RickWeaver (Author) Posted March 13, 2012 ID:534373

MrC,

I don't have a way to bypass the wireless easily. If you think the result would be different I can take this PC apart and move it downstairs and set it up close enough to my cable modem to connect straight to the modem.

I ran the files you asked me to and here are the results:

SystemLook 30.07.11 by jpshortstuff
Log created at 19:28 on 12/03/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"
C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys --a---- 138496 bytes [15:07 16/10/2008] [15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099
C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys --a---- 138496 bytes [15:45 14/10/2011] [13:41 17/08/2011] F6B7B1ECD7B41736BDB6FF4B092BCB79
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys --a---- 138496 bytes [11:48 20/06/2008] [11:48 20/06/2008] D6EE6014241D034E63C49A50CB2B442A
C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys --a---- 138496 bytes [22:16 20/03/2009] [10:34 14/08/2008] 4D43E74F2A1239D53929B82600F1971C
C:\WINDOWS\$NtUninstallKB2509553$\afd.sys -----c- 138496 bytes [13:57 18/05/2011] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
C:\WINDOWS\$NtUninstallKB2592799$\afd.sys -----c- 138496 bytes [15:59 14/10/2011] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\$NtUninstallKB951748$\afd.sys -----c- 138112 bytes [22:43 20/03/2009] [05:49 14/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\$NtUninstallKB956803$\afd.sys -----c- 138496 bytes [22:45 20/03/2009] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\system32\dllcache\afd.sys -----c- 138496 bytes [05:49 14/04/2008] [13:49 17/08/2011] 1E44BC1E83D8FD2305F8D452DB109CF9
C:\WINDOWS\system32\drivers\afd.sys --a---- 138496 bytes [05:49 14/04/2008] [14:40 11/03/2012] 1D495EE1D3A836801D1FD816FF4A93F9

-= EOF =-

Farbar Service Scanner Version: 01-03-2012
Ran by Administrator (administrator) on 12-03-2012 at 19:33:46
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2008-04-14 00:49] - [2012-03-11 09:40] - 0138496 ____A () 1D495EE1D3A836801D1FD816FF4A93F9
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(10) Gpc(3) IPSec(5) mfetdi2k(8) NetBT(6) PSched(7) Tcpip(4)
0x0A0000000500000001000000020000000300000004000000080000000600000007000000090000000A000000
IpSec Tag value is correct.

**** End of log ****
MrCharlie Posted March 13, 2012 ID:534379

Using ComboFix:

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
4. If ComboFix wants to update.....please allow it to.

FCopy::
C:\WINDOWS\system32\dllcache\afd.sys | C:\WINDOWS\system32\drivers\afd.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot (in case it asks to reboot)......please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC
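The two posts above do by eye what a small script can do repeatably: read the SystemLook hits for afd.sys, notice that the copy actually loaded from system32\drivers carries a different MD5 from the copy in the dllcache store and a modification stamp newer than every hotfix or uninstall copy on the disk, and restore it with ComboFix's FCopy directive. The following is an added example written for this page; it is not code from the thread or from SystemLook, ComboFix or Farbar Service Scanner. The sample lines are copied from the SystemLook log posted above, trimmed to four hits. Two assumptions are built in: the two bracketed stamps are read as [created] then [last modified], and dllcache is taken as the reference copy, as MrCharlie's FCopy line does.

```python
"""Flag a swapped network driver in SystemLook ':filefind' output and build
the ComboFix CFScript 'FCopy::' section that restores it from dllcache.

Added example, not a tool from this thread. The sample lines are copied
from the SystemLook log posted above (trimmed to four hits); the two
bracketed stamps are read as [created] [last modified], which is an
assumption about SystemLook's column order.
"""
import re
from datetime import datetime

# Constructed input: excerpt of the posted SystemLook log.
SYSTEMLOOK_FILEFIND = r"""
Searching for "afd.sys"
C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys --a---- 138496 bytes [15:45 14/10/2011] [13:41 17/08/2011] F6B7B1ECD7B41736BDB6FF4B092BCB79
C:\WINDOWS\$NtUninstallKB2592799$\afd.sys -----c- 138496 bytes [15:59 14/10/2011] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\system32\dllcache\afd.sys -----c- 138496 bytes [05:49 14/04/2008] [13:49 17/08/2011] 1E44BC1E83D8FD2305F8D452DB109CF9
C:\WINDOWS\system32\drivers\afd.sys --a---- 138496 bytes [05:49 14/04/2008] [14:40 11/03/2012] 1D495EE1D3A836801D1FD816FF4A93F9
-= EOF =-
"""

# path  attrs  size bytes  [created]  [modified]  MD5
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """One dict per hit; timestamps become datetime, MD5 is upper-cased."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, EOF marker, blank line
        hit = m.groupdict()
        hit["size"] = int(hit["size"])
        hit["md5"] = hit["md5"].upper()
        for stamp in ("created", "modified"):
            hit[stamp] = datetime.strptime(hit[stamp], "%H:%M %d/%m/%Y")
        hits.append(hit)
    return hits


def _find(hits, fragment):
    for hit in hits:
        if fragment in hit["path"].lower():
            return hit
    return None


def assess(hits):
    """Compare the loaded driver with the dllcache copy (the reference the
    FCopy directive uses) and list every reason it looks tampered with."""
    live = _find(hits, "\\system32\\drivers\\")
    ref = _find(hits, "\\system32\\dllcache\\")
    finding = {"live": live, "ref": ref, "reasons": []}
    if live is None or ref is None:
        finding["reasons"].append("live driver or dllcache copy missing from listing")
        return finding
    if live["md5"] != ref["md5"]:
        finding["reasons"].append(
            "MD5 %s differs from dllcache copy %s" % (live["md5"], ref["md5"]))
    if live["size"] != ref["size"]:
        finding["reasons"].append("size differs from dllcache copy")
    others = [h["modified"] for h in hits if h is not live]
    if others and live["modified"] > max(others):
        # Every hotfix/backup copy carries an older build stamp than the live file.
        finding["reasons"].append(
            "last modified %s, later than every other copy on disk"
            % live["modified"].strftime("%d/%m/%Y %H:%M"))
    return finding


def cfscript_fcopy(finding):
    """ComboFix CFScript section: 'FCopy::' then one 'source | destination' line."""
    if not finding["reasons"]:
        return ""
    return "FCopy::\n%s | %s\n" % (finding["ref"]["path"], finding["live"]["path"])


if __name__ == "__main__":
    result = assess(parse_filefind(SYSTEMLOOK_FILEFIND))
    for reason in result["reasons"]:
        print("suspect:", reason)
    print(cfscript_fcopy(result), end="")
```

The comparison is only as trustworthy as the reference: dllcache is itself a file on the infected disk. In this thread that is covered by a second, independent check: after the copy, Farbar Service Scanner reports the restored driver's MD5 as legit against its own list of known-good hashes.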
RickWeaver (Author) Posted March 13, 2012 ID:534390

Still no internet and ComboFix found the RootKit Zero.Access again. Here is the ComboFix log:

ComboFix 12-03-10.02 - Administrator 03/12/2012 20:16:28.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1459 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
.
c:\windows\system32\dllcache\afd.sys --> c:\windows\system32\drivers\afd.sys
.
((((((((((((((((((((((((( Files Created from 2012-02-13 to 2012-03-13 )))))))))))))))))))))))))))))))
.
.
2012-03-11 17:01 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-03-11 16:18 . 2008-04-14 00:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-11 16:05 . 2012-03-11 16:05 -------- d-----w- C:\Malwarebytes
2012-03-11 14:39 . 2012-03-11 14:39 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-10 15:53 . 2012-03-10 15:53 -------- d-----w- C:\db7192cfa1af5015e0615d00
2012-03-10 15:33 . 2012-03-10 15:33 -------- d-----w- C:\6e08c0a2436134c4733bee5ca36ca3
2012-03-04 09:01 . 2012-03-04 09:01 -------- d-----w- C:\433ac744c28f5b209cd11ad1
2012-03-04 00:23 . 2012-03-04 00:23 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-03-04 00:23 . 2012-03-04 00:23 -------- d-----w- c:\program files\TRENDnet
2012-03-03 21:03 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-03 21:03 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-03 20:57 . 2012-03-04 00:23 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2012-03-03 20:57 . 2008-02-27 16:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys
2012-03-03 20:57 . 2009-08-06 04:23 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2008-04-14 06:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2008-04-14 10:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-17 19:46 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-16 12:22 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec
2011-04-14 16:26 . 2011-05-19 15:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-11_17.05.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-13 01:15 . 2012-03-13 01:15 16384 c:\windows\Temp\Perflib_Perfdata_750.dat
- 2009-03-20 22:32 . 2003-02-21 01:09 77824 c:\windows\system32\URTTemp\mscorsn.dll
+ 2009-03-20 22:32 . 2003-02-21 00:09 77824 c:\windows\system32\URTTemp\mscorsn.dll
+ 2009-03-20 22:32 . 2003-02-21 00:06 155648 c:\windows\system32\URTTemp\mscoree.dll
- 2009-03-20 22:32 . 2003-02-21 01:06 155648 c:\windows\system32\URTTemp\mscoree.dll
- 2009-03-20 22:32 . 2003-02-21 01:06 282624 c:\windows\system32\URTTemp\fusion.dll
+ 2009-03-20 22:32 . 2003-02-21 00:06 282624 c:\windows\system32\URTTemp\fusion.dll
+ 2009-03-20 22:32 . 2003-02-21 00:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll
- 2009-03-20 22:32 . 2003-02-21 01:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-649UB\WlanCU.exe [2012-3-3 368640]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/18/2011 2:06 PM 88544]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2011 12:02 PM 652360]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/18/2011 2:06 PM 145936]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/19/2011 12:40 PM 2519040]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/3/2012 3:57 PM 20480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2011 12:02 PM 20464]
R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [3/3/2012 3:57 PM 588032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-649UB\WLSVC.exe [3/3/2012 7:23 PM 167936]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/18/2011 2:06 PM 85152]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ATKFUSService
ScanUSBEMPIA
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-13 c:\windows\Tasks\User_Feed_Synchronization-{EA4F660E-E6D3-46ED-8BBF-99549F8DE551}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dogpile.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4zhz37dx.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-12 20:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\
.
[HKEY_USERS\S-1-5-21-1844237615-507921405-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\
.
Completion time: 2012-03-12 20:25:36
ComboFix-quarantined-files.txt 2012-03-13 01:25
ComboFix2.txt 2012-03-12 23:40
ComboFix3.txt 2012-03-11 22:50
ComboFix4.txt 2012-03-11 18:15
ComboFix5.txt 2012-03-13 01:10
.
Pre-Run: 62,275,620,864 bytes free
Post-Run: 62,272,503,808 bytes free
.
- - End Of File - - E53A67D8DFF113E68AFF36194332BEF3
MrCharlie Posted March 13, 2012 ID:534397

I don't see anything in the log about the rootkit.
You did reboot the computer right?

-------------------

Run RogueKiller again, post the log.

--------------------

Run Farbar Service Scanner again and post the log.

MrC
RickWeaver (Author) Posted March 13, 2012 ID:534399

Every time I've run ComboFix it has detected the RootKit Zero.Access and it pops up an alert that it has to reboot the computer. I click the OK button and after a short time it alerts again that it is going to reboot the computer and then it restarts. When I select Administrator it comes up to my desktop with no icons and the ComboFix.exe command console window open and runs the complete scan from the beginning and opens the log when it is finished.

Here are the logs:

RogueKiller V7.3.1 [03/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Administrator [Admin rights]
Mode: Scan -- Date: 03/12/2012 20:52:57

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800JD-75MSA3 +++++
--- User ---
[MBR] a456f312c0e435782971f94dba7cdfdf
[BSP] bec400d75a08f6cdd3306fcc22e6a067 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76293 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[8].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;
RKreport[6].txt ; RKreport[7].txt ; RKreport[8].txt

Farbar Service Scanner Version: 01-03-2012
Ran by Administrator (administrator) on 12-03-2012 at 20:53:48
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(10) Gpc(3) IPSec(5) mfetdi2k(8) NetBT(6) PSched(7) Tcpip(4)
0x0A0000000500000001000000020000000300000004000000080000000600000007000000090000000A000000
IpSec Tag value is correct.

**** End of log ****
MrCharlie Posted March 13, 2012 ID:534401

Go to Start > Run > copy and paste this in > services.msc > click OK

Make sure this service is running and set to Automatic:

Windows Firewall/Internet Connection Sharing (ICS)

-------------------------------------

Let me know, MrC
RickWeaver (Author) Posted March 13, 2012 ID:534402

Got this error:

Could not start Windows Firewall/Internet Connection Sharing (ICS) service on local computer.
Error 10050: A socket operation encountered a dead network.
MrCharlie Posted March 13, 2012 ID:534404

Use SystemLook as before but use this code:

:reg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess /s

Post back the log......MrC
RickWeaver (Author) Posted March 13, 2012 ID:534406

MrC

Here is the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 21:43 on 12/03/2012 by Administrator
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess]
"DependOnGroup"=" "
"DependOnService"="Netman WinMgmt"
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"= 0x0000000001 (1)
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Start"= 0x0000000002 (2)
"Type"= 0x0000000020 (32)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch]
"Epoch"= 0x0000002cd5 (11477)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System]
"clr_optimization_v4.0.30319_32-2"="V4.0|Action=Block|Dir=Out|App=C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe|Svc=clr_optimization_v4.0.30319_32|Name=Block traffic for clr_optimization_v4.0.30319_32|"
"clr_optimization_v4.0.30319_32-1"="V4.0|Action=Block|Dir=In|App=C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe|Svc=clr_optimization_v4.0.30319_32|Name=Block traffic for clr_optimization_v4.0.30319_32|"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP"="5985:TCP:*:Disabled:Windows Remote Management "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Setup]
"ServiceUpgrade"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Enum]
"0"="Root\LEGACY_SHAREDACCESS\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)

-= EOF =-
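The registry dump above is what Farbar Service Scanner was summarising when it said the start type, ImagePath and ServiceDll of sharedaccess were OK: the service is set to Automatic (Start 2), hosted by svchost.exe in the netsvcs group, and implemented by ipnathlp.dll. It also holds the firewall exception lists, which is where an analyst looks for programs or ports a piece of malware has quietly authorised. The following added example, written for this page and not code from the thread or from SystemLook or FSS, parses a SystemLook :reg dump into a dictionary, checks the service triplet against those stock values and lists every exception in the Standard profile. The sample dump is an excerpt of the log above; treating Start 2 as SERVICE_AUTO_START is standard Windows service semantics.

```python
"""Check a SystemLook ':reg' dump of the SharedAccess (Windows Firewall/ICS)
service key against stock values and list the firewall exceptions it holds.

Added example, not from the thread. The dump below is an excerpt of the
SystemLook log posted above; the expected values are the ones Farbar Service
Scanner reported as OK earlier in the thread (Start 2 is SERVICE_AUTO_START).
"""
import re

# Constructed input: excerpt of the posted SystemLook ':reg' output.
SYSTEMLOOK_REG = r'''
========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess]
"DependOnService"="Netman WinMgmt"
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"= 0x0000000001 (1)
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Start"= 0x0000000002 (2)
"Type"= 0x0000000020 (32)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP"="5985:TCP:*:Disabled:Windows Remote Management "
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="string"   or   "Name"= 0x0000000002 (2)
VAL_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:"(?P<str>[^"]*)"|0x[0-9A-Fa-f]+\s*\((?P<num>-?\d+)\))\s*$')

SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess"
SERVICE_AUTO_START = 2

# (key, value name) -> value a stock XP SP3 SharedAccess service carries
EXPECTED = {
    (SVC, "Start"): SERVICE_AUTO_START,
    (SVC, "ImagePath"): r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    (SVC + "\\Parameters", "ServiceDll"): r"%SystemRoot%\System32\ipnathlp.dll",
}


def parse_reg_dump(text):
    """{key path: {value name: str | int}}; '(No values found)' keys map to {}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys[current] = {}
            continue
        vm = VAL_RE.match(line)
        if vm and current is not None:
            value = vm.group("str") if vm.group("num") is None else int(vm.group("num"))
            keys[current][vm.group("name")] = value
    return keys


def check_service(keys):
    """Mismatches as (key, value name, found, expected); empty list means OK."""
    problems = []
    for (key, name), want in EXPECTED.items():
        got = keys.get(key, {}).get(name)
        same = (got.lower() == want.lower()) if isinstance(got, str) else (got == want)
        if not same:
            problems.append((key, name, got, want))
    return problems


def firewall_exceptions(keys, profile="StandardProfile"):
    """Every authorized application and globally open port for a profile.
    Values look like 'target:scope:Enabled:label'; split from the right
    because the target itself may contain a drive-letter colon."""
    base = "%s\\Parameters\\FirewallPolicy\\%s" % (SVC, profile)
    found = []
    for kind in ("AuthorizedApplications", "GloballyOpenPorts"):
        for value in keys.get("%s\\%s\\List" % (base, kind), {}).values():
            target, scope, state, label = value.rsplit(":", 3)
            found.append({"kind": kind, "target": target, "scope": scope,
                          "enabled": state.lower() == "enabled", "label": label.strip()})
    return found


if __name__ == "__main__":
    parsed = parse_reg_dump(SYSTEMLOOK_REG)
    print("service config problems:", check_service(parsed) or "none")
    for exc in firewall_exceptions(parsed):
        print("%-22s %-8s %s" % (exc["kind"], "on" if exc["enabled"] else "off", exc["target"]))
```

On this machine the check comes back clean, which is consistent with the thread: the 10050 "dead network" error when starting the service was not a configuration problem with the key but the broken Winsock/AFD stack underneath it, and the service starts once that stack is repaired.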
MrCharlie Posted March 13, 2012 ID:534409

OK, it's late here.....I'll look this over and get back to you tomorrow.

MrC
RickWeaver (Author) Posted March 13, 2012 ID:534410

Thanks, MrC

Rick
MrCharlie Posted March 13, 2012 ID:534484

OK, bunch of things to try:

Check to see that these services are running and set to Automatic:

wuauserv Service is not running. Checking service configuration: Automatic Updates <------service name
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration: Background Intelligent Transfer Service <----service name
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

-----------------------------------

Right click on My Computer > Properties > Hardware > Device Manager > View (on top) > Show Hidden devices
See if there's any alerts next to any of the devices.
Investigate any that are shown.

-----------------------------------

Try to repair the connection again.

Click on the Start button.
Click on the Settings menu option.
Click on the Control Panel option.
When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it.
Click on the Repair menu option.

-------------------------------------

Go to Start > Control Panel, and choose Network Connections.
Right click on your default connection, usually Local Area Connection for cable and DSL or Dial-up Connection if you are using Dial-up, and choose Properties.
Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item.
Write down the settings in case you should need to change them back.
Select the radio button that says "Obtain DNS servers automatically".
Click OK twice to get out of the properties screen and restart your computer.
If not prompted to reboot go ahead and reboot manually.

----------------------------------

Go to Start > Run > type in CMD to open a command prompt.
Type in the following command in the command prompt and press Enter.

netsh int ip reset reset.log

Then also type the following command and hit enter.

netsh winsock reset catalog

Once that completes then restart the system and see then if you are able to get online.

------------------------------------

Go to Start > Run then type: CMD into the run box
You will now see a black DOS-like screen.
Type the following at the command prompt:

IPconfig /release (Note the space between the "g" and the slash / it needs to be there)

Hit enter. Then type:

IPconfig /Renew (Note the space between the "g" and the slash / it needs to be there)

Hit enter.

Let me know, MrC
RickWeaver (Author) Posted March 13, 2012 ID:534492

The wuauserv service was set to Automatic but was not running and would not start. Same with the BITS Service.

There were no alerts on any devices in Device Manager.

I could not Repair the Network Connection.

Both netsh commands ran successfully (no errors). I was instructed to reboot the computer to complete the winsock reset.

After Restart:
I ran IPconfig /release (the comment was that the IP address had already been released).
Ran IPconfig /renew; it completed with no comment.

I do have Internet Access now, but I had an alert about cli.exe having a problem so I closed it. I can now update Windows, McAfee and Malwarebytes, but will wait for your next instruction before doing so.

Thanks,
Rick
MrCharlie Posted March 13, 2012 ID:534514

Great! What part of the fix do you think did the trick?

-------------------------------------

cli.exe belongs to ATI Technologies:
http://www.systemloo...arch=cli.exe&s=

Here it is in your logs:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

We can disable it if necessary, I've attached a reg file to do that.
Just download and unzip it, right click on it and select merge.

---------------------------------------

For the BITS and Windows update problems......

Please download and run WUS_Fix.exe: http://users.telenet...ols/WUS_Fix.exe
This should restore the default registry settings related with BITS and Automatic updates.
You won't see much happen.

Reboot and run another "Farbar Service Scanner" scan and post the log.

MrC
RickWeaver (Author) Posted March 13, 2012 ID:534554

After running the 2 fixes I rebooted. I turned off System Restore because McAfee detected the RootKit Zero.Access in the System Restore folder and I knew from a past experience that turning System Restore off deletes those files. So far after the restart McAfee has not detected anything harmful trying to launch.

Here is the FSS log:

Farbar Service Scanner Version: 01-03-2012
Ran by Administrator (administrator) on 13-03-2012 at 13:44:42
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.

sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".

System Restore Disabled Policy:
========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=DWORD:1

Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(10) Gpc(3) IPSec(5) mfetdi2k(8) NetBT(6) PSched(7) Tcpip(4)
0x0A0000000500000001000000020000000300000004000000080000000600000007000000090000000A000000
IpSec Tag value is correct.

**** End of log ****
MrCharlie Posted March 13, 2012 ID:534557

OK....Looks Good!!

You can turn system restore back on now and create a restore point.

How are things running?? MrC
RickWeaver (Author) Posted March 13, 2012 ID:534568

MrC,

System Restore is Enabled and I have created a Restore Point.
I have installed Windows Updates and have updated McAfee and MalwareBytes Pro.
Everything appears to be good. I am going to perform a Full Scan with MalwareBytes and if nothing is found I think we are finished with this problem.

I want to thank you for helping me with this. You have been a blessing.

Rick
MrCharlie Posted March 13, 2012 ID:534569

OK, let me know.....MrC
RickWeaver (Author) Posted March 13, 2012 ID:534659

MrC,

MalwareBytes completed the Full Scan and found no Malicious objects. Everything seems to be acting normal now.

Thanks again for your help.
MrCharlie Posted March 13, 2012 ID:534662

OK, good. A little clean up to do.

Please Uninstall ComboFix:
Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /
Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

---------------------------------

Please download OTL from one of the links below:
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com
Save it to your desktop.
Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)
Any other programs or logs you can manually delete.

----------------------------------

Your Java is out of date, older versions are vulnerable to malware.
Go to your control panel's Add/Remove Programs and uninstall:
Java™ 6 Update 24
Then download and install the latest version: Version 6 Update 31
http://www.java.com/...load/manual.jsp <---latest version
http://www.java.com/...d/installed.jsp <---verify your Java

-----------------------------------------

Any questions...please post back.
If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.
Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC
LDTate Posted March 14, 2012 ID:534848

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.