
RootKit Malware


  • This topic is locked
203 replies to this topic

#1 Cactus John

Posted 25 March 2012 - 10:34 AM

Did an update the other day, the computer restarted and when I came back, I no longer had internet access and Avast was going off about a virus/rootkit. Checked my logs on Avast and I have the Win32:Sirefef-PL [Rtk] which has about 7 system files in the chest since 2008!

So reading on other forums about how to fix this, I came across the use of combofix, tds, and otl. I am a repair tech as a hobby, and I am uncomfortable running these programs.

Cannot scan with Malwarebytes/HijackThis as it closes out after I click scan.
Cannot get the PC online because the rootkit corrupts the TCP/IP stack (cannot repair until removed),
and the kicker: cannot use the CD-ROM drive, which I traced back to the driver being corrupted by this issue.

Any help would be appreciated!

Sent over here by jntkwx.

http://www.bleepingcomputer.com/forums/topic447232.html

Guess my issue is pretty bad!

DDS LOG
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by Cactus John at 23:58:59 on 2012-03-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.154 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
F:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
F:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\AVAST Software\Avast\AvastSvc.exe
F:\WINDOWS\system32\spoolsv.exe
svchost.exe
F:\WINDOWS\System32\svchost.exe -k HTTPFilter
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\system32\LxrJD31s.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\WINDOWS\system32\RunDLL32.exe
F:\Program Files\AVAST Software\Avast\avastUI.exe
F:\Program Files\DivX\DivX Update\DivXUpdate.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Documents and Settings\Cactus John.RHOTHGAR\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
F:\Documents and Settings\Cactus John.RHOTHGAR\Local Settings\Application Data\Google\Update\1.3.21.99\GoogleCrashHandler.exe
F:\Program Files\Logitech\SetPoint\KEM.exe
F:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
F:\WINDOWS\system32\LVComsX.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = www.direcwaysupport.com;www.systemcontrolcenter.com;192.168.0.*;direcwaysupport.com;192.168.0.1;<local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - f:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - f:\progra~1\spybot~1\SDHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - f:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - f:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - f:\program files\avast software\avast\aswWebRepIE.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [LDM] \Program\BackWeb-8876480.exe
uRun: [Google Update] "f:\documents and settings\cactus john.rhothgar\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] f:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [avast] "f:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [DivXUpdate] "f:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: f:\docume~1\alluse~1.win\startm~1\programs\startup\logite~2.lnk - f:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: f:\docume~1\alluse~1.win\startm~1\programs\startup\logite~1.lnk - f:\program files\logitech\setpoint\KEM.exe
IE: &eBay Search - f:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - f:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} - hxxp://files.ea.com/downloads/rtpatch/v4/EARTP8X.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222215679578
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} - hxxp://pogo.oberon-media.com/online2/pogo/wedding_dash/WeddingDash.1.0.0.47.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{AD4500A8-8843-4C0B-A7C1-1DB1665D4245} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B30349F0-3E90-4C31-BDFA-A4E38978D796} : DhcpNameServer = 192.168.1.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - f:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - f:\documents and settings\cactus john.rhothgar\application data\mozilla\firefox\profiles\s6si45jh.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: f:\documents and settings\cactus john.rhothgar\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: f:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: f:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: f:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: f:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: f:\program files\microsoft\office live\npOLW.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: f:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;f:\windows\system32\drivers\aswSnx.sys [2011-7-25 612184]
R1 aswSP;aswSP;f:\windows\system32\drivers\aswSP.sys [2008-9-23 337880]
R2 aswFsBlk;aswFsBlk;f:\windows\system32\drivers\aswFsBlk.sys [2008-9-23 20696]
R2 avast! Antivirus;avast! Antivirus;f:\program files\avast software\avast\AvastSvc.exe [2011-7-25 44768]
R2 nvUpdatusService;NVIDIA Update Service Daemon;f:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-6-26 2214504]
R2 Viewpoint Manager Service;Viewpoint Manager Service;f:\program files\viewpoint\common\ViewpointService.exe [2008-9-23 24652]
S1 SSHDRV85;SSHDRV85;\??\f:\windows\system32\drivers\sshdrv85.sys --> f:\windows\system32\drivers\SSHDRV85.sys [?]
S2 aawservice;Lavasoft Ad-Aware Service;"f:\program files\lavasoft\ad-aware\aawservice.exe" --> f:\program files\lavasoft\ad-aware\aawservice.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 mbamchameleon;mbamchameleon;f:\windows\system32\drivers\mbamchameleon.sys [2012-3-20 24064]
S3 MBAMSwissArmy;MBAMSwissArmy;f:\windows\system32\drivers\mbamswissarmy.sys [2012-3-20 40776]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;f:\windows\system32\drivers\RTL8192su.sys [2010-1-6 599936]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-22 15:13:48 98816 ----a-w- f:\windows\sed.exe
2012-03-22 15:13:48 256000 ----a-w- f:\windows\PEV.exe
2012-03-22 15:13:48 208896 ----a-w- f:\windows\MBR.exe
2012-03-22 15:13:41 -------- d-s---w- F:\ComboFix
2012-03-20 06:33:27 40776 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2012-03-20 05:15:03 2038 ----a-w- f:\windows\system32\drivers\AFD.reg
2012-03-20 04:38:06 24064 ----a-w- f:\windows\system32\drivers\mbamchameleon.sys
2012-03-20 04:32:09 20464 ----a-w- f:\windows\system32\drivers\mbam.sys
2012-03-20 04:32:09 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2012-03-19 07:10:14 62976 -c--a-w- f:\windows\system32\dllcache\cdrom.sys
2012-03-19 07:10:14 62976 ----a-w- f:\windows\system32\drivers\cdrom.sys
2012-03-19 07:10:14 162816 -c--a-w- f:\windows\system32\dllcache\netbt.sys
2012-03-19 07:10:14 162816 ----a-w- f:\windows\system32\drivers\netbt.sys
2012-03-19 05:10:34 75264 -c--a-w- f:\windows\system32\dllcache\ipsec.sys
2012-03-19 05:10:34 75264 ----a-w- f:\windows\system32\drivers\ipsec.sys
2012-03-19 05:01:32 -------- d-----w- f:\windows\system32\wbem\repository\FS
2012-03-19 05:01:32 -------- d-----w- f:\windows\system32\wbem\Repository
2012-03-17 04:01:41 -------- d-----w- F:\backups
2012-03-16 11:22:44 -------- d-----w- f:\documents and settings\cactus john.rhothgar\application data\Malwarebytes
2012-03-16 11:21:59 -------- d-----w- f:\documents and settings\all users.windows\application data\Malwarebytes
2012-03-16 11:17:23 9502424 ----a-w- F:\mbam--setup-1.60.1.1000.exe
2012-03-16 11:05:53 -------- d-----w- f:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2012-03-16 09:55:20 0 --sha-w- f:\windows\system32\dds_trash_log.cmd
2012-03-15 09:34:02 592824 ----a-w- f:\program files\mozilla firefox\gkmedias.dll
2012-03-15 09:34:02 44472 ----a-w- f:\program files\mozilla firefox\mozglue.dll
.
==================== Find3M ====================
.
2012-03-20 05:28:12 138112 ----a-w- f:\windows\system32\drivers\afd.sys
2012-03-07 00:15:19 41184 ----a-w- f:\windows\avastSS.scr
2012-03-07 00:03:51 612184 ----a-w- f:\windows\system32\drivers\aswSnx.sys
2012-03-05 10:28:23 414368 ----a-w- f:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22:18 1860096 ----a-w- f:\windows\system32\win32k.sys
2012-01-09 16:20:25 139784 ----a-w- f:\windows\system32\drivers\rdpwd.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: USB2.0__ rev.____ -> Harddisk1\DR2 -> \Device\0000007c
.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk1\DR2[0xFFBCA390]
kernel: MBR read successfully
_asm { CLI ; XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, SP; PUSH AX; POP ES; PUSH AX; POP DS; STI ; CLD ; MOV DI, 0x600; MOV CX, 0x100; REPNZ MOVSW ; JMP FAR 0x0:0x61d; }
user != kernel MBR !!!
.
============= FINISH: 0:02:27.03 ===============


GMER LOG FAILURE - BLUE SCREEN OF DEATH!
GMER LOG posted to other forum w/o issue



#2 jntkwx

Posted 25 March 2012 - 10:48 AM

Hi Cactus John,

Please give me some time to look over your logs and I will get back to you as soon as possible. Thanks in advance for your patience.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#3 jntkwx

Posted 26 March 2012 - 07:26 AM

Cactus John,

It looks like you've run Combofix previously. If it was able to run, it should have produced a log file at F:\QooBox\ComboFix.txt. If it exists, please copy this file onto your USB drive and copy/paste it into your next reply from a computer that can get on the Internet.

Do you have multiple drives connected to this computer? Do you recognize a drive D?


Step 1: Please do the following. You will need a USB drive.

  • On the computer that you can access the internet on, insert your USB drive.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format (NOTE: This will erase any files already on your USB drive. If you want to keep any files, please move them to your computer before doing this step.)
  • Download xPUD 0.9.2 iso, saving the file to your Desktop.
  • Download UNetbootin and save it to your Desktop as well.
  • Double click the unetbootin-windows-latest.exe that you just downloaded.
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will write files to your USB device and make it bootable
  • Once the files have been written to the device you will be prompted to reboot ~ do NOT reboot and instead just Exit the UNetbootin interface
  • Next download http://noahdfear.net/downloads/driver.sh and http://noahdfear.net/downloads/dumpit to your USB drive (you may have to right click on these links, and click "Save Target As" or "Save Link As". Make sure the file is not saved with a .txt file extension. To do this, change the File Type to All Files when saving this file to your USB drive)
  • Insert the USB drive into the infected computer
  • The computer must be set to boot from USB
  • Gently tap F12 and choose to boot from USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your hard drive
  • sdb1 is likely your USB
  • Click on sdb1 (this is your USB drive)
  • If you don't see sdb1:
    • Click on the Tool menu, and then click on Open Terminal
    • In the Terminal window that opens, type each of the following lines, pressing enter after each one:
      mkdir /mnt/sdb1
      mount /dev/sdb1 /mnt/sdb1
    • Close the Terminal window
  • Click on the folder that represents your USB drive
  • Confirm that you see driver.sh and dumpit files that you saved there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh, and press Enter
  • After it has finished a report will be located in the USB drive called report.txt
  • Close the Terminal window
  • Double click the dumpit file
  • It will create some MBR copies on the USB drive.
  • When it completes press Enter to exit the Terminal window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip and report.txt files in your USB drive. Attach the mbr.zip file, and copy/paste the report.txt to your next reply.

Please let me know if you have any questions or run into any problems following these steps.
Regards,
Jason

 

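The check that the procedure above is built around is the one GMER reports in the DDS log as "user != kernel MBR !!!": sector 0 read through the normal disk path is compared with the same sector read by the kernel, and the dumpit copies in mbr.zip let a helper repeat that comparison offline. The following is an added example written for this thread; it is not the code of dumpit, driver.sh or GMER. It assumes each dumped copy is a raw 512-byte sector file. The sample images are constructed inline: the clean boot stub is hand-assembled from the instruction listing GMER printed in the log (CLI; XOR AX,AX; MOV SS,AX; ... JMP FAR 0:061Dh), and the "tampered" copy differs from it only in its first eight bytes.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

MBR_SIZE = 512
BOOT_CODE_END = 440      # bytes 0..439 hold the boot code
DISK_SIG_OFF = 440       # 4-byte Windows disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA boot signature


@dataclass
class Partition:
    bootable: bool
    type_id: int         # e.g. 0x07 for NTFS
    lba_start: int
    sector_count: int


def parse_mbr(img: bytes) -> dict:
    """Split a raw 512-byte sector into boot code, disk signature and partition table."""
    if len(img) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte image, got {len(img)} bytes")
    if img[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions: List[Partition] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack("<8BII", img[off:off + 16])
        if ptype != 0:   # type 0x00 marks an unused slot
            partitions.append(Partition(status == 0x80, ptype, lba, count))
    return {
        "boot_code": img[:BOOT_CODE_END],
        "disk_signature": struct.unpack_from("<I", img, DISK_SIG_OFF)[0],
        "partition_table": img[PART_TABLE_OFF:BOOT_SIG_OFF],
        "partitions": partitions,
    }


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return the [start, end) offset ranges at which two equal-length byte strings differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def compare_mbr(user_view: bytes, kernel_view: bytes) -> dict:
    """Repeat GMER's user-vs-kernel MBR check on two dumped copies of sector 0."""
    u, k = parse_mbr(user_view), parse_mbr(kernel_view)
    return {
        "boot_code_match": u["boot_code"] == k["boot_code"],
        "disk_signature_match": u["disk_signature"] == k["disk_signature"],
        "partition_table_match": u["partition_table"] == k["partition_table"],
        "diff_ranges": diff_ranges(user_view, kernel_view),
    }


def load_mbr(path: str) -> bytes:
    """Read the first 512 bytes of a dump file (assumed to be a raw sector image)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def build_mbr(boot_code: bytes, disk_sig: int, partitions: List[Partition]) -> bytes:
    """Assemble a sector from its parts; used here only to construct sample input."""
    img = bytearray(MBR_SIZE)
    img[:len(boot_code)] = boot_code
    struct.pack_into("<I", img, DISK_SIG_OFF, disk_sig)
    for i, p in enumerate(partitions):
        struct.pack_into("<8BII", img, PART_TABLE_OFF + 16 * i,
                         0x80 if p.bootable else 0x00, 0, 0, 0, p.type_id, 0, 0, 0,
                         p.lba_start, p.sector_count)
    img[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(img)


# Constructed sample: the relocation stub GMER disassembled in the DDS log
# (CLI; XOR AX,AX; MOV SS,AX; MOV SP,7C00h; ...; JMP FAR 0:061Dh), hand-assembled.
CLEAN_STUB = bytes.fromhex("fa33c08ed0bc007c8bf45007501ffbfcbf0006b90001f2a5ea1d060000")
CLEAN_MBR = build_mbr(CLEAN_STUB, 0xDEADBEEF, [Partition(True, 0x07, 63, 234_436_482)])
# Constructed "tampered" copy: same partition table and disk signature, boot code altered.
TAMPERED_MBR = b"TAMPERED" + CLEAN_MBR[8:]

if __name__ == "__main__":
    result = compare_mbr(CLEAN_MBR, TAMPERED_MBR)
    print("user != kernel MBR !!!" if result["diff_ranges"] else "MBRs identical", result)
```

On real dumps the call is compare_mbr(load_mbr("mbr_user.bin"), load_mbr("mbr_kernel.bin")), where the two file names are an assumption and should be replaced with whatever dumpit wrote into mbr.zip. The result is split into three fields rather than a single equality test because the combination matters: an identical partition table and disk signature with differing boot code is the pattern of a sector-0 overwrite, whereas a differing partition table usually means the two reads came from different disks or different drive letters, which is the first thing to rule out given the drive-enumeration confusion earlier in this thread.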


#4 Cactus John (Topic Starter)

Posted 27 March 2012 - 03:03 PM

Under My Computer I have removable drives C, E; those are card reader drives. F is my HDD, and D is my zip drive. The issue I am having is that the program cannot pick up drive D; it only shows C, E under USB and F under hard disk. I had another zip lying around so I tossed it in, it comes up as drive G, but it still only shows C, E under the UNetbootin program. Any ideas?

On ComboFix, I ran it and it came to the opening screen, hung for about an hour, and did nothing; that is when I posted to the forums because I read a ComboFix crash can wipe your HDD. I do not have any logs in that location, and I also searched the PC and found nothing with that name.


EDIT***** Hold on, I just re-read that and I am going to try to make the bootable USB using my laptop! HA! Will post a response in a few min, after I try that.

EDIT 2************ Yeah, even on the laptop the USB drive is not showing up in the program; it actually shows no drive letters for USB on the laptop with both USBs I have. I did try my external HDD and even that did not show up ?!?

Edited by Cactus John, 27 March 2012 - 03:30 PM.


#5 jntkwx

Posted 28 March 2012 - 08:35 AM

Cactus John,

That's odd that it didn't recognize your USB drives. Let's try running Combofix...

On your clean computer, please download a new version of Combofix from one of these links, and save it to your USB drive.
Link 1
Link 2
Link 3
  • Plug the USB drive into the infected computer, and copy and paste the Combofix file from your USB drive to your desktop.
  • Close any open browsers or any other programs that are open.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out >here< or >here<
  • Double click on combofix.exe & follow the prompts. It may take some time to run. Please be patient.

    Important:
  • Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

In your next reply, please include:
  • Combofix log
  • How is your computer running now? Please be as descriptive as possible.

Regards,
Jason

 



#6 Cactus John (Topic Starter)

Posted 28 March 2012 - 05:20 PM

I think we are making progress!

ComboFix ran to completion, and seems to have set my Windows settings back to stock!

Machine runs normal, besides no internet or CD-ROM drive, but I played a quick game, and it's running fine.

EDIT*** With your go-ahead, I have a USB wireless adapter; I found the drivers for that and want to try it when everything is done.


ComboFix 12-03-28.02 - Cactus John 03/28/2012 17:19:10.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.233 [GMT -4:00]
Running from: f:\documents and settings\Cactus John.RHOTHGAR\Desktop\1j677sh772h.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
f:\documents and settings\Cactus John.RHOTHGAR\WINDOWS
f:\documents and settings\Cactus John\WINDOWS
f:\windows\bwUnin-6.1.4.68-8876480L.exe
f:\windows\system32\dds_trash_log.cmd
f:\windows\system32\se27unic.dll
f:\windows\system32\SET3D.tmp
f:\windows\system32\SET40.tmp
f:\windows\system32\SET4C.tmp
f:\windows\system32\SET92.tmp
f:\windows\system32\SET93.tmp
G:\AUTORUN.INF . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-28 )))))))))))))))))))))))))))))))
.
.
2012-03-22 18:53 . 2012-03-22 18:54 -------- d-----w- f:\program files\ERUNT
2012-03-20 06:33 . 2012-03-20 13:26 40776 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2012-03-20 05:15 . 2012-03-20 05:24 2038 ----a-w- f:\windows\system32\drivers\AFD.reg
2012-03-20 04:38 . 2012-03-20 06:30 24064 ----a-w- f:\windows\system32\drivers\mbamchameleon.sys
2012-03-20 04:32 . 2012-03-20 06:33 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2012-03-20 04:32 . 2011-12-10 19:24 20464 ----a-w- f:\windows\system32\drivers\mbam.sys
2012-03-19 07:10 . 2008-04-13 19:21 162816 -c--a-w- f:\windows\system32\dllcache\netbt.sys
2012-03-19 07:10 . 2008-04-13 19:21 162816 ----a-w- f:\windows\system32\drivers\netbt.sys
2012-03-19 07:10 . 2008-04-13 18:40 62976 -c--a-w- f:\windows\system32\dllcache\cdrom.sys
2012-03-19 07:10 . 2008-04-13 18:40 62976 ----a-w- f:\windows\system32\drivers\cdrom.sys
2012-03-19 05:10 . 2008-04-13 19:19 75264 -c--a-w- f:\windows\system32\dllcache\ipsec.sys
2012-03-19 05:10 . 2008-04-13 19:19 75264 ----a-w- f:\windows\system32\drivers\ipsec.sys
2012-03-19 05:01 . 2012-03-19 05:01 -------- d-----w- f:\windows\system32\wbem\Repository
2012-03-17 04:01 . 2012-03-17 04:35 -------- d-----w- F:\backups
2012-03-17 03:51 . 2012-03-17 03:51 -------- d-----w- f:\documents and settings\Administrator.HROTHGAR\Application Data\Malwarebytes
2012-03-16 11:22 . 2012-03-16 11:22 -------- d-----w- f:\documents and settings\Cactus John.RHOTHGAR\Application Data\Malwarebytes
2012-03-16 11:21 . 2012-03-16 11:21 -------- d-----w- f:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2012-03-16 11:17 . 2012-03-16 11:18 9502424 ----a-w- F:\mbam--setup-1.60.1.1000.exe
2012-03-16 11:05 . 2012-03-16 11:06 -------- d-----w- f:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2012-03-15 09:34 . 2012-03-15 09:34 592824 ----a-w- f:\program files\Mozilla Firefox\gkmedias.dll
2012-03-15 09:34 . 2012-03-15 09:34 44472 ----a-w- f:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-20 05:28 . 2004-08-04 12:00 138112 ----a-w- f:\windows\system32\drivers\afd.sys
2012-03-07 00:15 . 2011-07-25 23:52 41184 ----a-w- f:\windows\avastSS.scr
2012-03-07 00:15 . 2005-10-08 05:53 201352 ----a-w- f:\windows\system32\aswBoot.exe
2012-03-07 00:03 . 2011-07-25 23:52 612184 ----a-w- f:\windows\system32\drivers\aswSnx.sys
2012-03-07 00:03 . 2008-09-23 07:18 337880 ----a-w- f:\windows\system32\drivers\aswSP.sys
2012-03-07 00:02 . 2005-10-08 05:53 35672 ----a-w- f:\windows\system32\drivers\aswRdr.sys
2012-03-07 00:01 . 2005-10-08 05:53 53848 ----a-w- f:\windows\system32\drivers\aswTdi.sys
2012-03-07 00:01 . 2005-10-08 05:53 95704 ----a-w- f:\windows\system32\drivers\aswmon2.sys
2012-03-07 00:01 . 2005-10-08 05:53 89048 ----a-w- f:\windows\system32\drivers\aswmon.sys
2012-03-07 00:01 . 2008-09-23 07:18 20696 ----a-w- f:\windows\system32\drivers\aswFsBlk.sys
2012-03-06 23:58 . 2005-10-08 05:53 24920 ----a-w- f:\windows\system32\drivers\aavmker4.sys
2012-03-05 10:28 . 2011-07-08 20:43 414368 ----a-w- f:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- f:\windows\system32\win32k.sys
2012-01-31 05:31 . 2011-04-06 19:11 205984 ----a-w- f:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\VBExpress\10.0\1033\ResourceCache.dll
2012-01-09 16:20 . 2005-10-07 19:31 139784 ----a-w- f:\windows\system32\drivers\rdpwd.sys
2012-03-15 09:34 . 2011-04-12 02:28 97208 ----a-w- f:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-07 00:15 123536 ----a-w- f:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2011-05-25 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-25 111208]
"nwiz"="f:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360]
"avast"="f:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
"DivXUpdate"="f:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
f:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - f:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-9-4 450560]
Logitech SetPoint.lnk - f:\program files\Logitech\SetPoint\KEM.exe [2005-9-4 581632]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\Java\\jdk1.5.0_05\\jre\\bin\\java.exe"=
"f:\\WINDOWS\\system32\\mmc.exe"=
"f:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"f:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"f:\\WINDOWS\\system32\\dplaysvr.exe"=
"f:\\Program Files\\Soldier of Fortune II - Double Helix GOLD\\SoF2MP.exe"=
"f:\\Program Files\\Ubisoft\\Heroes of Might and Magic V\\bin\\H5_Game.exe"=
"f:\\Diablo II\\Diablo II.exe"=
"f:\\Program Files\\Ascaron Entertainment\\Sacred Gold\\GameServer.exe"=
"f:\\Program Files\\Ascaron Entertainment\\Sacred Gold\\Sacred.exe"=
"f:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"f:\\WINDOWS\\system32\\dpvsetup.exe"=
.
R1 aswSnx;aswSnx;f:\windows\system32\drivers\aswSnx.sys [7/25/2011 7:52 PM 612184]
R1 aswSP;aswSP;f:\windows\system32\drivers\aswSP.sys [9/23/2008 3:18 AM 337880]
R2 aswFsBlk;aswFsBlk;f:\windows\system32\drivers\aswFsBlk.sys [9/23/2008 3:18 AM 20696]
R2 nvUpdatusService;NVIDIA Update Service Daemon;f:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [6/26/2011 2:58 PM 2214504]
R2 Viewpoint Manager Service;Viewpoint Manager Service;f:\program files\Viewpoint\Common\ViewpointService.exe [9/23/2008 3:48 AM 24652]
S1 SSHDRV85;SSHDRV85;\??\f:\windows\system32\drivers\SSHDRV85.sys --> f:\windows\system32\drivers\SSHDRV85.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 mbamchameleon;mbamchameleon;f:\windows\system32\drivers\mbamchameleon.sys [3/20/2012 12:38 AM 24064]
S3 MBAMSwissArmy;MBAMSwissArmy;f:\windows\system32\drivers\mbamswissarmy.sys [3/20/2012 2:33 AM 40776]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;f:\windows\system32\drivers\RTL8192su.sys [1/6/2010 5:21 PM 599936]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-27 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-602609370-725345543-1004Core.job
- f:\documents and settings\Cactus John.RHOTHGAR\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-28 01:50]
.
2012-03-28 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-602609370-725345543-1004UA.job
- f:\documents and settings\Cactus John.RHOTHGAR\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-28 01:50]
.
2012-03-28 f:\windows\Tasks\OGALogon.job
- f:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
2012-03-28 f:\windows\Tasks\User_Feed_Synchronization-{262C7733-60F3-42D2-A951-CF5A88F6450E}.job
- f:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = www.direcwaysupport.com;www.systemcontrolcenter.com;192.168.0.*;direcwaysupport.com;192.168.0.1;<local>
IE: &eBay Search - f:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} - hxxp://files.ea.com/downloads/rtpatch/v4/EARTP8X.cab
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
FF - ProfilePath - f:\documents and settings\Cactus John.RHOTHGAR\Application Data\Mozilla\Firefox\Profiles\s6si45jh.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-LDM - \Program\BackWeb-8876480.exe
AddRemove-Macromedia Shockwave Player - f:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE
AddRemove-PCFriendly - f:\program files\PCFriendly\inuninst.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - f:\program files\DivX\DivXCodecUninstall.exe
AddRemove-Google Chrome - f:\documents and settings\Cactus John.RHOTHGAR\Local Settings\Application Data\Google\Chrome\Application\17.0.963.65\Installer\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-28 17:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: USB2.0__ rev.____ -> Harddisk1\DR2 -> \Device\0000007b
.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3376)
f:\windows\system32\WININET.dll
f:\program files\Logitech\SetPoint\lgscroll.dll
f:\windows\system32\msi.dll
f:\windows\system32\ieframe.dll
f:\windows\system32\webcheck.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
f:\program files\AVAST Software\Avast\AvastSvc.exe
f:\program files\Java\jre6\bin\jqs.exe
f:\windows\system32\LxrJD31s.exe
f:\windows\system32\nvsvc32.exe
f:\program files\Windows Media Player\WMPNetwk.exe
f:\windows\system32\RunDLL32.exe
f:\program files\Logitech\SetPoint\KHALMNPR.EXE
f:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-03-28 17:44:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-28 21:44
.
Pre-Run: 124,168,990,720 bytes free
Post-Run: 125,015,638,016 bytes free
.
- - End Of File - - D1D4C482FAE70390D9E59FB04654DBDD

Edited by Cactus John, 28 March 2012 - 05:30 PM.


#7 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 29 March 2012 - 08:29 AM

Cactus John,

Let's try the wireless USB adapter after we've tried everything else first.


Please open MiniToolBox and FSS, and create new logs for each. Check off all the boxes for each (except for List Installed Programs and List Minidump Files for MiniToolBox).

Edited by jntkwx, 29 March 2012 - 08:42 AM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#8 Cactus John

Cactus John
  • Topic Starter

  • Members
  • 131 posts
  • Gender:Male
  • Location:Rumney, NH

Posted 29 March 2012 - 04:02 PM

MiniToolBox by Farbar Version: 18-01-2012
Ran by Cactus John (administrator) on 29-03-2012 at 17:01:54
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration




========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

1394 Net Adapter = 1394 Connection (Disconnected)
NVIDIA nForce Networking Controller = Local Area Connection (Disconnected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip



popd
# End of interface IP configuration




Windows IP Configuration



Server: UnKnown
Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host bleepingcomputer.com. Please check the name and try again.



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 F:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 F:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 F:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 F:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 F:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 F:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 F:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 F:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================

System errors:
=============
Error: (03/29/2012 04:57:18 PM) (Source: Service Control Manager) (User: )
Description: The Automatic Updates service terminated with the following error:
%%126

Error: (03/29/2012 04:57:18 PM) (Source: Service Control Manager) (User: )
Description: The X4HSX32 service failed to start due to the following error:
%%3

Error: (03/29/2012 02:00:36 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 480 minutes.
NtpClient has no source of accurate time.

Error: (03/29/2012 02:00:36 AM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 480
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (03/28/2012 10:00:36 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 240 minutes.
NtpClient has no source of accurate time.

Error: (03/28/2012 10:00:36 PM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (03/28/2012 08:00:36 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 120 minutes.
NtpClient has no source of accurate time.

Error: (03/28/2012 08:00:36 PM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (03/28/2012 07:00:36 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 60 minutes.
NtpClient has no source of accurate time.

Error: (03/28/2012 07:00:36 PM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)


Microsoft Office Sessions:
=========================

========================= Devices: ================================

Name: NVIDIA nForce Networking Controller
Description: NVIDIA nForce Networking Controller
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Nvidia
Service: NVENETFD
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: 1394 Net Adapter
Description: 1394 Net Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: NIC1394
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


========================= Memory info: ===================================

Percentage of memory in use: 64%
Total physical RAM: 511.48 MB
Available physical RAM: 179.27 MB
Total Pagefile: 2478.57 MB
Available Pagefile: 2231.38 MB
Total Virtual: 2047.88 MB
Available Virtual: 1970.36 MB

========================= Partitions: =====================================

4 Drive f: () (Fixed) (Total:186.3 GB) (Free:116.54 GB) NTFS
5 Drive g: (NHD FLASH) (Fixed) (Total:0.12 GB) (Free:0.11 GB) FAT32

========================= Users: ========================================

User accounts for \\HROTHGAR

Administrator ASPNET Cactus John
Guest HelpAssistant SUPPORT_388945a0
UpdatusUser


**** End of log ****


Farbar Service Scanner Version: 01-03-2012
Ran by Cactus John (administrator) on 29-03-2012 at 17:01:27
Running from "F:\Documents and Settings\Cactus John.RHOTHGAR\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".


File Check:
========
F:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
F:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
F:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
F:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
F:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
F:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
F:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
F:\WINDOWS\system32\netman.dll => MD5 is legit
F:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
F:\WINDOWS\system32\srsvc.dll => MD5 is legit
F:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
F:\WINDOWS\system32\wscsvc.dll => MD5 is legit
F:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
F:\WINDOWS\system32\wuauserv.dll => MD5 is legit
F:\WINDOWS\system32\qmgr.dll => MD5 is legit
F:\WINDOWS\system32\es.dll => MD5 is legit
F:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
F:\WINDOWS\system32\svchost.exe => MD5 is legit
F:\WINDOWS\system32\rpcss.dll => MD5 is legit
F:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(268435456) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) Tcpip6(8)
0x0B000000050000000100000002000000030000000400000000000010060000000700000008000000090000000A000000
IpSec Tag value is correct.

**** End of log ****

#9 Cactus John

Cactus John
  • Topic Starter

  • Members
  • 131 posts
  • Gender:Male
  • Location:Rumney, NH

Posted 29 March 2012 - 04:08 PM

With Ethernet card enabled!

MiniToolBox by Farbar Version: 18-01-2012
Ran by Cactus John (administrator) on 29-03-2012 at 17:06:27
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

1394 Net Adapter = 1394 Connection (Disconnected)
NVIDIA nForce Networking Controller = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : Hrothgar

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : NVIDIA nForce Networking Controller

Physical Address. . . . . . . . . : 00-30-1B-B7-14-C1

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.7

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 192.168.1.1

NetBIOS over Tcpip. . . . . . . . : Disabled

Lease Obtained. . . . . . . . . . : Thursday, March 29, 2012 5:05:08 PM

Lease Expires . . . . . . . . . . : Friday, March 30, 2012 5:05:08 PM



Tunnel adapter Teredo Tunneling Pseudo-Interface:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF

Dhcp Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : ?

Default Gateway . . . . . . . . . :

NetBIOS over Tcpip. . . . . . . . : Disabled

Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.226.201, 74.125.226.206, 74.125.226.192, 74.125.226.193
74.125.226.194, 74.125.226.195, 74.125.226.196, 74.125.226.197, 74.125.226.198
74.125.226.199, 74.125.226.200

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 72.30.38.140, 98.139.183.24, 209.191.122.70

Ping request could not find host yahoo.com. Please check the name and try again.

Server: UnKnown
Address: 192.168.1.1

Name: bleepingcomputer.com
Address: 208.43.87.2

Ping request could not find host bleepingcomputer.com. Please check the name and try again.



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 30 1b b7 14 c1 ...... NVIDIA nForce Networking Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.7 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.7 192.168.1.7 20
192.168.1.7 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.7 192.168.1.7 20
224.0.0.0 240.0.0.0 192.168.1.7 192.168.1.7 20
255.255.255.255 255.255.255.255 192.168.1.7 192.168.1.7 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 F:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 F:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 F:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 F:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 F:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 F:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 F:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 F:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================

System errors:
=============
Error: (03/29/2012 05:05:11 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (03/29/2012 05:05:11 PM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (03/29/2012 04:57:18 PM) (Source: Service Control Manager) (User: )
Description: The Automatic Updates service terminated with the following error:
%%126

Error: (03/29/2012 04:57:18 PM) (Source: Service Control Manager) (User: )
Description: The X4HSX32 service failed to start due to the following error:
%%3

Error: (03/29/2012 02:00:36 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 480 minutes.
NtpClient has no source of accurate time.

Error: (03/29/2012 02:00:36 AM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 480
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (03/28/2012 10:00:36 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 240 minutes.
NtpClient has no source of accurate time.

Error: (03/28/2012 10:00:36 PM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (03/28/2012 08:00:36 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 120 minutes.
NtpClient has no source of accurate time.

Error: (03/28/2012 08:00:36 PM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)


Microsoft Office Sessions:
=========================

========================= Devices: ================================

Name: 1394 Net Adapter
Description: 1394 Net Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: NIC1394
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


========================= Memory info: ===================================

Percentage of memory in use: 66%
Total physical RAM: 511.48 MB
Available physical RAM: 173.25 MB
Total Pagefile: 2478.57 MB
Available Pagefile: 2233.91 MB
Total Virtual: 2047.88 MB
Available Virtual: 1970.36 MB

========================= Partitions: =====================================

4 Drive f: () (Fixed) (Total:186.3 GB) (Free:116.54 GB) NTFS
5 Drive g: (NHD FLASH) (Fixed) (Total:0.12 GB) (Free:0.11 GB) FAT32

========================= Users: ========================================

User accounts for \\HROTHGAR

Administrator ASPNET Cactus John
Guest HelpAssistant SUPPORT_388945a0
UpdatusUser


**** End of log ****

Farbar Service Scanner Version: 01-03-2012
Ran by Cactus John (administrator) on 29-03-2012 at 17:12:25
Running from "F:\Documents and Settings\Cactus John.RHOTHGAR\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".


File Check:
========
F:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
F:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
F:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
F:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
F:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
F:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
F:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
F:\WINDOWS\system32\netman.dll => MD5 is legit
F:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
F:\WINDOWS\system32\srsvc.dll => MD5 is legit
F:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
F:\WINDOWS\system32\wscsvc.dll => MD5 is legit
F:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
F:\WINDOWS\system32\wuauserv.dll => MD5 is legit
F:\WINDOWS\system32\qmgr.dll => MD5 is legit
F:\WINDOWS\system32\es.dll => MD5 is legit
F:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
F:\WINDOWS\system32\svchost.exe => MD5 is legit
F:\WINDOWS\system32\rpcss.dll => MD5 is legit
F:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(268435456) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) Tcpip6(8)
0x0B000000050000000100000002000000030000000400000000000010060000000700000008000000090000000A000000
IpSec Tag value is correct.

**** End of log ****

Edited by Cactus John, 29 March 2012 - 04:12 PM.
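Two things in the logs above are worth reading mechanically: the Gmer section of the ComboFix log, where the user-mode MBR read fails while the kernel-mode read succeeds and the two disagree, and the two MiniToolBox runs, where with the NIC disabled nslookup falls back to 127.0.0.1 and nothing resolves, while with the NIC enabled nslookup resolves google.com, yahoo.com and bleepingcomputer.com yet ping still reports it cannot find the host. The Python below is an added example, not code from this thread or from the Farbar/Gmer tools; it parses short excerpts copied from those logs (embedded as constructed sample input) and turns them into findings, with the reasoning for each in the comments.

```python
"""Triage of the Gmer and MiniToolBox log excerpts posted in this thread (added example;
not code from ComboFix, Gmer, MiniToolBox or FSS). See the lead-in for what each flag means."""
import re
from dataclasses import dataclass, field

# Constructed sample input: short excerpts copied from the logs above.
GMER_MBR_EXCERPT = """\
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
"""

MTB_NIC_DISABLED = """\
Server: UnKnown
Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.
"""

MTB_NIC_ENABLED = """\
Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.226.201, 74.125.226.206

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown
Address: 192.168.1.1

Name: bleepingcomputer.com
Address: 208.43.87.2

Ping request could not find host bleepingcomputer.com. Please check the name and try again.
"""

NSLOOKUP_SERVER_RE = re.compile(r"^Server:.*\nAddress:\s*(\S+)", re.MULTILINE)
NSLOOKUP_NAME_RE = re.compile(r"^Name:\s*(\S+)", re.MULTILINE)
PING_FAIL_RE = re.compile(r"^Ping request could not find host (\S+?)\. ", re.MULTILINE)
HIDDEN_FILES_RE = re.compile(r"^hidden files:\s*(\d+)", re.MULTILINE)


@dataclass
class Triage:
    mbr_mismatch: bool = False                         # Gmer: "user != kernel MBR"
    hidden_files: int = 0                              # catchme: hidden-file count
    dns_servers: set = field(default_factory=set)      # servers nslookup answered from
    resolved: set = field(default_factory=set)         # names nslookup resolved
    ping_unresolved: set = field(default_factory=set)  # names ping "could not find"

    @property
    def resolver_only_loopback(self) -> bool:
        # nslookup fell back to 127.0.0.1: no DNS server learned (adapter disabled / no lease)
        return bool(self.dns_servers) and self.dns_servers <= {"127.0.0.1"}

    @property
    def nslookup_ok_ping_fails(self) -> set:
        # nslookup queries the server directly; ping uses the Windows resolver
        # (DNS Client, Winsock catalog, tcpip.sys). A split points at the local stack.
        return self.resolved & self.ping_unresolved


def triage(log: str) -> Triage:
    """Pull the indicators out of one pasted log (any mix of sections)."""
    t = Triage()
    t.mbr_mismatch = "user != kernel MBR" in log
    m = HIDDEN_FILES_RE.search(log)
    t.hidden_files = int(m.group(1)) if m else 0
    t.dns_servers = set(NSLOOKUP_SERVER_RE.findall(log))
    t.resolved = set(NSLOOKUP_NAME_RE.findall(log))
    t.ping_unresolved = set(PING_FAIL_RE.findall(log))
    return t


def findings(t: Triage) -> list:
    """One line per flagged indicator; an empty list means nothing was flagged."""
    out = []
    if t.mbr_mismatch:
        out.append("MBR: user-mode read differs from kernel-mode read; possible MBR rootkit, verify the disk offline")
    if t.hidden_files:
        out.append(f"catchme: {t.hidden_files} hidden file(s) reported")
    if t.resolver_only_loopback:
        out.append("DNS: nslookup fell back to 127.0.0.1; no DNS server learned (adapter disabled or no DHCP lease)")
    if t.nslookup_ok_ping_fails:
        names = ", ".join(sorted(t.nslookup_ok_ping_fails))
        out.append(f"Resolver: nslookup resolves {names} but ping cannot; check DNS Client, Winsock catalog, tcpip.sys")
    return out


if __name__ == "__main__":
    for label, text in [("Gmer", GMER_MBR_EXCERPT), ("MiniToolBox, NIC disabled", MTB_NIC_DISABLED),
                        ("MiniToolBox, NIC enabled", MTB_NIC_ENABLED)]:
        lines = findings(triage(text)) or ["nothing flagged"]
        print(f"== {label} ==", *lines, sep="\n - ")
```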


#10 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 30 March 2012 - 09:00 AM

Cactus John,

If you open your Internet browser, and type in http://208.43.87.2 does BleepingComputer's homepage load?


Go to Start > Run, type in:
cmd
Click OK.

At Command Prompt, type in the following, and press Enter after each one:

netsh int ip reset reset.log

netsh winsock reset catalog

netsh int ipv4 reset reset.log

netsh int ipv6 reset reset.log

Restart your computer. Are you able to get on the Internet now?

Regards,
Jason

 



#11 Cactus John

Cactus John
  • Topic Starter

  • Members
  • 131 posts
  • Gender:Male
  • Location:Rumney, NH

Posted 30 March 2012 - 11:53 PM

So you are making headway with this. I am now able to repair the connection with no issues, no more failed-to-repair crap.

But still no internet!

I took a screenshot of what it says when I try to go to the IP for BleepingComputer.

EDIT *** As you can see from the quick links, I still have Myspace as a tab, which I don't even have an account with. Anyway, Google Chrome is my browser but it will not open; it flashes in the task manager for a quick moment then disappears. Firefox will open, but with the same error as IE.

Attached File: broken internet.JPG (81.6KB)

Edited by Cactus John, 30 March 2012 - 11:55 PM.


#12 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 31 March 2012 - 03:22 PM

Cactus John,

I think the Internet connection issue may actually have to do with a component of Avast that deals with the Internet connection. I'd like us to try uninstalling Avast, then restart your computer and see if that fixes the Internet connection problem.

Regards,
Jason

 



#13 Cactus John

Cactus John
  • Topic Starter

  • Members
  • 131 posts
  • Gender:Male
  • Location:Rumney, NH

Posted 01 April 2012 - 03:53 PM

Wow, I just typed a big reply and when I posted it ... it errored! UGH!
TAKE 2!

Deleted Avast, and some other programs: Spybot, Ad-Aware.

Repaired the connection, and still nothing! BUT BUT! Here's something odd: under Network Connections I have a new item I have never seen in all my PC usage years, "Internet Gateway". It was enabled, so I disabled it ... this killed my WHOLE house connection!

Under properties for Internet Gateway it says "this connection allows you to connect to the internet through a shared connection on another machine".

Does this mean the other devices on my network use my PC as a gateway to the internet? Are they at risk for the rootkit infection?

#14 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 02 April 2012 - 05:15 PM

Cactus John,

Well, that's odd. Let me ask a colleague about this, and I'll get back to you soon.

Regards,
Jason

 



#15 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 03 April 2012 - 11:30 AM

Cactus John,

I'm curious how you have your network set up. Usually, you have a modem (which may also act as a router), and then a router. The router is what connects the other computers on your network to the Internet (either wirelessly or wired). Is this how you have your network set up?

Regards,
Jason

 





