Kenact
I have an XP Pro pc sp3, recently infected, cleaned with combofix, along with
the help of several Sysinternals utilities.
McAfee & Symantec have both been uninstalled. AVG Pro has been installed
without the firewall component. Windows firewall is turned off.
I'm able to get to the pc through Manage Computer and Regedit. Rebooted
several times using Shutdown -m \\pc-name -r.
Registry has been checked:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
AllowTSConnections - 1
DeleteTempDirsOnExit - 0
fAllowToGetHelp - 1
fDenyTSConnections - 0
fEnableSalem - 1
fInHelpMode - 0
FirstCountMsgQPeeksSleepBadApp - f
fWritableTSCCPermTab - 0
IdleWinStationPoolCount - 0
Modems With Bad DSR - MultiTech MultiModem MT2834
                      MultiTech MultiModem MT2834ZDX
                      MultiTech MT2834
                      MultiTech MT2834ZDX
                      MultiTech 2834
                      MultiTech 2834ZDX
MsgQBadAppSleepTimeInMillisec - 1
NthCountMsgQPeeksSleepBadApp - 5
PerSessionTempDir - 0
ProductVersion - 5.1
TSAdvertise - 0
TSAppCompat - 0
TSEnabled - 1
TSUserEnabled - 0
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List:
3389:TCP - 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List:
3389:TCP - 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
Telnet to 3389 fails
Tried nVidia registry hack, no help.
I have not been able to get to the physical pc to see if .Net 3 is installed.
RDP was working prior to and during the time the pc was infected. Current
AV scans on the pc and from a remote pc show no infections.
Anyone have any clues?
Thanks,
Ken
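The post above checks the machine-wide fDenyTSConnections switch and the firewall port list, but on XP a working RDP listener also depends on the Group Policy override key, the RDP-Tcp WinStation key (port, enable flag, adapter binding), the TermService service, and termsrv.dll itself, all of which malware cleanup can disturb. The script below is an added example, not code from the original post or from any of the tools it mentions: run it from the admin workstation (PowerShell 2.0 or later) against the remote XP box the same way Ken already reaches it with remote Regedit and Manage Computer. It assumes the target name in $Computer is a placeholder, that the RemoteRegistry service is running on the target, and that the caller has administrative rights there (needed for the C$ share and the registry). It then reports every check in one table and ends with a timed TCP connect to whatever port the registry says the listener should be on.

```powershell
# Added example: remote RDP listener triage for an XP SP3 target.
# Assumptions (not from the original post): $Computer is a placeholder name,
# RemoteRegistry is running on the target, and this account is a local admin there.
param([string]$Computer = 'pc-name')

$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)

# Read one value from a remote HKLM subkey; $null if the key or value is absent.
function Get-RemoteValue([string]$Path, [string]$Name) {
    $key = $hklm.OpenSubKey($Path)
    if ($key -eq $null) { return $null }
    $v = $key.GetValue($Name)
    $key.Close()
    return $v
}

$results = @()
function Add-Check([string]$What, $Actual, [bool]$Ok) {
    $script:results += New-Object PSObject -Property @{ Check = $What; Actual = $Actual; OK = $Ok }
}

# 1. Machine-wide switch plus the Group Policy key, which overrides it when present.
$deny    = Get-RemoteValue 'SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
$polDeny = Get-RemoteValue 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'fDenyTSConnections'
Add-Check 'fDenyTSConnections (machine)' $deny    ($deny -eq 0)
Add-Check 'fDenyTSConnections (policy)'  $polDeny ($polDeny -eq $null -or $polDeny -eq 0)

# 2. The RDP-Tcp listener: must exist, be enabled, bind all adapters, use the expected port.
$ws      = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port    = Get-RemoteValue $ws 'PortNumber'
$enabled = Get-RemoteValue $ws 'fEnableWinStation'
$adapter = Get-RemoteValue $ws 'LanAdapter'
Add-Check 'RDP-Tcp key present'       ($port -ne $null) ($port -ne $null)
Add-Check 'RDP-Tcp fEnableWinStation' $enabled          ($enabled -eq 1)
Add-Check 'RDP-Tcp PortNumber'        $port             ($port -eq 3389)
Add-Check 'RDP-Tcp LanAdapter'        $adapter          ($adapter -eq $null -or $adapter -eq 0)

# 3. The service that owns the listener. Start=4 means disabled (2 auto, 3 manual).
$svcStart = Get-RemoteValue 'SYSTEM\CurrentControlSet\Services\TermService' 'Start'
$svc      = Get-WmiObject Win32_Service -ComputerName $Computer -Filter "Name='TermService'"
Add-Check 'TermService Start value' $svcStart  ($svcStart -ne $null -and $svcStart -ne 4)
Add-Check 'TermService state'       $svc.State ($svc.State -eq 'Running')

# 4. termsrv.dll on disk: both malware and "concurrent session" patches replace it,
#    and a cleanup tool can remove a patched copy. Locate it via the remote SystemRoot.
$sysroot = Get-RemoteValue 'SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'SystemRoot'   # e.g. C:\WINDOWS
$dll = "\\$Computer\" + ($sysroot -replace '^([A-Za-z]):', '$1$$') + '\system32\termsrv.dll'
if (Test-Path $dll) {
    $fi = Get-Item $dll
    Add-Check 'termsrv.dll' "$($fi.VersionInfo.FileVersion), $($fi.Length) bytes, modified $($fi.LastWriteTime)" $true
} else {
    Add-Check 'termsrv.dll' 'missing' $false
}

# 5. Is anything actually listening? Use a timeout so a silently dropped SYN does not hang.
function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    $ar   = $client.BeginConnect($Target, $Port, $null, $null)
    $done = $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
    $open = $done -and $client.Connected
    $client.Close()
    return $open
}
$p = if ($port) { [int]$port } else { 3389 }
$reachable = Test-TcpPort $Computer $p
Add-Check "TCP $p reachable" $reachable $reachable

$hklm.Close()
$results | Format-Table Check, Actual, OK -AutoSize
```

If every registry check passes and TermService is running but the port is still unreachable, the listener is not binding: confirm with `psexec \\pc-name netstat -ano` (Sysinternals is already in use on this box) and run `sfc /scannow` on the target to restore a replaced termsrv.dll. A modified or missing termsrv.dll on a machine that was recently compromised is also the point at which reinstalling the OS is the conservative choice, since no amount of AV scanning proves the remaining binaries are clean.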