Rootkit and Device Manager Problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by wrj, Dec 10, 2005.

  1. wrj

    wrj Private E-2

    I have a Dell computer with Windows XP Home SP2 installed. I have done an online BitDefender scan and a TrendMicro Spyware Scan and they removed a lot of spyware and viruses and Trojans but I have no logs. I installed Spysweeper and Ewido. I have a Spysweeper log from normal mode and an Ewido log from safe mode. I have a Rootkit Revealer 1.6 log done in normal mode. Device Manager is empty and I cannot connect to the internet using the modem but I can connect to the internet with the NIC card. I need to connect with the modem card. I also downloaded Microsoft Antispyware and installed and scanned but it will only run on one of the three users and they are all administrators. Thank You for Your Time. wrj
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You can't connect in Safe Mode with a modem.

    If you have completed all the instructions below, please post a HijackTHis log.

    Welcome to MajorGeeks.com, please follow the steps below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    - Make sure you check version numbers and get all updates.
    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis
     
  3. wrj

    wrj Private E-2

    Shadow_Puter_Dude, the computer will not connect with the modem in user mode either. The only two online scans that I could do with all the users were Bitdefender and XCleaner. On one user I could do an online scan with the Trendmicro Spyware Scan. I also downloaded and ran Sysclean, Stinger and Avast. Norton Corp. Edition is installed but will not run (errors). I also downloaded and ran Spybot and installed free Zone Alarm. I need help on how to attach a log. I tried to click on the attachment icon but nothing happened. Do I copy and paste or browse for the attachment log? Thanks for Your Time. wrj
     
  4. wrj

    wrj Private E-2

    I think I have it figured out now. I hope. wrj
     

  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Scan and have HJT Fix the following:
    Download
    - Pocket Killbox
    - ExplorerXP

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion...say YES, and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.


    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
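    The "Delete on Reboot" option described above works through a Windows mechanism that is worth being able to inspect directly: the Win32 MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT queues the request as a REG_MULTI_SZ value named PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager carries the list out early in the next boot. Malware can queue entries in exactly the same way, so before rebooting a machine under cleanup a defender wants to see what is queued. The decoder below is an added example written for this thread, not code from Killbox or from anyone in the discussion; the registry layout and the "" / "!" destination conventions are real Windows behaviour, while the sample value, its paths and the helper names (decode_pending_ops, writes_into_system_dir, read_live_ops) are constructed for the illustration.

```python
"""Decode a PendingFileRenameOperations value (added example; not from the thread or Killbox)."""
from __future__ import annotations

from dataclasses import dataclass

SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"  # NT object-namespace prefix that MoveFileEx stores in the value
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")  # assumed XP layout


@dataclass
class PendingOp:
    action: str       # "delete", "rename" or "replace"
    source: str       # Win32 path the operation reads
    destination: str  # Win32 path it writes ("" for a delete)


def decode_multi_sz(raw: bytes) -> list[str]:
    """Split a raw REG_MULTI_SZ blob: UTF-16LE strings, each NUL-terminated, list ends in an extra NUL."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0\0"):  # drop last string terminator + list terminator
        text = text[:-2]
    return text.split("\0") if text else []


def encode_multi_sz(strings: list[str]) -> bytes:
    """Inverse of decode_multi_sz; used here only to build the constructed sample."""
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


def nt_to_win32(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(strings: list[str]) -> list[PendingOp]:
    """Entries are (source, destination) pairs. An empty destination means delete;
    a destination starting with '!' means MOVEFILE_REPLACE_EXISTING was requested."""
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold an even number of strings")
    ops: list[PendingOp] = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(PendingOp("delete", nt_to_win32(src), ""))
        elif dst.startswith("!"):
            ops.append(PendingOp("replace", nt_to_win32(src), nt_to_win32(dst[1:])))
        else:
            ops.append(PendingOp("rename", nt_to_win32(src), nt_to_win32(dst)))
    return ops


def decode_pending_ops(raw: bytes) -> list[PendingOp]:
    return parse_pending_ops(decode_multi_sz(raw))


def writes_into_system_dir(ops: list[PendingOp]) -> list[PendingOp]:
    """Queued renames/replaces whose destination lands in a Windows system directory:
    the entries a defender should review before allowing the reboot."""
    flagged = []
    for op in ops:
        if op.action == "delete":
            continue
        dest_dir = op.destination.lower().rsplit("\\", 1)[0]
        if dest_dir in SYSTEM_DIRS:
            flagged.append(op)
    return flagged


def read_live_ops() -> list[PendingOp]:
    """On Windows, read the real value (winreg hands REG_MULTI_SZ back as a list).
    Returns an empty list off-Windows or when nothing is queued."""
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
            value, _ = winreg.QueryValueEx(key, VALUE_NAME)
        return parse_pending_ops(list(value))
    except (ImportError, OSError):
        return []


# Constructed sample value: one Killbox-style delete, one queued overwrite of a
# system binary (the pattern to catch), and one harmless rename.
SAMPLE_VALUE = encode_multi_sz([
    r"\??\C:\WINDOWS\system32\lsasss.exe", "",
    r"\??\C:\WINDOWS\Temp\svchost.new", r"!\??\C:\WINDOWS\system32\svchost.exe",
    r"\??\C:\Temp\old.log", r"\??\C:\Temp\old.log.bak",
])

if __name__ == "__main__":
    ops = read_live_ops() or decode_pending_ops(SAMPLE_VALUE)
    for op in ops:
        print(f"{op.action:8} {op.source} -> {op.destination or '(deleted)'}")
    for op in writes_into_system_dir(ops):
        print(f"REVIEW: reboot will write {op.destination}")
```

    Run it on a Windows box and it reads the live value; anywhere else it falls back to the constructed sample. A delete queued by a cleanup tool is expected; a "replace" aimed at a system32 binary is the case that deserves a look before the reboot happens.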
     
  6. wrj

    wrj Private E-2

    Here is the WinPFind log that was requested, and I also included my first Spysweeper log. Thanks for your time. wrj
     

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Follow the directions for the AproposMedia Fix.

    In safe Mode delete the following files/folders:
    Run Spy Sweeper again.

    Post the Spy Sweeper log along with a fresh HijackThis log.
     
    Last edited by a moderator: Dec 11, 2005
  8. wrj

    wrj Private E-2

    Here are the logs. Spysweeper was clean and Device Manager is showing info now. If you see any more problems, or if I run into any more problems, I will post them in this thread. Thank You Very Much Shadow_Puter_Dude for your time. wrj
     

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean.

    Please post a fresh Spy Sweeper log.
     
  10. wrj

    wrj Private E-2

    Here is the log that was requested. Device Manager is there and dial-up works on all users. I still get this error from the TrendMicro online Spyware Scanner in either normal mode or safe mode: "This product does not appear to be installed correctly. [SPYSUB] unable to use ss engine ProductConfig. HRESULT = 800401f3 Error #: 0x6d". Also, on the same two users Microsoft Antispyware will not load at startup or run a scan. On one user you can do both in normal mode and safe mode. All three users are administrators. Thank You for Your Time. wrj
     

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please don't run any scans we don't ask you to run.

    Did you reboot before running Spy Sweeper? The Apropos infection is still present.

    Please run Panda Online Scan. After the scan attach the log to your next post.
     
  12. wrj

    wrj Private E-2

    Sorry for doing the other scans. Yes, there was a reboot between the last two Spysweeper scans. Here is the Panda scan. Thanks for your time. wrj
     

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please follow the directions for Running Hoster.

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Download FixAprop to your Desktop.

    Reboot to Safe Mode.

    Run FixAprop.

    Reboot to Safe Mode.

    Run Microsoft AntiSpyware and let it fix what it finds.

    Reboot to Normal Mode.

    This should remove Apropos.

    Next Open ExplorerXP and delete the following:
    REBOOT

    Run Spy Sweeper and Panda. Post both logs when finished.
     
  14. wrj

    wrj Private E-2

    Here are the requested logs. I did everything in order as requested. Microsoft Antispyware and FixAprop did not find any problems. I found every file that was listed and deleted them. Thanks for more of your time. wrj
     

  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Open ExplorerXP and delete the following:
    REBOOT

    Run CCleaner before doing the below.


    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
  16. wrj

    wrj Private E-2

    Here is the requested log. I did not find the host as a directory, only the host file inside the etc folder. All the other files were deleted. Thank you wrj
     

  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Open ExplorerXP and delete the following:
    The lsasss.exe is from Sasser.

    Download and Run the Microsoft Windows Malicious Software Removal Tool.

    REBOOT

    Run WinPFind again.

    Post the WinPFind log and a fresh HijackThis log.
     
    Last edited by a moderator: Dec 12, 2005
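    The lsasss.exe called out in the post above is one letter away from the genuine lsass.exe, which is the whole trick: a name that looks right at a glance in Task Manager or in a scan log. A defender reading a WinPFind or HijackThis listing can automate that glance. The script below is an added example written for this thread, not a tool from the discussion or from MajorGeeks; it takes a list of paths, flags names within one edit (insertion, deletion, substitution or adjacent transposition) of a core Windows binary, and flags genuine names that sit outside their expected directory. The list of core binaries and their Windows XP directories, the sample paths, and the function names (osa_distance, classify, scan) are all assumptions constructed for the illustration.

```python
"""Flag files that impersonate core Windows binaries (added example; not from the thread)."""
from __future__ import annotations

import ntpath  # handles backslash paths on any platform
from dataclasses import dataclass
from typing import Optional

# Core binaries and the directory each is expected in on Windows XP (assumed layout, lower-cased).
EXPECTED_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


@dataclass
class Finding:
    path: str
    kind: str       # "lookalike" (near-miss name) or "misplaced" (real name, wrong directory)
    reference: str  # the genuine binary being imitated


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions,
    so scvhost.exe counts as one edit from svchost.exe."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(path: str) -> Optional[Finding]:
    """Return a Finding for a suspicious path, or None if it looks ordinary."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if name in EXPECTED_DIRS:
        if directory != EXPECTED_DIRS[name]:
            return Finding(path, "misplaced", name)
        return None
    for genuine in EXPECTED_DIRS:
        if osa_distance(name, genuine) == 1:
            return Finding(path, "lookalike", genuine)
    return None


def scan(paths: list[str]) -> list[Finding]:
    return [f for f in (classify(p) for p in paths) if f is not None]


# Constructed sample, in the shape of file paths pulled from a scan log.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\lsass.exe",                                   # genuine
    r"C:\WINDOWS\system32\lsasss.exe",                                  # extra letter, as in the thread
    r"C:\WINDOWS\system32\svch0st.exe",                                 # digit zero for the letter o
    r"C:\WINDOWS\scvhost.exe",                                          # transposed letters
    r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",  # real name, wrong place
    r"C:\WINDOWS\explorer.exe",                                         # genuine
    r"C:\WINDOWS\system32\notepad.exe",                                 # unrelated
]

if __name__ == "__main__":
    for f in scan(SAMPLE_PATHS):
        print(f"{f.kind:9} {f.path}  (imitates {f.reference})")
```

    Keeping the threshold at a single edit matters: at distance two, legitimate pairs such as csrss.exe and smss.exe start colliding and the output stops being worth reading. A hit is a reason to look at the file (signature, size, timestamps), not proof on its own.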
  18. wrj

    wrj Private E-2

    Here are the two logs. lsasss was found and deleted. The Microsoft Windows removal tool was run and nothing was found. Thank You wrj
     

  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your logs are fine.

    How is your system running?
     
  20. wrj

    wrj Private E-2

    Shadow, the computer runs pretty well for the amount of viruses and spyware that was on the computer. I am going to run some more scans on the different users. If I find some more problems I will reply back in this thread. Thank You Very Much for your time. I learned a lot. wrj
     
  21. wrj

    wrj Private E-2

    I was able to run the Kaspersky virus scan last night on three users. I combined the three scan results into one attachment, so some of the files are the same. If anybody could look at these sometime I would be very grateful. Thank you for your time. wrj
     

  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Empty the Quarantine folder for Norton Antivirus.

    C:\Program Files\Comerica\npf.sys <<---- This may be a valid file. Do you recognize Comerica?

    Run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion...say YES, and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.
     
  23. wrj

    wrj Private E-2

    Shadow, I have no idea what Comerica is. Did you want me to delete that item too? wrj
     
  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Take a look inside the folder and tell me what all is there. Filename and such.
     
  25. wrj

    wrj Private E-2

    Shadow, the only file showing is npf.sys. It is listed as a system file and the size of the file is 12KB.
     
  26. wrj

    wrj Private E-2

    Shadow, all the files listed in the quote box were found and deleted. wrj
     
  27. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Delete the entire folder.
     
  28. wrj

    wrj Private E-2

    Shadow, I deleted the folder, and if I find anything else I will post it. Thanks for your time. wrj
     
  29. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome.
     