RickWeaver

Help Please

46 posts in this topic

MrC,

I don't have a way to bypass the wireless easily. If you think the result would be different I can take this PC apart and move it downstairs and set it up close enough to my cable modem to connect straight to the modem.

I ran the files you asked me to and here are the results:

SystemLook 30.07.11 by jpshortstuff

Log created at 19:28 on 12/03/2012 by Administrator

Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"

C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys --a---- 138496 bytes [15:07 16/10/2008] [15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099

C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys --a---- 138496 bytes [15:45 14/10/2011] [13:41 17/08/2011] F6B7B1ECD7B41736BDB6FF4B092BCB79

C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys --a---- 138496 bytes [11:48 20/06/2008] [11:48 20/06/2008] D6EE6014241D034E63C49A50CB2B442A

C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys --a---- 138496 bytes [22:16 20/03/2009] [10:34 14/08/2008] 4D43E74F2A1239D53929B82600F1971C

C:\WINDOWS\$NtUninstallKB2509553$\afd.sys -----c- 138496 bytes [13:57 18/05/2011] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7

C:\WINDOWS\$NtUninstallKB2592799$\afd.sys -----c- 138496 bytes [15:59 14/10/2011] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37

C:\WINDOWS\$NtUninstallKB951748$\afd.sys -----c- 138112 bytes [22:43 20/03/2009] [05:49 14/04/2008] 322D0E36693D6E24A2398BEE62A268CD

C:\WINDOWS\$NtUninstallKB956803$\afd.sys -----c- 138496 bytes [22:45 20/03/2009] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C

C:\WINDOWS\system32\dllcache\afd.sys -----c- 138496 bytes [05:49 14/04/2008] [13:49 17/08/2011] 1E44BC1E83D8FD2305F8D452DB109CF9

C:\WINDOWS\system32\drivers\afd.sys --a---- 138496 bytes [05:49 14/04/2008] [14:40 11/03/2012] 1D495EE1D3A836801D1FD816FF4A93F9

-= EOF =-

Farbar Service Scanner Version: 01-03-2012

Ran by Administrator (administrator) on 12-03-2012 at 19:33:46

Running from "C:\Documents and Settings\Administrator\Desktop"

Microsoft Windows XP Professional Service Pack 3 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

There is no connection to network.

Attempt to access Google IP returned error: Google IP is unreachable

Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

Windows Firewall:

=============

sharedaccess Service is not running. Checking service configuration:

The start type of sharedaccess service is OK.

The ImagePath of sharedaccess service is OK.

The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:

The start type of BITS service is OK.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys

[2008-04-14 00:49] - [2012-03-11 09:40] - 0138496 ____A () 1D495EE1D3A836801D1FD816FF4A93F9

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

AegisP(10) Gpc(3) IPSec(5) mfetdi2k(8) NetBT(6) PSched(7) Tcpip(4)

0x0A0000000500000001000000020000000300000004000000080000000600000007000000090000000A000000

IpSec Tag value is correct.

**** End of log ****


Using ComboFix:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

FCopy::

C:\WINDOWS\system32\dllcache\afd.sys | C:\WINDOWS\system32\drivers\afd.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC

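Added example (editor-supplied Python, not code from the thread and not a SystemLook or ComboFix feature): the comparison MrC is making by eye on the SystemLook listing above, and the reason his CFScript copies dllcache\afd.sys over drivers\afd.sys, written out as a script. It parses the filefind records, groups the copies of each file, and flags a live driver whose MD5 matches no other copy on disk, differs from the dllcache copy, or was modified after every backup copy; it then renders the FCopy stanza for whatever it flagged. The sample input is a subset of the log lines posted above; the dllcache copy is assumed to be the trustworthy reference (the later FSS run reports that hash as legit), and the function names are mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: a subset of the "filefind" lines from the SystemLook log above.
SYSTEMLOOK_FILEFIND = r"""
Searching for "afd.sys"
C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys --a---- 138496 bytes [15:07 16/10/2008] [15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099
C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys --a---- 138496 bytes [15:45 14/10/2011] [13:41 17/08/2011] F6B7B1ECD7B41736BDB6FF4B092BCB79
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys --a---- 138496 bytes [11:48 20/06/2008] [11:48 20/06/2008] D6EE6014241D034E63C49A50CB2B442A
C:\WINDOWS\$NtUninstallKB2592799$\afd.sys -----c- 138496 bytes [15:59 14/10/2011] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\$NtUninstallKB951748$\afd.sys -----c- 138112 bytes [22:43 20/03/2009] [05:49 14/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\system32\dllcache\afd.sys -----c- 138496 bytes [05:49 14/04/2008] [13:49 17/08/2011] 1E44BC1E83D8FD2305F8D452DB109CF9
C:\WINDOWS\system32\drivers\afd.sys --a---- 138496 bytes [05:49 14/04/2008] [14:40 11/03/2012] 1D495EE1D3A836801D1FD816FF4A93F9
-= EOF =-
"""

# One SystemLook filefind record: path, attribute flags, size, [created] [modified], MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

def parse_filefind(text):
    """Parse SystemLook filefind output into a list of dicts, one per file copy."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "Searching for" header, EOF marker, blank lines
        r = m.groupdict()
        r["name"] = r["path"].rsplit("\\", 1)[-1].lower()
        r["size"] = int(r["size"])
        r["md5"] = r["md5"].upper()
        r["modified"] = datetime.strptime(r["modified"], "%H:%M %d/%m/%Y")
        records.append(r)
    return records

def audit_drivers(text):
    """Compare each live copy in the drivers directory with the other copies of the
    same file on disk (dllcache, $hf_mig$, $NtUninstall*). Returns one finding per
    live driver that looks tampered, with the dllcache path to restore it from."""
    by_name = defaultdict(list)
    for r in parse_filefind(text):
        by_name[r["name"]].append(r)
    findings = []
    for name, copies in by_name.items():
        live = next((c for c in copies if "\\system32\\drivers\\" in c["path"].lower()), None)
        cache = next((c for c in copies if "\\system32\\dllcache\\" in c["path"].lower()), None)
        if live is None or cache is None:
            continue
        others = [c for c in copies if c is not live]
        reasons = []
        if live["md5"] != cache["md5"]:
            reasons.append("md5 differs from dllcache copy")
        if live["md5"] not in {c["md5"] for c in others}:
            reasons.append("md5 matches no other copy on disk")
        if live["modified"] > max(c["modified"] for c in others):
            reasons.append("modified after every backup copy")
        if live["size"] != cache["size"]:
            reasons.append("size differs from dllcache copy")
        if reasons:
            findings.append({"path": live["path"], "restore_from": cache["path"], "reasons": reasons})
    return findings

def cfscript(findings):
    """Render the findings as a ComboFix CFScript FCopy block (source | destination)."""
    lines = ["FCopy::"] + [f"{f['restore_from']} | {f['path']}" for f in findings]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    hits = audit_drivers(SYSTEMLOOK_FILEFIND)
    for h in hits:
        print(h["path"], "->", ", ".join(h["reasons"]))
    print(cfscript(hits))
```

Note that every post-SP3 copy of afd.sys in the listing is exactly 138496 bytes, so a size comparison alone would not catch the tampered driver; the hash and the 11/03/2012 modification time do. Restoring from dllcache is only as good as the dllcache copy itself, which is why FSS's MD5 verdict on the restored file in the next log matters.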

Still no internet and ComboFix found the RootKit Zero.Access again. Here is the ComboFix log:

ComboFix 12-03-10.02 - Administrator 03/12/2012 20:16:28.5.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1459 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

--------------- FCopy ---------------

.

c:\windows\system32\dllcache\afd.sys --> c:\windows\system32\drivers\afd.sys

.

((((((((((((((((((((((((( Files Created from 2012-02-13 to 2012-03-13 )))))))))))))))))))))))))))))))

.

.

2012-03-11 17:01 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\Serial.sys

2012-03-11 16:18 . 2008-04-14 00:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2012-03-11 16:05 . 2012-03-11 16:05 -------- d-----w- C:\Malwarebytes

2012-03-11 14:39 . 2012-03-11 14:39 -------- d-----w- C:\TDSSKiller_Quarantine

2012-03-10 15:53 . 2012-03-10 15:53 -------- d-----w- C:\db7192cfa1af5015e0615d00

2012-03-10 15:33 . 2012-03-10 15:33 -------- d-----w- C:\6e08c0a2436134c4733bee5ca36ca3

2012-03-04 09:01 . 2012-03-04 09:01 -------- d-----w- C:\433ac744c28f5b209cd11ad1

2012-03-04 00:23 . 2012-03-04 00:23 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys

2012-03-04 00:23 . 2012-03-04 00:23 -------- d-----w- c:\program files\TRENDnet

2012-03-03 21:03 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-03-03 21:03 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll

2012-03-03 20:57 . 2012-03-04 00:23 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe

2012-03-03 20:57 . 2008-02-27 16:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys

2012-03-03 20:57 . 2009-08-06 04:23 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-12 16:53 . 2008-04-14 06:00 1859968 ----a-w- c:\windows\system32\win32k.sys

2011-12-17 19:46 . 2008-04-14 10:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-12-17 19:46 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll

2011-12-17 19:46 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-12-16 12:22 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec

2011-04-14 16:26 . 2011-05-19 15:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-03-11_17.05.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-03-13 01:15 . 2012-03-13 01:15 16384 c:\windows\Temp\Perflib_Perfdata_750.dat

- 2009-03-20 22:32 . 2003-02-21 01:09 77824 c:\windows\system32\URTTemp\mscorsn.dll

+ 2009-03-20 22:32 . 2003-02-21 00:09 77824 c:\windows\system32\URTTemp\mscorsn.dll

+ 2009-03-20 22:32 . 2003-02-21 00:06 155648 c:\windows\system32\URTTemp\mscoree.dll

- 2009-03-20 22:32 . 2003-02-21 01:06 155648 c:\windows\system32\URTTemp\mscoree.dll

- 2009-03-20 22:32 . 2003-02-21 01:06 282624 c:\windows\system32\URTTemp\fusion.dll

+ 2009-03-20 22:32 . 2003-02-21 00:06 282624 c:\windows\system32\URTTemp\fusion.dll

+ 2009-03-20 22:32 . 2003-02-21 00:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll

- 2009-03-20 22:32 . 2003-02-21 01:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]

"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-649UB\WlanCU.exe [2012-3-3 368640]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/18/2011 2:06 PM 88544]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2011 12:02 PM 652360]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/18/2011 2:06 PM 145936]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/19/2011 12:40 PM 2519040]

R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/3/2012 3:57 PM 20480]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2011 12:02 PM 20464]

R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [3/3/2012 3:57 PM 588032]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-649UB\WLSVC.exe [3/3/2012 7:23 PM 167936]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/18/2011 2:06 PM 85152]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ATKFUSService

ScanUSBEMPIA

.

Contents of the 'Scheduled Tasks' folder

.

2012-03-13 c:\windows\Tasks\User_Feed_Synchronization-{EA4F660E-E6D3-46ED-8BBF-99549F8DE551}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.dogpile.com/

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4zhz37dx.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-03-12 20:24

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\

.

[HKEY_USERS\S-1-5-21-1844237615-507921405-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\

.

Completion time: 2012-03-12 20:25:36

ComboFix-quarantined-files.txt 2012-03-13 01:25

ComboFix2.txt 2012-03-12 23:40

ComboFix3.txt 2012-03-11 22:50

ComboFix4.txt 2012-03-11 18:15

ComboFix5.txt 2012-03-13 01:10

.

Pre-Run: 62,275,620,864 bytes free

Post-Run: 62,272,503,808 bytes free

.

- - End Of File - - E53A67D8DFF113E68AFF36194332BEF3


I don't see anything in the log about the rootkit.

You did reboot the computer right?

-------------------

Run RogueKiller again, post the log.

--------------------

Run Farbar Service Scanner again and post the log.

MrC


Every time I've run ComboFix it has detected the RootKit Zero.Access and it pops up an alert that it has to reboot the computer. I click the OK button and after a short time it alerts again that it is going to reboot the computer and then it restarts. When I select Administrator it comes up to my desktop with no icons and the ComboFix.exe command console window open, and runs the complete scan from the beginning and opens the log when it is finished.

Here are the logs:

RogueKiller V7.3.1 [03/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Administrator [Admin rights]

Mode: Scan -- Date: 03/12/2012 20:52:57

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800JD-75MSA3 +++++

--- User ---

[MBR] a456f312c0e435782971f94dba7cdfdf

[BSP] bec400d75a08f6cdd3306fcc22e6a067 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76293 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[8].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;

RKreport[6].txt ; RKreport[7].txt ; RKreport[8].txt

Farbar Service Scanner Version: 01-03-2012

Ran by Administrator (administrator) on 12-03-2012 at 20:53:48

Running from "C:\Documents and Settings\Administrator\Desktop"

Microsoft Windows XP Professional Service Pack 3 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

There is no connection to network.

Attempt to access Google IP returned error: Google IP is unreachable

Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

Windows Firewall:

=============

sharedaccess Service is not running. Checking service configuration:

The start type of sharedaccess service is OK.

The ImagePath of sharedaccess service is OK.

The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:

The start type of BITS service is OK.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

AegisP(10) Gpc(3) IPSec(5) mfetdi2k(8) NetBT(6) PSched(7) Tcpip(4)

0x0A0000000500000001000000020000000300000004000000080000000600000007000000090000000A000000

IpSec Tag value is correct.

**** End of log ****


Go to Start > Run > copy and paste this in > services.msc > click OK

Make sure this service is running and set to Automatic.

Windows Firewall/Internet Connection Sharing (ICS)

-------------------------------------

Let me know, MrC


Got this error

Could not start Windows Firewall/Internet Connection Sharing (ICS) service on local computer.

Error 10050: A socket operation encountered a dead network.


Use SystemLook as before but use this code:

:reg

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess /s

Post back the log......MrC


MrC

Here is the log:

SystemLook 30.07.11 by jpshortstuff

Log created at 21:43 on 12/03/2012 by Administrator

Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess]

"DependOnGroup"=" "

"DependOnService"="Netman WinMgmt"

"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."

"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"

"ErrorControl"= 0x0000000001 (1)

"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"

"ObjectName"="LocalSystem"

"Start"= 0x0000000002 (2)

"Type"= 0x0000000020 (32)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch]

"Epoch"= 0x0000002cd5 (11477)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters]

"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy]

(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices]

(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static]

(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System]

"clr_optimization_v4.0.30319_32-2"="V4.0|Action=Block|Dir=Out|App=C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe|Svc=clr_optimization_v4.0.30319_32|Name=Block traffic for clr_optimization_v4.0.30319_32|"

"clr_optimization_v4.0.30319_32-1"="V4.0|Action=Block|Dir=In|App=C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe|Svc=clr_optimization_v4.0.30319_32|Name=Block traffic for clr_optimization_v4.0.30319_32|"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"5985:TCP"="5985:TCP:*:Disabled:Windows Remote Management "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Setup]

"ServiceUpgrade"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]

"All"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Enum]

"0"="Root\LEGACY_SHAREDACCESS\0000"

"Count"= 0x0000000001 (1)

"NextInstance"= 0x0000000001 (1)

-= EOF =-

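Added example (editor-supplied Python, not part of the thread or of SystemLook): a checker for the ":reg" dump above. It parses the key/value lines, compares the SharedAccess service registration (Start, Type, ObjectName, ImagePath, DependOnService, ServiceDll) against assumed XP SP3 defaults (the same values the clean dump shows), and separately lists firewall exceptions whose display name is not a Windows resource string and any GloballyOpenPorts entries. The sample is a trimmed copy of Rick's dump; the expected-value table and all function names are mine.

```python
import re

# Constructed sample input: the relevant keys copied from the SystemLook ":reg" dump
# of the SharedAccess service posted above (Description and the empty keys omitted).
SHAREDACCESS_DUMP = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess]
"DependOnGroup"=" "
"DependOnService"="Netman WinMgmt"
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"= 0x0000000001 (1)
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Start"= 0x0000000002 (2)
"Type"= 0x0000000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
(No values found)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP"="5985:TCP:*:Disabled:Windows Remote Management "
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]*)"=\s*(?:"(?P<str>.*)"|0x(?P<hex>[0-9A-Fa-f]+)\s*\(\d+\))\s*$')

def parse_reg_dump(text):
    """Turn SystemLook ':reg' output into {key_path: {value_name: value}}.
    REG_DWORD values come back as int, everything else as the quoted string."""
    keys, current = {}, None
    for line in text.splitlines():
        k = KEY_RE.match(line)
        if k:
            current = keys.setdefault(k["key"], {})
            continue
        v = VAL_RE.match(line)
        if v and current is not None:
            current[v["name"]] = v["str"] if v["str"] is not None else int(v["hex"], 16)
    return keys

SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess"
# Assumed known-good XP SP3 registration for the service (Start 2 = Automatic,
# Type 0x20 = shared-process service hosted by svchost); matches the clean dump above.
EXPECTED = {
    SVC: {"Start": 2, "Type": 32, "ObjectName": "LocalSystem",
          "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
          "DependOnService": "Netman WinMgmt"},
    SVC + r"\Parameters": {"ServiceDll": r"%SystemRoot%\System32\ipnathlp.dll"},
}

def audit_sharedaccess(text):
    """Report service values that deviate from EXPECTED, firewall exceptions that are
    not Windows' own (display names that are '@resource' strings), and open ports."""
    keys = parse_reg_dump(text)
    mismatches = []
    for key, wanted in EXPECTED.items():
        actual = keys.get(key, {})
        for name, want in wanted.items():
            if actual.get(name) != want:
                mismatches.append((key.rsplit("\\", 1)[-1], name, actual.get(name), want))
    third_party, open_ports = [], []
    for key, values in keys.items():
        prof = re.search(r"\\FirewallPolicy\\([^\\]+)\\", key)
        if not prof:
            continue
        profile = prof.group(1)
        if key.endswith(r"\AuthorizedApplications\List"):
            for entry in values.values():
                parts = entry.rsplit(":", 3)  # rsplit keeps the drive-letter colon in the path
                if len(parts) != 4:
                    continue
                path, scope, state, label = parts
                if state.lower() == "enabled" and not label.startswith("@"):
                    third_party.append({"profile": profile, "path": path, "scope": scope, "name": label})
        elif key.endswith(r"\GloballyOpenPorts\List"):
            for entry in values.values():
                port, proto, scope, state, label = entry.split(":", 4)
                open_ports.append({"profile": profile, "port": int(port), "proto": proto,
                                   "scope": scope, "state": state, "name": label.strip()})
    return {"service_mismatches": mismatches, "third_party_exceptions": third_party, "open_ports": open_ports}

if __name__ == "__main__":
    report = audit_sharedaccess(SHAREDACCESS_DUMP)
    for section, items in report.items():
        print(section, items or "none")
```

On this dump it reports no service mismatches, one third-party exception (the McAfee framework service) and one port entry (5985/TCP, disabled), which agrees with MrC's reading that the service registration is intact. Error 10050 (WSAENETDOWN, "dead network") then points at the TCP/IP or Winsock stack rather than at the service itself, which is what the netsh resets later in the thread target.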

OK, it's late here.....I'll look this over and get back to you tomorrow.

MrC


OK, bunch of things to try:

Check to see that these services are running and set to Automatic

wuauserv Service is not running. Checking service configuration: Automatic Updates <------service name

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration: Background Intelligent Transfer Service <----service name

The start type of BITS service is OK.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

-----------------------------------

Right click on My Computer > Properties > Hardware > Device Manager > View (on top) > Show Hidden devices

See if there's any alerts next to any of the devices.

Investigate any that are shown

-----------------------------------

Try to repair the connection again.

Click on the Start button.

Click on the Settings menu option.

Click on the Control Panel option.

When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.

You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it.

Click on the Repair menu option.

-------------------------------------

Go to Start > Control Panel, and choose Network Connections.

Right click on your default connection, usually Local Area Connection for cable and DSL or Dial-up Connection if you are using Dial-up, and choose Properties.

Click the Networking tab

Double-click on the Internet Protocol (TCP/IP) item.

Write down the settings in case you should need to change them back.

Select the radio button that says "Obtain DNS servers automatically".

Click OK twice to get out of the properties screen and restart your computer.

If not prompted to reboot go ahead and reboot manually.

----------------------------------

Go to Start > Run > type in CMD to open a command prompt.

Type in the following command in the command prompt and press Enter.

netsh int ip reset reset.log

Then also type the following command and hit enter.

netsh winsock reset catalog

Once that completes then restart the system and see then if you are able to get online

------------------------------------

Go to Start > Run then type: CMD into the run box

You will now see a black DOS-like screen.

Type the following at the command prompt:

IPconfig /release. (Note the space between the "g" and the slash / it needs to be there)

Hit enter Then type:

IPconfig /Renew (Note the space between the "g" and the slash / it needs to be there)

Hit enter

Let me know, MrC


The wuauserv service was set to Automatic but was not running and would not start.

Same with the BITS Service.

There were no alerts on any devices in Device Manager.

I could not Repair the Network Connection

Both netsh commands ran successfully (no errors) I was instructed to Reboot the computer to complete the winsock reset.

After Restart:

I ran IPconfig /release (the comment was that the IP address had already been released).

Ran IPconfig /renew; it completed with no comment.

I do have Internet Access Now but I had an alert about cli.exe having a problem so I closed it. I can now update Windows, McAfee and Malwarebytes, but will wait for your next instruction before doing so.

Thanks,

Rick


Great!

What part of the fix do you think did the trick?

-------------------------------------

cli.exe belongs to ATI Technologies:

http://www.systemloo...arch=cli.exe&s=

Here it is in your logs:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

We can disable it if necessary, I've attached a reg file to do that.

Just download and unzip it, right click on it and select merge.

---------------------------------------

For the BITS and Windows update problems......

Please download and run WUS_Fix.exe: http://users.telenet...ols/WUS_Fix.exe

This should restore the default registry settings related with BITS and Automatic updates.

You won't see much happen.

Reboot and run another "Farbar Service Scanner" scan and post the log.

MrC


After running the 2 fixes I rebooted. I turned off System Restore because McAfee detected the RootKit Zero.Access in the System Restore Folder and I knew from a past experience that Turning System Restore Off deletes those files. So Far after the restart McAfee has not detected anything harmful trying to launch.

Here is the FSS log:

Farbar Service Scanner Version: 01-03-2012

Ran by Administrator (administrator) on 13-03-2012 at 13:44:42

Running from "C:\Documents and Settings\Administrator\Desktop"

Microsoft Windows XP Professional Service Pack 3 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

Srservice Service is not running. Checking service configuration:

The start type of Srservice service is OK.

The ImagePath of Srservice service is OK.

The ServiceDll of Srservice service is OK.

sr Service is not running. Checking service configuration:

The start type of sr service is set to Disabled. The default start type is Boot.

The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".

System Restore Disabled Policy:

========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR"=DWORD:1

Security Center:

============

Windows Update:

============

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

AegisP(10) Gpc(3) IPSec(5) mfetdi2k(8) NetBT(6) PSched(7) Tcpip(4)

0x0A0000000500000001000000020000000300000004000000080000000600000007000000090000000A000000

IpSec Tag value is correct.

**** End of log ****


OK....Looks Good!!

You can turn system restore back on now and create a restore point.

How are things running?? MrC


MrC,

System Restore is Enabled and I have created a Restore Point.

I have installed Windows Updates and have updated McAfee and MalwareBytes Pro.

Everything appears to be good. I am going to perform a Full Scan with MalwareBytes and if nothing is found I think we are finished with this problem.

I want to thank you for helping me with this. You have been a blessing.

Rick


MrC,

MalwareBytes completed the Full Scan and found no Malicious objects. Everything seems to be acting normal now.

Thanks again for your help.


OK Good

A little clean up to do.

Please Uninstall ComboFix:

Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

---------------------------------

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

----------------------------------

Your Java is out of date, older versions are vulnerable to malware.

Go to your control panels add/remove programs and uninstall:

Java™ 6 Update 24

Then download and install the latest version: Version 6 Update 31

http://www.java.com/...load/manual.jsp <---latest version

http://www.java.com/...d/installed.jsp <---verify your Java

-----------------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.
