
Windows XP won't connect to the internet after running ComboFix


  • This topic is locked
3 replies to this topic

#1 jonezy06

jonezy06

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:45 PM

Posted 29 June 2010 - 12:24 PM

Hello,

I recently ran ComboFix on an XP Pro machine. After it found and deleted some files, I am no longer able to get on the internet.

I have a network of three POS machines at my pizza shop. One of the machines (used as a server) had many viruses and rootkits. I used Malwarebytes, NOD32, and finally ComboFix to delete and repair the files. When all was said and done I was confident all malicious files were gone. Unfortunately the server can no longer access the Internet, making it unable to communicate with the other two POS systems. Now I have no working POS systems.

I have tried to repair the connection and am asking for help to get the server back online. I assume once this is accomplished the other POS systems will be fine. I have the log file from ComboFix and I will get that info posted next. Thank you.

Russ

10-06-28.01 - Administrator 06/29/2010 11:51:09.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1584 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\839eccef.exe
c:\documents and settings\Administrator\biecei.exe
c:\documents and settings\Administrator\c.exe
c:\documents and settings\Administrator\ciecei.exe
c:\documents and settings\Administrator\loezi.exe
c:\documents and settings\Administrator\rauoza.exe
c:\windows\Ewikaa.exe
c:\windows\Ewikab.exe
c:\windows\Ewikac.exe
c:\windows\install.exe
c:\windows\system32\6to4ex.dll
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\Data
c:\windows\system32\ernel32.dll
c:\windows\system32\fixmapip.dll
c:\windows\system32\spool\prtprocs\w32x86\1c9s17.dll
c:\windows\system32\spool\prtprocs\w32x86\55555.dll
c:\windows\system32\spool\prtprocs\w32x86\5i5qG.dll
c:\windows\system32\spool\prtprocs\w32x86\7931gMY.dll
c:\windows\system32\spool\prtprocs\w32x86\7kUO79m.dll
c:\windows\system32\spool\prtprocs\w32x86\7kUOC93.dll
c:\windows\system32\spool\prtprocs\w32x86\93wSKUO79.dll
c:\windows\system32\spool\prtprocs\w32x86\c1sK3y7c.dll
c:\windows\system32\spool\prtprocs\w32x86\gMYW5.dll
c:\windows\system32\spool\prtprocs\w32x86\m9gM793.dll
c:\windows\system32\spool\prtprocs\w32x86\mYW79y179.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Infected copy of c:\windows\system32\drivers\nvraid.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_6TO4
-------\Service_6to4
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))
2010-06-29 15:44 . 2005-05-17 17:45 76288 ----a-w- c:\windows\system32\drivers\nvraid.sys
2010-06-29 14:49 . 2010-06-29 14:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec
2010-06-29 14:35 . 2010-05-26 14:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-06-29 13:32 . 2010-06-29 13:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ESET
2010-06-29 13:17 . 2010-06-29 13:17 -------- d-----w- c:\program files\Sophos
2010-06-29 13:15 . 2010-06-29 13:15 -------- d-----w- c:\program files\ESET
2010-06-29 13:15 . 2010-06-29 13:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-06-29 12:56 . 2010-06-29 12:57 -------- d-----w- c:\documents and settings\Administrator\host
2010-06-28 20:49 . 2010-06-28 20:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-06-28 20:48 . 2010-06-29 12:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-06-28 20:48 . 2010-06-28 20:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Deployment
2010-06-28 18:56 . 2010-06-28 18:56 -------- d-----w- C:\spoolerlogs
2010-06-28 18:46 . 2010-06-28 18:46 123 ----a-w- c:\documents and settings\Administrator\a.bat
2010-06-22 15:49 . 2004-08-04 03:01 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-06-22 15:49 . 2004-08-04 03:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-06-29 15:29 . 2007-06-01 16:52 -------- d-----w- c:\program files\Symantec
2010-06-28 20:30 . 2007-10-11 18:43 -------- d-----w- c:\program files\Samsung Network Printer Utilities
2010-06-28 20:30 . 2007-06-01 15:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-28 20:29 . 2007-06-01 15:36 -------- d-----w- c:\program files\Creative
2004-12-21 22:34 . 2004-12-21 22:34 25214 ----a-w- c:\program files\dplogo32.ico

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"P17Helper"="P17.dll" [2005-05-03 64512]
"NVRaidService"="c:\windows\System32\nvraidservice.exe" [2005-08-18 113152]
"MsmqIntCert"="mqrt.dll" [2004-08-04 177152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2002-12-03 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"DefaultP17MIDI"="MIDIDEF.EXE" [2002-12-03 49152]
"DefaultP17"="P17Def.Exe" [2005-05-03 20480]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SWAS_Core"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [5/20/2008 8:32 AM 15328]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/29/2009 1:02 PM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/29/2009 1:05 PM 96408]
R1 oxmep;OXPCI support driver;c:\windows\system32\drivers\oxmep.sys [8/6/2007 6:31 PM 5248]
R1 oxmf;OXPCI Bus enumerator;c:\windows\system32\drivers\oxmf.sys [8/6/2007 6:31 PM 18944]
R1 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\oxser.sys [8/6/2007 6:31 PM 59392]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [6/29/2010 10:35 AM 18816]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]
R2 Esdpdx01;Esdpdx01;c:\windows\system32\drivers\ESDPDX01.SYS [3/20/2007 1:41 PM 95449]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [8/6/2008 11:34 AM 216032]
R2 RevBackup;RevBackup;c:\revention\RevBackup.exe [3/20/2007 1:41 PM 32768]
R2 RevCallerId;RevCallerId;c:\revention\ReventionCallerId.exe [3/20/2007 1:41 PM 32768]
R2 RevPrtSrv;Revention Print Server;c:\revention\RevPrtService.exe [3/20/2007 1:41 PM 36864]
R3 dpK00701;U.are.U Fingerprint Reader Upper Driver;c:\windows\system32\drivers\dpK00701.sys [10/12/2004 3:51 PM 41856]
R3 Oxmfuf;Filter driver for OX16PCI95x ports;c:\windows\system32\drivers\oxmfuf.sys [8/6/2007 6:31 PM 6016]
R3 UsbdpFP;U.are.U Fingerprint Reader Class Driver;c:\windows\system32\drivers\UsbdpFP.sys [10/12/2004 3:53 PM 45056]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/5/2007 9:38 PM 639224]
S3 elomoufiltr;ELO TouchSystems-SRV2;c:\windows\system32\drivers\EloFiltr.sys [6/1/2007 1:10 PM 53248]
S3 EloUsb;ELO TouchSystems-SRV;c:\windows\system32\drivers\EloUsb.Sys [6/1/2007 1:10 PM 92032]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6E2.tmp --> c:\windows\system32\6E2.tmp [?]
S3 SNXPCARD;Sunix PCI Multi I/O Card Driver;c:\windows\system32\drivers\snxpcard.sys [2/15/2005 2:17 PM 23040]

Contents of the 'Scheduled Tasks' folder
2010-06-28 c:\windows\Tasks\At2.job
- c:\revention\utilities\copydb.bat [2007-03-20 10:39]
------- Supplementary Scan -------
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ciecei - c:\documents and settings\Administrator\ciecei.exe
HKLM-Run-DAEMON Tools - c:\program files\DAEMON Tools\daemon.exe
AddRemove-RegCure - c:\windows\RegCure\uninstall.exe
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-29 12:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x889E0EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecfc3
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba60f7b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xba48dba0
PacketIndicateHandler -> NDIS.sys @ 0xba49ab21
SendHandler -> NDIS.sys @ 0xba47887b
user & kernel MBR OK
**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6E2.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1052)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3056)
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\netdde.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\Rundll32.exe
c:\windows\System32\msdtc.exe
c:\program files\DigitalPersona\Bin\DpHost.exe
c:\windows\system32\EloSrvce.exe
c:\windows\system32\msiexec.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-06-29 12:09:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-29 16:09

Pre-Run: 182,477,672,448 bytes free
Post-Run: 182,960,623,616 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

Current=2 Default=2 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 7E8600F7A3C0B06B302B4298C06FDEFE

EDIT: Added log to orig post, moved from XP to Malware Removal Logs ~ Hamluis.

Edited by hamluis, 29 June 2010 - 12:57 PM.
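Added example (not part of the original post, and not code from ComboFix or BleepingComputer): a small Python triage script that parses the "(((( Section ))))" banners of a ComboFix log like the one above and applies a few defender-side heuristics to what it finds. It flags executables dropped directly in a user profile, DLLs in the spooler's print-processor directory (which spoolsv.exe loads as SYSTEM), file names one character away from a well-known system DLL (the "ernel32.dll" case), drivers ComboFix reports as disinfected, and a globally open 3389/TCP (Remote Desktop) firewall entry on a machine that is supposed to be a POS back-office server. The embedded SAMPLE_LOG is a constructed excerpt of the log above; the rule names, the Finding class and the small KNOWN_SYSTEM_DLLS allow-list are my own assumptions, not anything ComboFix defines.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt modelled on the ComboFix log in the post above; it keeps a
# handful of representative lines only and is not the full log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\839eccef.exe
c:\documents and settings\Administrator\biecei.exe
c:\windows\system32\ernel32.dll
c:\windows\system32\spool\prtprocs\w32x86\1c9s17.dll
c:\windows\system32\spool\prtprocs\w32x86\7kUO79m.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Infected copy of c:\windows\system32\drivers\nvraid.sys was found and disinfected
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# Section banners look like "(((( Name ))))"; lines up to the next banner belong to it.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")
# Executables sitting directly in a user profile or its Application Data folder.
PROFILE_EXE_RE = re.compile(
    r"^c:\\documents and settings\\[^\\]+\\(application data\\)?[^\\]+\.exe$", re.I)
# DLLs in the print-processor directory, which spoolsv.exe loads as SYSTEM.
PRTPROCS_RE = re.compile(
    r"^c:\\windows\\system32\\spool\\prtprocs\\w32x86\\[^\\]+\.dll$", re.I)
DISINFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')
# Assumed allow-list (mine, not ComboFix's) of well-known system DLL names,
# used to spot look-alike names such as "ernel32.dll".
KNOWN_SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "shell32.dll"}


@dataclass
class Finding:
    rule: str   # short rule name (assumed naming scheme)
    item: str   # the log line or path that triggered it


def split_sections(log: str) -> dict[str, list[str]]:
    """Group the log's non-empty lines under the banner they follow."""
    sections: dict[str, list[str]] = {}
    current = "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line and line != ".":          # ComboFix uses lone "." as a spacer
            sections.setdefault(current, []).append(line)
    return sections


def edit_distance_le_one(a: str, b: str) -> bool:
    """True when a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):      # deletion from a
            i += 1
        elif len(b) > len(a):    # insertion into a
            j += 1
        else:                    # substitution
            i += 1
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def triage(log: str) -> list[Finding]:
    """Apply the heuristics above to a ComboFix log and return the findings in log order."""
    sections = split_sections(log)
    findings: list[Finding] = []
    for line in sections.get("Other Deletions", []):
        m = DISINFECTED_RE.match(line)
        if m:
            findings.append(Finding("infected-driver-disinfected", m.group(1)))
        elif PROFILE_EXE_RE.match(line):
            findings.append(Finding("exe-in-profile-root", line))
        elif PRTPROCS_RE.match(line):
            findings.append(Finding("dll-in-print-processor-dir", line))
        else:
            parent, _, base = line.lower().rpartition("\\")
            if parent == r"c:\windows\system32" and base.endswith(".dll"):
                for known in KNOWN_SYSTEM_DLLS:
                    if base != known and edit_distance_le_one(base, known):
                        findings.append(Finding(f"lookalike-of-{known}", line))
    for line in sections.get("Reg Loading Points", []):
        m = OPEN_PORT_RE.match(line)
        if m and m.group(1) == "3389":
            findings.append(Finding("rdp-open-in-firewall", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:30} {f.item}")
```

On a real log you would call triage() on the file contents instead of SAMPLE_LOG. The rules are deliberately narrow: they surface the indicators visible in this particular log (profile-root droppers, spooler DLLs, a typo-squatted system DLL, a disinfected boot driver and an exposed RDP port) so a helper can see at a glance what needs follow-up, not replace the analyst reading the full log.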



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:45 PM

Posted 29 June 2010 - 05:08 PM

Hi jonezy06,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

We clean the computer first and then concentrate more on the internet connection. In case you get the connection back in the course of this, please inform me.
  1. Tell me if the computer is connected to the internet via a router.

  2. Daemon Tools and Alcohol 120 might interfere with our fixes and lead to false positives. Please uninstall any of them you have and reinstall it after we are done.

  3. I would like to have a close look at the following file. To submit the file:
  4. We are going to run this special tool.
    • Please download TDSSKiller.exe and save it to your desktop.
    • Run TDSSKiller.exe.
    • When it has finished, press any key to continue.
    • Let it reboot if needed and tell me if it needed a reboot.
    • It also makes a txt file in the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.

  5. Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    CODE
    AtJob::


    Save this as CFScript.txt, in the same location as ComboFix.exe




    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log into your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  6. Make sure the following setting is set as it is supposed to be set:
    • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection (usually Local Area Connection) and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP).
      Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
    • Click OK twice to save the settings.
    • Reboot if you had to change any setting.


#3 jonezy06

jonezy06
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:45 PM

Posted 29 June 2010 - 10:45 PM

farbar,

Hello! Thank you for the quick reply. I just now got a chance to check the forum. I will have to sign up for automatic email (;

I wish I would have had time to give it a try. You might have saved me some dough! I felt that I had to have those computers working ASAP. I called an old buddy from high school. He fixed the internet problem. It was a DNS problem. That, however, did not fix the communications between POS stations. That had something to do with a service for SQL Server not starting. I ran ComboFix again right after I wrote in the forum (before I received your message). It found another rootkit. It took three restarts, but got rid of it. I'm not sure what my friend did to fix the SQL problem, but three hours and 190 dollars later he fixed it!

Thank you for your attempt to help me. This is my first experience with this site. I am a fan!

Jonezy06

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:45 PM

Posted 30 June 2010 - 04:19 AM

Hi jonezy06,

I'm glad the issue is resolved anyway. And thank you for letting me know.

This thread will now be closed since the issue seems to be resolved.

If you should have a new issue, please start a new topic.




