
Still no LAN connection after ComboFix & XP reinstall


  • This topic is locked
87 replies to this topic

#1 scott_free

scott_free

  • Members
  • 45 posts
  • Gender:Male
  • Location:USA

Posted 22 November 2011 - 09:13 PM

OK so,
a kind person from Webroot support guided me through removal of the ZeroAccess rootkit (on an HP running XP) by using ComboFix.

The rootkit seems to be gone but I have lost LAN connectivity. Tried WinsockxpFix and several other possible solutions found while searching this forum. Nothing has worked so far.
Webroot support suggested system restore, and then when that didn't work, the full wipe and reinstall.
(in this case off of a partitioned recovery drive)

It was doing the thing where it just tries to acquire a new IP address indefinitely.
Now that it is back to factory settings it will only look for a new IP address for about a minute and then stop and declare that it can't be done.

I know the cable modem works because I'm using it right now on this borrowed laptop.

Any thoughts on what to try next?

(the Webroot guy is out of ideas and suggested I try to post here...)

Thank You,
-s.


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,958 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 22 November 2011 - 11:28 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button. Since you have run ComboFix, please include the ComboFix log in the reply.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, include the information that you were unable to produce the other logs, include the ComboFix log, and describe what happens when you try to create the other logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 scott_free

scott_free
  • Topic Starter

  • Members
  • 45 posts
  • Gender:Male
  • Location:USA

Posted 23 November 2011 - 06:10 PM

Tried running DDS.

The black box opens with the proper text,
then it types about 50 pound signs (#)
and then nothing.

After about 15 minutes the machine rebooted itself!

No dds.txt or attach.txt are to be found.


GMER was successful.

Attached Files

  • Attached File  ark.txt   744bytes   9 downloads


#4 scott_free

scott_free
  • Topic Starter

  • Members
  • 45 posts
  • Gender:Male
  • Location:USA

Posted 23 November 2011 - 07:11 PM

ComboFix log from 2nd running.
Was instructed to run it again to see if that would fix the connectivity issue.
Will post original log on request.

Attached Files



#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 November 2011 - 02:16 AM

Hello scott_free,

Welcome to Bleeping Computer.:)

The system is still infected. So we are going to disinfect the system and restore the connection. But before we do that I would like to request you not to do anything on your own or under the guidance of others as long as we are not done. You may stop getting assistance from others.

  • Turn off Windows automatic updates as it might lead to unexpected results at this stage, even leaving the system unbootable:
    • Go to start -> Control Panel -> double-click System to open it.
    • Go to the Automatic Updates tab.
    • Select the "Turn off Automatic Updates" box.
    • Click Apply and then OK.
    • Important: Reboot.
  • Download Attached File  removeAt.job.bat   420bytes   9 downloads
    Double-Click to run it and post the log it makes.
  • Please download Farbar Service Scanner and run it on the computer with the issue.
    • Check "Include All Files" option.
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List installed programs.
    • List Users, Partitions and Memory size.
    • List Minidump Files.
    Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.


#6 scott_free

scott_free
  • Topic Starter

  • Members
  • 45 posts
  • Gender:Male
  • Location:USA

Posted 24 November 2011 - 10:21 AM

Roger that, Farbar.
You're the boss!
:)

I will get to this late tonight
as here in the US,
the government has mandated that everyone spend the day with their extended families.

thank you,
-s.

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 November 2011 - 10:36 AM

Please take your time and a Happy Thanksgiving Scott.:)

#8 scott_free

scott_free
  • Topic Starter

  • Members
  • 45 posts
  • Gender:Male
  • Location:USA

Posted 24 November 2011 - 10:05 PM

removeAt log:

At10.job
At12.job
At14.job
At16.job
At18.job
At2.job
At20.job
At22.job
At24.job
At26.job
At28.job
At30.job
At32.job
At34.job
At36.job
At38.job
At4.job
At40.job
At42.job
At44.job
At46.job
At48.job
At6.job
At8.job
desktop.ini
Easy Internet Sign-up.job
SA.DAT
Symantec NetDetect.job
=========

The operation completed successfully
The Task Scheduler service is stopping.
The Task Scheduler service was stopped successfully.

=========
desktop.ini
Easy Internet Sign-up.job
SA.DAT
Symantec NetDetect.job
=========
End of Scan





FSS log:

Farbar Service Scanner
Ran by HP_Administrator (administrator) on 24-11-2011 at 23:52:08
Microsoft Windows XP Service Pack 2 (X86)
********************************************************

Service Check:
==============

File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2004-08-09 23:00] - [2004-08-09 23:00] - 0014336 ____N (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2004-08-09 23:00] - [2005-07-26 06:39] - 0397824 ____A (Microsoft Corporation) CE94A2BD25E3E9F4D46A7373FF455C6D

C:\WINDOWS\system32\services.exe
[2004-08-09 23:00] - [2004-08-09 23:00] - 0108032 ____N (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-09 23:00] - [2004-08-09 23:00] - 0162816 ____N (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-09 23:00] - [2005-03-14 02:55] - 0359808 ____N (Microsoft Corporation) 0E66B538096A6529D1AC66E78EB0D5C8

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-09 23:00] - [2004-08-09 23:00] - 0074752 ____N (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-09 23:00] - [2004-08-09 23:00] - 0045568 ____N (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D


Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Attempt to Google returned error: Google site is unreachable
Attempt to yahoo returend error: Yahoo site is unreachable

**** End of log ****



mtb result:

MiniToolBox by Farbar
Ran by HP_Administrator (administrator) on 24-11-2011 at 23:53:25
Microsoft Windows XP Service Pack 2 (X86)

***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

Intel® 82562V 10/100 Network Connection = Local Area Connection (Connected)
1394 Net Adapter = 1394 Connection (Connected)
Wireless LAN PCI 802.11 b/g adapter WN5301A = Wireless Network Connection (Media disconnected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp

# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : BATCITY

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Wireless Network Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Wireless LAN PCI 802.11 b/g adapter WN5301A

Physical Address. . . . . . . . . : 00-C0-A8-B9-05-BF



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel® 82562V 10/100 Network Connection

Physical Address. . . . . . . . . : 00-17-31-F6-EF-97

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Autoconfiguration IP Address. . . : 169.254.103.216

Subnet Mask . . . . . . . . . . . : 255.255.0.0

Default Gateway . . . . . . . . . :

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 c0 a8 b9 05 bf ...... Wireless LAN PCI 802.11 b/g adapter WN5301A
0x10004 ...00 17 31 f6 ef 97 ...... Intel® 82562V 10/100 Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 169.254.103.216 169.254.103.216 20
169.254.103.216 255.255.255.255 127.0.0.1 127.0.0.1 20
169.254.255.255 255.255.255.255 169.254.103.216 169.254.103.216 20
224.0.0.0 240.0.0.0 169.254.103.216 169.254.103.216 20
255.255.255.255 255.255.255.255 169.254.103.216 10003 1
255.255.255.255 255.255.255.255 169.254.103.216 169.254.103.216 1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Windows\System32\nwprovau.dll [144384] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================

System errors:
=============
Error: (11/24/2011 11:53:00 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (11/24/2011 11:53:00 PM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (11/23/2011 07:43:09 PM) (Source: Windows Update Agent) (User: )
Description: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Error: (11/23/2011 07:30:00 PM) (Source: Schedule) (User: )
Description: The At40.job command failed to start due to the following error:
%%2147942405

Error: (11/23/2011 06:30:00 PM) (Source: Schedule) (User: )
Description: The At38.job command failed to start due to the following error:
%%2147942405

Error: (11/23/2011 05:30:00 PM) (Source: Schedule) (User: )
Description: The At36.job command failed to start due to the following error:
%%2147942405

Error: (11/23/2011 04:21:31 PM) (Source: 0) (User: )
Description: \Device\Ide\iaStor0

Error: (11/23/2011 04:19:31 PM) (Source: 0) (User: )
Description: \Device\Ide\iaStor0

Error: (11/23/2011 03:49:47 PM) (Source: Service Control Manager) (User: )
Description: The Intel® Quick Resume technology service hung on starting.

Error: (11/22/2011 10:12:46 PM) (Source: DCOM) (User: HP_Administrator)
Description: The server {F3A614DC-ABE0-11D2-A441-00C04F795683} did not register with DCOM within the required timeout.


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Adobe Reader 7.0.5 (Version: 7.0.5)
AutoUpdate (Version: 1.0)
BufferChm (Version: 70.0.170.000)
CC_ccProxyExt (Version: 104.0.1.17)
ccCommon (Version: 104.0.1.17)
ccPxyCore (Version: 104.0.1.17)
CP_AtenaShokunin1Config (Version: 70.0.170.000)
CP_CalendarTemplates1 (Version: 70.0.170.000)
cp_LightScribeConfig (Version: 70.0.170.000)
cp_OnlineProjectsConfig (Version: 70.0.170.000)
CP_Package_Basic1 (Version: 70.0.170.000)
CP_Package_Variety1 (Version: 70.0.170.000)
CP_Package_Variety2 (Version: 70.0.170.000)
CP_Package_Variety3 (Version: 70.0.170.000)
CP_Panorama1Config (Version: 70.0.170.000)
cp_PosterPrintConfig (Version: 70.0.170.000)
cp_UpdateProjectsConfig (Version: 70.0.170.000)
CueTour (Version: 70.0.170.000)
Customer Experience Enhancement (Version: Customer Experience Enhancement -1.0.0.1680)
Data Fax SoftModem with SmartCP
Destinations (Version: 70.0.170.000)
DeviceManagementQFolder (Version: 1.00.0000)
DISCover (Version: 3.33)
DivX (Version: 5.2.1)
Easy Internet Sign-up (Version: FE UI-4.1.0.1680)
Enhanced Multimedia Keyboard Solution
FullDPAppQFolder (Version: 1.00.0000)
GemMaster Mystic
High Definition Audio Driver Package - KB888111 (Version: 20040219.000000)
HP Boot Optimizer (Version: 3.0.0)
HP DigitalMedia Archive (Version: 2.0)
HP DVD Play 2.1
HP Imaging Device Functions 7.0 (Version: 7.0)
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.5 (Version: 6.5)
HP Software Update (Version: 3.0.7.014)
HP Web Helper
HPPhotoSmartExpress (Version: 70.0.170.000)
HpSdpAppCoreApp (Version: 3.00.0000)
InstantShareDevices (Version: 70.0.170.000)
Intel® Matrix Storage Manager
Intel® PRO Network Connections Drivers
Intel® Quick Resume Technology Drivers
Intel® Viiv™ Software (Version: 1.0.3.2019)
J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
LightScribe 1.4.105.1 (Version: 1.4.105.1)
LiveUpdate 2.7 (Symantec Corporation) (Version: 2.7.39.0)
Macromedia Flash Player 8 (Version: 8)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft Money 2006 (Version: 15)
Microsoft Office Standard Edition 2003 60 days trial
Microsoft Works (Version: 08.04.0623)
MSRedist (Version: 1.0.0.0)
muvee autoProducer 5.0 (Version: 5.00.050)
muvee autoProducer unPlugged 2.0 (Version: 2.0.0)
My HP Games (Version: HPCMPQ1404)
Netscape Browser (remove only)
Norton AntiSpam (Version: 2006.2.0.153)
Norton AntiVirus 2006 (Version: 12.0.5.3)
Norton Internet Security (Version: 1.0.0)
Norton Internet Security (Version: 9.0.5.5)
Norton Internet Security 2006 (Symantec Corporation) (Version: 9.0.5.5)
Norton Protection Center (Version: 1.1.2)
Norton WMI Update (Version: 2005.1.2.20)
NVIDIA Drivers
OptionalContentQFolder (Version: 1.00.0000)
Otto
PC-Doctor 5 for Windows (Version: 5.00.4060.15)
PhotoGallery (Version: 70.0.170.000)
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3 (Version: 2.2.3)
Quicken 2006 (Version: 15.1.4.5)
RandMap (Version: 70.0.170.000)
RealPlayer
Realtek High Definition Audio Driver
Remove WeatherBug Installer
Rhapsody
SkinsHP1 (Version: 70.0.170.000)
SlideShow (Version: 70.0.170.000)
SlideShowMusic (Version: 70.0.170.000)
Sonic Express Labeler (Version: 2.1.0)
Sonic MyDVD Plus (Version: 6.2.0)
Sonic RecordNow Audio (Version: 2.0.6)
Sonic RecordNow Copy (Version: 2.0.6)
Sonic RecordNow Data (Version: 2.0.6)
Sonic Update Manager (Version: 3.0.0)
Sonic_PrimoSDK (Version: 70.0.170.000)
SPBBC (Version: 2.0.0.73)
SymNet (Version: 6.0.0.99)
Unload (Version: 7.0.0)
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
WebFldrs XP (Version: 9.50.7523)
WildTangent Web Driver
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339 (Version: 20041117.092459)
Windows XP Hotfix - KB883667 (Version: 20040812.104354)
Windows XP Hotfix - KB885250 (Version: 20050118.202711)
Windows XP Hotfix - KB885835 (Version: 20041027.181713)
Windows XP Hotfix - KB885836 (Version: 20041028.173203)
Windows XP Hotfix - KB887472 (Version: 20041014.162858)
Windows XP Hotfix - KB887742 (Version: 20041103.095002)
Windows XP Hotfix - KB888113 (Version: 20041116.131036)
Windows XP Hotfix - KB890175 (Version: 20041201.233338)
Windows XP Hotfix - KB891781 (Version: 20050110.165439)
Windows XP Hotfix - KB892050 (Version: 3)
Windows XP Hotfix - KB893066 (Version: 1)
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB912067
Yahoo! Toolbar for Internet Explorer

========================= Memory info: ===================================

Percentage of memory in use: 19%
Total physical RAM: 2046.38 MB
Available physical RAM: 1657.18 MB
Total Pagefile: 3938.21 MB
Available Pagefile: 3651.57 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.22 MB

========================= Partitions: =====================================

1 Drive c: (HP_PAVILION) (Fixed) (Total:457.08 GB) (Free:360.6 GB) NTFS
2 Drive d: (HP_RECOVERY) (Fixed) (Total:8.66 GB) (Free:0.72 GB) FAT32

========================= Users: ========================================

User accounts for \\BATCITY

Administrator Guest HelpAssistant
HP_Administrator SUPPORT_388945a0 SUPPORT_fddfa904

========================= Minidump Files ==================================

C:\WINDOWS\Minidump\Mini070411-01.dmp
C:\WINDOWS\Minidump\Mini070811-01.dmp
C:\WINDOWS\Minidump\Mini071911-01.dmp
C:\WINDOWS\Minidump\Mini080811-01.dmp
C:\WINDOWS\Minidump\Mini092311-01.dmp
C:\WINDOWS\Minidump\Mini101911-01.dmp
C:\WINDOWS\Minidump\Mini110311-01.dmp
C:\WINDOWS\Minidump\Mini110711-01.dmp

**** End of log ****
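
The logs above already carry the three things a malware-removal helper reads first: a DHCP-enabled LAN adapter that ended up on an APIPA 169.254.x.x address with no default gateway (the DHCP exchange is failing, which matches the "acquiring network address" symptom), a Winsock catalog made up entirely of stock Microsoft providers (an LSP hijack would show up here; this log is clean), and the run of AtN.job files that removeAt.job.bat cleared from the Tasks folder. The Python below is an added example for this thread, not one of Farbar's tools; it parses lines copied from the MiniToolBox and removeAt logs posted above, plus one constructed Catalog9 line for contrast. The KNOWN_PROVIDERS set is an assumption about a stock XP install, and unknownlsp.dll is a made-up name.

```python
"""Triage the network-related sections of the MiniToolBox log posted above.
Added example for this thread; it is not one of Farbar's tools."""
import re

# Copied from the MiniToolBox output posted earlier in this thread.
IPCONFIG_EXCERPT = """\
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82562V 10/100 Network Connection
Physical Address. . . . . . . . . : 00-17-31-F6-EF-97
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Autoconfiguration IP Address. . . : 169.254.103.216
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
"""

# Four of the Winsock catalog lines from the same log.
WINSOCK_EXCERPT = r"""
Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
"""

# Constructed line, NOT from the thread: what a third-party LSP entry would look like.
WINSOCK_CONSTRUCTED_LSP = r"Catalog9 19 C:\Windows\system32\unknownlsp.dll [40960] (Example Vendor)" + "\n"

# Subset of the Tasks directory listing from the removeAt.job.bat log above.
TASKS_LISTING = ["At10.job", "At12.job", "At2.job", "desktop.ini",
                 "Easy Internet Sign-up.job", "SA.DAT", "Symantec NetDetect.job"]

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)[ .]*:\s?(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from 'ipconfig /all' style output."""
    adapters, current = {}, None
    for line in (l.rstrip() for l in text.splitlines()):
        if not line:
            continue
        # Adapter headers end with ':' and carry no dot leaders.
        if line.endswith(":") and " . " not in line:
            current = re.sub(r"^\w+ adapter ", "", line[:-1]).strip()
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1).strip()] = m.group(2).strip()
    return adapters


def dhcp_findings(adapters):
    """Flag adapters that asked DHCP for a lease but ended up on APIPA with no gateway."""
    findings = []
    for name, f in adapters.items():
        if f.get("Media State", "").startswith("Media disconnected"):
            continue
        ip = f.get("IP Address") or f.get("Autoconfiguration IP Address", "")
        if f.get("Dhcp Enabled") == "Yes" and ip.startswith("169.254."):
            findings.append(f"{name}: DHCP enabled but fell back to APIPA address {ip}")
        if not f.get("Default Gateway"):
            findings.append(f"{name}: no default gateway")
    return findings


WINSOCK_RE = re.compile(r"^(Catalog[59]) (\d+) (\S.*?) \[(\d+)\] \((.*)\)$")
# Providers expected in a stock Windows XP Winsock catalog (assumption for this example).
KNOWN_PROVIDERS = {"mswsock.dll", "winrnr.dll", "nwprovau.dll", "rsvpsp.dll"}


def parse_winsock(text):
    """Parse MiniToolBox 'Winsock entries' lines into dicts."""
    entries = []
    for line in text.splitlines():
        m = WINSOCK_RE.match(line.strip())
        if m:
            cat, idx, path, size, vendor = m.groups()
            entries.append({"catalog": cat, "index": int(idx), "path": path,
                            "size": int(size), "vendor": vendor})
    return entries


def suspicious_winsock(entries):
    """Entries whose module is not a known Microsoft provider; a hijacked LSP chain shows up here."""
    out = []
    for e in entries:
        module = e["path"].rsplit("\\", 1)[-1].lower()
        if e["vendor"] != "Microsoft Corporation" or module not in KNOWN_PROVIDERS:
            out.append(e)
    return out


AT_JOB_RE = re.compile(r"^At\d+\.job$", re.IGNORECASE)


def at_jobs(names):
    """AtN.job files in the Tasks folder, sorted by N. at.exe creates identical names,
    so judge by count and regularity: 24 of them firing every two hours is the signal."""
    return sorted((n for n in names if AT_JOB_RE.match(n)), key=lambda n: int(n[2:-4]))


if __name__ == "__main__":
    for line in dhcp_findings(parse_ipconfig(IPCONFIG_EXCERPT)):
        print("ipconfig:", line)
    for e in suspicious_winsock(parse_winsock(WINSOCK_EXCERPT + WINSOCK_CONSTRUCTED_LSP)):
        print("winsock:", e["catalog"], e["index"], e["path"], e["vendor"])
    print("at jobs:", at_jobs(TASKS_LISTING))
```

On the real log the Winsock check returns nothing, which is why Farbar's next step moves to drivers and scheduled jobs rather than another Winsock reset: the APIPA address says the DHCP exchange itself is not completing, not that the socket stack is wrapped.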

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 November 2011 - 06:44 AM

Have you run TDSSKiller? If yes please go to C:\ drive, there you see its logs with the date/time. Please attach the latest one to your reply.

  • Please download Junction.zip and save it.
    Unzip it and put junction.exe in the Windows directory (C:\Windows) of the infected computer. No need to run it, it will work when we do the second step.
  • Download Attached File  scan.bat   81bytes   7 downloads
    Double-click to run it.
    The command windows opens.
    Wait as it takes a while until a log file opens. Please post the content to your reply. You may remove the empty lines and the lines with just ... in it.
  • First delete your copy of ComboFix and download the latest one from:

    Link 1
    Link 2
    Link 3

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    Driver::
    02583087
    
    File::
    c:\windows\system32\drivers\62251399.sys
    c:\windows\system32\drivers\vGitvMoX.sys
    c:\windows\system32\drivers\pHfkxbSu.sys
    c:\windows\system32\drivers\OzdZYNpa.sys
    c:\windows\system32\drivers\PoEvjOVj.sys
    c:\windows\system32\5U72vJ.exe_
    c:\windows\system32\drivers\uZuvpiXj.sys
    c:\windows\system32\drivers\KYMDeBMr.sys
    c:\windows\system32\drivers\hKHFcTKh.sys
    c:\windows\system32\drivers\McFsdNVD.sys
    c:\windows\system32\drivers\SwAjQTpk.sys
    c:\windows\system32\drivers\LBNGjpUb.sys
    c:\windows\system32\drivers\IMecxDbm.sys
    c:\windows\system32\drivers\mzIbUMlZ.sys
    c:\windows\system32\drivers\peYxBbdx.sys
    c:\windows\system32\drivers\qLfcgdEi.sys
    c:\windows\system32\drivers\wxSbqVHe.sys
    c:\windows\system32\drivers\iyYgcVLi.sys
    

    Save this as CFScript.txt, in the same location as ComboFix.exe

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


#10 scott_free

scott_free
  • Topic Starter

  • Members
  • 45 posts
  • Gender:Male
  • Location:USA

Posted 25 November 2011 - 08:32 PM

no laptop access until sunday, but I'll definitely be on it then!

thank you...

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 26 November 2011 - 04:30 AM

:thumbup2:

#12 scott_free

scott_free
  • Topic Starter

  • Members
  • 45 posts
  • Gender:Male
  • Location:USA

Posted 27 November 2011 - 04:21 PM

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\AppData.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Cache.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Cookies.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Desktop.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Favorites.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\History.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\LocalAppData.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\LocalSettings.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Music.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\NetHood.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Personal.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Pictures.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\PrintHood.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Profiles.Folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Profiles.Folder.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Programs.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Recent.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\SendTo.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\StartMenu.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\StartUp.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\SysPath.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\Templates.folder.dat: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv\VikPev00: Access is denied.

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

End of Scan



latest combofix log to follow

Attached Files



#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 November 2011 - 04:40 PM

:thumbup2:

I'll wait.:)

#14 scott_free

scott_free
  • Topic Starter

  • Members
  • 45 posts
  • Gender:Male
  • Location:USA

Posted 27 November 2011 - 04:49 PM

after reboot (the one that combofix initiates itself),

a few application errors occurred:


NIRKMD.3XE - Application Error

The instruction at "0x7c868000" referenced memory at "0xc000012f" The memory could not be "written".


Click on OK to terminate the program

and then:

DMAScheduler.exe - Application Error

this time at "0x745ff86e" and "0x00000000"


a 3rd:

svchost.exe

"0x5004c2ad" and "0x00000000"


a 4th:

Explorer.exe
The exception Privileged instruction.
(0xc0000096) occurred in the application at location 0x7722a001



The blue ComboFix - Find3M "Preparing Log Report" window is still open
but I am thinking it is probably hung up...

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 November 2011 - 05:03 PM

Can you open Task Manager (Ctrl+Alt+Del)?



