[Inactive] Friends pc will not get on the internet


114 replies to this topic

#41 vossy

    Member

  • 135 posts
  • Joined: December 29, 2010
  • 5 topics
  • Skin: IP.Board
  • Local time: 06:22 PM
  • Zodiac:Aquarius
  • OS:Windows XP
  • Country:
Offline
  • Time Online: 4h 31m 9s

Posted 20 June 2011 - 02:44 AM

The RkUnhooker tells me it will not run in Safe Mode. I cannot boot to Windows, as all I get is a light blue screen.

#42 Broni Re: [Inactive] Friends pc will not get on the internet

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 05:22 PM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 9h 20m 27s

Posted 20 June 2011 - 02:46 AM

My bad. It won't run in Safe Mode.

Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.


#43 vossy

Posted 20 June 2011 - 02:54 AM

Broni, I will again have to wait until Monday. I have to get up for work early in the morning. I will be back with results Monday. THANKS AGAIN. Vossy

#44 Broni

Posted 20 June 2011 - 02:55 AM

No problem :)

At least, we're getting somewhere...

#45 vossy

Posted 20 June 2011 - 09:02 PM

I downloaded it, and when I click to run the program nothing happens. I have the program extracted to the desktop, but it will not run. Any suggestions on how to make it run?

#46 Broni

Posted 20 June 2011 - 10:46 PM

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If ComboFix asks you to install Recovery Console, please allow it.
    NOTE 2. If ComboFix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no internet connection after running ComboFix, then restart your computer to restore your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled, as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you uninstall AVG first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



Make sure you re-enable your security programs when you're done with ComboFix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the ComboFix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

#47 vossy

Posted 21 June 2011 - 01:00 AM

ComboFix 11-06-17.04 - Administrator 06/20/2011 20:45:49.2.1 - x86 NETWORK
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2048.1582 [GMT -5:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Outdated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: ZoneAlarm Extreme Security Firewall *Disabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
SP: avast! Antivirus *Enabled/Outdated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ZoneAlarm Extreme Security Anti-Spyware *Disabled/Outdated* {52279396-A3A0-FED7-C02E-6E9598AA3098}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\ttys4saxdo.dll
c:\windows\system32\xdsaxdotty.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-05-21 to 2011-06-21 )))))))))))))))))))))))))))))))
.
.
2011-06-21 01:52 . 2011-06-21 01:55 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-06-21 01:52 . 2011-06-21 01:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-20 03:50 . 2011-06-20 03:50 0 ---ha-w- c:\users\Administrator\AppData\Local\BIT3CD7.tmp
2011-06-20 03:41 . 2011-06-20 03:44 35712 ----a-w- c:\windows\system32\drivers\BlackBox.sys
2011-06-12 01:48 . 2011-06-12 01:48 0 ---ha-w- c:\users\Administrator\AppData\Local\BIT268A.tmp
2011-06-12 01:15 . 2011-06-12 01:15 -------- d-----w- c:\users\Administrator\AppData\Local\{73B501C8-94B5-439A-8B87-E7B70C2AD2BC}
2011-06-08 01:37 . 2011-06-08 01:37 -------- d-----w- c:\users\Administrator\AppData\Local\{732C03EA-E97A-4864-8F1C-DDEBC352D079}
2011-06-07 01:41 . 2011-06-07 01:41 -------- d-----w- c:\users\Administrator\AppData\Local\{FE2AC577-9A0F-4210-9FD9-A00ECD21D36B}
2011-06-04 01:34 . 2011-06-04 01:34 -------- d-----w- c:\users\Administrator\AppData\Local\{9E34AF50-455A-4A4E-96FA-2C0BE3F11418}
2011-06-03 01:30 . 2011-06-03 01:30 -------- d-----w- c:\users\Administrator\AppData\Local\{ECC3EA3B-37D1-497C-81C1-5E9EB477F564}
2011-06-02 01:12 . 2011-06-18 23:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 00:39 . 2011-06-02 00:39 -------- d-----w- c:\users\Administrator\AppData\Local\{23617050-411B-490D-BE54-8751D1ADD7B0}
2011-06-02 00:29 . 2011-06-02 00:29 -------- d-----w- c:\users\Administrator\AppData\Roaming\Blitware
2011-05-31 00:09 . 2011-05-31 00:09 -------- d-----w- c:\users\Administrator\AppData\Local\{9780543A-4396-445E-87F5-BAFFDD1BCDE8}
2011-05-30 00:29 . 2011-05-30 00:30 -------- d-----w- c:\users\Administrator\AppData\Local\{054998F7-3184-4CB1-B9A1-124C214DBFF7}
2011-05-28 00:17 . 2011-05-28 00:17 -------- d-----w- c:\users\Administrator\AppData\Local\{0281FC78-4B03-4985-B757-536424DA5DF4}
2011-05-27 00:30 . 2011-05-27 00:30 -------- d-----w- c:\users\Administrator\AppData\Local\{9E7A6AB3-4060-4F5C-9F56-F390489D1DB4}
2011-05-26 01:05 . 2011-05-26 01:05 -------- d-----w- c:\users\Administrator\AppData\Local\{62A67B44-8DCE-40FE-9E6D-DCCC75B04800}
2011-05-25 00:23 . 2011-05-25 00:23 -------- d-----w- c:\users\Administrator\AppData\Local\{9FB2F8EA-0DEE-42D1-89D8-7C5C9554EB7D}
2011-05-24 00:39 . 2011-05-24 00:39 -------- d-----w- c:\users\Administrator\AppData\Local\{E84D3AD4-AA80-47B2-A306-AF36B75145ED}
2011-05-23 00:24 . 2011-05-23 00:24 -------- d-----w- c:\users\Administrator\AppData\Local\{82F10169-4113-440C-90D5-C6FAA3175B67}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-21 01:16 . 2011-04-11 22:23 742884 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-05-29 14:11 . 2011-04-13 01:31 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-03 08:15 . 2011-05-03 08:16 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-12 20:55 . 2011-04-12 20:55 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2011-04-12 20:54 . 2011-04-12 20:54 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2011-04-01 00:54 . 2011-04-01 00:54 737072 ---ha-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-7\Microsoft.MediaCenter.Sports.UI.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-12-09 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-09-29 03:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\zone labs\ZoneAlarm\zlclient.exe" [2010-08-29 1039360]
"USB Security"="c:\usb disk security\USBGuard.exe" [2011-01-29 623520]
"UnlockerAssistant"="c:\unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"Driver Fetch"="c:\program files\Driver Fetch\Driver Fetch.lnk" [2011-05-12 1062]
"USB Antivirus"="c:\usb disk security\USBGuard.exe" [2011-01-29 623520]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-29 136176]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2010-08-27 26352]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-29 136176]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [2010-08-27 35568]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-09 1343400]
R4 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2010-08-27 493032]
S0 BlackBox;BlackBox SR2; [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-12 c:\windows\Tasks\Driver Fetch.job
- c:\program files\Driver Fetch\Driver Fetch.lnk [2011-05-12 01:53]
.
2011-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc085f5836d76.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-29 02:05]
.
2011-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc085f6363dd4.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-29 02:05]
.
2011-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1616981083-1480137869-1766554341-500Core.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-19 00:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
TCP: DhcpNameServer = 24.177.176.38 97.81.22.195 24.178.162.3
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,37,6d,5b,a1,70,95,f9,40,bf,ff,bb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6e,a1,9d,f5,c5,30,2d,4d,ad,14,06,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ea,f2,8e,3b,c9,a9,e2,47,8a,75,f8,\
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3G2"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3GP"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3G2"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3GP"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADT\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADTS\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AVI"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.log\UserChoice]
@Denied: (2) (Administrator)
"Progid"="txtfile"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2t\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.m3u"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M4A"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mod\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MOV"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.TTS"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.TTS"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAV"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"
.
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ea,f2,8e,3b,c9,a9,e2,47,8a,75,f8,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ea,f2,8e,3b,c9,a9,e2,47,8a,75,f8,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-06-20 20:59:18
ComboFix-quarantined-files.txt 2011-06-21 01:59
.
Pre-Run: 58,115,919,872 bytes free
Post-Run: 61,126,004,736 bytes free
.
- - End Of File - - D335EDA7F0F3784EE6E2AFD5B8CA7434

#48 vossy

Posted 21 June 2011 - 01:01 AM

I also removed Avast from Add/Remove Programs, but I see in ComboFix it is still there???

#49 Broni

Posted 21 June 2011 - 01:08 AM

Quote
    I also removed Avast from Add/Remove Programs, but I see in ComboFix it is still there???
Most likely, some leftovers. We'll take care of them.

Uninstall Ask Toolbar, which is known foistware.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box
  • Click OK
Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

SecCenter::
{2B2D1395-420B-D5C9-657E-930FE358FC3C}
{904CF271-6431-DA47-5FCE-A87D98DFB681}


File::
c:\users\Administrator\AppData\Local\BIT3CD7.tmp
c:\users\Administrator\AppData\Local\BIT268A.tmp

FCopy::
c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll|c:\windows\System32\user32.dll

Driver::
BlackBox

RegLock::
[HKEY_USERS\S-1-5-21-1616981083-1480137869-1766554341-500\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]



3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Image: animation of CFScript.txt being dragged onto ComboFix.exe]


6. After reboot (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
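What the script above does by hand is read findings out of the ComboFix log in post #47 and turn them into CFScript directives: the Sigcheck section shows the live c:\windows\System32\user32.dll with a different MD5 from the WinSxS copy of the same version and size (a patched system file, repaired with FCopy::), the two avast! entries under AV:/SP: are stale Security Center registrations (SecCenter::), S0 BlackBox [x] is a boot-start driver whose file is gone (Driver::), and the @Denied keys are ACL-locked (RegLock::). The same log also shows EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all set to 0, meaning UAC was switched off entirely. The Python below is an added example for this thread, not code from ComboFix or from either poster: it parses those line formats, flags the UAC state, and drafts the matching CFScript sections. The sample input is constructed from lines of the posted log; the function names and the removed_products parameter are this example's own. It deliberately leaves the File:: section out, because deciding which temp files to delete is a judgment the log alone does not settle, and any draft it produces is something for a trained helper to review, not to run blind.

```python
"""Triage a ComboFix log excerpt and draft CFScript sections from it.

Added example for this thread, not code from ComboFix or from the posters.
SAMPLE_LOG is constructed from lines of the log in post #47; the function
names and the removed_products parameter are this example's own choices.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
AV: avast! Antivirus *Enabled/Outdated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: ZoneAlarm Extreme Security Firewall *Disabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
SP: avast! Antivirus *Enabled/Outdated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
------- Sigcheck -------
[-] 2010-12-09 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
S0 BlackBox;BlackBox SR2; [x]
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
"""

# Sigcheck row: [tag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(r"^\[(?P<tag>[^\]]*)\]\s+\S+\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+\d+"
                         r"\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$")
# Security Center registration: AV:/FW:/SP: product *state* {instance GUID}
SECCENTER_RE = re.compile(r"^(?P<kind>AV|FW|SP):\s+(?P<product>.+?)\s+\*(?P<state>[^*]+)\*\s+"
                          r"(?P<guid>\{[0-9A-Fa-f-]{36}\})\s*$")
# Service/driver still registered but with no file on disk: ComboFix marks it [x]
MISSING_SVC_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;\s*\[x\]\s*$")
UAC_RE = re.compile(r'^"(?P<name>EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)"=\s*(?P<value>\d+)')


def _lines(log):
    return [ln.strip() for ln in log.splitlines() if ln.strip()]

def parse_sigcheck(log):
    """Sigcheck rows as dicts with keys tag, md5, ver, path."""
    return [m.groupdict() for m in map(SIGCHECK_RE.match, _lines(log)) if m]

def sigcheck_mismatches(rows):
    """Pair each live system file with a WinSxS copy of the same name and version
    whose MD5 differs (a patched file). Returns [(backup_path, live_path), ...]."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["path"].rsplit("\\", 1)[-1].lower(), r["ver"])].append(r)
    pairs = []
    for same_file in groups.values():
        live = [r for r in same_file if "\\winsxs\\" not in r["path"].lower()]
        backup = [r for r in same_file if "\\winsxs\\" in r["path"].lower()]
        pairs += [(b["path"], a["path"]) for a in live for b in backup
                  if a["md5"].upper() != b["md5"].upper()]
    return pairs

def security_center(log):
    """AV/FW/SP registrations with their reported state and GUID."""
    return [m.groupdict() for m in map(SECCENTER_RE.match, _lines(log)) if m]

def uac_settings(log):
    """UAC policy values listed under policies\\system, as ints (0 = off)."""
    return {m["name"]: int(m["value"]) for m in map(UAC_RE.match, _lines(log)) if m}

def missing_file_services(log):
    """Names of services/drivers whose registry entry survives but whose file is gone."""
    return [m["name"] for m in map(MISSING_SVC_RE.match, _lines(log)) if m]

def locked_keys(log):
    """Registry keys the log lists with an @Denied ACL line right after them."""
    ls = _lines(log)
    return [k for k, nxt in zip(ls, ls[1:]) if k.startswith("[HKEY") and nxt.startswith("@Denied")]

def draft_cfscript(log, removed_products=()):
    """Draft the CFScript sections a helper would write from these findings.
    removed_products: name fragments of products already uninstalled, whose
    Security Center entries are stale. File:: is left to human judgment."""
    sections = []
    guids = [e["guid"] for e in security_center(log)
             if any(p.lower() in e["product"].lower() for p in removed_products)]
    pairs = sigcheck_mismatches(parse_sigcheck(log))
    drivers = missing_file_services(log)
    keys = locked_keys(log)
    if guids:
        sections.append("SecCenter::\n" + "\n".join(guids))
    if pairs:
        sections.append("FCopy::\n" + "\n".join(f"{b}|{a}" for b, a in pairs))
    if drivers:
        sections.append("Driver::\n" + "\n".join(drivers))
    if keys:
        sections.append("RegLock::\n" + "\n".join(keys))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    if uac_settings(SAMPLE_LOG).get("EnableLUA") == 0:
        print("UAC is off (EnableLUA=0): every process already runs with full admin rights\n")
    print(draft_cfscript(SAMPLE_LOG, removed_products=("avast!",)))
```

Run against the sample, the draft reproduces the SecCenter::, FCopy::, Driver:: and RegLock:: lines from the reply above for the PCW key; the two HKEY_USERS/HKLM "User Preferences" keys in the full log would be picked up the same way because each is followed by an @Denied line. The MD5 comparison only pairs files with matching name and version, so a WinSxS copy from a later update is never proposed as the restore source.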


#50 vossy

Posted 21 June 2011 - 02:36 AM

Broni, I ran the script you showed, and it rebooted. It showed that the copy of Windows is not a valid copy. I think, from seeing that, I will have to tell him we are through with it. I really appreciate your help, and I am sorry I wasted so much of your time. There was no way I could have known, but I refuse to help anyone who has not told me all the truth. I will just wipe the drive clean and let him pick up the PC. Thanks again for your great help. I at least learned a lot about removing all the bad things. vossy

#51 Broni Re: [Inactive] Friends pc will not get on the internet

Posted 21 June 2011 - 02:40 AM

Sometimes, that's the fastest way to solve the issue.
Especially if he didn't have any important data there.

Unless you want us to continue....

#52 vossy Re: [Inactive] Friends pc will not get on the internet

Posted 21 June 2011 - 02:47 AM

If we continue, will the computer work if the Windows 7 is not valid? Maybe the Trojan messed up something and it is valid?? Not very likely, I suppose? Anyway, we can keep trying if you want. I will leave it up to you. I am willing if you want to help me. He did tell me he bought the software and downloaded it online for the ZoneAlarm. That is about all that would be an issue for him. I know his money is tight, as his wife has all sorts of health problems. That's why I was helping him, because I know for a fact he needs help. THANKS again.

#53 Broni Re: [Inactive] Friends pc will not get on the internet

Posted 21 June 2011 - 03:00 AM

When exactly does the message pop up, what is the exact wording of the error and.....does the computer boot all the way to Windows?
Can you operate Windows normally?
Does the message give you an option to validate Windows?

#54 vossy Re: [Inactive] Friends pc will not get on the internet

Posted 21 June 2011 - 11:16 PM

It now boots to the desktop fine. At the bottom right of the screen it shows this:

!!Windows 7
Build 7600
This copy of windows is not genuine!!
I get no option to validate. Windows seems to work great now, but I am betting this copy of Windows will not update. vossy

#55 vossy Re: [Inactive] Friends pc will not get on the internet

Posted 21 June 2011 - 11:30 PM

Not sure if this will do us any good, but I got RkUnhooker to run:
RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7600
Number of processors #1
==============================================
>Drivers
==============================================
0x8F001000 C:\Windows\system32\DRIVERS\kl1.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0x82819000 C:\Windows\system32\ntoskrnl.exe 4198400 bytes (Microsoft Corporation, NT Kernel & System)
0x82819000 PnpManager 4198400 bytes
0x82819000 RAW 4198400 bytes
0x82819000 WMIxWDM 4198400 bytes
0x90002000 C:\Windows\system32\drivers\RTKVAC.SYS 4169728 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0x92900000 Win32k 2404352 bytes
0x92900000 C:\Windows\System32\win32k.sys 2404352 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x89819000 C:\Windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)
0x8940C000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
0x895ED000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
0x8346B000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
0x9121D000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x8F5AD000 C:\Windows\system32\DRIVERS\vsdatant.sys 565248 bytes (Check Point Software Technologies LTD, ZoneAlarm Firewalling Driver)
0x910ED000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x83516000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x8F709000 C:\Windows\system32\drivers\csc.sys 409600 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
0x89579000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
0x8F521000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x9133B000 C:\Windows\System32\DRIVERS\srv.sys 331776 bytes (Microsoft Corporation, Server driver)
0x912EC000 C:\Windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x89AF2000 C:\Windows\system32\DRIVERS\klif.sys 319488 bytes (Kaspersky Lab, Klif Mini-Filter [fre_wlh_x86])
0x89707000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x83644000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x83595000 C:\Windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
0x9100A000 C:\Windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x83429000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
0x8F6A8000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x8999C000 C:\Windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x896A4000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
0x911C0000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x82C1A000 ACPI_HAL 225280 bytes
0x82C1A000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x836F0000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x89781000 C:\Windows\system32\drivers\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
0x89A39000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
0x8F57B000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x89962000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x89752000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x899F4000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
0x8F7D2000 C:\Windows\system32\DRIVERS\1394ohci.sys 180224 bytes (Microsoft Corporation, 1394 OpenHCI Driver)
0x8953B000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x835EE000 C:\Windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x89A7C000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
0x896E2000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
0x836C4000 C:\Windows\system32\DRIVERS\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x9119D000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x8377E000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x912BE000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
0x8F793000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x89B5A000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x9138C000 C:\Windows\system32\DRIVERS\WUDFRd.sys 135168 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Reflector)
0x89AD3000 C:\Windows\system32\DRIVERS\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x8F63E000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x9108D000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x911FB000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x8F66B000 C:\Windows\system32\DRIVERS\serial.sys 106496 bytes (Microsoft Corporation, Serial Device Driver)
0x910A8000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x91172000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x89800000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
0x8F76D000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x897D7000 C:\Windows\system32\DRIVERS\i8042prt.sys 98304 bytes (Microsoft Corporation, i8042 Port Driver)
0x897BF000 C:\Windows\system32\DRIVERS\parport.sys 98304 bytes (Microsoft Corporation, Parallel Port Driver)
0x83766000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x837A0000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x92B50000 C:\Windows\System32\drivers\dxg.sys 94208 bytes (Microsoft Corporation, DirectX Graphics Driver)
0x837B8000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x837CF000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x89BB9000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
0x91074000 C:\Windows\system32\DRIVERS\USBSTOR.SYS 94208 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0x913AD000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x836A5000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
0x89566000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x910D2000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8F685000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x83754000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
0x9118B000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8F7B4000 C:\Windows\system32\DRIVERS\amdppm.sys 69632 bytes (Microsoft Corporation, Processor Device Driver)
0x89A6B000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x913E4000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
0x83724000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x9104E000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x83623000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
0x83410000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x899DB000 C:\Windows\system32\DRIVERS\uagp35.sys 69632 bytes (Microsoft Corporation, MS AGPv3.5 Filter)
0x910C2000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x89A21000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
0x8F698000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)
0x83634000 C:\Windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
0x89BE6000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x8F785000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
0x8F65D000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x89BAB000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x83697000 C:\Windows\system32\DRIVERS\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x895D6000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
0x837F0000 C:\Windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x83587000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x83747000 C:\Windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
0x913C3000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x8373A000 C:\Windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
0x897EF000 C:\Windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
0x912DF000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x8F7C5000 C:\Windows\system32\DRIVERS\vgapnp.sys 53248 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x89B7B000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x8F6FD000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
0x89B4E000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x913D0000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x89BF5000 C:\Windows\system32\DRIVERS\fetn62.sys 45056 bytes (VIA Technologies, Inc. , NDIS 6.2 miniport driver)
0x83405000 C:\Windows\system32\mcupdate_AuthenticAMD.dll 45056 bytes (Microsoft Corporation, AMD Microcode Update Library)
0x91069000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
0x89BA0000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x89400000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x89BD0000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x89BDB000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x83618000 C:\Windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
0x9105F000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8F6F3000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x8F6E9000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x837E6000 C:\Windows\system32\DRIVERS\rdpbus.sys 40960 bytes (Microsoft Corporation, Microsoft RDP Bus Device driver)
0x912B4000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x897B5000 C:\Windows\system32\DRIVERS\serenum.sys 40960 bytes (Microsoft Corporation, Serial Port Enumerator)
0x836E7000 C:\Windows\system32\DRIVERS\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
0x836BB000 C:\Windows\system32\DRIVERS\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x913F5000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0x913DB000 C:\Windows\System32\Drivers\dump_atapi.sys 36864 bytes
0x895E4000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x92B80000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x89993000 C:\Windows\system32\DRIVERS\vmstorfl.sys 36864 bytes (Microsoft Corporation, Virtual Storage Filter Driver)
0x835DD000 C:\Windows\system32\DRIVERS\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x83421000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x92800000 C:\Windows\System32\framebuf.dll 32768 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x89A31000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
0x910E5000 C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys 32768 bytes (Check Point Software Technologies, ZoneAlarm ForceField)
0x80BB0000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
0x835E6000 C:\Windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x89B88000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x89B90000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
0x89B98000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
0x899EC000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x8368F000 C:\Windows\system32\DRIVERS\viaide.sys 32768 bytes (VIA Technologies, Inc., VIA Generic PCI IDE Bus Driver)
0x89B47000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x89B40000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x91216000 C:\Windows\system32\DRIVERS\parvdm.sys 28672 bytes (Microsoft Corporation, VDM Parallel Driver)
0x8F637000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
0x83735000 C:\Windows\system32\DRIVERS\PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0x903FC000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x9108B000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================
0x85AAAA9B Unknown page with executable code, 1381 bytes
0x85AAD86A Unknown page with executable code, 1942 bytes
0x85AAF794 Unknown page with executable code, 2156 bytes
0x85AAD78B Unknown page with executable code, 2165 bytes
0x85AAF62D Unknown page with executable code, 2515 bytes
0x85AA9288 Unknown page with executable code, 3448 bytes
0x85AAB19B Unknown page with executable code, 3685 bytes
0x85AADE84 Unknown thread object [ ETHREAD 0x85BA9020 ] TID: 204, 600 bytes
0x85AB0084 Unknown thread object [ ETHREAD 0x85A1D5F0 ] TID: 208, 600 bytes
0x85AAFD58 Unknown page with executable code, 680 bytes
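
A triage script for an RkUnhooker report in the layout just posted, added here as an example (it is not from this thread, from RkU or from Broni's procedure). It assumes the section headers and line format shown above; the embedded sample is constructed from lines of that log plus one placeholder driver name, example_noinfo.sys, and the "usually benign" list is an assumption to tune per case.

```python
"""Triage helper for RkUnhooker (RkU) text reports like the one posted above. Added
example, not part of the thread or of RkU. Parses the '>Drivers' and '>Stealth' sections
and lists what an analyst reads first: drivers with no vendor/description, drivers loaded
from outside the Windows directory, and every Stealth entry (unknown code / threads)."""
import re
from collections import namedtuple
from typing import Dict, List

SEPARATOR = "=" * 46
# e.g. "0x8F001000 C:\Windows\system32\DRIVERS\kl1.sys 5373952 bytes (Vendor, Description)"
DRIVER_RE = re.compile(r"^0x([0-9A-Fa-f]+)\s+(.+?)\s+(\d+) bytes(?:\s+\((.*)\))?$")
# e.g. "0x85AAAA9B Unknown page with executable code, 1381 bytes"
STEALTH_RE = re.compile(r"^0x([0-9A-Fa-f]+)\s+(.+?),\s+(\d+) bytes$")
# RkU lists these kernel-image aliases at the ntoskrnl/hal/win32k base with no path.
KERNEL_ALIASES = {"PnpManager", "RAW", "WMIxWDM", "Win32k", "ACPI_HAL"}
# Assumed benign without version info: dump_* are the crash-dump copies of the
# storage stack and BlackBox.SYS is RkU's own driver. Tune for your environment.
USUALLY_BENIGN = re.compile(r"^(dump_.*|BlackBox\.SYS)$", re.IGNORECASE)
Driver = namedtuple("Driver", "base image size vendor_info")  # vendor_info None if absent


def split_sections(text: str) -> Dict[str, List[str]]:
    """Return {section_name: [lines]} for each '>Name' header; the preamble is dropped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == SEPARATOR:
            continue
        if line.startswith(">"):
            current = line[1:]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_drivers(text: str) -> List[Driver]:
    drivers = []
    for line in split_sections(text).get("Drivers", []):
        m = DRIVER_RE.match(line)
        if m:  # malformed lines are skipped rather than guessed at
            drivers.append(Driver(int(m.group(1), 16), m.group(2), int(m.group(3)), m.group(4)))
    return drivers


def parse_stealth(text: str) -> List[str]:
    """Stealth entries as 'ADDRESS description (N bytes)' strings."""
    items = []
    for line in split_sections(text).get("Stealth", []):
        m = STEALTH_RE.match(line)
        if m:
            items.append(f"0x{int(m.group(1), 16):08X} {m.group(2)} ({m.group(3)} bytes)")
    return items


def triage(text: str) -> Dict[str, List[str]]:
    """Items worth a closer look, grouped by the reason they were flagged."""
    drivers = parse_drivers(text)
    return {
        "unattributed": [d.image for d in drivers
                         if d.vendor_info is None and d.image not in KERNEL_ALIASES
                         and not USUALLY_BENIGN.match(d.image.rsplit("\\", 1)[-1])],
        "outside_windows": [d.image for d in drivers if "\\" in d.image
                            and not d.image.lower().startswith("c:\\windows\\")],
        "stealth": parse_stealth(text),
    }


# Constructed excerpt in the report's format; example_noinfo.sys is a placeholder name.
SAMPLE_REPORT = r""">Drivers
==============================================
0x82819000 C:\Windows\system32\ntoskrnl.exe 4198400 bytes (Microsoft Corporation, NT Kernel & System)
0x82819000 PnpManager 4198400 bytes
0x913E4000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
0x913F5000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0x910E5000 C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys 32768 bytes (Check Point Software Technologies, ZoneAlarm ForceField)
0x8F100000 C:\Windows\system32\DRIVERS\example_noinfo.sys 20480 bytes
==============================================
>Stealth
==============================================
0x85AAAA9B Unknown page with executable code, 1381 bytes
0x85AADE84 Unknown thread object [ ETHREAD 0x85BA9020 ] TID: 204, 600 bytes
"""

if __name__ == "__main__":
    for reason, items in triage(SAMPLE_REPORT).items():
        print(f"{reason}: {items}")
```

Run it against the full report by reading the file into `triage()`; the Stealth entries are what the helper asks about, and anything in "unattributed" is where to start looking.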

#56 Broni Re: [Inactive] Friends pc will not get on the internet

Posted 22 June 2011 - 12:02 AM

Let's see if we can validate your Windows.
See HERE

#57 vossy Re: [Inactive] Friends pc will not get on the internet

Posted 22 June 2011 - 12:29 AM

When I try to do what all the posts show to activate, I get the annoying Ask toolbar popup. I tried to uninstall Ask and it will not remove. Any tips on how to get rid of this thing? vossy

#58 Broni Re: [Inactive] Friends pc will not get on the internet

Posted 22 June 2011 - 12:34 AM

I should have been more specific.
I'm talking about the reply by Afzal Taher (half-way down):
It is possible that Windows 7's Licensing Store may be corrupt or unreadable. Try the below steps to recreate the Store.

1) Open an Internet Browser
2) Type: %windir%\system32 into the browser address bar.
3) Find the file CMD.exe
4) Right-Click on CMD.exe and select 'Run as Administrator'
5) Type: net stop sppsvc (It may ask you if you are sure, select yes)
Note: the Software Protection service may not be running, this is ok.
6) Type: cd %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
7) Type: rename tokens.dat tokens.bar
8) Type: cd %windir%\system32
9) Type: net start sppsvc
10) Type: slui.exe
11) After a couple of seconds the Windows Activation dialog will appear. You may be asked to re-activate and/or re-enter your product key, or Activation may occur automatically.

If you have a product key, then you can reactivate Windows 7.

1. Click the Start button
2. Type: slui.exe 3 and hit the Enter key
3. Type in the Product key from the sticker on your computer
4. Click the Next button.
5. You will be asked if you want to Activate; click OK

You can also activate by phone by following these steps:

1. Click the Start button
2. Type: slui.exe 4 and hit the Enter key
3. Select your location in the drop down menu and click the Next button
4. The next screen provides the number to call to Activate by Phone

How to contact a Microsoft Product Activation Center:

http://support.micro...kb/950929/en=us

#59 vossy Re: [Inactive] Friends pc will not get on the internet

Posted 22 June 2011 - 02:02 AM

Broni, I could not get any of the validation thing to work correctly. I thought there was a way to do this online, but no success yet. When I was typing all the things that you showed me, I got to the last one and I got access denied. I am able to get Windows updates; would that not tell me this copy is legit? I talked to my friend tonight and he tells me he has never seen that notice about Windows not being genuine. He said he paid for Windows 7, as far as he knows. He also said he has lots of data that he needs saving, so I may need to continue fixing this version of Windows. The computer boots fine, but it does take a few minutes to get off the light blue screen and to the Windows desktop. The computer does run great once it gets to the desktop. I think I like 7 now and may buy a copy for my PC. You think we need to see if we can make this thing better? Thanks again. vossy

#60 Broni Re: [Inactive] Friends pc will not get on the internet

Posted 22 June 2011 - 02:08 AM

No problem. We can deal with validation later.

Now....

I need you to run the ComboFix fix from my reply #49.

When done, post a fresh log from RKUnhooker and see if TDSSKiller will run.




