No Network after removing Trojan Dropper (Sirefef.B)


75 replies to this topic

#31 Joel R. (Topic Starter)

Posted 17 March 2012 - 08:55 AM

Farbar Service Scanner Version: 22-02-2012
Ran by Owner (administrator) on 17-03-2012 at 08:53:00
Running from "C:\Temp\virus 2012"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2012-03-05 19:46] - [2004-08-04 00:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
DNE(9) Gpc(6) IPSec(8) NetBT(15) PSched(7) Tcpip(3)
0x0E0000000800000004000000010000000200000003000000050000000600000007000000090000000A0000000B0000000C0000000D0000000E000000


**** End of log ****


#32 Elise (Malware Study Hall Admin)

Posted 17 March 2012 - 09:10 AM

Please download and run this file: http://download.bleepingcomputer.com/win-services/xp/IPSec.reg
Restart your computer afterwards and let me know if the internet works now.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#33 Joel R. (Topic Starter)

Posted 17 March 2012 - 12:30 PM

Ran it. Still does not work.

Observed that Windows Firewall is OFF and will not turn on (informed me that ICS will not start).

#34 Joel R. (Topic Starter)

Posted 17 March 2012 - 12:33 PM

Re-ran FSS with different results from before:

Farbar Service Scanner Version: 22-02-2012
Ran by Owner (administrator) on 17-03-2012 at 12:31:16
Running from "C:\Temp\virus 2012"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2012-03-05 19:46] - [2004-08-04 00:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
DNE(9) Gpc(6) IPSec(5) NetBT(15) PSched(7) Tcpip(3)
0x0E0000000800000004000000010000000200000003000000050000000600000007000000090000000A0000000B0000000C0000000D0000000E000000


**** End of log ****

#35 Elise (Malware Study Hall Admin)

Posted 17 March 2012 - 01:31 PM

Hi again,
Please download and run the following tool. Post me the resulting log.

http://download.bleepingcomputer.com/sUBs/Beta/CheckConns.exe

regards, Elise




#36 Joel R. (Topic Starter)

Posted 17 March 2012 - 11:32 PM

==== ServiceGroupOrder =========

PNP_TDI
TDI
NetBIOSGroup

==========================
PNP_TDI = [0e], 08, 04, 01, 02, 03, 05, 06, 07, 09, 0a, 0b, 0c, 0d, 0e

SERVICE_NAME: DNE
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\dne2000.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 9
DISPLAY_NAME : Deterministic Network Enhancer Miniport

SERVICE_NAME: Gpc
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\msgpc.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 6
DISPLAY_NAME : Generic Packet Classifier

SERVICE_NAME: IPSec
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\ipsec.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 5
DISPLAY_NAME : IPSEC driver

SERVICE_NAME: NDProxy
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME :
LOAD_ORDER_GROUP : PNP_TDI
TAG : 0
DISPLAY_NAME : NDIS Proxy

SERVICE_NAME: NetBT
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\drivers\netbt.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 15
DISPLAY_NAME : NetBios over Tcpip
DEPENDENCIES : tcpip

SERVICE_NAME: PSched
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\psched.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 7
DISPLAY_NAME : QoS Packet Scheduler
DEPENDENCIES : Gpc

SERVICE_NAME: Tcpip
STATE : 1 STOPPED
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 31 (0x1F)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\tcpip.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 3
DISPLAY_NAME : TCP/IP Protocol Driver
DEPENDENCIES : IPSec

SERVICE_NAME: WS2IFSL
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : \SystemRoot\System32\drivers\ws2ifsl.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 0
DISPLAY_NAME : Windows Socket 2.0 Non-IFS Service Provider Support Environment

==========================

SERVICE_NAME: AFD
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : \SystemRoot\System32\drivers\afd.sys
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : AFD

SERVICE_NAME: Dhcp
STATE : 1 STOPPED
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1068 (0x42C)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip, Afd, NetBT

SERVICE_NAME: Dnscache
STATE : 1 STOPPED
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1068 (0x42C)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tcpip

SERVICE_NAME: Dot3svc
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
PID : 1468
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k dot3svc
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Wired AutoConfig
DEPENDENCIES : Ndisuio, eaphost

SERVICE_NAME: LmHosts
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
PID : 1452
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper
DEPENDENCIES : NetBT, Afd

SERVICE_NAME: WZCSVC
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
PID : 1244
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Wireless Zero Configuration
DEPENDENCIES : RpcSs, Ndisuio

==========================
NetBIOSGroup = [01], 01

SERVICE_NAME: NetBIOS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\netbios.sys
LOAD_ORDER_GROUP : NetBIOSGroup
TAG : 1
DISPLAY_NAME : NetBIOS Interface

#37 Elise (Malware Study Hall Admin)

Posted 18 March 2012 - 04:16 AM

Please click Start > Run, type cmd and press enter.

Type netsh int ip reset > resetlog.txt

start resetlog.txt


Post me the resetlog.txt file.

regards, Elise




#38 Joel R. (Topic Starter)

Posted 18 March 2012 - 07:58 PM

reset SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
old REG_MULTI_SZ =
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\BcastNameQueryCount
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\BcastQueryTimeout
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\CacheTimeout
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NameServerPort
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NameSrvQueryCount
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NameSrvQueryTimeout
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NbProvider
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\SessionKeepAlive
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Size/Small/Medium/Large
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C7C489CE-9887-4A53-B6CE-0E1BAF276603}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C7C489CE-9887-4A53-B6CE-0E1BAF276603}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C7C489CE-9887-4A53-B6CE-0E1BAF276603}\IpAutoconfigurationSeed
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
reset Linkage\Bind for ms_netbt. bad value was:
REG_MULTI_SZ =
\Device\{B784EBAA-1127-4FA7-8FCD-AFAFE4D90B6C}
\Device\{C7C489CE-9887-4A53-B6CE-0E1BAF276603}
\Device\{27D16400-B49E-4BDA-AD0E-B184303A97DC}
\Device\{2FBA3234-CB1B-415C-BBC5-9577752A2488}
\Device\{FDB18F06-4FFF-458B-B81B-E166AF8EB6DF}
\Device\NdisWanIp

reset Linkage\Route for ms_netbt. bad value was:
REG_MULTI_SZ =
"{B784EBAA-1127-4FA7-8FCD-AFAFE4D90B6C}"
"{C7C489CE-9887-4A53-B6CE-0E1BAF276603}"
"{27D16400-B49E-4BDA-AD0E-B184303A97DC}"
"{2FBA3234-CB1B-415C-BBC5-9577752A2488}"
"{FDB18F06-4FFF-458B-B81B-E166AF8EB6DF}"
"NdisWanIp"

reset Linkage\Export for ms_netbt. bad value was:
REG_MULTI_SZ =
\Device\Tcpip_{B784EBAA-1127-4FA7-8FCD-AFAFE4D90B6C}
\Device\Tcpip_{C7C489CE-9887-4A53-B6CE-0E1BAF276603}
\Device\Tcpip_{27D16400-B49E-4BDA-AD0E-B184303A97DC}
\Device\Tcpip_{2FBA3234-CB1B-415C-BBC5-9577752A2488}
\Device\Tcpip_{FDB18F06-4FFF-458B-B81B-E166AF8EB6DF}
\Device\Tcpip_{03947A36-5B8A-43B3-8A41-72B75A842FB1}
\Device\Tcpip_{464EEA8C-7E5D-4AA8-8A6F-77DFC08C1E50}

reset Linkage\UpperBind for PCI\VEN_10EC&DEV_8168&SUBSYS_E0001458&REV_02\4&2F0F5866&0&0030. bad value was:
REG_MULTI_SZ =
DNE

reset Linkage\UpperBind for ROOT\NET\0000. bad value was:
REG_MULTI_SZ =
DNE

reset Linkage\UpperBind for PCI\VEN_10EC&DEV_8139&SUBSYS_184C1462&REV_10\4&2E26DDEC&0&18A4. bad value was:
REG_MULTI_SZ =
DNE

reset Linkage\UpperBind for ROOT\MS_NDISWANIP\0000. bad value was:
REG_MULTI_SZ =
DNE

<completed>

#39 Elise (Malware Study Hall Admin)

Posted 19 March 2012 - 02:06 AM

Does your internet work now (be sure to restart your computer first)?

regards, Elise




#40 Joel R. (Topic Starter)

Posted 19 March 2012 - 06:44 AM

No. Still not working.

#41 Elise (Malware Study Hall Admin)

Posted 19 March 2012 - 08:44 AM

Please rerun FSS and post me the new log.

regards, Elise




#42 Joel R. (Topic Starter)

Posted 19 March 2012 - 05:52 PM

Farbar Service Scanner Version: 22-02-2012
Ran by Owner (administrator) on 19-03-2012 at 17:51:19
Running from "C:\Temp\virus 2012"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2012-03-05 19:46] - [2004-08-04 00:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
DNE(9) Gpc(6) IPSec(5) NetBT(15) PSched(7) Tcpip(3)
0x0E0000000800000004000000010000000200000003000000050000000600000007000000090000000A0000000B0000000C0000000D0000000E000000


**** End of log ****

#43 Elise (Malware Study Hall Admin)

Posted 20 March 2012 - 03:16 AM

Hello again,

BACKUP THE REGISTRY
---------------------------
Backup Your Registry with ERUNT
  • Please download Erunt
  • Run the setup program to install ERUNT on your computer
  • Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


We Need to Run a Registry Script

  • Go to Start -> Run...
  • Enter notepad in the Run dialog box.
  • Press Enter.
  • Highlight the contents of the following codebox, and copy and paste that text into notepad.
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList]
    "PNP_TDI"=hex:0e,00,00,00,08,00,00,00,04,00,00,00,01,00,00,00,02,00,00,00,05,\
      00,00,00,03,00,00,00,06,00,00,00,07,00,00,00,09,00,00,00,0a,00,00,00,0b,00,\
      00,00,0c,00,00,00,0d,00,00,00,0e,00,00,00
    
  • Select File -> Save.
  • Press the Desktop button on the left side of the save dialog.
  • In the File name box, type in Fix.reg.
  • Press Save.
  • Close Notepad.
  • Double click Fix.reg on your desktop.
  • Press Yes, and then Ok, when prompted.
  • Right click on Fix.reg and choose Delete.
  • Press Yes.


Restart your computer afterwards and let me know if the internet works now. If not, post a new FSS log.

regards, Elise




#44 Joel R. (Topic Starter)

Posted 21 March 2012 - 12:04 AM

Still not working.

Farbar Service Scanner Version: 22-02-2012
Ran by Owner (administrator) on 21-03-2012 at 00:01:08
Running from "C:\Temp\virus 2012"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2012-03-05 19:46] - [2004-08-04 00:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
DNE(9) Gpc(6) IPSec(5) NetBT(15) PSched(7) Tcpip(3)
0x0E0000000800000004000000010000000200000005000000030000000600000007000000090000000A0000000B0000000C0000000D0000000E000000


**** End of log ****
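Added illustration (not code from the thread, from FSS or from CheckConns): a small Python script that decodes the PNP_TDI GroupOrderList blob FSS prints under "Extra List", checks the tag order against the DEPENDENCIES lines visible in the CheckConns output (Tcpip needs IPSec, NetBT needs Tcpip, PSched needs Gpc), and encodes an order back into the hex: form a .reg file uses. The sample blobs are the ones from posts #34 and #44; the rule that a tag absent from GroupOrderList loads after all listed tags is assumed standard Windows behaviour.

```python
"""Decode and sanity-check the PNP_TDI GroupOrderList value that Farbar
Service Scanner prints under "Extra List".  Added example, not part of
FSS or CheckConns.  Sample blobs are copied from the logs in this thread;
the dependency map comes from the CheckConns DEPENDENCIES lines."""
import re
import struct

# Constructed from the thread: the tag line FSS prints, and the GroupOrderList
# blob before (post #34) and after (post #44) the Fix.reg was applied.
TAGS_LINE = "DNE(9) Gpc(6) IPSec(5) NetBT(15) PSched(7) Tcpip(3)"
BEFORE_FIX = "0x0E0000000800000004000000010000000200000003000000050000000600000007000000090000000A0000000B0000000C0000000D0000000E000000"
AFTER_FIX = "0x0E0000000800000004000000010000000200000005000000030000000600000007000000090000000A0000000B0000000C0000000D0000000E000000"

# Service -> drivers it must load after (DEPENDENCIES lines in CheckConns output).
DEPENDENCIES = {"Tcpip": ["IPSec"], "NetBT": ["Tcpip"], "PSched": ["Gpc"]}


def parse_tags(line):
    """'DNE(9) Gpc(6) ...' -> {'DNE': 9, 'Gpc': 6, ...}."""
    return {m.group(1): int(m.group(2)) for m in re.finditer(r"(\w+)\((\d+)\)", line)}


def parse_group_order(blob):
    """GroupOrderList is REG_BINARY: a little-endian DWORD count followed by
    that many little-endian DWORD tags, in load order."""
    raw = bytes.fromhex(blob[2:] if blob[:2].lower() == "0x" else blob)
    (count,) = struct.unpack_from("<I", raw, 0)
    if len(raw) != 4 * (count + 1):
        raise ValueError("blob has %d bytes, count says %d tags" % (len(raw), count))
    return list(struct.unpack_from("<%dI" % count, raw, 4))


def to_reg_hex(order):
    """Encode a tag order back into the hex:.. form used by a .reg file."""
    raw = struct.pack("<I%dI" % len(order), len(order), *order)
    return "hex:" + ",".join("%02x" % b for b in raw)


def load_position(tag, order):
    """Position within the group.  Tags absent from GroupOrderList load after
    all listed ones (assumed standard Windows behaviour)."""
    return order.index(tag) if tag in order else len(order)


def check_order(tags, order, deps=DEPENDENCIES):
    """Return human-readable problems: a driver whose tag is placed before
    the tag of a driver it depends on."""
    problems = []
    for name, needs in deps.items():
        for dep in needs:
            if name not in tags or dep not in tags:
                continue
            if load_position(tags[name], order) < load_position(tags[dep], order):
                problems.append("%s (tag %d) is ordered before %s (tag %d)"
                                % (name, tags[name], dep, tags[dep]))
    return problems


def report(tags_line, blob):
    """Decode one FSS "Extra List" pair and run the dependency check."""
    tags = parse_tags(tags_line)
    order = parse_group_order(blob)
    return {"order": order, "problems": check_order(tags, order)}


if __name__ == "__main__":
    for label, blob in (("before Fix.reg", BEFORE_FIX), ("after Fix.reg", AFTER_FIX)):
        r = report(TAGS_LINE, blob)
        print(label, r["order"], r["problems"] or "ordering OK")
```

With the tag line from post #31 (IPSec still at tag 8, which sits first in the list) the same blob passes the check, which is consistent with the network breaking only after IPSec.reg moved the driver to tag 5.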

#45 Elise (Malware Study Hall Admin)

Posted 21 March 2012 - 02:01 AM

How long ago was XP installed on this computer (approximately)?

Please upload the following file to http://www.bleepingcomputer.com/submit-malware.php?channel=105

c:\windows\repair\system.bak

Let me know once it is uploaded.

regards, Elise






