Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Lost internet access after ScanSpyware scan


  • Please log in to reply
11 replies to this topic

#1 sharkbait

sharkbait

  • Validating
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida, USA
  • Local time:02:24 AM

Posted 06 March 2012 - 10:03 AM

I scanned my computer with ScanSpyware (shame on me) and have lost my internet access. I reinstalled Int Expl 8 but it still doesn't work. I had system restore off (shame on me).I had used ScanSpyware before with no problem. This time it wiped out operating system files it seems (I can't find explorer.exe for example). I normally run Malawarebytes and Superantispyware religiously.
My wireless connection icon indicates connection to the internet but going into IE returns: "Internet expl. cannot display this webpage"
Below are the "ScanSpyware log" and the "Diagnose Connection Problems" results. Thank you in advance. I'm new to this website so I hope I'm doing this right.
Regards, Sharkbait


Application Version: ScanSpyware v3.8 build 3.8.0.4

Original Database: pests03-07-06.db

Updated Database: ssdb030312.db

Current Date: Saturday, March 03, 2012 09:16:14 AM

Directories recognized:

Files recognized:

[Trojan.Ransom.E]

C:\WINDOWS\system32\dllcache\explorer.exe

[Trojan.Ransom.F]

C:\WINDOWS\system32\dllcache\taskmgr.exe

[Trojan.Ransom.F]

C:\WINDOWS\system32\dllcache\userinit.exe

Registry keys recognized:
=========================

[RootKit.ZeroAccess.B]

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsapint

[RootKit.ZeroAccess.B]

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vsapint

[RootKit.ZeroAccess.B]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsapint

[RootKit.ZeroAccess]

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DNE

[RootKit.ZeroAccess]

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DNE

[RootKit.ZeroAccess]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNE

[RootKit.ZeroAccess]

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mdmxsdk

[RootKit.ZeroAccess]

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mdmxsdk

[RootKit.ZeroAccess]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdmxsdk

[RootKit.ZeroAccess.L]

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dlapoolm

[RootKit.ZeroAccess.L]

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\dlapoolm

[RootKit.ZeroAccess.L]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dlapoolm


EXPLORER DIAGNOSTICS:

Last diagnostic run time: 03/05/12 08:49:47
Network Adapter Diagnostic
Network location detection

info Network location could not be detected
action User input required: Select network location
info Using home Internet connection
Network adapter identification

info Network connection: Name=Local Area Connection, Device=Broadcom NetXtreme 57xx Gigabit Controller, MediaType=LAN, SubMediaType=LAN
info Network connection: Name=Wireless Network Connection 2, Device=Dell Wireless 1370 WLAN Mini-PCI Card, MediaType=LAN, SubMediaType=WIRELESS
info Network connection: Name=Local Area Connection 2, Device=Cisco Systems VPN Adapter, MediaType=LAN, SubMediaType=LAN
warn This machine has more than one Ethernet or more than one Wireless adapter
info Redirecting user to support call

HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved
warn FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved
error Could not make an HTTP connection.
error Could not make an HTTPS connection.
error Could not make an FTP connection.

Edited by hamluis, 06 March 2012 - 10:21 AM.
Moved from XP to Am I Infected.


BC AdBot (Login to Remove)

 


#2 TheShooter93

TheShooter93

    Cody


  • Malware Study Hall Senior
  • 4,183 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:02:24 AM

Posted 06 March 2012 - 11:54 AM

Hi,

After performing these scans, enter the results in your next post and also update me on the status of the PC.

Note: You may have to perform some or all of the following in Safe Mode With Networking, depending on if you have internet access while in the normal Windows environment.

You can also transfer the installers from a working computer to the infected computer via flash drive.

================================================================================

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

================================================================================

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

================================================================================

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

================================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.

Network+ Certified | Senior at UCF pursuing Information Technology B.S. | System Administrator

Please note that I am currently in training. All malware related posts must first be approved by an instructor. This may cause a delay.


#3 sharkbait

sharkbait
  • Topic Starter

  • Validating
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida, USA
  • Local time:02:24 AM

Posted 06 March 2012 - 12:55 PM

Thank you so much for your quick response; I'll follow your instructions ASAP.

#4 TheShooter93

TheShooter93

    Cody


  • Malware Study Hall Senior
  • 4,183 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:02:24 AM

Posted 06 March 2012 - 04:04 PM

Sounds good. :thumbup2:

Network+ Certified | Senior at UCF pursuing Information Technology B.S. | System Administrator

Please note that I am currently in training. All malware related posts must first be approved by an instructor. This may cause a delay.


#5 sharkbait

sharkbait
  • Topic Starter

  • Validating
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida, USA
  • Local time:02:24 AM

Posted 07 March 2012 - 11:00 AM

I can't disable Trend Micro Office Scan as this is my old corporate computer and it requires a password. I haven't run GMER for that reason. Would running GMER in safe mode help? Also, after installing the newest version of Malwarebytes (using a fake .exe name), the mbam-rules.exe did not update the database and I would get an error ".....database corrupted or missing". I uninstalled and reinstalled MB and ran the quick-scan per your instructions using the database that came in the installer. I have just found out that the rules.exe won't work with the version 1.6 and newer of MB. Should I install a version older than 1.6 and redo? I tryied finding the actual rules.ref file which I could manually copy in the proper MB folder but I can't find it as a stand-alone file but as a rules.exe. Please advise.

Scan results:


Results of screen317's Security Check version 0.99.31
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware
Adobe Reader X (10.1.2)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Trend Micro OfficeScan Client pccntmon.exe
Windows Defender MsMpEng.exe
Trend Micro OfficeScan Client ntrtscan.exe
Trend Micro OfficeScan Client tmlisten.exe
Trend Micro OfficeScan Client CNTAoSMgr.exe
Trend Micro OfficeScan Client TmProxy.exe
Trend Micro BM TMBMSRV.exe
``````````End of Log````````````

MiniToolBox by Farbar Version: 18-01-2012
Ran by pevargas (administrator) on 06-03-2012 at 13:11:35
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com

There are 13140 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

Dell Wireless 1370 WLAN Mini-PCI Card = Wireless Network Connection 2 (Disconnected)
Cisco Systems VPN Adapter = Local Area Connection 2 (Disconnected)
Broadcom NetXtreme 57xx Gigabit Controller = Local Area Connection (Media disconnected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip



popd
# End of interface IP configuration




Windows IP Configuration



Server: UnKnown
Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host bleepingcomputer.com. Please check the name and try again.



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\system32\BarracudaWSA.dll [368000] (Barracuda Networks)
Catalog9 02 C:\WINDOWS\system32\BarracudaWSA.dll [368000] (Barracuda Networks)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 21 C:\WINDOWS\system32\BarracudaWSA.dll [368000] (Barracuda Networks)

========================= Event log errors: ===============================

Application errors:
==================
Error: (03/06/2012 08:34:26 AM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for MEGTEC\pevargas failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Error: (03/06/2012 08:33:34 AM) (Source: UserInit) (User: )
Description: Could not execute the following script \\megtec.com\netlogon\AddTrustedSites.vbs. The network location cannot be reached. For information about network troubleshooting, see Windows Help.
.

Error: (03/06/2012 08:33:09 AM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Error: (03/06/2012 08:32:46 AM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Error: (03/06/2012 08:32:46 AM) (Source: UserInit) (User: )
Description: Could not execute the following script \\megtec.com\netlogon\Barracuda\WebAgent.vbs. The network location cannot be reached. For information about network troubleshooting, see Windows Help.
.

Error: (03/06/2012 08:32:46 AM) (Source: UserInit) (User: )
Description: Could not execute the following script \\Megtec.com\netlogon\AddTrustedSites.vbs. The network location cannot be reached. For information about network troubleshooting, see Windows Help.
.

Error: (03/06/2012 08:32:32 AM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Error: (03/05/2012 04:42:03 PM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for MEGTEC\pevargas failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Error: (03/05/2012 04:40:52 PM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Error: (03/05/2012 09:00:53 AM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 8024001f, P2 endsearch, P3 search, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.


System errors:
=============
Error: (03/06/2012 00:59:14 PM) (Source: NETLOGON) (User: )
Description: No Domain Controller is available for domain MEGTEC due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Error: (03/06/2012 08:32:41 AM) (Source: Service Control Manager) (User: )
Description: The Cisco Systems IPsec Driver service depends on the following nonexistent service: DNE

Error: (03/06/2012 08:32:41 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd

Error: (03/06/2012 08:32:39 AM) (Source: Service Control Manager) (User: )
Description: The Cisco Systems IPsec Driver service depends on the following nonexistent service: DNE

Error: (03/06/2012 08:32:32 AM) (Source: NETLOGON) (User: )
Description: No Domain Controller is available for domain MEGTEC due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Error: (03/05/2012 05:08:47 PM) (Source: NETLOGON) (User: )
Description: No Domain Controller is available for domain MEGTEC due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Error: (03/05/2012 08:41:51 AM) (Source: Windows Update Agent) (User: )
Description: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Error: (03/05/2012 08:40:46 AM) (Source: Service Control Manager) (User: )
Description: The Cisco Systems IPsec Driver service depends on the following nonexistent service: DNE

Error: (03/05/2012 08:40:46 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd

Error: (03/05/2012 08:40:43 AM) (Source: Service Control Manager) (User: )
Description: The Cisco Systems IPsec Driver service depends on the following nonexistent service: DNE


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
Adobe Reader X (10.1.2) (Version: 10.1.2)
Akamai NetSession Interface
Google Update Helper (Version: 1.3.21.99)
Revo Uninstaller 1.89 (Version: 1.89)
SUPERAntiSpyware (Version: 5.0.1108)
Web Security Agent (Version: 4.2.1.20)
Windaq194
Windows Internet Explorer 8 (Version: 20090308.140743)

========================= Memory info: ===================================

Percentage of memory in use: 71%
Total physical RAM: 503.36 MB
Available physical RAM: 145.16 MB
Total Pagefile: 1227.83 MB
Available Pagefile: 775.05 MB
Total Virtual: 2047.88 MB
Available Virtual: 1971.29 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:37.25 GB) (Free:19.59 GB) NTFS

========================= Users: ========================================

User accounts for \\XPVERO-08

Administrator ASPNET Guest
HelpAssistant SUPPORT_388945a0


**** End of log ****


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/06/2012 at 03:18 PM

Application Version : 5.0.1144

Core Rules Database Version : 8307
Trace Rules Database Version: 6119

Scan type : Complete Scan
Total Scan Time : 00:54:25

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 272
Memory threats detected : 0
Registry items scanned : 34804
Registry threats detected : 0
File items scanned : 102617
File threats detected : 0


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.01.13.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
pevargas :: XPVERO-08 [administrator]

3/6/2012 4:21:04 PM
mbam-log-2012-03-06 (16-21-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 232920
Time elapsed: 13 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Thanks again.

#6 TheShooter93

TheShooter93

    Cody


  • Malware Study Hall Senior
  • 4,183 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:02:24 AM

Posted 07 March 2012 - 05:19 PM

How are things looking now?

Network+ Certified | Senior at UCF pursuing Information Technology B.S. | System Administrator

Please note that I am currently in training. All malware related posts must first be approved by an instructor. This may cause a delay.


#7 sharkbait

sharkbait
  • Topic Starter

  • Validating
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida, USA
  • Local time:02:24 AM

Posted 08 March 2012 - 10:13 AM

My PC still doesn't connect......could this be related to missing files (removed by the Scanspyware that started this whole thing?; my first attachment). I can't find explorer.exe nor userinit.exe in C:\windows\system32\dllcache\; taskmgr is there though.
Regards,

Sharkbait

#8 TheShooter93

TheShooter93

    Cody


  • Malware Study Hall Senior
  • 4,183 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:02:24 AM

Posted 08 March 2012 - 10:36 AM

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Network+ Certified | Senior at UCF pursuing Information Technology B.S. | System Administrator

Please note that I am currently in training. All malware related posts must first be approved by an instructor. This may cause a delay.


#9 sharkbait

sharkbait
  • Topic Starter

  • Validating
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida, USA
  • Local time:02:24 AM

Posted 08 March 2012 - 12:25 PM

Farbar Service Scanner Version: 01-03-2012
Ran by pevargas (administrator) on 08-03-2012 at 12:18:36
Running from "C:\Documents and Settings\pevargas\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice: "C:\WINDOWS\system32\srsvc.dll".

sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".


System Restore Disabled Policy:
========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=DWORD:1


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) irda(11) NetBT(6) PSched(7) s24trans(8) Tcpip(4)
0x0B0000000500000001000000020000000300000004000000060000000700000008000000090000000A0000000B000000
IpSec Tag value is correct.

**** End of log ****

#10 TheShooter93

TheShooter93

    Cody


  • Malware Study Hall Senior
  • 4,183 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:02:24 AM

Posted 08 March 2012 - 01:09 PM

TCP/IP stack repair options for use with Windows XP with SP2/SP3

Start, Run, CMD to open a command prompt:

In the command prompt window that opens, type the following commands, each followed by the Enter key:

Note: Type only the text in bold for the following commands.

Reset TCP/IP stack to installation defaults, type: netsh int ip reset reset.log

Reset WINSOCK entries to installation defaults, type: netsh winsock reset catalog

Reboot the machine.

Network+ Certified | Senior at UCF pursuing Information Technology B.S. | System Administrator

Please note that I am currently in training. All malware related posts must first be approved by an instructor. This may cause a delay.


#11 sharkbait

sharkbait
  • Topic Starter

  • Validating
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida, USA
  • Local time:02:24 AM

Posted 08 March 2012 - 01:37 PM

You are a Genious!....It works...!
I can't thank you enough.
I've created a restore point after this fix.....
Best of luck to you,
Paul

#12 TheShooter93

TheShooter93

    Cody


  • Malware Study Hall Senior
  • 4,183 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:02:24 AM

Posted 08 March 2012 - 02:39 PM

You're welcome.

Network+ Certified | Senior at UCF pursuing Information Technology B.S. | System Administrator

Please note that I am currently in training. All malware related posts must first be approved by an instructor. This may cause a delay.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users