Rootkit and Device Manager Problems

I have a Dell computer with Windows XP Home SP2 installed. I have done an online BitDefender scan and a TrendMicro Spyware Scan and they removed alot of spyware and viruses and Trojans but I have no logs. I installed Spysweeper and Ewido.I have a Spysweeper log from normal mode and a Ewido log from safe mode. I have a Rootkit Revealer 1.6 log done in normal mode. Device Manager is empty and I cannot connect to the internet using the modem but I can connect to the internet with the NIC Card. I need to connect with the modem card. I also downloaded Microsoft Antispyware and installed and scanned but it will only run on one of the three users and they are all administrators. Thank You for Your Time. wrj

 

You can't conect in Safe Mode with a modem.

If you have completed all the instructions below, please post a HijackTHis log.

Welcome to MajorGeeks.com, please follow the steps below:

- Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

• Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

Downloading, Installing, and Running HijackThis

 

Shadow_Puter_Dude The computer will not connect with the modem in user mode either. The only two online scans that I could do with all the users was Bitdefender and XCleaner. One user I could do a online scan was the Trendmicro Spyware Scan. I also download and ran Sysclean and Stinger,Avast. Norton Corp. Edition is installed but will not run(errors).I also downloaded Spybot and ran and installed free Zone Alarm. I need help on how to attach a log. I tried to click on the attachment icon but nothing happened. Do I copy and paste or browse for the attachment log. Thanks for Your Time. wrj

 

I think I have it figured out now. I hope wrj

 

Scan and have HJT Fix the following:

Download
- Pocket Killbox
- ExplorerXP

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click the RED X.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)

Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

REBOOT to Normal Mode.


Download WinPFind

Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

 

Here is the WinPFind log that was requested and I also included my first Spysweeper log also. Thanks for your time. wrj

 

Follow the direction to
AproposMedia Fix.

In safe Mode delete the following files/folders:

Run Spy Sweeper again.

Post the Spy Sweeper log along with a fresh HijackThis log.

 

Here are the logs and Spyweeper was clean and Device Manager is showing info now. If you see anymore problems or if I run into any more problems I will post them in this thread.Thank You Very Much Shadow_Puter_Dude for your time. wrj

 

Your HijackThis log is clean.

Please post a fresh Spy Sweeper log.

 

Here is the log that was requested.Device Manager is there and dial-up works on all users. I still get this error from TrendMicro online Spyware Scanner with either normal mode or safe mode.This product does not appear to be installed correctly.[SPYSUB] unable to use ss engine ProductConfig. HRESULT = 800401f3 Error #: 0x6d also on the same two users Microsoft Antispyware will not load at startup or run a scan. One user you can do both on in normal mode and safe mode. All three users are administrators. Thank You for Your Time. wrj

 

Please don't run any scans, we don't ask you to run.

Did you reboot before running Spy Sweeper? The Apropos infection is still present.

Please run Panda Online Scan. After the scan attach the log to your next post.

 

Sorry for the doing the other scans. Yes there was a reboot between the last two Spysweeper scans. Here is the Panda Scan. Thanks for your time. wrj

 

Please follow the directions for Running Hoster.

Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK

Download FixAprop to your Desktop.

Reboot to Safe Mode.

Run FixAprop.

Reboot to Safe Mode.

Run Microsoft AntiSpyware and let it fix what it finds.

Reboot to Normal Mode.

This should remove Apropos

Next Open ExplorerXP and delete the following:

REBOOT

Run Spy Sweeper and Panda. Post both logs when finished.

 

Here are the requested logs. I did everything in order as requested. Microsoft Antispyware and FixAprop did not find any problems. I found every file that was listed and deleted them. Thanks for more of your time. wrj

 

Open ExplorerXP and delete the following:

REBOOT

Run CCleaner before doing the below.

Download WinPFind

Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

 

Here is the requested log. I did not fined the host as a directory, only the host file inside the etc folder. All the other files were deleted. Thank you wrj

 

Open ExplorerXP and delete the following:

The lsasss.exe is from Sasser.

Download and Run the Microsoft Windows Malicious Software Removal Tool.

REBOOT

Run WinPFind again.

Post the WinPFind log and a fresh HijackThis log.

 

Here are the two logs. lsasss was found and deleted. Microsoft Windows removal tool was run and nothing was found. Thank You wrj

 

Your logs are fine.

How is your sytem running?

 

Shadow, The computer runs pretty good for the amount of viruses and spyware that was on the computer. I am going to run some more scans on the different users. If I find some more problems I will reply back in this thread. Thank You Very Much for your time. I learned alot. wrj

 

I was able to run the Kaspersky virus scan last night on three users. I combined the three scans results into one attachment so some of the files are the same. lf anybody could look at these sometime I would be very grateful. Thank you for your time. wrj

 

Empty the Quarantine folder for Norton Antivirus.

C:\Program Files\Comerica\npf.sys <<---- This may be a valid file. Do you recognize Comerica?

Run Pocket Killbox:

Choose Tools -> Delete Temp Files and click the RED X.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)

Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

REBOOT to Normal Mode.

 

Shadow I have no idea what Comerica is. Did you want me to delete that item too? wrj

 

Take a look inside the folder and tell me what all is there. Filename and such.

 

Shadow The only file showing is npf.sys. It is listed as a systerm file and the size of the file is 12KB

 

Shadow All the files listed in the quote box were found and deleted. wrj

 

Delete the entire folder.

 

Shadow I deleted the folder and if I find anything else I will post it. Thanks for your time. wrj

 

You're welcome.