kamry2009

Weird DISCOVER!


Please follow the instructions at this link and attach your logs to a reply by using the More Reply Options button to the lower-right of where you type in your reply.


The only Image File Execution Options oddities that OTL showed in the log were the following:

O27 - HKLM IFEO\asc.exe: Debugger - C:\Program Files\TuneUp Utilities 2012\TUAutoReactivator32.exe (TuneUp Software)
O27 - HKLM IFEO\suc12_uninstal.exe: Debugger - C:\Program Files\TuneUp Utilities 2012\TUAutoReactivator32.exe (TuneUp Software)
O27 - HKLM IFEO\toolbox.exe: Debugger - C:\Program Files\TuneUp Utilities 2012\TUAutoReactivator32.exe (TuneUp Software)
O27 - HKLM IFEO\turboboost.exe: Debugger - C:\Program Files\TuneUp Utilities 2012\TUAutoReactivator32.exe (TuneUp Software)
O27 - HKLM IFEO\unins000.exe: Debugger - C:\Program Files\TuneUp Utilities 2012\TUAutoReactivator32.exe (TuneUp Software)

As you can see, they are all related to TuneUp Utilities 2012, which is a legitimate utility.

Let's get a registry export of the keys from your screenshot:

For 32-bit Windows, please download MiniRegTool.zip and unzip it.

For 64-bit Windows, please download MiniRegTool64.zip and unzip it.

  1. Run the MiniRegTool download.
  2. Copy and paste the following into the rectangular white box in MiniRegTool:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
  3. Check the Export keys radio button.
  4. Press the Go button and post the result.
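The O27 lines above are Image File Execution Options "Debugger" redirects. As an added example (not code from this thread or from any of the tools it mentions), here is a PowerShell audit that lists every such redirect on a machine and flags the ones that deserve a manual look; it assumes an elevated Windows PowerShell session, and the WOW6432Node path is only read when it exists.

```powershell
# Added example, not code from the thread: enumerate every Image File Execution
# Options "Debugger" redirect and flag the ones that deserve a manual look.
# When an image name listed here carries a Debugger value, Windows launches the
# debugger path instead and hands it the original command line, which is why
# the O27 lines in the OTL log are worth checking. Assumed: elevated PowerShell.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # Present on 64-bit Windows only; skipped when missing.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    param([string[]]$Roots = $ifeoRoots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # Debugger is a REG_SZ value directly under the per-image subkey.
            $debugger = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger `
                         -ErrorAction SilentlyContinue).Debugger
            if (-not $debugger) { continue }

            # The value may be quoted or carry arguments; recover just the executable.
            $exe = if ($debugger -match '^"([^"]+)"')            { $Matches[1] }
                   elseif ($debugger -match '^(.+?\.exe)(\s|$)') { $Matches[1] }
                   else                                          { $debugger }

            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $status = 'FileMissing'
            $signer = ''
            if ($exists) {
                $sig    = Get-AuthenticodeSignature -FilePath $exe
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            [pscustomobject]@{
                Image     = $key.PSChildName   # the program being redirected, e.g. asc.exe
                Debugger  = $debugger          # what actually runs in its place
                Exists    = $exists
                Signature = $status            # 'Valid', 'NotSigned', 'HashMismatch', ...
                Signer    = $signer
                Root      = $root
            }
        }
    }
}

$entries = @(Get-IfeoDebugger)
$entries | Format-Table Image, Debugger, Exists, Signature -AutoSize

# Review criteria: debugger file missing, not validly signed, or installed outside
# Program Files / Windows. A legitimate tool such as the TuneUp reactivator in the
# log normally passes all three; a redirect of a security tool's image name to a
# file in a temp or user directory would not.
$suspect = $entries | Where-Object {
    -not $_.Exists -or
    $_.Signature -ne 'Valid' -or
    $_.Debugger -notmatch '^"?[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\'
}
if ($suspect) {
    Write-Warning 'IFEO Debugger entries needing review:'
    $suspect | Format-List Image, Debugger, Exists, Signature, Signer, Root
} else {
    Write-Host 'All IFEO Debugger entries point at signed files in expected locations.'
}
```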


I don't see any evidence of those entries in that log either. I assume that the detections listed in your screenshot in your first post have already been deleted?

I'm also not seeing any signs of infection, so let's get a third-party opinion with an online virus scan. Please run an online virus scan through ESET by following the steps below:

  1. Turn off your anti-virus software.
  2. Click on this link.
  3. Click on the ESET Online Scanner button.
  4. Put a check in the box that says YES, I accept the Terms of Use.
  5. Click the 'Start' button just to the right of the checkbox.
  6. Uncheck the box that says Remove found threats (this is very important).
  7. Click on Advanced settings.
  8. Put a check in the box that says Scan for potentially unsafe applications.
  9. Verify that Scan for potentially unwanted applications is also checked.
  10. Verify that Enable Anti-Stealth technology is also checked.
  11. Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
  12. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
  13. Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
  14. Close the ESET online scan.

I will take a look at the log, and let you know if anything needs to be removed.

===== System error log =====
Computer Name: ORO
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service SENS with arguments ""
in order to run the server:
{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}
Record Number: 23153
Source Name: DCOM
Time Written: 20120214042620.000000 +120
Event Type: error
User: NT AUTHORITY\SYSTEM
Computer Name: ORO
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service SENS with arguments ""
in order to run the server:
{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}
Record Number: 23152
Source Name: DCOM
Time Written: 20120214042620.000000 +120
Event Type: error
User: NT AUTHORITY\SYSTEM
Computer Name: ORO
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service SENS with arguments ""
in order to run the server:
{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}
Record Number: 23151
Source Name: DCOM
Time Written: 20120214042620.000000 +120
Event Type: error
User: NT AUTHORITY\SYSTEM
Computer Name: ORO
Event Code: 7001
Message: The Computer Browser service depends on the Server service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Record Number: 23146
Source Name: Service Control Manager
Time Written: 20120214042616.000000 +120
Event Type: error
User:
Computer Name: ORO
Event Code: 14103
Message: QoS [Adapter {E255FD21-46B6-4963-9EA9-18E320EFD851}]:
The netcard driver failed the query for OID_GEN_LINK_SPEED.
Record Number: 23061
Source Name: PSched
Time Written: 20120213212040.000000 +120
Event Type: error
User:

===== Software error log =====
Computer Name: ORO
Event Code: 4132
Message: 2 inconsistencies were detected in PropertyStore during recovery of catalog d:\system volume information\catalog.wci.
Record Number: 1918
Source Name: Ci
Time Written: 20120101151347.000000 +120
Event Type: warning
User:
Computer Name: ORO
Event Code: 1000
Message: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.
Record Number: 1905
Source Name: Application Error
Time Written: 20120101033215.000000 +120
Event Type: error
User:
Computer Name: ORO
Event Code: 1000
Message: Faulting application, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x03d899f8.
Record Number: 1904
Source Name: Application Error
Time Written: 20120101032854.000000 +120
Event Type: error
User:
Computer Name: ORO
Event Code: 1517
Message: Windows saved user ORO\llllllllllllllllllll registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
Record Number: 1896
Source Name: Userenv
Time Written: 20120101030153.000000 +120
Event Type: warning
User: NT AUTHORITY\SYSTEM
Computer Name: ORO
Event Code: 1015
Message: Failed to connect to server. Error: 0x800401F0
Record Number: 1893
Source Name: MsiInstaller
Time Written: 20120101025945.000000 +120
Event Type: warning
User: ORO\llllllllllllllllllll

===== Program crash report =====

===== Blue screen report =====
==================================================
Dump File: Mini030112-01.dmp
Crash Time: 01/03/2012 16:20:49
Bug Check String: KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code: 0x1000008e
Parameter 1: 0xc0000005
Parameter 2: 0x804ea4b1
Parameter 3: 0x9d673c94
Parameter 4: 0x00000000
Caused By Driver: AntiLog32.sys
Caused By Address: AntiLog32.sys+3ed8
File Description:
Product Name:
Company:
File Version:
Processor: 32-bit
Computer Name:
Full Path: C:\WINDOWS\Minidump\Mini030112-01.dmp
Processors Count: 2
Major Version: 15
Minor Version: 2600
Dump File Size: 106,496
==================================================
==================================================
Dump File: Mini030212-01.dmp
Crash Time: 02/03/2012 17:45:34
Bug Check String: IRQL_NOT_LESS_OR_EQUAL
Bug Check Code: 0x1000000a
Parameter 1: 0x00000000
Parameter 2: 0x0000001c
Parameter 3: 0x00000000
Parameter 4: 0x805218d7
Caused By Driver: PCTCore.sys
Caused By Address: PCTCore.sys+d765
File Description: PC Tools KDS Core Driver
Product Name: Kernel Driver Suite
Company: PC Tools
File Version: 2.1.0.228 built by: WinDDK
Processor: 32-bit
Computer Name:
Full Path: C:\WINDOWS\Minidump\Mini030212-01.dmp
Processors Count: 2
Major Version: 15
Minor Version: 2600
Dump File Size: 106,496
==================================================
==================================================
Dump File: Mini030212-02.dmp
Crash Time: 02/03/2012 17:46:26
Bug Check String: DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
Bug Check Code: 0x100000ce
Parameter 1: 0xb8cc7550
Parameter 2: 0x00000000
Parameter 3: 0xb8cc7550
Parameter 4: 0x00000000
Caused By Driver: fltmgr.sys
Caused By Address: fltmgr.sys+1888
File Description: Microsoft Filesystem Filter Manager
Product Name: Microsoft ® Windows ® Operating System
Company: Microsoft Corporation
File Version: 5.1.2600.5512 (xpsp.080413-2111)
Processor: 32-bit
Computer Name:
Full Path: C:\WINDOWS\Minidump\Mini030212-02.dmp
Processors Count: 2
Major Version: 15
Minor Version: 2600
Dump File Size: 106,496
==================================================
==================================================
Dump File: Mini030212-03.dmp
Crash Time: 02/03/2012 17:47:26
Bug Check String: DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
Bug Check Code: 0x100000ce
Parameter 1: 0xb8cbd550
Parameter 2: 0x00000000
Parameter 3: 0xb8cbd550
Parameter 4: 0x00000000
Caused By Driver: fltmgr.sys
Caused By Address: fltmgr.sys+1888
File Description: Microsoft Filesystem Filter Manager
Product Name: Microsoft ® Windows ® Operating System
Company: Microsoft Corporation
File Version: 5.1.2600.5512 (xpsp.080413-2111)
Processor: 32-bit
Computer Name:
Full Path: C:\WINDOWS\Minidump\Mini030212-03.dmp
Processors Count: 2
Major Version: 15
Minor Version: 2600
Dump File Size: 106,496
==================================================

Dump File: Mini030212-03.dmp
Crash Time: 02/03/2012 17:47:26
Bug Check String: DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
Bug Check Code: 0x100000ce
Parameter 1: 0xb8cbd550
Parameter 2: 0x00000000
Parameter 3: 0xb8cbd550
Parameter 4: 0x00000000
Caused By Driver: fltmgr.sys
Caused By Address: fltmgr.sys+1888
File Description: Microsoft Filesystem Filter Manager
Product Name: Microsoft ® Windows ® Operating System
Company: Microsoft Corporation
File Version: 5.1.2600.5512 (xpsp.080413-2111)
Processor: 32-bit
Computer Name:
Full Path: C:\WINDOWS\Minidump\Mini030212-03.dmp
Processors Count: 2
Major Version: 15
Minor Version: 2600
Dump File Size: 106,496
==================================================

This happened today.
Blue screen?
How can I get out of this problem?

Runscanner logfile http://www.runscanner.net
* = signed file
- = file not found
General info
------------
Computer name : ORO
Creation time : 02/03/2012 06:14:42 م
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 7.0.5730.13
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 3
RunScanner Version : 2.0.0.50
User Language : Arabic (Jordan)
User rights : Administrator
Windows folder : C:\WINDOWS
Running processes
-----------------
* C:\WINDOWS\system32\csrss.exe (Microsoft Corporation)
 C:\Program Files\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)
* C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\Program Files\Adobe\Internet Download Manager\IDMan.exe (Tonec Inc.)
* C:\Program Files\Adobe\Internet Download Manager\IEMonitor.exe (Tonec Inc.)
* C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
 C:\Program Files\Mada\WiMAX WUSB35E-32\WiMAXCM.exe (Mada Communications)
* C:\Program Files\PC Tools\PC Tools Security\pctsAuxs.exe (PC Tools)
* C:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe (PC Tools)
* C:\Program Files\PC Tools\PC Tools Security\pctsGui.exe (PC Tools)
* C:\Program Files\Mozilla Firefox\plugin-container.exe (Mozilla Corporation)
* C:\WINDOWS\system32\services.exe (Microsoft Corporation)
 C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
 C:\Program Files\Mada\WiMAX WUSB35E-32\WiMAXCMAgent.exe
* C:\WINDOWS\explorer.exe (Microsoft Corporation)
* C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation)
* C:\WINDOWS\system32\smss.exe (Microsoft Corporation)
* C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)
 C:\Zyzoom_Forum_Tools\zyzoom.exe
Unrated items
-------------
002   C:\Program Files\Alfa Programs\Alfa Autorun Killer 3.0\Alfa Autorun Killer 3.exe (Alfa Programs ®)
002 * C:\Program Files\AntiLogger\AntiLogger.exe (Zemana Ltd.)
003 * C:\Program Files\DU Meter\DUMeter.exe (Hagel Technologies Ltd.)
004 * C:\Program Files\AdFender\AdFender.exe (AdFender, Inc.)
010   C:\Program Files\Mada\WiMAX WUSB35E-32\Services\MadaWiMAXSvc.exe (BcmDeviceDetectionSvc)
010 * C:\Program Files\DU Meter\DUMeterSvc.exe (DU Meter Service)
010 * C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Anti-Malware)
010   C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (SAS Core Service)
010   C:\Program Files\Clarus\Samsung SecretZone\SZAssistSVC.exe (SecretZone Assist Service)
010 * C:\WINDOWS\UnsignedThemesSvc.exe (Unsigned Themes)
010   C:\WINDOWS\system32\DRIVERS\xaudio.exe (XAudioService)
011 * C:\Program Files\AntiLogger\AntiLog32.sys (AntiLog32)
011 * C:\WINDOWS\system32\drivers\rsdrv.sys (ElRawDisk)
011 * C:\Program Files\DU Meter\DUM_XP32.SYS (Hagel Technologies DU Meter traffic accounting driver)
011 * C:\WINDOWS\system32\drivers\SRS_HDAL_i386.sys (HD Audio Lab)
011   C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys (HpqKbFilter Driver)
011   C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys (HSF_DPV)
011   C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys (HSXHWAZL)
011 * C:\WINDOWS\System32\drivers\keyscrambler.sys (KeyScrambler)
011   C:\WINDOWS\system32\drivers\mbam.sys (MBAMProtector)
011   C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (mdmxsdk)
011 * C:\WINDOWS\system32\DRIVERS\yk51x86.sys (NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller)
011   C:\WINDOWS\system32\drivers\SAFDSKNT.SYS (SafeHouse)
011 * C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SASDIFSV)
011 * C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL)
011   C:\WINDOWS\system32\DRIVERS\SonyNC.sys (Sony Notebook Control Device)
011   C:\WINDOWS\system32\DRIVERS\5U875.sys (Sony Visual Communication Camera)
011 * C:\WINDOWS\system32\drivers\srs_sscfilter_i386.sys (SRS Labs Audio Sandbox (WDM))
011 * C:\WINDOWS\system32\drivers\tpsec.sys (TrustPort Security Filter)
011 * C:\WINDOWS\system32\drivers\uxpatch.sys (uxpatch)
011   C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys (winachsf)
011   C:\WINDOWS\system32\WinFPdrv.sys (WinFPdrv)
011   C:\WINDOWS\system32\DRIVERS\xaudio.sys (XAudio)
050   C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com) {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}
052 * C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC) {326E768D-4182-46FD-9C16-1449A49795F4}
061   C:\Program Files\7-Zip\7-zip.dll (Igor Pavlov) {23170F69-40C1-278A-1000-000100020000}
061   C:\WINDOWS\system32\btncopy.dll (Broadcom Corporation.) {7842554E-6BED-11D2-8CDB-B05550C10000}
061   C:\WINDOWS\system32\BTNEIG~1.DLL (Broadcom Corporation.) {6af09ec9-b429-11d4-a1fb-0090960218cb}
061   C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
067   C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
069   C:\WINDOWS\system32\bthcrp.dll (Broadcom Corporation.)
100   ProxyOverride HKCU : local
100   SearchAssistant HKLM : http://torrentsearcher.filesharingplace.com/ie/
104 * C:\WINDOWS\DOWNLO~1\qsax.dll (BitDefender LLC) {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A}
105   Download all links with IDM : C:\Program Files\Adobe\Internet Download Manager\IEGetAll.htm
105   Download with IDM : C:\Program Files\Adobe\Internet Download Manager\IEExt.htm
120   NameServer {E255FD21-46B6-4963-9EA9-18E320EFD851} : 208.67.222.222,208.67.220.220,8.8.8.8,8.8.4.4
145 * C:\WINDOWS\system32\drivers\keyscrambler.sys (QFX Software Corporation)
173   C:\Program Files\7-Zip\7-zip.dll (Igor Pavlov) {23170F69-40C1-278A-1000-000100020000}
173   C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL (SUPERAntiSpyware.com) SUPERAntiSpyware Context Menu
221   C:\Program Files\7-Zip\7-zip.dll (Igor Pavlov) {23170F69-40C1-278A-1000-000100020000}
221   C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL (SUPERAntiSpyware.com) SUPERAntiSpyware Context Menu
225   C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
225   C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
227   C:\Program Files\7-Zip\7-zip.dll (Igor Pavlov) {23170F69-40C1-278A-1000-000100020000}
227   C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL (SUPERAntiSpyware.com) SUPERAntiSpyware Context Menu
251   C:\Program Files\7-Zip\7-zip.dll (Igor Pavlov) {23170F69-40C1-278A-1000-000100020000}
251   C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
254   C:\WINDOWS\system32\btncopy.dll (Broadcom Corporation.) {7842554E-6BED-11D2-8CDB-B05550C10000}
Missing files
-------------


Did these issues start after attempting to run the ESET online scan?


Let's just run ComboFix. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save it as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    See HERE for help.
  • Double-click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


I'm ignoring the RunScanner log for now. Please stick to the utilities I specifically ask you to run, as extra logs will just make this take longer, and may not actually help. ;)

That ComboFix log looks good. I don't think your computer is still infected. My understanding is that the only issue remaining is this BSOD on startup, correct? I'm waiting for our developers to take a look at that one, however I did notice in your ComboFix log that you have a lot of security software installed. Could you give me a list of everything that is running protection on startup?


I'm sorry, I forgot to ask you for a copy of the memory dump from the blue screen error.

Here is a link to an article from Microsoft on memory dumps in Windows XP. You may need to upload it to a service such as RapidShare due to the large size of memory dump files. Note that you can send me the link to download the dump file via a private message on our forums if you do not want to post it publicly.

Alfa Autorun Killer 3 version 3.0.7
Malwarebytes Anti-Malware version 1.60.1.1000
SUPERAntiSpyware
Emsisoft Anti-Malware
Kaspersky Internet Security 2012

At startup I use Emsisoft Anti-Malware, Kaspersky Internet Security 2012 and PC Tools Spyware Doctor 9.0. The others I use just when I need to scan my PC.

PC Tools Spyware Doctor 9.0 >>> Kaspersky Internet Security 2012 >>>> They interfere with each other, but I use it just for scans.


OK, I've forwarded the dump on to one of our developers. Hopefully they can give me an idea of what might be going on. ;)


Thank you.

120 NameServer {E255FD21-46B6-4963-9EA9-18E320EFD851} : 208.67.222.222,208.67.220.220,8.8.8.8,8.8.4.4?

!!!!! Can you explain to me what this line means?


O23 - Service: Unsigned Themes (UnsignedThemes) - The Within Network, LLC - C:\WINDOWS\UnsignedThemesSvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - REDC - (no file)

O4 - Startup: AdFender.lnk = C:\Program Files\AdFender\AdFender.exe

Could you please check whether these files are safe or not?

https://www.virustotal.com/file/b4f6326218f058898009ad005ccf5d6ff45ca171c35e6583915c2b4de11f57d4/analysis/


120 NameServer {E255FD21-46B6-4963-9EA9-18E320EFD851} : 208.67.222.222,208.67.220.220,8.8.8.8,8.8.4.4?

!!!!! Can you explain to me what this line means?

That is a list of the DNS servers that your computer will ask for a list of what domain names map to what IP addresses. For more information, here's a link to an article on DNS.

O23 - Service: Unsigned Themes (UnsignedThemes) - The Within Network, LLC - C:\WINDOWS\UnsignedThemesSvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - REDC - (no file)

O4 - Startup: AdFender.lnk = C:\Program Files\AdFender\AdFender.exe

Did you run HijackThis, or were those in your OTL log?

That file appears to be a legitimate part of AdFender.

I assume you are still not able to start your computer normally? If so, then let me know if you are able to uninstall your software from PCTools while Windows is running in Safe Mode. One of their drivers is one of the ones failing on startup, and it is possible that one of their drivers was corrupted.


I solved the problem.

Caused By Driver: fltmgr.sys? What is this?

You'll find file information here. Essentially, it is a Windows system file. It may have gotten damaged/corrupted by the infection. Do you have your Windows disk? Running the System File Checker may be a good idea, just in case; however, it will require a Windows disk for your version of Windows. ComboFix didn't show any system files failing a signature check, so theoretically your system files are OK, but it may be a good idea to run it just in case.

Another alternative is simply to reinstall the last Service Pack, which for Windows XP would be Service Pack 3.

How did you fix the Blue Screen error? Did you run the System Restore?


No, I didn't run System Restore.

I used Advanced SystemCare deep scan + CCleaner scan + OldTimer's Temp File Cleaner. After I did this I restarted my computer, but Safe Mode didn't work!!!!

So I chose the last good settings that work! Windows works!

After that I ran the Panda ActiveScan cleaner >>> this program found 4 suspicious files; Panda removed them.

I also used TuneUp.

After that the system works.

Unfortunately I didn't save the Panda log! :wacko:

O23 - Service: Unsigned Themes (UnsignedThemes) - The Within Network, LLC - C:\WINDOWS\UnsignedThemesSvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - REDC - (no file)

O4 - Startup: AdFender.lnk = C:\Program Files\AdFender\AdFender.exe

HijackThis

HijackThis

OK, I thought those looked like entries from a HijackThis log. Due to the fact that it hasn't been updated in a very long time, I recommend avoiding HijackThis. It was a great utility back in the day, unfortunately that day came and went a long time ago.

Good alternatives to HijackThis include Emsisoft HijackFree (which comes with Emsisoft Anti-Malware), Autoruns from Microsoft, RunAlyzer from Safer Network. There are a few other good ones as well, however I don't have a list of them. Also, please note that I don't actually need logs from any of these utilities, and that if you don't know what the various entries listed in these programs do then I highly recommend not using them to make any changes to your system configuration.

Don't worry about not saving the Panda log. Go ahead and get me a fresh ComboFix log (download a fresh copy of ComboFix from one of these links: Link 1 / Link 2 and always make sure to disable your anti-virus software before running it) and let me know if your computer is still having any troubles (such as not being able to start in Safe Mode, weird popups or error messages, etc).


That log looks pretty good. Let's get an online virus scan just to verify. Please run an online virus scan through ESET by following the steps below:

  1. Turn off your anti-virus software.
  2. Click on this link.
  3. Click on the ESET Online Scanner button.
  4. Put a check in the box that says YES, I accept the Terms of Use.
  5. Click the 'Start' button just to the right of the checkbox.
  6. Uncheck the box that says Remove found threats (this is very important).
  7. Click on Advanced settings.
  8. Put a check in the box that says Scan for potentially unsafe applications.
  9. Verify that Scan for potentially unwanted applications is also checked.
  10. Verify that Enable Anti-Stealth technology is also checked.
  11. Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
  12. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
  13. Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
  14. Close the ESET online scan.

I will take a look at the log, and let you know if anything needs to be removed.


Thread Closed

Reason: Lack of Response

PM either ShadowPuterDude, or GT500 to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
