meksikatsi 16 Posting Whiz

HP envy i7 with radeon 7670

I got rid of all graphics drivers and installed the 290. I got no display, no beeps. The power supply is a 600 W high-efficiency HP unit.

There are no instructions with the card, although it is brand new. Sapphire has no support contact on its web page. What little pamphlet there was just said to install the card, even though there are some power connectors that need to be connected to the power supply.

If I put back the 7670 and turn on, I get an almost instant response on the monitor with an HP logo, but with the 290 there's nothing and the power switch just flashes. Again, no beeps; the computer sounds as if it comes up and runs normally. I've tried safe mode and low resolution mode to no avail and am getting very tired of changing that giant card out of there to replace the original.

Any ideas would be welcome. I'll be back on tomorrow.

meksikatsi 16 Posting Whiz

Hello, I got a bug from going on the keltec site - there's discussion but no solution that I've been able to find. I tried to post here before but I could not post or PM for some reason. Now posting is working so....

I've been working on this issue for a few days as this is but one computer on my home network, which is Microsoft net with cameras, computers, etc. Machine is:

HP a1640n Intel Core2 6300@1.86GHz
4G Ram
XP Pro ServPak 3

I ran MalWareBytes a few days ago and removed a couple of Trojans, so I'll post that log here and then post the Logs from the DaniWeb Initial Cleaning below that for comparison....

I can’t post this from the infected machine from either Firefox or Comodo – so I’m transferring this file to another machine and posting from there….

Thanks in advance for any assistance!!

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.20.03

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
HP_Administrator :: MEKSIKATSI [administrator]

3/20/2012 9:58:04 AM
mbam-log-2012-03-20 (09-58-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 227485
Time elapsed: 20 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items …

meksikatsi 16 Posting Whiz

So, nobody works on this printer issue. I copied the file from the recovery disk into the C:/I386 folder and was then able to restart the print spooler service - that did it and all my printers miraculously re-appeared.

Evidently, this nasty just erased the spooler.exe file and didn't affect anything else.

Thanks again, crunchie, this was the last issue and I'm marking this thread "solved".

meksikatsi 16 Posting Whiz

Right. I don't have the printer disk, it's a very old printer plus it's installed on another older computer on my network that acts as my print server. I have other printers local to other network computers as well. All of them disappeared from the Printers and Faxes folder.

I can't uninstall the printer because it's not there. And I can't add a printer because Services says the print spooler is "stopped". But when I click "Start" it gives me that message: "Cannot find the file specified."

After going to "services" I've found in Print Spooler Properties a Recovery Tab, but I'm not certain what I'm doing. It offers to select the computer's response if the service fails. You can "Run a Program" and I suppose I could specify D:/I386/SYSTEM32/spoolsv.exe but I'm thinking I should just copy this program into my system files instead. Again, I'm uncertain about this action so I'm refraining until I can get some solid advice. Thanks, m

PS. Now that I've had a look at the C:/I386/SYSTEM32 folder, there is indeed no spoolsv.exe file there and, in fact, there are only two files in that folder (NTDLL.DLL and SMSS.EXE)...which is scaring me at this point. Since the D: recovery has a lot of I386 files, I'm wondering if the C:/I386 shouldn't have all those files too.

meksikatsi 16 Posting Whiz

Thanks for that tip.

crunchie, everything seems stable but the printers all got wiped earlier and they are still not functioning, in fact, there are no icons for my printers at all anymore. When I try to add a printer, it tells me the Print Spooler is not running.

Checking services, the print spooler IS running and set to automatic. When I try to "start" I get a message:

"Could not start the Print Spooler service on local computer. Error 2: The system cannot find the file specified."

I suppose the file is on D: since this is an HP machine and I don't have any system disks but I don't know how to find it or get it loaded.

meksikatsi 16 Posting Whiz

Thanks crunchie, I didn't use the registry booster, it just got downloaded as part of this issue, automatically I might add. It's gone now.


RunFix Log

All processes killed
========== FILES ==========
========== OTL ==========
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Search_URL| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 41 bytes

User: HP_Administrator
->Flash cache emptied: 1931747 bytes

User: LocalService
->Flash cache emptied: 19686 bytes

User: NetworkService
->Flash cache emptied: 14501 bytes

Total Flash Files Cleaned = 2.00 mb


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 3869997 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: HP_Administrator
->Temp folder emptied: 83704845 bytes
->Temporary Internet Files folder emptied: 423867837 bytes
->Java cache emptied: 167055996 bytes
->FireFox cache emptied: 47818738 bytes
->Google Chrome cache emptied: 6099312 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 98335726 bytes
->Java cache emptied: 0 bytes
->Flash cache …

meksikatsi 16 Posting Whiz

I guess it wouldn't take that much info as that post worked...here's the extras file

OTL Extras logfile created on: 11/13/2010 3:54:49 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\HP_Administrator\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 83.00% Memory free
7.00 Gb Paging File | 7.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 224.23 Gb Total Space | 170.08 Gb Free Space | 75.85% Space Free | Partition Type: NTFS
Drive D: | 8.63 Gb Total Space | 0.39 Gb Free Space | 4.46% Space Free | Partition Type: FAT32

Computer Name: MEKSIKATSI | User Name: HP_Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not …

meksikatsi 16 Posting Whiz

OTL was restarted and completed...having issues posting the files though...will attempt to post one at a time

OTL logfile created on: 11/13/2010 3:54:49 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\HP_Administrator\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 83.00% Memory free
7.00 Gb Paging File | 7.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 224.23 Gb Total Space | 170.08 Gb Free Space | 75.85% Space Free | Partition Type: NTFS
Drive D: | 8.63 Gb Total Space | 0.39 Gb Free Space | 4.46% Space Free | Partition Type: FAT32

Computer Name: MEKSIKATSI | User Name: HP_Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/13 12:05:41 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
PRC - [2010/10/27 01:10:10 | …

meksikatsi 16 Posting Whiz

I got a message: Access violation at address 0040295B in module 'OTL.exe'. Read of address 0021D000.

OTL is stuck "Creating restore point. DO NOT INTERRUPT..."

I thought I'd check back before shutting it down (with that message) and trying again...but it's been running a while now...more than 30 minutes


MBRCheck Log:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000001fc

Kernel Drivers (total 138):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 viaide.sys
0xBA5AE000 intelide.sys
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5B0000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9E6C000 iastor.sys
0xB9E54000 atapi.sys
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E34000 fltmgr.sys
0xB9E22000 sr.sys
0xBA118000 PxHelp20.sys
0xB9E0B000 KSecDD.sys
0xB9D7E000 Ntfs.sys
0xB9D51000 NDIS.sys
0xB9D37000 Mup.sys
0xBA148000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA3D8000 \SystemRoot\system32\DRIVERS\ELacpi.sys
0xB937C000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB9368000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB9330000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB930C000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3E8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB92E4000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB929F000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
0xB927C000 \SystemRoot\system32\DRIVERS\ks.sys
0xB9185000 \SystemRoot\system32\DRIVERS\HSX_DP.sys
0xB90CF000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0xBA3F0000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA2F8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\PS2.sys
0xBA400000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA5EE000 \??\C:\WINDOWS\System32\Drivers\Elkbd.sys
0xBA308000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA318000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA158000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA766000 …

meksikatsi 16 Posting Whiz

Thanks, crunchie,

TDSSKILLER REPORT

2010/11/13 11:03:44.0406 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22
2010/11/13 11:03:44.0406 ================================================================================
2010/11/13 11:03:44.0406 SystemInfo:
2010/11/13 11:03:44.0406
2010/11/13 11:03:44.0406 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/13 11:03:44.0406 Product type: Workstation
2010/11/13 11:03:44.0406 ComputerName: MEKSIKATSI
2010/11/13 11:03:44.0406 UserName: HP_Administrator
2010/11/13 11:03:44.0406 Windows directory: C:\WINDOWS
2010/11/13 11:03:44.0406 System windows directory: C:\WINDOWS
2010/11/13 11:03:44.0406 Processor architecture: Intel x86
2010/11/13 11:03:44.0406 Number of processors: 2
2010/11/13 11:03:44.0406 Page size: 0x1000
2010/11/13 11:03:44.0406 Boot type: Normal boot
2010/11/13 11:03:44.0406 ================================================================================
2010/11/13 11:03:44.0578 Initialize success
2010/11/13 11:04:12.0625 ================================================================================
2010/11/13 11:04:12.0625 Scan started
2010/11/13 11:04:12.0625 Mode: Manual;
2010/11/13 11:04:12.0625 ================================================================================
2010/11/13 11:04:13.0438 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
2010/11/13 11:04:13.0469 Aavmker4 (2ccfa74242741ca22a4267cce9b586f4) C:\WINDOWS\system32\drivers\Aavmker4.sys
2010/11/13 11:04:13.0563 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/13 11:04:13.0594 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/13 11:04:13.0641 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/13 11:04:13.0703 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/13 11:04:13.0813 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/11/13 11:04:13.0907 aswFsBlk (b4079a98f294a3e262872cb76f4849f0) C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
2010/11/13 11:04:13.0938 aswMon2 (dbee7b5ecb50fc2cf9323f52cbf41141) C:\WINDOWS\system32\drivers\aswMon2.sys
2010/11/13 11:04:13.0969 aswRdr (8080d683489c99cbace813f6fa4069cc) C:\WINDOWS\system32\drivers\aswRdr.sys
2010/11/13 11:04:13.0985 aswSP (2e5a2ad5004b55df39b7606130a88142) C:\WINDOWS\system32\drivers\aswSP.sys
2010/11/13 11:04:14.0016 aswTdi (d4c83a37efadfa2c398362e0776e3773) C:\WINDOWS\system32\drivers\aswTdi.sys
2010/11/13 11:04:14.0063 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/13 11:04:14.0078 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/13 11:04:14.0125 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/13 11:04:14.0172 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/13 11:04:14.0219 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys
2010/11/13 11:04:14.0235 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
2010/11/13 11:04:14.0282 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/13 11:04:14.0328 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/13 11:04:14.0344 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/11/13 11:04:14.0375 …

meksikatsi 16 Posting Whiz

Hello folks,

System:

HP a1649n computer, O/S XP Pro, SP3, BIOS 3.08. Processor Intel Core 2 @1.86GHz, Fam6, Mod15, Stepping6, 4GB RAM, connected to TWC through WRT54G

Running Avast! and Windows firewall - this and the 6 other computers on the network have shown no issues in over a year with this setup.

Initial issues:

1. First noticed this problem with repeated error messages here and there:

Generic Host Process for Win32 Service has encountered a problem and needs to close. We are sorry for this inconvenience.

Ran MBAM and Spybot Search & Destroy and cleaned up system but issues continued.

On looking at what the system wants to send to Microsoft, there's an error signature (sz App and Mod names and versions, plus offset:00023845) and two files, names end in svchost.exe.mdmp and appcompat.txt - I can include those files if needed.

2. Avast! keeps giving me on-access messages (maybe a few times per hour) which don't appear long enough to copy - they are malicious attacks from: X - I was able to copy one that repeats, 2Og7yailO.com, and there's a long string after but not enough time to copy. This is not the only URL to come through, though.

3. Cannot print - whatever this is erased all my printers/drivers from the printer folder - I tried to add a printer and get:

Operation cannot be completed - Print Spooler Service not running.

I checked Services …

meksikatsi 16 Posting Whiz

Hi folks...this issue is also related to a restart issue...I'll explain momentarily.

AMD Athlon 64 X2 Dual Core 3800+
XP Pro SP3
NVidia GeForce 6150 LE - just updated driver

As mentioned, at random, even while working on this computer on our home network, the LG monitor turns off at random...can be days...can be an hour. It briefly shows the box saying no signal and goes black...the power button blinks...

...but the computer is still running. No way to get to the computer - you can't restart the monitor. You can't even do a cold start from the power button...it must be unplugged from the mains and then plugged in again.

***
Interestingly, the same thing (sort of) happens on this computer when one tries to restart...same thing when an update asks to restart the computer. What you end up with is the computer sitting there "on" and the monitor "dead". Only unplugging the computer from the wall will initiate a restart that will bring the monitor back up.

I admit I'm stumped on this one...please help! I posted here but I personally think it's a virus...if you think I should re-post to the virus forum, I will. However, there are no other symptoms...and between instances, the computer runs perfectly.

Thanks...meksikatsi

meksikatsi 16 Posting Whiz

What happens if she opens a cmd window and runs this:
shutdown -r -t 05

Does exactly the same thing - the computer ends up with the display off but powered up. Can't tell exactly what state it's in, but it doesn't have a power switch in back, so you either have to remove the power cord or hold the power button down until the computer goes off and then power up again.

Tried "Turn Off" and that works correctly - the computer turns all the way off.

meksikatsi 16 Posting Whiz

Hi folks,

My wife's computer will not reboot when the restart option is selected. She's running XP Pro SP 3.

I've checked out the Roxio CD creation issue and she doesn't use it - same with advanced power issues.

The computer does stop because you can see the Windows Shutting Down message but after the screen goes blank, the computer doesn't start back up. You have to power the computer down manually with the power button or switch and do a cold boot to get it back up.

Any help appreciated.
meksikatsi

meksikatsi 16 Posting Whiz

Again, thanks.

meksikatsi 16 Posting Whiz

That looks good - apparently iaStor.sys was still the culprit but combofix was able to replace it.

I wonder if it got re-infected after you replaced it the first time or if there was a problem with the replacement...?

Anyhoo, how are things looking now?

PP:)

Yeah, I think the combofix got it...doesn't seem to be redirecting at this point. I'll see what it looks like by tomorrow and if nothing new crops up I'll mark this thread solved.

Many thanks for sticking with me on this...I sure didn't want to have to reload this guy. I suppose I should consider a mirror backup or something, any suggestions?

meksikatsi 16 Posting Whiz

Here's a fresh run of combofix...


ComboFix 10-04-08.02 - HP_Administrator 04/09/2010 4:29.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.3021 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 100408-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db

Infected copy of c:\windows\system32\DRIVERS\iastor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-03-09 to 2010-04-09 )))))))))))))))))))))))))))))))
.

2010-04-07 21:45 . 2010-04-07 21:45 77312 ----a-w- C:\mbr.exe
2010-04-02 11:08 . 2005-06-17 13:33 872064 ----a-w- c:\windows\system32\drivers\iaStor.sys.sys
2010-03-30 18:24 . 2005-06-17 13:33 872064 ----a-w- C:\iaStor.sys
2010-03-28 11:33 . 2010-03-28 11:34 -------- d-----w- C:\Images for internet sites
2010-03-27 22:59 . 2010-03-30 18:18 -------- d-----w- C:\Leads
2010-03-25 23:30 . 2010-03-25 23:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-25 23:30 . 2010-03-25 23:30 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-16 19:08 . 2010-03-16 19:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-09 08:26 . 2008-09-12 16:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Skype
2010-04-09 04:06 . 2008-09-12 17:00 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\skypePM
2010-04-08 11:34 . 2009-02-02 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-04 08:24 . 2005-06-17 13:33 246784 ----a-w- c:\windows\system32\drivers\iastor.sys
2010-03-30 18:54 . 2010-01-24 12:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 18:53 . 2010-03-30 18:53 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 04:46 …

meksikatsi 16 Posting Whiz

Did you see Kaspersky's results on the previous page of the thread? Sorry, but I put the results you wanted in two different posts... I have just flushed the DNS to see if that yields results.

Kaspersky found a few files I cannot get rid of...including one rootkit

meksikatsi 16 Posting Whiz

Here are the Jotti scan results:

for iastor.sys:

Jotti's malware scan
Filename: iaStor.sys.sys
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Thu 8 Apr 2010 13:08:32 (CET) Permalink

Additional info
File size: 872064 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 9a65e42664d1534b68512caad0efe963
SHA1: ca3b5fb10f27f0a83f60beae10c2ef188787aa22


Scanners
[ArcaVir]
2010-04-07 Found nothing
[F-Secure Anti-Virus]
2010-04-08 Found nothing
[A-Squared]
2010-04-08 Found nothing
[G DATA]
2010-04-08 Found nothing
[Avast! antivirus]
2010-04-08 Found nothing
[Ikarus]
2010-04-08 Found nothing
[Grisoft AVG Anti-Virus]
2010-04-08 Found nothing
[Kaspersky Anti-Virus]
2010-04-07 Found nothing
[Avira AntiVir]
2010-04-08 Found nothing
[ESET NOD32]
2010-04-08 Found nothing
[Softwin BitDefender]
2010-04-08 Found nothing
[Panda Antivirus]
2010-04-07 Found nothing
[ClamAV]
2010-04-08 Found nothing
[Quick Heal]
2010-04-08 Found nothing
[CPsecure]
2010-04-06 Found nothing
[Sophos]
2010-04-08 Found nothing
[Dr.Web]
2010-04-08 Found nothing
[VirusBlokAda VBA32]
2010-04-07 Found nothing
[Frisk F-Prot Antivirus]
2010-04-07 Found nothing
[VirusBuster]
2010-04-07 Found nothing

for atapi.sys: (it's reporting atapi512.sys but it downloaded atapi.sys)



Jotti's malware scan
This file has been scanned before. The results for this previous scan are listed below.


Filename: atapi512.sys
Status:
Scan finished. 0 out of 20 …
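The Jotti report above gives the size, MD5 and SHA-1 of the clean iaStor.sys copy, which is exactly what a responder needs to confirm that a replacement driver pulled from another machine is the file the scanner cleared, and later that the installed driver has not been swapped again. The following is an added example, not code from the thread or from any of the tools it mentions. It reuses the size and digests quoted in the Jotti report as the reference; the driver path and the `DRIVER_PATH` environment variable are assumptions for illustration.

```python
"""Verify a driver file against reference size and hashes.

Added example, not part of the forum thread. Computes MD5 and SHA-1 of a
file and compares them, case-insensitively, with the values a scanner
report (here Jotti's, as quoted in the thread) gave for the known-good copy.
"""
import hashlib
import os
from typing import Dict, List, Tuple

# Reference values quoted from the Jotti report in the thread for iaStor.sys.sys.
REFERENCE_IASTOR: Dict[str, object] = {
    "size": 872064,
    "md5": "9a65e42664d1534b68512caad0efe963",
    "sha1": "ca3b5fb10f27f0a83f60beae10c2ef188787aa22",
}


def hash_bytes(data: bytes) -> Dict[str, object]:
    """Return size, MD5 and SHA-1 (lowercase hex) of an in-memory blob."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, object]:
    """Stream a file through MD5 and SHA-1 so a large driver need not fit in memory."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def compare(actual: Dict[str, object], reference: Dict[str, object]) -> Tuple[bool, List[str]]:
    """Compare computed values with the reference.

    Returns (ok, mismatched_fields). Digests are compared case-insensitively
    because scanner reports differ in case; fields absent from the reference
    are skipped, so a report that lists only an MD5 can still be used.
    """
    mismatches: List[str] = []
    for field in ("size", "md5", "sha1"):
        if field not in reference:
            continue
        got, want = actual[field], reference[field]
        same = str(got).lower() == want.lower() if isinstance(want, str) else got == want
        if not same:
            mismatches.append(field)
    return (not mismatches, mismatches)


def verify_file(path: str, reference: Dict[str, object]) -> Tuple[bool, List[str]]:
    """Hash the file at `path` and check it against `reference`."""
    return compare(hash_file(path), reference)


if __name__ == "__main__":
    # Assumed location of the replacement copy; override with DRIVER_PATH.
    candidate = os.environ.get("DRIVER_PATH", r"C:\iaStor.sys")
    if os.path.exists(candidate):
        ok, bad = verify_file(candidate, REFERENCE_IASTOR)
        print("match" if ok else "MISMATCH in: " + ", ".join(bad))
    else:
        print(candidate + " not found; set DRIVER_PATH to the file to check")
```

Run it once against the copy on the flash drive before it goes into system32\drivers, and again against the installed file after reboot: a later mismatch on a file that is not supposed to change is the simplest indicator that the driver has been tampered with again.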

meksikatsi 16 Posting Whiz

Thanks, PP - it took me a while but here is the first part of your instructions:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 17:43 on 07/04/2010 (HP_Administrator)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [10:49 12/09/2008]
{B13721C7-F507-4982-B2E5-502A71474FED} [04:24 01/04/2009]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [21:37 29/03/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [00:56 06/05/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [12:18 10/06/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [15:26 08/08/2009]

C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\izkwi3ur.default\extensions\
addon@privacychoice.org [13:19 21/12/2009]
TFToolbarX@torrent-finder [19:56 15/05/2009]
{20a82645-c095-46ed-80e3-08825760534b} [19:49 03/09/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [07:03 08/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [21:37 29/03/2009]

-=E.O.F=-

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B398CA1]<< 
kernel: MBR read successfully
user & kernel MBR OK 

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
 Thursday, April 8, 2010
 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
 Kaspersky Online Scanner version: 7.0.26.13
 Last database update: Wednesday, April 07, 2010 20:02:47
 Records in database: 3918834
--------------------------------------------------------------------------------

Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

Scan statistics:
    Objects scanned: 205370
    Threats found: 3
    Infected objects found: 5
    Suspicious objects found: 0
    Scan duration: 03:15:19


File name / Threat / Threats count
C:\HP\bin\wbug\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
C:\Program Files\Alwil Software\Avast4\DATA\moved\iaStor.sys.vir    Infected: Rootkit.Win32.Tdss.ai 1
D:\I386\APPS\APP11700\src\CompaqPresario_Spring06.exe   Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
D:\I386\APPS\APP11700\src\HPPavillion_Spring06.exe  Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
E:\4-Common Software\TFTP Server\SolarWinds\OEM-TFTP-Server.EXE Infected: not-a-virus:Server-FTP.Win32.Tftp.400 1

Selected area has been scanned.

meksikatsi 16 Posting Whiz

PP-
Well, maybe we've made some progress...I haven't seen any screens announcing the virus for a couple of days.

I'll try to explain, because I had to take several steps before I could replace the bad iaStor file. Here's what finally worked...all other attempts to erase and replace resulted in a virus screen.

I had to rename the bad file. Then I renamed the good file and copied it into the driver folder. Then I moved the bad file into the recycle bin and got rid of it. Then I renamed the good file to iaStor.sys...

no other combination worked. And like I said, I'm not certain this worked, however, no more notifications. I have had some issues with Firefox redirecting, though - BUT Firefox has now downloaded a new security version (it said). That hasn't helped the redirecting...but IE doesn't seem to redirect...I hardly ever use IE until I just tried it to see if it was stable.

Any further suggestions on diagnostics would be welcome...and thanks again for your patience so far.

meksikatsi

meksikatsi 16 Posting Whiz

I already tried, so I tried once again and unchecked the check for rootkits, since it already had done that clean. No change...

what would happen if I just tried to delete that file and copy the new copy over?

meksikatsi 16 Posting Whiz

I finally got to it, sorry! Something went wrong...it's asking for a disk?

WINDOWS - No Disk
Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6b7c 75b6bf7c

here's the logfile:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not move file "C:\iaStor.sys"
File move operation "C:\iaStor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.

meksikatsi 16 Posting Whiz

PP, I've now got iastor.sys on a flash drive ready to go...

I'll be ecstatic if we're this close - this machine would be HARD to duplicate.

But I admit I'm intrigued on how you're going to replace a .sys file.

meksikatsi

meksikatsi 16 Posting Whiz

Volume in drive C is HP_PAVILION
Volume Serial Number is 18D0-9135


That's it....here's what DOS did:

File not found

I'll look for the file on another computer

meksikatsi 16 Posting Whiz

The first time I ran GMER it hung up. I rebooted and ran it again, and these are those logs. The first preliminary log didn't change between the two runs, so I only included the second one.

I did reboot before running TDSSKiller because I had to disconnect from the internet while running GMER and could not get it reconnected (message saying cable unplugged...but it was plugged) until I rebooted and it came up normally.

meksikatsi 16 Posting Whiz

PP-

Here are the GMER files at last...took most of the day.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-27 10:24:22
Windows 5.1.2600 Service Pack 3
Running: o3r6gc4j.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\afloypog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Elkbd.sys (Intel Corporation)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 8B4ADCA1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-27 14:30:19
Windows 5.1.2600 Service Pack 3
Running: o3r6gc4j.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\afloypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0x99BCF6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0x99BCF574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0x99BCFA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x99BCF14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0x99BCF64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x99BCF08C]

meksikatsi 16 Posting Whiz

OK, guys, I ran it again and this time it didn't take very long and Windows did not go away. I assume it just recaptured the results of the last run and the log file seems to bear this out.

So here's the log file - I look forward to an analysis! And thanks again!!

*********************

ComboFix 10-03-25.06 - HP_Administrator 03/26/2010 5:46.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2754 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 100325-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
.
---- Previous Run -------
.
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
C:\Thumbs.db
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-02-26 to 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-25 23:30 . 2010-03-25 23:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-25 23:30 . 2010-03-25 23:30 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-16 19:08 . 2010-03-16 19:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-10 03:04 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 09:54 . 2008-09-12 16:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Skype
2010-03-26 04:01 . 2008-09-12 17:00 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\skypePM
2010-03-25 22:43 . 2005-06-17 13:33 246784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-03-25 22:21 . 2009-02-02 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-10 08:03 . 2009-08-08 14:17 -------- d-----w- c:\documents …

meksikatsi 16 Posting Whiz

PP, I ran Combofix and it got stuck for a few hours after running the 50 steps and deleting some files...so no log!

I had to cold start the system and choose an earlier configuration to get the machine started again but it has now been stable (no avast messages) for about 12 hours so hopefully the nasty was contained in those deleted files...there were 4.

However, on a google search just now, it was redirected, so I may go through the combofix sequence again since it did not complete normally. Many thanks...

meksikatsi

meksikatsi 16 Posting Whiz

Which os is this you don't say.

XP Pro 5.1.2600 ServPak 3.0

HP so O/S is on D: no boot disk

The worm is also back...starts appearing on reboot...taking no action at least allows me to run some diagnostics.

PP - running MalWareBytes no....is that MBAM? Anyway, last time I ran it nothing was found...

Also, what is an ARK tool please?

Many thanks,
meksikatsi

meksikatsi 16 Posting Whiz

it's crazy...I made the choice to reboot to a previous version and there's no sign of the worm so far...hope it continues...I'll get back if it does but now I've got to leave out of town and was just trying to get my email back before I left...since that's OK at the moment, I appreciate your attention and I'll keep you posted on this thread in about 3 days...again, MANY thanks.

meksikatsi 16 Posting Whiz

well, avast kept getting an error and reporting alureon-fr. I tried to boot into safe mode and now the machine will not boot up...I get to the screen with a choice of safe mode, etc. but no matter what I choose it just reboots over and over to that screen.

any advice? thanks in advance!!

meksikatsi 16 Posting Whiz

When you don't have DHCP set up, ONE system will connect to the internet; I don't know how that one system is chosen, probably by the lowest IP address. You should be able to enable DHCP and simply change the router's port range to include the cameras; you can then assign static IPs to them using the router's control page. This is just how it works: you need to have DHCP somewhere on your network, and if it's not on the router you'd have to have a dedicated DHCP server (or another router) before the primary router.

There are no cameras in the network in question. Static IPs should be outside the DHCP IP pool.

meksikatsi 16 Posting Whiz

sounds like you may be getting interference...are you in a city, apartments, what?

meksikatsi 16 Posting Whiz

Bellsouth DNS servers are different in every region.

meksikatsi 16 Posting Whiz

Cisco/Linksys makes several like RV082 - so does Barracuda

zeroth commented: right... +8
meksikatsi 16 Posting Whiz

thanks for telling us the solution.

meksikatsi 16 Posting Whiz

permissions can be set how?

meksikatsi 16 Posting Whiz

All I did was let Windows update install SP1. I get the box:

Startup Repair cannot repair this computer automatically.

I'm now doing a full system recover...thank goodness this was a new computer! So, do I prevent the thing from doing a Windows update? How do you take care of Vista when it crashes when doing a "security and bug update"?

Or do I just go backwards and install XP on this thing?

meksikatsi 16 Posting Whiz

You don't need any software to view the camera. After you establish what the camera's IP address is, just enter that in your browser and you'll see the image.

meksikatsi 16 Posting Whiz

I have not but they do not have high resolution. If you just want to see an image they would work probably.

meksikatsi 16 Posting Whiz

Freedom at any price!!

meksikatsi 16 Posting Whiz

I think wireless cameras are expensive but they will work.

meksikatsi 16 Posting Whiz

Depends on what kind of resolution the camera is capable of and how many frames per second you need for quality. If you need live feed that's about 30 fps and a rule of thumb might be about 10Mbps per camera. Are you planning to run ethernet cable to all the cameras?

meksikatsi 16 Posting Whiz

It is amazing, Dave -- where do you find this Bull Pucky? No one has a transcript of anything but the responses to the pucky.

You're just another 'ditto head' dupe spreading specious stuff around now that you see McCain/Palin is going down in flames.

we'll see - that lawyer's letter isn't a response - Dave, good find!

meksikatsi 16 Posting Whiz

welcome to Daniweb

meksikatsi 16 Posting Whiz

I don't believe you have the kind of QoS you want in that router. Take a look at this, though:

http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&pagename=Linksys%2FCommon%2FVisitorWrapper&cid=1146774321820

zeroth

this is way cool!!

meksikatsi 16 Posting Whiz

Byte Me

meksikatsi 16 Posting Whiz

that's great!

meksikatsi 16 Posting Whiz

thanks once again!