31 replies to this topic

[bluespiderweb]

When I was closing out of the two Look windows, I found this in a notepad that I hadn't seen until I did:

SystemLook 30.07.11 by jpshortstuff
Log created at 18:36 on 21/08/2012 by Owner
Administrator - Elevation successful

========== Filefind ==========

Searching for "aspnet_state.exe "
C:\My Backup -- 23-04-07 0706\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe --a--c- 32768 bytes [16:49 15/07/2004] [16:49 15/07/2004] E1A1206A4FB19B675E947B29CCD25FBA
C:\Program Files\MSN\MSNCoreFiles\aspnet_state.exe --a---- 32768 bytes [18:08 21/08/2012] [19:43 20/08/2012] E1A1206A4FB19B675E947B29CCD25FBA
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0000\svc0000\aspnet_state.exe --a---- 32768 bytes [19:43 20/08/2012] [19:43 20/08/2012] E1A1206A4FB19B675E947B29CCD25FBA
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe --a---- 32768 bytes [16:49 15/07/2004] [16:49 15/07/2004] E1A1206A4FB19B675E947B29CCD25FBA

Searching for "mDNSResponder.exe "
C:\Program Files\Bonjour\mDNSResponder.exe --a---- 229376 bytes [19:17 24/07/2007] [19:17 24/07/2007] CFD4C3352E29A8B729536648466E8DF5
C:\Program Files\MSN\MSNCoreFiles\mDNSResponder.exe --a---- 73728 bytes [18:08 21/08/2012] [19:43 20/08/2012] 2D091A99624FB9E7EEF0A86D872EC0C3
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0001\svc0000\mDNSResponder.exe --a---- 229376 bytes [19:43 20/08/2012] [19:43 20/08/2012] CFD4C3352E29A8B729536648466E8DF5
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0004\svc0000\mDNSResponder.exe --a---- 73728 bytes [19:43 20/08/2012] [19:43 20/08/2012] 2D091A99624FB9E7EEF0A86D872EC0C3

Searching for "Cdr4_xp.sys "
C:\Program Files\MSN\MSNCoreFiles\Cdr4_xp.sys --a---- 2432 bytes [18:08 21/08/2012] [19:43 20/08/2012] BF79E659C506674C0497CC9C61F1A165
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0002\svc0000\Cdr4_xp.sys --a---- 2432 bytes [19:43 20/08/2012] [19:43 20/08/2012] BF79E659C506674C0497CC9C61F1A165
C:\WINDOWS\system32\drivers\cdr4_xp.sys ------- 2432 bytes [00:27 11/11/2004] [23:42 09/07/2008] BF79E659C506674C0497CC9C61F1A165

Searching for "mDNSResponder.exe "

and there it ended, blinking cursor after. Don't know if it was still searching or not.

Anyway, thanks for trying to help.

[MrCharlie]

So far the files it copied are in the correct place.

Stop System Look
and start over using this script:



:Filefind
mDNSResponder.exe
PRISMXL.SYS
sp_rsdrv2.sys
sunkfilt.sys
wanmpsvc.exe
WLSetupSvc.exe


MrC

[bluespiderweb]

OK, great, and thanks Mr C for not giving up on me! I know it's trying for your expertise, but I do appreciate your help very much.

I did as you suggested, exited and restarted Look with those search parameters you gave. I have to go out for a bit, but will report the findings when I return.

B

[bluespiderweb]

OK, back again, here's the result of the Look search in Notepad:

SystemLook 30.07.11 by jpshortstuff
Log created at 20:04 on 21/08/2012 by Owner
Administrator - Elevation successful

========== Filefind ==========

Searching for "mDNSResponder.exe"
C:\Program Files\Bonjour\mDNSResponder.exe --a---- 229376 bytes [19:17 24/07/2007] [19:17 24/07/2007] CFD4C3352E29A8B729536648466E8DF5
C:\Program Files\MSN\MSNCoreFiles\mDNSResponder.exe --a---- 73728 bytes [18:08 21/08/2012] [19:43 20/08/2012] 2D091A99624FB9E7EEF0A86D872EC0C3
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0001\svc0000\mDNSResponder.exe --a---- 229376 bytes [19:43 20/08/2012] [19:43 20/08/2012] CFD4C3352E29A8B729536648466E8DF5
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0004\svc0000\mDNSResponder.exe --a---- 73728 bytes [19:43 20/08/2012] [19:43 20/08/2012] 2D091A99624FB9E7EEF0A86D872EC0C3

Searching for "PRISMXL.SYS"
C:\My Backup -- 23-04-07 0706\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS --a--c- 172032 bytes [16:03 11/05/2005] [16:05 11/05/2005] 33D7285F12D934268A34206DFC4AD1B3
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS --a---- 172032 bytes [15:22 23/04/2007] [15:24 23/04/2007] 33D7285F12D934268A34206DFC4AD1B3
C:\Program Files\MSN\MSNCoreFiles\PRISMXL.SYS --a---- 172032 bytes [18:08 21/08/2012] [19:43 20/08/2012] 33D7285F12D934268A34206DFC4AD1B3
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0005\svc0000\PRISMXL.SYS --a---- 172032 bytes [19:43 20/08/2012] [19:43 20/08/2012] 33D7285F12D934268A34206DFC4AD1B3

Searching for "sp_rsdrv2.sys"
C:\Program Files\MSN\MSNCoreFiles\sp_rsdrv2.sys --a---- 32768 bytes [18:08 21/08/2012] [19:43 20/08/2012] 7B426B8E809EDF081D771EF429345528
C:\Program Files\Spyware Terminator\Driver\sp_rsdrv2.sys --a---- 32768 bytes [16:24 21/06/2011] [16:24 21/06/2011] 7B426B8E809EDF081D771EF429345528
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0006\svc0000\sp_rsdrv2.sys --a---- 32768 bytes [19:43 20/08/2012] [19:43 20/08/2012] 7B426B8E809EDF081D771EF429345528
C:\WINDOWS\system32\drivers\sp_rsdrv2.sys --a---- 32768 bytes [18:11 05/03/2012] [16:24 21/06/2011] 7B426B8E809EDF081D771EF429345528

Searching for "sunkfilt.sys"
C:\My Backup -- 23-04-07 0706\WINDOWS\system32\drivers\Sunkfilt.sys --a--c- 36804 bytes [00:41 16/11/2004] [00:41 16/11/2004] 86CA1A5C15A5A98D5533945FB1120B05
C:\Program Files\MSN\MSNCoreFiles\sunkfilt.sys --a---- 36804 bytes [18:08 21/08/2012] [19:43 20/08/2012] 86CA1A5C15A5A98D5533945FB1120B05
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0007\svc0000\sunkfilt.sys --a---- 36804 bytes [19:43 20/08/2012] [19:43 20/08/2012] 86CA1A5C15A5A98D5533945FB1120B05
C:\WINDOWS\system32\drivers\Sunkfilt.sys --a---- 36804 bytes [00:41 16/11/2004] [00:41 16/11/2004] 86CA1A5C15A5A98D5533945FB1120B05

Searching for "wanmpsvc.exe"
C:\Program Files\Common Files\AOL\ACS\wanmpsvc.exe --a--c- 65536 bytes [15:37 23/04/2007] [17:29 27/08/2003] EB9A99AB5D17B1727034FF191E6448D7
C:\Program Files\MSN\MSNCoreFiles\wanmpsvc.exe --a---- 65536 bytes [18:08 21/08/2012] [19:43 20/08/2012] EB9A99AB5D17B1727034FF191E6448D7
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0008\svc0000\wanmpsvc.exe --a---- 65536 bytes [19:43 20/08/2012] [19:43 20/08/2012] EB9A99AB5D17B1727034FF191E6448D7
C:\WINDOWS\wanmpsvc.exe --a---- 65536 bytes [10:19 25/04/2007] [17:29 27/08/2003] EB9A99AB5D17B1727034FF191E6448D7

Searching for "WLSetupSvc.exe "
C:\Program Files\MSN\MSNCoreFiles\WLSetupSvc.exe --a---- 266240 bytes [18:08 21/08/2012] [19:43 20/08/2012] 94A85E956A065E23E0010A6A7826243B
C:\Program Files\Windows Live\installer\WLSetupSvc.exe --a---- 266240 bytes [20:27 25/10/2007] [20:27 25/10/2007] 94A85E956A065E23E0010A6A7826243B
C:\TDSSKiller_Quarantine\20.08.2012_15.34.04\susp0009\svc0000\WLSetupSvc.exe --a---- 266240 bytes [19:43 20/08/2012] [19:43 20/08/2012] 94A85E956A065E23E0010A6A7826243B

-= EOF =-

[MrCharlie]

OK, well done........all the files are where they should be.

Next........


Download TFC to your desktop
Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean

Let me know when you're done with this.

Gone for tonight, MrC

[bluespiderweb]

Alright, that's done. It sure seemed to take out the trash, from what I saw on the scan details! And more good news, it seems the computer is now operating normally-no more hard running to be heard at idle. I did have to reboot one more time since I could not sign in on AOL, but all OK after that.

Would you suggest anything else? And, can I get rid of anything on the desktop that I don't need from the downloads before that you suggested?

For instance, I have 4 different notepads on the desktop now, from Look, System Look, RK report and dds. I also have the RK Quarantine folder. Can I send them to the recycle bin, or is there anything there I should keep?

I will keep the programs that were downloaded for this, at your suggestion in case I need them again later.

Thanks MrC!
B

[MrCharlie]

bluespiderweb, on 21 August 2012 - 10:53 PM, said:

Alright, that's done. It sure seemed to take out the trash, from what I saw on the scan details! And more good news, it seems the computer is now operating normally-no more hard running to be heard at idle. I did have to reboot one more time since I could not sign in on AOL, but all OK after that.

Great!

Quote

Would you suggest anything else? And, can I get rid of anything on the desktop that I don't need from the downloads before that you suggested?

For instance, I have 4 different notepads on the desktop now, from Look, System Look, RK report and dds. I also have the RK Quarantine folder. Can I send them to the recycle bin, or is there anything there I should keep?

I will keep the programs that were downloaded for this, at your suggestion in case I need them again later.

No delete them (You can keep TFC and use it once in a while to clean out temp files)

~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /



Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com
http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[bluespiderweb]

Great, thanks MrC! I didn't download Combofix, so just proceeded to run the OTL cleanup. It's still a big mystery to me what happened, and to my surprise this morning the computer was still running hard when I got up (didn't shut it down last night), and I had to reboot 2 times until it stabilized again. The first time, AOL would not sign on, but the second time it worked.

So far, after all, no more problems with it running hard as before. Guess maybe I will continue to shut it down whenever I can, especially overnight?

By the way, how do I uninstall Look that is still on my desktop? Can I just send it to the recycle bin, or do I need to do more?

B

[MrCharlie]

Quote

By the way, how do I uninstall Look that is still on my desktop? Can I just send it to the recycle bin, or do I need to do more?

Put it in the recycle bin.

Windows needs to be shut down everyday and started back up, don't leave it running all the time.

MrC

[bluespiderweb]

Thank you MrC, much obliged. I also appreciate you hanging in there with me over the rough spots!

Be well,
B

[MrCharlie]

OK...Take Care MrC

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!