
TrojanDownloader:win32/Unruy.H



#16
RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Combofix found an active ZeroAccess infection and removed it.

Did you install LogMeIn?

MSSE is not working right.


Download and Save the free Avast installer.
http://www.avast.com...ivirus-download

Uninstall Microsoft Security Essentials

Reboot

Install Avast. (Register when it asks you - they will try to talk you into buying the full product but the free version is what we want.)

Click on the Avast ball. Then click on Scan Computer, then on Boot-Time Scan, then on Settings. Change the Ask at the bottom to Move to Chest. OK, then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?
  • 0



#17
Steven Gottlieb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Ron,
I ran avast and it found no viruses. I do however have a problem. I can only get online if I go to the command prompt and use net start dhcp, ipconfig /release and ipconfig /renew.
Steve
  • 0

#18
Steven Gottlieb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Yes, a while ago I installed logmein.
Thank you,
Steven
  • 0

#19
RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Start, Run, services.msc, OK then find DHCP and right click on it and select Properties. It should be set to Startup Type: Automatic. If not then change it and Apply.



Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application.

Reboot.


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.
  • 0

#20
Steven Gottlieb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Morning Ron,
Here are the logs you requested.
Thank you,
Steven

Vino's Event Viewer v01c run on Windows XP in English
Report run at 06/03/2012 9:46:48 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 06/03/2012 9:43:51 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: AFD

Log: 'System' Date/Time: 06/03/2012 9:43:51 AM
Type: error Category: 0
Event: 7022 Source: Service Control Manager
The Net.Tcp Port Sharing Service service hung on starting.

Log: 'System' Date/Time: 06/03/2012 9:42:29 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The SMART Display Controller service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 06/03/2012 9:42:29 AM
Type: error Category: 0
Event: 7024 Source: Service Control Manager
The SQL Active Directory Helper Service service terminated with service-specific error 3221225572 (0xC0000064).

Log: 'System' Date/Time: 06/03/2012 9:42:29 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The LogMeIn Kernel Information Provider service failed to start due to the following error: The system cannot find the path specified.

Log: 'System' Date/Time: 06/03/2012 9:42:29 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Human Interface Device Access service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 06/03/2012 9:42:29 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

Log: 'System' Date/Time: 06/03/2012 9:42:29 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The DHCP Client service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

Log: 'System' Date/Time: 06/03/2012 9:42:29 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The TuneUp Theme Extension service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 06/03/2012 9:40:29 AM
Type: error Category: 0
Event: 23 Source: Print
Printer HP Officejet 4500 G510a-f fax failed to initialize because a suitable HP Officejet 4500 G510a-f fax driver could not be found.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 06/03/2012 9:37:59 AM
Type: warning Category: 0
Event: 20 Source: i8042prt
Could not set the keyboard indicator lights.

Log: 'System' Date/Time: 06/03/2012 9:37:59 AM
Type: warning Category: 0
Event: 19 Source: i8042prt
Could not set the keyboard typematic rate and delay.




Vino's Event Viewer v01c run on Windows XP in English
Report run at 06/03/2012 9:48:29 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 06/03/2012 9:42:30 AM
Type: error Category: 2
Event: 103 Source: SQLAgent$ADCENTERDESKTOP
SQLServerAgent could not be started (reason: This installation of SQL Server Agent is disabled. The edition of SQL Server that installed this service does not support SQL Server Agent.).

Log: 'Application' Date/Time: 06/03/2012 9:42:12 AM
Type: error Category: 0
Event: 100 Source: MSSQLServerADHelper100
'0' is an invalid number of start up parameters. This service takes two start up parameters.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • 0

#21
RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Our friend AFD seems to be having problems starting. Not sure why that is.

First go back into msconfig and turn on everything you have turned off (Start, Run, msconfig, OK), then select normal boot. Apply and reboot.

Also, if you have used Autoruns or any other program to disable stuff, please re-enable it, then reboot.

First let's turn off Spybot's teatimer since it can interfere:

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer

Now let's uninstall things we don't need or that look broken or might interfere:

SUPERAntiSpyware
LogMeIn
SMART Board Software
Spybot - Search & Destroy
FrostWire 5
Malwarebytes' Anti-Malware



Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

AtJob::

DirLook::
C:\Program Files\Common
%user%\library

File::
c:\windows\system32\LMIinit.dll
c:\documents and settings\All Users\Start Menu\Programs\Startup\SMART Board Tools.lnk
c:\windows\pss\SMART Board Tools.lnkCommon Startup
c:\windows\Tasks\MP Scheduled Scan.job
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

Firefox::
FF - user.js: extensions.BabylonToolbar_i.id - 4c71f074000000000000f80f410b5e1e
FF - user.js: extensions.BabylonToolbar_i.hardId - 4c71f074000000000000f80f410b5e1e
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15320
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1718:43
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=18474
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.ovrDmn - isearch.babylon.com
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

Driver::
SASDIFSV
SASKUTIL
LMIInfo
SMART Display Controller
STI2303X

Folder::
c:\program files\SUPERAntiSpyware
c:\program files\Spybot - Search & Destroy
c:\program files\Microsoft Security Client

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript, OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go. Combofix should start on its own.

Post the new log.

Start, Run, cmd, ok

reg  query  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\afd  /s  >  \junk.txt

notepad  \junk.txt

Copy and paste the text from notepad.

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application.

Reboot.


2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.




Ron
  • 0
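As an added example (not from the thread, Vino's tool or Combofix), here is a Python script that reads a VEW-style report like the ones Steven posted and pulls out what Ron is reading off it by eye: the boot-start driver that failed to load (Service Control Manager event 7026), the services that failed only because they depend on it (event 7001), and the services whose binaries are missing (events 7000/7023), which are usually leftovers of uninstalled products. The function names are mine and the sample report is constructed from entries in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the format Vino's Event Viewer (VEW) writes, built from
# entries that appear in this thread; it is not a verbatim copy of a posted report.
SAMPLE_REPORT = """Vino's Event Viewer v01c run on Windows XP in English
Report run at 06/03/2012 9:46:48 AM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 06/03/2012 9:43:51 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: AFD

Log: 'System' Date/Time: 06/03/2012 9:42:29 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The SMART Display Controller service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 06/03/2012 9:42:29 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The LogMeIn Kernel Information Provider service failed to start due to the following error: The system cannot find the path specified.

Log: 'System' Date/Time: 06/03/2012 9:42:29 AM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Human Interface Device Access service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 06/03/2012 9:42:29 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

Log: 'System' Date/Time: 06/03/2012 9:42:29 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The DHCP Client service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
"""

# One VEW record: a Log line, a Type line, an Event line and a one-line message.
EVENT_RE = re.compile(
    r"Log: '(?P<log>[^']+)' Date/Time: (?P<when>[^\n]+)\n"
    r"Type: (?P<type>\w+) Category: (?P<category>\d+)\n"
    r"Event: (?P<event>\d+) Source: (?P<source>[^\n]+)\n"
    r"(?P<message>[^\n]*)"
)
# Event 7026: "...driver(s) failed to load: AFD"
FAILED_LOAD_RE = re.compile(r"driver\(s\) failed to load: (.+)$")
# Event 7001: "The X service depends on the Y service which failed to start..."
DEPENDS_RE = re.compile(r"^The (.+?) service depends on the (.+?) service which failed to start")
# Events 7000/7023 whose cause is a missing image or module (typical uninstall leftovers).
MISSING_FILE_RE = re.compile(
    r"^The (.+?) service (?:failed to start due to|terminated with) the following error: "
    r"(?:The system cannot find the (?:file|path) specified|The specified module could not be found)\."
)

def parse_vew(text):
    """Return one dict per record found in a VEW report."""
    return [m.groupdict() for m in EVENT_RE.finditer(text)]

def failed_boot_drivers(events):
    """Driver names listed by Service Control Manager event 7026."""
    names = set()
    for e in events:
        if e["source"] == "Service Control Manager" and e["event"] == "7026":
            m = FAILED_LOAD_RE.search(e["message"])
            if m:
                names.update(n.strip() for n in m.group(1).split(","))
    return names

def dependency_failures(events):
    """Map a failed dependency to the services that failed only because of it (event 7001)."""
    deps = defaultdict(list)
    for e in events:
        if e["event"] == "7001":
            m = DEPENDS_RE.match(e["message"])
            if m:
                deps[m.group(2)].append(m.group(1))
    return {dep: sorted(svcs) for dep, svcs in deps.items()}

def missing_binary_services(events):
    """Services whose image or module is gone (events 7000/7023), sorted by name."""
    found = set()
    for e in events:
        if e["event"] in ("7000", "7023"):
            m = MISSING_FILE_RE.match(e["message"])
            if m:
                found.add(m.group(1))
    return sorted(found)

def root_cause_report(text):
    """Tie each failed boot-start driver to the services that fell over with it."""
    events = parse_vew(text)
    deps = dependency_failures(events)
    return {drv: deps.get(drv, []) for drv in sorted(failed_boot_drivers(events))}
```

Calling `root_cause_report(SAMPLE_REPORT)` names AFD as the root and lists DHCP Client and TCP/IP NetBIOS Helper as casualties, which is why fixing the DHCP service on its own cannot help; `missing_binary_services(parse_vew(SAMPLE_REPORT))` lists the orphaned SMART, LogMeIn and HID services.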

#22
Steven Gottlieb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Ron,
How do I disable Spybot's TeaTimer?
  • 0

#23
Steven Gottlieb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
In msconfig?
  • 0

#24
RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer
  • 0

#25
Steven Gottlieb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
I copied reg query [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\afd /s > \junk.txt into command prompt (with and without double spacing) and got the error "invalid key name".
  • 0



#26
RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Try:

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\afd /s > \junk.txt
  • 0

#27
Steven Gottlieb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
ComboFix 12-03-06.01 - Math On DVDs 03/06/2012 14:50:02.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.1062 [GMT -5:00]
Running from: c:\documents and settings\Math On DVDs\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Math On DVDs\Desktop\cfscript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\documents and settings\All Users\Start Menu\Programs\Startup\SMART Board Tools.lnk"
"c:\windows\pss\SMART Board Tools.lnkCommon Startup"
"c:\windows\system32\LMIinit.dll"
"c:\windows\system32\LMIRfsClientNP.dll"
"c:\windows\Tasks\MP Scheduled Scan.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Spybot - Search & Destroy
c:\program files\Spybot - Search & Destroy\advcheck.dll
c:\program files\Spybot - Search & Destroy\SDHelper.dll
c:\windows\pss\SMART Board Tools.lnkCommon Startup
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_LMIINFO
-------\Legacy_SASDIFSV
-------\Legacy_SASKUTIL
-------\Legacy_SMART_DISPLAY_CONTROLLER
-------\Service_LMIInfo
-------\Service_SASDIFSV
-------\Service_SASKUTIL
-------\Service_SMART Display Controller
-------\Service_STI2303X
.
.
((((((((((((((((((((((((( Files Created from 2012-02-06 to 2012-03-06 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 12:44 . 2011-09-15 05:22 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-12 16:53 . 2001-08-23 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2001-08-23 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2001-08-23 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2011-09-15 03:03 385024 ------w- c:\windows\system32\html.iec
2012-02-18 03:34 . 2011-09-15 02:36 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----
.
.
---- Directory of c:\program files\Common ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-02-23 16:23 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoomMonitor.exe"="c:\program files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe" [2008-10-23 801304]
"USBDetector"="c:\usbstorage\USBDetector.exe" [2003-04-01 53248]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-02-23 4031368]
"RTHDCPL"="RTHDCPL.EXE" [2011-08-17 20064872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Math On DVDs\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Seagate Product Registration.lnk - c:\documents and settings\Math On DVDs\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2012-3-2 1731736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
[BU]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\09803623.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\15006098.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SMART Board Tools.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SMART Board Tools.lnk
backup=c:\windows\pss\SMART Board Tools.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]
2010-10-08 11:26 3366200 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2006-05-14 21:12 155648 ----a-r- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPHClean"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" -hide -runkey
"SMART Mirror Driver Monitor Service"="c:\documents and settings\Math On DVDs\Application Data\SMART Technologies\Bridgit\4.2.146.0\monitorservice.exe"
"NvMediaCenter"=RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /installquiet
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port
"24726:TCP"= 24726:TCP:FlipShareServer
"24727:TCP"= 24727:TCP:FlipShareServer
.
R0 TLRecAgent;TLRecAgent;c:\windows\system32\drivers\TLRecAgent.sys [10/31/2011 5:51 PM 36976]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/5/2012 11:15 PM 610648]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/5/2012 11:15 PM 337112]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/5/2012 11:15 PM 20696]
R2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [9/13/2010 5:31 AM 95568]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 12:22 PM 1085440]
R2 MSSQL$ADCENTERDESKTOP;SQL Server (ADCENTERDESKTOP);c:\program files\Microsoft SQL Server\MSSQL10_50.ADCENTERDESKTOP\MSSQL\Binn\sqlservr.exe [4/3/2010 1:56 PM 42884448]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [9/18/2011 10:00 AM 2255464]
R2 VService;VService;c:\program files\Zoom\Zoom Phone Adaptor\VServ.exe [10/23/2008 9:58 AM 104984]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [9/13/2010 5:31 AM 18120]
R3 scusbvip;VL1800 USB Driver;c:\windows\system32\drivers\scusbvip.sys [10/31/2011 5:51 PM 609936]
R3 SLVAD_simple;Zoom Virtual Audio Device;c:\windows\system32\drivers\slvad.sys [10/31/2011 5:51 PM 84912]
R3 smrtdrv;SMART Technologies Inc. Mirror Driver;c:\windows\system32\drivers\smrtdrv.sys [9/15/2011 2:00 PM 8432]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [4/3/2010 1:56 PM 44896]
S2 SMART Mirror Driver Monitor Service;SMART Mirror Driver Monitor Service;c:\documents and settings\Math On DVDs\Application Data\SMART Technologies\Bridgit\4.2.146.0\monitorservice.exe [9/15/2011 2:00 PM 224624]
S2 SQLAgent$ADCENTERDESKTOP;SQL Server Agent (ADCENTERDESKTOP);c:\program files\Microsoft SQL Server\MSSQL10_50.ADCENTERDESKTOP\MSSQL\Binn\SQLAGENT.EXE [4/3/2010 1:56 PM 367456]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/20/2011 10:58 AM 1691480]
S3 glancedrv;glancedrv;c:\windows\system32\drivers\glancedrv.sys [11/26/2011 2:35 PM 34080]
S3 HidBoard;SMART Board Hidmini Driver;c:\windows\system32\drivers\HidBoard.sys [1/25/2011 5:13 PM 19696]
S3 PAC207;PC [email protected];c:\windows\system32\drivers\PFC027.SYS [4/12/2007 3:50 PM 507264]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;\??\c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys --> c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [4/3/2010 11:02 AM 240608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mathondvds.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
TCP: DhcpNameServer = 207.69.188.185 207.69.188.186 207.69.188.187
FF - ProfilePath - c:\documents and settings\Math On DVDs\Application Data\Mozilla\Firefox\Profiles\mxttmc59.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.mathondvds.com/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: extensions.BabylonToolbar_i.id - 4c71f074000000000000f80f410b5e1e
FF - user.js: extensions.BabylonToolbar_i.hardId - 4c71f074000000000000f80f410b5e1e
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15320
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1718:43
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=18474
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.ovrDmn - isearch.babylon.com
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - ORPHANS REMOVED - - - -
.
Notify-AutorunsDisabled - c:\program files\SUPERAntiSpyware\SASWINLO.DLL
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-484763869-1078145449-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3BD812E3-EBBA-851A-0313-069F8C08A264}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"gadldkddocnndl"=hex:61,63,65,66,67,6d,62,6a,61,66,6b,64,66,6e,6f,6f,6e,66,6f,
6c,6f,63,65,6c,65,62,6b,62,6b,6e,6c,69,65,65,63,6b,64,63,6a,68,6e,69,6d,6b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.EXE'(2036)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-03-06 15:25:34 - machine was rebooted
.
Pre-Run: 138,309,771,264 bytes free
Post-Run: 138,349,297,664 bytes free
.







! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\afd
DisplayName REG_SZ AFD
Description REG_SZ AFD Networking Support Environment
Group REG_SZ TDI
ImagePath REG_SZ \SystemRoot\System32\drivers\afd.sys
Start REG_DWORD 0x1
Type REG_DWORD 0x1
ErrorControl REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\afd\Enum
0 REG_SZ Root\LEGACY_AFD\0000
Count REG_DWORD 0x1
NextInstance REG_DWORD 0x1
INITSTARTFAILED REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\afd\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\afd\Security
Security REG_BINARY 01001480900000009C000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020060000400000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D01020001010000000000050B00000000001800FD01020001020000000000052000000023020000010100000000000512000000010100000000000512000000




Vino's Event Viewer v01c run on Windows XP in English
Report run at 06/03/2012 8:03:39 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 06/03/2012 8:01:15 PM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: AFD

Log: 'System' Date/Time: 06/03/2012 8:01:15 PM
Type: error Category: 0
Event: 7022 Source: Service Control Manager
The Net.Tcp Port Sharing Service service hung on starting.

Log: 'System' Date/Time: 06/03/2012 7:59:52 PM
Type: error Category: 0
Event: 7024 Source: Service Control Manager
The SQL Active Directory Helper Service service terminated with service-specific error 3221225572 (0xC0000064).

Log: 'System' Date/Time: 06/03/2012 7:59:52 PM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Human Interface Device Access service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 06/03/2012 7:59:52 PM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

Log: 'System' Date/Time: 06/03/2012 7:59:52 PM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The DHCP Client service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

Log: 'System' Date/Time: 06/03/2012 7:59:52 PM
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The TuneUp Theme Extension service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 06/03/2012 7:57:46 PM
Type: error Category: 0
Event: 23 Source: Print
Printer HP Officejet 4500 G510a-f fax failed to initialize because a suitable HP Officejet 4500 G510a-f fax driver could not be found.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 06/03/2012 8:01:46 PM
Type: warning Category: 0
Event: 1003 Source: Dhcp
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address F80F410B5E1E. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Log: 'System' Date/Time: 06/03/2012 7:57:42 PM
Type: warning Category: 0
Event: 19 Source: i8042prt
Could not set the keyboard typematic rate and delay.




Vino's Event Viewer v01c run on Windows XP in English
Report run at 06/03/2012 8:05:59 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 06/03/2012 7:59:52 PM
Type: error Category: 2
Event: 103 Source: SQLAgent$ADCENTERDESKTOP
SQLServerAgent could not be started (reason: This installation of SQL Server Agent is disabled. The edition of SQL Server that installed this service does not support SQL Server Agent.).

Log: 'Application' Date/Time: 06/03/2012 7:59:33 PM
Type: error Category: 0
Event: 100 Source: MSSQLServerADHelper100
'0' is an invalid number of start up parameters. This service takes two start up parameters.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • 0

#28
RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Copy the next line:

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD /s > \junk.txt

Start, Run, cmd, OK. Right click and Paste or Edit then Paste and the copied line should appear. Hit Enter.

notepad \junk.txt

Copy and paste the text from Notepad.

Combofix is showing some odd things that didn't show up before. Let's try a CFScript again:

Uninstall 'TuneUp Utilities'.

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

AtJob::

File::
c:\windows\system32\drivers\09803623.sys
c:\windows\system32\drivers\15006098.sys

Driver::
TuneUpUtilitiesDrv
09803623
15006098

Folder::
c:\program files\Microsoft Security Client
c:\program files\TuneUp Utilities 2011


RegNull::
[HKEY_USERS\S-1-5-21-484763869-1078145449-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3BD812E3-EBBA-851A-0313-069F8C08A264}*]

RegLock::
[HKEY_USERS\S-1-5-21-484763869-1078145449-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3BD812E3-EBBA-851A-0313-069F8C08A264}*]
[HKEY_USERS\S-1-5-21-484763869-1078145449-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3BD812E3-EBBA-851A-0313-069F8C08A264}]

Registry::
[-HKEY_USERS\S-1-5-21-484763869-1078145449-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3BD812E3-EBBA-851A-0313-069F8C08A264}*]
[-HKEY_USERS\S-1-5-21-484763869-1078145449-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3BD812E3-EBBA-851A-0313-069F8C08A264}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\09803623.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\15006098.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

******************************************


Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript, OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go. Combofix should start on its own.

Post the new log.

You have a service called Net.Tcp Port Sharing Service

Start, Run, services.msc, OK and see if you can find the Net.Tcp Port Sharing Service. If so see if you can Start it. Do you get an error?

What does it say?

Ron
  • 0

#29
Steven Gottlieb

Steven Gottlieb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Ron,
Net.Tcp Port Sharing Service is hanging up in starting status.
Thank you,
Steven


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD
NextInstance REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000
Service REG_SZ AFD
Legacy REG_DWORD 0x1
ConfigFlags REG_DWORD 0x20
Class REG_SZ LegacyDriver
ClassGUID REG_SZ {8ECC055D-047F-11D1-A537-0000F8753ED1}
DeviceDesc REG_SZ AFD
Capabilities REG_DWORD 0x0
Driver REG_SZ {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000\LogConf

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000\Control
ActiveService REG_SZ AFD










ComboFix 12-03-06.01 - Math On DVDs 03/07/2012 10:22:30.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.1129 [GMT -5:00]
Running from: c:\documents and settings\Math On DVDs\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Math On DVDs\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\system32\drivers\09803623.sys"
"c:\windows\system32\drivers\15006098.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_09803623
-------\Legacy_15006098
-------\Legacy_TUNEUPUTILITIESDRV
-------\Service_TuneUpUtilitiesDrv
.
.
((((((((((((((((((((((((( Files Created from 2012-02-07 to 2012-03-07 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 12:44 . 2011-09-15 05:22 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-12 16:53 . 2001-08-23 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2001-08-23 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2001-08-23 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2011-09-15 03:03 385024 ------w- c:\windows\system32\html.iec
2012-02-18 03:34 . 2011-09-15 02:36 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-02-23 16:23 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoomMonitor.exe"="c:\program files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe" [2008-10-23 801304]
"USBDetector"="c:\usbstorage\USBDetector.exe" [2003-04-01 53248]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-02-23 4031368]
"RTHDCPL"="RTHDCPL.EXE" [2011-08-17 20064872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Math On DVDs\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Seagate Product Registration.lnk - c:\documents and settings\Math On DVDs\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2012-3-2 1731736]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SMART Board Tools.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SMART Board Tools.lnk
backup=c:\windows\pss\SMART Board Tools.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]
2010-10-08 11:26 3366200 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2006-05-14 21:12 155648 ----a-r- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPHClean"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" -hide -runkey
"SMART Mirror Driver Monitor Service"="c:\documents and settings\Math On DVDs\Application Data\SMART Technologies\Bridgit\4.2.146.0\monitorservice.exe"
"NvMediaCenter"=RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /installquiet
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port
"24726:TCP"= 24726:TCP:FlipShareServer
"24727:TCP"= 24727:TCP:FlipShareServer
.
R0 TLRecAgent;TLRecAgent;c:\windows\system32\drivers\TLRecAgent.sys [10/31/2011 5:51 PM 36976]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/5/2012 11:15 PM 610648]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/5/2012 11:15 PM 337112]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/5/2012 11:15 PM 20696]
R2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [9/13/2010 5:31 AM 95568]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 12:22 PM 1085440]
R2 MSSQL$ADCENTERDESKTOP;SQL Server (ADCENTERDESKTOP);c:\program files\Microsoft SQL Server\MSSQL10_50.ADCENTERDESKTOP\MSSQL\Binn\sqlservr.exe [4/3/2010 1:56 PM 42884448]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [9/18/2011 10:00 AM 2255464]
R2 VService;VService;c:\program files\Zoom\Zoom Phone Adaptor\VServ.exe [10/23/2008 9:58 AM 104984]
R3 scusbvip;VL1800 USB Driver;c:\windows\system32\drivers\scusbvip.sys [10/31/2011 5:51 PM 609936]
R3 SLVAD_simple;Zoom Virtual Audio Device;c:\windows\system32\drivers\slvad.sys [10/31/2011 5:51 PM 84912]
R3 smrtdrv;SMART Technologies Inc. Mirror Driver;c:\windows\system32\drivers\smrtdrv.sys [9/15/2011 2:00 PM 8432]
S?2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S?2 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [4/3/2010 1:56 PM 44896]
S?2 SMART Mirror Driver Monitor Service;SMART Mirror Driver Monitor Service;c:\documents and settings\Math On DVDs\Application Data\SMART Technologies\Bridgit\4.2.146.0\monitorservice.exe [9/15/2011 2:00 PM 224624]
S?2 SQLAgent$ADCENTERDESKTOP;SQL Server Agent (ADCENTERDESKTOP);c:\program files\Microsoft SQL Server\MSSQL10_50.ADCENTERDESKTOP\MSSQL\Binn\SQLAGENT.EXE [4/3/2010 1:56 PM 367456]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/20/2011 10:58 AM 1691480]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [9/13/2010 5:31 AM 18120]
S3 glancedrv;glancedrv;c:\windows\system32\drivers\glancedrv.sys [11/26/2011 2:35 PM 34080]
S3 HidBoard;SMART Board Hidmini Driver;c:\windows\system32\drivers\HidBoard.sys [1/25/2011 5:13 PM 19696]
S3 PAC207;PC [email protected];c:\windows\system32\drivers\PFC027.SYS [4/12/2007 3:50 PM 507264]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [4/3/2010 11:02 AM 240608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mathondvds.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
TCP: DhcpNameServer = 207.69.188.185 207.69.188.186 207.69.188.187
FF - ProfilePath - c:\documents and settings\Math On DVDs\Application Data\Mozilla\Firefox\Profiles\mxttmc59.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.mathondvds.com/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: extensions.BabylonToolbar_i.id - 4c71f074000000000000f80f410b5e1e
FF - user.js: extensions.BabylonToolbar_i.hardId - 4c71f074000000000000f80f410b5e1e
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15320
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1718:43
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=18474
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.ovrDmn - isearch.babylon.com
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3336)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\netdde.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
c:\program files\Super_DVD_Creator_9.5\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\Zoom\Zoom Phone Adaptor\ZoomAgent.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\imapi.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-03-07 10:33:03 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-07 15:32
ComboFix2.txt 2012-03-06 02:00
.
Pre-Run: 145,898,119,168 bytes free
Post-Run: 145,885,605,888 bytes free
.
- - End Of File - - E2C494C06E6586CD150DCAA692DEE178
  • 0
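Post #28 asks for a `reg query ... /s` dump of the LEGACY_AFD enumeration key and #29 pastes the result. The Python below is an added example, not part of this thread or of any tool it mentions: it parses that REG.EXE 3.0 output format into a dictionary and runs a few consistency checks on the `Enum\Root\LEGACY_AFD\0000` entry. The sample text is constructed from the output posted above, and the checks (Service and Control\ActiveService name AFD, Driver points under ClassGUID) are this example's own rules, not a documented Microsoft check.

```python
# Constructed sample: the reg query output posted in the thread, with the tab-separated
# columns REG.EXE 3.0 emits (the forum collapsed them to spaces; both forms parse).
SAMPLE = """! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_AFD
    NextInstance\tREG_DWORD\t0x1

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_AFD\\0000
    Service\tREG_SZ\tAFD
    Legacy\tREG_DWORD\t0x1
    ConfigFlags\tREG_DWORD\t0x20
    Class\tREG_SZ\tLegacyDriver
    ClassGUID\tREG_SZ\t{8ECC055D-047F-11D1-A537-0000F8753ED1}
    DeviceDesc\tREG_SZ\tAFD
    Capabilities\tREG_DWORD\t0x0
    Driver\tREG_SZ\t{8ECC055D-047F-11D1-A537-0000F8753ED1}\\0000

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_AFD\\0000\\LogConf

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_AFD\\0000\\Control
    ActiveService\tREG_SZ\tAFD
"""

AFD_BASE = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_AFD"

def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query /s` output."""
    keys, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("!"):
            continue                      # blank separator or the REG.EXE banner
        if stripped.startswith("HKEY_") and not line[:1].isspace():
            current = stripped            # key header: a full HKEY_ path at column 0
            keys[current] = {}
            continue
        if current is None:
            continue
        parts = stripped.split(None, 2)   # name, type, data; data may contain spaces
        if len(parts) >= 2:
            keys[current][parts[0]] = (parts[1], parts[2] if len(parts) > 2 else "")
    return keys

def check_legacy_afd(keys):
    """Consistency rules for Enum\\Root\\LEGACY_AFD\\0000 (this example's own); returns findings."""
    inst, ctrl = keys.get(AFD_BASE + "\\0000", {}), keys.get(AFD_BASE + "\\0000\\Control", {})
    findings = []
    if inst.get("Service", ("", ""))[1].upper() != "AFD":
        findings.append("Service value does not name AFD")
    if ctrl.get("ActiveService", ("", ""))[1].upper() != "AFD":
        findings.append("Control\\ActiveService does not name AFD")
    driver, guid = inst.get("Driver", ("", ""))[1], inst.get("ClassGUID", ("", ""))[1]
    if not driver:
        findings.append("Driver value is missing")
    elif not guid or not driver.upper().startswith(guid.upper() + "\\"):
        findings.append("Driver %r does not point under ClassGUID %s" % (driver, guid))
    return findings
```

To use it against a real machine, redirect `reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD /s` to a file as post #28 does and pass the file's text to `parse_reg_query`.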

#30
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Go into regedit as before and navigate down to

HKEY_LOCAL_MACHINE

SYSTEM

CurrentControlSet

Enum

Root

LEGACY_AFD

0000

Find the Driver entry below 0000 and right click on it and delete.

It should look something like this:

Driver {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000


Close regedit.

Start, All Programs, Accessories, Command Prompt. Type with an Enter after each line:



netsh  winsock  reset  catalog


netsh  int  ip  reset  \reset.log


Reboot

Start, All Programs, Accessories, Command Prompt.

notepad  \reset.log

Copy the text from notepad and paste it into a reply.

The Net.Tcp Port Sharing Service seems to be related to .net. On mine it has Startup Type: Disabled. I assume because you are using magic jack or something like that they needed to turn it on. We could change it to Disabled and Apply and then reboot and see if AFD works. If not, change it back to whatever it is currently set at. If you look at its properties, it will tell you what it uses under Path to Executable.
Mine says \v3.0. I would uninstall Microsoft.Net Framework 3.0 (uninstall any newer versions first) then reinstall it and the newer versions.

http://www.microsoft...arlier-versions
  • 0
