I have a Killer Virus!!!

gaz_dodd

New Member
I've had a virus for about a week now and it's slowly killing my laptop. I'm hoping someone on here can give me a few ideas.

I bought an external hard drive off ebay, plugged it in and had a bit of a look before formatting it, BIG MISTAKE. It put a virus on my laptop.

I'll start with my specs: I have a Fujitsu Siemens Amilo Pro V3515, 60gb HD, 2gb RAM, XP Home, SP3 with MSE anti virus.


Here are the symptoms:-

Freezing
Blue screen of death
Crashing (when the laptop is moved, even in safemode)
An attempt to download a file
Disabling of antivirus
Deleting of antivirus database
Messing with network adapter drivers (can't load them, so no internet)
Laptop struggles to start (have to keep turning it on and off until it will start)


I've already tried a few things. Here's what I've done:-

Scan with MSE (10 adware + Trojan: Vundo)
Scan with Super anti-virus (14 adware)
Scan with Malwarebytes (Trojan: Agent)
Scan with Clamwin (Trojan: Agent)
Created new user account and deleted mine
Reinstalled all damaged drivers

None of my antivirus programs are picking up anything anymore, but the laptop is still cutting out. My network drivers still won't work properly, and very occasionally I will get a blue screen of death but no cause will be stated; it just says a problem occurred and it had to shut down to protect the hard drive.

The laptop's performance is as good as always.

I hope someone can help me, and thanks in advance to anyone who does.

EDIT: I should mention, my operating system disk is damaged so reformatting has to be a last option because I'm cheap and don't want to buy a new one :D
 

johnb35

Administrator
Staff member
Please post the latest malwarebytes log along with a hijack this log. Follow the instructions in the sticky called "please read before posting" at the top of the security forum. I would give you links but I'm on my phone at the moment.
 

gaz_dodd

New Member
Thanks for the reply

I have already done a Malwarebytes scan but I can't get online with the infected laptop anymore to upload it or to download HijackThis. I've downloaded the setup to a clean laptop and I'll burn it to a CD tomorrow so I can install it on the infected laptop.

The latest Malwarebytes scans are coming up clean though.
 

johnb35

Administrator
Staff member
You will need to download the following file to a flash drive and transfer it to the infected computer.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
  • Download this file here: Combofix

  • When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
  • Save the file to your windows desktop. The combofix icon will look like this when it has downloaded to your desktop.

  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.


  • ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.


  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:


  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.


  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy. Then come to the forum in your reply and right click on your mouse and click on paste.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 

gaz_dodd

New Member
I can't get onto the internet to download the Microsoft Recovery Console, so I went ahead and did the scan anyway.

Here are the combofix results:-

ComboFix 11-08-16.05 - Gareth 2 17/08/2011 12:02:32.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1590 [GMT 1:00]
Running from: E:\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2011-07-17 to 2011-08-17 )))))))))))))))))))))))))))))))
.
.
2051-08-02 00:10 . 2051-08-02 00:10 -------- d-----w- c:\program files\Microsoft Reader
2051-08-02 00:08 . 2051-08-02 00:08 -------- d-----w- c:\program files\Common Files\OverDrive Shared
2051-08-02 00:07 . 2051-08-02 00:07 -------- d-----w- c:\documents and settings\All Users\Application Data\iMesh
2051-08-02 00:06 . 2051-08-02 00:06 -------- d--h--w- c:\documents and settings\All Users\Application Data\{DE0AF019-D61B-423F-9C3B-D49ECD51D8A1}
2051-08-02 00:02 . 2051-08-02 00:02 -------- d-----w- c:\program files\MySQL
2051-08-02 00:02 . 2051-08-02 00:02 -------- d-----w- c:\program files\Microsoft ActiveSync
2051-08-02 00:00 . 2051-08-02 00:02 -------- d-----w- c:\program files\Microsoft SQL Server
2051-08-02 00:00 . 2051-08-02 00:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-08-17 10:49 . 2011-08-17 10:50 -------- d-----w- c:\documents and settings\Administrator
2011-08-17 09:29 . 2011-08-17 09:29 -------- d-----w- c:\program files\Trend Micro
2011-08-16 17:13 . 2011-08-16 17:13 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B6AC72F-371F-4675-8EBC-B393DC152E50}\MpKsl25c11be3.sys
2011-08-13 17:47 . 2011-08-13 17:47 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B6AC72F-371F-4675-8EBC-B393DC152E50}\MpKsl0c9959cb.sys
2011-08-13 17:45 . 2011-08-13 17:45 -------- d-----w- C:\found.000
2011-08-13 17:34 . 2011-08-13 17:34 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B6AC72F-371F-4675-8EBC-B393DC152E50}\MpKslce4a1626.sys
2011-08-13 17:32 . 2011-08-13 17:32 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B6AC72F-371F-4675-8EBC-B393DC152E50}\MpKsl8ed0158a.sys
2011-08-13 16:46 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B6AC72F-371F-4675-8EBC-B393DC152E50}\mpengine.dll
2011-08-09 09:36 . 2011-08-16 20:53 -------- d-----w- c:\documents and settings\Gareth 2
2011-08-09 09:19 . 2011-08-09 09:19 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-05 13:33 . 2011-08-05 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
2011-08-05 13:33 . 2011-08-09 09:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-05 13:33 . 2011-08-05 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-07-27 20:11 . 2051-08-02 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2011-07-27 20:11 . 2051-08-02 00:00 -------- d-----w- c:\program files\Security Task Manager
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-05 12:17 . 2009-06-14 14:05 90112 ----a-w- c:\windows\DUMP4584.tmp
2011-07-13 03:39 . 2011-05-14 22:29 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-06-18 19:25 . 2011-06-07 12:02 2026304 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-06-17 18:53 . 2011-06-16 02:24 586176 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VWDExpress\10.0\1033\ResourceCache.dll
2011-06-16 07:28 . 2011-06-07 12:02 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2011-06-02 14:02 . 2005-10-06 00:06 1858944 ----a-w- c:\windows\system32\win32k(2).sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2005-04-16 16:08 172032 -c--a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4800 Series]
2005-02-02 04:00 98304 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIADE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Epson Stylus Office BX320FW(Network)]
2009-09-14 07:00 200704 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIGIE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FuncKey]
2006-07-27 14:06 122880 -c--a-w- c:\program files\Hotkey 1.0.4\FuncKey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2010-11-30 12:20 997408 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]
2006-07-11 01:33 176128 ----a-w- c:\windows\system32\S3Trayp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 12:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-05-09 12:33 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2011-05-10 20:52 399736 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2006-08-03 13:53 53248 ----a-w- c:\windows\system32\VTTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"xmlprov"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RasAuto"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Netlogon"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"BITS"=3 (0x3)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"BthServ"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
.
S1 MpKsl0c9959cb;MpKsl0c9959cb;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B6AC72F-371F-4675-8EBC-B393DC152E50}\MpKsl0c9959cb.sys [13/08/2011 18:47 28752]
S1 MpKsl1b7e8dd0;MpKsl1b7e8dd0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl1b7e8dd0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl1b7e8dd0.sys [?]
S1 MpKsl28969d54;MpKsl28969d54;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70E41E0A-F5BE-44BE-8833-C532417CB736}\MpKsl28969d54.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70E41E0A-F5BE-44BE-8833-C532417CB736}\MpKsl28969d54.sys [?]
S1 MpKsl2bea2fc8;MpKsl2bea2fc8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9A4E1387-8055-4D23-B661-7264E855A9C0}\MpKsl2bea2fc8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9A4E1387-8055-4D23-B661-7264E855A9C0}\MpKsl2bea2fc8.sys [?]
S1 MpKsl3170ad88;MpKsl3170ad88;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F31A240E-FBA8-4DEB-8AB3-7AA35F38C0C7}\MpKsl3170ad88.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F31A240E-FBA8-4DEB-8AB3-7AA35F38C0C7}\MpKsl3170ad88.sys [?]
S1 MpKsl42ac3af1;MpKsl42ac3af1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl42ac3af1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl42ac3af1.sys [?]
S1 MpKsl49099c9f;MpKsl49099c9f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70E41E0A-F5BE-44BE-8833-C532417CB736}\MpKsl49099c9f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70E41E0A-F5BE-44BE-8833-C532417CB736}\MpKsl49099c9f.sys [?]
S1 MpKsl88d9f859;MpKsl88d9f859;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl88d9f859.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl88d9f859.sys [?]
S1 MpKsl8e6d9c34;MpKsl8e6d9c34;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl8e6d9c34.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl8e6d9c34.sys [?]
S1 MpKsl8ed0158a;MpKsl8ed0158a;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B6AC72F-371F-4675-8EBC-B393DC152E50}\MpKsl8ed0158a.sys [13/08/2011 18:32 28752]
S1 MpKsl922c3c74;MpKsl922c3c74;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl922c3c74.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl922c3c74.sys [?]
S1 MpKsl98941da7;MpKsl98941da7;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl98941da7.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl98941da7.sys [?]
S1 MpKsl9c7df659;MpKsl9c7df659;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F31A240E-FBA8-4DEB-8AB3-7AA35F38C0C7}\MpKsl9c7df659.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F31A240E-FBA8-4DEB-8AB3-7AA35F38C0C7}\MpKsl9c7df659.sys [?]
S1 MpKsla14d02ba;MpKsla14d02ba;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70E41E0A-F5BE-44BE-8833-C532417CB736}\MpKsla14d02ba.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70E41E0A-F5BE-44BE-8833-C532417CB736}\MpKsla14d02ba.sys [?]
S1 MpKslc8bb23b1;MpKslc8bb23b1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F31A240E-FBA8-4DEB-8AB3-7AA35F38C0C7}\MpKslc8bb23b1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F31A240E-FBA8-4DEB-8AB3-7AA35F38C0C7}\MpKslc8bb23b1.sys [?]
S1 MpKslce4a1626;MpKslce4a1626;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B6AC72F-371F-4675-8EBC-B393DC152E50}\MpKslce4a1626.sys [13/08/2011 18:34 28752]
S1 MpKsle4860c9d;MpKsle4860c9d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70E41E0A-F5BE-44BE-8833-C532417CB736}\MpKsle4860c9d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70E41E0A-F5BE-44BE-8833-C532417CB736}\MpKsle4860c9d.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [09/05/2011 13:32 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [09/05/2011 13:32 136176]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [30/03/2009 03:09 239336]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-19 12:33]
.
2011-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-09 12:32]
.
2011-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-09 12:32]
.
2011-08-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 11:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-17 12:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2616)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-17 12:09:03
ComboFix-quarantined-files.txt 2011-08-17 11:09
ComboFix2.txt 2011-08-17 09:50
.
Pre-Run: 31,665,119,232 bytes free
Post-Run: 31,652,577,280 bytes free
.
- - End Of File - - 2F85649248CD648A311608681C586329
 

gaz_dodd

New Member
Here is the most recent HijackThis log:-

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:40:00, on 17/08/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4725 bytes
 
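A small triage parser for the HijackThis log format posted above, added here as an example (it is not part of HijackThis and not code from anyone in this thread). It reads the one-entry-per-line records, pulls out the section code, CLSID and URL, and flags the kinds of entries a helper looks at first: O16 DPF objects fetched from hosts outside an allowlist or pointing at a bare .exe, R0/R1 page URLs on unexpected hosts, and entries marked "(no file)". The allowlists, the flag wording and the sample log (lines taken from the thread plus one constructed hijacked start-page line) are assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Hosts from which ActiveX (DPF) objects are considered expected on this machine.
# Assumption for the example; apple.com.edgesuite.net covers Apple's CDN-hosted
# QuickTime download seen in the thread's log.
TRUSTED_DPF_HOSTS = ("microsoft.com", "apple.com", "apple.com.edgesuite.net", "adobe.com")
# Hosts a browser start/search page is expected to point at (assumption for the example).
EXPECTED_PAGE_HOSTS = ("microsoft.com", "google.co.uk", "google.com")

# HijackThis entry lines look like "O16 - DPF: {CLSID} - http://..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://[^\s]+")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str                 # HijackThis section code, e.g. "O16"
    body: str                 # everything after "CODE - "
    clsid: Optional[str]      # first {GUID} in the body, if any
    url: Optional[str]        # first http(s) URL in the body, if any
    flags: List[str] = field(default_factory=list)


def host_matches(host: str, domains) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers, process lists and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    url = URL_RE.search(body)
    return Entry(m.group("code"), body,
                 clsid.group(0) if clsid else None,
                 url.group(0) if url else None)


def triage(entry: Entry) -> Entry:
    """Attach review flags to an entry; an empty flags list means nothing stood out."""
    parsed = urlparse(entry.url) if entry.url else None
    host = (parsed.hostname or "").lower() if parsed else ""
    if entry.code == "O16" and parsed:
        if not host_matches(host, TRUSTED_DPF_HOSTS):
            entry.flags.append(f"ActiveX object fetched from non-allowlisted host {host}")
        if parsed.path.lower().endswith(".exe"):
            entry.flags.append("DPF entry points at a bare .exe rather than a CAB package")
    if entry.code in ("R0", "R1") and parsed and not host_matches(host, EXPECTED_PAGE_HOSTS):
        entry.flags.append(f"browser page/search URL set to unexpected host {host}")
    if "(no file)" in entry.body:
        entry.flags.append("orphaned entry: the referenced file no longer exists")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse and triage every entry line in a HijackThis log."""
    return [triage(e) for e in (parse_line(ln) for ln in text.splitlines()) if e]


def flagged(text: str) -> List[Entry]:
    """Only the entries that received at least one review flag."""
    return [e for e in triage_log(text) if e.flags]


# Sample log: lines copied from the thread above, plus one constructed hijacked
# HKLM start page (third line) so the R0 check has something to fire on.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Running processes:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.example-search.invalid/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(e.code, e.clsid or "-", "|", "; ".join(e.flags))
```

A flag is a prompt to look at the entry, not a verdict: the allowlists have to be tuned per machine, and a vendor object served from a CDN would be flagged until its host is added.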

johnb35

Administrator
Staff member
I don't see any issues that would be causing you to not have internet. Are you only using Internet Explorer to surf the web? If so, then it's possible that there has been a proxy enabled.

Open internet options, click on the connections tab, click on the lan settings button, uncheck the boxes under proxy settings if they are checked.

Are you using wireless on the machine that can't get online or a wired connection?
 

gaz_dodd

New Member
I am using wireless; my Ethernet port is broken so wired isn't an option. It's not that I can't use the internet, I can't even connect to the network. If I go into Device Manager I get a "code 37" on the following:-

-Atheros AR5005G Wireless Network Adapter - Packet Scheduler Miniport
-VIA RhineII Fast Ethernet Adapter - Packet Scheduler Miniport
-WAN Miniport (IP)
-WAN Miniport (IP) - Packet Scheduler Miniport
-WAN Miniport (L2TP)
-WAN Miniport (PPPOE)
-WAN Miniport (PPTP)

The actual wireless adapter is working fine, it's just not able to load these drivers.
 

johnb35

Administrator
Staff member
Do me a favor, go back into Device Manager and click on the view menu and uncheck "show hidden devices". Then you should only see 2 entries under network adapters, the VIA and Atheros devices. Can you give me a screen shot of Device Manager at this point?
 

gaz_dodd

New Member
Sorry it took so long to get back to you, I'm having a bit of trouble getting the laptop to turn on.

When I press the power button the power light and the wireless light come on, so does the fan, but apart from that it doesn't do anything.

I'll keep trying and post back when I get it on.
 

gaz_dodd

New Member
Hi, Thanks for being so patient, I got it started yesterday and I got the screen shots, I'll post them up tomorrow when I have the memory stick if you still want them.

A bit of an update,

The laptop will start every 30th try or so

I borrowed an XP disk from my dad but when I try to reformat it just crashes. I've managed to get it on about 5 times; it loads the CD and it will go for a couple of minutes but then I get the blue screen.

I've also got a few phone calls claiming to be from Microsoft saying that they have detected malicious software on my computer. I already know that Microsoft don't ever contact you about that sort of thing, could this be a scam? (not that it matters if I can't even turn the thing on ;) )

Thanks
 

johnb35

Administrator
Staff member
They are not from Microsoft and it's a scam to allow them access into your system and actually infect it, so they can access it anytime they want. Just hang up the phone if they call back again or tell them they will be reported if they call back again. Microsoft will not know if your machine is infected or not.
 

gaz_dodd

New Member
Thanks for the quick response,

That's exactly what I thought. I just told them that I would fix it myself and asked them not to call back; it didn't stop them doing it anyway, but next time I'll try to take a contact detail and report them to Microsoft.

Next post will be the screen shots
 

gaz_dodd

New Member
Here is the Device Manager screen shot. All of the code 37 drivers are new, they came up when the wireless went off; if I try to uninstall them it says I can't because they may be bootable devices.

Sorry the pic isn't too good, I seem to have lost a lot of the quality when I uploaded it
 

gaz_dodd

New Member
What is the model number of the laptop you have? You should get the driver from the laptop manufacturer, but try downloading this driver and installing it.

http://www.atheros.cz/atheros-wireless-download.php?chipset=9&system=1

When the page loads, click on the green box that says click for download in the first section you come to.

I tried reinstalling the driver using the disc that came with the laptop but it made no difference. I then tried restoring the laptop to a previous state and that made no difference either. It's an Amilo Pro V3515 by the way.
 

gaz_dodd

New Member
This is really weird. I've turned off the wireless, uninstalled the drivers that will allow me to and disabled the rest of the code 37 devices, and now it starts fine. It will still cut out randomly though.

I now have 2 network connections in my control panel and my wireless network connection has been renamed to "network connection 6"

I also have a new icon in control panel, I'm pretty sure it wasn't there before it's called "Data Sources (ODBC)"

Sorry to bombard you with posts, I'm trying to get as much info in as I can.
 

johnb35

Administrator
Staff member
Every time you create a new connection it adds to the previous one. You can rename it and delete the 6 out. If it cuts out then it's either a failing wireless card or something with your router.
 