[djmaddogfreak]

extra part 2

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type38312 / Warning
Event Submitted/Written: 07/02/2008 11:26:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%%8271.1.1505.0{97BC3B26-B6A7-4DFF-8275-ED6E4705312C}Bryan-PCBryanS-1-5-21-331273825-1107932480-618443972-1000Unknown%%832service:xpdt0%%807

Event Record #/Type38311 / Warning
Event Submitted/Written: 07/02/2008 11:26:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%%8271.1.1505.0{D98B7539-6705-4345-B617-CC60F0180FCA}Bryan-PCBryanS-1-5-21-331273825-1107932480-618443972-1000Unknown%%832driver:xpdt0%%807

Event Record #/Type38310 / Warning
Event Submitted/Written: 07/02/2008 11:26:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%%8271.1.1505.0{24F8B995-599D-4879-8B7A-BE704CD56E53}Bryan-PCBryanS-1-5-21-331273825-1107932480-618443972-1000Unknown%%832driver:huy320%%807

Event Record #/Type38309 / Warning
Event Submitted/Written: 07/02/2008 11:26:27 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%%8271.1.1505.0{73E20FC4-2053-44E2-883C-60184552CE2D}Bryan-PCBryanS-1-5-21-331273825-1107932480-618443972-1000Unknown%%832drivere3860%%807

Event Record #/Type38308 / Warning
Event Submitted/Written: 07/02/2008 11:26:27 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%%8271.1.1505.0{C5F58289-9302-45F8-8572-722D201F4D74}Bryan-PCBryanS-1-5-21-331273825-1107932480-618443972-1000Unknown%%832service:lzx320%%807



-- End of Deckard's System Scanner: finished at 2008-07-02 23:28:07 ------------

[djmaddogfreak]

That is all, I am SOOO sorry for making 5 posts, i tried attaching but too large. I will look into the IMG files.

[djmaddogfreak]

Update:

I cant open or mount the img files, have tried every way that I can think of.

One of the suggestions I was made at work was that the trojan collected information, compiled it into .img files, uploaded, then destroyed the IP stack to cover it's tracks/be a pain in the a$$.
So when I get home today, i will run repair console from the windows disc and see if that rebuilds it for me.

Any comments?

[Saxon]

No problem DSS makes long complex logs so we allow as many as needed when it comes to them.

One of the security team will will be along asap to look over your new scan.

[Mak213]

Hello,

Alright i found some thigns that are of interest to me. But nothing that shows a virus that i can find for certain. So let me try a couple of things here.

Step1 | HiJack This

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - Error
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Step2 | CFScript

1. Please open Notepad

• Click Start, then Run
• Type "notepad.exe" in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:

Look::
C:\Windows\35C03C043F1F42C2A989A757EE691F65.TMP

File::
C:\Windows\system32\knmlmnmp.ini2

Folder::
C:\Users\Bryan\{abb64232-8e77-4158-a2fa-33cd4f769051}

3. Then in the text file go to FILE => SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/m...s/CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply

Logs needed in next post:

ComboFix Log

Cheers,
Mak

[djmaddogfreak]

I didnt get a chance to run these yet, but I did fix the ethernet problem. I turned off the power supply and then turned it back on, and the ethernet ports work fine.

[techpro5238]

I suggest you run the above script. The whole problem isn't gone