Network Problems after Virus (may still be infected)


  • This topic is locked
95 replies to this topic

#1 guitarmee

guitarmee

  • Members
  • 103 posts

Posted 27 November 2012 - 01:05 PM

First, here's a little background on this computer problem. I'm working on a Sony Vaio pcg-z1va. The initial problem was that it wouldn't boot. After I fixed that problem, I checked the hard drive to see if it was failing, but it is healthy. I figured the problem might have been virus-related so I ran MalwareBytes. It found Adware.Minibug (6 [instances]), Rogue.AV2009 (about 910), Rogue.MSAntiSpyware (4), Rogue.WinAntiSpyware (1), and Trojan.Agent (1). I ran it again until it showed no viruses (btw, I did use the latest definitions update). I then ran SUPERAntiSpyware which found Adware.SafeGuardProtect and Trojan.Agent/Gen-Sirefef. I also ran TDSSKiller. I had some networking problems so I updated the wireless card driver which fixed the problem. I installed Avast.

This brings me to the current problem. After rebooting, avast gives me an error (avast! will not be able to protect mail/news (error 10050). Please check that the avast! service (AvastSvc.exe) is not blocked by your personal firewall). When I check the firewall I see that it isn't on even though it's set to "Automatic" in Services. Upon telling it to start it gives me an error (error 10050: A socket operation encountered a dead network). I get the same error for IPSEC Services. I get an error (error 1068: The dependency service or group failed to start) for NLA (Network Location Awareness) and DHCP Server.

When I had the internet working I ran Windows Update installing all available updates. I know the problem is with this computer (not the network) and I am nearly positive it is a virus-caused problem and not hardware. It has the same problem with wired and wireless. When it connects to the network (wired or wireless) it hangs forever "Acquiring IP Address". I have run winsock repairs.

I think either the computer is still infected, or I am just dealing with damage from a virus.

Any help would be greatly appreciated.

Thanks.


I ran DDS and below is the text from the dds.txt file.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
Run by Michael Schultz at 10:37:41 on 2012-11-27
#Option MBR scan is disabled.
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.268 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - <orphaned>
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1353227936813
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{22816C03-A69E-45A6-80F8-048E75015AD6} : DHCPNameServer = 209.183.54.151 209.183.54.151
TCP: Interfaces\{D0EF24E6-AE05-435B-8AB4-57FA35CEEF16} : DHCPNameServer = 209.183.50.151 209.183.50.151
TCP: Interfaces\{F1BFF0A2-8C32-4FED-9E41-0BA0E13076AE} : DHCPNameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = Error!
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-11-25 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-11-25 361032]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-11-25 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-11-25 44808]
R3 oibtvcom;Bluetooth Virtual COM Port;c:\windows\system32\drivers\oivmvcom.sys [2003-8-22 279680]
R3 oivmctrl;VCOMM Device Controller;c:\windows\system32\drivers\oivmctrl.sys [2003-8-22 15616]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2003-8-22 71961]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cdc_ecm;LGE WirelessSA USB NDIS REVD Device Driver;c:\windows\system32\drivers\cdc_ecm.sys [2011-6-3 45568]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [2003-8-22 24618]
S3 HitachiBackupService;Hitachi Backup Service;c:\program files\hitachi\hitachi backup\HitachiBackupService.exe [2010-6-6 53760]
S3 lgcpo;LGE Configuration Policy Owner Service Install;c:\windows\system32\drivers\lgcpo.sys [2011-6-3 8832]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys --> c:\windows\system32\drivers\massfilter_hs.sys [?]
S3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\drivers\ptumwbus.sys --> c:\windows\system32\drivers\PTUMWBus.sys [?]
S3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\drivers\ptumwcdf.sys --> c:\windows\system32\drivers\PTUMWCDF.sys [?]
S3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\drivers\ptumwflt.sys --> c:\windows\system32\drivers\PTUMWFLT.sys [?]
S3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\drivers\ptumwmdm.sys --> c:\windows\system32\drivers\PTUMWMdm.sys [?]
S3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\drivers\ptumwnet.sys --> c:\windows\system32\drivers\PTUMWNET.sys [?]
S3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\drivers\ptumwvsp.sys --> c:\windows\system32\drivers\PTUMWVsp.sys [?]
S3 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files\sierra wireless inc\common\SwiCardDetect.exe [2010-9-13 230768]
S3 swiwdmbus;Sierra Wireless USB Composite Bus;c:\windows\system32\drivers\swiwdmbus.sys [2011-6-10 78720]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2011-6-10 201088]
S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2011-6-10 156544]
S3 UsbSADDiag;LGE WirelessSA USB Serial01 REVD Device;c:\windows\system32\drivers\lgusbddiag.sys [2011-6-3 22400]
S3 USBSADModem;LGE WirelessSA USB REVD Modem;c:\windows\system32\drivers\lgusbdmodem.sys [2011-6-3 27520]
S3 UsbSADObex;LGE WirelessSA USB Serial02 REVD Device;c:\windows\system32\drivers\lgusbdobex.sys [2011-6-3 22400]
S3 USBSANDIS;LGE WirelessSA USB NDIS Device Enumerator REVD Service;c:\windows\system32\drivers\dc_enum.sys [2011-6-3 58624]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2003-8-22 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys --> c:\windows\system32\drivers\zgwhsdiag.sys [?]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys --> c:\windows\system32\drivers\zgwhsmdm.sys [?]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys --> c:\windows\system32\drivers\zgwhsnmea.sys [?]
.
=============== File Associations ===============
.
ShellExec: FRONTPG.EXE: edit=c:\progra~1\mi1933~1\office10\FRONTPG.EXE
.
=============== Created Last 30 ================
.
2012-11-26 04:16:21 -------- d-----w- c:\program files\WinDirStat
2012-11-25 16:31:55 265728 -c----w- c:\windows\system32\dllcache\http.sys
2012-11-25 16:18:40 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2012-11-25 16:18:40 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2012-11-25 15:53:26 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-11-25 15:51:17 41224 ----a-w- c:\windows\avastSS.scr
2012-11-25 08:51:17 -------- d-sha-r- C:\cmdcons
2012-11-25 08:17:59 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2012-11-25 08:16:59 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2012-11-25 08:15:54 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2012-11-25 08:14:55 12288 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2012-11-24 22:43:25 1327320 ------w- c:\program files\msn\msncorefiles\install\msnsusii.exe
2012-11-24 22:43:24 884712 ------w- c:\program files\msn\msncorefiles\install\msn9components\digcore.exe
2012-11-24 22:43:22 11053008 ------w- c:\program files\msn\msncorefiles\install\msn9components\msncli.exe
2012-11-24 22:43:21 966656 ------w- c:\program files\msn\msncorefiles\oobe\obemetal.dll
2012-11-24 22:43:21 86016 ------w- c:\program files\msn\msncorefiles\oobe\obepopc.dll
2012-11-24 22:43:21 77824 ------w- c:\program files\msn\msncorefiles\oobe\obemtllc.dll
2012-11-24 22:43:21 229376 ------w- c:\program files\msn\msncorefiles\oobe\obelog.dll
2012-11-24 07:33:32 -------- d-----w- c:\windows\system32\NtmsData
2012-11-23 07:18:19 -------- d-----w- c:\windows\ie8updates
2012-11-23 07:15:03 221184 ----a-w- c:\windows\system32\wmpns.dll
2012-11-23 07:09:12 -------- d-----w- c:\documents and settings\michael schultz\local settings\application data\Sun
2012-11-23 06:57:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-11-23 06:57:21 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-11-23 06:57:20 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-11-23 06:57:19 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-11-23 06:55:19 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-11-23 06:50:52 -------- d-----w- c:\documents and settings\michael schultz\application data\SUPERAntiSpyware.com
2012-11-23 06:49:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-11-23 06:49:56 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-11-23 06:49:18 -------- d-----w- c:\program files\Glary Utilities
2012-11-23 06:48:57 -------- d-----w- c:\program files\VS Revo Group
2012-11-23 06:47:58 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-23 06:47:57 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-11-23 06:47:57 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-23 06:47:13 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-23 06:04:19 -------- d-----w- c:\program files\AutoInstall
2012-11-23 00:43:15 -------- d-sh--w- c:\documents and settings\michael schultz\PrivacIE
2012-11-22 23:53:58 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-22 23:48:57 -------- d-sh--w- c:\documents and settings\michael schultz\IETldCache
2012-11-22 22:19:03 -------- dc-h--w- c:\windows\ie8
2012-11-22 21:26:27 -------- d-----w- c:\windows\system32\winrm
2012-11-22 21:26:27 -------- d-----w- c:\windows\system32\GroupPolicy
2012-11-22 21:26:20 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2012-11-22 21:24:48 -------- d-----w- c:\program files\Windows Media Connect 2
2012-11-22 21:20:44 -------- d-----w- c:\windows\system32\LogFiles
2012-11-22 18:40:08 -------- d-----w- c:\program files\AVAST Software
2012-11-22 18:40:08 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-11-18 08:41:12 -------- d-----w- C:\Drivers
2012-11-18 06:54:47 -------- d-----w- c:\documents and settings\michael schultz\application data\GlarySoft
2012-11-18 05:07:54 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2012-11-18 05:06:59 130942 -c--a-w- c:\windows\system32\dllcache\ptserlv.sys
2012-11-18 05:05:57 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2012-11-18 05:04:58 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2012-11-18 05:03:59 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys
2012-11-18 05:02:57 57398 -c--a-w- c:\windows\system32\dllcache\imjpdadm.exe
2012-11-18 05:01:57 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2012-11-18 05:00:56 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2012-11-18 04:59:59 3072 -c--a-w- c:\windows\system32\dllcache\cwbmidi.sys
2012-11-18 04:58:59 7680 -c--a-w- c:\windows\system32\dllcache\cd20xrnt.sys
2012-11-18 04:57:59 9728 -c--a-w- c:\windows\system32\dllcache\brcoinst.dll
2012-11-18 04:56:57 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2012-11-18 00:07:01 -------- d-----w- c:\program files\SpeedFan
2012-11-17 23:57:28 -------- d-----w- c:\program files\CCleaner
2012-11-17 23:55:31 -------- d-----w- c:\documents and settings\michael schultz\application data\Malwarebytes
2012-11-17 23:54:59 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-11-17 23:54:57 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-17 23:54:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-11-17 23:31:42 -------- d-----w- c:\windows\pss
.
==================== Find3M ====================
.
2012-11-23 06:40:01 73656 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-22 08:37:31 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
2012-04-01 15:56:45 0 -c--a-w- c:\program files\GUM6F.tmp
.
============= FINISH: 10:39:47.27 ===============
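The symptom pattern in the first post (the firewall and IPSEC Services failing with a dead-network error, NLA and DHCP failing with error 1068) is what a broken service dependency chain looks like from the outside: one low-level component is down and everything stacked on it refuses to start. The following Python is an added example, not code from this thread, from Rkill or from DDS. It parses the "Checking Windows Service Integrity" section of an Rkill log (a constructed sample in the shape of the one posted later in this thread) and, using a simplified, assumed model of the Windows XP service dependency graph, separates the root failures from the services that only stopped because something beneath them was down. `DEPENDS_ON`, `parse_rkill_services`, `stopped_dependencies` and `classify` are names chosen here; the dependency edges are a hand-written approximation, not values read from a live registry.

```python
"""Triage helper: which stopped Windows services are root causes, and which
are merely blocked (the error 1068 case)? Added example; the dependency
graph below is an assumed, simplified Windows XP model."""
import re
from typing import Dict, List, Set

# Constructed sample, modelled on the "Checking Windows Service Integrity"
# section of an Rkill log. Not a real capture.
SAMPLE_RKILL = """\
Checking Windows Service Integrity:

* AFD (AFD) is not Running.
Startup Type set to: System

* DHCP Client (Dhcp) is not Running.
Startup Type set to: Automatic

* DNS Client (Dnscache) is not Running.
Startup Type set to: Automatic

* Network Connections (Netman) is not Running.
Startup Type set to: Automatic

* NetBios over Tcpip (NetBT) is not Running.
Startup Type set to: System

* TCP/IP Protocol Driver (Tcpip) is not Running.
Startup Type set to: System

* RpcSs => %SystemRoot%\\system32\\svchost.exe -k rpcss [Incorrect ImagePath]
"""

# Assumed dependency edges (simplified Windows XP model, not read from a
# live registry): service -> services that must be running before it starts.
DEPENDS_ON: Dict[str, List[str]] = {
    "Tcpip": [],
    "AFD": [],
    "NetBT": ["Tcpip"],
    "Dnscache": ["Tcpip"],
    "Dhcp": ["Tcpip", "AFD", "NetBT"],
    "Nla": ["Tcpip", "AFD"],
    "Netman": ["RasMan", "Tapisrv"],
    "SharedAccess": ["Netman", "winmgmt"],  # Windows Firewall / ICS
}

SERVICE_RE = re.compile(r"^\* (?P<display>.+?) \((?P<name>\w+)\) is not Running\.$")
STARTUP_RE = re.compile(r"^Startup Type set to: (?P<startup>\w+)$")


def parse_rkill_services(text: str) -> Dict[str, Dict[str, str]]:
    """Return {short_name: {"display": ..., "startup": ...}} for each service
    Rkill reports as not running. The startup line follows the service line;
    lines of any other shape (e.g. the ImagePath warning) are ignored."""
    found: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            current = m.group("name")
            found[current] = {"display": m.group("display"), "startup": "unknown"}
            continue
        m = STARTUP_RE.match(line)
        if m and current:
            found[current]["startup"] = m.group("startup")
            current = None
    return found


def stopped_dependencies(name: str, stopped: Set[str]) -> List[str]:
    """Direct or transitive dependencies of `name` that are themselves stopped:
    the chain behind an error 1068 ("dependency service or group failed")."""
    seen: List[str] = []
    stack = list(DEPENDS_ON.get(name, []))
    while stack:
        dep = stack.pop()
        if dep in stopped and dep not in seen:
            seen.append(dep)
            stack.extend(DEPENDS_ON.get(dep, []))
    return sorted(seen)


def classify(stopped: Set[str]) -> Dict[str, List[str]]:
    """Split stopped services into root causes (no stopped dependency) and
    dependents that are blocked by a chain. Fix the roots first."""
    root = sorted(s for s in stopped if not stopped_dependencies(s, stopped))
    blocked = sorted(s for s in stopped if s not in root)
    return {"root": root, "blocked": blocked}


if __name__ == "__main__":
    services = parse_rkill_services(SAMPLE_RKILL)
    stopped = set(services)
    result = classify(stopped)
    print("Root failures (look at these first):", ", ".join(result["root"]))
    for svc in result["blocked"]:
        chain = ", ".join(stopped_dependencies(svc, stopped))
        print(f"{services[svc]['display']} ({svc}) is blocked by: {chain}")
```

On the sample, Tcpip, AFD and Netman come out as roots while NetBT, Dnscache and Dhcp are only blocked, which is why restoring the TCP/IP and AFD drivers (rather than restarting DHCP Client over and over) is the productive first step. The same classification applies to the first post's firewall (SharedAccess) failure if Netman is in the stopped set.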


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,785 posts
  • Gender:Male
  • Location:California

Posted 29 November 2012 - 03:15 PM

Greetings guitarmee and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that. :thumbup2:


===================================================


Ground Rules:

  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,785 posts
  • Gender:Male
  • Location:California

Posted 29 November 2012 - 06:18 PM

Hi guitarmee,

Thank you for patiently waiting. We are going to run a few programs to address some entries that need to be removed and also provide us with some diagnostic information.

Please do this for me.


===================================================


ComboFix

--------------------

For a more detailed explanation on running Combofix and the prompts you will be following please see here.

Please download ComboFix from one of these locations and save it to your desktop:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • Note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista/Windows 7, ComboFix will skip the below Recovery Console pop ups and continue its malware removal procedure.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please Note: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If ComboFix has stopped running please stop and advise me.

  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.


===================================================


aswMBR

--------------------

  • Download aswMBR and save it to your desktop.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.
NOTE: aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


===================================================


Farbar's Service Scanner

--------------------

Please download Farbar Service Scanner, save it to your desktop, and run it.

  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Combofix log
  • aswMBR log
  • FSS log

Gary
 

#4 guitarmee

guitarmee
  • Topic Starter

  • Members
  • 103 posts

Posted 30 November 2012 - 01:15 AM

Thanks Gary, my name is Matt. I appreciate your time and assistance.

When I run ComboFix it hangs after creating a restore point. It says scanning for infected files ... scanning times may easily double, but it doesn't show stage 1, stage 2, etc.

#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,785 posts
  • Gender:Male
  • Location:California

Posted 30 November 2012 - 09:23 AM

Hi Matt,

Nice to meet you.

I apologize for not posting the below the first time around. I modified my Combofix instructions but failed to post the new version for you. It gives additional steps in case Combofix does not run properly, which is not uncommon.

If you would please try a second time I would appreciate it. You can skip down to the information after Note #2.


===================================================


ComboFix

--------------------

For a more detailed explanation on running Combofix and the prompts you will be following please see here.

Please download ComboFix from one of these locations and save it to your desktop:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • Note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista/Windows 7, ComboFix will skip the below Recovery Console pop ups and continue its malware removal procedure.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.

  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue

If Combofix fails to run properly using the above instructions please attempt the following:

  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Combofix log
  • aswMBR log
  • FSS log
  • How is your computer running?

Edited by Oh My, 30 November 2012 - 09:25 AM.
aswMBR/FSS log request

Gary
 

#6 guitarmee

guitarmee
  • Topic Starter

  • Members
  • 103 posts

Posted 30 November 2012 - 12:30 PM

I did step 2 and rkill worked (didn't need to rename it) but combofix (freshcopy.exe) is stuck in the same place as before (no stages showing). For some reason (I don't know if it's normal) when running combofix, the computer is using a ton of (most of) the page file. The page file is at 1.14 GB. The computer has 512MB of RAM. There's only about 4MB of free RAM. Grep.3xe is only using about 20-30MB and CF18011 is using 20KB. I don't know what's using all the RAM because in the task manager "show all processes" is selected and the total amount that each program is using is less than 30-40MB. The system cache is only 5MB. There are 16 processes running.

What is an FSS log?

Should I run aswMBR now, or after Combofix?

Here is the rkill log...

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/30/2012 09:25:01 AM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* AFD (AFD) is not Running.
Startup Type set to: System

* DHCP Client (Dhcp) is not Running.
Startup Type set to: Automatic

* DNS Client (Dnscache) is not Running.
Startup Type set to: Automatic

* COM+ Event System (EventSystem) is not Running.
Startup Type set to: Manual

* Network Connections (Netman) is not Running.
Startup Type set to: Automatic

* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic

* Security Center (wuauserv) is not Running.
Startup Type set to: Automatic

* AFD (AFD) is not Running.
Startup Type set to: System

* IPSEC driver (IPSec) is not Running.
Startup Type set to: System

* NetBios over Tcpip (NetBT) is not Running.
Startup Type set to: System

* TCP/IP Protocol Driver (Tcpip) is not Running.
Startup Type set to: System

* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [Incorrect ImagePath]

Searching for Missing Digital Signatures:

* C:\WINDOWS\System32\drivers\bthport.sys [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB951376\SP2QFE\bthport.sys : 272,128 : 04/14/2008 00:00 AM : fc50ce8c3ada692fbe82f1d4c8a4b70b [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB951376\SP3GDR\bthport.sys : 272,128 : 04/14/2008 00:30 AM : 8381fb906f05495f3d2045fbc9576cd5 [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB951376\SP3QFE\bthport.sys : 272,128 : 04/14/2008 00:36 AM : f6cbbcc40f94eb8a88b1e826911ac795 [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB951376-v2\SP2QFE\bthport.sys : 272,128 : 06/13/2008 00:52 AM : 956e7e86bb00e792c8ff3afb2f8e460d [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB951376-v2\SP3GDR\bthport.sys : 272,128 : 06/13/2008 00:05 AM : 662bfd909447dd9cc15b1a1c366583b4 [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB951376-v2\SP3QFE\bthport.sys : 272,128 : 06/13/2008 00:27 AM : 51d05d5a8a7d93ab0b1a8d6a38db3ca4 [Pos Repl]
+-> C:\WINDOWS\$NtServicePackUninstall$\bthport.sys : 272,128 : 06/13/2008 00:10 AM : 95ef6f3f386d93ee1e4d9ca45a50252a [Pos Repl]
+-> C:\WINDOWS\Driver Cache\i386\bthport.sys : 272,128 : 06/13/2008 00:05 AM : 662bfd909447dd9cc15b1a1c366583b4 [Pos Repl]
+-> C:\WINDOWS\ServicePackFiles\i386\bthport.sys : 273,024 : 04/13/2008 00:46 AM : 10b85171b90c449f8da71c2640b797e9 [Pos Repl]
+-> C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\bthport.sys : 272,128 : 06/13/2008 00:05 AM : 662bfd909447dd9cc15b1a1c366583b4 [Pos Repl]

* C:\WINDOWS\System32\drivers\mrxsmb.sys [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB2511455\SP3QFE\mrxsmb.sys : 457,472 : 02/17/2011 00:19 AM : fb7dfd15d760ad339837a470f0e780d3 [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB2536276\SP3QFE\mrxsmb.sys : 457,856 : 04/29/2011 00:47 AM : 8dd801e28eb76fda2a38907882a0036f [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB2536276-v2\SP3QFE\mrxsmb.sys : 457,856 : 07/15/2011 00:29 AM : fb2fccc70f7174c7bf64f48e96d3adf4 [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB885835\SP2GDR\mrxsmb.sys : 448,128 : 10/27/2004 07:14 PM : c9d17daa82b917cf2fd6e4f595974934 [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB885835\SP2QFE\mrxsmb.sys : 448,128 : 10/27/2004 07:15 PM : a1be3cb080dcc0a8270d21e3ca3b7005 [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB914389\SP2GDR\mrxsmb.sys : 453,120 : 05/05/2006 07:41 AM : 025af03ce51645c62f3b6907a7e2be5e [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB914389\SP2QFE\mrxsmb.sys : 454,400 : 05/05/2006 07:16 AM : 7412ce77c6fd823f8889b4df420c680b [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB957097\SP3QFE\mrxsmb.sys : 455,936 : 10/24/2008 07:41 AM : 7170ab42b51954def2781a4d1cce65f4 [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB978251\SP3QFE\mrxsmb.sys : 456,832 : 12/04/2009 07:25 AM : 602549d1e8a622e5746991f6c56b21ca [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB980232\SP3QFE\mrxsmb.sys : 457,216 : 02/24/2010 07:57 AM : d09b9f0b9960dd41e73127b7814c115f [Pos Repl]
+-> C:\WINDOWS\$NtServicePackUninstall$\mrxsmb.sys : 453,120 : 05/05/2006 00:41 AM : 025af03ce51645c62f3b6907a7e2be5e [Pos Repl]
+-> C:\WINDOWS\Driver Cache\i386\mrxsmb.sys : 456,320 : 07/15/2011 00:29 AM : 7d304a5eb4344ebeeab53a2fe3ffb9f0 [Pos Repl]
+-> C:\WINDOWS\ServicePackFiles\i386\mrxsmb.sys : 456,576 : 04/13/2008 01:17 PM : 68755f0ff16070178b54674fe5b847b0 [Pos Repl]

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 11/30/2012 09:28:14 AM
Execution time: 0 hours(s), 3 minute(s), and 12 seconds(s)

#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,785 posts
  • Gender:Male
  • Location:California

Posted 30 November 2012 - 04:18 PM

Hi Matt,

FSS is Farbar's Service Scanner from Post #3. Please run that and aswMBR. We will hold off on Combofix for now.

In addition I would like you to do the following for me please.


===================================================


Copying and Overwriting a File Using CMD

--------------------

  • Press the Windows key + R on your keyboard at the same time
  • Type cmd, press Enter, and a black screen will appear
  • Individually copy and paste (pasting requires you right click and select paste) the following after the command prompt and then press Enter after each one

    copy C:\WINDOWS\ServicePackFiles\i386\bthport.sys C:\WINDOWS\System32\drivers\bthport.sys
    copy C:\WINDOWS\Driver Cache\i386\mrxsmb.sys C:\WINDOWS\System32\drivers\mrxsmb.sys

  • When asked if you want to overwrite the file hit the Y key and press Enter
  • You should receive a notification indicating 1 file(s) copied.
  • Type Exit then hit Enter
  • Reboot your computer

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • FSS log
  • aswMBR log
  • Did files copy successfully?
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 guitarmee

guitarmee
  • Topic Starter

  • Members
  • 103 posts

Posted 01 December 2012 - 12:04 AM

I ran fss and aswmbr. I thought you might want to know for future reference that I had to type the second command prompt entry (to copy files) within quotation marks (I believe because of the space in "Driver Cache"). So, I typed, ["copy C:\WINDOWS\Driver Cache\i386\mrxsmb.sys" C:\WINDOWS\System32\drivers\mrxsmb.sys].

Here is the FSS log:

Farbar Service Scanner Version: 09-11-2012
Ran by Michael Schultz (administrator) on 30-11-2012 at 21:47:16
Running from "C:\Documents and Settings\Michael Schultz\desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
The start type of IpSec service is OK.
The ImagePath of IpSec service is OK.


Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
LAN connected.
Attempt to access Google IP returned error. Other errors
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error. Other errors
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

netman Service is not running. Checking service configuration:
The start type of netman service is set to Auto. The default start type is 3.
The ImagePath of netman service is OK.
The ServiceDll of netman service is OK.


Firewall Disabled Policy:
==================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(12) Gpc(6) IPSec(4) NetBT(5) PSched(7) RFCOMM(8) Tcpip(3)
0x0C000000040000000100000002000000030000000C00000005000000060000000700000008000000090000000A0000000B000000
IpSec Tag value is correct.

**** End of log ****



And here is the aswMBR log:

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-11-30 10:34:00
-----------------------------
10:34:00.093 OS Version: Windows 5.1.2600 Service Pack 3
10:34:00.093 Number of processors: 1 586 0x905
10:34:01.675 ComputerName: VALUED-AD2CA5CA UserName: Michael Schultz
10:34:19.711 Initialize success
10:34:45.188 AVAST engine defs: 12112501
12:03:38.326 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:03:38.877 Disk 0 Vendor: TOSHIBA_MK6021GAS GA024A Size: 57231MB BusType: 3
12:03:39.097 Disk 0 MBR read successfully
12:03:39.198 Disk 0 MBR scan
12:03:45.697 Disk 0 Windows XP default MBR code
12:03:45.797 Disk 0 Partition 1 00 12 Compaq diag NTFS 5130 MB offset 63
12:03:48.331 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 14307 MB offset 10506510
12:03:48.501 Disk 0 Partition - 00 0F Extended LBA 37793 MB offset 39809070
12:03:48.561 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 37793 MB offset 39809133
12:03:48.691 Disk 0 scanning sectors +117210240
12:03:49.953 Disk 0 scanning C:\WINDOWS\system32\drivers
12:04:57.320 Service scanning
12:06:13.259 Modules scanning
12:06:44.244 Disk 0 trace - called modules:
12:06:44.304 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
12:06:44.404 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f7dab8]
12:06:44.504 3 CLASSPNP.SYS[f8755fd7] -> nt!IofCallDriver -> \Device\00000084[0x82f519e8]
12:06:44.604 5 ACPI.sys[f86ac620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82fda940]
12:06:46.817 AVAST engine scan C:\WINDOWS
12:07:13.876 AVAST engine scan C:\WINDOWS\system32
12:14:30.304 AVAST engine scan C:\WINDOWS\system32\drivers
12:14:58.695 AVAST engine scan C:\Documents and Settings\Michael Schultz
12:17:30.182 AVAST engine scan C:\Documents and Settings\All Users
12:18:31.741 Scan finished successfully
21:38:14.410 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Michael Schultz\Desktop\MBR.dat"
21:38:14.471 The log file has been saved successfully to "C:\Documents and Settings\Michael Schultz\Desktop\aswMBR.txt"
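The FSS log above is the evidence the thread is working from. As an added example, not part of the thread or of Farbar's tool, here is a small Python parser that turns that log format into a report of which services are down, which start types deviate from the default, whether any checked file failed its hash check, and whether the kernel TCP/IP stack is up. The sample lines are excerpted from the FSS log posted above; the phrases it keys on ("OK.", "MD5 is legit") are taken from that log, and the set of core stack drivers is my own choice based on the services the thread lists.

```python
# Parse a Farbar Service Scanner (FSS) log and flag the network-stack damage
# this thread is chasing: services not running, start types that differ from
# the default, tampered system files and failed connectivity probes.
import re
from typing import Dict, List

# Sample input: lines excerpted from the FSS log posted above, with the
# section underlines and blank lines removed (the parser ignores them anyway).
FSS_LOG = r"""
Internet Services:
Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.
Connection Status:
Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
LAN connected.
Attempt to access Google IP returned error. Other errors
Windows Firewall:
netman Service is not running. Checking service configuration:
The start type of netman service is set to Auto. The default start type is 3.
The ImagePath of netman service is OK.
File Check:
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
CONFIG = re.compile(r"^The (start type|ImagePath|ServiceDll) of (\S+) service is (.+)$")
CONNECT_FAIL = re.compile(r"^Attempt to access (.+?) returned error")
FILE_CHECK = re.compile(r"^(.+?) => (.+)$")

# Kernel-mode parts of the XP TCP/IP stack (my assumption, drawn from the
# services listed in this thread). When any of these is not running, Winsock
# calls fail with "dead network" errors such as the 10050 reported above.
CORE_STACK = {"tcpip", "afd", "netbt", "ipsec"}


def parse_fss(text: str) -> Dict[str, object]:
    report = {"not_running": [], "misconfigured": {},
              "file_check_failures": [], "connectivity_failures": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NOT_RUNNING.match(line):
            report["not_running"].append(m.group(1))
        elif m := CONFIG.match(line):
            field, svc, value = m.groups()
            if value != "OK.":  # anything but the literal OK is a deviation
                report["misconfigured"].setdefault(svc, []).append(f"{field}: {value}")
        elif m := CONNECT_FAIL.match(line):
            report["connectivity_failures"].append(m.group(1))
        elif m := FILE_CHECK.match(line):
            path, verdict = m.groups()
            if verdict != "MD5 is legit":  # FSS wording for a known-good hash
                report["file_check_failures"].append(path)
    return report


def core_stack_down(report: Dict[str, object]) -> List[str]:
    """Core TCP/IP drivers the log reports as not running (case-insensitive)."""
    return [s for s in report["not_running"] if s.lower() in CORE_STACK]
```

On the full log posted above the same parser reports all of Tcpip, afd, NetBt and IpSec as down, which is why the firewall and DHCP services cannot start regardless of their own configuration.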

#9 guitarmee

guitarmee
  • Topic Starter

  • Members
  • 103 posts

Posted 01 December 2012 - 12:06 AM

Files copied successfully. The computer has the same problem... firewall won't start and network continually is "acquiring ip address". Attempting to manually start the firewall service gives the error about the dead network.

#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,785 posts
  • Gender:Male
  • Location:California

Posted 01 December 2012 - 11:22 AM

Hi Matt,

You are absolutely right, I missed the space. Nice job! :)

Thank you for providing the information. Here is what I would like you to do for me.


===================================================


Modifying Service StartState

-------------------

  • Press the Windows key + R on your keyboard at the same time
  • Type cmd and press Enter
  • Type sc config Netman start= demand and press Enter
  • You should receive confirmation the command was successful
  • Reboot your computer and check your internet connection and firewall

===================================================


Things I would like to see in your next reply. :thumbsup2:

  • Any change?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 guitarmee

guitarmee
  • Topic Starter

  • Members
  • 103 posts

Posted 01 December 2012 - 12:56 PM

The command completed successfully. I restarted but the firewall still won't work.

I didn't mention it before, and I don't know if it helps to mention, but the network adapters don't show up in the system tray by the clock automatically like they are supposed to. I've been (ever since the beginning of this whole problem) having to right-click my network places and click properties. Then the wireless shows up in the tray and I can connect to my wireless network, but it never finishes acquiring an ip address.

#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,785 posts
  • Gender:Male
  • Location:California

Posted 01 December 2012 - 01:22 PM

Hi Matt,

but it never finishes acquiring an ip address.


Is this still true even after the last command? Did the internet issue change at all, i.e. now you can stay connected?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#13 guitarmee

guitarmee
  • Topic Starter

  • Members
  • 103 posts

Posted 01 December 2012 - 02:54 PM

Yes, it's still true. It won't get an ip address or start the firewall. The problem is the same.

#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,785 posts
  • Gender:Male
  • Location:California

Posted 01 December 2012 - 05:50 PM

Hi Matt,

OK, let's run this program.


===================================================


Complete Internet Repair

--------------------

  • Please download comintrep.exe and save it to your desktop
  • Double click the icon and select Run
  • Click Extract
  • Double click the Complete Internet Repair folder on your desktop
  • Double click the CIntRep.exe icon
  • Place a checkmark next to the following entries:

    • Reset Internet Protocol (TCP/IP)
    • Repair Winsock (Reset Catalog)
    • Renew Internet Connections
    • Flush DNS Resolver Cache
    • Repair Internet Explorer 6.0.2900
    • Clear Windows Update History
    • Repair Windows / Automatic Updates
    • Repair SSL / HTTPS / Cryptography
    • Reset Windows Firewall Configuration
    • Restore the default hosts file
    • Repair Workgroup Computers view
  • Click Go!
  • Ignore any error messages for now
  • Click OK to reboot your computer
  • Check your internet access

===================================================


Things I would like to see in your next reply. :thumbsup2:

  • Results?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#15 guitarmee

guitarmee
  • Topic Starter

  • Members
  • 103 posts

Posted 02 December 2012 - 02:27 AM

I ran the program, and rebooted and it didn't fix the problem.