pongboy

Everything posted by pongboy

  1. Kevin, Everything looks good. Sorry I didn't reply earlier, but I wanted to see it run because it has been a while. I do appreciate your help and persistence with this one. I now see how little I know about virus/malware removal and, more importantly, the log analysis. I like doing this kind of stuff. Unfortunately, I have a friend whose two daughters keep me very busy. They go surfing and clicking and I go cleaning. They have given me a lot of experience over the past several years. I am the neighborhood geek too, so I see a lot of slow computers that come back to life with just the basics. But after this experience, I now know I need to learn a lot more. Do the files that were uploaded need to be dealt with? I have used 3.06mb of my 20mb global upload quota. I have an offline question if that is permissible. If not, no worries. Thanks
  2. Here is the Combofix log. I then ran ESET and it found 3 threats and successfully removed them. - probably a variant of Win32/Adware.Softomate.AD application
  3. The program ran and finished. I glanced through the log and accidentally closed it before I could save it. However, before I closed it I did see that the sistemanet registry entry was successfully deleted. Then I rebooted the computer and logged in like usual. I checked the registry through regedit and confirmed that the key was deleted. It "feels" much better. I have been around enough sick ones to be able to tell something is not quite right just by clicking around a bit, checking standard settings and things like that. It's snappy, the windows pop right up. So, at the end you asked me to post a new OTL log. Did you mean the one I accidentally closed, or am I going to run it again? Is it too early to say how good it feels to take another virus out of commission?
  4. Here is the log. I just realized that when I booted up with the cd that there was no internet connection. OTL.txt
  5. It did not ask me if I wish to load the remote registry. It didn't ask for the location of the Windows folder. Is that ok? I have not run it yet; I will wait until I hear from you.
  6. Came up clean. When using the Kaspersky registry editor, it does not show the HKCU hive. If I am in any other user, the sistemanet key is not present. It only shows when I am logged in as LMAdmin username in normal windows or in safe mode. There is a backup account and an administrator account. This does not show up there. I think we have done everything we can try plus a few things. I am ready to wipe the hard drive and reinstall everything unless you have something else.
  7. GMER 1.0.15.15641 - http://www.gmer.net
     Rootkit scan 2012-12-03 20:41:12
     Windows 5.1.2600 Service Pack 3
     Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-1b SAMSUNG_SP1604N/R rev.TM100-24
     Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kxldapob.sys

     ---- User code sections - GMER 1.0.15 ----

     .text  C:\WINDOWS\system32\SearchIndexer.exe[1756] kernel32.dll!WriteFile  7C810E27 7 Bytes  JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

     ---- Devices - GMER 1.0.15 ----

     Device  \Driver\ubohci \Device\UBOHCI0  UB1394.SYS (FireAPI® 1394 Class Driver (XP)/Unibrain S.A.)
     Device  \Driver\ubohci \Device\C1394  UB1394.SYS (FireAPI® 1394 Class Driver (XP)/Unibrain S.A.)
     AttachedDevice  \FileSystem\Fastfat \Fat  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

     ---- EOF - GMER 1.0.15 ----
  8. Ok, I found out what the line thing is. There is an editing toolbar that has Bold, Italics, Underline and Strike Through (an S with a line going through it). Somehow when I get ready to reply, it turns on. My mouse isn't near it, so I'm not sure how I am doing it, but it started on this reply and I looked around the screen. Anyway, I ran a quick scan with Windows Defender Offline and it came up clean. I am now running a Full Scan, so that will probably take an hour or three. So I am going to call it a day. It has been a long one. I will update you with those results when the scan is finished running.
  9. Nothing available before yesterday for some reason. I've dealt with some bad ones before but have always been able to figure them out.
  10. Came up clean also. Here is the registry key in a zip. abc.zip
  11. Here is the registry key:

     Windows Registry Editor Version 5.00

     [HKEY_CURRENT_USER\software\sistemanet]
  12. This copy/paste didn't come through right. It didn't find anything.
  13. One item to note: there is another file called ntdll(2)(2).dll in system32.
  14. It flashed "scheduling cleanup" then BSOD. Attached are the log files: mbar-log-2012-12-02 (15-58-34).txt and system-log.txt
  15. Do I need to scan and BSOD through all 12 of the tabs? I have run #1 and #2. The program goes through the motions like normal (the program opens, updates, and scans like it is supposed to) but it bombs when trying to clean as usual. The only thing it doesn't do is remove the protection driver because it blue screens before the steps to generate the log file and the step to remove the protection driver and any other steps that take place after the scan is complete. The only way I can get a log is to Save Log on the Remove Selected screen. If I remove selected, then boom. Side note for later - Is there a step to manually remove the protection driver after we are finished if none of the 12 work?
  16. I have run #1 & #2 with a BSOD as a result of trying to remove selected. Up to that point, the program appears to be running like normal. It updates and runs the scan no problem. Because of the BSOD the scan process is not being completed, which includes generating the log files. When I ran #3, instead of Remove Selected, I clicked on Save Log. Here it is. Not sure if it will help because it is not complete.

     Malwarebytes Anti-Malware 1.65.1.1000
     www.malwarebytes.org

     Database version: v2012.12.02.03

     Windows XP Service Pack 3 x86 NTFS
     Internet Explorer 8.0.6001.18702
     LYNDA :: LYNDA [administrator]

     12/2/2012 1:49:03 PM
     mbam-log-2012-12-02 (13-57-41).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 267229
     Time elapsed: 8 minute(s), 18 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 1
     HKCU\Software\sistemanet (Malware.Trace) -> No action taken.

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     (end)
  17. Sorry, I must have sent the wrong log.

     RogueKiller V8.3.1 [Dec 2 2012] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Website : http://tigzy.geekstogo.com/roguekiller.php
     Blog : http://tigzyrk.blogspot.com/

     Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
     Started in : Normal mode
     User : HP_Administrator [Admin rights]
     Mode : Remove -- Date : 12/02/2012 12:55:48

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 2 ¤¤¤
     [HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [LOADED] ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> C:\WINDOWS\system32\drivers\etc\hosts
     [...]

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: SAMSUNG SP1604N/R +++++
     --- User ---
     [MBR] 8d628688acddc84d5a0445b5dc91ff27
     [bSP] 8a7884da59e414827f91c43dcf324e78 : Toshiba tatooed MBR Code
     Partition table:
     0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 8205 Mo
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 16803990 | Size: 144420 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[3]_D_12022012_02d1255.txt >>
     RKreport[1]_S_12022012_02d1224.txt ; RKreport[2]_S_12022012_02d1255.txt ; RKreport[3]_D_12022012_02d1255.txt
  18. Malwarebytes detects the malware trace and BSODs when trying to remove. It does not generate a log because of the BSOD.
  19. RogueKiller V8.3.1 [Dec 2 2012] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Website : http://tigzy.geekstogo.com/roguekiller.php
     Blog : http://tigzyrk.blogspot.com/

     Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
     Started in : Normal mode
     User : HP_Administrator [Admin rights]
     Mode : Scan -- Date : 12/02/2012 12:24:27

     ¤¤¤ Bad processes : 1 ¤¤¤
     [sUSP PATH] ALCXMNTR.EXE -- C:\WINDOWS\ALCXMNTR.EXE -> KILLED [TermProc]

     ¤¤¤ Registry Entries : 2 ¤¤¤
     [HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [LOADED] ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> C:\WINDOWS\system32\drivers\etc\hosts
     [...]

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: SAMSUNG SP1604N/R +++++
     --- User ---
     [MBR] 8d628688acddc84d5a0445b5dc91ff27
     [bSP] 8a7884da59e414827f91c43dcf324e78 : Toshiba tatooed MBR Code
     Partition table:
     0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 8205 Mo
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 16803990 | Size: 144420 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[1]_S_12022012_02d1224.txt >>
     RKreport[1]_S_12022012_02d1224.txt