
No internet connection after Trojan.Dropper?


This topic is locked
13 replies to this topic

#1 ArtVandalay7

  • Members
  • 29 posts

Posted 25 March 2012 - 07:21 PM

Hello!

I seem to have a major issue with one of my laptops. Looks like (via Malwarebytes) that I picked up a Trojan.Dropper virus which Microsoft Security Essentials said it found and cleaned in real time. Yet, now the computer will not connect to the internet. In the system tray icon it lists my home network and status is "connected" yet no internet browsing is possible. I have tried numerous things to fix this from this forum and other internet sites but nothing seems to be working...help please! Thank you in advance!


#2 nasdaq

  • Malware Response Team
  • 39,954 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 March 2012 - 09:58 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

If you still need help please download and run these tools.
You will need to download the programs to a CD or flash drive using a good computer and save the files on the desktop of the problem computer.


Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Please post the logs for my review.

#3 ArtVandalay7

  • Topic Starter
  • Members
  • 29 posts

Posted 29 March 2012 - 09:53 AM

Ok, here are the requested logs. Thanks!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by cdavis65 at 10:46:16 on 2012-03-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2806.2225 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\STacSV.exe
C:\Program Files\McAfee\Endpoint Encryption for PC\SbClientManager.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\WINDOWS\Installer\MSI23C.tmp
C:\Program Files\Ekahau\Client\bin\Eclient.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RCSERV.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\USBDLM\USBDLM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://synapse.carolinas.org
uWindow Title = Microsoft Internet Explorer provided by Carolinas HealthCare System
uDefault_Page_URL = hxxp://synapse.carolinas.org
mDefault_Page_URL = hxxp://synapse.carolinas.org/
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [lcfep] "c:\tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe" -x
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [SafeBootTrayManager] "c:\program files\safeboot tray manager\SbTrayManager.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [lxcymon.exe] "c:\program files\lexmark 3400 series\lxcymon.exe"
mRun: [EzPrint] "c:\program files\lexmark 3400 series\ezprint.exe"
mRun: [LXCYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-explorer: Btn_Edit = 2 (0x2)
uPolicies-explorer: SpecifyDefaultButtons = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bestenroll.com\www
Trusted Zone: carolinas.org
Trusted Zone: carolinas.org\*
Trusted Zone: carolinas.org\apcsympw01
Trusted Zone: carolinas.org\bhcsymp
Trusted Zone: carolinas.org\bhcsympmsc01
Trusted Zone: carolinas.org\chsapps
Trusted Zone: carolinas.org\cmcsympw01
Trusted Zone: carolinas.org\dcr-gmed-ms-01
Trusted Zone: carolinas.org\dcr-gmed-ms-02
Trusted Zone: carolinas.org\dcr-gmedf-ms-01
Trusted Zone: carolinas.org\dcr-ipl-ms-01
Trusted Zone: carolinas.org\dcr-pvapp-2k-01
Trusted Zone: carolinas.org\dcr-pvapp-ms-01
Trusted Zone: carolinas.org\dcr-pvtst-2k-01
Trusted Zone: carolinas.org\dcr-pvtst-ms-01
Trusted Zone: carolinas.org\idxflow
Trusted Zone: carolinas.org\idxflowbr
Trusted Zone: carolinas.org\infosource
Trusted Zone: carolinas.org\iplannet
Trusted Zone: carolinas.org\Magic
Trusted Zone: carolinas.org\Magicreports
Trusted Zone: carolinas.org\Magicrpt
Trusted Zone: carolinas.org\Magictest
Trusted Zone: carolinas.org\Magictsd
Trusted Zone: carolinas.org\mmgsymp
Trusted Zone: carolinas.org\pvlsympmsc01
Trusted Zone: carolinas.org\sdexpress
Trusted Zone: carolinas.org\sdexpress2
Trusted Zone: carolinas.org\securemail
Trusted Zone: carolinas.org\synapse
Trusted Zone: carolinas.org\unvsympmsc01
Trusted Zone: carolinas.org\webapps
Trusted Zone: controltex.com\stc
Trusted Zone: dcr-pvapp-2k-01
Trusted Zone: dcr-pvapp-ms-01
Trusted Zone: dcr-pvtst-2k-01
Trusted Zone: dcr-pvtst-ms-01
Trusted Zone: infosource
Trusted Zone: omni-direct.com
Trusted Zone: scribe.com
Trusted Zone: scribe.com\transportal
Trusted Zone: sde
Trusted Zone: sdexpress
Trusted Zone: solucient.com\actionoi
Trusted Zone: solucient.com\actionoireporting
Trusted Zone: synapse
Trusted Zone: webex.com\accteam
Trusted Zone: winmt.com\edict
Trusted Zone: bestenroll.com\www
Trusted Zone: controltex.com\stc
Trusted Zone: omni-direct.com
Trusted Zone: scribe.com
Trusted Zone: scribe.com\transportal
Trusted Zone: solucient.com\actionoi
Trusted Zone: solucient.com\actionoireporting
Trusted Zone: webex.com\accteam
Trusted Zone: winmt.com\edict
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://secureauth.carolinas.org/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{83BEB761-7C91-4B3A-B167-B35BA76A4CE6} : DhcpNameServer = 10.250.253.131 10.250.254.131 10.15.5.155
TCP: Interfaces\{A795D225-A4CA-41A5-9998-ADE412105F69} : DhcpNameServer = 10.250.253.131 10.250.254.131 10.15.5.155
TCP: Interfaces\{F0E38C90-3215-4A01-9381-180C842B62CA} : DhcpNameServer = 192.168.1.254
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NecUsb3Sevices - USB3Sw32.dll
Notify: USB3Sw32 - USB3Sw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 TivoliAP
LSA: Notification Packages = SbNp scecli
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\cdavis65\application data\mozilla\firefox\profiles\unx04swr.default\
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2009-9-23 184888]
R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [2010-1-20 15416]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-5-18 461864]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2009-10-2 103760]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2009-11-14 23024]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2009-10-2 6496]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-12-6 89624]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl26cab2df;MpKsl26cab2df;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a5cab6a-731c-465d-9dcb-13b17c0cd254}\MpKsl26cab2df.sys [2012-3-29 29904]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2009-10-2 33328]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2009-10-2 34480]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2009-10-2 15248]
R1 TGRAB;Tivoli Remote Control Text Grabber;c:\windows\system32\tgrab.sys [2008-8-19 8288]
R2 DragonSvc;Dragon Service;c:\windows\installer\MSI23C.tmp [2011-5-18 247144]
R2 EClient;EClient;c:\program files\ekahau\client\bin\Eclient.exe [2007-5-24 73728]
R2 lcfd;Tivoli Endpoint;c:\tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe [2011-5-18 184320]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2011-8-31 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2011-8-31 147984]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2011-8-31 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-5-18 148520]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-1-20 47104]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-1-20 48128]
R2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-1-20 38400]
R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\mcafee\endpoint encryption for pc\SbClientManager.exe [2009-10-2 380988]
R2 TME10RC;Tivoli Remote Control Service;c:\windows\RCSERV.EXE [2011-5-19 77824]
R2 USBDLM;USBDLM;c:\program files\usbdlm\USBDLM.exe [2007-2-14 116224]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-1-20 113664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2011-5-18 228408]
R3 Eqnmirdd;Eqnmirdd;c:\windows\system32\drivers\Eqnmirdd.sys [2011-5-19 6172]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-23 44800]
R3 KeyEx2;Tivoli Remote Control Keyboard Filter;c:\windows\system32\drivers\KEYEX2.SYS [2011-5-19 5837]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-5-18 180072]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-5-18 59288]
R3 MouEx2;Tivoli Remote Control Pointer Filter;c:\windows\system32\drivers\MOUEX2.SYS [2011-5-19 4638]
S1 NEOFLTR_700_17925;Juniper Networks TDI Filter Driver (NEOFLTR_700_17925);c:\windows\system32\drivers\NEOFLTR_700_17925.SYS [2011-5-31 84336]
S2 NecUsb3;USB3 Service;c:\windows\system32\svchost.exe -k NecUsb3Sevic [2004-8-4 14336]
S2 TRCTARGET;IBM Tivoli Remote Control - Target;c:\program files\ibm\tivoli\remote control\target\trc_base.exe [2008-8-19 344576]
S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\nmgul.sys --> c:\windows\system32\drivers\nmgul.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-5-18 87808]
.
=============== Created Last 30 ================
.
2012-03-29 14:43:37 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a5cab6a-731c-465d-9dcb-13b17c0cd254}\MpKsl26cab2df.sys
2012-03-25 20:17:38 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a5cab6a-731c-465d-9dcb-13b17c0cd254}\mpengine.dll
2012-03-25 20:16:23 -------- d-----w- c:\documents and settings\cdavis65\local settings\application data\PCHealth
2012-03-25 19:54:06 -------- d-----w- c:\windows\147BCE03C0F14C9F81576A89B6D2D973.TMP
2012-03-24 21:35:30 38400 ----a-w- c:\windows\system32\USB3Sw32.dll
2012-03-24 20:55:14 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-03-20 19:44:57 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-20 19:44:57 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-03-11 14:52:23 -------- d-----w- c:\program files\iPod
2012-03-11 14:52:17 -------- d-----w- c:\program files\iTunes
2012-03-11 14:41:59 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2012-03-11 14:41:59 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2012-03-11 14:41:59 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2012-03-11 14:41:59 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2012-03-11 14:41:59 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2012-03-11 14:41:58 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2012-03-11 14:41:58 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2012-03-11 14:38:32 1409 ----a-w- c:\windows\QTFont.for
2012-03-01 15:21:48 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-03-01 15:21:48 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-03-01 15:21:48 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
.
==================== Find3M ====================
.
2012-02-23 13:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-15 15:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 15:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.
============= FINISH: 10:47:15.09 ===============

Farbar Service Scanner Version: 01-03-2012
Ran by cdavis65 (administrator) on 29-03-2012 at 10:48:36
Running from "C:\Documents and Settings\cdavis65\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
The start type of IpSec service is OK.
The ImagePath of IpSec service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.

sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".


System Restore Disabled Policy:
========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=DWORD:1


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-04 08:00] - [2008-04-14 00:49] - 0075264 ____A () 9701A1D6C7F67FD5EF59E32BD28F54D3

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll
[2004-08-04 08:00] - [2008-04-14 05:41] - 0246272 ____A (Microsoft Corporation) 19A799805B24990867B00C120D300C3A

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) mfetdi2k(9) mfetdik(9) NEOFLTR_700_17925(9) NetBT(6) PSched(7) Tcpip(4)
0x09000000050000000100000002000000030000000400000009000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****

#4 nasdaq

  • Malware Response Team
  • 39,954 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 March 2012 - 01:24 PM

Go to Start > Run box and type cmd and hit OK
type
ipconfig /flushdns <-- (The space between g and / is needed) press the Enter key.

repeat with
ipconfig /renew

Then type Exit, hit the Enter key
*/*

If that fails to re-establish your internet connection, continue.

Download LSPfix
Unzip the file to a folder on your desktop.
Double-click to run
Select: (Advanced) "I know what I'm doing"

Then click the FINISH button (important). Restart your computer.

How is it now?

#5 ArtVandalay7

  • Topic Starter
  • Members
  • 29 posts

Posted 29 March 2012 - 03:52 PM

After trying the cmd directions, -> "Windows IP Configuration; An internal error occurred: the request is not supported; Please contact Microsoft Produce Support services for further help; Additional information: unable to query host name"

LSPfix done, computer restarted.

still says signal strength excellent and connected but no internet connection.

(also should mention it takes a much longer time for the computer to log on to Windows than previous to losing internet access...)

#6 nasdaq

  • Malware Response Team
  • 39,954 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 March 2012 - 07:30 AM

Let's look at this file. It may be corrupted.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    ipsec.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#7 ArtVandalay7

  • Topic Starter
  • Members
  • 29 posts

Posted 01 April 2012 - 08:24 AM

Ok thanks, here it is...

SystemLook 30.07.11 by jpshortstuff
Log created at 09:20 on 01/04/2012 by cdavis65
(Limited User)

========== filefind ==========

Searching for "ipsec.sys"
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys --a--c- 74752 bytes [13:15 30/08/2010] [12:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys --a---- 75264 bytes [13:16 30/08/2010] [04:49 14/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [12:00 04/08/2004] [04:49 14/04/2008] 9701A1D6C7F67FD5EF59E32BD28F54D3

-= EOF =-
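An added example, not from this thread and not part of the FSS or SystemLook tools, that parses excerpts of the two logs posted above (FSS.txt from post #3 and SystemLook.txt from post #7). It lists the services FSS reports as not running together with any configuration line FSS did not mark OK, the policy values FSS printed (the firewall-disabling policy here), and, for each file whose MD5 FSS could not match to its known-good list (ipsec.sys), the other copies SystemLook found and whether their hashes differ from the installed copy. The log excerpts are constructed from the posted logs, and the regexes are assumptions about the two tools' line formats read off those logs.

```python
import re

# Constructed excerpts of the two logs posted in this thread (FSS.txt from
# post #3, SystemLook.txt from post #7), embedded so the parsers run offline.
FSS_LOG = r"""Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=DWORD:0

sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-04 08:00] - [2008-04-14 00:49] - 0075264 ____A () 9701A1D6C7F67FD5EF59E32BD28F54D3
"""

SYSTEMLOOK_LOG = r"""Searching for "ipsec.sys"
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys --a--c- 74752 bytes [13:15 30/08/2010] [12:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys --a---- 75264 bytes [13:16 30/08/2010] [04:49 14/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [12:00 04/08/2004] [04:49 14/04/2008] 9701A1D6C7F67FD5EF59E32BD28F54D3
"""

# Line formats are assumptions read off the logs posted in the thread.
SERVICE_RE = re.compile(r"^(\S+) Service is not running\. Checking service configuration:$")
POLICY_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
POLICY_VAL_RE = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')
LEGIT_RE = re.compile(r"^(.+) => MD5 is legit$")
HASH_LINE_RE = re.compile(r"^\[[^\]]*\] - \[[^\]]*\] - \d+ \S+ \(.*\) ([0-9A-Fa-f]{32})$")
SYSLOOK_RE = re.compile(r"^(.+?) \S+ (\d+) bytes \[[^\]]*\] \[[^\]]*\] ([0-9A-Fa-f]{32})$")


def parse_fss(text):
    """Return (services, policies, files) from an FSS.txt log.
    services: name -> configuration lines FSS did not report as OK
    policies: (registry key, value name, DWORD) triples FSS printed
    files:    path -> "legit", or the MD5 FSS printed when it had no match"""
    services, policies, files = {}, [], {}
    current = key = pending = None
    for line in (l.strip() for l in text.splitlines()):
        if (m := SERVICE_RE.match(line)):
            current = m.group(1)
            services[current] = []
            continue
        if current and line.startswith(("The ", "Checking ")):
            if not line.endswith("is OK."):      # e.g. start type Disabled
                services[current].append(line)
            continue
        current = None
        if (m := POLICY_KEY_RE.match(line)):
            key = m.group(1)
        elif key and (m := POLICY_VAL_RE.match(line)):
            policies.append((key, m.group(1), int(m.group(2))))
        elif (m := LEGIT_RE.match(line)):
            files[m.group(1)] = "legit"
        elif pending and (m := HASH_LINE_RE.match(line)):
            files[pending] = m.group(1).upper()  # FSS found no known-good MD5
            pending = None
        elif re.match(r"^[A-Za-z]:\\", line):
            pending = line                       # path printed without a verdict
    return services, policies, files


def parse_systemlook(text):
    """Return [(path, size, md5)] for each hit in a SystemLook :filefind log."""
    matches = (SYSLOOK_RE.match(l.strip()) for l in text.splitlines())
    return [(m.group(1), int(m.group(2)), m.group(3).upper()) for m in matches if m]


def triage(files, hits):
    """For each FSS file without a known-good MD5, list the other copies of the
    same file name SystemLook found, flagging those whose MD5 differs."""
    report = {}
    for path, md5 in files.items():
        if md5 == "legit":
            continue
        name = path.lower().rsplit("\\", 1)[-1]
        report[path] = [(p, h, h != md5) for p, _, h in hits
                        if p.lower().rsplit("\\", 1)[-1] == name
                        and p.lower() != path.lower()]
    return report
```

Calling `triage(parse_fss(FSS_LOG)[2], parse_systemlook(SYSTEMLOOK_LOG))` on these excerpts returns one entry for the installed ipsec.sys with both backup copies flagged as differing, which is the comparison the thread goes on to make by hand. A differing hash only says the copies are not identical; which one is the good version still has to be settled against a trusted source such as the service pack files.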

#8 nasdaq

  • Malware Response Team
  • 39,954 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 April 2012 - 09:38 AM

Boot to safe mode.

Copy the file in bold from this location
C:\WINDOWS\system32\drivers\ipsec.sys

To
C:\ ( the root folder)
===

Copy the file in bold from this location
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys

To this location to replace the current version.

C:\WINDOWS\system32\drivers\ipsec.sys

Restart the computer normally.

How is your internet connection now?

#9 ArtVandalay7

  • Topic Starter
  • Members
  • 29 posts

Posted 01 April 2012 - 10:37 AM

when I attempt to boot into safe mode, it says "we apologize for the inconvenience, but Windows did not start successfully. A recent software or hardware change may have caused this, etc. etc. etc." What to do about that?

#10 nasdaq

  • Malware Response Team
  • 39,954 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 April 2012 - 01:06 PM

Let's try this.

Open Notepad, copy and paste the text below and "Save As" replace.bat
In the "Save as type" select: All Files

Copy C:\WINDOWS\system32\drivers\ipsec.sys c:\
Copy C:\WINDOWS\ServicePackFiles\i386\ipsec.sys C:\WINDOWS\system32\drivers\ipsec.sys


Right click on the replace.bat file and run as Administrator.

This will not take very long. If prompted to replace the file say Yes.
===

Restart the computer normally.

How is it now?

Are you able to Start the Computer in Safe Mode?
If not are you still getting the same error message?

#11 ArtVandalay7

  • Topic Starter
  • Members
  • 29 posts

Posted 01 April 2012 - 05:59 PM

Saved the file to my desktop. However, there is no "run as administrator" option (Windows XP). There is just a very brief flashing of a black box when I try to open it. I restarted the computer; it started MUCH more quickly...however, no internet connection and still the same error message when trying to boot to safe mode...

#12 nasdaq

  • Malware Response Team
  • 39,954 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 April 2012 - 08:42 AM

Please start a new topic in this Networking forum
http://www.bleepingcomputer.com/forums/forum21.html

An expert in that field should be able to give you good advice.

Keep me posted.

#13 ArtVandalay7

  • Topic Starter
  • Members
  • 29 posts

Posted 02 April 2012 - 11:47 PM

hey nasdaq:
the latest is they told me to have my work's IT dept. assist me. I posted this to try to fix this myself b/c I think this is secondary to incurring a virus...any other ideas?

#14 nasdaq

  • Malware Response Team
  • 39,954 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 April 2012 - 08:55 AM

This is the last thing I did not try.
Clean your arp cache.

http://www.tech-faq.com/clear-arp-cache.html

You will find your instructions under this section of the page.
How to Clear ARP Cache in Windows XP, Vista, and 2K

Good luck.



