BleepingComputer.com: Zero Access Worm/Trojan also Crypt

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Zero Access Worm/Trojan also Crypt Cant get rid of it

#1 User is offline   andernamen 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 13
  • Joined: 13-January 12

Posted 03 February 2012 - 11:05 PM

Sorry, I read the sticky too late. I already ran combofix and malware bytes. The computer seems to work, but as the virus name implies, I have no access to the internet through this one computer. All others on the router are fine. I was browsing on the internet, heard a strange beep and then the disk drive started making noise. I figured something was up and then immediately started to have error messages from AVG. I next ran AVG and it said the virus couldn't be removed. I ended up uninstalling AVG in order for some of the diagnostics to work. Also, had no firewall at time of infection. It is up now, though (too late!) Ran DDS and GMER. Logs are attached. Thanks in advance for any help. Jim

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Compaq_Owner at 22:17:08 on 2012-02-03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.337 [GMT -5:00]
.
FW: ZoneAlarm Free Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
svchost.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\VERIZONDM\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\VERIZONDM\bin\tgsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\VERIZONDM\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [VERIZONDM] "c:\program files\verizondm\bin\sprtcmd.exe" /P VERIZONDM
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [SetDefPrt] c:\program files\brother\brmfl06a\BrStDvPt.exe
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Cobian Backup 10 Interface] "c:\program files\cobian backup 10\cbInterface.exe" -service
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
.
============= SERVICES / DRIVERS ===============
.
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-12-18 525840]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2012-1-13 67584]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-11-3 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-11-3 497280]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\verizondm\bin\sprtsvc.exe [2011-2-1 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\verizondm\bin\tgsrvc.exe [2011-2-1 185640]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [2010-4-1 529440]
S2 CobianBackup10;Cobian Backup 10;c:\program files\cobian backup 10\cbService.exe [2012-1-13 1125376]
.
=============== Created Last 30 ================
.
2012-02-04 02:59:53 -------- d-----w- c:\documents and settings\compaq_owner\application data\CheckPoint
2012-02-04 02:59:27 -------- d-----w- c:\documents and settings\all users\application data\CheckPoint
2012-02-04 02:34:05 -------- d-----w- c:\program files\CheckPoint
2012-02-01 00:41:34 -------- d-----w- c:\documents and settings\compaq_owner\local settings\application data\WMTools Downloaded Files
2012-01-13 17:27:41 -------- d-----w- c:\documents and settings\compaq_owner\local settings\application data\Safe mirror
2012-01-13 17:24:58 -------- d-----w- c:\program files\Cobian Backup 10
2012-01-13 17:11:07 -------- d-----w- C:\temp
2012-01-13 15:21:51 -------- d-s---w- C:\ComboFix
2012-01-13 13:39:50 98816 ----a-w- c:\windows\sed.exe
2012-01-13 13:39:50 518144 ----a-w- c:\windows\SWREG.exe
2012-01-13 13:39:50 256000 ----a-w- c:\windows\PEV.exe
2012-01-13 13:39:50 208896 ----a-w- c:\windows\MBR.exe
2012-01-13 02:40:12 -------- d-----w- c:\documents and settings\compaq_owner\application data\Malwarebytes
2012-01-13 02:40:02 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-13 02:39:58 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-13 02:39:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2012-01-19 12:50:11 60416 -c--a-w- c:\windows\ALCFDRTM.VER
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
.
============= FINISH: 22:17:55.14 ===============

Attached File(s)

  • Attached File  dds.txt (8.52K)
    Number of downloads: 3
  • Attached File  ark.txt (80.46K)
    Number of downloads: 1

This post has been edited by Noviciate: 04 February 2012 - 03:23 PM
Reason for edit: Added DDS from attachment

#2 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 05 February 2012 - 12:35 AM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

    In your next post I need the following

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#3 User is offline   andernamen 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 13
  • Joined: 13-January 12

Posted 05 February 2012 - 02:33 PM

Gringo,

This is the original Combo Fix log that was run before I was told to do so. My current version says it is expired and will not run. If you need, I can download again and run again.

ComboFix 12-01-13.01 - Compaq_Owner 01/13/2012 8:50.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.570 [GMT -5:00]
Running from: K:\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\040t51n704130no0dn630uo
c:\documents and settings\Compaq_Owner\Templates\040t51n704130no0dn630uo
c:\documents and settings\Compaq_Owner\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\windows\$NtUninstallKB38406$\1380959305\@
c:\windows\$NtUninstallKB38406$\1380959305\bckfg.tmp
c:\windows\$NtUninstallKB38406$\1380959305\cfg.ini
c:\windows\$NtUninstallKB38406$\1380959305\Desktop.ini
c:\windows\$NtUninstallKB38406$\1380959305\keywords
c:\windows\$NtUninstallKB38406$\1380959305\kwrd.dll
c:\windows\$NtUninstallKB38406$\1380959305\L\saydefjg
c:\windows\$NtUninstallKB38406$\1380959305\lsflt7.ver
c:\windows\$NtUninstallKB38406$\1380959305\U\00000001.@
c:\windows\$NtUninstallKB38406$\1380959305\U\00000002.@
c:\windows\$NtUninstallKB38406$\1380959305\U\00000004.@
c:\windows\$NtUninstallKB38406$\1380959305\U\80000000.@
c:\windows\$NtUninstallKB38406$\1380959305\U\80000004.@
c:\windows\$NtUninstallKB38406$\1380959305\U\80000032.@
c:\windows\$NtUninstallKB38406$\3623065673
c:\windows\EventSystem.log
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\ps2.bat
c:\windows\system32\SETA.tmp
c:\windows\TEMP\MPENGINE.DLL
c:\windows\TEMP\offreg.dll
c:\windows\$NtUninstallKB38406$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))
.
.
2012-01-13 13:51 . 2012-01-13 13:51 -------- d-----w- c:\windows\LastGood.Tmp
2012-01-13 02:40 . 2012-01-13 02:40 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2012-01-13 02:40 . 2012-01-13 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-13 02:39 . 2012-01-13 02:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-13 02:39 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-26 23:46 . 2011-12-26 23:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Leadertech
2011-12-26 23:46 . 2011-12-26 23:46 -------- d-----w- c:\program files\epson
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2004-08-29 18:24 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-29 18:24 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-29 18:22 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-04 19:20 . 2004-08-29 18:24 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-29 18:21 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-29 18:21 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-29 18:21 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-29 18:22 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-03 15:28 . 2004-08-29 18:22 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-01 16:07 . 2004-08-29 18:22 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-29 18:20 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2004-08-29 18:22 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 05:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-29 18:21 186880 ----a-w- c:\windows\system32\encdec.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[-] 2008-04-14 04:49 . A4E2CE9BFC36045184AAA66EA8759350 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[-] 2008-04-14 04:49 . A4E2CE9BFC36045184AAA66EA8759350 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Facebook Update"="c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2011-09-08 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-12 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 50176]
"SoundMan"="SOUNDMAN.EXE" [2004-07-02 73728]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-02-01 206120]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"Alcmtr"="ALCMTR.EXE" [2004-07-03 57344]
.
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
.
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 4:54 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 4:54 AM 185640]
R3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [4/1/2010 1:38 AM 529440]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-01-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1799627171-2638610152-1011148612-1009Core.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-09-08 19:44]
.
2012-01-13 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1799627171-2638610152-1011148612-1009UA.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-09-08 19:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
HKLM-Run-VTTimer - VTTimer.exe
HKLM-Run-IS CfgWiz - c:\program files\Common Files\Symantec Shared\cfgwiz.exe
AddRemove-Verizon Yahoo! Applications - c:\progra~1\Yahoo!\Common\uninstall.exe
AddRemove-Yahoo! Toolbar - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-13 09:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2256)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SOUNDMAN.EXE
c:\windows\AGRSMMSG.exe
c:\windows\ALCWZRD.EXE
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\SoftwareDistribution\Download\4baee9a5e6a1a391704161d012a4c8a7\update\update.exe
.
**************************************************************************
.
Completion time: 2012-01-13 09:02:33 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-13 14:02
.
Pre-Run: 33,837,436,928 bytes free
Post-Run: 33,853,149,184 bytes free
.
- - End Of File - - 4F70A61EE220DFEE19F9B0E260259A13

#4 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 05 February 2012 - 02:58 PM

Hello

I would like you to download an updated version of combofix.

update combofix

    Delete the version of combofix you have now on your desktop and download a new one from here


    **Note: It is important that it is saved directly to your desktop**

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.

    Note:Do not mouseclick combofix's window while it's running. That may cause it to stall

    Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer


"information and logs"

    In your next post I need the following

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#5 User is offline   andernamen 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 13
  • Joined: 13-January 12

Posted 05 February 2012 - 03:19 PM

Computer still appears to be working fine, just won't connect to internet. No problems running combofix.

Newest Version and log here:

ComboFix 12-02-05.02 - Compaq_Owner 02/05/2012 14:56:39.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.538 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-05 to 2012-02-05 )))))))))))))))))))))))))))))))
.
.
2012-02-04 02:59 . 2012-02-04 02:59 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\CheckPoint
2012-02-04 02:59 . 2012-02-04 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\CheckPoint
2012-02-04 02:34 . 2012-02-04 02:59 -------- d-----w- c:\program files\CheckPoint
2012-02-01 00:41 . 2012-02-01 00:41 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\WMTools Downloaded Files
2012-01-13 17:27 . 2012-01-13 17:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Safe mirror
2012-01-13 17:24 . 2012-02-04 22:07 -------- d-----w- c:\program files\Cobian Backup 10
2012-01-13 17:11 . 2012-01-13 17:11 -------- d-----w- C:\temp
2012-01-13 02:40 . 2012-01-13 02:40 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2012-01-13 02:40 . 2012-01-13 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-13 02:39 . 2012-01-13 02:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-13 02:39 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-19 12:50 . 2011-06-02 20:03 60416 -c--a-w- c:\windows\ALCFDRTM.VER
2011-11-25 21:57 . 2004-08-29 18:24 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-29 18:24 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-29 18:22 60416 ----a-w- c:\windows\system32\packager.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[-] 2008-04-14 04:49 . A4E2CE9BFC36045184AAA66EA8759350 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[-] 2008-04-14 04:49 . A4E2CE9BFC36045184AAA66EA8759350 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
.
((((((((((((((((((((((((((((( SnapShot@2012-01-13_13.59.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-04 02:59 . 2012-02-04 02:59 62464 c:\windows\Installer\5727d81.msi
+ 2012-02-04 02:59 . 2012-02-04 02:59 28672 c:\windows\Installer\5727d7b.msi
+ 2012-02-04 02:59 . 2012-02-04 02:59 41472 c:\windows\Installer\5727d75.msi
+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 10:23 . 2008-07-29 10:23 626688 c:\windows\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcr90.dll
+ 2008-07-29 10:23 . 2008-07-29 10:23 856576 c:\windows\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcp90.dll
+ 2008-07-29 08:51 . 2008-07-29 08:51 245760 c:\windows\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcm90.dll
+ 2004-08-29 18:24 . 2011-10-14 14:47 176128 c:\windows\system32\winmm.dll
- 2004-08-29 18:24 . 2008-04-14 09:42 176128 c:\windows\system32\winmm.dll
+ 2011-12-19 02:04 . 2011-12-19 02:04 525840 c:\windows\system32\vsdatant.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-12 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 50176]
"SoundMan"="SOUNDMAN.EXE" [2004-07-02 73728]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-02-01 206120]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-12-19 73360]
.
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 9:44 AM 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 9:44 AM 497280]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 4:54 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 4:54 AM 185640]
R3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [4/1/2010 1:38 AM 529440]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-05 15:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(472)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(528)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2012-02-05 15:04:08
ComboFix-quarantined-files.txt 2012-02-05 20:04
ComboFix2.txt 2012-01-13 15:05
ComboFix3.txt 2012-01-13 14:41
ComboFix4.txt 2012-01-13 14:02
.
Pre-Run: 57,434,931,200 bytes free
Post-Run: 57,443,356,672 bytes free
.
- - End Of File - - 9E13CF4EA79BBF32C15655321F8302EA

This post has been edited by andernamen: 05 February 2012 - 03:21 PM

#6 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 05 February 2012 - 03:36 PM

Hello

Lets check your internet connection

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure all the boxes are checked
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#7 User is offline   andernamen 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 13
  • Joined: 13-January 12

Posted 05 February 2012 - 04:05 PM

FSS Log here:

Farbar Service Scanner Version: 05-02-2012
Ran by Compaq_Owner (administrator) on 05-02-2012 at 16:02:37
Running from "C:\Documents and Settings\Compaq_Owner\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-29 13:21] - [2008-04-13 23:49] - 0075264 ____A () A4E2CE9BFC36045184AAA66EA8759350

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
Attention! IpSec Tag value should be 4Attention! IpSec Tag value is missing and it should be 4

**** End of log ****

#8 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 05 February 2012 - 04:13 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
ipsec.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#9 User is offline   andernamen 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 13
  • Joined: 13-January 12

Posted 05 February 2012 - 04:30 PM

System Look Results:

SystemLook 30.07.11 by jpshortstuff
Log created at 16:28 on 05/02/2012 by Compaq_Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "ipsec.sys"
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [18:32 01/06/2011] [12:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys -----c- 75264 bytes [18:40 01/06/2011] [04:49 14/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [18:21 29/08/2004] [04:49 14/04/2008] A4E2CE9BFC36045184AAA66EA8759350

-= EOF =-

#10 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 05 February 2012 - 04:45 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

FCopy::
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys | C:\WINDOWS\system32\drivers\ipsec.sys


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

    In your next post I need the following

    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#11 User is offline   andernamen 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 13
  • Joined: 13-January 12

Posted 05 February 2012 - 11:25 PM

I get the same message every time ComboFix is run. It says: "You are infected with RootKit.ZeroAccess. It has inserted itself into the tcp/ip stack...." After this message I got another that said: "Combofix has detected root kit activity and needs to re-boot the machine." It rebooted and ran combofix. Log as follows:

ComboFix 12-02-05.02 - Compaq_Owner 02/05/2012 23:08:00.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.545 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\ipsec.sys --> c:\windows\system32\drivers\ipsec.sys
.
((((((((((((((((((((((((( Files Created from 2012-01-06 to 2012-02-06 )))))))))))))))))))))))))))))))
.
.
2012-02-04 02:59 . 2012-02-04 02:59 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\CheckPoint
2012-02-04 02:59 . 2012-02-04 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\CheckPoint
2012-02-04 02:34 . 2012-02-04 02:59 -------- d-----w- c:\program files\CheckPoint
2012-02-01 00:41 . 2012-02-01 00:41 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\WMTools Downloaded Files
2012-01-13 17:27 . 2012-01-13 17:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Safe mirror
2012-01-13 17:24 . 2012-02-04 22:07 -------- d-----w- c:\program files\Cobian Backup 10
2012-01-13 17:11 . 2012-01-13 17:11 -------- d-----w- C:\temp
2012-01-13 02:40 . 2012-01-13 02:40 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2012-01-13 02:40 . 2012-01-13 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-13 02:39 . 2012-01-13 02:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-13 02:39 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-19 12:50 . 2011-06-02 20:03 60416 -c--a-w- c:\windows\ALCFDRTM.VER
2011-11-25 21:57 . 2004-08-29 18:24 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-29 18:24 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-29 18:22 60416 ----a-w- c:\windows\system32\packager.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-13_13.59.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-29 18:21 . 2008-04-14 04:49 75264 c:\windows\system32\dllcache\ipsec.sys
+ 2012-02-04 02:59 . 2012-02-04 02:59 62464 c:\windows\Installer\5727d81.msi
+ 2012-02-04 02:59 . 2012-02-04 02:59 28672 c:\windows\Installer\5727d7b.msi
+ 2012-02-04 02:59 . 2012-02-04 02:59 41472 c:\windows\Installer\5727d75.msi
+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 10:23 . 2008-07-29 10:23 626688 c:\windows\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcr90.dll
+ 2008-07-29 10:23 . 2008-07-29 10:23 856576 c:\windows\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcp90.dll
+ 2008-07-29 08:51 . 2008-07-29 08:51 245760 c:\windows\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcm90.dll
+ 2004-08-29 18:24 . 2011-10-14 14:47 176128 c:\windows\system32\winmm.dll
- 2004-08-29 18:24 . 2008-04-14 09:42 176128 c:\windows\system32\winmm.dll
+ 2011-12-19 02:04 . 2011-12-19 02:04 525840 c:\windows\system32\vsdatant.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-12 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 50176]
"SoundMan"="SOUNDMAN.EXE" [2004-07-02 73728]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-02-01 206120]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-12-19 73360]
.
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 9:44 AM 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 9:44 AM 497280]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 4:54 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 4:54 AM 185640]
R3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [4/1/2010 1:38 AM 529440]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-05 23:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(472)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(528)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2012-02-05 23:15:05
ComboFix-quarantined-files.txt 2012-02-06 04:15
ComboFix2.txt 2012-02-05 20:04
ComboFix3.txt 2012-01-13 15:05
ComboFix4.txt 2012-01-13 14:41
ComboFix5.txt 2012-02-06 04:00
.
Pre-Run: 57,431,150,592 bytes free
Post-Run: 57,433,669,632 bytes free
.
- - End Of File - - EF646D0FC09DEA2E7F7E0FFA96E01BDD

#12 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 05 February 2012 - 11:28 PM

Hello

rerun FSS for me now and do you have internet


gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#13 User is offline   andernamen 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 13
  • Joined: 13-January 12

Posted 06 February 2012 - 07:35 AM

Ran FSS again, log looks about the same. On the taskbar at the bottom right the wireless network connection indicator says the computer is connected to the wireless network, however, still no internet.

Farbar Service Scanner Version: 05-02-2012
Ran by Compaq_Owner (administrator) on 06-02-2012 at 07:27:19
Running from "C:\Documents and Settings\Compaq_Owner\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
Attention! IpSec Tag value should be 4Attention! IpSec Tag value is missing and it should be 4

**** End of log ****

#14 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 06 February 2012 - 03:20 PM

Hello

here is what I want you to try next

1. Locate the file - C:\Windows\inf\Nettcpip.inf
  • It's important that you first make a copy of the file. Place the copy on your Desktop.
  • Once you have done that, use Notepad open the original file for editing.


Posted Image

2. Locate the [MS_TCPIP.PrimaryInstall] section.

3. Edit the Characteristics = 0xa0 entry and replace 0xa0 with 0×80.

Posted Image

4. Save the file, and then exit Notepad.

Posted Image

5. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.

Posted Image Posted Image

6. On the General tab, click Install, select Protocol, and then click Add.

Posted Image

7. In the Select Network Protocols window, click Have Disk.

Posted Image

8. In the Copy manufacturer’s files from: text box, type c:\windows\inf, and then click OK.

Posted Image

9. Select Internet Protocol (TCP/IP), and then click OK.

Posted Image

Note This step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.

10. Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.

11. It is important that you restart the computer to complete the uninstall.

------------

Step #2 - Reinstall of TCP/IP

Posted Image

Take the nettcpip.inf which you have earlier copied to Desktop. Move it back to the directory C:\Windows\INF\ overwriting the existing copy. The file shall now look exactly like the sample above.

Redo sub-steps 4-11 to re-install TCP/IP
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#15 User is offline   andernamen 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 13
  • Joined: 13-January 12

Posted 07 February 2012 - 10:18 AM

I'm afraid I may have made a mistake. At step 6 "client" was highlighted and I clicked "add" there instead of with "protocol" highlighted. I went back and did the steps correctly after that, but I get an error message when I try to add the TCP/IP protocal that says: "could not add the requested component. The error is: An extended error occurred" Also, I noticed my "Local Area Connection Properties" is different from the one pictured between steps 5 and 6. Mine doesn't show any TCP/IP protocol, and th "Client for Microsoft Networks" and "File and Printer Sharing for Microsoft Networks" boxesa are un-checked. Not sure if this matters or not. I ran FSS again and now the log looks totally different as you can see:

Farbar Service Scanner Version: 05-02-2012
Ran by Compaq_Owner (administrator) on 07-02-2012 at 10:23:06
Running from "C:\Documents and Settings\Compaq_Owner\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open Dnscache registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open Dnscache registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open Dnscache registry key. The service key does not exist.
Checking LEGACY_Dnscache: Attention! Unable to open LEGACY_Dnscache\0000 registry key. The key does not exist.

Dhcp Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open Dhcp registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open Dhcp registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open Dhcp registry key. The service key does not exist.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking LEGACY_NetBt: Attention! Unable to open LEGACY_NetBt\0000 registry key. The key does not exist.

Tcpip Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of Tcpip. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of Tcpip. The value does not exist.
Checking LEGACY_Tcpip: Attention! Unable to open LEGACY_Tcpip\0000 registry key. The key does not exist.

IpSec Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open IpSec registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open IpSec registry key. The service key does not exist.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) PSched(7)
0x0C0000000900000004000000010000000200000003000000080000000500000006000000070000000A0000000B0000000C000000


**** End of log ****

This post has been edited by andernamen: 07 February 2012 - 10:31 AM

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users