Please help...All programs are missing (emptied) after Window Xp Restore virus.


There are no pop-up messages. For example, when I go to amazon.com (or any website) and try to print something, the screen goes blank with this message:

We were unable to return you to amazon.com.

Internet Explorer has stopped trying to restore this website. It appears that the website continues to have a problem.

What you can do:

Go to your home page

Try to return to amazon.com

More information

When a website causes a failure or crash, Internet Explorer attempts to restore the site. It stops after two tries to avoid an endless loop.


Let's try this:

Download the latest version of Kaspersky Virus Removal Tool

  • Close all other applications, then double-click the installer to run it.
  • When the Kaspersky Virus Removal Tool starts, to the right of Security Level click Recommended, and select Settings.
  • In the window that opens (Autoscan), in the Scope tab place a checkmark to the left of Parse email formats.
  • Click the Additional tab and click to place a checkmark to the left of Deep scan, and click OK.
  • Select all the scannable items except for CD-ROM drives and click the Start scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply.


Autoscan: completed 7 minutes ago (events: 18, objects: 314907, time: 03:00:21)

7/6/2011 4:37:31 PM Task completed

7/6/2011 4:35:37 PM Detected: http://www.viruslist.com/en/advisories/44964 C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

7/6/2011 4:03:28 PM Detected: http://www.viruslist.com/en/advisories/38917 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe.bak

7/6/2011 4:02:13 PM Detected: http://www.viruslist.com/en/advisories/40937 C:\Program Files\Microsoft Office\Office12\WINWORD.EXE

7/6/2011 4:02:11 PM Detected: http://www.viruslist.com/en/advisories/31744 C:\Program Files\Microsoft Office\Office12\INFOPATH.EXE

7/6/2011 3:38:54 PM Detected: http://www.viruslist.com/en/advisories/31744 C:\program files\microsoft office\Office12\INFOPATH.EXE

7/6/2011 3:38:39 PM Detected: http://www.viruslist.com/en/advisories/40937 C:\program files\microsoft office\Office12\WINWORD.EXE

7/6/2011 3:31:04 PM Detected: http://www.viruslist.com/en/advisories/40937 C:\Program Files\Microsoft Office\Office12\WINWORD.EXE

7/6/2011 3:30:59 PM Detected: http://www.viruslist.com/en/advisories/31744 C:\Program Files\Microsoft Office\Office12\INFOPATH.EXE

7/6/2011 3:28:08 PM Detected: http://www.viruslist.com/en/advisories/44964 C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

7/6/2011 2:27:46 PM Detected: http://www.viruslist.com/en/advisories/38917 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe.bak

7/6/2011 2:22:16 PM Detected: http://www.viruslist.com/en/advisories/40937 C:\Program Files\Microsoft Office\Office12\WINWORD.EXE

7/6/2011 2:22:03 PM Detected: http://www.viruslist.com/en/advisories/31744 C:\Program Files\Microsoft Office\Office12\INFOPATH.EXE

7/6/2011 2:12:46 PM Detected: http://www.viruslist.com/en/advisories/41340 C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll

7/6/2011 2:12:46 PM Detected: http://www.viruslist.com/en/advisories/41340 C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll

7/6/2011 1:48:40 PM Deleted: Trojan-Downloader.Java.Small.o C:\Documents and Settings\ACP Pharmacy\Application Data\Sun\Java\Deployment\cache\6.0\12\1187ad0c-7117d3f4

7/6/2011 1:41:27 PM Detected: Trojan-Downloader.Java.Small.o C:\Documents and Settings\ACP Pharmacy\Application Data\Sun\Java\Deployment\cache\6.0\12\1187ad0c-7117d3f4

7/6/2011 1:37:10 PM Task started

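A note on reading that report, with an added example that is not part of the thread: in a Kaspersky Virus Removal Tool log, a "Detected:" entry whose object is a viruslist.com/en/advisories URL is a vulnerable-software notice (the Flash plugin, Office 2007 binaries, Adobe Reader plugin and the SUPERAntiSpyware backup above each matched a published advisory), not a malware hit. The only malware in the report is Trojan-Downloader.Java.Small.o in the Java deployment cache, and it appears as Detected and then Deleted. The Python below separates the two kinds, collapses the duplicate WINWORD.EXE paths that differ only in case, and lists any malware object that was detected but never removed. The embedded report is a constructed subset of the posted log; the action names other than Detected and Deleted are assumptions about KVRT's other outcomes.

```python
import re
from collections import defaultdict

# Constructed subset of the KVRT report posted above. Two WINWORD.EXE entries
# differ only in path case, which the scanner logged as separate hits.
SAMPLE_REPORT = r"""
7/6/2011 4:35:37 PM Detected: http://www.viruslist.com/en/advisories/44964 C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
7/6/2011 4:03:28 PM Detected: http://www.viruslist.com/en/advisories/38917 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe.bak
7/6/2011 4:02:13 PM Detected: http://www.viruslist.com/en/advisories/40937 C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
7/6/2011 3:38:39 PM Detected: http://www.viruslist.com/en/advisories/40937 C:\program files\microsoft office\Office12\WINWORD.EXE
7/6/2011 2:12:46 PM Detected: http://www.viruslist.com/en/advisories/41340 C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
7/6/2011 1:48:40 PM Deleted: Trojan-Downloader.Java.Small.o C:\Documents and Settings\ACP Pharmacy\Application Data\Sun\Java\Deployment\cache\6.0\12\1187ad0c-7117d3f4
7/6/2011 1:41:27 PM Detected: Trojan-Downloader.Java.Small.o C:\Documents and Settings\ACP Pharmacy\Application Data\Sun\Java\Deployment\cache\6.0\12\1187ad0c-7117d3f4
7/6/2011 1:37:10 PM Task started
"""

# KVRT reports a vulnerable application as "Detected: <advisory URL> <file>".
ADVISORY_PREFIX = "http://www.viruslist.com/en/advisories/"

# Actions other than Detected/Deleted are assumed names for KVRT's other outcomes.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>Detected|Deleted|Disinfected|Quarantined): (?P<verdict>\S+) (?P<path>.+)$"
)

def parse_line(line):
    """Return a record for one event line, or None for status lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["verdict"].startswith(ADVISORY_PREFIX):
        rec["kind"] = "vulnerable_software"
        rec["verdict"] = "advisory " + rec["verdict"][len(ADVISORY_PREFIX):]
    else:
        rec["kind"] = "malware"
    return rec

def summarize(report_text):
    """Split a KVRT report into unpatched-software findings and malware findings.

    Paths are compared case-insensitively (NTFS is case-insensitive), and a
    malware object that was only ever Detected, never Deleted/Disinfected,
    is listed as unresolved."""
    vulnerable = defaultdict(set)
    malware = defaultdict(lambda: {"verdict": None, "actions": set()})
    for line in report_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = rec["path"].lower()
        if rec["kind"] == "vulnerable_software":
            vulnerable[key].add(rec["verdict"])
        else:
            malware[key]["verdict"] = rec["verdict"]
            malware[key]["actions"].add(rec["action"])
    unresolved = sorted(p for p, info in malware.items() if info["actions"] == {"Detected"})
    return {
        "vulnerable_software": dict(vulnerable),
        "malware": dict(malware),
        "unresolved_malware": unresolved,
    }

if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    print(f"{len(result['vulnerable_software'])} unpatched application(s) to update:")
    for path, advisories in sorted(result["vulnerable_software"].items()):
        print(f"  {path}  ({', '.join(sorted(advisories))})")
    print(f"{len(result['malware'])} malware object(s), {len(result['unresolved_malware'])} unresolved")
```

The practical reading of the output: the advisory entries are a patching to-do list (Flash, Office 2007, Reader 9), not signs of a live infection, and the one real detection was already removed. A malware path that shows up in unresolved_malware is the case that needs follow-up with another tool.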

Now let's try this:

Avira AntiVir Rescue System is a Linux-based application that gives access to computers that can no longer be booted.

  • Download The Avira AntiVir Rescue System from here.
  • Just double-click on the rescue system package to burn it to a CD/DVD.
  • Then please use that CD/DVD with Avira Rescue System to boot your computer.

At the boot menu, press 1 on your keyboard to choose 1 Boot AntiVir Rescue System (default) and press Enter, or just wait.

You will then see the graphical interface of Rescue CD loading modules and mounting devices. The default language is German, but you can change it to English anytime by clicking on the English flag on the lower-left side of the screen.

Under Configuration, please select Scan all files, Try to repair infected files and Rename files if they cannot be removed.

Then please go back to Virus scanner and click Start scanner.

The Avira AntiVir Rescue System will now

  • repair a damaged system,
  • rescue data,
  • scan the system for virus infections.

---------

Let me know if you still get the odd browsing behavior after running Avira.


It works fine for me.

Try again; if it doesn't work, use one of these ;):

These are links to anti-virus vendors that offer free LiveCD or Rescue CD files, which are used to boot from to repair unbootable and damaged systems, rescue data, and scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability.

If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Let me know how it goes.


Try this ;)

Please do the following:

  • Download GMER from here. Save it to your Desktop. Take note of the filename, as it is a randomly named .exe file.
  • Disconnect from the Internet and close all running programs while scan is running.
  • Make sure all antivirus and other real-time security programs are disabled. See here for directions.
  • Double-click on the downloaded file to start the program. (If running Vista or Win 7, right click on it and Run as an Administrator)
  • If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click on NO, then use the following settings for a more complete scan:
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Click the Scan button to begin. (Please be patient: this can take some time.)
  • When the scan is finished, click Save and type in gmer.txt and save to Desktop and copy/paste the contents in your next reply.

Note!: These types of scans can produce false positives. Do not take any action until a trained helper has seen the log.


Hi, Sorry for the delay. Can you let me know if my PC is still infected? Thanks

GMER 1.0.15.15640 - http://www.gmer.net

Rootkit scan 2011-07-13 15:38:09

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e Maxtor_6L080M0 rev.BACE1G10

Running: 5bl12phc.exe; Driver: C:\DOCUME~1\ACPPHA~1\LOCALS~1\Temp\pxtdrpob.sys

---- System - GMER 1.0.15 ----

SSDT 8A1C7C90 ZwAssignProcessToJobObject

SSDT 8A1C8200 ZwDebugActiveProcess

SSDT 8A1C82F0 ZwDuplicateObject

SSDT 8A1C7590 ZwOpenProcess

SSDT 8A1C7800 ZwOpenThread

SSDT 8A1C7FD0 ZwProtectVirtualMemory

SSDT 8A1C80E0 ZwQueueApcThread

SSDT 8A1C7EC0 ZwSetContextThread

SSDT 8A1C7D90 ZwSetInformationThread

SSDT 8A1C4DA0 ZwSetSecurityObject

SSDT 8A1C7B90 ZwSuspendProcess

SSDT 8A1C7A80 ZwSuspendThread

SSDT 8A1C76E0 ZwTerminateProcess

SSDT 8A1C7A50 ZwTerminateThread

SSDT 8A1C86D0 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1064] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

.text C:\Program Files\internet explorer\iexplore.exe[2332] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2332] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2332] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2332] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2332] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2332] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2332] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2332] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2332] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A91 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0CD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3280] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3280] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB60 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3280] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5691 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

Device \FileSystem\Fastfat \Fat A7170D20

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256

Reg HKLM\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories@

---- EOF - GMER 1.0.15 ----


Please do this ;):

Please print out these instructions or copy them to a Notepad file for easier reading, and download MBRCheck by a_d_13 to your Desktop from one of these locations:

http://ad13.geekstogo.com/MBRCheck.exe

http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe

http://www.kernelmode.info/MBRCheck.exe

Close all open programs/windows and double-click on MBRCheck.exe.

It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".

Press the "Enter" key to close the MBRCheck window and post the contents of the log file.

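MBRCheck reads the master boot record of each physical drive and compares it against MBR code it recognises. As an added example (not the tool's own code and not part of the thread), the Python below does the underlying work on a 512-byte sector: it validates the 0x55AA boot signature, decodes the four partition entries, warns about an invalid status byte, overlapping entries or a wrong number of active partitions, and hashes only the 440-byte bootstrap area so that the per-machine disk signature and partition table do not change the value being compared. The sector it runs on is constructed, with a Dell-style utility partition ahead of an NTFS partition starting at LBA 63 + 64197 = 64260 (byte offset 0x01f60800, the C: offset MBRCheck reports in the log that follows); the bootstrap bytes and disk signature are placeholders, and which byte range MBRCheck itself hashes is not stated on the page and is an assumption here.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440           # bytes 0..439 hold the bootstrap code
DISK_SIG_OFFSET = 440         # 4-byte Windows disk signature, then 2 reserved bytes
PTABLE_OFFSET = 446           # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count

def partition_entry(status, ptype, lba_start, sectors):
    """Build one MBR partition entry; CHS fields are zeroed (LBA is what matters)."""
    return struct.pack(ENTRY_FMT, status, b"\0" * 3, ptype, b"\0" * 3, lba_start, sectors)

def build_sample_mbr():
    """Constructed sector for the example: a Dell-style utility partition (type
    0xDE) ahead of the active NTFS partition. The NTFS start LBA 64260 equals the
    byte offset 0x01f60800 MBRCheck reports for C: on this machine; the bootstrap
    bytes are a placeholder (xor ax,ax; mov ss,ax; mov sp,7C00h; then NOPs), not
    real boot code, and the disk signature is made up."""
    code = bytes.fromhex("33c08ed0bc007c").ljust(BOOTSTRAP_LEN, b"\x90")
    sector = (code + struct.pack("<I", 0x1234ABCD) + b"\0\0"
              + partition_entry(0x00, 0xDE, 63, 64197)
              + partition_entry(0x80, 0x07, 64260, 156237228)
              + b"\0" * 32 + BOOT_SIGNATURE)
    assert len(sector) == SECTOR_SIZE
    return sector

def bootstrap_hash(sector):
    """SHA-1 of the bootstrap code only, so the per-machine disk signature and
    partition table do not change the value being compared."""
    return hashlib.sha1(sector[:BOOTSTRAP_LEN]).hexdigest()

def parse_mbr(sector):
    """Decode one 512-byte MBR and collect sanity warnings."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    result = {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "bootstrap_sha1": bootstrap_hash(sector),
        "partitions": [],
        "warnings": [],
    }
    if not result["signature_ok"]:
        result["warnings"].append("missing 0x55AA boot signature")
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, sector, PTABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue                      # empty slot
        if status not in (0x00, 0x80):
            result["warnings"].append(f"entry {i}: invalid status byte 0x{status:02x}")
        result["partitions"].append({"index": i, "active": status == 0x80, "type": ptype,
                                     "lba_start": start, "sectors": count,
                                     "byte_offset": start * SECTOR_SIZE})
    active = sum(p["active"] for p in result["partitions"])
    if active != 1:
        result["warnings"].append(f"{active} active partitions (expected exactly 1)")
    ordered = sorted(result["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            result["warnings"].append(f"entries {a['index']} and {b['index']} overlap")
    return result

def identify_bootstrap(sector, known_good):
    """Label from a {sha1: description} table of trusted bootstrap code, or None."""
    return known_good.get(bootstrap_hash(sector))

def tamper_bootstrap(sector, offset=0):
    """Flip one bootstrap byte: stands in for a bootkit rewriting the boot code."""
    patched = bytearray(sector)
    patched[offset] ^= 0xFF
    return bytes(patched)

if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = {bootstrap_hash(good): "baseline recorded from this machine"}
    for label, sector in (("baseline", good), ("tampered", tamper_bootstrap(good))):
        info = parse_mbr(sector)
        print(label, "->", identify_bootstrap(sector, baseline) or "UNKNOWN bootstrap code",
              "| partitions:", [(p["type"], p["lba_start"]) for p in info["partitions"]],
              "| warnings:", info["warnings"])
```

Reading the live sector on Windows needs administrator rights and the raw device path \\.\PhysicalDrive0; the first 512 bytes go to parse_mbr() in place of the constructed sample. The baseline-then-tamper run at the bottom shows why the bootstrap hash is the useful signal: a single changed byte of boot code is caught, while the partition table still parses identically and raises no warning on its own.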

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000000c

Kernel Drivers (total 133):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806E5000 \WINDOWS\system32\hal.dll

0xBA5A8000 \WINDOWS\system32\KDCOM.DLL

0xBA4B8000 \WINDOWS\system32\BOOTVID.dll

0xB9F79000 ACPI.sys

0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xB9F68000 pci.sys

0xBA0A8000 isapnp.sys

0xBA670000 pciide.sys

0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xBA5AC000 intelide.sys

0xBA0B8000 MountMgr.sys

0xB9F49000 ftdisk.sys

0xBA5AE000 dmload.sys

0xB9F23000 dmio.sys

0xBA330000 PartMgr.sys

0xBA0C8000 VolSnap.sys

0xB9F0B000 atapi.sys

0xBA0D8000 disk.sys

0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xB9EEB000 fltmgr.sys

0xB9ED9000 sr.sys

0xBA338000 PxHelp20.sys

0xB9EC2000 KSecDD.sys

0xB9E35000 Ntfs.sys

0xB9E08000 NDIS.sys

0xBA340000 ppa.sys

0xB9DEE000 Mup.sys

0xBA258000 \SystemRoot\system32\DRIVERS\intelppm.sys

0xB9C94000 \SystemRoot\system32\DRIVERS\ialmnt5.sys

0xB9C80000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xB9C58000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0xBA3D8000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0xB9C34000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xBA3E0000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xBA288000 \SystemRoot\system32\DRIVERS\mf.sys

0xB9A6D000 \SystemRoot\system32\DRIVERS\IntelS51.sys

0xB9A4A000 \SystemRoot\system32\DRIVERS\ks.sys

0xBA3F0000 \SystemRoot\System32\Drivers\Modem.SYS

0xB9A24000 \SystemRoot\system32\DRIVERS\e100b325.sys

0xBA298000 \SystemRoot\system32\DRIVERS\imapi.sys

0xBA2A8000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xBA2B8000 \SystemRoot\system32\DRIVERS\redbook.sys

0xBA2C8000 \SystemRoot\system32\DRIVERS\Epfwndis.sys

0xBA6E7000 \SystemRoot\system32\DRIVERS\audstub.sys

0xBA2D8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xBA584000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xB9A0D000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xBA2E8000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xBA2F8000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xBA3F8000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xB99FC000 \SystemRoot\system32\DRIVERS\psched.sys

0xBA308000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xBA400000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xBA408000 \SystemRoot\system32\DRIVERS\raspti.sys

0xB99CC000 \SystemRoot\system32\DRIVERS\rdpdr.sys

0xBA318000 \SystemRoot\system32\DRIVERS\termdd.sys

0xBA410000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xBA418000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xBA5CE000 \SystemRoot\system32\DRIVERS\swenum.sys

0xB9946000 \SystemRoot\system32\DRIVERS\update.sys

0xBA59C000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xBA108000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xB9D9D000 \SystemRoot\system32\drivers\MODEMCSA.sys

0xA935B000 \SystemRoot\system32\drivers\sthda.sys

0xA9337000 \SystemRoot\system32\drivers\portcls.sys

0xBA128000 \SystemRoot\system32\drivers\drmk.sys

0xA92A7000 \SystemRoot\system32\DRIVERS\parport.sys

0xBA138000 \SystemRoot\system32\DRIVERS\serial.sys

0xB9D95000 \SystemRoot\system32\DRIVERS\serenum.sys

0xBA148000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xBA5D4000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xBA560000 \SystemRoot\System32\Drivers\i2omgmt.SYS

0xBA5D8000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xBA79C000 \SystemRoot\System32\Drivers\Null.SYS

0xBA5DA000 \SystemRoot\System32\Drivers\Beep.SYS

0xA91C2000 \SystemRoot\system32\DRIVERS\ehdrv.sys

0xBA438000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0xBA440000 \SystemRoot\System32\drivers\vga.sys

0xBA5DC000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xBA5DE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xBA448000 \SystemRoot\System32\Drivers\Msfs.SYS

0xBA450000 \SystemRoot\System32\Drivers\Npfs.SYS

0xBA570000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xA918F000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xA9136000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xA9110000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xA90FD000 \SystemRoot\system32\DRIVERS\epfwtdi.sys

0xBA188000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xA90D5000 \SystemRoot\system32\DRIVERS\netbt.sys

0xB99C0000 \SystemRoot\System32\drivers\ws2ifsl.sys

0xA908B000 \SystemRoot\System32\drivers\afd.sys

0xBA198000 \SystemRoot\system32\DRIVERS\netbios.sys

0xA9060000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xA8FF0000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xBA1A8000 \SystemRoot\System32\Drivers\Fips.SYS

0xBA458000 \SystemRoot\system32\DRIVERS\usbprint.sys

0xB99B0000 \SystemRoot\system32\DRIVERS\hidusb.sys

0xBA1B8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0xA82F4000 \SystemRoot\system32\DRIVERS\rt2500usb.sys

0xB99A8000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0xB99A4000 \SystemRoot\system32\DRIVERS\mouhid.sys

0xBA218000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xA82DC000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xBA5E4000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xA9203000 \SystemRoot\System32\drivers\Dxapi.sys

0xBA478000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xBA705000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF020000 \SystemRoot\System32\ialmdnt5.dll

0xBF012000 \SystemRoot\System32\ialmrnt5.dll

0xBF041000 \SystemRoot\System32\ialmdev5.DLL

0xBF075000 \SystemRoot\System32\ialmdd5.DLL

0xBF157000 \SystemRoot\System32\ATMFD.DLL

0xA80D0000 \SystemRoot\system32\DRIVERS\eamon.sys

0xA8085000 \SystemRoot\system32\DRIVERS\epfw.sys

0xBA378000 \SystemRoot\system32\DRIVERS\AegisP.sys

0xA8047000 \SystemRoot\system32\DRIVERS\nwlnkipx.sys

0xA8234000 \SystemRoot\system32\DRIVERS\nwlnknb.sys

0xA80BC000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xA7D8A000 \SystemRoot\system32\drivers\wdmaud.sys

0xA9247000 \SystemRoot\system32\drivers\sysaudio.sys

0xA7B4F000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xBA61A000 \SystemRoot\system32\DRIVERS\dsunidrv.sys

0xA7AE6000 \SystemRoot\System32\Drivers\HTTP.sys

0xA7F6B000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys

0xA7BC4000 \SystemRoot\system32\DRIVERS\nwlnkspx.sys

0xA799E000 \SystemRoot\system32\DRIVERS\srv.sys

0xA718D000 \??\C:\DOCUME~1\ACPPHA~1\LOCALS~1\Temp\pxtdrpob.sys

0xA7169000 \SystemRoot\System32\Drivers\Fastfat.SYS

0xA713E000 \SystemRoot\system32\drivers\kmixer.sys

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 32):

0 System Idle Process

4 System

1236 C:\WINDOWS\system32\smss.exe

1284 csrss.exe

1312 C:\WINDOWS\system32\winlogon.exe

1356 C:\WINDOWS\system32\services.exe

1368 C:\WINDOWS\system32\lsass.exe

1564 C:\WINDOWS\system32\svchost.exe

1612 svchost.exe

2036 C:\WINDOWS\system32\svchost.exe

196 svchost.exe

384 svchost.exe

984 C:\WINDOWS\system32\spoolsv.exe

1596 C:\WINDOWS\explorer.exe

336 C:\Program Files\Common Files\Java\Java Update\jusched.exe

332 C:\WINDOWS\system32\ctfmon.exe

852 svchost.exe

908 C:\WINDOWS\ehome\ehrecvr.exe

1048 C:\WINDOWS\ehome\ehSched.exe

1064 C:\Program Files\ESET\ESET Smart Security\ekrn.exe

1436 C:\Program Files\Java\jre6\bin\jqs.exe

704 svchost.exe

1112 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

1844 C:\WINDOWS\system32\fxssvc.exe

560 mcrdsvc.exe

952 C:\WINDOWS\system32\dllhost.exe

2180 alg.exe

3168 C:\WINDOWS\system32\svchost.exe

3996 C:\tony\stsys.exe

548 C:\WINDOWS\system32\wuauclt.exe

3964 C:\Program Files\ESET\ESET Smart Security\egui.exe

1940 C:\Documents and Settings\ACP Pharmacy\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`01f60800 (NTFS)

PhysicalDrive0 Model Number: Maxtor6L080M0, Rev: BACE1G10

Size Device Name MBR Status

--------------------------------------------

74 GB \\.\PhysicalDrive0 Dell MBR code detected

SHA1: 57BDF501CE769EF2720C705B6C71C893DA31574E

Done!

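The GMER log two posts up lists fifteen SSDT hooks between 0x8A1C4DA0 and 0x8A1C86D0 with no owning module named, user-mode hooks in iexplore.exe that all jump into IEFRAME.dll, and a 4-byte inline patch (C2 04 00 00, which is ret 4) on SetUnhandledExceptionFilter inside ESET's own ekrn.exe; the MBRCheck output above gives the base address of every loaded kernel module. As an added example (not from the thread and not from either tool), the Python below cross-references the two logs: it checks whether each SSDT hook target falls inside any listed driver image, measures how tightly the hooks cluster, groups the user-mode hooks by the module they land in, and lists drivers loaded from a Temp path. Both embedded logs are constructed subsets of the posted output; the 4 MB image-size cap and the System32 allowlist for hook targets are assumptions.

```python
import re
from bisect import bisect_right

# Constructed subsets of the GMER scan and the MBRCheck driver list posted
# above; every address and path is copied from those posts.
GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----
SSDT 8A1C7C90 ZwAssignProcessToJobObject
SSDT 8A1C8200 ZwDebugActiveProcess
SSDT 8A1C7590 ZwOpenProcess
SSDT 8A1C4DA0 ZwSetSecurityObject
SSDT 8A1C76E0 ZwTerminateProcess
SSDT 8A1C86D0 ZwWriteVirtualMemory
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1064] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\internet explorer\iexplore.exe[2332] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3280] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB60 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
"""

MBRCHECK_DRIVERS_SAMPLE = r"""
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xB9F79000 ACPI.sys
0xA91C2000 \SystemRoot\system32\DRIVERS\ehdrv.sys
0xA718D000 \??\C:\DOCUME~1\ACPPHA~1\LOCALS~1\Temp\pxtdrpob.sys
0xBF800000 \SystemRoot\System32\win32k.sys
"""

SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)")
DRIVER_RE = re.compile(r"^0x([0-9A-Fa-f]{8})\s+(\S.*)$")
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[\w.]+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<rest>.*)$"
)
JMP_RE = re.compile(r"^(?:JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})\s+(?P<path>.+?)(?:\s+\((?P<vendor>[^)]*)\))?$")

MAX_IMAGE_SIZE = 0x400000                        # assumption: no XP kernel image exceeds 4 MB
TRUSTED_TARGET_DIR = "c:\\windows\\system32\\"   # assumption: where benign user-mode hook targets live

def parse_driver_bases(text):
    """(base, name) pairs from MBRCheck's 'Kernel Drivers' list, sorted by base."""
    bases = []
    for line in text.strip().splitlines():
        m = DRIVER_RE.match(line.strip())
        if m:
            bases.append((int(m.group(1), 16), m.group(2)))
    return sorted(bases)

def locate(addr, bases):
    """Name of the image that plausibly contains addr, or None.

    MBRCheck gives only base addresses, so an image is assumed to end at the
    next listed base or MAX_IMAGE_SIZE past its own base, whichever is lower."""
    i = bisect_right([b for b, _ in bases], addr) - 1
    if i < 0:
        return None
    base, name = bases[i]
    end = base + MAX_IMAGE_SIZE
    if i + 1 < len(bases):
        end = min(end, bases[i + 1][0])
    return name if addr < end else None

def triage_ssdt(gmer_text, bases):
    """Where do the SSDT hook targets live, and do they look like one component?"""
    hooks = []
    for line in gmer_text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append((int(m.group(1), 16), m.group(2)))
    if not hooks:
        return {"count": 0}
    addrs = [a for a, _ in hooks]
    span = max(addrs) - min(addrs)
    return {
        "count": len(hooks),
        "span_bytes": span,
        "single_owner_likely": span < 0x10000,     # all targets within 64 KB of each other
        "outside_any_image": [(f"{a:08X}", f) for a, f in hooks if locate(a, bases) is None],
    }

def triage_usermode(gmer_text):
    """Group JMP hooks by the module they land in; keep inline byte patches apart."""
    targets, inline = {}, []
    for line in gmer_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        j = JMP_RE.match(m["rest"])
        if j:
            targets.setdefault(j["path"], set()).add(f"{m['module']}!{m['func']}")
        else:
            inline.append((m["image"], f"{m['module']}!{m['func']}", m["rest"]))
    outside = sorted(p for p in targets if not p.lower().startswith(TRUSTED_TARGET_DIR))
    return {"jmp_targets": targets, "inline_patches": inline, "targets_outside_system32": outside}

def temp_drivers(bases):
    """Kernel drivers loaded from a Temp directory: each one needs an explanation."""
    return sorted(name for _, name in bases if "\\temp\\" in name.lower())

if __name__ == "__main__":
    bases = parse_driver_bases(MBRCHECK_DRIVERS_SAMPLE)
    print("SSDT:", triage_ssdt(GMER_SAMPLE, bases))
    print("user mode:", triage_usermode(GMER_SAMPLE))
    print("drivers from Temp:", temp_drivers(bases))
```

On this log the SSDT hooks all land in one 14 KB window that lies inside no driver image, which is how a HIPS driver that allocates its trampolines from pool looks, and equally how a kernel rootkit looks; the log alone cannot separate the two, so the next question is which driver owns that memory (ESET's ehdrv.sys, present in the driver list, is the obvious candidate to check on this machine, but that is an inference, not something the logs prove). The user-mode hooks all resolve to IEFRAME.dll under System32 with a Microsoft description, and the ekrn.exe patch is a product neutering SetUnhandledExceptionFilter in its own process. The one Temp-path driver, pxtdrpob.sys, is GMER's own randomly named driver: the "Running:" line of the GMER header names the same file.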

Looking good ;)

Before we do anything else, let's run some online scans to see if there's anything else that needs taking care of :):

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

----------

Please use Internet Explorer and run a BitDefender Online scan from here

  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an Active X install for the scan to run.
  • Leave the scanning options at default and click Start Scan

Please post the results in your next reply.


ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=f9a85aacd823bf4a938fa06da25a6e3d

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-07-14 01:12:49

# local_time=2011-07-13 06:12:49 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=8201 39157157 100 100 2341254 57002391 0 0

# scanned=85536

# found=0

# cleaned=0

# scan_time=3353

# nod_component=V3 Build:0x30000000


QuickScan Beta 32-bit v0.9.9.96

-------------------------------

Scan date: Thu Jul 14 11:19:32 2011

Machine ID: 9440FE1F

No infection found.

-------------------

Processes

---------

(verified) ESET Smart Security 1208 C:\Program Files\ESET\ESET Smart Security\ekrn.exe

(verified) Java Platform SE 6 U26 1592 C:\Program Files\Java\jre6\bin\jqs.exe

(verified) Java Platform SE Auto Updater 2 0 580 C:\Program Files\Common Files\Java\Java Update\jusched.exe

(verified) Microsoft® Windows® Operating System 1188 C:\WINDOWS\ehome\ehrecvr.exe

(verified) Microsoft® Windows® Operating System 1204 C:\WINDOWS\ehome\ehSched.exe

(verified) Microsoft® Windows® Operating System 120 C:\WINDOWS\ehome\mcrdsvc.exe

(verified) Microsoft® Windows® Operating System 1768 C:\WINDOWS\explorer.exe

(verified) Microsoft® Windows® Operating System 2972 C:\WINDOWS\system32\alg.exe

(verified) Microsoft® Windows® Operating System 1284 C:\WINDOWS\system32\csrss.exe

(verified) Microsoft® Windows® Operating System 588 C:\WINDOWS\system32\ctfmon.exe

(verified) Microsoft® Windows® Operating System 2304 C:\WINDOWS\system32\dllhost.exe

(verified) Microsoft® Windows® Operating System 3240 C:\WINDOWS\system32\fxsclnt.exe

(verified) Microsoft® Windows® Operating System 1792 C:\WINDOWS\system32\fxssvc.exe

(verified) Microsoft® Windows® Operating System 1368 C:\WINDOWS\system32\lsass.exe

(verified) Microsoft® Windows® Operating System 240 C:\WINDOWS\system32\ntvdm.exe

(verified) Microsoft® Windows® Operating System 2716 C:\WINDOWS\system32\ntvdm.exe

(verified) Microsoft® Windows® Operating System 3920 C:\WINDOWS\system32\ntvdm.exe

(verified) Microsoft® Windows® Operating System 1356 C:\WINDOWS\system32\services.exe

(verified) Microsoft® Windows® Operating System 1236 C:\WINDOWS\system32\smss.exe

(verified) Microsoft® Windows® Operating System 1040 C:\WINDOWS\system32\spoolsv.exe

(verified) Microsoft® Windows® Operating System 128 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 304 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 528 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 1560 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 1616 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 1796 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 744 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 3800 C:\WINDOWS\system32\svchost.exe

(verified) Microsoft® Windows® Operating System 1312 C:\WINDOWS\system32\winlogon.exe

(verified) SecureTrans 424 C:\tony\stsys.exe

(verified) Windows® Internet Explorer 400 C:\Program Files\Internet Explorer\iexplore.exe

(verified) Windows® Internet Explorer 2900 C:\Program Files\Internet Explorer\iexplore.exe

(verified) Yahoo! AutoUpdater 668 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

Network activity

----------------

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 74.125.224.165

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 69.31.113.91

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 64.136.44.25

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 23.11.93.95

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 69.31.112.88

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 69.31.113.91

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 66.235.143.118

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 69.31.112.130

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 74.125.224.187

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 66.235.143.118

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 69.2.103.13

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 69.174.247.164

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 69.171.224.12

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 69.2.103.13

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 69.31.113.91

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 69.2.103.13

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 193.149.47.99

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 69.22.151.88

Process ekrn.exe (1208) connected on port 80 (HTTP) --> 69.22.151.81

Process svchost.exe (744) listens on ports: 2869 (SSDP event notification, UPNP)

Process svchost.exe (1616) listens on ports: 135 (RPC)

Process fxsclnt.exe (3240) listens on ports: 1024

Autoruns and critical files

---------------------------

(verified) Intel® Common User Interface C:\WINDOWS\system32\igfxdev.dll

(verified) Java Platform SE Auto Updater 2 0 C:\Program Files\Common Files\Java\Java Update\jusched.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\BROWSEUI.dll

(verified) Microsoft® Windows® Operating System c:\windows\system32\CRYPT32.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\CSCDLL.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\dimsntfy.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\SHELL32.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll

(verified) Microsoft® Windows® Operating System c:\windows\system32\userinit.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\WlNotify.dll

(verified) QuickTime C:\Program Files\QuickTime\qttask.exe

(verified) Windows® Internet Explorer C:\WINDOWS\system32\msfeedssync.exe

(verified) Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll

Browser plugins

---------------

(unsigned) Java Platform SE 6 U26 C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll

(verified) Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll

(verified) Adobe® Flash® Player ActiveX C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe

(verified) BitDefender QuickScan C:\WINDOWS\Downloaded Program Files\qsax.dll

(verified) InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.dll

(verified) InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.exe

(verified) InstallShield Update Service C:\WINDOWS\Downloaded Program Files\isusweb.dll

(verified) Java Deployment Toolkit 6.0.260.3 C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

(verified) Java Platform SE 6 U26 c:\program files\java\jre6\bin\jp2ssv.dll

(verified) Java Platform SE 6 U26 c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

(verified) Messenger C:\Program Files\Messenger\msmsgs.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\nwprovau.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll

(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\winrnr.dll

(verified) NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

(verified) QuickTime Plug-in 6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll

(verified) QuickTime Plug-in 6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll

(verified) QuickTime Plug-in 6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll

(verified) QuickTime Plug-in 6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll

(verified) QuickTime Plug-in 6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll

(verified) QuickTime Plug-in 6.5 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll

(verified) TODO: <Product name> C:\Documents and Settings\ACP Pharmacy\Application Data\Mozilla\Firefox\Profiles\yq8yojk3.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\components\XPATLCOM.dll

(verified) Windows Presentation Foundation c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

(verified) Windows® Internet Explorer C:\WINDOWS\system32\IEFRAME.dll

Scan

----

MD5: 1040bd9bf3ddab7cda2346f8375480a2 C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll

MD5: b5292adb263c61d6de5dc40d21066e72 C:\tony\FileControl.DLL

No file uploaded.

Scan finished - communication took 1 sec

Total traffic - 0.00 MB sent, 0.04 KB recvd

Scanned 580 files and modules - 3 seconds

==============================================================================

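The log above mixes three things a responder wants to triage quickly: which processes talk out or listen, which autorun and plugin modules carry a verified signature, and which hashed files live outside the normal install roots (the MD5 line for C:\tony\FileControl.DLL and the unsigned Java plugin are the two that stand out). The following Python script is an added example, not code from the tool that produced the log or from anyone in this thread. It parses lines in the shape shown above and applies simple triage rules. The sample log embedded in it is constructed from a handful of lines copied in shape from the post; the "standard roots" and "expected listeners" allowlists are assumptions chosen for this example and would be tuned per environment.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the same shape as the posted log.
SAMPLE_LOG = r"""
Process ekrn.exe (1208) connected on port 80 (HTTP) --> 69.171.224.12
Process ekrn.exe (1208) connected on port 80 (HTTP) --> 69.2.103.13
Process svchost.exe (744) listens on ports: 2869 (SSDP event notification, UPNP)
Process svchost.exe (1616) listens on ports: 135 (RPC)
Process fxsclnt.exe (3240) listens on ports: 1024
Autoruns and critical files
---------------------------
(verified) Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
(verified) QuickTime C:\Program Files\QuickTime\qttask.exe
Browser plugins
---------------
(unsigned) Java Platform SE 6 U26 C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
(verified) TODO: <Product name> C:\Documents and Settings\ACP Pharmacy\Application Data\Mozilla\Firefox\Profiles\yq8yojk3.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\components\XPATLCOM.dll
Scan
----
MD5: 1040bd9bf3ddab7cda2346f8375480a2 C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
MD5: b5292adb263c61d6de5dc40d21066e72 C:\tony\FileControl.DLL
"""

# Line shapes taken from the log; anything that matches none of them is ignored.
CONN_RE = re.compile(r"^Process (\S+) \((\d+)\) connected on port (\d+) \(([^)]*)\) --> (\S+)$")
LISTEN_RE = re.compile(r"^Process (\S+) \((\d+)\) listens on ports: (.+)$")
PORT_RE = re.compile(r"(\d+)\s*(?:\(([^)]*)\))?")          # "2869 (SSDP ..., UPNP)" or bare "1024"
MODULE_RE = re.compile(r"^\((verified|unsigned)\) (.*?) ([A-Za-z]:\\.*)$")
MD5_RE = re.compile(r"^MD5: ([0-9a-fA-F]{32}) ([A-Za-z]:\\.*)$")

# Assumed allowlists for this example (tune per machine).
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\")
EXPECTED_LISTENERS = {("svchost.exe", 135), ("svchost.exe", 2869)}


def parse_log(text):
    """Turn the raw log into lists of connection, listener, module and hash records."""
    records = {"connections": [], "listeners": [], "modules": [], "hashes": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CONN_RE.match(line)
        if m:
            proc, pid, port, proto, dst = m.groups()
            records["connections"].append(
                {"process": proc, "pid": int(pid), "port": int(port), "proto": proto, "dst": dst})
            continue
        m = LISTEN_RE.match(line)
        if m:
            proc, pid, ports = m.groups()
            for port, label in PORT_RE.findall(ports):
                records["listeners"].append(
                    {"process": proc, "pid": int(pid), "port": int(port), "label": label})
            continue
        m = MODULE_RE.match(line)
        if m:
            sig, name, path = m.groups()
            records["modules"].append({"signature": sig, "name": name, "path": path})
            continue
        m = MD5_RE.match(line)
        if m:
            records["hashes"].append({"md5": m.group(1).lower(), "path": m.group(2)})
    return records


def in_standard_root(path):
    """True if the path sits under a normal, non-user-writable install root."""
    return path.lower().startswith(STANDARD_ROOTS)


def triage(records):
    """Apply simple review rules; returns (kind, detail) pairs, without duplicates."""
    findings = []

    def add(kind, detail):
        if (kind, detail) not in findings:
            findings.append((kind, detail))

    for mod in records["modules"]:
        if mod["signature"] != "verified":
            add("unsigned-module", mod["path"])
        if mod["name"].startswith("TODO:"):          # placeholder version-info, worth a look
            add("placeholder-product-name", mod["path"])
        if not in_standard_root(mod["path"]):
            add("nonstandard-path", mod["path"])
    for h in records["hashes"]:
        if not in_standard_root(h["path"]):
            add("nonstandard-path", h["path"])
    for lst in records["listeners"]:
        if (lst["process"].lower(), lst["port"]) not in EXPECTED_LISTENERS:
            add("unexpected-listener", f'{lst["process"]}:{lst["port"]}')
    outbound = defaultdict(set)
    for c in records["connections"]:
        outbound[c["process"]].add(c["dst"])
    for proc, dsts in sorted(outbound.items()):
        add("outbound-summary", f"{proc} -> {len(dsts)} distinct destinations")
    return findings


def run_sample():
    return triage(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, detail in run_sample():
        print(f"{kind:24} {detail}")
```

Run it against the full pasted log instead of the sample to get the same findings for the whole machine; the flags are prompts for review, not verdicts (fxsclnt.exe is the XP fax client and ekrn.exe is the ESET kernel service, both of which appear in this log), which is why the script summarises outbound traffic per process rather than judging it.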

Looking good :)

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Results of screen317's Security Check version 0.99.17

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

ESET Smart Security

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 26

Java 2 Runtime Environment, SE v1.4.2_03

Flash Player Out of Date!

Adobe Flash Player 10.0.42.34

Mozilla Firefox (x86 en-US..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````


My apologies for the delay,

Before we move on, please take the time to install the following updates, as using outdated applications leaves you vulnerable to getting infected again ;):

Your Flash Player is out of date!

To make sure you have the latest version of Adobe Flash Player installed:

1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe

2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger).

3. Double-click on the file you've downloaded to uninstall Flash.

4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).

Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).

--------

Please let me know how the updates went, as failed updates may indicate additional malware :)


Let's try this:

Please navigate to Start -> Run. In the Run box, type CMD.

The Windows Command Prompt will open (a black box).

In the Command Prompt, please type the following (in bold):

SFC.EXE /SCANNOW

Then, press Enter. The Windows System File Checker will open and begin scanning for and repairing corrupted system files.

Please let me know if that resolves the issue ;)


Hi, that command requires me to insert the original Windows XP disk in the CD drive. My OS is Windows XP Media Center Edition, which I don't have the disk for anymore. I only have a Windows XP Professional and a Home Edition disk. I really don't want to reformat and start over. :angry:


This topic is now closed to further replies.