I posted earlier that I have problems with running gmer but I guess it was done and I just didn't know?
Anyway...
I ran mbam, super antivirus but still had problems, so I went to run the Kaspersky tool and thought it froze, so I did a force restart and now my computer can't get on the internet.
Tried previous restore point, didn't work.
Tried to reset tcp/ip things and registries but didn't work.
Tried to reinstall the tcp/ip protocol but it says "Driver not signed", so I tried to replace the tcpip.sys but it just reappears if you delete it, which makes me think I still have a virus.
Firewall won't start because it can't start shared services.
An old version of Viper rescue found a couple more infections but no change.
My CD drive also disappeared after the restart but I was able to uninstall and reinstall to get it back without reinstalling new drivers, but I did anyway for good measure.
I really think a virus is jacking with my tcp/ip driver, or maybe there is a system setting that needs to be adjusted? I may try uninstalling more programs.
Can you help?
Thanks in advance!
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Tiffany at 9:46:51 on 2011-08-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1624 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: {C4B8BAB4-1667-11DF-A242-BA9455D89593} - No File
BHO: {dbc80044-a445-435b-bc74-9c25c1c588a9} - Java Plug-In 2 SSV Helper
BHO: {E4E6BF2A-1667-11DF-A01F-1F9655D89593} - No File
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: itlntfy - itlnfw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\tiffany\application data\mozilla\firefox\profiles\i9vjsuhv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.bearshare.com/web?src=ffb&systemid=2&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\tiffany\application data\mozilla\firefox\profiles\i9vjsuhv.default\extensions\{59c6f12b-f004-43e5-9997-08f2123119b6}\components\dtTransparency.dll
FF - component: c:\documents and settings\tiffany\application data\mozilla\firefox\profiles\i9vjsuhv.default\extensions\{59c6f12b-f004-43e5-9997-08f2123119b6}\components\dtTransparency3.5.dll
FF - component: c:\documents and settings\tiffany\application data\mozilla\firefox\profiles\i9vjsuhv.default\extensions\{59c6f12b-f004-43e5-9997-08f2123119b6}\components\dtTransparency3.6.dll
FF - component: c:\documents and settings\tiffany\application data\mozilla\firefox\profiles\i9vjsuhv.default\extensions\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}\components\dtTransparency.dll
FF - component: c:\documents and settings\tiffany\application data\mozilla\firefox\profiles\i9vjsuhv.default\extensions\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}\components\dtTransparency3.5.dll
FF - component: c:\documents and settings\tiffany\application data\mozilla\firefox\profiles\i9vjsuhv.default\extensions\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}\components\dtTransparency3.6.dll
FF - component: c:\program files\bearshare applications\mediabar\datamngr\firefoxextension\components\DataMngrHlp.dll
FF - plugin: c:\documents and settings\tiffany\local settings\application data\yahoo!\browserplus\2.7.1\plugins\npybrowserplus_2.7.1.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Fantapper: FantapperExtension@brandaffinity.net - %profile%\extensions\FantapperExtension@brandaffinity.net
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Surf Canyon - Search Engine Assistant: {75623d5d-4683-402a-b610-ac4bab767c86} - %profile%\extensions\{75623d5d-4683-402a-b610-ac4bab767c86}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-8-12 93872]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-8-10 352656]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-20 136176]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2008-4-14 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-20 136176]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-12-28 30576]
.
=============== File Associations ===============
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-08-13 03:28:26 93872 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-13 03:28:26 27944 ----a-w- c:\windows\system32\sbbd.exe
2011-08-13 03:27:27 -------- d-----w- C:\VIPRERESCUE
2011-08-13 00:43:16 -------- d-----w- C:\SMCLpav
2011-08-12 22:57:21 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-08-12 22:57:21 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-12 12:48:26 7294 ----a-w- C:\cc_20110812_074819.reg 5.reg
2011-08-12 12:45:07 -------- d-----w- c:\documents and settings\tiffany\application data\simppulltoolbar
2011-08-12 12:23:16 30816 ----a-w- C:\cc_20110812_072309.reg 4.reg
2011-08-11 12:33:21 -------- d-----w- c:\documents and settings\tiffany\local settings\application data\PCHealth
2011-08-11 12:32:54 -------- d-----w- c:\program files\Microsoft Security Client
2011-08-11 06:55:24 79238 ----a-w- C:\cc_20110811_015516.reg 3.reg
2011-08-11 05:53:05 -------- d-----w- C:\ERDNT
2011-08-11 04:38:15 43408 --sha-w- c:\windows\system32\c_73654.nl_
2011-08-11 03:46:12 -------- d-----w- C:\2011-08-10 22-46-12
2011-08-11 03:36:46 -------- d-----w- c:\documents and settings\tiffany\application data\IObit
2011-08-11 03:36:44 -------- d-----w- c:\program files\IObit
2011-08-11 02:01:17 22730 ----a-w- C:\cc_20110810_210103.reg 2.reg
2011-08-11 01:28:59 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-11 01:28:59 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-10 23:49:38 -------- d-----w- c:\windows\system32\NtmsData
2011-08-10 22:27:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-10 20:35:27 52834 ----a-w- C:\cc_20110810_153509.reg
2011-08-10 19:17:07 -------- d-----w- c:\documents and settings\tiffany\application data\SUPERAntiSpyware.com
2011-08-10 19:17:07 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-08-10 19:17:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-10 18:56:38 54016 ----a-w- c:\windows\system32\drivers\dbelxox.sys
2011-08-10 18:24:17 -------- d-----w- c:\windows\system32\LogFiles
2011-08-10 18:23:03 -------- d-----w- c:\documents and settings\tiffany\application data\Malwarebytes
2011-08-10 18:22:57 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-10 18:22:57 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-10 18:22:54 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-10 18:22:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-10 18:21:17 -------- d-----w- c:\program files\CCleaner
2011-08-10 15:42:37 -------- d-----w- c:\windows\pss
2011-08-10 14:05:56 1134 ----a-w- C:\FixNCR.reg
.
==================== Find3M ====================
.
2011-08-10 20:40:36 256 ----a-w- c:\windows\system32\pool.bin
.
============= FINISH: 9:47:15.32 ===============
This post has been edited by Orange Blossom: 14 August 2011 - 03:03 PM
Reason for edit: Merged topics. ~ OB