Windows Firewall Corrupted?


  • This topic is locked
21 replies to this topic

#1 ZekeOhr

Posted 04 June 2012 - 03:08 PM

Continuing my session from here.

(Windows Firewall on the advanced tab:
"The network connection settings have become corrupted. To fix this click restore defaults...."
When I click on restore defaults it does nothing.
Also, the advanced tab of my Local Area Connection properties says, "Windows cannot display the properties of this connection. The Windows Management Instrumentation (WMI) information might be corrupted...."
OS: Windows XP SP3 )


Here is my DDS scan log:

*****************



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Work at 15:50:28 on 2012-06-04
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {75CD0BC5-E317-449C-9FF6-4986B3D48F64} - No File
TB: {A8415B7A-F661-4D31-92D7-4398E50483DF} - No File
uRun: [AdobeBridge]
uRun: [Scan Buttons] c:\program files\newsoft\presto! pagemanager 7.15\Pmsb.exe
uRun: [Google Update] "c:\documents and settings\work\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
uRun: [FreeAC] c:\program files\freealarmclock\FreeAlarmClock.exe -autorun
uRun: [FreeCT] c:\program files\freecountdowntimer\FreeCountdownTimer.exe -autorun
uRun: [ShowDesktop] c:\program files\show desktop\ShowDesktop.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
mRun: [ScreenPrint32] c:\program files\screenprint32 v3\ScreenPrint32.exe -startup
mRun: [LenovoAutoScrollUtility] c:\program files\lenovo\virtscrl\virtscrl.exe
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector10\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector10" updatewithcreateonce "software\cyberlink\powerdirector\10.0"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\work\startm~1\programs\startup\kaluach3.lnk - c:\program files\kaluach3\Kaluach3.exe
StartupFolder: c:\docume~1\work\startm~1\programs\startup\openwide.lnk - c:\program files\openwide\openwide.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\showde~1.lnk - c:\program files\show desktop\ShowDesktop.exe
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoLogoff = 01000000
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {2C2EBBAE-C3F7-47E5-9CFA-19C46D752DA1} - hxxp://192.168.0.6/WebCamX.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280451793500
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280460564203
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.3.16.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D8E71338-2755-4D73-AB34-8A8958B7FC7F} - hxxp://192.168.1.32/WebCamX.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF991872-9158-4570-A7FF-E7DBB6A4B8E9} - hxxp://192.168.1.30/iqweb.ocx
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220
TCP: Interfaces\{43151F5E-56EF-400E-BC9A-637A31426C21} : DhcpNameServer = 208.67.222.222 208.67.220.220
TCP: Interfaces\{6F321D92-7B1C-4580-A70F-B5628A543F83} : DhcpNameServer = 167.206.245.130 167.206.245.129
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences pro\FencesMenu.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli psqlpwd c:\program files\thinkvantage fingerprint software\psqlpwd.dll
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2101-05-21 15:43:56 -------- d-----w- C:\certs
2012-06-04 14:17:29 6737808 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{38496a7f-d222-42da-9b4f-235b946a19f0}\mpengine.dll
2012-05-31 16:01:28 6737808 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-05-25 15:32:06 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2012-05-25 15:32:02 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2012-05-25 15:32:01 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2012-05-25 15:31:57 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2012-05-25 15:31:53 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2012-05-25 15:31:38 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2012-05-25 15:31:34 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2012-05-25 15:31:32 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2012-05-25 15:31:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2012-05-25 15:31:16 8832 ----a-w- c:\windows\system32\dllcache\wmiacpi.sys
2012-05-25 15:31:14 154624 ----a-w- c:\windows\system32\dllcache\wlluc48.sys
2012-05-25 15:31:10 34890 ----a-w- c:\windows\system32\dllcache\wlandrv2.sys
2012-05-25 15:31:01 771581 ----a-w- c:\windows\system32\dllcache\winacisa.sys
2012-05-25 15:29:55 24576 ----a-w- c:\windows\system32\dllcache\viairda.sys
2012-05-25 15:28:59 69632 ----a-w- c:\windows\system32\dllcache\umaxu12.dll
2012-05-25 15:27:56 42496 ----a-w- c:\windows\system32\dllcache\tp4res.dll
2012-05-25 15:26:56 172768 ----a-w- c:\windows\system32\dllcache\t2r4disp.dll
2012-05-25 15:25:58 24660 ----a-w- c:\windows\system32\dllcache\spxupchk.dll
2012-05-25 15:24:59 31744 ----a-w- c:\windows\system32\dllcache\smb6w.dll
2012-05-25 15:23:56 161568 ----a-w- c:\windows\system32\dllcache\sgsmusb.sys
2012-05-25 15:22:56 77824 ----a-w- c:\windows\system32\dllcache\s3sav4m.sys
2012-05-25 15:21:57 37563 ----a-w- c:\windows\system32\dllcache\rlnet5.sys
2012-05-25 15:20:57 17792 ----a-w- c:\windows\system32\dllcache\ppa.sys
2012-05-25 15:19:59 31744 ----a-w- c:\windows\system32\dllcache\pagecnt.dll
2012-05-25 15:18:58 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll
2012-05-25 15:17:57 13664 ----a-w- c:\windows\system32\dllcache\n9i128.sys
2012-05-25 15:16:57 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
2012-05-25 15:15:57 58368 ----a-w- c:\windows\system32\dllcache\m3091dc.dll
2012-05-25 15:14:57 6144 ----a-w- c:\windows\system32\dllcache\kbd106.dll
2012-05-25 15:13:58 20480 ----a-w- c:\windows\system32\dllcache\icam5ext.dll
2012-05-25 15:12:57 391199 ----a-w- c:\windows\system32\dllcache\hsf_k56k.sys
2012-05-25 15:11:57 2688 ----a-w- c:\windows\system32\dllcache\hidswvd.sys
2012-05-25 15:10:57 43520 ----a-w- c:\windows\system32\dllcache\EXCH_fcachdll.dll
2012-05-25 15:09:56 19996 ----a-w- c:\windows\system32\dllcache\em556n4.sys
2012-05-25 15:08:59 614429 ----a-w- c:\windows\system32\dllcache\digiview.exe
2012-05-25 15:07:59 96256 ----a-w- c:\windows\system32\dllcache\ctlsb16.sys
2012-05-25 15:06:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2012-05-25 15:05:59 747392 ----a-w- c:\windows\system32\dllcache\adm8830.sys
2012-05-25 12:48:33 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-05-25 02:03:02 -------- d-----w- c:\windows\Microsoft Antimalware
2012-05-24 21:27:10 -------- d-----w- c:\program files\Microsoft Security Client
2012-05-24 19:20:34 -------- d-----w- c:\documents and settings\work\application data\Malwarebytes
2012-05-24 19:20:09 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-05-24 19:20:08 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-24 19:20:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-24 19:04:21 27424 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-05-24 19:02:27 -------- d-----w- c:\program files\HitmanPro
2012-05-24 18:13:24 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-05-23 19:05:20 -------- d-----w- c:\documents and settings\all users\application data\ODIR
2012-05-23 19:05:05 -------- d-----w- c:\program files\ODIR
.
==================== Find3M ====================
.
2012-05-02 16:33:57 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-03 18:22:03 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-03 18:22:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-21 00:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
============= FINISH: 15:51:54.81 ===============

Attached Files
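As an added example (not part of the original post, and not code from the DDS tool itself), here is a small parser for the "Created Last 30" and "Find3M" sections of a DDS log. It pulls the scan time from the "Run by" line, turns each file line into a record, and flags entries whose timestamp is later than the scan itself, such as the C:\certs directory stamped 2101 above, which a triage analyst would want to look at. The sample text is a handful of lines copied from the log above; the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample: the header and a handful of entries copied from the
# DDS log posted above (the real log has many more lines in each section).
SAMPLE_LOG = """\
DDS (Ver_2011-08-26.01) - NTFSx86
Run by Work at 15:50:28 on 2012-06-04
.
=============== Created Last 30 ================
.
2101-05-21 15:43:56 -------- d-----w- C:\\certs
2012-06-04 14:17:29 6737808 ----a-w- c:\\documents and settings\\all users\\application data\\microsoft\\microsoft antimalware\\definition updates\\{38496a7f-d222-42da-9b4f-235b946a19f0}\\mpengine.dll
2012-05-25 12:48:33 205072 ----a-w- c:\\windows\\system32\\drivers\\tmcomm.sys
2012-05-24 19:20:08 22344 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
.
==================== Find3M ====================
.
2012-04-11 13:14:41 2148352 ----a-w- c:\\windows\\system32\\ntoskrnl.exe
.
============= FINISH: 15:51:54.81 ===============
"""

# One file/directory line: "<date> <time> <size or dashes> <attributes> <path>"
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S{8}) (.+)$")
# Section banners such as "=============== Created Last 30 ================"
SECTION_RE = re.compile(r"^=+ (.+?) =+$")
# "Run by Work at 15:50:28 on 2012-06-04" records when the scan was taken
RUN_RE = re.compile(r"^Run by .+ at (\d{2}:\d{2}:\d{2}) on (\d{4}-\d{2}-\d{2})$")

TRACKED_SECTIONS = {"Created Last 30", "Find3M"}


def get_scan_time(text):
    """Return the scan timestamp from the 'Run by' header line, or None."""
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            return datetime.strptime(m.group(2) + " " + m.group(1), "%Y-%m-%d %H:%M:%S")
    return None


def parse_dds(text):
    """Parse the file-listing sections into dicts (section, when, size, attrs, path)."""
    entries = []
    section = None
    for line in text.splitlines():
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if section not in TRACKED_SECTIONS:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # the "." spacer lines and anything unexpected
        when, size, attrs, path = m.groups()
        entries.append({
            "section": section,
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "size": None if size.startswith("-") else int(size),  # dashes = directory
            "attrs": attrs,
            "is_dir": attrs.startswith("d"),
            "path": path,
        })
    return entries


def future_dated(text):
    """Paths whose timestamp is later than the scan itself (clock tampering or a bad stamp)."""
    scan_at = get_scan_time(text)
    return [e["path"] for e in parse_dds(text) if scan_at and e["when"] > scan_at]


def drivers_created(text):
    """Kernel driver (.sys) files in the listing; always worth a second look on a suspect box."""
    return [e["path"] for e in parse_dds(text) if e["path"].lower().endswith(".sys")]


if __name__ == "__main__":
    print("scan taken:", get_scan_time(SAMPLE_LOG))
    print("future-dated:", future_dated(SAMPLE_LOG))
    print("drivers:", drivers_created(SAMPLE_LOG))
```

Run against the full log pasted above, the future-dated check returns only C:\certs; the driver list is there because newly created .sys files are the first thing to reconcile against what the user actually installed (here the Malwarebytes and HitmanPro installs a few days earlier account for the ones shown).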





#2 m0le (Malware Response Team)

Posted 08 June 2012 - 08:57 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 ZekeOhr (Topic Starter)

Posted 11 June 2012 - 09:45 AM

Yes, ready and waiting!

#4 m0le (Malware Response Team)

Posted 11 June 2012 - 07:40 PM

I've taken a look at the previous topic and can see malware-related symptoms.

The following steps involve registry editing. Please create a new restore point before proceeding.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


Please go to Start and then Run, type regedit and click OK.

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

Right-Click Root and select Permissions...

Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.

Click Apply and OK.

Download XP.zip file from here:

Unzip it.

You'll find several files inside.

Double-click legacy_wscsvc.reg and confirm the prompt.
Double-click wscsvc.reg and confirm the prompt.

Please go back to the Root key again and, while Everyone is selected, remove the check mark in the box under Allow next to Full Control, then close the registry editor.

Restart computer.

Now post a new FSS log.

#5 ZekeOhr (Topic Starter)

Posted 12 June 2012 - 08:43 AM

Farbar Service Scanner Version: 27-05-2012
Ran by Work (administrator) on 12-06-2012 at 09:42:49
Running from "T:\Downloads from Chrome"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit


**** End of log ****

#6 m0le (Malware Response Team)

Posted 12 June 2012 - 06:38 PM

Your registry has been damaged and usually it would be safe to reinstall the firewall, but we'll try a repairer first just in case it's mendable. The FSS log shows there are no registry problems with the Firewall, so that's encouraging.

Download the Firewall Repairer from Tweaking.com

Run the program by pressing Start and when it's completed let me know if that has fixed it.

#7 ZekeOhr (Topic Starter)

Posted 13 June 2012 - 09:36 AM

Windows firewall is still showing the message as in attached photo. Also, I forgot to tell you that after running the two files (legacy_wscsvc.reg and wscsvc.reg), my windows security alert showed red on the system tray.

Thank you!

Attached Files



#8 m0le (Malware Response Team)

Posted 14 June 2012 - 01:13 PM

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#9 ZekeOhr (Topic Starter)

Posted 14 June 2012 - 01:47 PM

Farbar Service Scanner Version: 27-05-2012
Ran by Work (administrator) on 14-06-2012 at 14:54:18
Running from "T:\Downloads from Chrome"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit


**** End of log ****

Edited by ZekeOhr, 14 June 2012 - 01:54 PM.


#10 m0le (Malware Response Team)

Posted 14 June 2012 - 05:07 PM

The FSS log shows no problems with the firewall which is really strange.

Try this:

Click Start and then click Run

Type CMD into the Search box and then click OK

Type rundll32 setupapi,InstallHinfSection Ndi-Steelhead 132 %windir%\inf\netrass.inf within the command prompt and then press Enter

Type netsh firewall reset and then press Enter

Click Start and then click Control Panel

Double-click the Windows Firewall icon from the list displayed. You will be asked if you wish to restart the Windows Firewall service. Select Yes

#11 ZekeOhr (Topic Starter)

Posted 15 June 2012 - 10:05 AM

My command results:
C:\>rundll32 setupapi,InstallHinfSection Ndi-Steelhead 132 %windir%\inf\netrass.inf

C:\>netsh firewall reset

WARNING: Could not obtain host information from machine: [SWITCH]. Some commands
may not be available.
The specified module could not be found.

Ok.

------------------------------------------------

Then, when I opened the Windows Firewall service it didn't prompt me for anything. It was already on.

#12 m0le (Malware Response Team)

Posted 15 June 2012 - 07:16 PM

The firewall seems to be running but failing. We're going to have to check some settings

Go to Start - Run - type in services.msc and click OK.

Scroll down the list to the RPC (Remote Procedure Call) service and double click on it to open it. Let us know what the status is as well as the startup type please.

#13 ZekeOhr (Topic Starter)

Posted 18 June 2012 - 10:08 AM

Remote Procedure Call (RPC) = Started, Automatic

(Note: Remote Procedure Call (RPC) "Locator" = Not started, Manual)

#14 m0le (Malware Response Team)

Posted 18 June 2012 - 06:29 PM

That looks OK.

Go to Start, then Run and type in eventvwr.msc and click OK.

Look under both "application" and "system" for errors indicated in red. Double click each one to open it and then click on the icon that looks like two pieces of paper. This will copy it to the clipboard. Then copy and paste them here please.

Edited by m0le, 18 June 2012 - 06:30 PM.


#15 ZekeOhr (Topic Starter)

Posted 19 June 2012 - 09:55 AM

Event Type: Error
Event Source: SecurityCenter
Event Category: None
Event ID: 1802
Date: 6/18/2012
Time: 10:10:32 AM
User: N/A
Computer: SWITCH
Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7e 00 07 80 ~..€

Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 28
Date: 6/18/2012
Time: 10:09:39 AM
User: N/A
Computer: SWITCH
Description:
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: .NET Runtime Optimization Service
Event Category: None
Event ID: 1103
Date: 6/15/2012
Time: 10:35:23 AM
User: N/A
Computer: SWITCH
Description:
.NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: SecurityCenter
Event Category: None
Event ID: 1802
Date: 6/15/2012
Time: 10:33:38 AM
User: N/A
Computer: SWITCH
Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7e 00 07 80 ~..€

Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 28
Date: 6/15/2012
Time: 10:33:14 AM
User: N/A
Computer: SWITCH
Description:
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: SecurityCenter
Event Category: None
Event ID: 1802
Date: 6/12/2012
Time: 9:33:29 AM
User: N/A
Computer: SWITCH
Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7e 00 07 80 ~..€
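The two error sources pasted above describe one failure from two sides: WinMgmt event 28 says the WMI service could not initialise its core, and a minute later Security Center event 1802 says it could not set up its WMI event queries, which is exactly what it needs to monitor the firewall and antivirus. The Data bytes on the 1802 records, read as a little-endian HRESULT, are 0x8007007E, the Win32 error "The specified module could not be found", the same message netsh printed in post #11. As an added example (not part of the original thread, and not a Microsoft tool), the script below parses Event Viewer text in the copied-to-clipboard layout shown above, decodes the Data bytes, and reports for each 1802 whether a WinMgmt 28 on the same computer preceded it. The 120-second pairing window and the function names are my own assumptions; the sample records are copied from the post above with the glyph rendering at the end of the Data lines trimmed.

```python
import re
from datetime import datetime

# Constructed sample: three records copied from the Event Viewer output above.
SAMPLE_EVENTS = """\
Event Type: Error
Event Source: SecurityCenter
Event Category: None
Event ID: 1802
Date: 6/18/2012
Time: 10:10:32 AM
User: N/A
Computer: SWITCH
Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Data:
0000: 7e 00 07 80

Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 28
Date: 6/18/2012
Time: 10:09:39 AM
User: N/A
Computer: SWITCH
Description:
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Event Type: Error
Event Source: SecurityCenter
Event Category: None
Event ID: 1802
Date: 6/12/2012
Time: 9:33:29 AM
User: N/A
Computer: SWITCH
Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Data:
0000: 7e 00 07 80
"""

FIELD_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer): ?(.*)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]{2}$")
# Win32 error codes that an HRESULT with facility 7 (FACILITY_WIN32) wraps; only the one seen here.
WIN32_NAMES = {126: "ERROR_MOD_NOT_FOUND: The specified module could not be found"}


def parse_events(text):
    """Split clipboard-style Event Viewer text into dicts with parsed time and Data bytes."""
    events, cur, mode = [], None, None
    for line in text.splitlines():
        if line.startswith("Event Type:"):           # every record starts with this key
            cur = {"description": "", "data": b""}
            events.append(cur)
            mode = None
        if cur is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            cur[m.group(1).lower().replace(" ", "_")] = m.group(2).strip()
            continue
        if line == "Description:":
            mode = "desc"
            continue
        if line == "Data:":
            mode = "data"
            continue
        if mode == "desc":
            if not line.strip() or line.startswith("For more information"):
                mode = None                            # description ends at the blank line / help link
            else:
                cur["description"] += line
        elif mode == "data":
            parts = line.split()
            if parts and re.fullmatch(r"[0-9a-fA-F]{4}:", parts[0]):
                for tok in parts[1:]:
                    if not HEX_RE.match(tok):
                        break                          # the ASCII rendering column follows the bytes
                    cur["data"] += bytes([int(tok, 16)])
    for e in events:
        e["when"] = datetime.strptime(e["date"] + " " + e["time"], "%m/%d/%Y %I:%M:%S %p")
        e["event_id"] = int(e["event_id"])
    return events


def hresult(data):
    """The Data bytes on these records hold a little-endian HRESULT; None if absent."""
    return int.from_bytes(data[:4], "little") if len(data) >= 4 else None


def describe_hresult(code):
    if code is None:
        return "no data"
    if (code >> 16) & 0x1FFF == 7:                    # facility 7: low 16 bits are a Win32 error
        win32 = code & 0xFFFF
        return WIN32_NAMES.get(win32, "Win32 error %d" % win32)
    return "HRESULT 0x%08X" % code


def correlate(events, window_seconds=120):
    """For each SecurityCenter 1802, note whether a WinMgmt 28 on the same host preceded it."""
    wmi_failures = [e for e in events if e["event_source"] == "WinMgmt" and e["event_id"] == 28]
    findings = []
    for e in events:
        if not (e["event_source"] == "SecurityCenter" and e["event_id"] == 1802):
            continue
        cause = None
        for w in wmi_failures:
            delta = (e["when"] - w["when"]).total_seconds()
            if w["computer"] == e["computer"] and 0 <= delta <= window_seconds:
                cause = w["when"].isoformat()
        code = hresult(e["data"])
        findings.append({
            "when": e["when"].isoformat(),
            "hresult": "0x%08X" % code if code is not None else None,
            "meaning": describe_hresult(code),
            "wmi_failure_before": cause,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_EVENTS)):
        print(f)
```

With the full set of events from the post, every 1802 on 6/15 and 6/18 is paired with a WinMgmt 28 less than a minute earlier, which points the repair at the WMI service and its repository rather than at the firewall service that the earlier FSS logs already showed to be intact.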



