100 replies to this topic

[drmsucks]

I'm sorry - here's the log from the OTL fixes; I was trying to post it when I discovered no connection:

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-227526022-1529045750-4239863398-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-227526022-1529045750-4239863398-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-227526022-1529045750-4239863398-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD\\http deleted successfully.
C:\Documents and Settings\Patti Orchowski\Start Menu\Programs\Windows XP Recovery folder moved successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET6C.tmp deleted successfully.
C:\WINDOWS\System32\SET78.tmp deleted successfully.
C:\WINDOWS\System32\SET81.tmp deleted successfully.
C:\WINDOWS\System32\SET82.tmp deleted successfully.
C:\WINDOWS\System32\SET83.tmp deleted successfully.
C:\WINDOWS\System32\SET86.tmp deleted successfully.
C:\WINDOWS\002664_.tmp deleted successfully.
C:\Documents and Settings\All Users\Application Data\~19717924r moved successfully.
C:\Documents and Settings\All Users\Application Data\~19717924 moved successfully.
C:\Documents and Settings\All Users\Application Data\19717924 moved successfully.
C:\Documents and Settings\All Users\Application Data\Avg7 folder moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32969 bytes
->Flash cache emptied: 41 bytes

User: Joseph Orchowski
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 452719 bytes
->Java cache emptied: 91219364 bytes
->FireFox cache emptied: 85101492 bytes
->Flash cache emptied: 33868 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
->Flash cache emptied: 11111 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Owner
->Temp folder emptied: 0 bytes

User: Patti Orchowski
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1188234 bytes
->Java cache emptied: 109949548 bytes
->FireFox cache emptied: 59278560 bytes
->Flash cache emptied: 93466 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 59136 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 331.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Joseph Orchowski
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService

User: Owner

User: Patti Orchowski
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\: LSP stack updated.

OTL by OldTimer - Version 3.2.23.0 log created on 05232011_212928

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

[Broni]

OK, system restore, most likely rebuilt those entries, so I want you to run OTL fix again, but as I said before, remove three O10 entries from my script.

[drmsucks]

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-227526022-1529045750-4239863398-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk moved successfully.
Registry key HKEY_USERS\S-1-5-21-227526022-1529045750-4239863398-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost\ not found.
Registry key HKEY_USERS\S-1-5-21-227526022-1529045750-4239863398-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD not found.
C:\Documents and Settings\Patti Orchowski\Start Menu\Programs\Windows XP Recovery folder moved successfully.
File/Folder C:\WINDOWS\System32\*.tmp not found.
File/Folder C:\WINDOWS\*.tmp not found.
File C:\Documents and Settings\All Users\Application Data\~19717924r not found.
File C:\Documents and Settings\All Users\Application Data\~19717924 not found.
File C:\Documents and Settings\All Users\Application Data\19717924 not found.
C:\Documents and Settings\All Users\Application Data\Avg7 folder moved successfully.
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 .
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Joseph Orchowski
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 11881472 bytes
->FireFox cache emptied: 1511706 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 0 bytes

User: Patti Orchowski
->Temp folder emptied: 13932 bytes
->Temporary Internet Files folder emptied: 805012 bytes
->Java cache emptied: 11881472 bytes
->FireFox cache emptied: 4970187 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 30.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Joseph Orchowski
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService

User: Owner

User: Patti Orchowski
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.23.0 log created on 05232011_223050

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

[Broni]

OK, continue with other steps from my reply #32.

Also, give me an exact error message regarding Windows firewall.

[drmsucks]

All done except for ESET. Security Check log after picture...

Here is the error when I try to start the Firewall service manually:



Log

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
avast! Free Antivirus
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java™ 6 Update 25
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.0.45.2
Adobe Reader 9.2
Out of date Adobe Reader installed!
Mozilla Firefox (3.5.19) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
``````````End of Log````````````

[Broni]

I assume, this computer is behind a router, correct?

First, give me this log....

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE

• Double-click SystemLook.exe to run it.
• Vista\Win 7 users:: Right click on SystemLook.exe, click Run As Administrator
• Copy the content of the following box into the main textfield:
  

  :filefind
  ipnathlp.dll 
  ipnat.sys
  

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Then....

Update Firefox to the latest 4.0 version.

Uninstall Java™ 6 Update 7

Update Adobe Reader

You can download it from http://www.adobe.com.../readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

[drmsucks]

I'll get FF and Reader updated.

Ran Java Ra twice and looked manually for Java 6 Rel 7 in Add/Remove and I can't find it...

SystemLook 04.09.10 by jpshortstuff
Log created at 23:20 on 23/05/2011 by Patti Orchowski
Administrator - Elevation successful

========== filefind ==========

Searching for "ipnathlp.dll "
C:\i386\ipnathlp.dll --a---- 331264 bytes [01:59 10/06/2007] [10:00 04/08/2004] 36CC8C01B5E50163037BEF56CB96DEFF
C:\WINDOWS\$NtServicePackUninstall$\ipnathlp.dll -----c- 331264 bytes [12:37 02/09/2008] [10:00 04/08/2004] 36CC8C01B5E50163037BEF56CB96DEFF
C:\WINDOWS\ServicePackFiles\i386\ipnathlp.dll ------- 331264 bytes [20:34 27/08/2008] [00:11 14/04/2008] 83F41D0D89645D7235C051AB1D9523AC
C:\WINDOWS\system32\ipnathlp.dll --a---- 331264 bytes [17:51 10/08/2004] [00:11 14/04/2008] 83F41D0D89645D7235C051AB1D9523AC

Searching for "ipnat.sys"
C:\i386\ipnat.sys --a---- 134912 bytes [01:59 10/06/2007] [22:28 29/09/2004] E2168CBC7098FFE963C6F23F472A3593
C:\WINDOWS\$hf_mig$\KB886185\SP2QFE\ipnat.sys --a--c- 134912 bytes [18:51 09/06/2007] [22:31 29/09/2004] 5191673215C91FF13CEAA83EF8E9653F
C:\WINDOWS\$NtServicePackUninstall$\ipnat.sys -----c- 134912 bytes [12:36 02/09/2008] [22:28 29/09/2004] E2168CBC7098FFE963C6F23F472A3593
C:\WINDOWS\$NtUninstallKB886185$\ipnat.sys -----c- 134912 bytes [22:21 09/06/2007] [10:00 04/08/2004] B5A8E215AC29D24D60B4D1250EF05ACE
C:\WINDOWS\ServicePackFiles\i386\ipnat.sys ------- 152832 bytes [20:34 27/08/2008] [18:57 13/04/2008] CC748EA12C6EFFDE940EE98098BF96BB
C:\WINDOWS\system32\drivers\ipnat.sys --a---- 152832 bytes [17:51 10/08/2004] [18:57 13/04/2008] 030E7CE8D1053F15A8C04F0B8D0CD4CB

-= EOF =-

[Broni]

Those files are present and in correct locations, unless they're corrupted.
We'll check it in a moment, but I want to search little bit more.

You do your things in a meantime.

Leave that Java entry alone.

[drmsucks]

Updating Reader and FF now - then, I'll head to ESET.

[drmsucks]

Perhaps the rootkit or one of the viruses borked Windows Firewall?

[Broni]

Download, install, and run WinSockFix: http://www.softpedia...inSockFix.shtml (doesn't work in Vista and 7)
Restart computer, and check again.

If that doesn't work...
Download Dial-A-Fix (DAF) (doesn't work in Vista and 7):
http://wiki.lunarsof...2C_and_articles

Have XP CD available in case DAF needs a file. Likely not!

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here, one at a time, do the below:

Reinstall BITS
Reinstall Windows Firewall
Repair Permissions
Reset networking

Watch for any File not found or other errors and make note as this may lead to the fix!

Restart computer.

[Broni]

Quote

Perhaps the rootkit or one of the viruses borked Windows Firewall?

Possible.

[Broni]

Don't run Eset yet.

[drmsucks]

Broni, on 24 May 2011 - 04:39 AM, said:

Don't run Eset yet.

Okay - running WinSockFix now...

[Broni]

OK :)

[drmsucks]

No joy with WinSockFix - trying DAF next.

[Broni]

OK...

[Broni]

Going to bed, so if DAF won't help, set Eset to run and we'll deal with the firewall tomorrow.
I may be home earlier.

[drmsucks]

No joy with DAF - still get the same error when trying to start the Firewall service.

During the DAF run, it gave the following errors: Error 127: C:\Windows\System32\iesetup.dll is not registerable or the file is corrupted. Your version of iesetup.dll is: 8.00.6001.18702. Please contact so that an exception can be made for your version of this file. Also the same error for: imgutil.dll, inseng.dll, mshtml.dll, msrating.dll, oocache.dll, pngfilt.dll and webcheck.dll.

Everything else seems to be working fine.

P.S. Just tried IE - opens and surfs fine.

[drmsucks]

Thanks - Good Night!