Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Search Engine ReDirect + Missing Desktop icons


  • Please log in to reply

#16
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,330 posts
  • MVP
The lines in red indicate an infection but unfortunately the program doesnot know how to fix it.

TDSSKiller has been updated so let's try it again:

Delete your old version then

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

I have another possibility:

Create a folder on your desktop. Label that folder avz4. Download avz4.exe from HERE and save it in the avz4 folder. ( A zipped file is available here)
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: Posted Image
  • Click Start to begin the update
Note: If you recieve an error message, chose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with malware removal mode enabled" check box.
    Posted Image
  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis" check box.
    Posted Image
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

AVZ FIX

  • Double click on AVZ.exe
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )

    Fix here

  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.

Ron
  • 0

Advertisements


#17
Gui101do

Gui101do

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I went back and read through your posts and saw that you had mentioned early that Symantec must be disabled to run ComboFix. Well, I had forgotten all about ComboFix until I went back and re-read. I ran it and it went through all of its motions. My desktop background is still black and a lot of the programs in my start>all programs menu show they are empty. Fortunately, the search engine redirecting seems to have ended. I can now search and click returns without being redirected! Here is the ComboFix log. Tell me some good news haha:

ComboFix 11-05-14.01 - Angelo 05/14/2011 23:31:47.2.1 - x86
Running from: c:\documents and settings\Angelo\Desktop\ComboFix1.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\rdJHMdqWKMhawQ.exe
c:\documents and settings\Angelo\Application Data\Adobe\plugs\mmc11989609.txt
c:\documents and settings\Angelo\Application Data\Adobe\shed\thr1.chm
c:\documents and settings\Angelo\Local Settings\Application Data\{2E38E898-B508-4F2C-8AB9-5F4E5FC6F278}\chrome.manifest
c:\documents and settings\Angelo\Local Settings\Application Data\{2E38E898-B508-4F2C-8AB9-5F4E5FC6F278}\chrome\content\_cfg.js
c:\documents and settings\Angelo\Local Settings\Application Data\{2E38E898-B508-4F2C-8AB9-5F4E5FC6F278}\chrome\content\overlay.xul
c:\documents and settings\Angelo\Local Settings\Application Data\{2E38E898-B508-4F2C-8AB9-5F4E5FC6F278}\install.rdf
c:\program files\Antispyware Soft Removal Tool\database.db
c:\program files\Antispyware Soft Removal Tool\Results\List-07-06-10-19-10-11.txt
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\mpaebbg.sys
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_qpmxi
.
.
((((((((((((((((((((((((( Files Created from 2011-04-15 to 2011-05-15 )))))))))))))))))))))))))))))))
.
.
2011-05-15 03:11 . 2011-05-15 03:14 -------- d-----w- C:\32788R22FWJFW.0.tmp
2011-05-14 18:58 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-14 18:58 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-14 18:58 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-14 18:58 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-14 18:58 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-14 18:58 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-14 18:58 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-14 18:58 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-14 18:58 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-05-14 18:58 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-14 15:21 . 2011-05-14 18:57 -------- d-----w- c:\program files\AVAST Software
2011-05-14 14:33 . 2011-05-14 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-05-13 20:23 . 2011-05-13 20:23 -------- d-----w- C:\_OTL
2011-05-13 06:36 . 2011-05-13 06:36 -------- d-----w- c:\documents and settings\Angelo\Application Data\SUPERAntiSpyware.com
2011-05-13 06:36 . 2011-05-13 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-06 01:13 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-06 01:13 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-06 01:13 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-06 01:13 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-06 01:13 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-06 01:13 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-06 01:13 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-06 01:13 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-17 18:37 . 2011-05-08 18:04 290816 ----a-w- c:\program files\Microsoft Games\Age of Empires II\age2_x1\anticheat2.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-06 01:53 . 2007-04-24 22:50 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-03-07 05:33 . 2006-10-30 01:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-05 17:39 . 2011-03-05 17:39 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 21:36 . 2010-12-29 23:44 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 21:36 . 2010-12-29 23:44 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 20:22 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 06:19 . 2011-03-08 04:24 23608 ----a-w- c:\windows\system32\drivers\SndTAudio.sys
2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2007-05-30 01:30 . 2007-05-30 01:30 774144 -c--a-w- c:\program files\RngInterstitial.dll
2011-04-14 16:26 . 2011-05-06 01:13 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/25/2009 11:36 AM 64288]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/14/2011 2:58 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/14/2011 2:58 PM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/14/2011 2:58 PM 19544]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Angelo\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Angelo\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Angelo\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Angelo\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 10:28 AM 204800]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 4:55 AM 1352832]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [3/8/2011 12:24 AM 23608]
S3 STSService;STSService;"c:\program files\SoundTaxi Media Suite\STSService.exe" --> c:\program files\SoundTaxi Media Suite\STSService.exe [?]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [3/8/2011 12:03 AM 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [3/8/2011 12:04 AM 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [3/8/2011 12:04 AM 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [3/8/2011 12:04 AM 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [3/8/2011 12:05 AM 25704]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2007-01-31 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8162269145.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
.
2011-05-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=16794S&l=dis
uInternet Settings,ProxyOverride = <local>;*.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com\clientapps
TCP: {345542A0-197C-41D3-B3E7-837E98628E58} = 4.2.2.2,4.2.2.1
FF - ProfilePath - c:\documents and settings\Angelo\Application Data\Mozilla\Firefox\Profiles\yymj6hgu.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\Ask.com\GenericAskToolbar.dll
Notify-NavLogon - (no file)
AddRemove-SBC Self Support Tool - c:\progra~1\SBCSEL~1\CustomUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-15 00:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-05-15 00:31:02
ComboFix-quarantined-files.txt 2011-05-15 04:30
.
Pre-Run: 4,533,268,480 bytes free
Post-Run: 5,668,179,968 bytes free
.
- - End Of File - - E88D805C37B0362ED883FBA32E65E90D
  • 0

#18
Gui101do

Gui101do

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Sorry, I hadn't seen that you posted. I did not realize the topic rolled over to page 2 until i posted my last message. I am running the TDSSKiller currently (yep, it is working!) and will post the log come morning. Thanks!

EDIT: Nevermind, the TDSSKiller scan didn't take even a minute. I had it scan both options and quickly it returned that there is no infection! I guess that is good, right? Maybe the ComboFix fixed some of the problems?

Edited by Gui101do, 14 May 2011 - 10:58 PM.

  • 0

#19
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,330 posts
  • MVP
Usually when Combofix finds an infected file and replaces it the battle is won. Run aswMBR again and see if things look different.

Ron
  • 0

#20
Gui101do

Gui101do

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
First of all, when I turned on my machine this morning, Avast! has a 'Suspicious Files Found' pop up. It said suspicioys files have been detected (using a heuristic method). File name is system32\drivers\klmd.sys

Actions to take is either ignore or delete?

Here is the aswMBR log. Nothing was highlighted red and 'Fix MBR' was a clickable option.

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-15 11:25:12
-----------------------------
11:25:12.484 OS Version: Windows 5.1.2600 Service Pack 3
11:25:12.484 Number of processors: 1 586 0x207
11:25:12.500 ComputerName: AGG4 UserName:
11:25:13.187 Initialize success
11:25:19.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:25:19.015 Disk 0 Vendor: Maxtor_6E040L0 NAR61590 Size: 39205MB BusType: 3
11:25:21.031 Disk 0 MBR read successfully
11:25:21.031 Disk 0 MBR scan
11:25:21.031 Disk 0 Windows XP default MBR code
11:25:23.031 Disk 0 scanning sectors +80276805
11:25:23.062 Disk 0 scanning C:\WINDOWS\system32\drivers
11:25:31.140 Service scanning
11:25:32.187 Disk 0 trace - called modules:
11:25:32.218 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
11:25:32.218 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f8cab8]
11:25:32.218 3 CLASSPNP.SYS[f8736fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82f4cb00]
11:25:32.218 Scan finished successfully
11:25:41.890 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Angelo\Desktop\MBR.dat"
11:25:41.921 The log file has been saved successfully to "C:\Documents and Settings\Angelo\Desktop\aswMBR.txt"

Edited by Gui101do, 15 May 2011 - 09:29 AM.

  • 0

#21
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,330 posts
  • MVP
klmd.sys is a file from TDSSKiller. It's OK for it to run. Not surprising that Avast doesn't trust it. Very low level driver. Has to be to get rid of TDSS.

You will note that we no longer have the line with UNKNOWN in the aswMBR log so the infection is gone.


Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

DirLook::
C:\Program Files\Common
%user%\library

File::
c:\windows\system32\DRIVERS\ntcdrdrv.sys

Driver::
ntcdrdrv
SASDIFSV
SASKUTIL


******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag it over to george and let it start as before.

Post the new log.


We need to clean up System Restore. Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f



Run VEW again as before and let's see if we are still getting the driver errors.

Ron
  • 0

#22
Gui101do

Gui101do

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I'm sorry, drag it over to 'george'? I'm probably missing something, but what am I supposed to do with the .txt file? I have Avast! Shields set to be down until next restart.

I followed the guide and cleared out system restore.

Edited by Gui101do, 15 May 2011 - 10:30 AM.

  • 0

#23
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,330 posts
  • MVP
I asked you to rename Combofix to george and save it to your desktop but I guess you weren't able to do that. So drag the CFScript.txt file over to Combofix and let go of it. This should cause Combofix to run again. When it finishes I want to see the log.


Ron
  • 0

#24
Gui101do

Gui101do

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I just found that as you replied. Sorry for the confusion.
  • 0

#25
Gui101do

Gui101do

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I dragged the CFScript.txt file to ComboFix. Newest ComboFix Log:

ComboFix 11-05-14.03 - Angelo 05/15/2011 13:43:34.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.233 [GMT -4:00]
Running from: c:\documents and settings\Angelo\Desktop\ComboFix1.exe
Command switches used :: c:\documents and settings\Angelo\Desktop\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\system32\DRIVERS\ntcdrdrv.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SASDIFSV
-------\Legacy_SASKUTIL
-------\Service_ntcdrdrv
-------\Service_SASDIFSV
-------\Service_SASKUTIL
.
.
((((((((((((((((((((((((( Files Created from 2011-04-15 to 2011-05-15 )))))))))))))))))))))))))))))))
.
.
2011-05-14 18:58 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-14 18:58 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-14 18:58 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-14 18:58 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-14 18:58 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-14 18:58 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-14 18:58 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-14 18:58 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-14 18:58 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-05-14 18:58 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-14 15:21 . 2011-05-14 18:57 -------- d-----w- c:\program files\AVAST Software
2011-05-14 14:33 . 2011-05-14 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-05-13 20:23 . 2011-05-13 20:23 -------- d-----w- C:\_OTL
2011-05-13 06:36 . 2011-05-13 06:36 -------- d-----w- c:\documents and settings\Angelo\Application Data\SUPERAntiSpyware.com
2011-05-13 06:36 . 2011-05-13 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-06 01:13 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-06 01:13 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-06 01:13 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-06 01:13 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-06 01:13 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-06 01:13 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-06 01:13 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-06 01:13 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-17 18:37 . 2011-05-08 18:04 290816 ----a-w- c:\program files\Microsoft Games\Age of Empires II\age2_x1\anticheat2.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-06 01:53 . 2007-04-24 22:50 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-03-07 05:33 . 2006-10-30 01:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-05 17:39 . 2011-03-05 17:39 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 21:36 . 2010-12-29 23:44 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 21:36 . 2010-12-29 23:44 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 20:22 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 06:19 . 2011-03-08 04:24 23608 ----a-w- c:\windows\system32\drivers\SndTAudio.sys
2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2007-05-30 01:30 . 2007-05-30 01:30 774144 -c--a-w- c:\program files\RngInterstitial.dll
2011-04-14 16:26 . 2011-05-06 01:13 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----
.
.
---- Directory of c:\program files\Common ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/25/2009 11:36 AM 64288]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/14/2011 2:58 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/14/2011 2:58 PM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/14/2011 2:58 PM 19544]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 10:28 AM 204800]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 4:55 AM 1352832]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [3/8/2011 12:24 AM 23608]
S3 STSService;STSService;"c:\program files\SoundTaxi Media Suite\STSService.exe" --> c:\program files\SoundTaxi Media Suite\STSService.exe [?]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [3/8/2011 12:03 AM 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [3/8/2011 12:04 AM 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [3/8/2011 12:04 AM 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [3/8/2011 12:04 AM 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [3/8/2011 12:05 AM 25704]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2007-01-31 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8162269145.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
.
2011-05-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=16794S&l=dis
uInternet Settings,ProxyOverride = <local>;*.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com\clientapps
TCP: {345542A0-197C-41D3-B3E7-837E98628E58} = 4.2.2.2,4.2.2.1
FF - ProfilePath - c:\documents and settings\Angelo\Application Data\Mozilla\Firefox\Profiles\yymj6hgu.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-15 13:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2188)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\java.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-05-15 14:11:51 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-15 18:11
ComboFix2.txt 2011-05-15 04:31
.
Pre-Run: 6,940,536,832 bytes free
Post-Run: 6,933,176,320 bytes free
.
- - End Of File - - 8B88A384BC3C49468DF235928DD7D0AA

Edited by Gui101do, 15 May 2011 - 12:21 PM.

  • 0

Advertisements


#26
Gui101do

Gui101do

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
After running the Vino tool on both system then application:

Vino's Event Viewer v01c run on Windows XP in English
Report run at 15/05/2011 2:24:05 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 13/05/2011 6:52:52 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:52 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:52 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:52 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:52 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:51 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:51 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:51 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:51 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:51 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:51 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:51 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:51 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:51 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:51 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:51 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:51 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:51 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:51 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

Log: 'System' Date/Time: 13/05/2011 6:52:51 PM
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk0\D.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 13/05/2011 6:52:50 PM
Type: warning Category: 0
Event: 50 Source: Ntfs
{Delayed Write Failed} Windows was unable to save all the data for the file . The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Log: 'System' Date/Time: 13/05/2011 6:52:38 PM
Type: warning Category: 0
Event: 50 Source: Ntfs
{Delayed Write Failed} Windows was unable to save all the data for the file . The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Log: 'System' Date/Time: 13/05/2011 6:52:28 PM
Type: warning Category: 0
Event: 50 Source: Ntfs
{Delayed Write Failed} Windows was unable to save all the data for the file . The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Log: 'System' Date/Time: 13/05/2011 6:52:18 PM
Type: warning Category: 0
Event: 50 Source: Ntfs
{Delayed Write Failed} Windows was unable to save all the data for the file . The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Log: 'System' Date/Time: 13/05/2011 6:52:12 PM
Type: warning Category: 0
Event: 50 Source: Ntfs
{Delayed Write Failed} Windows was unable to save all the data for the file . The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Vino's Event Viewer v01c run on Windows XP in English
Report run at 15/05/2011 2:30:18 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 14/05/2011 2:29:03 PM
Type: error Category: 0
Event: 51 Source: Symantec AntiVirus
The event description cannot be found.

Log: 'Application' Date/Time: 14/05/2011 2:27:32 PM
Type: error Category: 0
Event: 5 Source: Symantec AntiVirus
The event description cannot be found.

Log: 'Application' Date/Time: 14/05/2011 2:27:30 PM
Type: error Category: 0
Event: 46 Source: Symantec AntiVirus
The event description cannot be found.

Log: 'Application' Date/Time: 14/05/2011 2:25:19 PM
Type: error Category: 0
Event: 5 Source: Symantec AntiVirus
The event description cannot be found.

Log: 'Application' Date/Time: 14/05/2011 11:00:15 AM
Type: error Category: 0
Event: 11704 Source: MsiInstaller
Product: Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 -- Error 1704.An installation for Symantec AntiVirus is currently suspended. You must undo the changes made by that installation to continue. Do you want to undo those changes?

Log: 'Application' Date/Time: 14/05/2011 10:36:31 AM
Type: error Category: 0
Event: 5 Source: Symantec AntiVirus
The event description cannot be found.

Log: 'Application' Date/Time: 14/05/2011 12:18:23 AM
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application firefox.exe, version 2.0.1.4120, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 14/05/2011 12:16:29 AM
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application firefox.exe, version 2.0.1.4120, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 13/05/2011 8:07:33 PM
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application rundll32.exe, version 5.1.2600.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 15/05/2011 12:59:35 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user AGG4\Angelo registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 14/05/2011 11:15:40 AM
Type: warning Category: 0
Event: 42 Source: Symantec AntiVirus
The event description cannot be found.

Log: 'Application' Date/Time: 14/05/2011 11:15:38 AM
Type: warning Category: 0
Event: 42 Source: Symantec AntiVirus
The event description cannot be found.

Log: 'Application' Date/Time: 14/05/2011 11:15:38 AM
Type: warning Category: 0
Event: 42 Source: Symantec AntiVirus
The event description cannot be found.

Log: 'Application' Date/Time: 14/05/2011 11:09:39 AM
Type: warning Category: 0
Event: 1524 Source: Userenv
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Log: 'Application' Date/Time: 14/05/2011 1:10:20 AM
Type: warning Category: 0
Event: 42 Source: Symantec AntiVirus
The event description cannot be found.

Log: 'Application' Date/Time: 14/05/2011 1:10:16 AM
Type: warning Category: 0
Event: 42 Source: Symantec AntiVirus
The event description cannot be found.

Log: 'Application' Date/Time: 14/05/2011 1:10:15 AM
Type: warning Category: 0
Event: 42 Source: Symantec AntiVirus
The event description cannot be found.

Log: 'Application' Date/Time: 14/05/2011 12:28:09 AM
Type: warning Category: 0
Event: 42 Source: Symantec AntiVirus
The event description cannot be found.

Log: 'Application' Date/Time: 14/05/2011 12:28:09 AM
Type: warning Category: 0
Event: 42 Source: Symantec AntiVirus
The event description cannot be found.

Log: 'Application' Date/Time: 14/05/2011 12:28:09 AM
Type: warning Category: 0
Event: 42 Source: Symantec AntiVirus
The event description cannot be found.

Edited by Gui101do, 15 May 2011 - 12:31 PM.

  • 0

#27
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,330 posts
  • MVP
Combofix looks clean and there are no new driver warnings in the logs so I think we are done with the fixes unless you have some other problems.

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"c:\documents and settings\Angelo\Desktop\ComboFix1.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

To hide hidden files again:

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

You do not have the latest Java (Java™ 6 Update 25). Get the latest at:

http://javadl.sun.co...?BundleId=41723

Save it to your PC then close all browsers and install it.

Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 23
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7

Java™ 6 Update 23 is new enough that it should be removed automatically. If you use Firefox go into tools, Add-ons and make sure that CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA is not enabled. CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA is OK but 0023 should be disabled or uninstalled. Java seems to have a real problem removing the old consoles from Firefox. Having multiple Java consoles will make Firefox very sluggish and slow to start.


Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

I recommend you install the free WinPatrol from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB drives you might want to install Autorun Eater v2.5.
http://download.cnet...4-10752777.html
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

If you use Firefox (make sure you have the latest which is 4.0.1) then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.

The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: Adhttp://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox. It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you install the MVP Hosts file:
http://www.mvps.org/...p2002/hosts.htm
it will keep you from going to most bad sites. You do not need Spybot's Immunize which does the same thing.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron
  • 0

#28
Gui101do

Gui101do

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Thank you very much. I appreciate your help over these last few days.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP