
Infection: w32.delf.scv?



When I started my notebook computer today (Sony Vaio VGN-S380p), running Windows XP Pro, SP 3 (build 2600), I noticed that all of my network connections were gone. In particular my wireless connection was gone, thus starting my panic. I ran the only spyware program that I had on my notebook, Spyware Terminator, and it found the w32.delf.scv virus. I deleted it and then attempted to run a system restore.

When I ran the system restore I got the following message:

System Restore is not able to protect your computer. Please restart computer and then run System Restore again.

(restarting didn't help).

I then checked the Computer Management module under Services/System Restore. It was stopped. When I tried to start the service I got the following error:

Could not start the System Restore Service on Local Computer

Error 1083: The executable program that this service is configured to run in does not implement the service

(the path to the executable was: C:\windows\system32\svchost.exe -k netsvcs).

I ran HijackThis, which led to the following log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:37:01 PM, on 11/24/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\WINDOWS\system32\perfs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\sYSTEM32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\mmc.exe

C:\Program Files\Spyware Terminator\SpywareTerminator.exe

C:\Documents and Settings\tbudd\Application Data\U3\0000188E567162E2\LaunchPad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [VAIO Update 3] "C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe" /Stationary

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-21-1267076549-4102689964-1099705597-1231\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-1267076549-4102689964-1099705597-1231\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')

O4 - Global Startup: AutorunsDisabled

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1211596890703

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = springelfink.com

O17 - HKLM\Software\..\Telephony: DomainName = springelfink.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = springelfink.com

O18 - Protocol: bw+0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw+0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw-0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw-0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw00 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw00s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw10 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw10s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw20 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw20s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw30 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw30s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw40 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw40s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw50 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw50s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw60 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw60s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw70 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw70s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw80 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw80s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw90 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw90s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwa0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwa0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwb0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwb0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwc0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwc0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwd0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwd0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwe0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwe0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwf0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwf0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: bwg0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwg0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwh0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwh0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwi0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwi0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwj0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwj0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwk0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwk0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwl0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwl0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwm0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwm0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwn0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwn0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwo0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwo0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwp0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwp0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwq0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwq0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwr0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwr0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bws0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bws0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwt0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwt0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwu0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwu0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwv0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwv0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bww0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bww0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwx0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwx0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwy0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwy0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwz0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwz0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: offline-8876480 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Network Connections Logs (Netlogs) - Unknown owner - C:\WINDOWS\system32\perfs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe

O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe

O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe

O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe

O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe

O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe

O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

O23 - Service: Windows Storage Service v2.0 - Unknown owner - C:\WINDOWS\system32\drivers\svchost.exe (file missing)

O23 - Service: Ent58ComServer (WindowsEntServer2008) - Unknown owner - C:\WINDOWS\EntSver.exe

--

End of file - 24054 bytes

THEN I ran Malwarebytes and got the following log:

Malwarebytes' Anti-Malware 1.30

Database version: 1306

Windows 5.1.2600 Service Pack 3

11/24/2008 3:15:18 PM

mbam-log-2008-11-24 (15-15-03).txt

Scan type: Quick Scan

Objects scanned: 61213

Time elapsed: 12 minute(s), 55 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 18

Memory Processes Infected:

C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> No action taken.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netlogs (Trojan.Downloader) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\netlogs (Trojan.Downloader) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogs (Trojan.Downloader) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\drmgs.sys (Rootkit.Agent) -> No action taken.

C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\tbudd\Local Settings\Temp\bng1.tmp (Trojan.Agent) -> No action taken.

C:\Documents and Settings\tbudd\Local Settings\Temp\bng2.tmp (Trojan.Agent) -> No action taken.

C:\Documents and Settings\tbudd\Local Settings\Temp\bng3.tmp (Trojan.Agent) -> No action taken.

C:\Documents and Settings\tbudd\Local Settings\Temp\bng4.tmp (Trojan.Agent) -> No action taken.

C:\Documents and Settings\tbudd\Local Settings\Temp\bng5.tmp (Trojan.Agent) -> No action taken.

C:\Documents and Settings\tbudd\Local Settings\Temp\bng6.tmp (Trojan.Agent) -> No action taken.

C:\Documents and Settings\tbudd\Local Settings\Temp\bng7.tmp (Trojan.Agent) -> No action taken.

C:\Documents and Settings\tbudd\Local Settings\Temp\bng8.tmp (Trojan.Agent) -> No action taken.

C:\Documents and Settings\tbudd\Local Settings\Temp\bng9.tmp (Trojan.Agent) -> No action taken.

C:\Documents and Settings\tbudd\Local Settings\Temp\bngA.tmp (Trojan.Agent) -> No action taken.

C:\Documents and Settings\tbudd\Local Settings\Temp\bngB.tmp (Trojan.Agent) -> No action taken.

C:\Documents and Settings\tbudd\Local Settings\Temp\bngC.tmp (Trojan.Agent) -> No action taken.

C:\Documents and Settings\tbudd\Local Settings\Temp\bngD.tmp (Trojan.Agent) -> No action taken.

C:\Documents and Settings\tbudd\Local Settings\Temp\bngE.tmp (Trojan.Agent) -> No action taken.

C:\Documents and Settings\tbudd\Local Settings\Temp\bngF.tmp (Trojan.Agent) -> No action taken.

Before I delete anything, I wanted to make sure I did it correctly.

Can anyone walk me through this? How can I restore the processes that were interrupted/deleted?

Thanks

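A defender's first triage pass over the O23 (service) lines of a HijackThis log, as an added example that is not part of the thread and not code from HijackThis or Malwarebytes. The sample lines are copied from the log above, and the heuristics (a binary that no longer exists, svchost.exe outside System32, an unknown publisher for a binary in the Windows directory, the $sys$ name prefix) are this example's own rules for what to look at first, not anything the forum helper stated.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Format of a HijackThis O23 line, as seen in the log above:
#   O23 - Service: <display name> [(<service name>)] - <owner> - <image path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?\s*$"
)
# The short service name, when HijackThis appends it in parentheses.
SVCNAME_RE = re.compile(r"\((?P<name>[^()]+)\)\s*$")

WINDIR = r"c:\windows"          # assumed default XP install location
SYSTEM32 = WINDIR + r"\system32"


class ServiceEntry(NamedTuple):
    display: str
    name: Optional[str]
    owner: str
    path: str
    missing: bool


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one O23 line; return None for any other kind of HijackThis line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = m.group("display")
    n = SVCNAME_RE.search(display)
    return ServiceEntry(
        display=display,
        name=n.group("name") if n else None,
        owner=m.group("owner"),
        path=m.group("path"),
        missing=m.group("missing") is not None,
    )


def triage(entry: ServiceEntry) -> List[str]:
    """Return the reasons an entry deserves a second look (empty list = nothing odd)."""
    reasons: List[str] = []
    p = entry.path.lower()
    directory, _, exe = p.rpartition("\\")

    if entry.missing:
        reasons.append("service points at a binary that no longer exists")
    if exe == "svchost.exe" and directory != SYSTEM32:
        reasons.append("svchost.exe outside System32 (the real one lives only there)")
    if entry.owner.lower() == "unknown owner" and directory.startswith(WINDIR):
        reasons.append("no publisher in version info for a binary inside the Windows directory")
    if "$sys$" in p or "$sys$" in entry.display.lower():
        reasons.append("$sys$ prefix: the name pattern the First 4 Internet XCP DRM rootkit cloaked")
    return reasons


def triage_log(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged O23 display name to the list of reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged[entry.display] = reasons
    return flagged


# Sample lines copied from the log in the post above; the NVIDIA, Symantec and
# Adobe entries are included as controls that should not be flagged.
SAMPLE_LOG = r"""
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Network Connections Logs (Netlogs) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Storage Service v2.0 - Unknown owner - C:\WINDOWS\system32\drivers\svchost.exe (file missing)
O23 - Service: Ent58ComServer (WindowsEntServer2008) - Unknown owner - C:\WINDOWS\EntSver.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
""".strip().splitlines()


if __name__ == "__main__":
    for display, reasons in triage_log(SAMPLE_LOG).items():
        print(display)
        for reason in reasons:
            print("   -", reason)
```

The heuristics only rank what to check first; an entry with an "Unknown owner" under Program Files (the Adobe line) is deliberately left alone, since version-info gaps are common in legitimate vendor software.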

First, let's have you do an update on MBAM and scan your computer again. Next, please post fresh HijackThis logs after updating MBAM and scanning. Go ahead and let it remove anything it finds, and reboot if asked to do so.


I can't connect to the internet on the notebook as it deleted all of my network settings (and I can't figure out how to do an end-around to connect). Can I update through a file I can download to a thumb drive and then transfer?


OK, I figured it out and updated MBAM, ran another scan, deleted all of the malware, and ran the scan again to ensure that it was clean. Next, I ran a HijackThis scan to get the following log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:15:34 AM, on 11/25/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\sYSTEM32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [VAIO Update 3] "C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe" /Stationary

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-21-1267076549-4102689964-1099705597-1231\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-1267076549-4102689964-1099705597-1231\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')

O4 - Global Startup: AutorunsDisabled

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1211596890703

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = springelfink.com

O17 - HKLM\Software\..\Telephony: DomainName = springelfink.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = springelfink.com

O18 - Protocol: bw+0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw+0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw-0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw-0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw00 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw00s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw10 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw10s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw20 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw20s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw30 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw30s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw40 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw40s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw50 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw50s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw60 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw60s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw70 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw70s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw80 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw80s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw90 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw90s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwa0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwa0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwb0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwb0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwc0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwc0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwd0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwd0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwe0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwe0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwf0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwf0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: bwg0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwg0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwh0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwh0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwi0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwi0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwj0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwj0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwk0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwk0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwl0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwl0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwm0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwm0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwn0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwn0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwo0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwo0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwp0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwp0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwq0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwq0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwr0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwr0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bws0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bws0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwt0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwt0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwu0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwu0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwv0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwv0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bww0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bww0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwx0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwx0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwy0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwy0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwz0 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwz0s - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: offline-8876480 - {1CCC79E8-2A1D-44D3-8662-B010BFFD210D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe

O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe

O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe

O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe

O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe

O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe

O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

O23 - Service: Windows Storage Service v2.0 - Unknown owner - C:\WINDOWS\system32\drivers\svchost.exe (file missing)

O23 - Service: Ent58ComServer (WindowsEntServer2008) - Unknown owner - C:\WINDOWS\EntSver.exe

--

End of file - 23693 bytes

I still cannot do a system restore (still get the 1083 error if I try to start the service), I still have no network connections and I noticed last night that I can't control the volume on the notebook, it says there is "no audio device" in any sound and audio device properties.

(in the path to executable for the NLA properties it leads to windows/system32/svchost.exe -k netsvcs, same with system restore)

I can't connect to the internet on the notebook as it deleted all of my network settings (and I can't figure out how to do an end around to connect). Can I update through a file I can download to a thumb drive and then transfer?


Okay, we have one file I'm not familiar with still lingering...

Unknown owner - C:\WINDOWS\EntSver.exe

Can you submit this file here please? uploads.malwarebytes.org


Okay. Under Device Manager, is your soundcard disabled? When you say you don't have network connections, none of them show in the Network Connections window?


Whoops. I already deleted the entsver.exe. I read in another thread that it was bad.

Under my device manager, the soundcard is "working properly".

I have nothing listed under Network Connections even though I had a LAN and a wireless connection earlier. It is like the entire menu was erased.

When trying to start any service (System Restore, Help and Support, etc.) I get an error code. For example, I tried to troubleshoot the soundcard and I got the following error: "Windows cannot open Help and Support because a system service is not running. To fix this problem, start the service named 'Help and Support'." When I try to start Help and Support from the Computer Management module, I get the following error:

"Could not start the Help and Support service on Local Computer. Error 1083: The executable program that this service is configured to run in does not implement the service."

(again the path to executable is Windows\system32\svchost.exe -k netsvcs)

It seems that many of the services are stopped and can't be started: system restore, help and support, network connections service, task scheduler, windows audio properties, etc. It appears to be most services that run through svchost.


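Error 1083 is ERROR_SERVICE_NOT_IN_EXE: the Service Control Manager returns it when a service is configured to run inside "svchost.exe -k <group>" but svchost, after reading that group's REG_MULTI_SZ under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, finds no entry for the service and so never registers it. Several netsvcs services (Network Connections, System Restore, Help and Support, Task Scheduler, Windows Audio) failing with 1083 at once is the usual sign that this group value has been emptied or altered. The PowerShell below is an added diagnostic, not part of the thread and not from any tool mentioned in it; it assumes PowerShell 2.0 or later run elevated on the affected machine, lists every svchost-hosted service that its group no longer names, and also flags any svchost.exe image outside System32, such as the "(file missing)" O23 entry in the HijackThis log above.

```powershell
# Added diagnostic (not from the thread): audit services hosted by svchost.exe.
# Assumes PowerShell 2.0+ on the affected machine and read access to HKLM.
#
# Reported findings:
#  1. ImagePath is "svchost.exe -k <group>" but the service name is absent
#     from that group's REG_MULTI_SZ under the Svchost key. svchost then
#     never registers the service, and the SCM fails the start with
#     error 1083 (ERROR_SERVICE_NOT_IN_EXE), the message quoted above.
#  2. An svchost.exe image outside %SystemRoot%\System32, like the
#     "(file missing)" O23 entry in the HijackThis log above.

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32    = Join-Path $env:SystemRoot 'System32'

# Each property of this object is a group name -> array of member services.
$groups = Get-ItemProperty -Path $svchostKey

$findings = @()
foreach ($key in (Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue)) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not $props.ImagePath) { continue }
    $image = [string]$props.ImagePath

    # Capture the executable and, when present, the "-k <group>" argument.
    if ($image -notmatch '(?i)^\s*"?(?<exe>[^"]*?svchost\.exe)"?(?:\s+-k\s+(?<group>\S+))?') { continue }
    $name  = $key.PSChildName
    $exe   = [Environment]::ExpandEnvironmentVariables($Matches['exe'])
    $group = $Matches['group']

    # Finding 1: hosted service that its group no longer lists.
    if ($group) {
        $members = @($groups.$group)
        if (-not ($members -contains $name)) {
            $findings += New-Object PSObject -Property @{
                Service = $name; Group = $group
                Issue   = "not listed in Svchost\$group (start fails with error 1083)"
            }
        }
    }

    # Finding 2: svchost.exe loaded from somewhere other than System32.
    $dir = Split-Path -Parent $exe
    if ($dir -and ($dir -ne $system32)) {
        $missing = if (Test-Path $exe) { '' } else { ' (file missing)' }
        $findings += New-Object PSObject -Property @{
            Service = $name; Group = $group
            Issue   = "svchost image outside System32: $exe$missing"
        }
    }
}

if ($findings.Count -eq 0) {
    'No svchost-hosted service problems found.'
} else {
    $findings | Sort-Object Service | Format-Table Service, Group, Issue -AutoSize
}
```

The group membership it reports against can be compared with an export of the same Svchost key from a clean machine of the same Windows build, which is the reference for deciding what the netsvcs list should contain.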


Okay... I would like for you to download Dial-a-fix: http://wiki.lunarsoft.net/wiki/Dial-a-fix. First, do a policy scan. Next, hit the green checkmark, and then hit Go. Wait for it to finish. Either set the time on the clock or hit cancel if it's okay, and don't open any other applications while it's working. When it finishes, restart your machine and post back your results.


Ok, I just ran Dial-a-fix. I got the following error:

"Error -2147221165 was encountered trying to unregister C:\Windows\system32\wups.dll. The error text is: Invalid value for registry. Dial-a-fix has no suggestions for this error code. Please email . . ."

I get the same error code with wups2.dll

I rebooted and ran it again and didn't get those error codes, but got a different one: "An error occurred during registration of the file C:\windows\system32\shsvcs.dll (version 6.00.2900.5512)."

"Error 1878588368 was encountered when trying to register c:\windows\system32\shsvcs.dll. The error text is (this appears garbled; there is an "a" with an accent above it and a misshapen 0). Dial-a-fix currently has no suggestions..."

I am still having the same problems and all of the services associated with svchost.exe are stopped and cannot be started.

Another thing I have noticed since this whole thing started is that I get a "Press Any Key to Boot..." prompt when starting up the computer.


I just ran SDFix and it gave me the following log:

SDFix: Version 1.240

Run by admin on Wed 11/26/2008 at 11:31 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-26 12:05:25

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\00014a138967]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\00014a2948a0]

"0007e082b55e"=hex:48,9b,0a,c6,47,85,4c,4f,a0,b4,68,06,b3,26,9a,7a

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00014a138967]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00014a2948a0]

"0007e082b55e"=hex:48,9b,0a,c6,47,85,4c,4f,a0,b4,68,06,b3,26,9a,7a

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00014a138967]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00014a2948a0]

"0007e082b55e"=hex:48,9b,0a,c6,47,85,4c,4f,a0,b4,68,06,b3,26,9a,7a

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Swarmcast\\swarmcast-MLB-TV-Mosaic.exe"="C:\\Program Files\\Swarmcast\\swarmcast-MLB-TV-Mosaic.exe:*:Enabled:swarmcast-MLB-TV-Mosaic"

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

"C:\\Program Files\\MLB TV Mosaic\\Swarmcast\\swarmcast-MLB-TV-Mosaic.exe"="C:\\Program Files\\MLB TV Mosaic\\Swarmcast\\swarmcast-MLB-TV-Mosaic.exe:*:Enabled:swarmcast-MLB-TV-Mosaic"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"

"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"

"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Swarmcast\\swarmcast-MLB-TV-Mosaic.exe"="C:\\Program Files\\Swarmcast\\swarmcast-MLB-TV-Mosaic.exe:*:Enabled:swarmcast-MLB-TV-Mosaic"

Remaining Files :

Files with Hidden Attributes :

Sat 22 Nov 2008 114,688 ..SH. --- "C:\Program Files\Symantec AntiVirus\ttt.dll"

Sat 28 Apr 2007 0 A.SH. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc129.tmp"

Fri 11 Nov 2005 36,864 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc14.tmp"

Tue 29 Nov 2005 46,592 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc15.tmp"

Mon 14 May 2007 114,176 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc709.tmp"

Tue 25 Jul 2006 58,880 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc710.tmp"

Tue 25 Jul 2006 52,736 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc711.tmp"

Wed 14 Dec 2005 43,008 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc765.tmp"

Mon 10 Apr 2006 59,392 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc768.tmp"

Thu 13 Apr 2006 71,680 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc769.tmp"

Mon 27 Feb 2006 49,664 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc775.tmp"

Tue 14 Feb 2006 68,608 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc776.tmp"

Fri 3 Feb 2006 38,912 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc777.tmp"

Thu 2 Feb 2006 49,152 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc778.tmp"

Thu 2 Feb 2006 40,448 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc779.tmp"

Mon 27 Feb 2006 49,664 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc780.tmp"

Tue 14 Feb 2006 67,072 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc781.tmp"

Mon 27 Feb 2006 51,200 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc782.tmp"

Mon 6 Feb 2006 36,352 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc783.tmp"

Fri 31 Mar 2006 73,216 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc790.tmp"

Fri 31 Mar 2006 52,736 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc791.tmp"

Tue 21 Mar 2006 66,048 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc792.tmp"

Tue 14 Mar 2006 47,104 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc793.tmp"

Mon 22 Jan 2007 27,648 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc817.tmp"

Tue 7 Mar 2006 23,040 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc818.tmp"

Fri 2 Dec 2005 70,144 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc819.tmp"

Tue 25 Jul 2006 58,880 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc820.tmp"

Tue 7 Mar 2006 24,064 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc821.tmp"

Tue 8 Nov 2005 48,640 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc822.tmp"

Mon 13 Feb 2006 85,504 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc823.tmp"

Tue 6 Feb 2007 123,904 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc824.tmp"

Sun 5 Mar 2006 38,912 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc825.tmp"

Sat 26 May 2007 0 A..H. --- "C:\RECYCLER\S-1-5-21-1267076549-4102689964-1099705597-1231\Dc836.tmp"

Sat 22 Nov 2008 112,640 ..SH. --- "C:\WINDOWS\system32\bost.dll"

Sat 22 Nov 2008 114,688 ..SH. --- "C:\WINDOWS\system32\WinErp.dll"

Sat 3 Dec 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Thu 14 Jun 2007 95,744 ...H. --- "C:\Documents and Settings\tbudd\My Documents\~WRL2283.tmp"

Tue 17 Oct 2006 304,736 A..H. --- "C:\Program Files\Canon\MP Navigator 3.0\Maint.exe"

Tue 17 Oct 2006 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 3.0\uinstrsc.dll"

Mon 13 Oct 2008 181,760 ...H. --- "C:\Documents and Settings\tbudd\My Documents\Trust Documents\~WRL0723.tmp"

Sun 15 Jun 2008 62,464 ...H. --- "C:\Documents and Settings\tbudd\My Documents\work\~WRL1321.tmp"

Thu 20 Jul 2006 89,600 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Templates\~WRL1081.tmp"

Thu 12 Jan 2006 51,200 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Templates\~WRL2387.tmp"

Thu 20 Oct 2005 32,256 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Templates\~WRL3936.tmp"

Wed 1 Feb 2006 54,272 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Word\~WRL0002.tmp"

Mon 21 Nov 2005 34,304 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Word\~WRL0003.tmp"

Fri 3 Feb 2006 55,296 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Word\~WRL0004.tmp"

Mon 30 Jan 2006 56,320 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Word\~WRL0405.tmp"

Thu 6 Apr 2006 115,712 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Word\~WRL1304.tmp"

Tue 31 Jan 2006 54,272 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Word\~WRL1311.tmp"

Tue 16 Sep 2008 238,592 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Word\~WRL1322.tmp"

Thu 6 Nov 2008 239,616 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Word\~WRL1737.tmp"

Tue 7 Mar 2006 64,000 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Word\~WRL2011.tmp"

Wed 1 Feb 2006 54,272 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Word\~WRL2069.tmp"

Mon 2 Apr 2007 133,120 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Word\~WRL3098.tmp"

Mon 22 Jan 2007 115,200 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Word\~WRL3125.tmp"

Thu 9 Nov 2006 102,400 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Word\~WRL3147.tmp"

Tue 4 Nov 2008 238,592 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Word\~WRL3817.tmp"

Thu 2 Feb 2006 55,296 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Word\~WRL3938.tmp"

Fri 27 Jun 2008 228,864 ...H. --- "C:\Documents and Settings\tbudd\Application Data\Microsoft\Word\~WRL4011.tmp"

Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\tbudd\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

I am a little worried about the files in bold. This was when I started experiencing the problems.....

Ok, I just ran Dial-a-fix. I got the following error:

"Error -2147221165 was encountered trying to unregister C:\Windows\system32\wups.dll. The error text is: Invalid value for registry. Dial-a-fix has no suggestions for this error code. Please email. . ."

I get the same error code with wups2.dll.

I rebooted and ran it again, and didn't get those error codes... but got a different error code: "An error occurred during registration of the file C:\windows\system32\shsvcs.dll (version 6.00.2900.5512).

Error 1878588368 was encountered when trying to register c:\windows\system32\shsvcs.dll. The error text is" (this appears garbled; there is an "a" with an accent above it and a misshapen 0). Dial-a-fix currently has no suggestions...

I am still having the same problems, and all of the services associated with svchost.exe are stopped and cannot be started.

Another thing I have noticed since this whole thing started is that I get a "Press Any Key to Boot..." prompt when starting up the computer.


Hmm. Do you have your Windows CD handy? The next step will require it.

Click on START - RUN, type in SIGVERIF and click OK.
This is a Microsoft File Signature Verification program that will check some file status for us.
  • Click on the START button and let it run.
  • It will pop up a box when it's done to show the status; you can close that box.
  • Close the File Signature Verification application.
  • Find and attach the file C:\WINDOWS\SIGVERIF.TXT to your reply.
  • DO NOT post the log directly into your reply; attach the file please.


Yeah, that is the problem. I can't find the windows cd. It has been a while (and a number of moves).



I see. Alright, which version of Windows are you running?

In the meantime, I'd like for you to do this:

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer, so be patient and don't use it while it's scanning.

  • Trend Micro Damage Cleanup Engine

Make sure you read this document to understand how to use the program.

Basically there are 3 parts that need to be downloaded from these links:

  • As an example, on 2008-10-17 the files to download are: sysclean.com | lpt605.zip | ssapiptn697.zip
  • NOTE! These file names are examples and you must visit Trend Micro for the very latest files, which may have different names.
  • Create a brand new folder to copy these files to. As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

  • This self-extracting archive is a stand-alone fix package that incorporates the Trend Micro VSAPI Malware and Spyware scanning engines as well as the Trend Micro Damage Cleanup Engine and Template.

    This tool supports the following features:

    o Terminate all detected malware/spyware instances in memory
    o Remove malware/spyware registry entries
    o Remove malware/spyware entries from system files
    o Scan for and delete all detected malware/spyware copies in all local drives

http://windowshelp.microsoft.com/windows/en-us/help/7050d809-c761-43d4-aae7-587550cd341a1033.mspx

Don't forget to let me know which version of Windows it is you're using, and whether it's OEM or retail. If you don't actually know that aspect, it's okay. Did it ship with the computer? If so, what brand computer?


It's Windows XP Professional (SP3, build 2600). It may or may not be OEM, as it was a company computer that I was given when I left the firm. It is a Sony Vaio VGN-S380P (R4905126).


Alright. In this case, I need for you to see my PM and let me know via PM what the answers are.


Ok, just ran the sigverif. Attached is the log.


SIGVERIF.TXT


Same problems with starting services that run through svchost.exe -k netsvcs. I can't start Help, System Restore, Audio, Wireless Zero Performance, etc. I just fiddled around with some of the services and I was able to start Wired AutoConfig, which has a path to executable of "windows\system32\svchost.exe -k dot3svc". So does this help narrow in on the problem as something involving the "netsvcs"? Attached are the mbam and HijackThis logs.

How is your computer doing now? Let's see a fresh mbam and HijackThis log please.

hijackthis.txt

mbam_log_2008_11_28__16_43_48_.txt


Sadly, the logs aren't showing me anything helpful at this point. Your issue isn't likely malware related... It could, however, be a borked system policy setting someplace causing this. So let's try the following:

Please run these routines and utility, and we'll see if we can find something obvious or not.

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.
  • Reboot your computer after it runs.

Try that, and let me know your results. If this does not work, my next recommendation at this point would most likely be a repair install of Windows.


That didn't work. Could the original malware have turned something on/off with respect to the netsvcs to cause all of the services to stop and not be able to start?



When looking at the netsvcs in the registry editor, I get the following:

FastUserSwitchingCompatibility
Themes
WMIS
WinErp
WinErp
WinErp
WinErp
WinErp
WinErp
WinErp
WinErp
WinErp
WinErp
WinErp
BITS
ShellHWDetection
E
E
wuauserv

I can't seem to find any reference to winerp? Did the malware do this?

I checked this registry entry on my home desktop computer and it is very different from the above.

Does this help?


Well, I cut and pasted my netsvcs entries on my desktop to my laptop. This worked! It looks like the malware changed the values in my netsvcs.

Here is the big question, should I now do a system restore to an earlier date to make sure things are rolled back? Or should I just leave it as is?

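Added here as a worked example (PowerShell, not from the thread or any of its participants): a check that automates what the last two posts did by hand, comparing the netsvcs list against the services that claim to run in that group and inspecting each member's ServiceDll for hidden or unsigned files. It assumes PowerShell 3.0 or later run as Administrator; service and DLL names are read from the registry of the machine it runs on.

```powershell
# Added example (not from the thread): audit the svchost "netsvcs" group. Services started
# with "svchost.exe -k netsvcs" fail with Error 1083 when their name is missing from the
# group's REG_MULTI_SZ list, and a foreign name in that list (like the repeated "WinErp"
# above) points at a DLL that was never part of Windows. Assumes PowerShell 3.0+ as Admin.

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$group       = 'netsvcs'

# The group value is a REG_MULTI_SZ: one service name per entry.
$groupMembers = @((Get-ItemProperty -Path $svchostKey).$group)

# Services whose ImagePath says they are hosted by this group.
$hosted = @(Get-ChildItem -Path $servicesKey | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    if ($props.ImagePath -match "svchost\.exe\s+-k\s+$group\b") { $_.PSChildName }
})

# 1. Hosted services absent from the group list: these are the ones that throw Error 1083.
$missing = @($hosted | Where-Object { $groupMembers -notcontains $_ })

# 2. Group entries that no service key defines, and entries that repeat.
$unknown = @($groupMembers | Where-Object { -not (Test-Path -Path "$servicesKey\$_") })
$dupes   = @($groupMembers | Group-Object | Where-Object { $_.Count -gt 1 } |
             Select-Object -ExpandProperty Name)

# 3. For each defined member, resolve its ServiceDll and flag hidden, unsigned or missing files.
#    Older PowerShell does not check catalog signatures, so genuine XP system DLLs can
#    report NotSigned there; SIGVERIF (used earlier in the thread) is authoritative on XP.
$suspect = foreach ($name in ($groupMembers | Sort-Object -Unique)) {
    $paramsKey = "$servicesKey\$name\Parameters"
    if (-not (Test-Path -Path $paramsKey)) { continue }
    $dll = (Get-ItemProperty -Path $paramsKey).ServiceDll
    if (-not $dll) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not (Test-Path -Path $dll)) {
        [pscustomobject]@{ Service = $name; Dll = $dll; Attributes = 'n/a'; Signature = 'file missing' }
        continue
    }
    $attrs = (Get-Item -Path $dll -Force).Attributes
    $sig   = Get-AuthenticodeSignature -FilePath $dll
    if ((($attrs -band [IO.FileAttributes]::Hidden) -ne 0) -or ($sig.Status -ne 'Valid')) {
        [pscustomobject]@{ Service = $name; Dll = $dll; Attributes = $attrs; Signature = $sig.Status }
    }
}

"Group '$group' lists $($groupMembers.Count) entries; $($hosted.Count) services reference it."
if ($missing) { "`nHosted but NOT in the group (fail with Error 1083):"; $missing }
if ($unknown) { "`nIn the group but no such service exists:"; $unknown }
if ($dupes)   { "`nDuplicate group entries:"; $dupes }
if ($suspect) { "`nMember ServiceDlls that are hidden, unsigned or missing:"; $suspect | Format-Table -AutoSize }
```

On the machine described above, the first list would name every netsvcs service that refused to start, and the second and fourth would surface the WinErp entries and the hidden WinErp.dll from the file listing.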

