Aluratek Root Kit recovery help, ipec.sys


5 replies to this topic

#1 Ryutso

Posted 17 December 2011 - 10:49 AM

So my step-father has WinXP Home installed on his computer and I installed avast! on it. Through some stupidity, the Aluratek rootkit got through and infected his ip.sys file (I think it might be "ipec.sys", but I can't be sure). He moved it to the chest and then he couldn't connect to the internet. I tried cleaning it and restoring it but it didn't work.

Also, because he's on a wireless connection, a notice pops up that says Windows can generate a "certificate" for the connection.

Edited by Ryutso, 17 December 2011 - 10:52 AM.


#2 Broni


Posted 17 December 2011 - 11:51 AM

Welcome aboard

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#3 Ryutso


Posted 19 December 2011 - 05:04 PM

Welcome aboard

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



Contents of FSS.txt:

Farbar Service Scanner 
Ran by Owner (administrator) on 19-12-2011 at 17:03:50
Microsoft Windows XP Service Pack 2 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open IpSec registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open IpSec registry key. The service key does not exist.


File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2004-08-12 09:06] - [2004-08-12 09:06] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2004-08-12 09:04] - [2005-07-25 23:39] - 0397824 ____A (Microsoft Corporation) CE94A2BD25E3E9F4D46A7373FF455C6D

C:\WINDOWS\system32\services.exe
[2004-08-12 09:05] - [2004-08-12 09:05] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-12 09:01] - [2004-08-12 09:01] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-12 09:07] - [2005-05-25 14:04] - 0359808 ____A (Microsoft Corporation) 88763A98A4C26C409741B4AA162720C9

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-12 08:58] - [2004-08-12 08:58] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-12 08:56] - [2004-08-12 08:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D


Connection Status:
==================
Localhost is blocked.
LAN connected.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors

**** End of log ****

Edited by Ryutso, 19 December 2011 - 05:25 PM.
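The FSS log above is readable by eye, but when you triage more than one machine it helps to parse it. The following Python is an added example written for this thread; it is not part of Farbar Service Scanner or of any post here. It parses the three sections of the log posted above (the embedded sample is an excerpt of that log) and turns them into findings, reporting a service whose registry key FSS could not open ahead of services that merely are not running. The function names, the `ServiceStatus` fields and the wording of the findings are this example's own choices.

```python
"""Parse a Farbar Service Scanner (FSS.txt) log and flag what needs attention.

Added example for this thread; not part of FSS or of any post. Section names and
line formats follow the FSS log posted above; the findings wording is our own.
"""
import re
from dataclasses import dataclass, field

# Excerpt of the FSS.txt log posted in this thread (post #3), used as sample input.
SAMPLE_FSS = r"""
Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open IpSec registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open IpSec registry key. The service key does not exist.

File Check:
===========
C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-12 09:07] - [2005-05-25 14:04] - 0359808 ____A (Microsoft Corporation) 88763A98A4C26C409741B4AA162720C9

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-12 08:58] - [2004-08-12 08:58] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

Connection Status:
==================
Localhost is blocked.
LAN connected.
Attempt to access Google IP returned error: Other errors
"""

SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"  # where FSS looks for service keys
SECTIONS = ("Service Check:", "File Check:", "Connection Status:")
SERVICE_RE = re.compile(r"^(\w+) Service is (running|not running)\.")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
MD5_RE = re.compile(r"\((.+?)\) ([0-9A-Fa-f]{32})$")


@dataclass
class ServiceStatus:
    name: str
    running: bool
    key_missing: bool = False            # True when FSS could not open the service's registry key
    notes: list = field(default_factory=list)  # the raw "Attention!" lines for this service


def parse_fss(text):
    """Return {"services": {...}, "files": {...}, "connection": [...]} from an FSS log."""
    services, files, connection = {}, {}, []
    section = current = pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section, current, pending_path = line[:-1], None, None
            continue
        if not line or set(line) <= {"=", "*"}:   # blank lines and ==== / **** rules
            continue
        if section == "Service Check":
            m = SERVICE_RE.match(line)
            if m:
                current = ServiceStatus(m.group(1), m.group(2) == "running")
                services[current.name] = current
            elif current and "Attention!" in line:
                current.notes.append(line)
                if "does not exist" in line:
                    current.key_missing = True
        elif section == "File Check":
            if " => MD5 is legit" in line:        # FSS verified the hash itself
                files[line.split(" => ", 1)[0]] = {"vendor": None, "md5": None, "legit": True}
            elif DRIVE_PATH_RE.match(line):       # path line; hash follows on the next line
                pending_path = line
            elif pending_path:
                m = MD5_RE.search(line)
                if m:
                    files[pending_path] = {"vendor": m.group(1), "md5": m.group(2).upper(), "legit": None}
                pending_path = None
        elif section == "Connection Status":
            connection.append(line)
    return {"services": services, "files": files, "connection": connection}


def assess(report):
    """Turn a parsed report into plain-language findings, worst first."""
    findings = []
    for svc in report["services"].values():
        if svc.key_missing:
            findings.append(f"{svc.name}: service registry key missing under {SERVICES_KEY}; "
                            "the service cannot be started until the key is re-created")
        elif not svc.running:
            findings.append(f"{svc.name}: not running although its start type and paths check out")
    for path, info in report["files"].items():
        if info["legit"] is None:
            findings.append(f"{path}: MD5 {info['md5']} not auto-verified; compare with a known-good copy")
    for line in report["connection"]:
        if "blocked" in line or "error" in line:
            findings.append(f"connectivity: {line}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_fss(SAMPLE_FSS)):
        print("-", finding)
```

Run against the sample, the first finding is the IpSec key that FSS could not open, which is exactly the key the next reply goes looking for with SystemLook; the Dhcp, Dnscache and Tcpip entries come out as "not running, configuration OK", so the parser separates a missing key from services that simply did not start.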


#4 Broni


Posted 19 December 2011 - 07:56 PM

It looks like you have one registry key missing/corrupted.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:
    :reg
    HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\ipsec /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


#5 Ryutso


Posted 29 December 2011 - 10:10 PM

It looks like you have one registry key missing/corrupted.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE

  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:
    :reg
    HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\ipsec /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Sure. Sorry for the long wait. Holidays got the most of us around here.

SystemLook 30.07.11 by jpshortstuff
Log created at 21:54 on 29/12/2011 by Owner
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\ipsec]
(Unable to open key - key not found)

-= EOF =-


#6 Broni


Posted 30 December 2011 - 12:34 PM

Please don't quote my replies as it creates unnecessary clutter.
Thanks :)

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/windows-vista/create-a-restore-point-for-windows-vistas-system-restore/


Download XP.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find several files inside.
Right click on ipsec.reg file, click "Merge".
Allow registry merge.
Restart computer, check on internet connection and post new FSS log.

There is a new version of FSS, so...

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
