No internet connection after Removed XP Antivirus 2012 and Zeroaccess


  • This topic is locked
34 replies to this topic

#1 joech

joech

  • Members
  • 20 posts

Posted 12 January 2012 - 08:59 PM

After removing Windows XP Antivirus 2012 and Zeroaccess, I lost the internet connection. It says Internet Explorer cannot display the webpage. Network diagnostics says winsock error, but still nothing after repair. DNS service does not work. It will not work in safe mode with networking. NIC card allows IP address invoking of router. Rest of network is functioning for other computers, thankfully, because it's gonna be a flashdrive job from a different computer.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Deanna Schwartz at 14:00:53 on 2012-01-12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2815.2274 [GMT -5:00]
.
AV: WOW! Security 9.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: WOW! Security 9.01 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\WOW Security\Anti-Virus\fsgk32st.exe
C:\Program Files\WOW Security\Common\FSMA32.EXE
C:\Program Files\WOW Security\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxducoms.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Program Files\Lexmark 5600-6600 Series\lxduMsdMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\WOW Security\Anti-Virus\fssm32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WOW Security\Common\FSLAUNCH.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = hxxp://localhost;*.local
uURLSearchHooks: H - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {C4B8BAB4-1667-11DF-A242-BA9455D89593} - No File
BHO: Browsing Protection Class: {c6867eb7-8350-4856-877f-93cf8ae3dc9c} - c:\program files\wow security\nrs\iescript\baselitmus.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.7.0\IEViewBar.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Browsing Protection Toolbar: {265eee8e-3228-44d3-aea5-f7fdf5860049} - c:\program files\wow security\nrs\iescript\baselitmus.dll
TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File
TB: {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - No File
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Facebook Update] "c:\documents and settings\deanna schwartz\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [AOL Fast Start] "c:\program files\aol 9.0\AOL.EXE" -b
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [lxdumon.exe] "c:\program files\lexmark 5600-6600 series\lxdumon.exe"
mRun: [lxduamon] "c:\program files\lexmark 5600-6600 series\lxduamon.exe"
mRun: [Lexmark 5600-6600 Series Fax Server] "c:\program files\lexmark 5600-6600 series\fm3032.exe" /s
mRun: [FaxCenterServer] "c:\program files\\lexmark fax solutions\fm3032.exe" /s
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [F-Secure Manager] "c:\program files\wow security\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\wow security\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AGEIA PhysX SysTray] c:\program files\ageia technologies\TrayIcon.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-explorer: <NO NAME> =
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2}
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Jane's%20Realty/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} - hxxp://www.worldwinner.com/games/v47/skillgam/skillgam.cab
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlcdnet.asus.com/pub/ASUS/misc/dlm-activex-2.2.5.0.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} - hxxp://www.worldwinner.com/games/v53/wwhearts/wwhearts.cab
DPF: {61900274-3323-4446-BDCD-91548D32AF1B} - hxxp://www.worldwinner.com/games/v56/spidersolitaire/spidersolitaire.cab
DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - hxxp://www.gamehouse.com/games/DoggieDash.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
DPF: {97438FE9-D361-4279-BA82-98CC0877A717} - hxxp://www.worldwinner.com/games/v57/cubis/cubis.cab
DPF: {A021A215-6CDC-44B4-8C16-90491CED9605} - hxxp://www.worldwinner.com/games/v68/clue/clue.cab
DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} - hxxp://www.worldwinner.com/games/v45/mysterypi/mysterypi.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Paradise%20Pet%20Salon/Images/armhelper.ocx
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://service.futuremark.com/virtualmark/tc/MSC3.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v54/wwspades/wwspades.cab
TCP: DhcpNameServer = 64.233.217.3 64.233.217.5
TCP: Interfaces\{A238F17E-6C19-4AD0-B0C3-936B6021A631} : DhcpNameServer = 64.233.217.3 64.233.217.5
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2010-9-15 42672]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2010-9-15 82120]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\wow security\hips\drivers\fshs.sys [2010-9-15 68064]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\wow security\anti-virus\fsgk32st.exe [2010-9-15 215648]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2011-10-18 12184]
R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-10-14 399416]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-27 24652]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\wow security\anti-virus\minifilter\fsgk.sys [2010-9-15 148632]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2003-9-19 15104]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxduserv.exe [2009-7-10 98984]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\wow security\orsp client\fsorsp.exe [2010-9-15 61088]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
.
=============== Created Last 30 ================
.
2012-01-12 01:02:40 -------- d-----w- c:\program files\Cisco Systems
2012-01-11 22:53:17 -------- d-----w- C:\Macromedia
2012-01-11 22:15:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-11 21:29:20 -------- d-----w- c:\program files\Trend Micro
2012-01-11 20:01:37 -------- d-sha-r- C:\cmdcons
2012-01-11 18:05:08 98816 ----a-w- c:\windows\sed.exe
2012-01-11 18:05:08 518144 ----a-w- c:\windows\SWREG.exe
2012-01-11 18:05:08 256000 ----a-w- c:\windows\PEV.exe
2012-01-11 18:05:08 208896 ----a-w- c:\windows\MBR.exe
2012-01-11 03:52:33 8192 ----a-w- c:\windows\winsock.reg
2012-01-11 03:52:33 20480 ----a-w- c:\windows\winsock2.reg
2012-01-11 03:52:31 -------- d-----w- c:\documents and settings\all users\application data\WinsockFix
2012-01-10 23:04:51 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-16 13:26:01 -------- d-----w- c:\program files\iPod
2011-12-16 13:25:49 -------- d-----w- c:\program files\iTunes
2011-12-15 03:04:05 -------- d-----w- c:\program files\common files\xing shared
2011-12-15 03:03:10 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-12-15 03:03:10 348160 ----a-w- c:\windows\system32\msvcr71.dll
.
==================== Find3M ====================
.
2012-01-11 22:14:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-10 19:52:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 22:03:37 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-11-12 20:02:12 163644 -c--a-w- c:\windows\system32\drivers\secdrv.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-30 16:07:20 2818 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 18:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 17:19:42 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2005-12-10 18:32:22 0 -c--a-w- c:\program files\MCAsvchost.exe
2001-06-20 21:19:18 40960 -c--a-w- c:\program files\ACMonitor_X83.exe
.
============= FINISH: 14:01:12.07 ===============
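The pseudo-HJT section of a DDS log is what a helper reads first. Added example (not DDS, ComboFix or BleepingComputer code): a Python script that parses a constructed excerpt of the report above and lists the registrations whose file is gone ("No File"), where each DPF ActiveX control was downloaded from (local file versus remote host, after restoring the defanged hxxp:// prefix), the sites added to IE's Trusted Zone, and the DHCP-supplied DNS servers, which are the first thing to compare against the router's settings when DNS stops resolving as described in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlparse

# Constructed sample: a short excerpt of the DDS pseudo-HJT report posted above.
SAMPLE_REPORT = r"""
uInternet Settings,ProxyOverride = hxxp://localhost;*.local
uURLSearchHooks: H - No File
BHO: Java(TM) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {C4B8BAB4-1667-11DF-A242-BA9455D89593} - No File
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File
TB: {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Trusted Zone: clonewarsadventures.com
Trusted Zone: intuit.com\ttlc
DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Jane's%20Realty/Images/stg_drm.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Paradise%20Pet%20Salon/Images/armhelper.ocx
TCP: DhcpNameServer = 64.233.217.3 64.233.217.5
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Za-z][A-Za-z ]*):\s*(?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DNS_RE = re.compile(r"DhcpNameServer\s*=\s*(?P<servers>.+)$")

@dataclass
class Entry:
    kind: str              # BHO, TB, EB, DPF, Trusted Zone, TCP, uURLSearchHooks, ...
    name: Optional[str]    # display name, when the line carries one
    clsid: Optional[str]   # lower-cased {GUID}, when present
    target: Optional[str]  # file path, URL, zone host, DNS list, or the literal "No File"

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one report line; return None for line types this helper does not model."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind").strip(), m.group("body").strip()
    if kind == "Trusted Zone":
        return Entry(kind, None, None, body)
    if kind == "TCP":
        dns = DNS_RE.search(body)
        return Entry(kind, "DhcpNameServer", None, dns.group("servers")) if dns else None
    c = CLSID_RE.search(body)
    if c:
        # "<name>: {CLSID} - <target>": split at the CLSID so dashes inside paths survive
        name = body[: c.start()].rstrip(" :") or None
        return Entry(kind, name, c.group(0).lower(), body[c.end():].lstrip(" -") or None)
    head, sep, target = body.partition(" - ")  # e.g. "uURLSearchHooks: H - No File"
    return Entry(kind, head.strip(), None, target.strip() if sep else None)

def parse_report(report: str) -> List[Entry]:
    """Parse every modelled line of a pseudo-HJT report into Entry objects."""
    return [e for e in (parse_entry(ln) for ln in report.splitlines()) if e]

def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Registrations whose backing file no longer exists: leftovers to clean up."""
    return [e for e in entries if e.target == "No File"]

def refang(url: str) -> str:
    """DDS defangs URLs as hxxp:// so they cannot be clicked; undo that for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def dpf_sources(entries: List[Entry]) -> Dict[str, Tuple[str, str]]:
    """Map each DPF (downloaded ActiveX) CLSID to ('local', path) or ('remote', host)."""
    out: Dict[str, Tuple[str, str]] = {}
    for e in entries:
        if e.kind != "DPF" or not e.clsid or not e.target:
            continue
        u = urlparse(refang(e.target))
        if u.scheme == "file":
            out[e.clsid] = ("local", unquote(u.path).lstrip("/"))
        else:
            out[e.clsid] = ("remote", (u.hostname or "").lower())
    return out

def trusted_zones(entries: List[Entry]) -> List[str]:
    """Sites moved into IE's Trusted Zone, where security settings are relaxed."""
    return [e.target for e in entries if e.kind == "Trusted Zone" and e.target]

def dhcp_name_servers(entries: List[Entry]) -> List[str]:
    """DNS servers handed out by DHCP; compare with what the router should be giving."""
    return [s for e in entries if e.kind == "TCP" and e.target for s in e.target.split()]

if __name__ == "__main__":
    ents = parse_report(SAMPLE_REPORT)
    for e in orphaned_entries(ents):
        print(f"orphaned {e.kind}: {e.clsid or e.name}")
    for clsid, (where, src) in sorted(dpf_sources(ents).items()):
        print(f"DPF {clsid} loaded from {where}: {src}")
    print("trusted zones:", trusted_zones(ents))
    print("DHCP DNS servers:", dhcp_name_servers(ents))
```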


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 16 January 2012 - 12:57 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 joech

joech
  • Topic Starter

  • Members
  • 20 posts

Posted 17 January 2012 - 07:03 AM

Hi Gringo, thank you, and I appreciate any help you can give as I am stumped. Still saying no internet connection after running combofix.

ComboFix 12-01-16.05 - Deanna Schwartz 01/16/2012 20:28:18.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2815.1932 [GMT -5:00]
Running from: H:\ComboFix.exe
AV: WOW! Security 9.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: WOW! Security 9.01 *Disabled* {D4747503-0346-49EB-9262-997542F79BF4}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\jessie\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\jessie\Application Data\PriceGong
c:\documents and settings\jessie\Application Data\PriceGong\Data\1.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\a.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\b.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\c.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\d.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\e.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\f.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\g.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\h.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\i.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\J.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\k.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\l.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\m.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\n.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\o.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\p.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\q.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\r.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\s.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\t.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\u.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\v.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\w.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\x.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\y.xml
c:\documents and settings\jessie\Application Data\PriceGong\Data\z.xml
.
.
((((((((((((((((((((((((( Files Created from 2011-12-17 to 2012-01-17 )))))))))))))))))))))))))))))))
.
.
2012-01-12 01:02 . 2012-01-12 01:02 -------- d-----w- c:\program files\Cisco Systems
2012-01-11 22:53 . 2012-01-11 22:53 -------- d-----w- C:\Macromedia
2012-01-11 22:15 . 2012-01-11 22:15 -------- d-----w- c:\program files\Common Files\Java
2012-01-11 22:15 . 2012-01-11 22:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-11 21:29 . 2012-01-11 21:29 -------- d-----w- c:\program files\Trend Micro
2012-01-11 03:52 . 2012-01-11 03:54 8192 ----a-w- c:\windows\winsock.reg
2012-01-11 03:52 . 2012-01-11 03:54 20480 ----a-w- c:\windows\winsock2.reg
2012-01-11 03:52 . 2012-01-11 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\WinsockFix
2012-01-10 23:04 . 2012-01-10 23:04 138112 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-11 22:14 . 2010-09-18 12:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-10 19:52 . 2011-06-09 20:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-15 03:03 . 2011-12-15 03:03 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-12-15 03:03 . 2011-12-15 03:03 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-12-10 20:24 . 2011-10-19 20:00 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25 . 2002-08-29 10:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 22:03 . 2009-04-03 23:45 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-11-12 20:02 . 2002-08-29 10:00 163644 -c--a-w- c:\windows\system32\drivers\secdrv.sys
2011-11-04 19:20 . 2004-02-06 22:05 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2002-08-29 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2002-08-29 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-04-16 11:40 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-30 16:07 . 2011-10-30 16:07 2818 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2011-10-28 05:31 . 2002-08-29 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 1980-01-01 05:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 1980-01-01 05:00 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2005-12-10 18:32 . 2005-12-10 18:32 0 -c--a-w- c:\program files\MCAsvchost.exe
2001-06-20 21:19 . 2001-06-19 21:34 40960 -c--a-w- c:\program files\ACMonitor_X83.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-11_20.46.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-17 01:45 . 2012-01-17 01:45 16384 c:\windows\Temp\Perflib_Perfdata_5dc.dat
+ 2012-01-17 01:39 . 2012-01-17 01:39 16384 c:\windows\Temp\Perflib_Perfdata_4ec.dat
+ 2012-01-11 22:15 . 2012-01-11 22:14 157472 c:\windows\SYSTEM32\javaws.exe
- 2010-12-26 03:27 . 2010-11-12 23:53 157472 c:\windows\SYSTEM32\javaws.exe
+ 2012-01-11 22:15 . 2012-01-11 22:14 149280 c:\windows\SYSTEM32\javaw.exe
+ 2012-01-11 22:15 . 2012-01-11 22:14 149280 c:\windows\SYSTEM32\java.exe
+ 2012-01-11 22:15 . 2012-01-11 22:15 203776 c:\windows\Installer\4ec264.msi
+ 2012-01-11 22:14 . 2012-01-11 22:14 902656 c:\windows\Installer\4ec254.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\documents and settings\Deanna Schwartz\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2011-10-19 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"lxdumon.exe"="c:\program files\Lexmark 5600-6600 Series\lxdumon.exe" [2008-09-10 676520]
"lxduamon"="c:\program files\Lexmark 5600-6600 Series\lxduamon.exe" [2008-09-10 16040]
"Lexmark 5600-6600 Series Fax Server"="c:\program files\Lexmark 5600-6600 Series\fm3032.exe" [2008-09-10 311976]
"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 312240]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 53248]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"F-Secure Manager"="c:\program files\WOW Security\Common\FSM32.EXE" [2009-08-05 199264]
"F-Secure TNB"="c:\program files\WOW Security\FSGUI\TNBUtil.exe" [2009-08-05 2349664]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-09-08 98304]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-06-23 1386776]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 331776]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-12-15 296056]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-9-15 24576]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-06-17 07:33 66328 ----a-w- c:\program files\Common Files\logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 04:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jenkat Arcade]
2010-10-07 10:31 221184 ----a-w- c:\documents and settings\Deanna Schwartz\Application Data\Jenkat\Jenkat Games Arcade\NotifyApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 20:01 1630208 ----a-w- c:\windows\SYSTEM32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-07-15 17:36 319488 ----a-w- c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2003-05-01 23:44 65536 ----a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=
"c:\\Program Files\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxducoms.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\UBISOFT\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\UBISOFT\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\UBISOFT\\Far Cry 2\\bin\\FC2Editor.exe"=
"g:\\Program Files\\Valve\\Steam\\SteamApps\\cnvjharris\\day of defeat\\hl.exe"=
"g:\\Program Files\\Valve\\Steam\\SteamApps\\common\\amd driver updater, xp, 32 bit\\Setup.exe"=
"g:\\Program Files\\Valve\\Steam\\SteamApps\\common\\fear2\\FEAR2.exe"=
"g:\\Program Files\\Valve\\Steam\\SteamApps\\cnvjharris\\deathmatch classic\\hl.exe"=
"g:\\Program Files\\Valve\\Steam\\SteamApps\\cnvjharris\\team fortress classic\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"c:\\Documents and Settings\\Deanna Schwartz\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
"g:\\Program Files\\Valve\\Steam\\SteamApps\\cnvjharris\\counter-strike\\hl.exe"=
"g:\\Program Files\\Valve\\Steam\\SteamApps\\cnvjharris\\ricochet\\hl.exe"=
"g:\\Program Files\\2K Games\\GRAW.exe"=
"g:\\Program Files\\Valve\\Steam\\SteamApps\\cnvjharris\\half-life\\hl.exe"=
"g:\\Program Files\\Valve\\Steam\\SteamApps\\cnvjharris\\half-life 2 deathmatch\\hl2.exe"=
"g:\\Program Files\\Valve\\Steam\\SteamApps\\common\\brink\\brink.exe"=
"g:\\Program Files\\Valve\\Steam\\SteamApps\\cnvjharris\\opposing force\\hl.exe"=
"c:\\Program Files\\Winmx\\WinMX.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 fsbts;fsbts;c:\windows\SYSTEM32\DRIVERS\fsbts.sys [9/15/2010 2:56 PM 42672]
R0 FSFW;F-Secure Firewall Driver;c:\windows\SYSTEM32\DRIVERS\fsdfw.sys [9/15/2010 2:55 PM 82120]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\WOW Security\HIPS\drivers\fshs.sys [9/15/2010 2:55 PM 68064]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\SYSTEM32\DRIVERS\LBeepKE.sys [10/18/2011 12:18 PM 12184]
R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/14/2011 1:01 AM 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [10/14/2011 1:01 AM 399416]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/27/2007 11:17 AM 24652]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\WOW Security\Anti-Virus\minifilter\fsgk.sys [9/15/2010 2:55 PM 148632]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\WOW Security\ORSP Client\fsorsp.exe [9/15/2010 2:55 PM 61088]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\SYSTEM32\DRIVERS\usbscan.sys [9/19/2003 8:44 AM 15104]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxduserv.exe [7/10/2009 8:35 PM 98984]
S3 PSI;PSI;c:\windows\SYSTEM32\DRIVERS\psi_mf.sys [9/1/2010 3:30 AM 15544]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-01-16 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-755835796-3294634427-2740674114-1008Core.job
- c:\documents and settings\Deanna Schwartz\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-10-19 00:24]
.
2012-01-17 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-755835796-3294634427-2740674114-1008UA.job
- c:\documents and settings\Deanna Schwartz\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-10-19 00:24]
.
2012-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-755835796-3294634427-2740674114-1012Core.job
- c:\documents and settings\vicky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-24 05:53]
.
2012-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-755835796-3294634427-2740674114-1012UA.job
- c:\documents and settings\vicky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-24 05:53]
.
2012-01-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-755835796-3294634427-2740674114-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 21:14]
.
2012-01-14 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-755835796-3294634427-2740674114-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 21:14]
.
2012-01-17 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\WOWSEC~1\ANTI-V~1\fsav.exe [2010-09-15 15:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = hxxp://localhost;*.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 64.233.217.3 64.233.217.5
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - hxxp://www.gamehouse.com/games/DoggieDash.cab
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{C4B8BAB4-1667-11DF-A242-BA9455D89593} - (no file)
HKCU-Run-AOL Fast Start - c:\program files\AOL 9.0\AOL.EXE
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-17 05:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-755835796-3294634427-2740674114-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:6e,26,1c,ea,24,5b,93,b3,ac,e3,cd,17,c5,82,56,fe,bc,c9,26,2f,de,f6,94,
90,69,2e,2e,25,85,bd,53,70,67,f6,69,85,ba,ca,59,13,e8,8d,ad,56,74,e8,d4,4b,\
"??"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
[HKEY_USERS\S-1-5-21-755835796-3294634427-2740674114-1008\Software\SecuROM\License information*]
"datasecu"=hex:b0,6b,a4,f1,58,40,51,97,c3,3f,2a,9c,4d,32,3f,8f,d2,98,3b,98,03,
16,11,4d,26,79,23,b5,3d,9d,c5,b2,e8,4f,ae,cb,5f,59,aa,6c,3c,11,ac,cf,41,96,\
"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(468)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\wow security\hips\fshook32.dll
.
- - - - - - - > 'lsass.exe'(524)
c:\program files\wow security\hips\fshook32.dll
.
- - - - - - - > 'explorer.exe'(3164)
c:\windows\system32\WININET.dll
c:\program files\wow security\hips\fshook32.dll
c:\program files\WOW Security\Spam Control\fsscoepl.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\WOW Security\Anti-Virus\fsgk32st.exe
c:\program files\WOW Security\Common\FSMA32.EXE
c:\program files\WOW Security\Anti-Virus\FSGK32.EXE
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\WOW Security\Common\FSHDLL32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxducoms.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\WOW Security\FWES\Program\fsdfwd.exe
c:\program files\WOW Security\Anti-Virus\fssm32.exe
c:\program files\WOW Security\Anti-Virus\fsav32.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lexmark 5600-6600 Series\lxduMsdMon.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2012-01-17 06:01:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-17 11:01
ComboFix2.txt 2012-01-12 03:16
ComboFix3.txt 2012-01-11 23:37
ComboFix4.txt 2012-01-11 22:35
ComboFix5.txt 2012-01-17 01:24
.
Pre-Run: 6,186,070,016 bytes free
Post-Run: 6,178,938,880 bytes free
.
- - End Of File - - 8EB368C646D55157AA1D263F99343C4A

#4 gringo_pr
  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 17 January 2012 - 07:50 AM

Hello

Let's check your internet connection

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure all the boxes are checked
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 joech
  • Topic Starter
  • Members
  • 20 posts

Posted 17 January 2012 - 08:55 AM

Farbar Service Scanner
Ran by Deanna Schwartz (administrator) on 17-01-2012 at 08:52:03
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(6) NetBT(5) NwlnkIpx(11) NwlnkNb(12) PSched(7) Tcpip(3) Tcpip6(13)
0x0D00000005000000040000000100000002000000030000000A000000090000000800000006000000070000000B0000000C0000000D000000
Attention! IpSec Tag value should be 5

**** End of log ****

#6 gringo_pr
  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 17 January 2012 - 09:07 AM

Hello

here is what I want you to try next

1. Locate the file - C:\Windows\inf\Nettcpip.inf
  • It's important that you first make a copy of the file. Place the copy on your Desktop.
  • Once you have done that, use Notepad to open the original file for editing.

2. Locate the [MS_TCPIP.PrimaryInstall] section.

3. Edit the Characteristics = 0xa0 entry and replace 0xa0 with 0x80.

4. Save the file, and then exit Notepad.

5. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.

6. On the General tab, click Install, select Protocol, and then click Add.

7. In the Select Network Protocols window, click Have Disk.

8. In the Copy manufacturer’s files from: text box, type c:\windows\inf, and then click OK.

9. Select Internet Protocol (TCP/IP), and then click OK.

Note: This step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.

10. Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.

11. It is important that you restart the computer to complete the uninstall.

------------

Step #2 - Reinstall of TCP/IP

(screenshot of the original nettcpip.inf, not reproduced here)

Take the nettcpip.inf which you have earlier copied to Desktop. Move it back to the directory C:\Windows\INF\ overwriting the existing copy. The file shall now look exactly like the sample above.

Redo sub-steps 4-11 to re-install TCP/IP

#7 joech
  • Topic Starter
  • Members
  • 20 posts

Posted 17 January 2012 - 10:32 AM

Still no connection

#8 gringo_pr
  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 17 January 2012 - 10:57 AM

Copy all of the quoted text to a notepad file -
Then in the notepad file select file type All Files
Save the file as IPSEC.reg to your desktop




Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000005
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
00,73,00,79,00,73,00,00,00
"DisplayName"="IPSEC driver"
"Group"="PNP_TDI"
"Description"="IPSEC driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Enum]
"0"="Root\\LEGACY_IPSEC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


On the desktop will be the Rubik's cube type icon.
Double click that; it will ask if you want to merge into the registry. Click OK and reboot.
Then retry the net

#9 joech
  • Topic Starter
  • Members
  • 20 posts

Posted 17 January 2012 - 11:33 AM

NOPE. Nothing yet...

#10 gringo_pr
  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 17 January 2012 - 11:36 AM

rerun Farbar Service Scanner and let me have the report


gringo

#11 joech
  • Topic Starter
  • Members
  • 20 posts

Posted 17 January 2012 - 11:37 AM

OK. Couple minutes.

#12 joech
  • Topic Starter
  • Members
  • 20 posts

Posted 17 January 2012 - 11:40 AM

Farbar Service Scanner
Ran by Deanna Schwartz (administrator) on 17-01-2012 at 11:38:36
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(5) NetBT(16) NwlnkIpx(11) NwlnkNb(12) PSched(7) Tcpip(14) Tcpip6(13)
0x100000000F0000000600000005000000040000000100000002000000030000000A0000000900000008000000070000000B0000000C0000000D0000000E00000010000000


**** End of log ****
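The two FSS reports in this thread (posts #5 and #12) and the IPSEC.reg from post #8 all turn on the IPSec driver's Tag inside the PNP_TDI load group. As an added example that is not part of the thread or of Farbar's tool, the Python below parses the "Extra List" lines, decodes the hex as the group's GroupOrderList (an assumption about the layout: a little-endian DWORD count followed by the Tags in load order), and audits the result the way the "IpSec Tag value should be 5" warning does; the function names are mine.

```python
import re
import struct
from typing import Dict, List, Tuple

# Constructed sample input: the "Extra List" lines copied from the two FSS
# reports in this thread (before and after the IPSEC.reg merge). The first
# line lists driver(Tag) pairs for the PNP_TDI group; the second is assumed
# to be the group's GroupOrderList: a DWORD count, then the Tag values in
# the order the group loads, all little-endian.
FSS_BEFORE = (
    "Gpc(6) IPSec(6) NetBT(5) NwlnkIpx(11) NwlnkNb(12) PSched(7) Tcpip(3) Tcpip6(13)",
    "0x0D00000005000000040000000100000002000000030000000A000000090000000800000006000000070000000B0000000C0000000D000000",
)
FSS_AFTER = (
    "Gpc(6) IPSec(5) NetBT(16) NwlnkIpx(11) NwlnkNb(12) PSched(7) Tcpip(14) Tcpip6(13)",
    "0x100000000F0000000600000005000000040000000100000002000000030000000A0000000900000008000000070000000B0000000C0000000D0000000E00000010000000",
)

# The Tag FSS expects for IPSec; the IPSEC.reg in the thread sets "Tag"=dword:00000005.
EXPECTED_IPSEC_TAG = 5


def parse_tags(line: str) -> Dict[str, int]:
    """'Gpc(6) IPSec(6) ...' -> {'Gpc': 6, 'IPSec': 6, ...}."""
    return {name: int(tag) for name, tag in re.findall(r"(\w+)\((\d+)\)", line)}


def parse_group_order(hexline: str) -> List[int]:
    """Decode the GroupOrderList blob into the list of Tags in load order."""
    raw = bytes.fromhex(hexline[2:] if hexline[:2].lower() == "0x" else hexline)
    if len(raw) < 4:
        raise ValueError("blob too short for a count")
    count = struct.unpack_from("<I", raw, 0)[0]
    if len(raw) != 4 + 4 * count:
        raise ValueError(f"blob has {len(raw)} bytes, count {count} needs {4 + 4 * count}")
    return list(struct.unpack_from(f"<{count}I", raw, 4))


def load_order(tags: Dict[str, int], order: List[int]) -> List[Tuple[str, int]]:
    """Drivers in start order: by the position of their Tag in GroupOrderList.
    Tags missing from the list sort after every listed one; ties sort by name."""
    position = {tag: i for i, tag in enumerate(order)}
    return sorted(tags.items(), key=lambda kv: (position.get(kv[1], len(order)), kv[0]))


def audit(tags: Dict[str, int], order: List[int]) -> List[str]:
    """Findings of the kind FSS warns about: Tag collisions (two drivers in
    the same slot, so their relative order is undefined), Tags the group
    list does not know, and an IPSec Tag other than the expected 5."""
    findings: List[str] = []
    by_tag: Dict[int, List[str]] = {}
    for name, tag in tags.items():
        by_tag.setdefault(tag, []).append(name)
    for tag, names in sorted(by_tag.items()):
        if len(names) > 1:
            findings.append(f"duplicate tag {tag}: {', '.join(sorted(names))}")
    for name, tag in sorted(tags.items()):
        if tag not in order:
            findings.append(f"{name} tag {tag} is not in GroupOrderList (loads last)")
    if tags.get("IPSec") != EXPECTED_IPSEC_TAG:
        findings.append(f"IPSec tag is {tags.get('IPSec')}, expected {EXPECTED_IPSEC_TAG}")
    return findings


def report(sample: Tuple[str, str]) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Load order and audit findings for one (tags line, hex line) pair."""
    tags = parse_tags(sample[0])
    order = parse_group_order(sample[1])
    return load_order(tags, order), audit(tags, order)


if __name__ == "__main__":
    for label, sample in (("before", FSS_BEFORE), ("after", FSS_AFTER)):
        order, findings = report(sample)
        print(label, "load order:", " -> ".join(f"{n}({t})" for n, t in order))
        for finding in findings or ["no findings"]:
            print("   ", finding)
```

On the first report it flags the Gpc/IPSec tag collision and the wrong IPSec Tag; on the second, taken after the .reg merge and the TCP/IP reinstall, it is clean.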

#13 gringo_pr
  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 17 January 2012 - 11:47 AM

Download and run WinSockFix. This is a two step process that will Back up the Registry and Reset the Winsock Stack.
  • Double click on WinsockXPFix.exe to open.
  • On the Winsock and TCP Repair Utility screen, click "ReG-Backup"
  • On the ERDNT Welcome screen, click "OK".
  • On the Backup to: screen, click "OK".
  • On the Folder does not exist question screen click "Yes".
  • You will see a status screen as your registry is being backed up.
  • On the Registry backup is complete! screen, click "OK" and you will go back to the main window.
  • On the Winsock and TCP Repair Utility screen, click "Fix".
  • On the Apply the VB_Winsock fix? screen click "Yes".
  • The screen will display a status message "repair completed please reboot."
  • On the Repair Completed screen click "OK" to reboot your computer.
  • If your computer was not using DHCP, you will need to reconfigure TCP/IP.
  • You should have connectivity restored.
If you have internet back, come back and let me know; if not, go to the next step.

Download LSPFix and save to your desktop.
alternate download site
alternate download site
  • Disconnect from the Internet, go to the LSPfix file and extract (unzip) LSP-Fix into its own folder such as C:\lspfix. (Click here for information on how to do this if not sure. Win 9x/2000 users click here.)
  • Open the lspfix folder and double-click on LSPFix.exe to start the program.
  • Check the "I know what I am doing" checkbox.
  • Click "Finish" and LSPfix will restore the chain numbers.
  • restart the computer


Gringo

#14 joech
  • Topic Starter
  • Members
  • 20 posts

Posted 17 January 2012 - 11:47 AM

As I mentioned in original post, rest of network -Wireless and wired- functioning. Can invoke cisco router with ip address. Cisco connect connected router but also said no internet connection?? This computer, 2 wireless, an iPod and the infected one are all on same connection so that is false. Honestly makes no sense to me. Again, thank you for helping with this.

#15 joech
  • Topic Starter
  • Members
  • 20 posts

Posted 17 January 2012 - 11:53 AM

I get a warning "error saving file C:\ERDNT\SECURITY!" "continue to next file?"
