
Cannot Access Internet after trying to remove fake antivirus software!


17 replies to this topic

#1 samandtabitha


Posted 05 January 2012 - 04:49 PM

Hi all! I recently tried to rid my computer of the fake XP Antivirus 2012 and thought I had succeeded. However, I can no longer access the internet through Mozilla even though my wireless receiver shows connectivity. After reading several other posts describing a similar problem I ran several programs to obtain logs to post here in the hope it will help in solving the problem! Thanks so much for any help! It might be of importance to note that when I ran GMER my computer shut down spontaneously and then told me it had just recovered from a serious error when it rebooted. I unchecked devices and then it ran just fine though. I ran in this order: SecurityCheck, Farbar Service Scanner, MiniToolBox, MWB and GMER.

============================================================================================

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

AVG Free 9.0
Antivirus out of date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player 11.0.1.152
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgemc.exe
``````````End of Log````````````

==========================================================================================

Farbar Service Scanner
Ran by Owner (administrator) on 04-01-2012 at 18:22:13
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
The start type of IpSec service is OK.
The ImagePath of IpSec service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\ipsec.sys is missing.
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(9) AvgTdiX(86) Gpc(3) IPSec(5) NetBT(6) PSched(7) s24trans(8) Tcpip(4) Tcpip6(10)
0x0B000000050000000100000002000000030000000400000056000000060000000700000008000000090000000A000000
IpSec Tag value is correct.

**** End of log ****

==========================================================================================

MiniToolBox by Farbar
Ran by Owner (administrator) on 04-01-2012 at 18:23:42
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 0
Hosts file not detected in the default directory
========================= IP Configuration: ================================

1394 Net Adapter = 1394 Connection (Connected)
Intel® PRO/Wireless 2200BG Network Connection = Wireless Network Connection (Connected)
Broadcom 440x 10/100 Integrated Controller = Local Area Connection (Media disconnected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip



popd
# End of interface IP configuration




Windows IP Configuration



An internal error occurred: The request is not supported.



Please contact Microsoft Product Support Services for further help.



Additional information: Unable to query host name.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host bleepingcomputer.com. Please check the name and try again.

Unable to contact IP driver, error code 2,

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/04/2012 06:11:57 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (01/04/2012 04:11:02 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (01/04/2012 04:00:37 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (01/04/2012 03:52:39 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (01/04/2012 03:41:14 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/28/2011 03:53:20 AM) (Source: ESENT) (User: )
Description: Catalog Database (852) Database C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb was partially detached. Error -1032 encountered updating database headers.

Error: (12/28/2011 03:53:20 AM) (Source: ESENT) (User: )
Description: Catalog Database (852) Unable to write a shadowed header for file C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb. Error -1032.

Error: (12/28/2011 03:53:19 AM) (Source: ESENT) (User: )
Description: svchost (852) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Error: (12/28/2011 01:51:52 AM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)

Error: (12/27/2011 11:18:27 PM) (Source: Windows Search Service) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:
The content index metadata cannot be read. (0xc0041801)


System errors:
=============
Error: (01/04/2012 06:23:52 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%1068

Error: (01/04/2012 06:23:52 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP Protocol Driver service depends on the IPSEC driver service which failed to start because of the following error:
%%2

Error: (01/04/2012 06:23:52 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC driver service failed to start due to the following error:
%%2

Error: (01/04/2012 06:23:51 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%1068

Error: (01/04/2012 06:23:51 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP Protocol Driver service depends on the IPSEC driver service which failed to start because of the following error:
%%2

Error: (01/04/2012 06:23:51 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC driver service failed to start due to the following error:
%%2

Error: (01/04/2012 06:23:50 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%1068

Error: (01/04/2012 06:23:50 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP Protocol Driver service depends on the IPSEC driver service which failed to start because of the following error:
%%2

Error: (01/04/2012 06:23:50 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC driver service failed to start due to the following error:
%%2

Error: (01/04/2012 06:23:50 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%1068


Microsoft Office Sessions:
=========================
Error: (04/09/2010 03:27:51 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6514.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 621 seconds with 480 seconds of active time. This session ended with a crash.

Error: (04/09/2010 03:17:12 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6514.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 3665 seconds with 1140 seconds of active time. This session ended with a crash.

Error: (04/09/2010 01:49:51 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6514.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 3 seconds with 0 seconds of active time. This session ended with a crash.

Error: (04/09/2010 01:49:40 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6514.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 15 seconds with 0 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

Acrobat.com (Version: 2.0.0)
Acrobat.com (Version: 2.0.0.0)
Adobe AIR (Version: 1.5.3.9120)
Adobe Flash Player 10 ActiveX (Version: 10.0.42.34)
Adobe Flash Player 11 Plugin (Version: 11.0.1.152)
Adobe Reader 9.2 (Version: 9.2.0)
ALOT Toolbar
AVG Free 9.0
Bing Bar (Version: 7.0.609.0)
Broadcom 440x 10/100 Integrated Controller (Version: 5.51.03)
C-Major Audio (Version: 42xx)
Conexant D110 MDC V.92 Modem
Dungeon Crawl Stone Soup (Version: 0.8.1)
Inbox Toolbar (Version: 1.0.0)
Intel® Graphics Media Accelerator Driver for Mobile (Version: 6.14.10.4609)
Intel® PROSet/Wireless Software (Version: 11.01.0000)
Java Auto Updater (Version: 2.0.5.1)
Java™ 6 Update 26 (Version: 6.0.260)
Lexmark 2600 Series
Malwarebytes' Anti-Malware
mCore (Version: 9.03.0000)
mDriver (Version: 9.03.0000)
mDrWiFi (Version: 9.03.0000)
mHlpDell (Version: 9.03.0000)
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Default Manager (Version: 2.1.54.0)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Home and Student 2007 (Version: 12.0.6425.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft UI Engine (Version: 4.0.0318.1)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
mIWA (Version: 9.03.0000)
mLogView (Version: 9.03.0000)
mMHouse (Version: 9.03.0000)
Mozilla Firefox 8.0.1 (x86 en-US) (Version: 8.0.1)
mPfMgr (Version: 9.03.0000)
mPfWiz (Version: 9.03.0000)
mProSafe (Version: 9.00.0000)
mSCfg (Version: 9.03.0000)
mSSO (Version: 9.03.0000)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6.0 Parser (Version: 6.00.3883.8)
mWlsSafe (Version: 9.00.0000)
mWMI (Version: 9.03.0000)
mZConfig (Version: 9.03.0000)
Nero 8 Essentials (Version: 8.3.382)
neroxml (Version: 1.0.0)
OpenOffice.org 3.1 (Version: 3.1.9420)
Update Rollup 2 for Windows XP Media Center Edition 2005
VCRedistSetup (Version: 1.0.0)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Live ID Sign-in Assistant (Version: 6.500.3165.0)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0 (Version: 04.00.6001.503)
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3 (Version: 20080414.031525)

========================= Memory info: ===================================

Percentage of memory in use: 77%
Total physical RAM: 503.37 MB
Available physical RAM: 115.33 MB
Total Pagefile: 844.47 MB
Available Pagefile: 340.62 MB
Total Virtual: 2047.88 MB
Available Virtual: 1974.21 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:55.88 GB) (Free:41.87 GB) NTFS
3 Drive e: () (Removable) (Total:15.1 GB) (Free:14.33 GB) FAT32

========================= Users: ========================================

User accounts for \\OWNER-38CCF13CB

Administrator ASPNET Guest
HelpAssistant Owner SUPPORT_388945a0


**** End of log ****

==========================================================================================

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.24.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Owner :: OWNER-38CCF13CB [administrator]

1/4/2012 6:43:23 PM
mbam-log-2012-01-04 (18-43-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 180860
Time elapsed: 11 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Heuristics.Shuriken) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\Owner\My Documents\Downloads\cnet_WiseFixer_exe.exe (PUP.Adware.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\obaeta\setup.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.

(end)

==========================================================================================

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-04 21:29:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST960822A rev.8.03
Running: lmtu3hdv.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kfnoafog.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1180] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 65536 bytes
File C:\WINDOWS\$NtUninstallKB30368$\1142587331 0 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729 0 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729\bckfg.tmp 794 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729\cfg.ini 207 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729\keywords 0 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729\L 0 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729\L\sioepilf 75264 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729\U 0 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729\U\00000001.@ 1536 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB30368$\3478239729\U\80000032.@ 97792 bytes

---- EOF - GMER 1.0.15 ----

Edited by Budapest, 05 January 2012 - 05:31 PM.
Moved from XP ~Budapest
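
Reading the Farbar Service Scanner and MiniToolBox output above by hand means spotting that the "IPSEC driver failed to start (%%2)" entry is the start of the chain that takes down Tcpip and NLA. As an added example (not from the thread and not part of Farbar's tools), the Python script below parses constructed excerpts written in the same line formats as the two logs and links the Service Control Manager dependency failures back to the file FSS flags as missing. The regexes are my assumption about the tools' line formats, derived only from the text posted here; %%2 and %%1068 are the Win32 codes ERROR_FILE_NOT_FOUND and ERROR_SERVICE_DEPENDENCY_FAIL.

```python
import re

# Constructed excerpt in FSS's line format, shaped after the log posted above (not a saved log file).
FSS_LOG = """\
Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
The start type of IpSec service is OK.
The ImagePath of IpSec service is OK.

File Check:
========
C:\\WINDOWS\\system32\\Drivers\\tcpip.sys => MD5 is legit
Attention! C:\\WINDOWS\\system32\\Drivers\\ipsec.sys is missing.
C:\\WINDOWS\\system32\\dnsrslvr.dll => MD5 is legit
"""

# Constructed Service Control Manager entries in MiniToolBox's event-log format.
SCM_LOG = """\
Error: (01/04/2012 06:23:52 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%1068

Error: (01/04/2012 06:23:52 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP Protocol Driver service depends on the IPSEC driver service which failed to start because of the following error:
%%2

Error: (01/04/2012 06:23:52 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC driver service failed to start due to the following error:
%%2
"""

# Win32 error codes as SCM writes them (%%<code>).
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 1068: "ERROR_SERVICE_DEPENDENCY_FAIL"}

# Line formats assumed from the logs in this thread.
STOPPED_RE = re.compile(r"^(\w+) Service is not running\.")
CONFIG_RE = re.compile(r"^The (start type|ImagePath|ServiceDll) of (\w+) service is (.+)\.$")
MISSING_RE = re.compile(r"^Attention! (.+) is missing\.$")
HASH_RE = re.compile(r"^(.+?) => (.+)$")
DEP_RE = re.compile(r"The (.+?) service depends on the (.+?) service which failed to start "
                    r"because of the following error:\s*%%(\d+)")
FAIL_RE = re.compile(r"The (.+?) service failed to start due to the following error:\s*%%(\d+)")


def parse_fss(text):
    """Pull the actionable lines out of an FSS log: stopped services, service
    configuration that is not OK, missing system files and failed hash checks."""
    t = {"stopped": [], "config_problems": [], "missing_files": [], "bad_hashes": []}
    for line in (l.strip() for l in text.splitlines()):
        if m := STOPPED_RE.match(line):
            t["stopped"].append(m.group(1))
        elif (m := CONFIG_RE.match(line)) and m.group(3) != "OK":
            t["config_problems"].append((m.group(2), m.group(1), m.group(3)))
        elif m := MISSING_RE.match(line):
            t["missing_files"].append(m.group(1))
        elif (m := HASH_RE.match(line)) and m.group(2) != "MD5 is legit":
            t["bad_hashes"].append((m.group(1), m.group(2)))
    return t


def parse_scm(text):
    """Return ({(dependent, dependency): code}, {service: code}) from SCM entries.
    SCM logs every retry, so repeated entries collapse into one edge."""
    edges, failures = {}, {}
    for m in DEP_RE.finditer(text):
        edges.setdefault((m.group(1), m.group(2)), int(m.group(3)))
    for m in FAIL_RE.finditer(text):
        failures.setdefault(m.group(1), int(m.group(2)))
    return edges, failures


def failure_chain(edges, start):
    """Follow 'X depends on Y' edges from `start` down to the service that really failed."""
    parents = {dep: on for (dep, on) in edges}
    chain = [start]
    while chain[-1] in parents and parents[chain[-1]] not in chain:  # cycle guard
        chain.append(parents[chain[-1]])
    return chain


def root_causes(edges, failures):
    """Failed services that do not blame a dependency of their own."""
    dependents = {dep for (dep, _on) in edges}
    return {svc: code for svc, code in failures.items() if svc not in dependents}


def correlate(fss, roots):
    """Tie a root cause that failed with ERROR_FILE_NOT_FOUND to a file FSS flagged
    as missing, matching on the service's first word ("IPSEC driver" -> ipsec.sys)."""
    hits = {}
    for svc, code in roots.items():
        token = svc.split()[0].lower()
        for path in fss["missing_files"]:
            if WIN32_ERRORS.get(code) == "ERROR_FILE_NOT_FOUND" and \
                    path.rsplit("\\", 1)[-1].lower().startswith(token):
                hits[svc] = path
    return hits
```

On the excerpts above, `correlate(parse_fss(FSS_LOG), root_causes(*parse_scm(SCM_LOG)))` yields the same conclusion the helper reaches in the next post: the IPSEC driver failed because ipsec.sys is gone.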


#2 Broni


Posted 05 January 2012 - 09:11 PM

Welcome aboard

We have several issues there.

Let's start with missing system file.

Please run Farbar Service Scanner.
Type the following in the edit box after "Search:".

ipsec.sys

Click Search Files button and post the log (FSS.txt) it makes to your reply.



#3 samandtabitha


Posted 06 January 2012 - 02:14 PM

Here is the log of the FSS search. Thanks Broni for checking this out :)

============================================================================================

Farbar Service Scanner
Ran by Owner (administrator) on 06-01-2012 at 12:52:18
Microsoft Windows XP Service Pack 3 (X86)

************************************************
================== Search: "ipsec.sys" ===================

C:\WINDOWS\system32\dllcache\ipsec.sys
[2008-04-13 13:19] - [2008-04-13 13:19] - 0075264 ___AC (Microsoft Corporation) 23C74D75E36E7158768DD63D92789A91

C:\WINDOWS\ServicePackFiles\i386\ipsec.sys
[2008-04-13 13:19] - [2008-04-13 13:19] - 0075264 ____N (Microsoft Corporation) 23C74D75E36E7158768DD63D92789A91

C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys
[2009-12-16 15:53] - [2004-08-10 06:00] - 0074752 ____C (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

====== End Of Search ======

#4 Broni


Posted 06 January 2012 - 04:16 PM

Download following batch file: http://www.filedropper.com/fix_11
Double click on it to run the fix.
Command prompt window will appear briefly.

Restart computer, check on internet connection and post new FSS log.



#5 samandtabitha


Posted 06 January 2012 - 05:08 PM

Broni you are an angel sent from Heaven!! My internet now works :) Thanks so much and here is the FSS log.

============================================================================================

Farbar Service Scanner
Ran by Owner (administrator) on 06-01-2012 at 16:03:35
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(9) AvgTdiX(86) Gpc(3) IPSec(5) NetBT(6) PSched(7) s24trans(8) Tcpip(4) Tcpip6(10)
0x0B000000050000000100000002000000030000000400000056000000060000000700000008000000090000000A000000
IpSec Tag value is correct.

**** End of log ****

#6 Broni


Posted 06 January 2012 - 05:14 PM

Looks perfectly fine now :)

Update your AVG now and run full scan.
Let me know if it found anything.

Then....

We also have "hosts" file missing.

Open Notepad.
Paste the following text into it:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#  	102.54.94.97 	rhino.acme.com      	# source server
#   	38.25.63.10 	x.acme.com          	# x client host

127.0.0.1   	localhost

Go File>Save As and...

1. Name the file hosts. (no extension; make sure there is just a "dot" at the end <--- VERY IMPORTANT!)
2. Make sure "Save as type:" is set to "All Files (*.*)"
3. Make sure the file is saved to C:\WINDOWS\SYSTEM32\DRIVERS\ETC folder


============================================================================

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :dir
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
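
As an added example (not from the thread), here is a Python audit of a hosts file in the format quoted above: it parses the file the way the resolver reads it (comments stripped, one address then one or more names) and flags any mapping beyond the stock localhost line, which is how tampering by a rogue program shows up. The tampered sample and its host names are constructed placeholders.

```python
import ipaddress

# Constructed: an abbreviated copy of the default XP hosts file quoted in the post above.
DEFAULT_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
"""

# Constructed sample of what a tampered file looks like; the names are placeholders.
TAMPERED_HOSTS = DEFAULT_HOSTS + """\
127.0.0.1       update.example.com      # update site pointed at the local machine
0.0.0.0         av-vendor.example
10.0.0.5        bank.example            # hijacked to another host
"""


def parse_hosts(text):
    """Return (address, name) pairs the resolver would honour: comments stripped,
    one address followed by one or more names, malformed lines ignored."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address: Windows skips the line, so do we
        entries.extend((str(addr), name.lower()) for name in fields[1:])
    return entries


def audit_hosts(text):
    """Flag anything beyond the stock '127.0.0.1 localhost' line."""
    entries = parse_hosts(text)
    findings = []
    if ("127.0.0.1", "localhost") not in entries:
        findings.append("localhost mapping missing")
    for addr, name in entries:
        if name == "localhost":
            continue
        ip = ipaddress.ip_address(addr)
        # loopback / 0.0.0.0 silently blackholes the name; anything else sends it elsewhere
        kind = "sinkholed" if ip.is_loopback or ip.is_unspecified else "redirected"
        findings.append(f"{name} {kind} to {addr}")
    return findings
```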



#7 samandtabitha


Posted 06 January 2012 - 07:44 PM

AVG showed no infections!! Yay! Here is the SystemLook log after saving the notepad file.

========================================================================================================================================================

SystemLook 30.07.11 by jpshortstuff
Log created at 18:42 on 06/01/2012 by Owner
Administrator - Elevation successful

========== dir ==========

C:\WINDOWS\SYSTEM32\DRIVERS\ETC - Parameters: "(none)"

---Files---
hosts --a---- 711 bytes [00:38 07/01/2012] [00:38 07/01/2012]
lmhosts.sam --a---- 3683 bytes [12:00 10/08/2004] [12:00 10/08/2004]
networks --a---- 407 bytes [12:00 10/08/2004] [12:00 10/08/2004]
protocol --a---- 799 bytes [12:00 10/08/2004] [12:00 10/08/2004]
services --a---- 7116 bytes [12:00 10/08/2004] [12:00 10/08/2004]

---Folders---
None found.

-= EOF =-

#8 Broni


Posted 06 January 2012 - 08:45 PM

Good job :)

Last checks...

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE. If Eset doesn't find any threats it'll NOT produce any log.



#9 samandtabitha


Posted 06 January 2012 - 09:38 PM

I know this sounds silly but I'm not sure how to disable my AVG to do the online scan. I tried looking in the help section and through all the menus, but found nothing. Do you happen to know how?

#10 Broni

Posted 06 January 2012 - 09:41 PM

Unfortunately, you can disable AVG only for 15 minutes, so run ESET with AVG on.


#11 samandtabitha


Posted 06 January 2012 - 11:51 PM

I ran the ESET Online Scan. Here is the log.

========================================================================================================================================================

C:\Documents and Settings\Owner\My Documents\Downloads\cnet_RegpairSetup_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Documents and Settings\Owner\My Documents\Downloads\SpeedMaxPc_License_Key.rar_mediaget.exe a variant of Win32/MediaGet application cleaned by deleting - quarantined
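
An added example, not code from the thread or from ESET: a small parser for ESET Online Scanner log lines of the shape posted above (path, detection name, action taken), so a batch of findings can be triaged instead of read by eye. The sample log is constructed to mirror the two lines above; ESET writes tab separators between the three fields and pasting into a forum usually flattens them to spaces, so the parser accepts both. Treating the trailing word "application" as ESET's unwanted-application category and everything else as malware is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the ESET Online Scanner log posted above.
# ESET separates path, detection and action with tabs; pasting into a forum
# usually flattens them to spaces, so the first line keeps tabs and the second
# does not, and the parser must handle both.
SAMPLE_LOG = (
    "C:\\Documents and Settings\\Owner\\My Documents\\Downloads\\cnet_RegpairSetup_exe.exe"
    "\ta variant of Win32/InstallCore.D application\tcleaned by deleting - quarantined\n"
    "C:\\Documents and Settings\\Owner\\My Documents\\Downloads\\SpeedMaxPc_License_Key.rar_mediaget.exe"
    " a variant of Win32/MediaGet application cleaned by deleting - quarantined\n"
    "\n"
    "not a detection line\n"
)


@dataclass
class Detection:
    path: str
    threat: str     # e.g. "a variant of Win32/InstallCore.D"
    category: str   # "potentially unwanted application" or "malware" (assumption, see below)
    action: str     # e.g. "cleaned by deleting - quarantined"


# A Windows path never contains "/", while every ESET detection name does
# (Platform/Family.Variant), so the first slash-bearing token marks where the
# path ends. The trailing "application" word is how this log labels
# unwanted-application findings; treating its absence as malware is an
# assumption of this example, not something stated in the thread.
_DETECTION_RE = re.compile(
    r"(?P<threat>(?:probably\s+)?(?:a\s+variant\s+of\s+)?[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)"
    r"(?P<pua>\s+(?:potentially\s+(?:unwanted|unsafe)\s+)?application)?"
    r"\s+(?P<action>\S.*?)\s*$"
)


def parse_line(line: str) -> Optional[Detection]:
    """Parse one log line; return None for blank or unrecognised lines."""
    text = line.replace("\t", " ").strip()
    if not text:
        return None
    m = _DETECTION_RE.search(text)
    if m is None:
        return None
    path = text[: m.start()].strip()
    if not re.match(r"^[A-Za-z]:\\", path):   # require a drive-letter path before the detection
        return None
    return Detection(
        path=path,
        threat=re.sub(r"\s+", " ", m.group("threat")),
        category="potentially unwanted application" if m.group("pua") else "malware",
        action=m.group("action"),
    )


def parse_log(text: str) -> List[Detection]:
    """Parse a whole log, silently skipping lines that are not detections."""
    found = []
    for line in text.splitlines():
        d = parse_line(line)
        if d is not None:
            found.append(d)
    return found


def not_quarantined(detections: List[Detection]) -> List[Detection]:
    """Findings ESET reported but did not quarantine; these still need manual follow-up."""
    return [d for d in detections if "quarantined" not in d.action]


if __name__ == "__main__":
    for d in parse_log(SAMPLE_LOG):
        print(f"{d.category:<32} {d.threat:<36} {d.action:<36} {d.path}")
```

Both findings in the posted log are unwanted-application installers sitting in the Downloads folder, and both were quarantined, so not_quarantined() comes back empty; anything it does return (an "error while cleaning" line, for instance) is what the helper would ask to see next.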

#12 Broni

Posted 07 January 2012 - 12:43 AM

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

================================================================

Your computer is clean.

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll remove all old restore points and create a fresh, clean restore point.

Turn system restore off.
Restart computer.
Turn system restore back on.

If you don't know how to do it...
Windows XP: http://support.microsoft.com/kb/310405
Vista and Windows 7: http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

2. Make sure Windows Updates are current.

3. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

4. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

5. Run Temporary File Cleaner (TFC) weekly.

6. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

7. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

8. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

10. Except for MBAM and TFC, which are keepers, you can simply delete all other tools we used, as they don't install.


#13 samandtabitha


Posted 07 January 2012 - 03:16 AM

Thank you for everything! I've taken all the steps you gave me, and am in the process of reading the guide. I really appreciate all the help!

#14 Broni

Posted 07 January 2012 - 11:45 AM

You're very welcome.


#15 samandtabitha


Posted 08 January 2012 - 08:52 PM

Every once in a while I get an error saying "jusched.exe had encountered a problem and needs to close". Is that bad? If so, what can I do to solve the problem? Is it associated with the problems you just helped me solve?



