.