Pretty well hosed at this point...


14 replies to this topic

#1 hs2000

Posted 31 December 2011 - 11:48 PM

Sister's computer.

Dell, win XP pro sp3, mcafee AV; was reasonably up to date w/ win patches and the AV defs were as well.

At some point she picked up some sort of malware.

Initially the symptoms were browser(IE) search hijacking/redirects and unable to get to windows update.

Firefox seemed to be unaffected.

Anyway, I've gotten in here and mucked around a bit, removed a bunch of nasty stuff using various tools and now neither IE nor FF seems to be able to see the light of day. So, I'm better off but not better off. :)

Normally I'd try and save files, re-format and re-build but I just did this for her about 6 months ago. :)

So, if possible, with your help, I'd like to try a more nuanced approach.

Thanks,
HS


#2 narenxp (BC Advisor)

Posted 01 January 2012 - 12:26 AM

Please download Farbar Service Scanner

http://download.bleepingcomputer.com/farbar/FSS.exe

and run it on the computer with the issue.


* Press "Scan".
* It will create a log (FSS.txt) in the same directory the tool is run.
* Please copy and paste the log to your reply.

#3 hs2000 (Topic Starter)

Posted 01 January 2012 - 12:47 PM

Hi! Happy new year and thanks for your help.

Here are the results:

----

Farbar Service Scanner
Ran by monicab (administrator) on 01-01-2012 at 00:14:08
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open IpSec registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open IpSec registry key. The service key does not exist.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking LEGACY_wuauserv: Attention! Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\ipsec.sys is missing.
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) mfetdi2k(13) NetBT(5) PSched(7) Tcpip(3)
0x0D000000040000000100000002000000030000000D0000000B0000000C00000005000000060000000700000008000000090000000A000000
Attention! IpSec Tag value is missing and it should be 4

**** End of log ****
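The FSS log above can be triaged mechanically. The following Python script is an added example, not part of this thread or of Farbar's tool: it parses the FSS.txt format shown in this post and reports the findings a helper would act on first (services whose registry key no longer exists, files reported missing, the firewall-disabled policy, and the TDI binding tag for IPSec, which FSS says should be 4). The abridged sample log and the rule names are constructed from the post above.

```python
import re

# Constructed excerpt of the FSS.txt log posted above (only the lines the
# triage rules look at); not a verbatim copy of the full log.
SAMPLE_LOG = """\
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
IpSec Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open IpSec registry key. The service key does not exist.
"EnableFirewall"=DWORD:0
C:\\WINDOWS\\system32\\Drivers\\tcpip.sys => MD5 is legit
Attention! C:\\WINDOWS\\system32\\Drivers\\ipsec.sys is missing.
Gpc(6) mfetdi2k(13) NetBT(5) PSched(7) Tcpip(3)
Attention! IpSec Tag value is missing and it should be 4
"""

NOT_RUNNING = re.compile(r"^(\w+) Service is not running\.")
KEY_MISSING = re.compile(r"Unable to open (\w+) registry key")
FILE_MISSING = re.compile(r"^Attention! (\S+) is missing\.")
TAG_LIST = re.compile(r"^(?:\w+\(\d+\)\s*)+$")   # the "Extra List" binding line
TAG_ITEM = re.compile(r"(\w+)\((\d+)\)")


def parse_fss(text):
    """Extract the security-relevant facts from an FSS log into a dict."""
    f = {"not_running": [], "missing_keys": [], "missing_files": [],
         "firewall_disabled_policy": False, "bindings": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := NOT_RUNNING.match(line):
            f["not_running"].append(m.group(1))
        elif m := KEY_MISSING.search(line):
            if m.group(1) not in f["missing_keys"]:   # one entry per service
                f["missing_keys"].append(m.group(1))
        elif m := FILE_MISSING.match(line):
            f["missing_files"].append(m.group(1))
        elif line == '"EnableFirewall"=DWORD:0':
            f["firewall_disabled_policy"] = True
        elif TAG_LIST.match(line):
            f["bindings"] = {n: int(t) for n, t in TAG_ITEM.findall(line)}
    return f


def triage(f):
    """Turn parsed findings into the issues to fix before the box can go online."""
    issues = []
    for svc in f["missing_keys"]:
        issues.append(f"service key for {svc} deleted; must be re-imported")
    for path in f["missing_files"]:
        issues.append(f"file missing: {path}")
    if f["firewall_disabled_policy"]:
        issues.append("Windows Firewall turned off by policy")
    tag = f["bindings"].get("IPSec")   # absent in the first log, 5 in the later one
    if tag != 4:
        issues.append(f"IPSec TDI binding tag is {tag}, expected 4")
    return issues
```

Running `triage(parse_fss(SAMPLE_LOG))` reports exactly the four problems narenxp's next replies go on to fix.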

#4 narenxp (BC Advisor)

Posted 01 January 2012 - 01:03 PM

Happy new year :)

Launch the FSS again and type ipsec.sys in the BOX

Click on search files

Post the generated log

#5 hs2000 (Topic Starter)

Posted 01 January 2012 - 01:13 PM

Ok, here's what I got:

----

Farbar Service Scanner
Ran by monicab (administrator) on 01-01-2012 at 13:09:20
Microsoft Windows XP Service Pack 3 (X86)

************************************************
================== Search: "ipsec.sys" ===================

C:\WINDOWS\system32\dllcache\ipsec.sys
[2008-09-12 22:02] - [2008-04-13 14:19] - 0075264 ____A (Microsoft Corporation) 23C74D75E36E7158768DD63D92789A91

C:\WINDOWS\ServicePackFiles\i386\ipsec.sys
[2008-09-12 22:02] - [2008-04-13 14:19] - 0075264 ____N (Microsoft Corporation) 23C74D75E36E7158768DD63D92789A91

C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys
[2008-09-19 09:31] - [2004-08-04 06:00] - 0074752 ____C (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\i386\ipsec.sys
[2008-01-04 22:07] - [2004-08-04 06:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

====== End Of Search ======

#6 narenxp (BC Advisor)

Posted 01 January 2012 - 01:20 PM

Navigate to this path

C:\WINDOWS\ServicePackFiles\i386

Copy the ipsec.sys from the location and paste it in

C:/windows/system32/drivers folder

Download

http://www.mediafire.com/?n91brtx7gd86rnc

Launch it and click YES to import it to registry

Restart your PC and check your browser

Good luck

#7 hs2000 (Topic Starter)

Posted 01 January 2012 - 02:09 PM

No joy. IE to windows update doesn't work; IE and FF to www.cnn.com (for example) doesn't work. Anything I can do to verify that I did things correctly?

Here is an updated FSS log searching for ipsec.sys as per above in case it's useful (it seems to indicate the change took):

----

Farbar Service Scanner
Ran by monicab (administrator) on 01-01-2012 at 13:56:19
Microsoft Windows XP Service Pack 3 (X86)

************************************************
================== Search: "ipsec.sys" ===================

C:\WINDOWS\system32\drivers\ipsec.sys
[2012-01-01 13:35] - [2008-04-13 14:19] - 0075264 ____A (Microsoft Corporation) 23C74D75E36E7158768DD63D92789A91

C:\WINDOWS\system32\dllcache\ipsec.sys
[2012-01-01 13:35] - [2008-04-13 14:19] - 0075264 ____A (Microsoft Corporation) 23C74D75E36E7158768DD63D92789A91

C:\WINDOWS\ServicePackFiles\i386\ipsec.sys
[2008-09-12 22:02] - [2008-04-13 14:19] - 0075264 ____N (Microsoft Corporation) 23C74D75E36E7158768DD63D92789A91

C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys
[2008-09-19 09:31] - [2004-08-04 06:00] - 0074752 ____C (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\i386\ipsec.sys
[2008-01-04 22:07] - [2004-08-04 06:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

====== End Of Search ======

#8 narenxp (BC Advisor)

Posted 01 January 2012 - 02:29 PM

Please post the FSS log again

* Press "Scan".
* It will create a log (FSS.txt) in the same directory the tool is run.
* Please copy and paste the log to your reply.

#9 hs2000 (Topic Starter)

Posted 01 January 2012 - 02:44 PM

Ok, all boxes checked:

----

Farbar Service Scanner
Ran by monicab (administrator) on 01-01-2012 at 14:35:29
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wuauserv registry key. The service key does not exist.
Checking LEGACY_wuauserv: Attention! Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(5) mfetdi2k(13) NetBT(5) PSched(7) Tcpip(3)
0x0D000000040000000100000002000000030000000D0000000B0000000C00000005000000060000000700000008000000090000000A000000
Attention! IpSec Tag value should be 4

**** End of log ****

#10 narenxp (BC Advisor)

Posted 01 January 2012 - 02:47 PM

Download

Winsock fix

Launch it, click on FIX

Restart your PC after it gets completed

Check your browser. If that doesn't work, try this


PLEASE create a restore point before trying this

Please copy the entire contents of the codebox below into Notepad:


REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]





Open Notepad, copy the script, and save it as

Filename: winsock.reg
Save as type: All files


Launch it and click YES to add it to registry

After that, Reboot your computer.

After the restart,

Go to Network Connections
Right click on your normal connection icon, and choose Properties
Click the Install button
Choose Protocol then click Add
Click Have disk
In the drop down box, type in: C:\WINDOWS\INF and click OK
In the next dialog, click Internet Protocol (TCP/IP) then click OK
Click Close to leave the properties box

After that, restart your computer and see if you can browse now.


Good luck

Edited by narenxp, 01 January 2012 - 02:48 PM.


#11 hs2000 (Topic Starter)

Posted 01 January 2012 - 04:26 PM

Ok, good news! Option #1 above did not work but option #2 did.

I can now get to windows update in IE and cnn.com in FF.

Should I also apply step #2 above to the wired connection; I'm using a temp usb wireless here but my sister uses the wired at her house.

Also, what other scans/checks, etc should I do at this point to ensure that I'm rid of all the malware at this point?

Thanks!

#12 narenxp (BC Advisor)

Posted 01 January 2012 - 04:31 PM

Whatever the connection is, apply it if you face connection issues.

Also, in your initial post I could read that you used different tools; what are they?

#13 hs2000 (Topic Starter)

Posted 01 January 2012 - 05:23 PM

Well, I was pretty much all over the place, google cowboy style, lol...

I started w/ downloading spybot s&d and ms security essentials as well as McAfee scans; then after poking around here a bit and reading the various similar threads dealing w/ browser redirects and such, I started using some of the tools recommended in those threads as well - mbam, tdsskiller; downloaded and ran minitoolbox, securitycheck, gmer...

There were just some additional registry settings dealing w/ windows update that I just applied to get it to work properly - it would go to the update site but couldn't actually do any updates or allow me to view history. The troubleshooting within ms update got me to the fix for that. The last updates were applied on 11nov so she wasn't too out of date there...it's applying a .NET 3.5 update at this moment...

I'm going to set up another admin account for her and revoke the admin priv from the account she normally uses day to day in an attempt to add another layer against some of this stuff...anything else you might recommend at this point?

#14 narenxp (BC Advisor)

Posted 01 January 2012 - 05:31 PM

Make sure to run scans with malwarebytes and super antispyware frequently.

Update your antivirus.

Safe surfing :thumbup2:

#15 hs2000 (Topic Starter)

Posted 01 January 2012 - 05:59 PM

Will do. Thanks for your help and advice.

I sent you a PM.