ZeroAccess rootkit (latest rev). Need assistance desperately.


12 replies to this topic

#1 unwillingmark

unwillingmark

  • Members
  • 26 posts
  • Local time:07:24 AM

Posted 12 May 2012 - 03:37 PM

I have two new Dell systems and they both have ZeroAccess rootkits. The level of self-preservation is amazing in the latest rev. Both systems have been re-installed, but the rootkit will not allow me access to either boot sector.

Avira is the only scan that picks up when the code alters the executable code of every single security software I install. It says the infection is TR/Crypt.Ulpm.Gen. I have been able to clean prior machines with Zero Access, but no more. I need professional help, BIG TIME!! I have never seen anything like this before.

I need to clean both my Dell XPS laptop running Windows Ultimate and my Dell XPS running Windows Home.

I am ready when the next available slayer is available. Both machines are coming up in a version of Windows generated in the alternate file system. Everything is encrypted and most Windows system files that show are dynamically compiled and unsigned and being generated by the rootkit on the fly. I would like to focus on the laptop first. Attached are the DDS and OTL logs for it. This is a brand new clean Win 7 Ultimate install. I have also installed the device drivers.

Thank you in advance for your attention.

Bob


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,259 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:24 AM

Posted 14 May 2012 - 08:40 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download TDSSKiller.zip

  • Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

p.s.
To save you time I suggest you start a new topic for the other computer.
We do not provide advice for 2 computers in the same topic.

When you have posted it, post the link in this topic and I will expedite the matter.

#3 unwillingmark

unwillingmark
  • Topic Starter

  • Members
  • 26 posts
  • Local time:07:24 AM

Posted 14 May 2012 - 01:19 PM

Hello, and thank you for your assistance.

I ran TDSSKiller to get you a log and it denied TCP/IP services, and ran Avast and got you an MBR.dat file and log, so I had to burn a CD and ferry it to my MacBook Pro to get it to you. Very weird... I inserted the CD into my MacBook and it froze my ESET for Mac after it read it (presumably the MBR of the CD). Now it will not allow me to scan the CD. It says it already has scanned them and will not scan them again. ...a pretty aggressive piece of code indeed.


TDSSKiller, of course, ran through the scan with no problems, as did Avast.

I have included the zipped mbr for you as requested.

I will have my desktop request inserted into the queue in a few minutes.

Thanks much.

#4 unwillingmark

unwillingmark
  • Topic Starter

  • Members
  • 26 posts
  • Local time:07:24 AM

Posted 14 May 2012 - 03:04 PM

Hi NASDAQ,

Here is the requested queue link: 2nd System Link

Thanks much,

Bob

Edited by unwillingmark, 14 May 2012 - 03:04 PM.


#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,259 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:24 AM

Posted 15 May 2012 - 07:43 AM

The logs are clean.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

#6 unwillingmark

unwillingmark
  • Topic Starter

  • Members
  • 26 posts
  • Local time:07:24 AM

Posted 15 May 2012 - 11:05 AM

Hi Nasdaq,

I ran ComboFix, and the system rebooted. I now have network connectivity, it looks like, but of course I cannot click any application on my desktop because ComboFix has removed all the symbolic links. Do you want me to Task Manager > Restart? I'm sending this from my iPad. When I get the ability to post the ComboFix log, I will. What do you want me to do?

#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,259 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:24 AM

Posted 15 May 2012 - 01:25 PM

Restart once more.

I need to see the ComboFix log to find out what was removed.

If any good we can restore them...

#8 unwillingmark

unwillingmark
  • Topic Starter

  • Members
  • 26 posts
  • Local time:07:24 AM

Posted 15 May 2012 - 03:28 PM

I lost my Internet connectivity after the second reboot after ComboFix.

Here is the requested ComboFix log. Sorry, I had to zip it... size constraint.

#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,259 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:24 AM

Posted 16 May 2012 - 06:31 AM

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • List content of Hosts
  • List IP Configuration
  • List Last 10 Event Viewer Errors
  • List Users, Partitions and Memory Size
Click Go and copy/paste the log (Result.txt) into your next post.

If you still have no internet access, run this tool also.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#10 unwillingmark

unwillingmark
  • Topic Starter

  • Members
  • 26 posts
  • Local time:07:24 AM

Posted 16 May 2012 - 10:59 AM

Here are the two logs:

MiniToolBox by Farbar Version: 18-01-2012
Ran by master1 (administrator) on 16-05-2012 at 11:03:08
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Intel® WiFi Link 1000 BGN = Wireless Network Connection (Connected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Hardware not present)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 3 (Hardware not present)
Realtek PCIe GBE Family Controller = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : GRAPHICS
Primary Dns Suffix . . . . . . . : Pallette1
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Pallette1

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 84-8F-69-BF-B1-F4
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® WiFi Link 1000 BGN
Physical Address. . . . . . . . . : 74-E5-0B-E3-A1-18
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.9.41(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, May 16, 2012 11:01:20 AM
Lease Expires . . . . . . . . . . : Wednesday, May 16, 2012 12:01:20 PM
Default Gateway . . . . . . . . . : 192.168.9.1
DHCP Server . . . . . . . . . . . : 192.168.9.1
DNS Servers . . . . . . . . . . . : 192.168.9.1
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{705A91C2-025B-4FD7-B47D-826663B398A1}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{EBE5C1F8-A730-4776-9C2F-8DF57A697064}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:3cb2:3232:3f57:f6d6(Preferred)
Link-local IPv6 Address . . . . . : fe80::3cb2:3232:3f57:f6d6%17(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: UnKnown
Address: 192.168.9.1

Name: google.com
Addresses: 74.125.134.138
74.125.134.139
74.125.134.100
74.125.134.101
74.125.134.102
74.125.134.113


Pinging google.com [74.125.134.138] with 32 bytes of data:
Reply from 74.125.134.138: bytes=32 time=39ms TTL=50
Reply from 74.125.134.138: bytes=32 time=34ms TTL=50

Ping statistics for 74.125.134.138:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 34ms, Maximum = 39ms, Average = 36ms
Server: UnKnown
Address: 192.168.9.1

Name: yahoo.com
Addresses: 98.139.183.24
209.191.122.70
72.30.38.140


Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=408ms TTL=52
Reply from 98.139.183.24: bytes=32 time=377ms TTL=51

Ping statistics for 98.139.183.24:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 377ms, Maximum = 408ms, Average = 392ms
Server: UnKnown
Address: 192.168.9.1

Name: bleepingcomputer.com
Address: 208.43.87.2


Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
15...84 8f 69 bf b1 f4 ......Realtek PCIe GBE Family Controller
11...74 e5 0b e3 a1 18 ......Intel® WiFi Link 1000 BGN
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
17...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.9.1 192.168.9.41 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.9.0 255.255.255.0 On-link 192.168.9.41 281
192.168.9.41 255.255.255.255 On-link 192.168.9.41 281
192.168.9.255 255.255.255.255 On-link 192.168.9.41 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.9.41 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.9.41 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
17 58 ::/0 On-link
1 306 ::1/128 On-link
17 58 2001::/32 On-link
17 306 2001:0:5ef5:79fb:3cb2:3232:3f57:f6d6/128 On-link
17 306 fe80::/64 On-link
17 306 fe80::3cb2:3232:3f57:f6d6/128 On-link
1 306 ff00::/8 On-link
17 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (05/16/2012 06:32:59 AM) (Source: Software Protection Platform Service) (User: )
Description: Acquisition of genuine ticket failed (hr=0x80072EE7) for template Id 66c92734-d682-4d71-983e-d6ec3f16059f

Error: (05/16/2012 06:32:59 AM) (Source: Software Protection Platform Service) (User: )
Description: License acquisition failure details.
hr=0x80072EE7

Error: (05/16/2012 04:32:32 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/16/2012 04:31:42 AM) (Source: Application Error) (User: )
Description: Faulting application name: IAStorDataMgrSvc.exe, version: 10.1.2.1004, time stamp: 0x4d2e5bd1
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x74056c9c
Faulting process id: 0x210
Faulting application start time: 0xIAStorDataMgrSvc.exe0
Faulting application path: IAStorDataMgrSvc.exe1
Faulting module path: IAStorDataMgrSvc.exe2
Report Id: IAStorDataMgrSvc.exe3

Error: (05/15/2012 01:50:19 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (05/15/2012 01:50:19 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (05/15/2012 01:40:18 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/15/2012 11:38:15 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/14/2012 01:36:29 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/14/2012 01:15:08 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (05/16/2012 04:35:33 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
Description: Installation Failure: Windows failed to install the following update with error 0x80242016: Update for Internet Explorer 8 Compatibility View List for Windows 7 for x64-based Systems (KB2598845).

Error: (05/16/2012 04:35:33 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
Description: Installation Failure: Windows failed to install the following update with error 0x80242016: Update for Windows 7 for x64-based Systems (KB2632503).

Error: (05/16/2012 04:35:33 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
Description: Installation Failure: Windows failed to install the following update with error 0x80242016: Security Update for Internet Explorer 8 for Windows 7 for x64-based Systems (KB2544521).

Error: (05/16/2012 04:33:04 AM) (Source: Service Control Manager) (User: )
Description: The Windows Modules Installer service terminated with the following error:
%%16405

Error: (05/16/2012 04:31:43 AM) (Source: Service Control Manager) (User: )
Description: The Intel® Rapid Storage Technology service terminated unexpectedly. It has done this 1 time(s).

Error: (05/15/2012 11:38:10 AM) (Source: Service Control Manager) (User: )
Description: The Windows Defender service terminated with the following error:
%%126

Error: (05/15/2012 11:37:16 AM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (05/15/2012 11:36:18 AM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (05/14/2012 04:56:00 AM) (Source: DCOM) (User: )
Description: 1084wuauserv{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error: (05/13/2012 09:03:00 PM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}


Microsoft Office Sessions:
=========================
Error: (05/16/2012 06:32:59 AM) (Source: Software Protection Platform Service)(User: )
Description: hr=0x80072EE766c92734-d682-4d71-983e-d6ec3f16059f

Error: (05/16/2012 06:32:59 AM) (Source: Software Protection Platform Service)(User: )
Description: hr=0x80072EE700010001(0x00000000, 06:32:59:118 - http://go.microsoft.com/fwlink/?LinkId=151642)
00020001(0x00000000, 06:32:59:118)
00030001(0x00000000, 06:32:59:118 - http://go.microsoft.com)
00030002(0x00000000, 06:32:59:118 - 0)
00040001(0x00000000, 06:32:59:118 - http://go.microsoft.com)
00040002(0x00000000, 06:32:59:118 - 1, <NULL>, <NULL>, <NULL>)
00040004(0x80072F94, 06:32:59:134 - <NULL>)
00040006(0x00000000, 06:32:59:134 - 1, http://go.microsoft.com, <NULL>, <local>)
00020005(0x00000000, 06:32:59:134 - 0)
00020007(0x80072EE7, 06:32:59:134)
00010002(0x80072EE7, 06:32:59:134 - <NULL>)
00010003(0x80072EE7, 06:32:59:134)

Error: (05/16/2012 04:32:32 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/16/2012 04:31:42 AM) (Source: Application Error)(User: )
Description: IAStorDataMgrSvc.exe10.1.2.10044d2e5bd1unknown0.0.0.000000000c000000574056c9c21001cd32c213a1b8cfC:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exeunknown8fcb197f-9f31-11e1-88ab-848f69bfb1f4

Error: (05/15/2012 01:50:19 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (05/15/2012 01:50:19 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (05/15/2012 01:40:18 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/15/2012 11:38:15 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/14/2012 01:36:29 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/14/2012 01:15:08 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


========================= Memory info: ===================================

Percentage of memory in use: 19%
Total physical RAM: 8086.17 MB
Available physical RAM: 6529.98 MB
Total Pagefile: 16170.53 MB
Available Pagefile: 14571.1 MB
Total Virtual: 4095.88 MB
Available Virtual: 3976.34 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:698.44 GB) (Free:672.08 GB) NTFS
3 Drive e: () (Removable) (Total:7.45 GB) (Free:7.39 GB) NTFS

========================= Users: ========================================

User accounts for \\GRAPHICS

Administrator Guest master1


**** End of log ****


Farbar Service Scanner Version: 11-05-2012
Ran by master1 (administrator) on 16-05-2012 at 11:09:13
Running from "C:\Users\master1\Desktop"
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
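The two logs above (the MiniToolBox and FSS output that post #9 asked for) are the kind a helper reads by eye. The following Python triage helper is an added example, not a tool from this thread or from Farbar: it pulls the same signals out of constructed excerpts written in the MiniToolBox and FSS formats, namely Service Control Manager terminations of security-relevant services, Windows Update installation failures, and any File Check line not reported as "MD5 is legit". The list of security-relevant service names and the wording of the mismatch line in the FSS sample are assumptions.

```python
"""Triage helper for the two Farbar logs posted above (MiniToolBox Result.txt
and FSS.txt). It extracts the signals a malware helper checks first:
  - Service Control Manager errors for security-relevant services
  - Windows Update installation failures (KB number and error code)
  - FSS "File Check" entries that are not reported as "MD5 is legit"
The log excerpts below are constructed to mirror the thread's logs."""
import re

# Constructed excerpt in the MiniToolBox event-log format shown above.
MINITOOLBOX_SAMPLE = """\
Error: (05/16/2012 04:35:33 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
Description: Installation Failure: Windows failed to install the following update with error 0x80242016: Security Update for Internet Explorer 8 for Windows 7 for x64-based Systems (KB2544521).

Error: (05/15/2012 11:38:10 AM) (Source: Service Control Manager) (User: )
Description: The Windows Defender service terminated with the following error:
%%126

Error: (05/16/2012 04:31:43 AM) (Source: Service Control Manager) (User: )
Description: The Intel Rapid Storage Technology service terminated unexpectedly. It has done this 1 time(s).
"""

# Constructed FSS excerpt. The last line is a made-up mismatch (FSS's real
# wording for a bad hash may differ); anything but "MD5 is legit" is flagged.
FSS_SAMPLE = """\
File Check:
========
C:\\Windows\\System32\\drivers\\afd.sys => MD5 is legit
C:\\Windows\\System32\\Drivers\\tcpip.sys => MD5 is legit
C:\\Windows\\System32\\wscsvc.dll => MD5 is legit
C:\\Windows\\System32\\drivers\\tdx.sys => (constructed: MD5 mismatch)
"""

ERROR_RE = re.compile(r"^Error: \((?P<ts>[^)]*)\) \(Source: (?P<src>[^)]*)\)")
SERVICE_RE = re.compile(r"The (?P<svc>.+?) service terminated")
UPDATE_RE = re.compile(r"with error (?P<code>0x[0-9A-Fa-f]+):.*\((?P<kb>KB\d+)\)")
# Services whose termination matters during a malware cleanup (assumed list).
SECURITY_SERVICES = ("Windows Defender", "Windows Firewall", "Security Center",
                     "Base Filtering Engine", "Windows Update")


def parse_events(text):
    """Turn 'Error: (...) (Source: ...)' blocks into dicts. The multi-line
    description is joined into one string with the 'Description:' prefix removed."""
    events, current = [], None
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            current = {"ts": m.group("ts"), "source": m.group("src"), "description": ""}
            events.append(current)
        elif current is not None and line.strip():
            part = line.strip()
            if part.startswith("Description:"):
                part = part[len("Description:"):].strip()
            current["description"] = (current["description"] + " " + part).strip()
    return events


def service_terminations(events):
    """List (service, security_relevant) for every SCM termination error."""
    out = []
    for e in events:
        if e["source"] != "Service Control Manager":
            continue
        m = SERVICE_RE.search(e["description"])
        if m:
            svc = m.group("svc")
            out.append((svc, any(svc.startswith(s) for s in SECURITY_SERVICES)))
    return out


def update_failures(events):
    """List (KB number, error code) for Windows Update installation failures."""
    out = []
    for e in events:
        if "WindowsUpdateClient" not in e["source"]:
            continue
        m = UPDATE_RE.search(e["description"])
        if m:
            out.append((m.group("kb"), m.group("code")))
    return out


def file_check_mismatches(fss_text):
    """Return (path, status) for each File Check line whose status is not 'MD5 is legit'."""
    out, in_section = [], False
    for line in fss_text.splitlines():
        if line.startswith("File Check:"):
            in_section = True
            continue
        if in_section and "=>" in line:
            path, status = (s.strip() for s in line.split("=>", 1))
            if status != "MD5 is legit":
                out.append((path, status))
    return out


if __name__ == "__main__":
    ev = parse_events(MINITOOLBOX_SAMPLE)
    print("service terminations:", service_terminations(ev))
    print("update failures:", update_failures(ev))
    print("file check mismatches:", file_check_mismatches(FSS_SAMPLE))
```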

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,259 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:24 AM

Posted 16 May 2012 - 12:50 PM

Fix Winsock Manually on Windows 7

1. Open the command line utility (open the Run box, type cmd, and click OK).

The DOS prompt will be seen.

Type the following at the prompt and hit the Enter key after each entry:

netsh winsock reset

netsh winsock reset catalog

netsh int ip reset reset.log


p.s. I think you can copy and paste each line at the DOS prompt. Hit the Enter key.

When all done type EXIT hit the enter key.

Restart the computer normally.

How is it now?

#12 unwillingmark

unwillingmark
  • Topic Starter

  • Members
  • 26 posts
  • Local time:07:24 AM

Posted 17 May 2012 - 07:53 AM

It's working great. I installed the rest of the factory drivers from Dell and installed a fresh registered copy of ESET Antivirus. Gonna put Malwarebytes on there for good measure too.

#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,259 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:24 AM

Posted 17 May 2012 - 08:13 AM

Glad we could help.

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.



