Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

After Removal Of Vista Antivirus 2012...No internet connection


  • Please log in to reply
37 replies to this topic

#1 BrianPA

BrianPA

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:05:34 AM

Posted 30 December 2011 - 04:56 PM

My daughters laptop got the virus last night(this is the second time). Removed it again using your great guides, thanks. Now, this time(didn't happen the first time) she has no internet(wireless) connection. I ran malwarebytes again to see if it missed something. Well, it didn't. Need some help on figuring this one out. I haven't a clue!!!!

I thought you would ask for a FSS log, so here it is. Hope its not too bad, UGH!!!!

Farbar Service Scanner
Ran by Melissa (administrator) on 30-12-2011 at 16:43:56
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open tdx registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
===========

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll
[2011-02-01 12:29] - [2009-04-11 01:28] - 0061440 ____A (Microsoft Corporation) 1CA6C40261DDC0425987980D0CD2AAAB

C:\Windows\system32\wbem\WMIsvc.dll
[2011-02-01 12:30] - [2009-04-11 01:28] - 0162304 ____A (Microsoft Corporation) 6B2A1D0E80110E3D04E6863C6E62FD8A

C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2011-02-01 12:31] - [2009-04-11 01:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

C:\Windows\system32\es.dll
[2011-02-01 12:30] - [2009-04-11 01:28] - 0268800 ____A (Microsoft Corporation) 67058C46504BC12D821F38CF99B7B28F

C:\Windows\system32\cryptsvc.dll
[2011-02-01 12:30] - [2009-04-11 01:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

I already see some problems in there. Just need a hand on what to do.

THANKS!!

BC AdBot (Login to Remove)

 


#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:05:34 AM

Posted 30 December 2011 - 05:10 PM

Launch farbar service scanner

Type this in the BOX

tdx.sys

CLick search files

Post the generated log

Edited by narenxp, 30 December 2011 - 05:11 PM.


#3 BrianPA

BrianPA
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:05:34 AM

Posted 30 December 2011 - 05:18 PM

Farbar Service Scanner
Ran by Melissa (administrator) on 30-12-2011 at 17:15:47
Windows Vista ™ Home Premium Service Pack 2 (X86)

************************************************
================== Search: "tdx.sys" ===================

C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys
[2011-02-01 12:29] - [2009-04-10 23:45] - 0072192 ____A () 49D26DBDBE169E6E855F4A7AE5108050

C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys
[2008-06-18 16:56] - [2008-01-19 00:55] - 0071680 ____A (Microsoft Corporation) D09276B1FAB033CE1D40DCBDF303D10F

C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6000.16386_none_e807064fdf2a97e3\tdx.sys
[2006-11-02 03:57] - [2006-11-02 03:57] - 0068096 ____A (Microsoft Corporation) AB4FDE8AF4A0270A46A001C08CBCE1C2

====== End Of Search ======

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:05:34 AM

Posted 30 December 2011 - 05:27 PM

Click on start button

Go to RUN and copy this line

C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6000.16386_none_e807064fdf2a97e3

Click ok

Now copy the tdx.sys from the location and paste it in C:/Windows/system32/drivers folder

DOwnload tdx.reg from here

http://www.mediafire.com/?1xluk7j8a2d2v4l

Launch it ,click YES to import it

Restart your PC,Check your browser


You are missing your windows firewall and security center service too.Lets look into it after your connection gets restored.

Good luck

Edited by narenxp, 30 December 2011 - 05:30 PM.


#5 BrianPA

BrianPA
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:05:34 AM

Posted 30 December 2011 - 05:55 PM

I got internet!!!!!

THANK YOU VERY MUCH!!!!!!!!!!!!!!!!!!


Was there anything else I need to do? Here is the new FSS log

Farbar Service Scanner
Ran by Melissa (administrator) on 30-12-2011 at 17:53:07
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
===========

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll
[2011-02-01 12:29] - [2009-04-11 01:28] - 0061440 ____A (Microsoft Corporation) 1CA6C40261DDC0425987980D0CD2AAAB

C:\Windows\system32\wbem\WMIsvc.dll
[2011-02-01 12:30] - [2009-04-11 01:28] - 0162304 ____A (Microsoft Corporation) 6B2A1D0E80110E3D04E6863C6E62FD8A

C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2011-02-01 12:31] - [2009-04-11 01:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

C:\Windows\system32\es.dll
[2011-02-01 12:30] - [2009-04-11 01:28] - 0268800 ____A (Microsoft Corporation) 67058C46504BC12D821F38CF99B7B28F

C:\Windows\system32\cryptsvc.dll
[2011-02-01 12:30] - [2009-04-11 01:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:05:34 AM

Posted 30 December 2011 - 09:34 PM

:thumbsup:

Please follow the method i gave here

http://www.bleepingcomputer.com/forums/topic434478.html

That should enable your windows firewall and defender


You are missing security center service too.This key is for 32 BIT OS


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
"DisplayName"="@%SystemRoot%\\System32\\wscsvc.dll,-200"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,\
  72,00,69,00,63,00,74,00,65,00,64,00,00,00
"Start"=dword:00000002
"Type"=dword:00000020
"Description"="@%SystemRoot%\\System32\\wscsvc.dll,-201"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,57,00,69,00,6e,00,\
  4d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="NT AUTHORITY\\LocalService"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,00,00
"DelayedAutoStart"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Security]
"Security"=hex:01,00,14,80,c8,00,00,00,d4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,98,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
  00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,00,01,\
  00,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,28,00,15,00,00,00,01,06,00,\
  00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,e5,55,dc,f4,e2,0e,a7,8b,eb,ca,\
  7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,\
  00,00,00

Open a notepad and copy the script ,save it as

Filename:wscsvc.reg
Save as:All types

Restart your PC.

Good luck.

#7 BrianPA

BrianPA
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:05:34 AM

Posted 30 December 2011 - 10:45 PM

AAARRRRGGGHHHHHHHHHHHH!!!!!!!!!

Just as I was copying the registry text to flash drive, the daughter came to me and said she had the damn virus again. So, I will start using the guide again to remove the virus.

She has AVAST (free version) on her computer. Is there any known antivirus protection from this thing?? Does the Malwarebytes (paid version) pick this up before it does damage?

Sorry if I sound irritated, but, well..........you know!



THANKS for your help!
Will post back when its removed. AGAIN!

#8 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:05:34 AM

Posted 30 December 2011 - 10:48 PM

If you're daughter PC is infected by vista antivirus 2012 then you just need a free version of malwarebytes.

Boot the PC to safemode with networking

Copy malwarebytes from a clean PC to the infected PC

Right click on installer-Select Run as administrator


It should start installing,update and run a full scan

Good luck

Edited by narenxp, 30 December 2011 - 10:49 PM.


#9 BrianPA

BrianPA
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:05:34 AM

Posted 30 December 2011 - 10:55 PM

She has the free version on her computer. But it doesn't stop the virus from getting on her computer, just the removal when her computer gets infected.

#10 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:05:34 AM

Posted 30 December 2011 - 10:59 PM

Did she run a full scan? Free version should be properly updated before scanning.

Make sure to run a full scan.

Good luck.

Edited by narenxp, 30 December 2011 - 11:01 PM.


#11 BrianPA

BrianPA
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:05:34 AM

Posted 30 December 2011 - 11:12 PM

Yes, a full scan was always done. I was referring to an antivirus program that will stop the virus from getting on the computer in the first place. Malwarebytes does remove it nicely. I just want to stop it from entering again. She probably picked it up while on the internet again. Sorry if my last post was unclear.

#12 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:05:34 AM

Posted 30 December 2011 - 11:18 PM

You should understand that most of the antivirus fails in cleaning out these type of rogue.We can try to prevent it.I would recommend AVIRA or ESET nod32.Its better to scan the PC with malwarebytes and super antispyware once in a while.

Good luck

#13 BrianPA

BrianPA
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:05:34 AM

Posted 30 December 2011 - 11:25 PM

Yeah, I don't have a problem with removing it. I'm looking at preventing it from happening again. Are both of those antivirus programs free? Free is good for me, but free doesn't always give the best protection.

#14 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:05:34 AM

Posted 30 December 2011 - 11:35 PM

Avira has both free and paid versions.ESET nod 32 has trial versions.If you are satisfied with it,you can purchase it.

Good luck

#15 BrianPA

BrianPA
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:05:34 AM

Posted 30 December 2011 - 11:40 PM

Ok, thanks. I will check them out after the malwarebytes is complete. Should be done within the hour.

I will post a new FSS log when completed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users