Security Sphere 2012 infection on XP.


31 replies to this topic

#1 JedB

JedB

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:14 AM

Posted 27 December 2011 - 07:14 PM

Hi,
My friend's XP PC got infected tonight with this nasty malware.

So I followed the instructions on your site at this page:
http://www.bleepingcomputer.com/virus-removal/remove-security-sphere-2012

The main issue is that I cannot get the internet to connect on that PC to update the Malwarebytes tool, receiving the message:
PROGRAM_ERROR_UPDATING (11004, 0, No address found)

I used RKILL and TDSSKiller.

The first scan by Malwarebytes detected one file - but nothing on rerunning.

I also used the Microsoft instructions http://support.microsoft.com/kb/2540100 which detected one rogue entry, and I also removed that.

Would appreciate any advice on how to proceed and what logs to collect.

Many thanks for your help.



#2 JedB


Posted 29 December 2011 - 01:54 PM

Update:
Followed all the instructions and added a new database file via USB, cleared out 2 more trojan files. Rebooted and reset the Hosts file (via USB again).

No obvious infection showing up, but still unable to connect that PC to the internet by wireless or cable.

Any advice on diagnostics to fix that greatly appreciated. Thanks.

#3 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:12:14 AM

Posted 29 December 2011 - 03:18 PM

Please download Farbar Service Scanner

http://download.bleepingcomputer.com/farbar/FSS.exe

and run it on the computer with the issue.


* Press "Scan".
* It will create a log (FSS.txt) in the same directory the tool is run.
* Please copy and paste the log to your reply.

#4 JedB


Posted 29 December 2011 - 05:51 PM

Thanks,
Here is the fss log:

Farbar Service Scanner
Ran by catherine (administrator) on 29-12-2011 at 22:49:07
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

#5 narenxp


Posted 29 December 2011 - 06:23 PM

Download

http://www.mediafire.com/?kegsoy6pzq5168b

Launch it and click YES to import it to registry

Restart your PC and check your browser

Good luck

Edited by narenxp, 29 December 2011 - 06:23 PM.


#6 JedB


Posted 30 December 2011 - 01:19 PM

Thanks Narenxp

I ran the Registry edit - but still no success. It sees the router but fails to acquire a network address. Grrr.

Should I either rollback (system restore) or get ready to reinstall XP?

#7 narenxp


Posted 30 December 2011 - 01:30 PM

Can you post the new FSS log?

Thanks

#8 JedB


Posted 30 December 2011 - 04:42 PM

Here you go mate...

Farbar Service Scanner
Ran by catherine (administrator) on 30-12-2011 at 21:38:37
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable
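
Added example, not part of the thread or of Farbar Service Scanner: a small Python parser that compares two FSS logs and reports, per service, whether the "Attention!" findings went away between scans. The sample inputs are constructed excerpts trimmed from the two logs posted above, and the status strings are this example's own wording.

```python
import re

# Constructed excerpts: trimmed from the two FSS logs posted in this thread.
LOG_BEFORE = """\
Dhcp Service is not running. Checking service configuration:

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.
"""
LOG_AFTER = """\
Dhcp Service is not running. Checking service configuration:

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.
"""

HEADER = re.compile(r"^(\w+) Service is not running\.")

def parse_fss(text):
    """Map each stopped service to the 'Attention!' findings listed under it."""
    findings, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = m.group(1).lower()
            findings[current] = []
        elif not line.strip():
            current = None  # a blank line ends the service block
        elif current and "Attention!" in line:
            findings[current].append(line.split("Attention!", 1)[1].strip())
    return findings

def compare(before, after):
    """Classify each service by how its findings changed between two scans."""
    b, a = parse_fss(before), parse_fss(after)
    status = {}
    for svc in sorted(set(b) | set(a)):
        if svc not in a:
            status[svc] = "no longer reported as stopped"
        elif a[svc]:
            status[svc] = "configuration still flagged"
        elif b.get(svc):
            status[svc] = "configuration repaired, still stopped"
        else:
            status[svc] = "configuration OK, still stopped"
    return status
```

On these two logs the comparison shows the afd registry key findings cleared after the import while both afd and Dhcp are still listed as not running.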

#9 narenxp


Posted 30 December 2011 - 05:05 PM

Download

Winsock fix


Launch it, click on FIX

Restart your PC after it gets completed

Check your browser. If that doesn't work, try this


PLEASE create a restore point before trying this


Please copy the entire contents of the codebox below into Notepad:



REGEDIT4

; The leading "-" inside the brackets deletes the key and everything under it.

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]



Open Notepad, copy the script, and save it as

Filename: winsock.reg
Save as type: All files


Launch it and click YES to add it to registry

After that, Reboot your computer.

After the restart,

Go to Network Connections
Right click on your normal connection icon, and choose Properties
Click the Install button
Choose Protocol then click Add
Click Have disk
In the drop down box, type in: C:\WINDOWS\INF and click OK
In the next dialog, click Internet Protocol (TCP/IP) then click OK
Click Close to leave the properties box

After that, restart your computer and see if you can browse now.

Good luck

Edited by narenxp, 30 December 2011 - 05:08 PM.


#10 JedB


Posted 31 December 2011 - 11:24 AM

Thanks again.
Tried those - still no joy connecting to network.

I also notice an error message in Security Centre (service currently unavailable) and that the Windows Firewall service is not starting, and will not start when tried - probably a related issue?

Sigh. :-)

#11 narenxp


Posted 31 December 2011 - 11:38 AM

Press Windows + R key and type

cmd and click ok

Now run these commands

net start afd

net start dhcp

Do you receive errors?

#12 JedB


Posted 31 December 2011 - 01:54 PM

Yes - Errors received:

net start afd
System error 2 has occurred
The system cannot find the file specified

net start dhcp
System error 1068 has occurred
The dependency service or group failed to start

#13 narenxp


Posted 31 December 2011 - 02:16 PM

Open command prompt again and run this command

sfc /scannow

After it gets finished, restart your PC and check the browser

Good luck

Edited by narenxp, 31 December 2011 - 02:16 PM.


#14 JedB


Posted 31 December 2011 - 08:23 PM

Thanks - tried running it.

Unfortunately it seems to require a Windows CD-ROM, which was not shipped with the PC. I guess all this PC has is a recovery Windows image in a HD partition.

What a mess!

#15 narenxp


Posted 31 December 2011 - 08:28 PM

No issues

Launch the FSS again and type

afd.sys in the BOX

Click on search files

Post the generated log



