
Antivirus 2010 removal


I'm sure it could be part of it.

Start => Run => Type netsh winsock reset then click ok. Restart your computer then check windows firewall again.

The following are the services which should be started.

Services Internet Connection Sharing (ICS) needs to function properly:

Base Filtering Engine

Remote Procedure Call (RPC)

DCOM Server Process Launcher

Network Connections

Network Store Interface Service

NSI proxy Service

Remote Procedure Call (RPC)

DCOM Server Process Launcher

Remote Access Connection Manager

Telephony

Plug and Play

Remote Procedure Call (RPC)

DCOM Server Process Launcher

Windows Management Instrumentation

Remote Procedure Call (RPC)

DCOM Server Process Launcher

Also check these out:

http://support.microsoft.com/kb/892199


I tried the netsh command and it didn't help. I also read the link you sent me. My error is a bit different from what's being described.

I typed sc query sharedaccess

TYPE: 20 WIN32_SHAREPROCESS

STATE: 1 STOPPED (NOT_STOPPABLE,NOT_PAUSABLEIGNORES_SHUTDOWN)

WIN32_EXIT_CODE: 2 (0X2)

SERVICE_EXIT_CODE: 0 (0X0)

CHECKPOINT: 0X0

WAIT_HINT: 0X0

after typing in "net start sharedaccess"

The Windows Firewall/Internet Connection Sharing (ICS) service is starting.

The Windows Firewall/Internet Connection Sharing (ICS) service could not be started.

A system error has occurred.

System error 2 has occurred.

The system cannot find the file specified.

I also tried the help from the following link and it didn't work either. http://www.techsupportforum.com/microsoft-...-ics-error.html.

Please let me know what you think about the error message from query and start sharedaccess.

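A defender-side check for what the two posts above are doing by hand: the dependency chain of the Windows Firewall/ICS service and the "error 2: file not found" result when it is started. The PowerShell script below is an added example, not code posted in this thread. It queries Win32_Service for SharedAccess and the services named in the first reply, reports each one's state, start mode and Win32 exit code, and tests whether the service binary actually exists on disk, which is the usual cause of exit code 2 after a malware clean-up. It assumes PowerShell 3.0 or later with the CIM cmdlets; the short service names are assumed from the display names in the list, and on Windows XP the BFE and nsi entries will show as not registered because those services did not exist before Vista (the NSI proxy is a kernel driver, not a Win32 service, so it is omitted).

```powershell
# Added example (not from the thread): report the state of the Windows Firewall/ICS
# service and the services it depends on, and flag any whose binary is missing.
# Assumes PowerShell 3.0+ (Get-CimInstance). Service short names are assumed from
# the display names listed in the thread.

$serviceNames = @(
    'SharedAccess',  # Windows Firewall/Internet Connection Sharing (ICS)
    'BFE',           # Base Filtering Engine (Vista and later)
    'RpcSs',         # Remote Procedure Call (RPC)
    'DcomLaunch',    # DCOM Server Process Launcher
    'Netman',        # Network Connections
    'nsi',           # Network Store Interface Service (Vista and later)
    'RasMan',        # Remote Access Connection Manager
    'TapiSrv',       # Telephony
    'PlugPlay',      # Plug and Play
    'Winmgmt'        # Windows Management Instrumentation
)

function Get-ServiceHealth {
    param([string[]]$Names)

    foreach ($name in $Names) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Service is not registered at all on this Windows version (or was removed).
            [pscustomobject]@{ Name = $name; State = 'NOT REGISTERED'; StartMode = $null
                               ExitCode = $null; Binary = $null; BinaryExists = $false }
            continue
        }

        # PathName may be quoted and may carry arguments (e.g. svchost.exe -k netsvcs);
        # keep only the executable path, then expand %SystemRoot% and friends.
        if ($svc.PathName -match '^"([^"]+)"') {
            $exe = $Matches[1]
        } else {
            $exe = ($svc.PathName -split ' -| /')[0].Trim()
        }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        [pscustomobject]@{
            Name         = $svc.Name
            State        = $svc.State
            StartMode    = $svc.StartMode
            ExitCode     = $svc.ExitCode      # 2 == ERROR_FILE_NOT_FOUND, as seen in the thread
            Binary       = $exe
            BinaryExists = Test-Path -LiteralPath $exe
        }
    }
}

# Anything with State 'Stopped' and BinaryExists $false is a service whose image
# was deleted or quarantined; that is where to look first.
Get-ServiceHealth -Names $serviceNames | Format-Table -AutoSize
```

Run it from an elevated prompt so that every service is visible. A row showing SharedAccess stopped with BinaryExists false points at a missing svchost.exe or a broken ImagePath in the registry rather than at a dependency problem, which is the distinction the poster was trying to make.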

On the Microsoft forum, it displays the error:

Could not start the Windows Firewall/Internet Connection Sharing (ICS) service on Local Computer.

Error 0x80004015: The class is configured to run as a security id different from the caller

I didn't get any error address notification. It's not the same signature; does it matter whether it matches mine in order to apply the fixes?


Are you sure you have the wireless switch turned on, on the laptop?

Dell laptops have a switch in the front while some others have a key combination.

Either way, you should have a wireless LED on the laptop just above the keyboard.

Print out these instructions to use while in the Recovery Environment or read off another computer:

1. Restart your computer in Safe Mode.

2. After hearing your computer beep once during startup, but before the Windows icon appears, start pressing the F8 key.

3. Select 'Safe Mode with Command Prompt' and press 'Enter'.

4. At the command prompt type the following entries one at a time, and press 'Enter' (note the spaces):

ren c:\windows\system32\drivers\tcpip.sys tcpip.sys.old

copy C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys c:\windows\system32\drivers\tcpip.sys

5. You should get the message '1 file(s) copied'. If you didn't, go to c:\windows\system32\drivers for the first command (the rename), then, for the copy, go to C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\.

6. If you did not get the message '1 file(s) copied', try the last command again, making sure there are no typos.

7. If you still don't get the message '1 file(s) copied', stop now and let me know from another computer.

8. Type exit and press 'Enter', then click 'Restart'.

See if the internet works.

If it still doesn't work, see http://www.bleepingcomputer.com/forums/topic84764.html, Post #4 by hublerb, "REALLY REINSTALLING TCP/IP".

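Before renaming or overwriting the driver as the steps above describe, a practitioner would want to confirm that the installed tcpip.sys really differs from the hotfix copy. The PowerShell script below is an added example, not code from this thread: it records size, file version, SHA-256 and embedded Authenticode status for both files at the paths given in the post and summarises what the comparison means. It assumes PowerShell 4.0 or later for Get-FileHash, and it carries the catalog-signing caveat: many Windows system files have no embedded signature, so a NotSigned result by itself is not evidence of tampering.

```powershell
# Added example, not part of the thread: fingerprint the installed tcpip.sys and the
# hotfix copy named in the post above before renaming or overwriting anything.
# Assumes PowerShell 4.0+ (Get-FileHash). Paths are the ones given in the thread.

$installed  = 'C:\Windows\System32\drivers\tcpip.sys'
$hotfixCopy = 'C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys'   # single quotes: $hf_mig$ is literal

function Get-DriverFingerprint {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    # Only embedded signatures are checked here. Many Windows system files are
    # catalog-signed and report NotSigned, so NotSigned alone is inconclusive;
    # HashMismatch or NotTrusted on a file that should be signed is a red flag.
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        Size      = $item.Length
        Version   = $item.VersionInfo.FileVersion
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = $sig.Status
        Signer    = $signer
    }
}

function Compare-Drivers {
    param($Current, $Reference)

    if (-not ($Current.Exists -and $Reference.Exists)) {
        return 'One of the files is missing; nothing to compare.'
    }
    if ($Current.Sha256 -eq $Reference.Sha256) {
        return 'Installed driver is byte-identical to the hotfix copy; replacing it changes nothing.'
    }
    switch ($Current.Signature) {
        'Valid'     { 'Files differ but the installed driver carries a valid signature; compare versions (different update level?) before replacing.' }
        'NotSigned' { 'Files differ; the installed driver has no embedded signature (it may be catalog-signed). Verify with sigverif or sfc before replacing.' }
        default     { "Files differ and the installed driver's signature status is '$($Current.Signature)'; restoring the hotfix copy is warranted." }
    }
}

$current   = Get-DriverFingerprint -Path $installed
$reference = Get-DriverFingerprint -Path $hotfixCopy
$current, $reference | Format-List
Compare-Drivers -Current $current -Reference $reference
```

Keep the two fingerprints with the case notes: if the replacement later has to be reversed (the rename in the post leaves tcpip.sys.old behind for exactly that purpose), the recorded hash tells you which file you are putting back.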

My Dell 8100 didn't come with a built-in wireless card. The wireless card that I am using is an external PCMCIA card that you insert on the right hand side of the computer. So the only way I will see the wireless icon in the lower right hand corner is when the PCMCIA card is plugged in. There are no switches involved :D

I will try your steps tomorrow. Thanks for the information again :D


Download Combofix from any of the links below but rename it to iexplore.exe before saving it to your desktop.

If need be, Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

Note:

If combofix (iexplore.exe) won't run from the desktop, try running it from the USB device.

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save iexplore.exe to your Desktop

Double click on iexplore.exe (the renamed ComboFix.exe) & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

  • Double click on iexplore.exe & follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7 or you don't have an internet connection.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (screenshot RC2-1.png):

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Here is the ComboFix scan result:

ComboFix 10-11-01.01 - Chien-lung Lee 11/01/2010 20:27:16.5.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.701 [GMT -4:00]

Running from: c:\documents and settings\Chien-lung Lee\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2010-10-02 to 2010-11-02 )))))))))))))))))))))))))))))))

.

2010-11-01 01:50 . 2008-06-20 11:59 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys

2010-10-29 01:41 . 2010-09-23 07:46 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-10-21 01:39 . 2010-09-23 07:46 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-10-21 01:38 . 2010-10-21 01:38 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}

2010-10-21 00:10 . 2003-09-30 19:17 208896 ----a-w- c:\windows\system32\CSWGINA.DLL

2010-10-21 00:10 . 2003-09-30 13:00 491520 ----a-w- c:\windows\system32\ACrd10SM.dll

2010-10-21 00:10 . 2002-10-24 14:42 122880 ----a-w- c:\windows\system32\CiscoACU.cpl

2010-10-21 00:10 . 2010-10-21 00:10 -------- d-----w- c:\program files\Cisco Systems

2010-10-21 00:09 . 2010-10-21 00:09 -------- d-----w- c:\windows\Cisco

2010-10-20 00:10 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-20 00:10 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-18 23:47 . 2010-10-18 23:47 -------- d-----w- C:\TDSSKiller_Quarantine

2010-10-17 22:51 . 2009-09-07 18:02 27944 ----a-w- c:\windows\system32\sbbd.exe

2010-10-17 19:56 . 2010-10-17 19:56 -------- d-----w- c:\documents and settings\Chien-lung Lee\Application Data\SUPERAntiSpyware.com

2010-10-17 19:56 . 2010-10-17 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-10-17 18:00 . 2010-10-17 18:32 -------- d-----w- C:\Combo-Fix

2010-10-17 17:42 . 2010-10-17 17:42 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-10-17 17:42 . 2010-10-17 17:42 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-10-17 17:41 . 2010-10-17 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-10-17 13:08 . 2010-10-17 13:08 -------- d--h--w- c:\windows\PIF

2010-10-07 02:56 . 2010-10-07 02:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-10 09:15 . 2010-08-10 09:15 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-08-10 09:15 . 2010-08-10 09:15 69632 ----a-w- c:\windows\system32\QuickTime.qts

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-02-10 4501504]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2001-11-06 131072]

"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2002-02-01 189476]

"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]

"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2006-01-21 679936]

"Motive SmartBridge"="c:\progra~1\Verizon\SMARTB~1\MotiveSB.exe" [2006-06-23 438359]

"nwiz"="nwiz.exe" [2003-02-10 323584]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-17 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]

"GhostStartTrayApp"="c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2003-05-28 94208]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]

"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-28 122368]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-10-17 6238016]

"ACUMon"="c:\program files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" [2003-09-30 217088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2003-7-20 106560]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [10/20/2010 9:39 PM 64288]

R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [5/28/2003 7:01 PM 5632]

R1 SBRE;SBRE;c:\windows\SYSTEM32\DRIVERS\SBREDrv.sys [7/10/2010 11:10 AM 93872]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/23/2010 3:46 AM 1355928]

R3 Ich;Ich;c:\windows\SYSTEM32\DRIVERS\Ich.sys [1/13/2002 4:25 AM 65916]

S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\CHIEN-~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\CHIEN-~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\CHIEN-~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\CHIEN-~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 9:04 PM 135664]

S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\SYSTEM32\DRIVERS\hitmanpro35.sys [10/17/2010 1:42 PM 16968]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [9/23/2010 3:46 AM 15008]

S3 PCX500;Cisco Wireless LAN Adapters Driver;c:\windows\SYSTEM32\DRIVERS\pcx500.sys [1/4/2010 9:10 PM 106496]

S3 PCX500MP;Cisco 350 Series Lower Device Filter;c:\windows\SYSTEM32\DRIVERS\pcx500mp.sys [1/4/2010 9:14 PM 4990]

S3 WrKPoET2000;WrKPoET2000;c:\program files\Verizon Online\WinPoET\WrKPoET2000.sys [8/3/2002 11:02 AM 52354]

S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\SYSTEM32\DRIVERS\WUSB54GCv3.sys [12/22/2009 9:46 PM 627072]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

.

Contents of the 'Scheduled Tasks' folder

2010-11-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 07:46]

2010-10-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 01:03]

2010-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 01:03]

2010-10-29 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-03-01 17:24]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = hxxp://www.sierraimaging.com/general/IE2000/dell/upgrade3-3.html

uCustomizeSearch = nov

IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm

IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {{28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - c:\program files\Verizon Online\ControlPad\Misc\a_menu.exe

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {ADC16E87-FAFB-4A89-95BA-87C51DC42E66} - hxxp://d.sogou.com/tools/DownloadMusic.cab

FF - ProfilePath - c:\documents and settings\Chien-lung Lee\Application Data\Mozilla\Firefox\Profiles\74zjsqai.default\

FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll

FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-01 20:37

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(500)

c:\windows\system32\cswGina.dll

c:\windows\system32\ACrd10SM.dll

c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(3584)

c:\windows\system32\WININET.dll

c:\progra~1\Verizon\SMARTB~1\SBHook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Dell\AccessDirect\DadTray.exe

c:\program files\Apoint\Apntex.exe

c:\progra~1\Symantec\NORTON~1\GHOSTS~2.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Verizon Online\WinPoET\WrOS.EXE

c:\windows\system32\ZuneBusEnum.exe

c:\windows\System32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-11-01 20:41:48 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-02 00:41

ComboFix2.txt 2010-10-22 02:07

Pre-Run: 50,573,217,792 bytes free

Post-Run: 50,619,146,240 bytes free

- - End Of File - - A63ECA3CECAD57B52DDEE00573130D9C

Still no internet...


You might want to try this:

Let's restore everything and start over.

Navigate to and double click the following file: C:\WINDOWS\ERDNT\subs\erdnt.exe

Restart your computer.

In the event something goes awry with Windows after using CFScript or CF, first try using System Restore. If that is unavailable, use the ERUNT backups created by ComboFix.

There are 2 backups created. Please take note of the difference between the two:

1. Windows\ERDNT\hiv-backup\erdnt.exe - taken after user has agreed to the disclaimer. Good for recovering Hive branches accidentally deleted by helpers.

2. Windows\ERDNT\sUBs\Erdnt.exe - taken just before CF reboots a machine.

Double click on C:\WINDOWS\ERDNT\subs\erdnt.exe

or

Double click on C:\WINDOWS\ERDNT\Hiv-backup\erdnt.exe


I remember typing in ipconfig at the command window and seeing the same error. The computer takes forever to boot up ever since the Antivirus 2010 removal. Any idea why?

I was thinking of wiping out the current image with the older image from Norton Ghost. Would that do the trick? The image is 1 month old.


I remember typing in ipconfig at the command window and seeing the same error. The computer takes forever to boot up ever since the Antivirus 2010 removal. Any idea why?

I was thinking of wiping out the current image with the older image from Norton Ghost. Would that do the trick? The image is 1 month old.

I think that's your best option.

Glad we could help. :lol:

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
