Unable to access Internet after rootkit removal


32 replies to this topic

#1 Don K K
  • Members
  • 38 posts

Posted 11 July 2012 - 11:52 AM

I am helping a friend who is unable to access the Internet with his computer. We have tried IE, Chrome, and Firefox, but with all three, the browser window opens, the window title changes to the web site name, the status bar shows updates such as "Web site found." or "connecting to IP address", but after some point the connection evidently times out, and we get "web page cannot be displayed." I have run Malwarebytes and Microsoft Security Essentials, but nothing was found. (I had to manually update both). I ran TDSSKiller and it did find an infection. Subsequent runs found nothing. I am beginning to think that there is still a rootkit, or some other malware that is hidden from Malwarebytes. Here is the DDS log.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Bill at 18:46:15 on 2012-07-10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.155 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {1340C00E-B1FF-4117-B993-E58FF774A605} - hxxp://www.playrealbaseball.com/include/launchRBO_v1.1.0.0.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235576987612
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{8DB93102-3E82-493A-B435-CAFAF162BDBD} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bill\application data\mozilla\firefox\profiles\e5j4nr6x.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\bill\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-7-1 54752]
S2 NAVAPEL;NAVAPEL;\??\c:\program files\navnt\navapel.sys --> c:\program files\navnt\NAVAPEL.SYS [?]
S2 RPCM;Remote Procedure Manager(TPM);c:\program files\common files\microsoft shared\speech\csvde.exe --> c:\program files\common files\microsoft shared\speech\csvde.exe [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-7-5 113120]
S3 NAVAP;NAVAP;\??\c:\program files\navnt\navap.sys --> c:\program files\navnt\NAVAP.sys [?]
S3 PORTMON;PORTMON;\??\c:\sys\portmsys.sys --> c:\sys\PORTMSYS.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2012-07-10 20:31:07 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2012-07-10 20:10:04 0 ----a-w- c:\windows\system32\REN13.tmp
2012-07-10 20:10:04 0 ----a-w- c:\windows\system32\REN12.tmp
2012-07-10 19:11:02 88892788 ----a-w- c:\windows\PreSymantecRemoval.reg
2012-07-10 17:06:12 -------- d-----w- C:\drvrtmp
2012-07-06 00:07:22 -------- d-----w- c:\program files\Microsoft ATS
2012-07-05 19:01:06 -------- d-----w- c:\program files\ACW
2012-07-03 20:55:56 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2012-07-03 20:55:53 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2012-07-03 20:55:52 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2012-07-03 20:55:48 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2012-07-03 20:55:43 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2012-07-03 20:55:35 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2012-07-03 20:55:15 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2012-07-03 20:55:12 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2012-07-03 20:55:03 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2012-07-03 20:55:01 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2012-07-03 20:54:12 8832 ----a-w- c:\windows\system32\dllcache\wmiacpi.sys
2012-07-03 20:54:06 154624 ----a-w- c:\windows\system32\dllcache\wlluc48.sys
2012-07-03 20:54:02 34890 ----a-w- c:\windows\system32\dllcache\wlandrv2.sys
2012-07-03 20:52:58 397502 ----a-w- c:\windows\system32\dllcache\vpctcom.sys
2012-07-03 20:51:57 94720 ----a-w- c:\windows\system32\dllcache\umaxud32.dll
2012-07-03 20:50:59 315520 ----a-w- c:\windows\system32\dllcache\trid3d.dll
2012-07-03 20:49:59 36640 ----a-w- c:\windows\system32\dllcache\t2r4mini.sys
2012-07-03 20:48:59 24660 ----a-w- c:\windows\system32\dllcache\spxupchk.dll
2012-07-03 20:47:59 45568 ----a-w- c:\windows\system32\dllcache\smb3w.dll
2012-07-03 20:46:52 161568 ----a-w- c:\windows\system32\dllcache\sgsmusb.sys
2012-07-03 20:45:57 75392 ----a-w- c:\windows\system32\dllcache\s3savmxm.sys
2012-07-03 20:44:57 79104 ----a-w- c:\windows\system32\dllcache\rocket.sys
2012-07-03 20:43:57 35328 ----a-w- c:\windows\system32\dllcache\psisload.dll
2012-07-03 20:42:58 26153 ----a-w- c:\windows\system32\dllcache\pcmlm56.sys
2012-07-03 20:41:53 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys
2012-07-03 20:40:58 15872 ----a-w- c:\windows\system32\dllcache\ne2000.sys
2012-07-03 20:39:55 49024 ----a-w- c:\windows\system32\dllcache\mstape.sys
2012-07-03 20:39:50 12416 ----a-w- c:\windows\system32\dllcache\msriffwv.sys
2012-07-03 20:39:39 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2012-07-03 20:39:36 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys
2012-07-03 20:39:35 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll
2012-07-03 15:03:45 -------- d-----w- c:\program files\Microsoft Network Monitor 3
2012-07-02 20:25:29 6762896 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8183c216-5d3e-4dd0-bc1a-522ed58f8d75}\mpengine.dll
2012-07-02 17:52:15 -------- d-----w- c:\program files\Trend Micro
2012-06-30 20:50:58 -------- d-----w- c:\documents and settings\all users\application data\Sophos
2012-06-30 18:50:20 -------- d-----w- C:\Sys
2012-06-29 23:21:32 208896 ----a-w- c:\windows\MBR.exe
2012-06-29 23:21:31 98816 ----a-w- c:\windows\sed.exe
2012-06-29 23:21:31 518144 ----a-w- c:\windows\SWREG.exe
2012-06-29 23:21:31 256000 ----a-w- c:\windows\PEV.exe
2012-06-29 17:24:30 475648 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.3.1.scr
2012-06-29 17:24:30 1061888 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.3.1.exe
2012-06-29 17:24:29 -------- d-----w- c:\program files\MyDefrag v4.3.1
2012-06-29 16:06:07 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
2012-06-29 16:06:04 6016 ----a-w- c:\windows\system32\dllcache\msfsio.sys
2012-06-29 16:04:59 26442 ----a-w- c:\windows\system32\dllcache\lanepic5.sys
2012-06-29 16:03:58 100992 ----a-w- c:\windows\system32\dllcache\icam5usb.sys
2012-06-29 16:02:58 289887 ----a-w- c:\windows\system32\dllcache\hsf_fall.sys
2012-06-29 16:01:58 454912 ----a-w- c:\windows\system32\dllcache\fxusbase.sys
2012-06-29 16:00:59 61952 ----a-w- c:\windows\system32\dllcache\eqnloop.exe
2012-06-29 15:59:59 6729 ----a-w- c:\windows\system32\dllcache\disrvci.dll
2012-06-29 15:58:59 44032 ----a-w- c:\windows\system32\dllcache\cnusd.dll
2012-06-29 15:57:59 871388 ----a-w- c:\windows\system32\dllcache\bcmdm.sys
2012-06-29 15:26:20 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2012-06-29 15:21:47 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-29 14:52:50 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-29 14:52:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
.
============= FINISH: 18:48:38.21 ===============

I will attach attach.txt, ark.txt and the first TDSSKiller log that found the rootkit. I have screenshots of the browser window during its opening as well as after the "webpage cannot be displayed" if that will help.

Thank you in advance for your time and help.
Don
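The SERVICES / DRIVERS section of the DDS log above (and the S2/S3 lines in ComboFix output, which use the same layout) is what a helper reads first when a removed rootkit leaves broken entries behind. The following is an added example, not part of this thread and not code from the DDS or ComboFix tools: a small parser that pulls out each service's start type, image path and file info, and flags entries whose image could not be read or lives outside the usual directories. It assumes that the trailing `[?]` means DDS could not stat the image file (an assumption about DDS output, not documented behaviour); the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass, field

# One DDS / ComboFix service line looks like:
#   R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
#   S3 PORTMON;PORTMON;\??\c:\sys\portmsys.sys --> c:\sys\PORTMSYS.SYS [?]
# R/S = running/stopped, the digit is the service start type (0 boot .. 4 disabled),
# then name;display name;image path, and finally "[date size]" or "[?]".
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<info>[^\]]*)\]\s*$"
)

# Directories where a service or driver image is unremarkable on this XP box.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class ServiceEntry:
    state: str
    start_type: int
    name: str
    display: str
    image: str        # resolved image path (right-hand side of '-->' when present)
    file_info: str    # "date size" when the file could be read, "?" otherwise (assumption)
    findings: list = field(default_factory=list)


def parse_service_line(line):
    """Return a ServiceEntry for a service/driver line, or None for any other log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    # DDS prints "registry ImagePath --> resolved path"; keep the resolved one.
    if "-->" in path:
        path = path.split("-->")[-1].strip()
    return ServiceEntry(m.group("state"), int(m.group("start")), m.group("name"),
                        m.group("display"), path, m.group("info").strip())


def triage(entry):
    """Attach review flags to an entry and return them (empty list means nothing notable)."""
    img = entry.image.lower()
    if entry.file_info == "?":
        if entry.start_type <= 2:
            # Boot/system/auto-start service pointing at a file that cannot be read:
            # typical leftover of a removal, and a reason the service fails at boot.
            entry.findings.append("auto-start entry with unreadable image (likely missing)")
        else:
            entry.findings.append("demand-start entry with unreadable image (stale or removed)")
    if not img.startswith(EXPECTED_ROOTS):
        entry.findings.append("image outside Windows/Program Files: " + entry.image)
    return entry.findings


def triage_log(text):
    """Return {service name: [findings]} for every service line that raised a flag."""
    report = {}
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue          # section banners, '.', blank lines
        if triage(entry):
            report[entry.name] = entry.findings
    return report


# Sample lines copied from the DDS log in this thread.
SAMPLE_LOG = r"""
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
S2 RPCM;Remote Procedure Manager(TPM);c:\program files\common files\microsoft shared\speech\csvde.exe --> c:\program files\common files\microsoft shared\speech\csvde.exe [?]
S3 PORTMON;PORTMON;\??\c:\sys\portmsys.sys --> c:\sys\PORTMSYS.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
""".strip()

if __name__ == "__main__":
    for name, findings in triage_log(SAMPLE_LOG).items():
        print(name)
        for finding in findings:
            print("   -", finding)
```

Running it lists RPCM and PORTMON with their reasons and stays silent on MpFilter and WDC_SAM; the flags are a reading aid for the person reviewing the log, not a verdict.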


#2 HelpBot
    Bleepin' Binary Bot
  • Bots
  • 12,603 posts

Posted 16 July 2012 - 11:55 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/460235 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 16 July 2012 - 07:46 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#4 Don K K
  • Topic Starter
  • Members
  • 38 posts

Posted 16 July 2012 - 11:42 PM

I am ready to follow your instructions.

Don

#5 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts

Posted 17 July 2012 - 01:05 PM

TDSSKiller didn't find an infection but let's search for a rootkit

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#6 Don K K
  • Topic Starter
  • Members
  • 38 posts

Posted 17 July 2012 - 03:05 PM

Here is the log:
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-17 13:11:32
-----------------------------
13:11:32.678 OS Version: Windows 5.1.2600 Service Pack 3
13:11:32.678 Number of processors: 2 586 0x304
13:11:32.678 ComputerName: BILLHOME UserName: Bill
13:11:34.724 Initialize success
13:12:33.318 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
13:12:33.334 Disk 0 Vendor: WDC_WD400BD-75JMC0 06.01C06 Size: 38146MB BusType: 3
13:12:33.381 Disk 0 MBR read successfully
13:12:33.396 Disk 0 MBR scan
13:12:33.396 Disk 0 unknown MBR code
13:12:33.396 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 47 MB offset 63
13:12:33.412 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 33918 MB offset 96390
13:12:33.443 Disk 0 Partition 3 00 DB CP/M / CTOS MSWIN4.1 4173 MB offset 69561450
13:12:33.459 Disk 0 scanning sectors +78108030
13:12:33.568 Disk 0 scanning C:\WINDOWS\system32\drivers
13:12:55.568 Service scanning
13:13:28.959 Modules scanning
13:13:57.349 Disk 0 trace - called modules:
13:13:57.365 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
13:13:57.396 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82fd2030]
13:13:57.396 3 CLASSPNP.SYS[f8678fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x82f4eb00]
13:13:57.396 Scan finished successfully
15:02:50.646 Disk 0 MBR has been saved successfully to "E:\Clients\Terry Bill\MBR.dat"
15:02:50.662 The log file has been saved successfully to "E:\Clients\Terry Bill\aswMBR.txt"

#7 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts

Posted 17 July 2012 - 08:05 PM

That looks okay but we need to check for the reason why you have no internet. Often when a certain rootkit is removed it breaks your connection. Follow the reset of the chain that provides this connection here

#8 Don K K
  • Topic Starter
  • Members
  • 38 posts

Posted 18 July 2012 - 10:22 AM

As you suggested, I ran Microsoft Fixit 50199 which resets the TCP/IP stack, then rebooted, but that did not fix the issue.

Don

#9 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts

Posted 18 July 2012 - 02:26 PM

It was a long shot but worth a try.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Edited by m0le, 18 July 2012 - 02:26 PM.
Apparently, I'm a shocking typist


#10 Don K K
  • Topic Starter
  • Members
  • 38 posts

Posted 18 July 2012 - 05:05 PM

Here is the combofix log:

ComboFix 12-07-18.04 - Bill 07/18/2012 16:16:01.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.247 [GMT -5:00]
Running from: c:\documents and settings\Bill\Desktop\Comfix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\drvrtmp
c:\windows\iun6002.exe
c:\windows\settings.reg
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\gazeyuha.dll
c:\windows\system32\tifupeva.dll
c:\windows\system32\tmp.reg
.
.
((((((((((((((((((((((((( Files Created from 2012-06-18 to 2012-07-18 )))))))))))))))))))))))))))))))
.
.
2012-07-10 20:31 . 2012-07-10 20:31 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2012-07-10 20:10 . 2012-07-10 20:10 0 ----a-w- c:\windows\system32\REN13.tmp
2012-07-10 20:10 . 2012-07-10 20:10 0 ----a-w- c:\windows\system32\REN12.tmp
2012-07-10 19:11 . 2012-07-10 19:11 88892788 ----a-w- c:\windows\PreSymantecRemoval.reg
2012-07-06 00:07 . 2012-07-06 00:07 -------- d-----w- c:\program files\Microsoft ATS
2012-07-05 19:01 . 2012-07-05 19:01 -------- d-----w- c:\program files\ACW
2012-07-03 20:48 . 2001-08-18 03:36 7168 ----a-w- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2012-07-03 20:48 . 2001-08-18 03:36 12288 ----a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2012-07-03 20:46 . 2001-08-18 03:36 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2012-07-03 20:46 . 2001-08-18 03:36 57856 ----a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2012-07-03 20:44 . 2001-08-18 03:36 23040 ----a-w- c:\windows\system32\dllcache\EXCH_regtrace.exe
2012-07-03 20:41 . 2001-08-18 03:36 38912 ----a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2012-07-03 15:03 . 2012-07-03 15:03 -------- d-----w- c:\program files\Microsoft Network Monitor 3
2012-07-02 17:52 . 2012-07-02 17:52 -------- d-----w- c:\program files\Trend Micro
2012-06-30 20:50 . 2012-06-30 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2012-06-30 18:50 . 2012-07-02 15:56 -------- d-----w- C:\Sys
2012-06-29 17:24 . 2010-05-21 17:11 475648 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.3.1.scr
2012-06-29 17:24 . 2010-05-21 17:11 1061888 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.3.1.exe
2012-06-29 17:24 . 2012-06-30 12:33 -------- d-----w- c:\program files\MyDefrag v4.3.1
2012-06-29 16:05 . 2001-08-18 03:36 65536 ----a-w- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2012-06-29 16:03 . 2001-08-17 19:06 100992 ----a-w- c:\windows\system32\dllcache\icam5usb.sys
2012-06-29 16:02 . 2001-08-17 18:28 289887 ----a-w- c:\windows\system32\dllcache\hsf_fall.sys
2012-06-29 16:01 . 2001-08-17 17:15 454912 ----a-w- c:\windows\system32\dllcache\fxusbase.sys
2012-06-29 16:00 . 2001-08-18 03:36 61952 ----a-w- c:\windows\system32\dllcache\eqnloop.exe
2012-06-29 15:59 . 2001-08-18 03:36 6729 ----a-w- c:\windows\system32\dllcache\disrvci.dll
2012-06-29 15:58 . 2001-08-18 03:36 44032 ----a-w- c:\windows\system32\dllcache\cnusd.dll
2012-06-29 15:57 . 2001-08-17 18:28 871388 ----a-w- c:\windows\system32\dllcache\bcmdm.sys
2012-06-29 15:45 . 2012-06-29 15:46 -------- d-----w- c:\documents and settings\Administrator
2012-06-29 15:26 . 2012-06-29 15:26 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2012-06-29 15:22 . 2012-06-29 15:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-06-29 14:52 . 2012-06-29 14:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-29 14:52 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-28 16:52 . 2012-07-05 14:49 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Bill^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Bill\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
2004-06-10 16:51 60928 ----a-w- c:\windows\SYSTEM32\P17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-05 04:32 53248 ------w- c:\program files\REGSHAVE\REGSHAVE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 -c----w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTOTAL Scheduler]
2004-11-29 15:11 614400 ----a-w- c:\win2000\Guru.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
S2 RPCM;Remote Procedure Manager(TPM);c:\program files\Common Files\Microsoft Shared\Speech\csvde.exe --> c:\program files\Common Files\Microsoft Shared\Speech\csvde.exe [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\SYSTEM32\DRIVERS\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\SYSTEM32\DRIVERS\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\SYSTEM32\DRIVERS\motport.sys [6/18/2007 8:18 PM 23680]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [7/5/2012 9:49 AM 113120]
S3 PORTMON;PORTMON;\??\c:\sys\PORTMSYS.SYS --> c:\sys\PORTMSYS.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2289605177-262565049-1813312083-1006Core.job
- c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-22 00:57]
.
2012-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2289605177-262565049-1813312083-1006UA.job
- c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-22 00:57]
.
2012-07-18 c:\windows\Tasks\User_Feed_Synchronization-{1B6E68B1-820C-4081-AA88-2FF094B84BA7}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 00:36]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {1340C00E-B1FF-4117-B993-E58FF774A605} - hxxp://www.playrealbaseball.com/include/launchRBO_v1.1.0.0.cab
FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\e5j4nr6x.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-Motive SmartBridge - c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
MSConfigStartUp-AIM - c:\progra~1\AIM\aim.exe
MSConfigStartUp-Aim6 - c:\program files\Common Files\AOL\Launch\AOLLaunch.exe
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-DAEMON Tools Pro Agent - c:\program files\DAEMON Tools Pro\DTProAgent.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1135806133\ee\AOLSoftware.exe
MSConfigStartUp-mmtask - c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-PlaxoUpdate - c:\program files\Plaxo\2.5.10.21\PlaxoHelper.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\j2re1.4.2_03\bin\jusched.exe
MSConfigStartUp-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
MSConfigStartUp-YBrowser - c:\program files\Yahoo!\browser\ybrwicon.exe
MSConfigStartUp-Zune Launcher - c:\program files\Zune\ZuneLauncher.exe
AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
AddRemove-Adobe Flash Player Plugin - c:\windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
AddRemove-SBC Yahoo! DSL - c:\progra~1\Yahoo!\browser\unyb.exe
AddRemove-SBC Yahoo! Messenger - c:\progra~1\Yahoo!\MESSEN~1\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-18 16:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2289605177-262565049-1813312083-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-2289605177-262565049-1813312083-1006\Software\SecuROM\License information*]
"datasecu"=hex:47,d9,25,a4,ae,d8,f2,a0,31,c1,94,2d,c7,28,29,93,60,dc,31,d0,11,
c6,1c,a2,37,1b,f6,db,71,80,79,d2,79,d8,11,93,f5,48,d4,61,80,b4,47,5e,7a,c8,\
"rkeysecu"=hex:4c,4a,c6,9c,27,91,9f,40,ed,68,e3,58,3b,02,c8,d3
.
Completion time: 2012-07-18 16:34:54
ComboFix-quarantined-files.txt 2012-07-18 21:34
ComboFix2.txt 2012-06-30 00:15
.
Pre-Run: 2,586,595,328 bytes free
Post-Run: 2,627,383,296 bytes free
.
- - End Of File - - 6CE13A4F7B51D0FA6068C74A0544DABB

I rebooted the machine, but it is still unable to access the Internet.

Don
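
One way to pull the entries worth a second look out of the services section of a ComboFix log like the one above, added here as an example (it is not part of the thread and not ComboFix's own logic). ComboFix itself writes `--> path [?]` when a service's image file is not on disk; everything else, the start-type note, the "driver outside system32\drivers" rule, the constant names, is this example's own heuristic, and SAMPLE_LOG is copied from the log above so the script runs offline:

```python
"""Triage the services/drivers section of a ComboFix log.

Added example, not from the thread or from ComboFix: a small parser for the
"S2 name;display;path [date size]" lines, with heuristics of this example's
own choosing. ComboFix marks an entry "--> path [?]" when the image file is
not on disk; the remaining rules (start type, driver location) are mine.
SAMPLE_LOG is copied from the log above to make the example self-contained.
"""
import re
from typing import Dict, List

# Shape: "<start> <name>;<display>;<image>[ --> <resolved>] [<date size> | ?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)(?:\s+-->\s+(?P<resolved>.*?))?\s+\[(?P<info>[^\]]*)\]$"
)
DEREGISTERED_RE = re.compile(r"^\*Deregistered\*\s+-\s+(?P<name>\S+)")
DRIVER_DIR = r"c:\windows\system32\drivers"   # where a .sys is expected to live

SAMPLE_LOG = r"""
S2 RPCM;Remote Procedure Manager(TPM);c:\program files\Common Files\Microsoft Shared\Speech\csvde.exe --> c:\program files\Common Files\Microsoft Shared\Speech\csvde.exe [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\SYSTEM32\DRIVERS\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [7/5/2012 9:49 AM 113120]
S3 PORTMON;PORTMON;\??\c:\sys\PORTMSYS.SYS --> c:\sys\PORTMSYS.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - IPVNMon
"""


def parse_service(line: str) -> Dict[str, object]:
    """Split one service line into its fields; {} if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return {}
    d: Dict[str, object] = m.groupdict()
    path = d["resolved"] or d["image"]
    if path.startswith("\\??\\"):        # NT object-manager prefix, as on PORTMON
        path = path[4:]
    d["path"] = path
    d["missing"] = d["info"] == "?"      # ComboFix: image file not found on disk
    return d


def flag_service(svc: Dict[str, object]) -> List[str]:
    """Reasons this entry deserves a look; an empty list means nothing odd."""
    reasons: List[str] = []
    low = str(svc["path"]).lower()
    if svc["missing"]:
        reasons.append("image file missing on disk")
    if low.endswith(".sys") and not low.startswith(DRIVER_DIR):
        reasons.append("driver outside system32\\drivers")
    if reasons and svc["start"] == "S2":
        # Only worth noting once something else is off: S2 is auto-start,
        # so a leftover entry here is retried at every boot.
        reasons.append("auto-start (S2)")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return the entries worth reviewing, in log order."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DEREGISTERED_RE.match(line)
        if m:
            findings.append({"name": m["name"], "start": "", "path": "",
                             "reasons": ["in memory but deregistered"]})
            continue
        svc = parse_service(line)
        if not svc:
            continue
        reasons = flag_service(svc)
        if reasons:
            findings.append({"name": svc["name"], "start": svc["start"],
                             "path": svc["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['start']:3} {f['name']:<12} {f['path']}")
        for r in f["reasons"]:
            print(f"      - {r}")
```

Run against the sample, it reports RPCM (an auto-start service whose binary, a csvde.exe under the Speech folder, is gone), PORTMON (a driver registered from c:\sys, also gone) and the deregistered IPVNMon. A registry service entry whose file no longer exists is the usual shape of a leftover after a removal tool deletes the file but not the service, and those entries are what a helper would clean up next; the script only points at them, it does not judge whether the original files were malicious.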

#11 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 July 2012 - 05:37 PM

There were some nasty files in that deletion list.

Please run FSS so we can check the system now

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

m0le is a proud member of UNITE

#12 Don K K

  • Topic Starter
  • Members
  • 38 posts

Posted 18 July 2012 - 06:47 PM

Here is the FSS log:
Farbar Service Scanner Version: 08-07-2012
Ran by Bill (administrator) on 18-07-2012 at 18:44:59
Running from "C:\Documents and Settings\Bill\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
fssfltr(10) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0A0000000400000001000000020000000300000008000000050000000600000007000000090000000A000000
IpSec Tag value is correct.

**** End of log ****

Will not try Internet till I hear from you. Thanks for all your time and help.

Don

#13 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 July 2012 - 07:06 PM

It looks fine. Try to connect to the internet now. If the basic connection fails try the following:

Please copy the entire contents of the codebox below into Notepad:
  • Open Notepad
  • Copy the contents of the codebox below using CTRL C

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]
  • Now return to Notepad and use CTRL V to paste the script
  • Verify that you have pasted the complete script
  • Save the Notepad file to your Desktop as FixReg.reg using Save as Type: All files
  • Locate FixReg.reg on your desktop
  • Double click to run, and when prompted Allow the file to merge with your registry
  • OK your way out.
After that, Reboot your computer.


After the reboot, we will reinstall TCP/IP
  • Go to Start, then Settings, and choose Network Connections
  • Right click on your normal connection icon, and choose Properties
  • Click the Install button
  • Choose Protocol then click Add
  • Click Have disk
  • In the drop down box, type in: C:\WINDOWS\INF and click OK
  • In the next dialog, click Internet Protocol (TCP/IP) then click OK
  • Click Close to leave the properties box
After that, Reboot your computer and see if you have regained your connection.
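
The same repair as a script, added here as an example (it is not m0le's instructions and not a BleepingComputer tool). Instead of merging a .reg file that deletes the two Winsock keys and then reinstalling TCP/IP through the INF dialog, it exports both keys to a backup folder first and then runs `netsh winsock reset` and `netsh int ip reset <logfile>`, the Windows XP SP2 and later commands Microsoft documents for rebuilding the Winsock catalog and resetting the TCP/IP registry keys to their installed state. It has to run from an administrator command prompt on the affected machine; the backup folder and file names are this example's own choice, and with dry_run=True (or on a non-Windows host) it only returns the planned commands:

```python
"""Back up the Winsock keys, then reset Winsock and TCP/IP (Windows XP SP2+).

Added example, not from the thread. It replaces the manual .reg deletion and
INF reinstall described in the post with `netsh winsock reset` and
`netsh int ip reset`, which Microsoft documents as the scripted way to rebuild
the Winsock catalog and reset TCP/IP. Backup folder/file names are assumptions.
"""
import os
import subprocess
from datetime import datetime
from typing import List

# The two keys the FixReg.reg above deletes; `netsh winsock reset` rebuilds them.
WINSOCK_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\Winsock",
    r"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2",
]


def plan(backup_dir: str, stamp: str) -> List[List[str]]:
    """Commands in execution order: export both keys, reset Winsock, reset IP."""
    cmds: List[List[str]] = []
    for key in WINSOCK_KEYS:
        leaf = key.rsplit("\\", 1)[1]
        # A fresh file name per run: XP's reg.exe will not overwrite an
        # existing export, and we never want to clobber an older backup.
        cmds.append(["reg", "export", key,
                     os.path.join(backup_dir, f"{leaf}-{stamp}.reg")])
    cmds.append(["netsh", "winsock", "reset"])
    # XP requires the log file argument for `netsh int ip reset`.
    cmds.append(["netsh", "int", "ip", "reset",
                 os.path.join(backup_dir, f"ipreset-{stamp}.log")])
    return cmds


def is_backup_step(cmd: List[str]) -> bool:
    """True for the `reg export` commands, which must succeed before any reset."""
    return cmd[:2] == ["reg", "export"]


def run(backup_dir: str, dry_run: bool = False) -> List[List[str]]:
    """Execute the plan, aborting before any reset if a backup did not land on disk."""
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    cmds = plan(backup_dir, stamp)
    if dry_run or os.name != "nt":
        return cmds
    os.makedirs(backup_dir, exist_ok=True)
    for cmd in cmds:
        rc = subprocess.call(cmd)
        if rc != 0 or (is_backup_step(cmd) and not os.path.isfile(cmd[3])):
            raise RuntimeError(f"{' '.join(cmd)} failed (rc={rc}); aborting")
    print("Done. Reboot, then test the browser again.")
    return cmds


if __name__ == "__main__":
    for c in run(r"C:\WinsockBackup", dry_run=True):
        print(" ".join(c))
```

The point of the export step is that the deletion in the manual procedure is irreversible once merged; with the .reg backups in place the original catalog can be restored by double-clicking the exported file if the reset makes things worse. The reboot afterwards is still required, as in the post.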

#14 Don K K

  • Topic Starter
  • Members
  • 38 posts

Posted 19 July 2012 - 04:42 PM

I exported the 2 registry keys before deleting them, rebooted, reinstalled Internet Protocol, and rebooted again, and tried IE. Still the same problem. Chrome also is unable to access sites. Both exhibit similar symptoms. The window title of the browser window will change to the correct text, the tab will change, and the status bar will state that the browser is connecting to the company, (I try microsoft.com and cnn.com).

Don

#15 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 July 2012 - 04:58 PM

Please run OTL and see if there's something else going on here

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
