
Laptop won't connect to internet after Malwarebytes cleaning


  • This topic is locked
64 replies to this topic

#16 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,180 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:11:06 AM

Posted 01 March 2012 - 02:22 PM

Greetings taylor354565,

We are going to run a fix to remove and replace some entries which will hopefully allow your computer to boot once again and access the internet.

Thank you for your patience. You have one of the newest variants of ZeroAccess which is more difficult to remove than previous versions.


===================================================


Farbar's Recovery Scan Tool - Run Fix

--------------------

  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt

    2 CdaD10BA; C:\Windows\System32\httpfilter.dll [5632 2006-11-02] (Oak Technology Inc.)
    C:\Windows\System32\httpfilter.dll
    2 NecUsb3; C:\Windows\system32\NCUSBw32.dll [x]
    2 5689; \??\C:\Windows\TEMP\5689.sys [x]
    NETSVC: CdaD10BA
    C:\Windows\system32\NCUSBw32.dll
    C:\Windows\TEMP\5689.sys
    2012-02-05 19:52 - 2012-02-07 19:30 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
    C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6000.16386_none_e807064fdf2a97e3\tdx.sys
    C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6000.16386_none_5d33cf37fb0b3064\smb.sys
    C:\Windows\winsxs\x86_microsoft-windows-offlinefiles-core_31bf3856ad364e35_6.0.6000.16386_none_9c1186eb5efc3942\csc.sys
    Replace: C:\Windows\System32\DriverStore\FileRepository\hiddigi.inf_9d4661e2\serial.sys C:\Windows\System32\drivers\serial.sys
    Replace: C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_f4514c17\i8042prt.sys C:\Windows\system32\DRIVERS\i8042prt.sys
    Replace: C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys C:\Windows\system32\DRIVERS\afd.sys
    Replcase: C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys C:\Windows\System32\drivers\smb.sys
    unlock: C:\Windows\$NtUninstallKB11963$
    unlock: C:\Windows\$NtUninstallKB11963$\663225536
    C:\Windows\$NtUninstallKB11963$\663225536
    C:\Windows\$NtUninstallKB11963$\3090192011\@
    C:\Windows\$NtUninstallKB11963$\3090192011\cfg.ini
    C:\Windows\$NtUninstallKB11963$\3090192011\Desktop.ini
    C:\Windows\$NtUninstallKB11963$\3090192011\L\vhtmwbun
    cmd: del /a/f/q C:\Windows\$NtUninstallKB11963$\663225536
    cmd: rd C:\Windows\$NtUninstallKB11963$\3090192011\U
    cmd: rd C:\Windows\$NtUninstallKB11963$\3090192011\L
    cmd: rd C:\Windows\$NtUninstallKB11963$\3090192011
    cmd: rd C:\Windows\$NtUninstallKB11963$
    
  • NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Now please enter System Recovery Options.
  • Run FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt) please post it to your reply.
  • Try to reboot your computer in Normal Mode
  • If you are able to boot successfully please try to access the internet

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Fixlog.txt
  • How is your machine behaving?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."



#17 taylor354565

taylor354565
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Local time:02:06 PM

Posted 01 March 2012 - 03:01 PM

The machine will boot in normal mode, but it still will not connect to the internet.


Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 29-02-2012 01
Ran by SYSTEM at 2012-03-01 14:43:50 R:1
Running from E:\

==============================================

CdaD10BA service deleted successfully.
C:\Windows\System32\httpfilter.dll moved successfully.
NecUsb3 service deleted successfully.
5689 service deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs CdaD10BA Deleted successfully.
C:\Windows\system32\NCUSBw32.dll not found.
C:\Windows\TEMP\5689.sys not found.
C:\Windows\System32\dds_trash_log.cmd moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6000.16386_none_e807064fdf2a97e3\tdx.sys moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6000.16386_none_5d33cf37fb0b3064\smb.sys moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-offlinefiles-core_31bf3856ad364e35_6.0.6000.16386_none_9c1186eb5efc3942\csc.sys moved successfully.
C:\Windows\System32\drivers\serial.sys moved successfully.
C:\Windows\System32\DriverStore\FileRepository\hiddigi.inf_9d4661e2\serial.sys copied successfully to C:\Windows\System32\drivers\serial.sys
Could not find C:\Windows\system32\DRIVERS\i8042prt.sys.
C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_f4514c17\i8042prt.sys copied successfully to C:\Windows\system32\DRIVERS\i8042prt.sys
Could not find C:\Windows\system32\DRIVERS\afd.sys.
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys copied successfully to C:\Windows\system32\DRIVERS\afd.sys
permissions for C:\Windows\$NtUninstallKB11963$ restored successfully
C:\Windows\$NtUninstallKB11963$\663225536 not found.
C:\Windows\$NtUninstallKB11963$\3090192011\@ moved successfully.
C:\Windows\$NtUninstallKB11963$\3090192011\cfg.ini moved successfully.
C:\Windows\$NtUninstallKB11963$\3090192011\Desktop.ini moved successfully.
C:\Windows\$NtUninstallKB11963$\3090192011\L\vhtmwbun moved successfully.

========= del /a/f/q C:\Windows\$NtUninstallKB11963$\663225536 =========

Could Not Find C:\Windows\$NtUninstallKB11963$\663225536

========= End of CMD: =========


========= rd C:\Windows\$NtUninstallKB11963$\3090192011\U =========


========= End of CMD: =========


========= rd C:\Windows\$NtUninstallKB11963$\3090192011\L =========


========= End of CMD: =========


========= rd C:\Windows\$NtUninstallKB11963$\3090192011 =========


========= End of CMD: =========


========= rd C:\Windows\$NtUninstallKB11963$ =========

The directory is not empty.

========= End of CMD: =========


==== End of Fixlog ====

#18 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,180 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:11:06 AM

Posted 01 March 2012 - 05:07 PM

Greetings taylor354565,

Very good. Now let's take a look at the internet issue. Please perform the following for me. This will provide a diagnostic scan of your computer for the listed issues.

===================================================


Farbar Service Scanner

--------------------

Please download Farbar Service Scanner, save it to your desktop, and run it.

  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) (a copy of the log will be in the same directory the tool is run)
  • Please copy and paste the log to your reply

===================================================


Farbar's MiniToolBox

--------------------


  • Please download MiniToolBox, save it to your desktop, and run it.
  • Make sure the following options are checked:

    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
  • Click Go
  • It will create a log (Result.txt) (a copy of the log will be in the same directory the tool is run)
  • Please copy and paste the log to your reply

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • FSS.txt
  • Result.txt

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#19 taylor354565

taylor354565
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Local time:02:06 PM

Posted 01 March 2012 - 05:32 PM

Farbar Service Scanner Version: 01-03-2012
Ran by henrye (administrator) on 01-03-2012 at 17:21:53
Running from "E:\computer"
Microsoft® Windows Vista™ Business (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll
[2006-11-02 03:56] - [2006-11-02 04:46] - 0204800 ____A (Microsoft Corporation) 17210D8064EC116A3FC6B5E45E577D43

C:\Windows\system32\Drivers\afd.sys => MD5 is legit
Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****


MiniToolBox by Farbar Version: 18-01-2012
Ran by henrye (administrator) on 01-03-2012 at 17:22:39
Microsoft® Windows Vista™ Business (X86)
Boot Mode: Normal
***************************************************************************
========================= IP Configuration: ================================

Intel® PRO/Wireless 3945ABG Network Connection = Wireless Network Connection (Connected)
Broadcom NetXtreme 57xx Gigabit Controller = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set interface luid=loopback_0 forwarding=disabled advertise=disabled mtu=0 metric=0 metric=0 nud=disabled basereachabletime=0 retransmittime=0 routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled
set interface luid=ethernet_2 forwarding=disabled advertise=disabled mtu=0 metric=0 metric=0 nud=disabled basereachabletime=0 retransmittime=0 routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled
set interface luid=ethernet_1 forwarding=disabled advertise=disabled mtu=0 metric=0 metric=0 nud=disabled basereachabletime=0 retransmittime=0 routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled
set interface luid=ethernet_4 forwarding=disabled advertise=disabled mtu=0 metric=0 metric=0 nud=disabled basereachabletime=0 retransmittime=0 routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled
set interface luid=wireless_0 forwarding=disabled advertise=disabled mtu=0 metric=0 metric=0 nud=disabled basereachabletime=0 retransmittime=0 routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled
set interface luid=ppp_2 forwarding=disabled advertise=disabled mtu=0 metric=0 metric=0 nud=disabled basereachabletime=0 retransmittime=0 routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled
set interface luid=ppp_3 forwarding=disabled advertise=disabled mtu=0 metric=0 metric=0 nud=disabled basereachabletime=0 retransmittime=0 routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : henrye
Primary Dns Suffix . . . . . . . : law.nova.edu
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : law.nova.edu
nova.edu

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® PRO/Wireless 3945ABG Network Connection
Physical Address. . . . . . . . . : 00-1B-77-80-2A-C3
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::2da6:2c52:ba8f:47e0%9(Preferred)
Autoconfiguration IPv4 Address. . : 169.254.71.224(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-19-B9-7E-09-C3
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{5E77E51E-1A11-4931-9F4E-A2F2354961B9}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{743A0389-47B1-47DA-A182-AC50F998C9FF}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 192.168.1.1:53

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown
Address: 192.168.1.1:53

Ping request could not find host yahoo.com. Please check the name and try again.

Server: UnKnown
Address: 192.168.1.1:53

Ping request could not find host bleepingcomputer.com. Please check the name and try again.



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
9 ...00 1b 77 80 2a c3 ...... Intel® PRO/Wireless 3945ABG Network Connection
8 ...00 19 b9 7e 09 c3 ...... Broadcom NetXtreme 57xx Gigabit Controller
1 ........................... Software Loopback Interface 1
12 ...00 00 00 00 00 00 00 e0 isatap.{5E77E51E-1A11-4931-9F4E-A2F2354961B9}
11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
13 ...00 00 00 00 00 00 00 e0 isatap.{743A0389-47B1-47DA-A182-AC50F998C9FF}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
169.254.0.0 255.255.0.0 On-link 169.254.71.224 281
169.254.71.224 255.255.255.255 On-link 169.254.71.224 281
169.254.255.255 255.255.255.255 On-link 169.254.71.224 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 169.254.71.224 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 169.254.71.224 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
9 281 fe80::/64 On-link
9 281 fe80::2da6:2c52:ba8f:47e0/128
On-link
1 306 ff00::/8 On-link
9 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 mswsock.dll [File Not found] ()
Catalog5 03 C:\Windows\System32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 05 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 06 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()
Catalog9 16 mswsock.dll [File Not found] ()
Catalog9 17 mswsock.dll [File Not found] ()
Catalog9 18 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (03/01/2012 02:48:07 PM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
Description: MCSCAN32 Engine Initialisation failed.
Engine returned error : 3

Error: (02/29/2012 02:25:10 AM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
Description: MCSCAN32 Engine Initialisation failed.
Engine returned error : 3

Error: (02/29/2012 02:22:35 AM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 6.0.6000.16386, time stamp 0x4549adc4, faulting module ntdll.dll, version 6.0.6000.16386, time stamp 0x4549bdc9, exception code 0xc00000fd, fault offset 0x000447f2,
process id 0x418, application start time 0xsvchost.exe0.

Error: (02/29/2012 02:03:14 AM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
Description: MCSCAN32 Engine Initialisation failed.
Engine returned error : 3

Error: (02/29/2012 02:00:49 AM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 6.0.6000.16386, time stamp 0x4549adc4, faulting module ntdll.dll, version 6.0.6000.16386, time stamp 0x4549bdc9, exception code 0xc00000fd, fault offset 0x000447f2,
process id 0x3c8, application start time 0xsvchost.exe0.

Error: (02/29/2012 01:40:12 AM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
Description: MCSCAN32 Engine Initialisation failed.
Engine returned error : 3

Error: (02/29/2012 01:37:28 AM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 6.0.6000.16386, time stamp 0x4549adc4, faulting module ntdll.dll, version 6.0.6000.16386, time stamp 0x4549bdc9, exception code 0xc00000fd, fault offset 0x000447f2,
process id 0x414, application start time 0xsvchost.exe0.

Error: (02/29/2012 00:38:50 AM) (Source: McLogEvent) (User: SYSTEM)SYSTEM
Description: MCSCAN32 Engine Initialisation failed.
Engine returned error : 3

Error: (02/29/2012 00:36:11 AM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 6.0.6000.16386, time stamp 0x4549adc4, faulting module ntdll.dll, version 6.0.6000.16386, time stamp 0x4549bdc9, exception code 0xc00000fd, fault offset 0x000447f2,
process id 0x414, application start time 0xsvchost.exe0.

Error: (02/29/2012 00:32:52 AM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 6.0.6000.16386, time stamp 0x4549adc4, faulting module ntdll.dll, version 6.0.6000.16386, time stamp 0x4549bdc9, exception code 0xc00000fd, fault offset 0x000447f2,
process id 0x410, application start time 0xsvchost.exe0.


System errors:
=============
Error: (03/01/2012 04:51:26 PM) (Source: Service Control Manager) (User: )
Description: WinHTTP Web Proxy Auto-Discovery ServiceDHCP Client%%1068

Error: (03/01/2012 04:51:26 PM) (Source: Service Control Manager) (User: )
Description: DHCP ClientNetIO Legacy TDI Support Driver%%2

Error: (03/01/2012 04:51:26 PM) (Source: Service Control Manager) (User: )
Description: NetIO Legacy TDI Support Driver%%2

Error: (03/01/2012 04:51:24 PM) (Source: Service Control Manager) (User: )
Description: WinHTTP Web Proxy Auto-Discovery ServiceDHCP Client%%1068

Error: (03/01/2012 04:51:24 PM) (Source: Service Control Manager) (User: )
Description: DHCP ClientNetIO Legacy TDI Support Driver%%2

Error: (03/01/2012 04:51:24 PM) (Source: Service Control Manager) (User: )
Description: NetIO Legacy TDI Support Driver%%2

Error: (03/01/2012 04:51:22 PM) (Source: Service Control Manager) (User: )
Description: WinHTTP Web Proxy Auto-Discovery ServiceDHCP Client%%1068

Error: (03/01/2012 04:51:22 PM) (Source: Service Control Manager) (User: )
Description: DHCP ClientNetIO Legacy TDI Support Driver%%2

Error: (03/01/2012 04:51:22 PM) (Source: Service Control Manager) (User: )
Description: NetIO Legacy TDI Support Driver%%2

Error: (03/01/2012 04:46:10 PM) (Source: Service Control Manager) (User: )
Description: WinHTTP Web Proxy Auto-Discovery ServiceDHCP Client%%1068


Microsoft Office Sessions:
=========================
Error: (07/16/2010 10:35:21 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 213 seconds with 120 seconds of active time. This session ended with a crash.

Error: (10/27/2009 00:01:31 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2142 seconds with 1320 seconds of active time. This session ended with a crash.

Error: (10/22/2009 02:47:08 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 15262 seconds with 3660 seconds of active time. This session ended with a crash.

Error: (09/10/2009 11:55:48 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 5935 seconds with 240 seconds of active time. This session ended with a crash.

Error: (08/12/2009 11:48:50 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 141 seconds with 120 seconds of active time. This session ended with a crash.

Error: (06/23/2009 10:22:05 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 4378 seconds with 720 seconds of active time. This session ended with a crash.

Error: (11/20/2008 00:12:42 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 6477 seconds with 240 seconds of active time. This session ended with a crash.

Error: (10/31/2008 08:35:53 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6308.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 6081 seconds with 180 seconds of active time. This session ended with a crash.

Error: (10/28/2008 10:37:54 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 3884 seconds with 420 seconds of active time. This session ended with a crash.

Error: (10/23/2008 10:59:59 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 5093 seconds with 540 seconds of active time. This session ended with a crash.


**** End of log ****
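The two logs above are read the same way by any responder: services that are "not running" are only a symptom, but a service whose registry key "does not exist" (MpsSvc, bfe) has been deleted rather than stopped, a driver that is "missing" (tdx.sys) breaks everything that depends on it (here the DHCP Client, hence the 169.254.x.x self-assigned address and the empty default gateway), and Winsock catalog entries pointing at a "File Not found" mswsock.dll explain why name resolution fails even though the LAN is up. As an added example, not part of this thread and not code from Farbar's tools, the following Python script applies those same checks to log lines so the findings can be ranked instead of eyeballed. The sample lines are constructed in the shape of the FSS and MiniToolBox output above; the category names and severity levels are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines, modelled on the shape of the FSS and MiniToolBox
# output in this thread (not copied from any real machine).
SAMPLE_FSS = """\
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.

Firewall Disabled Policy:
"EnableFirewall"=DWORD:0

File Check:
C:\\Windows\\system32\\Drivers\\afd.sys => MD5 is legit
Attention! C:\\Windows\\system32\\Drivers\\tdx.sys is missing.
"""

SAMPLE_MTB = """\
Autoconfiguration IPv4 Address. . : 169.254.71.224(Preferred)
Default Gateway . . . . . . . . . :
Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 03 C:\\Windows\\System32\\winrnr.dll [19968] (Microsoft Corporation)
Catalog9 01 mswsock.dll [File Not found] ()
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": breaks connectivity / needs repair; "info": worth noting
    category: str   # hypothetical category names chosen for this example
    detail: str


SERVICE_NOT_RUNNING = re.compile(r"^(\w+) Service is not running\.")
KEY_MISSING = re.compile(r"Unable to open (\w+) registry key")
FILE_MISSING = re.compile(r"^Attention! (.+?) is missing\.$")
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=DWORD:0$')
APIPA = re.compile(r"IPv4 Address.*?:\s*(169\.254\.\d+\.\d+)")
NO_GATEWAY = re.compile(r"^Default Gateway.*:\s*$")
WINSOCK_BROKEN = re.compile(r"^(Catalog\d+ \d+) (\S+) \[File Not found\]")


def triage_fss(text):
    """Flag stopped services, deleted service keys, missing files and firewall-off policy."""
    findings, stopped, missing_keys = [], [], set()
    for line in text.splitlines():
        m = SERVICE_NOT_RUNNING.match(line)
        if m:
            stopped.append(m.group(1))
            continue
        m = KEY_MISSING.search(line)
        if m:
            missing_keys.add(m.group(1))
            continue
        m = FILE_MISSING.match(line)
        if m:
            findings.append(Finding("high", "missing-file", m.group(1)))
            continue
        if FIREWALL_OFF.match(line):
            findings.append(Finding("info", "firewall-policy-off", line))
    for svc in stopped:
        # A stopped service whose registry key is gone cannot simply be started:
        # the key has to be recreated before the service exists again.
        if svc in missing_keys:
            findings.append(Finding("high", "service-key-deleted", svc))
        else:
            findings.append(Finding("info", "service-stopped", svc))
    return findings


def triage_mtb(text):
    """Flag APIPA self-assigned addresses, an empty default gateway and broken Winsock entries."""
    findings = []
    for line in text.splitlines():
        m = APIPA.search(line)
        if m:
            # 169.254.x.x means no DHCP lease was obtained: the client service
            # or a driver it depends on (tdx.sys in this thread) is not working.
            findings.append(Finding("high", "apipa-address", m.group(1)))
            continue
        if NO_GATEWAY.match(line):
            findings.append(Finding("high", "no-default-gateway", line.strip()))
            continue
        m = WINSOCK_BROKEN.match(line)
        if m:
            findings.append(Finding("high", "winsock-missing-file", f"{m.group(1)} {m.group(2)}"))
    return findings


def triage(fss_text, mtb_text):
    """Combine both logs and rank high-severity findings first."""
    findings = triage_fss(fss_text) + triage_mtb(mtb_text)
    return sorted(findings, key=lambda f: (f.severity != "high", f.category))


def summarize(findings):
    """Count findings per category."""
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_FSS, SAMPLE_MTB):
        print(f"[{f.severity:4}] {f.category:22} {f.detail}")
```

Run on the sample lines it ranks the missing tdx.sys, the deleted MpsSvc key, the APIPA address, the empty gateway and both broken Winsock entries as high, and reports the stopped Dnscache service and the firewall-off policy as informational; the stopped service is deliberately graded lower than the deleted key because a stopped service with intact configuration will usually start once its dependencies are repaired.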

#20 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,180 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:11:06 AM

Posted 01 March 2012 - 06:09 PM

Greetings taylor354565,

Let's do one last fix and you should hopefully be online. Please test it after you run this.


===================================================


Farbar's Recovery Scan Tool - Run Fix

--------------------

  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt

    Replace: C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys C:\Windows\System32\DRIVERS\tdx.sys
    
  • NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Now please enter System Recovery Options.
  • Run FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt) please post it to your reply.
  • Try to reboot your computer in Normal Mode
  • If you are able to boot successfully please try to access the internet

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Fixlog.txt
  • How is your machine behaving?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#21 taylor354565

taylor354565
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Local time:02:06 PM

Posted 01 March 2012 - 06:30 PM

My laptop is now online and seems to be working normally.

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 29-02-2012 01
Ran by SYSTEM at 2012-03-01 18:19:21 R:2
Running from E:\

==============================================

Could not find C:\Windows\System32\DRIVERS\tdx.sys.
C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys copied successfully to C:\Windows\System32\DRIVERS\tdx.sys

==== End of Fixlog ====
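An added verification step, not part of the thread and not something FRST or the helper provides: after a Fixlog reports that a driver was copied over, a defender would want to confirm that the live file is byte-identical to the servicing-cache copy it was restored from and look at its signature. The two paths are the ones quoted in the Fixlog above; the script assumes Windows PowerShell 2.0 or later (the Vista era), so it hashes with .NET instead of Get-FileHash.

```powershell
# Added example: confirm the restored tdx.sys matches its servicing-cache source.
# Paths taken from the Fixlog above; adjust them for another machine.
$cacheCopy = 'C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys'
$liveCopy  = 'C:\Windows\System32\DRIVERS\tdx.sys'

function Get-Sha256Hex([string]$path) {
    # Works on Windows PowerShell 2.0; Get-FileHash only arrived in PS 4.0.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

foreach ($p in @($cacheCopy, $liveCopy)) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "Missing: $p"
        continue
    }
    # Caveat: most in-box Vista drivers are catalog-signed, not embedded-signed,
    # so Get-AuthenticodeSignature can report NotSigned on a genuine file here.
    # The hash comparison below is therefore the stronger of the two checks.
    $sig = Get-AuthenticodeSignature -FilePath $p
    Write-Output ("{0}`n  SHA256 : {1}`n  Signer : {2}`n  Status : {3}" -f `
        $p, (Get-Sha256Hex $p), $sig.SignerCertificate.Subject, $sig.Status)
}

if ((Test-Path -LiteralPath $cacheCopy) -and (Test-Path -LiteralPath $liveCopy)) {
    if ((Get-Sha256Hex $cacheCopy) -eq (Get-Sha256Hex $liveCopy)) {
        Write-Output 'OK: live tdx.sys is identical to the servicing-cache copy.'
    } else {
        Write-Warning 'MISMATCH: live tdx.sys differs from the cache copy; treat it as suspect.'
    }
}
```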

#22 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:11:06 AM

Posted 02 March 2012 - 11:14 AM

Greetings taylor354565,


We have turned the corner and are approaching the home stretch but there are still some things we need to address. We need to take a look at the contents of a folder and reset an internet related entry. Please perform the following for me.


===================================================


Farbar's Recovery Scan Tool - Run Fix

--------------------

  • Press windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt

    Folder: C:\Windows\$NtUninstallKB11963$
    
  • NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Now please enter System Recovery Options.
  • Run FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt) please attach it to your reply.
  • If the file is too large to attach please complete the below instructions.
----------

Click on this link: Upload to Channel 66

  • Click Browse... and navigate to Fixlog.txt.
  • Highlight the file and click Open.
  • Click Send File.

===================================================


Reset mswsock.dll

--------------------

  • Press windows key + r on your keyboard at the same time
  • Type Command Prompt
  • In the list of results, right-click Command Prompt, and then click Run as administrator
  • If you are prompted for an administrator password or confirmation, type the password or provide confirmation
  • Copy/paste the following line in the run box and click OK

    netsh winsock reset

  • Reboot your computer

===================================================


Rerun Malwarebytes

--------------------

Temporarily disable your antivirus program.

  • Please locate your Malwarebytes icon and launch the program
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


===================================================


Things I would like to see in your next reply.

  • MBAM log (copy and paste)
  • Fixlog.txt (Attach or upload)

Edited by Oh My, 02 March 2012 - 11:45 AM.

Gary

#23 taylor354565

taylor354565
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:02:06 PM

Posted 02 March 2012 - 02:45 PM

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.02.04

Windows Vista x86 NTFS
Internet Explorer 7.0.6000.16982
henrye :: HENRYE [administrator]

3/2/2012 2:18:55 PM
mbam-log-2012-03-02 (14-18-55).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207405
Time elapsed: 17 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#24 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:11:06 AM

Posted 02 March 2012 - 04:20 PM

Greetings taylor354565,

That looks better. Let's try to run ComboFix again and see if it runs to completion. Attach the information in your next post.
Gary

#25 taylor354565

taylor354565
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:02:06 PM

Posted 02 March 2012 - 07:48 PM

I don't think Combofix ran all the way through. It told me:
"You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection.

If for any reason that you're unable to connect to the internet after running ComboFix, reboot once and see if that fixes it.

If it's not fixed, run ComboFix one more time."

It then told me that Combofix needed to restart the computer. I pushed ok, but rather than restarting it seemed to continue scanning. The same Rootkit.ZeroAccess! warning popped up again and then it told me combofix had to restart the computer. This time the computer restarted when I pushed ok, but I cannot find a ComboFix log.

#26 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:11:06 AM

Posted 02 March 2012 - 10:32 PM

Greetings taylor354565,

Well let's go hunt for it and see if it is there. Please complete the following.


===================================================


Obtaining Current ComboFix.txt

--------------------

  • Press windows key + r on your keyboard at the same time
  • Copy and paste the following text into the Run box and press Enter

    cmd /c dir /a/s/b C:\QooBox >log.txt & log.txt

  • Should a text file open up, copy and paste the contents in your reply.

Gary

#27 taylor354565

taylor354565
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:02:06 PM

Posted 03 March 2012 - 12:11 PM

Nothing seems to happen when I run "cmd /c dir /a/s/b C:\QooBox >log.txt & log.txt"

#28 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:11:06 AM

Posted 03 March 2012 - 03:59 PM

Greetings taylor354565,

Ok, no problem.

See if you can locate C:\ComboFix.txt. It may or may not be there since ComboFix had difficulty running. If it is there please copy and paste that information in your next reply.
Gary

#29 taylor354565

taylor354565
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:02:06 PM

Posted 03 March 2012 - 04:09 PM

It doesn't show up when I search for it

#30 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:11:06 AM

Posted 03 March 2012 - 04:41 PM

Greetings taylor354565,

No problem. I appreciate you checking though.

I will have some additional steps for you to take shortly.
Gary
