
RE GreyKnight Pre .. VirusRemover 2008 problem [Solved]


This topic is locked

#136
dowsp (Topic Starter, Member, 542 posts)
Hi Fenz


I posted the DDS files to you.. I hope it's ok..

thk you

dowsp
  • 0

#137
fenzodahl512 (Malware Removal, 9,863 posts)
I don't find anything nasty in your DDS log.. So, let's do a rootkit scan just to rule out a rootkit on the computer...


Delete GMER from your computer if you have it.. And do the below..

Please download GMER and unzip it to your Desktop. <<mirror>>
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has finished, click Copy and paste the results into Notepad >> save it and attach it in this thread.

IMPORTANT: Do NOT run any program while you are doing this scan, as it may interfere with the output result.
  • 0

#138
dowsp (Topic Starter, Member, 542 posts)
Hi Fenz,

I ran the scan, but the Notepad copy does not seem to show much information.

Hope that it's ok..

One thing that I have noticed...

As much as Avira has been inactive, or the fact that I cannot open it to run a scan..
I was getting a popup saying that it had not been updated for so many days.

When I clicked on the popup to see if it would update... it would NOT..

The last 2 days for some reason, when the popup opens and I click to try and update things..
it does give a message saying it has been updated...

SO something has changed... but unfortunately I am still unable to open it to run a scan.

Here's the GMER Notepad details.

---------------------------------------------


GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-22 03:22:58
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT F8BAA506 ZwCreateKey
SSDT F8BAA4FC ZwCreateThread
SSDT F8BAA50B ZwDeleteKey
SSDT F8BAA515 ZwDeleteValueKey
SSDT F8BAA51A ZwLoadKey
SSDT F8BAA4E8 ZwOpenProcess
SSDT F8BAA4ED ZwOpenThread
SSDT F8BAA524 ZwReplaceKey
SSDT F8BAA51F ZwRestoreKey
SSDT F8BAA510 ZwSetValueKey
SSDT F8BAA4F7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 234 804E2890 4 Bytes CALL 4246E339

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat EE0A5C8A

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----
  • 0
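For a defender reading a GMER "System" section like the one above, here is an added triage script (my own example, not part of the thread and not part of GMER) that parses the `SSDT <address> <ZwFunction>` lines, checks whether every hook handler sits in one tight address range (one owning driver) and compares the hooked syscalls against an assumed list of functions that antivirus self-protection drivers commonly intercept. The sample log is constructed from a subset of the lines posted above.

```python
import re
from collections import namedtuple

# Constructed sample in GMER 1.0.15 text format; SSDT lines are ones posted in the thread
SAMPLE_GMER_LOG = """\
---- System - GMER 1.0.15 ----
SSDT F8BAA506 ZwCreateKey
SSDT F8BAA4FC ZwCreateThread
SSDT F8BAA50B ZwDeleteKey
SSDT F8BAA4E8 ZwOpenProcess
SSDT F8BAA4ED ZwOpenThread
SSDT F8BAA510 ZwSetValueKey
SSDT F8BAA4F7 ZwTerminateProcess
---- EOF - GMER 1.0.15 ----
"""

SsdtHook = namedtuple("SsdtHook", "address function")
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(Zw\w+)$")

def parse_ssdt_hooks(log_text):
    """Return each 'SSDT <addr> <ZwFunction>' line as an (address, function) record."""
    hooks = []
    for line in log_text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append(SsdtHook(int(m.group(1), 16), m.group(2)))
    return hooks

def cluster_hooks(hooks, max_gap=0x1000):
    """Group hooks whose handler addresses lie within max_gap bytes of the previous one.
    One tight cluster means a single driver owns every hook; several mean more than one patcher."""
    clusters = []
    for h in sorted(hooks, key=lambda h: h.address):
        if clusters and h.address - clusters[-1][-1].address <= max_gap:
            clusters[-1].append(h)
        else:
            clusters.append([h])
    return clusters

# Syscalls an antivirus self-protection driver typically intercepts (assumed list); a rootkit
# hooks the same ones, so the overlap is only a triage hint and the owning module decides.
SELF_PROTECT_FUNCS = {"ZwOpenProcess", "ZwOpenThread", "ZwTerminateProcess",
                      "ZwCreateThread", "ZwCreateKey", "ZwSetValueKey", "ZwDeleteKey"}

def triage(log_text):
    hooks = parse_ssdt_hooks(log_text)
    return {"hooked": [h.function for h in hooks],
            "clusters": len(cluster_hooks(hooks)),
            "self_protect_overlap": sorted(SELF_PROTECT_FUNCS & {h.function for h in hooks})}
```

On the full log posted above all eleven handlers lie within 0x40 bytes of each other, so GMER is seeing one driver; which driver it is can only be settled by mapping that address range to a loaded kernel module, which the SSDT list alone does not tell you.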

#139
fenzodahl512 (Malware Removal, 9,863 posts)
From the logs, I think it's more of a computer issue rather than malware at this point.. See the DDS attach.txt

==== Event Viewer Messages From Past Week ========

13/03/2009 22:28:18, error: Service Control Manager [7000] - The KService service failed to start due to the following error: The system cannot find the path specified.
13/03/2009 22:28:18, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ICF service to connect.
13/03/2009 22:28:18, error: Service Control Manager [7000] - The General Purpose USB Driver (adildr.sys) service failed to start due to the following error: The system cannot find the file specified.
13/03/2009 22:27:04, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
13/03/2009 22:25:26, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
13/03/2009 22:19:01, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
13/03/2009 18:20:46, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV Avg7Core Avg7RsW Avg7RsXP Fips intelppm
13/03/2009 11:14:48, error: System Error [1003] - Error code 1000000a, parameter1 00000000, parameter2 00000002, parameter3 00000001, parameter4 804dc11d.
13/03/2009 07:02:23, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
13/03/2009 07:00:36, error: Dhcp [1008] - Your computer was unable to initialize a Network Interface attached to the system. The error code is: Access is denied. .
13/03/2009 06:56:03, error: Service Control Manager [7028] - The BITS Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.
13/03/2009 02:01:01, error: System Error [1003] - Error code 00000024, parameter1 001902fe, parameter2 f8992718, parameter3 f8992414, parameter4 804eb569.
13/03/2009 01:52:01, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000098' while processing the file 'amsbfahg.sys' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
13/03/2009 22:28:32, error: System Error [1003] - Error code 1000000a, parameter1 080080bb, parameter2 00000002, parameter3 00000000, parameter4 80516a0b.
13/03/2009 23:48:27, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
14/03/2009 21:09:41, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
14/03/2009 22:30:08, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McUpdMgr.Exe with arguments "/Embedding" in order to run the server: {C3A036FA-DA7D-45E2-AE16-6CADAAE5D75E}
14/03/2009 22:43:24, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV Fips intelppm
14/03/2009 22:59:20, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV avgio avipbb Fips intelppm
14/03/2009 23:26:32, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
17/03/2009 23:59:45, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Avira AntiVir Personal - Free Antivirus Guard service to connect.
17/03/2009 23:59:45, error: Service Control Manager [7000] - The Avira AntiVir Personal - Free Antivirus Guard service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
18/03/2009 23:56:31, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV avgio avipbb Fips intelppm ssmdrv



Those are errors from many of your Services.. Now, do you have a Windows CD?
  • 0
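As an added example (mine, not from the thread and not from DDS), a small Python triage for the "Event Viewer Messages" section of attach.txt: it parses the `date, level: source [id] - message` lines, tallies them by source and event ID, pulls service names out of Service Control Manager 7000/7009 events and driver names out of 7026 events, and flags the ones that belong to the security products named in the thread. The keyword list is an assumption and the sample lines are a constructed subset of those quoted above.

```python
import re
from collections import Counter

# Constructed sample: a subset of the attach.txt "Event Viewer Messages" lines from the thread
SAMPLE_EVENTS = """\
13/03/2009 22:28:18, error: Service Control Manager [7000] - The KService service failed to start due to the following error: The system cannot find the path specified.
13/03/2009 22:28:18, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ICF service to connect.
14/03/2009 22:59:20, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV avgio avipbb Fips intelppm
17/03/2009 23:59:45, error: Service Control Manager [7000] - The Avira AntiVir Personal - Free Antivirus Guard service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
18/03/2009 23:56:31, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV avgio avipbb Fips intelppm ssmdrv
"""

EVENT_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (\w+): (.+?) \[(\d+)\] - (.*)$")
SERVICE_RE = {7000: re.compile(r"^The (.+?) service failed to start"),
              7009: re.compile(r"waiting for the (.+?) service to connect")}
# Assumed keyword list: the antivirus products and their drivers mentioned in the thread
SECURITY_KEYWORDS = ("avira", "antivir", "avg", "avipbb", "avgio", "ssmdrv")

def parse_events(text):
    """Yield (timestamp, level, source, event_id, message) for each well-formed line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts, level, source, eid, msg = m.groups()
            yield ts, level, source, int(eid), msg

def triage_events(text):
    """Summarise SCM failures and flag those touching security software."""
    failed_services, failed_drivers, by_id = [], set(), Counter()
    for ts, level, source, eid, msg in parse_events(text):
        by_id[(source, eid)] += 1
        if eid in SERVICE_RE:
            m = SERVICE_RE[eid].search(msg)
            if m:
                failed_services.append(m.group(1))
        elif eid == 7026 and "failed to load:" in msg:
            failed_drivers.update(msg.split("failed to load:", 1)[1].split())
    names = failed_services + sorted(failed_drivers)
    security_related = sorted({n for n in names if any(k in n.lower() for k in SECURITY_KEYWORDS)})
    return {"by_id": dict(by_id), "failed_services": failed_services,
            "failed_drivers": sorted(failed_drivers), "security_related": security_related}
```

A protection product whose guard service and kernel drivers repeatedly fail to load is the pattern behind "Avira will not open" in this thread; whether that is damage or tampering is decided by what else the log shows, not by this summary alone.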

#140
dowsp (Topic Starter, Member, 542 posts)
Hi Fenz

Yes, I think that I do have a Windows CD...

I await any instructions..

thank you

dowsp
  • 0

#141
fenzodahl512 (Malware Removal, 9,863 posts)
Insert your Windows CD (SP2 or SP3) into the computer and do the below..
  • Click Start >> Run >> copy/paste sfc /scannow >> Enter.
  • Note the space between the c and the /
  • Allow the scan to run and when completed, reboot the system.

To learn more about sfc /scannow, please visit the webpage below..

http://www.updatexp....cannow-sfc.html


Reboot your computer and observe whether Avira AntiVir can load or not..


============================


As I mentioned before about your website, it's best if you contact the webmaster/programmer/developer and also the web provider regarding the hacking issue.. We can't offer any help regarding website issues in the Malware forum.. The reason for it is that the hacked system is on the server located with your web provider, not on your computer.. If your website has been hacked, it's likely other accounts on the same server may have been compromised too..

You may however seek further assistance at our Web Development forum below..

http://www.geekstogo...opment-f28.html
  • 0

#142
dowsp (Topic Starter, Member, 542 posts)
Hi Fenz

I thought that when I bought my laptop from Dell that they included a copy of 'Windows XP'..

But I have found out that they do not include a copy on CD, and that it is only on the laptop.

So, it seems I may continue to have problems unless I can either get a copy from Dell or obtain one somehow.

Unless you have any other suggestions..

Thanks Dowsp
  • 0

#143
dowsp (Topic Starter, Member, 542 posts)
Hi Fenz

I don't know if this may work!

My brother's PC has Windows XP..
but he also did not get a copy of Windows when he bought his computer from HP..
He also has a laptop that I think also has a copy of Windows XP on it..

Would it be possible for me to network or link to one of his computers and use his Windows software while connected somehow to resolve my problem?

thk you
  • 0

#144
fenzodahl512 (Malware Removal, 9,863 posts)
I'm not sure about that.. Can you find any Windows CD?.. You can borrow it from your friends too..
  • 0

#145
dowsp (Topic Starter, Member, 542 posts)
Hi Fenz

At the moment I cannot get hold of a Windows XP CD...

I will enquire with Dell if they can supply me with one..

I don't understand why they only supplied me with a copy on my laptop and not on a CD.

My brother has two computers from other companies and they did not supply a Windows XP CD either.

BUT he says he has a copy in a "D drive" partition of his hard drive on one of them.

I didn't think my laptop had a partition drive as my "D drive" is a CD drive.


I looked on Dell's support page... and it does mention some options..

I don't know if I could use System Restore IF it is an option on my computer..

It says that it won't affect documents and files..

I think that I will have to call them to find out for certain..


--------------------------------------

http://support.dell....o...;l=en&s=gen

System Restore

System Restore is a Microsoft® Windows® tool, built into the operating system, designed to protect and repair the OS. When an install failure or data corruption occurs, System Restore can return a system to working condition without a full reinstallation.


PC Restore

Available on many Dell™ Dimension™ and Inspiron™ computers, Dell™ PC Restore by Symantec™ is a hidden partition on your hard drive that contains an exact copy of your computer's original factory software. With PC Restore, you can restore your computer to the original state it was shipped in to you from Dell and in a fraction of the time a manual reinstallation would require.
Time to Complete: 30 - 60 Minutes.



Manual reinstallation.

Manual reinstallation is the most time consuming and difficult method of those available. The user is responsible for installing the operating system directly from the CD or DVD, installing the drivers, configuring the OS, installing critical and recommended updates, installing their applications and restoring backed up data files.
Time to Complete: 120+ Minutes.
  • 0

#146
dowsp (Topic Starter, Member, 542 posts)
Actually I have found that my computer does have a System Restore facility..

At the moment however I am not totally sure how to use it, or if this will be OK to do what you need it to do to
solve the Windows problems...


Without either me knowing exactly what I would have to do, or you being able to see what it can do,
it still makes things difficult unless it is something that may be easy to do, such as IF I were able to restore it back to the date before I had my problem, if this would be OK and just resolve the Windows problem.
  • 0

#147
dowsp (Topic Starter, Member, 542 posts)
I called Dell, and they say that they should have supplied me with a Windows XP CD,
BUT I am unable to find it... I don't think it was sent.

I asked about the System Restore.... and unfortunately it will only allow it to go back a few days, to Mar 15th... I thought that I would have been able to go back to
at least mid February.. or ideally before I obtained the initial virus.

I NOTE however that I mentioned the more recent Avira-detected virus was on
Mar 16th... So I MAY be lucky to be able to go back before then IF I act on it today or within the next day!...


I may have to just chance doing it if you have not replied in time,
as I think I can alter it back if I need to..

Edited by dowsp, 25 March 2009 - 04:07 AM.

  • 0

#148
dowsp (Topic Starter, Member, 542 posts)
I did try the System Restore to see if it would go back to Mar 15th and unfortunately it would not do it.

I have noted however that my calendar is ONE day forward, i.e. showing the 26th instead of the 25th Mar.

I don't know whether it will work if I put my calendar back to the correct date.. and IF I do, if that in turn will allow me to go back to the 14th instead of the 15th.


Looking at the recent past posts, it seems that I wrote to say that I caught that Avira-detected virus early on Mar 16th... of which I am not sure which time zone...

so IF I will be able to alter or restore the computer back, I will have to do it in the next day I would say...
  • 0

#149
fenzodahl512 (Malware Removal, 9,863 posts)
Hello.. I got some tips from the experts.. Let's do this....

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2

  • Double-click the SystemLook and copy/paste the following into the box
    :filefind
    crypts.dll
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply


---EDIT----

Another thing.. I read your other topic below..

http://www.geekstogo...23#entry1490423


Now, my only suggestion is for you to take down that website permanently..

1. As stated by Metallica, the website contains something similar to a pyramid system, which is not supported here..
2. Your website indeed contains malware.. That's the reason you keep getting infected after we cleaned the computer up before..

If you need a website for business purposes, it is better for you to start again from scratch.. And be sure your site contains a legitimate business..

Edited by fenzodahl512, 26 March 2009 - 06:24 AM.

  • 0

#150
dowsp (Topic Starter, Member, 542 posts)
Hi Fenz

SystemLook did not find the file..... not sure if this was expected or if I need to replace them.

I will take down / remove the html of the infected webpages...

thk you

-----------------------------------------------------


SystemLook v1.0 by jpshortstuff (02.03.09)
Log created at 20:11 on 27/03/2009 by P........ (Administrator - Elevation successful)

========== filefind ==========

Searching for "crypts.dll"
No files found.

-=End Of File=-
  • 0
