
So I got this virus the other night. I don't know how I got it, but it attacked fast. At first it didn't seem like a very serious virus, but after it started closing down programs and whatnot, I realized it was a big one. It eventually made my computer blue screen, and then attempted to reboot my computer using the AV security system. I did an immediate emergency power off (holding the power button) and rebooted it into safe mode.

Now, prior to this, my internet worked fine until the virus closed it down. I still had a connection at least, I just couldn't open the program. So after I ran my computer in safe mode, I ran SUPERAntiSpyware and Malwarebytes Anti-Malware and deleted the virus(es). I ran the virus scans multiple times after rebooting to double and triple check that the viruses were gone, and they were.

However, when I went to go back on the internet, it didn't work. My connection said "Limited Connectivity" and when I checked the status of it, it was stuck at "Identifying". I did some research and came across people saying it could have been my proxy server, so I went into Firefox and fixed that. It was still off in IE however, so there was nothing to change for that browser. This ended up not solving the problem.

THEN I read that it changes your HOSTS file, so I went in and did that. Because I was browsing on my phone, I couldn't copy the print in the file, so I entered it in manually exactly as it appeared. That didn't work.

I really don't know what else to do. My internet doesn't work in safe mode with networking either. I could download ComboFix and whatnot on this computer and put it onto a USB and load it on the troubled computer, but I don't see what good that will do because the virus is gone. I just can't connect to the damn internet.

I would REALLY appreciate some advice as to how to get my internet to start working again. And I could really use it ASAP, as I use my laptop for school.

So, to recap:

I got the virus

Deleted the virus

Rebooted the computer

Internet didn't work in normal or safe mode with networking

Stumped on what to do

P.S. ... I REAAAALLLLY hate viruses. I don't know why, but I've been getting hit with these viruses the past few nights, but I was able to get rid of them. This one put up a much tougher fight however.

I tried downloading DDS (on this computer I'm on now) and the link doesn't work, so I can't really provide you with a scan, unless you can provide me with another link.

Well, I got it to work. Here's the log:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24

Run by Matthew at 0:17:07 on 2011-11-19

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2046.1434 [GMT -8:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\Ati2evxx.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Windows\WindowsMobile\wmdc.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Windows\system32\svchost.exe -k WindowsMobile

C:\Windows\system32\SearchIndexer.exe

C:\Users\Matthew\AppData\Local\Facebook\Update\FacebookUpdate.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Nero\Update\NASvc.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [EPSON NX410 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifca.exe /fu "c:\windows\temp\E_S9866.tmp" /EF "HKCU"

uRun: [PlayNC Launcher]

uRun: [EPSON NX410 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fatifca.exe /fu "c:\windows\temp\E_SA3F3.tmp" /EF "HKCU"

uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1

uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden

uRun: [Facebook Update] "c:\users\matthew\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver

uRun: [Akamai NetSession Interface] c:\users\matthew\appdata\local\akamai\netsession_win.exe

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [LanzarP2006] "c:\users\matthew\appdata\local\temp\p2006tmp\Install.exe" /SETUP:"/l0x0009"

mRun: [LTCM Client] c:\program files\ltcm client\ltcmClient.exe /startup

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [NBAgent] "c:\program files\nero\nero 10\nero backitup\NBAgent.exe" /WinStart

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: EnableLinkedConnections = 1 (0x1)

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: Interfaces\{5A171A3E-8CC4-4792-A673-D531B4C38BAB}\2375942554235303 : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{5A171A3E-8CC4-4792-A673-D531B4C38BAB}\2656C6B696E6534376 : DhcpNameServer = 192.168.2.1 68.105.28.12 68.105.29.12 68.105.28.11

TCP: Interfaces\{5A171A3E-8CC4-4792-A673-D531B4C38BAB}\4656661657C647 : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{5A171A3E-8CC4-4792-A673-D531B4C38BAB}\95F657E676341647D27657563747 : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\matthew\appdata\roaming\mozilla\firefox\profiles\ild90rp5.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://sandiego.craigslist.org/search/sss?query=240sx&catAbb=cto&srchType=T&minAsk=&maxAsk=&hasPic=1

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\matthew\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll

FF - plugin: c:\windows\system32\wat\npWatWeb.dll

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]

R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2011-3-29 598312]

R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-5-4 1343400]

.

=============== Created Last 30 ================

.

2011-11-17 08:31:19 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{9bb7dd3d-4c06-49cc-b8d3-3908fda7d245}\offreg.dll

2011-11-17 07:46:00 -------- d-----w- c:\users\matthew\appdata\local\Adobe

2011-11-16 11:13:42 -------- d-----w- c:\users\matthew\appdata\roaming\DEE13

2011-11-16 11:13:26 96256 ----a-w- c:\users\matthew\appdata\roaming\microsoft\fba8\7E43.tmp

2011-11-16 11:13:07 -------- d-----w- c:\users\matthew\appdata\roaming\R9hYXwjUVlBzNc1

2011-11-16 11:13:07 -------- d-----w- c:\users\matthew\appdata\roaming\qvD2obF4pGsJdKf

2011-11-16 11:08:18 96256 ----a-w- c:\users\matthew\appdata\roaming\microsoft\fba8\708D.tmp

2011-11-16 11:07:40 -------- d-----w- c:\users\matthew\appdata\roaming\SA1ivD2on4m5Q

2011-11-16 11:07:39 -------- d-----w- c:\users\matthew\appdata\roaming\jgRZqhYXwUeOtPy

2011-11-16 10:58:25 -------- d-----w- c:\users\matthew\appdata\roaming\888DE

2011-11-16 10:58:09 -------- d-----w- c:\users\matthew\appdata\roaming\OllOONttxP

2011-11-16 10:58:09 -------- d-----w- c:\users\matthew\appdata\roaming\JuuucSS1ibD3nGa

2011-11-16 10:58:01 -------- d-----w- c:\users\matthew\appdata\roaming\PIBBttzPNyc

2011-11-16 10:58:00 -------- d-----w- c:\users\matthew\appdata\roaming\GhhYYXwwkU

2011-11-16 10:58:00 -------- d-----w- c:\users\matthew\appdata\roaming\C0yyccS1ivD3nFa

2011-11-15 11:19:21 -------- d-----w- c:\users\matthew\appdata\local\Microsoft Games

2011-11-14 09:46:57 -------- d-----w- c:\users\matthew\appdata\local\ElevatedDiagnostics

2011-11-13 11:13:58 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{9bb7dd3d-4c06-49cc-b8d3-3908fda7d245}\mpengine.dll

2011-11-13 07:18:17 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-10 06:08:31 1285488 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-10 06:08:30 708608 ----a-w- c:\program files\common files\system\wab32.dll

2011-11-10 06:08:29 2339840 ----a-w- c:\windows\system32\win32k.sys

2011-10-29 05:15:57 -------- d-----w- c:\users\matthew\appdata\roaming\Azureus

2011-10-29 05:14:49 -------- d-----w- c:\users\matthew\FrostWire

2011-10-29 05:14:47 -------- d-----w- c:\users\matthew\.frostwire5

2011-10-29 05:13:21 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-10-29 05:13:21 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2011-10-29 05:11:08 -------- d-----w- c:\program files\FrostWire 5

.

==================== Find3M ====================

.

2011-10-14 21:40:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-01 02:35:59 1798144 ----a-w- c:\windows\system32\jscript9.dll

2011-09-01 02:28:15 1126912 ----a-w- c:\windows\system32\wininet.dll

2011-09-01 02:22:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-08-27 04:43:07 571904 ----a-w- c:\windows\system32\oleaut32.dll

2011-08-27 04:43:06 233472 ----a-w- c:\windows\system32\oleacc.dll

.

============= FINISH: 0:18:31.87 ===============

Anyone?...

Bump....

Hellooooooo? I found out that I was still infected by a rootkit called ZeroAccess. I have since removed it, but the internet connection problem still exists. I've tried TDSSKiller, WinSockXPFix, and ESETSirefefRemover. I've also tried resetting my TCP and IP, since that was what was infected, but that didn't work.

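Added example, not from this thread: a Python triage helper that parses `sc qc` / `sc query` listings of the kind the poster provides later in the thread, merges each service's configuration and status blocks, decodes the WIN32_EXIT_CODE values, and lists the dependencies that never appeared in the capture. A DHCP Client stopped with exit code 1075 means one of the services it depends on has been deleted, which is consistent with an adapter that never gets an address and sits at "Limited Connectivity". The sample listing embedded in the script is constructed, modelled on the thread's output.

```python
"""Triage helper for `sc qc` / `sc query` listings (added example, not part of the thread)."""
import re

# Win32 service error codes seen in the thread, decoded (values from the Windows system error list).
WIN32_EXIT = {
    0: "no error",
    1060: "ERROR_SERVICE_DOES_NOT_EXIST (the service is not installed)",
    1068: "ERROR_SERVICE_DEPENDENCY_FAIL (a dependency service or group failed to start)",
    1075: "ERROR_SERVICE_DEPENDENCY_DELETED (a dependency service does not exist or is marked for deletion)",
    1077: "ERROR_SERVICE_NEVER_STARTED (no start has been attempted since the last boot)",
}

# Constructed sample modelled on the listing posted in the thread: DHCP Client stopped with 1075,
# one of its dependencies (nsi) captured and running, the other two never returned by sc.
SAMPLE = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: dhcp
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
        DISPLAY_NAME       : DHCP Client
        DEPENDENCIES       : NSI
                           : Tdx
                           : Afd
        SERVICE_START_NAME : NT Authority\LocalService

SERVICE_NAME: dhcp
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1075  (0x433)
        SERVICE_EXIT_CODE  : 0  (0x0)
        PID                : 0
        FLAGS              :

SERVICE_NAME: nsi
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
"""


def parse_sc(text):
    """Merge `sc qc` (configuration) and `sc query` (status) blocks into one record per service.

    Records are keyed by lower-cased service name; field names are kept as sc prints them,
    except DEPENDENCIES, which is collected into a list (continuation lines start with ':').
    """
    services, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, "[SC] ..." status lines and the free-text error lines (no colon) after them.
        if not line or line.startswith("[") or ":" not in line:
            continue
        name_match = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if name_match:
            current = services.setdefault(name_match.group(1).lower(),
                                          {"name": name_match.group(1), "dependencies": []})
            last_key = None
            continue
        if current is None:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not key:                 # continuation line such as "   : Tdx" under DEPENDENCIES
            key = last_key
        if not key:
            continue
        if key == "DEPENDENCIES":
            if value:
                current["dependencies"].append(value)
        else:
            current[key] = value
        last_key = key
    return services


def diagnose(services):
    """Report every service whose status block shows it not running, with the exit code decoded."""
    findings = []
    for name in sorted(services):
        svc = services[name]
        state = svc.get("STATE")
        if state is None or state.endswith("RUNNING"):
            continue                # only configuration captured, or healthy
        code_match = re.match(r"\d+", svc.get("WIN32_EXIT_CODE", ""))
        code = int(code_match.group()) if code_match else None
        findings.append({
            "service": svc["name"],
            "state": state,
            "exit_code": code,
            "meaning": WIN32_EXIT.get(code, "unrecognised exit code"),
            "dependencies": list(svc["dependencies"]),
            # Dependencies absent from this capture: with 1075 the deleted one is among them,
            # so these are the names to run `sc qc <name>` on next.
            "unseen_dependencies": [d for d in svc["dependencies"] if d.lower() not in services],
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_sc(SAMPLE)):
        print(f"{f['service']}: {f['state']} -> {f['exit_code']} {f['meaning']}")
        if f["unseen_dependencies"]:
            print("  query next:", ", ".join(f["unseen_dependencies"]))
```

Paste a real `sc qc` plus `sc query` capture into `parse_sc` in place of the sample to triage your own listing.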

Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (right click, choose "Run as Administrator").

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


ComboFix 11-11-27.02 - Matthew 11/27/2011 21:36:28.4.2 - x86

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2046.1331 [GMT -8:00]

Running from: F:\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-28 )))))))))))))))))))))))))))))))

.

.

2011-11-28 05:44 . 2011-11-28 05:44 -------- d-----w- c:\users\Mcx1-MATT\AppData\Local\temp

2011-11-28 05:44 . 2011-11-28 05:44 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-11-16 11:13 . 2011-11-16 11:13 -------- d-----w- c:\users\Matthew\AppData\Roaming\DEE13

2011-11-16 11:13 . 2011-11-16 11:13 96256 ----a-w- c:\users\Matthew\AppData\Roaming\Microsoft\FBA8\7E43.tmp

2011-11-16 11:13 . 2011-11-16 11:13 -------- d-----w- c:\users\Matthew\AppData\Roaming\R9hYXwjUVlBzNc1

2011-11-16 11:13 . 2011-11-16 11:13 -------- d-----w- c:\users\Matthew\AppData\Roaming\qvD2obF4pGsJdKf

2011-11-16 11:08 . 2011-11-16 11:08 96256 ----a-w- c:\users\Matthew\AppData\Roaming\Microsoft\FBA8\708D.tmp

2011-11-16 11:07 . 2011-11-16 11:07 -------- d-----w- c:\users\Matthew\AppData\Roaming\SA1ivD2on4m5Q

2011-11-16 11:07 . 2011-11-16 11:07 -------- d-----w- c:\users\Matthew\AppData\Roaming\jgRZqhYXwUeOtPy

2011-11-16 10:58 . 2011-11-16 11:07 -------- d-----w- c:\users\Matthew\AppData\Roaming\888DE

2011-11-16 10:58 . 2011-11-16 10:58 -------- d-----w- c:\users\Matthew\AppData\Roaming\OllOONttxP

2011-11-16 10:58 . 2011-11-16 10:58 -------- d-----w- c:\users\Matthew\AppData\Roaming\JuuucSS1ibD3nGa

2011-11-16 10:58 . 2011-11-16 10:58 -------- d-----w- c:\users\Matthew\AppData\Roaming\PIBBttzPNyc

2011-11-16 10:58 . 2011-11-16 11:39 -------- d-----w- c:\users\Matthew\AppData\Roaming\GhhYYXwwkU

2011-11-16 10:58 . 2011-11-16 10:58 -------- d-----w- c:\users\Matthew\AppData\Roaming\C0yyccS1ivD3nFa

2011-11-15 11:19 . 2011-11-15 11:23 -------- d-----w- c:\users\Matthew\AppData\Local\Microsoft Games

2011-11-14 09:46 . 2011-11-17 07:00 -------- d-----w- c:\users\Matthew\AppData\Local\ElevatedDiagnostics

2011-11-13 11:13 . 2011-10-18 09:28 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9BB7DD3D-4C06-49CC-B8D3-3908FDA7D245}\mpengine.dll

2011-11-13 07:18 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-10 06:08 . 2011-09-29 15:43 1285488 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-10 06:08 . 2011-10-01 04:43 708608 ----a-w- c:\program files\Common Files\System\wab32.dll

2011-11-10 06:08 . 2011-09-29 04:20 2339840 ----a-w- c:\windows\system32\win32k.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-29 05:13 . 2011-10-29 05:13 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-10-14 21:40 . 2011-06-30 06:49 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-03 04:32 . 2011-10-03 04:32 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll

2011-10-03 04:32 . 2011-10-03 04:32 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll

2011-10-03 04:32 . 2011-10-03 04:32 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll

2011-10-03 04:32 . 2011-10-03 04:32 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll

2011-09-16 07:46 . 2011-03-29 01:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2011-09-01 02:35 . 2011-10-14 17:30 1798144 ----a-w- c:\windows\system32\jscript9.dll

2011-09-01 02:28 . 2011-10-14 17:30 1126912 ----a-w- c:\windows\system32\wininet.dll

2011-09-01 02:22 . 2011-10-14 17:30 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-11-11 01:00 . 2011-05-03 04:33 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2008-12-24 1540288]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2011-11-14 10:27 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-04 1343400]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 45736]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\ild90rp5.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://sandiego.craigslist.org/search/sss?query=240sx&catAbb=cto&srchType=T&minAsk=&maxAsk=&hasPic=1

FF - prefs.js: network.proxy.type - 0

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-11-27 21:45:57

ComboFix-quarantined-files.txt 2011-11-28 05:45

ComboFix2.txt 2011-11-25 11:11

ComboFix3.txt 2011-11-22 11:26

ComboFix4.txt 2011-11-22 10:27

.

Pre-Run: 4,402,675,712 bytes free

Post-Run: 4,352,135,168 bytes free

.

- - End Of File - - 1461AC6FCF66C20B8FF2F04B5C6C1EBF

And the computer behaves perfectly fine. The only problem is that the internet doesn't work.


Here we go. Did it wrong in the last post haha.

Query Services version 2

...

[sC] QueryServiceConfig SUCCESS

SERVICE_NAME: dhcp

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : DHCP Client

DEPENDENCIES : NSI

: Tdx

: Afd

SERVICE_START_NAME : NT Authority\LocalService

SERVICE_NAME: dhcp

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 1 STOPPED

WIN32_EXIT_CODE : 1075 (0x433)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[sC] QueryServiceConfig SUCCESS

SERVICE_NAME: TCPIP

TYPE : 1 KERNEL_DRIVER

START_TYPE : 0 BOOT_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : \SystemRoot\System32\drivers\tcpip.sys

LOAD_ORDER_GROUP : PNP_TDI

TAG : 3

DISPLAY_NAME : TCP/IP Protocol Driver

DEPENDENCIES :

SERVICE_START_NAME :

SERVICE_NAME: TCPIP

TYPE : 1 KERNEL_DRIVER

STATE : 4 RUNNING

(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[sC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] EnumQueryServicesStatus:OpenService FAILED 1060:
The specified service does not exist as an installed service.

[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: NetBT
TYPE : 1 KERNEL_DRIVER
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : System32\DRIVERS\netbt.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 87
DISPLAY_NAME : NetBT
DEPENDENCIES : Tdx
: tcpip
SERVICE_START_NAME :

SERVICE_NAME: NetBT
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :

[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: NetBIOS
TYPE : 2 FILE_SYSTEM_DRIVER
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\netbios.sys
LOAD_ORDER_GROUP : NetBIOSGroup
TAG : 2
DISPLAY_NAME : NetBIOS Interface
DEPENDENCIES :
SERVICE_START_NAME :

SERVICE_NAME: NetBIOS
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :

[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Lmhosts
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper
DEPENDENCIES : NetBT
: Afd
SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: Lmhosts
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1075 (0x433)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :

[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Dnscache
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tdx
: nsi
SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: Dnscache
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1160
FLAGS :

[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: PolicyAgent
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IPsec Policy Agent
DEPENDENCIES : Tcpip
: bfe
SERVICE_START_NAME : NT Authority\NetworkService

SERVICE_NAME: PolicyAgent
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :

[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.

[SC] EnumQueryServicesStatus:OpenService FAILED 1060:
The specified service does not exist as an installed service.

[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: lanmanserver
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Server
DEPENDENCIES : SamSS
: Srv
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: lanmanserver
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1068 (0x42c)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :

[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.

[SC] EnumQueryServicesStatus:OpenService FAILED 1060:
The specified service does not exist as an installed service.

[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: RPCSS
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k rpcss
LOAD_ORDER_GROUP : COM Infrastructure
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC)
DEPENDENCIES : RpcEptMapper
: DcomLaunch
SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: RPCSS
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 756
FLAGS :

NetworkDetails2.txt

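One way to triage a dump like the one above, as an added example that is not part of the thread: a small parser for `sc qc` / `sc query` output that merges each service's config and status records, decodes the WIN32_EXIT_CODE values seen above (1068, 1075, 1077), and for dependency failures names the dependencies the dump has no record for, which are the names worth querying next. The SAMPLE text is a constructed excerpt in the log's style, not the posted NetworkDetails2.txt.

```python
import re
# Win32 codes sc.exe shows in WIN32_EXIT_CODE; 1068 and 1075 implicate a dependency.
WIN32_ERRORS = {1068: "dependency service or group failed to start",
                1075: "dependency service does not exist or has been marked for deletion",
                1077: "no attempts to start the service have been made since the last boot"}
FIELD_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")  # "KEY : value"
CONT_RE = re.compile(r"^\s*:\s*(\S+)\s*$")                  # extra DEPENDENCIES line

def parse_sc_dump(text):
    """Merge the `sc qc` and `sc query` blocks sharing a SERVICE_NAME into one record."""
    services, current, last_key = {}, None, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1) == "SERVICE_NAME":
            current, last_key = services.setdefault(m.group(2), {}), None
        elif m and current is not None:
            last_key = m.group(1)
            current[last_key] = m.group(2)
        elif last_key == "DEPENDENCIES" and (c := CONT_RE.match(line)):
            current["DEPENDENCIES"] += " " + c.group(1)   # sc lists extra deps on ": name" lines
    return services

def triage(text):
    """{name: finding} for each service STOPPED with a non-zero exit code; on a
    dependency error, also name the dependencies this dump has no record for."""
    services = parse_sc_dump(text)
    known = {n.lower() for n in services}
    findings = {}
    for name, rec in services.items():
        code = int(rec.get("WIN32_EXIT_CODE", "0").split()[0])
        if code and "STOPPED" in rec.get("STATE", ""):
            note = WIN32_ERRORS.get(code, f"win32 error {code}")
            if code in (1068, 1075):
                unchecked = [d for d in rec.get("DEPENDENCIES", "").split() if d.lower() not in known]
                note += "; check with `sc qc`: " + (", ".join(unchecked) or "(none)")
            findings[name] = note
    return findings

# Constructed excerpt in the style of the posted NetworkDetails log (not the real file).
SAMPLE = """[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: NetBT
        STATE              : 4  RUNNING
SERVICE_NAME: Lmhosts
        DEPENDENCIES       : NetBT
                           : Afd
SERVICE_NAME: Lmhosts
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1075  (0x433)
"""
```

Against the full log, `triage(open("NetworkDetails2.txt").read())` flags Lmhosts, PolicyAgent and lanmanserver; the `[SC] OpenService FAILED 1060` blocks do not name the service, so they are left for the reader to match against the query list.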

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    ipsec.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

SystemLook 30.07.11 by jpshortstuff

Log created at 17:17 on 28/11/2011 by Matthew

Administrator - Elevation successful

========== filefind ==========

Searching for "ipsec.sys"

No files found.

-= EOF =-


Are you showing Hidden Files and Folders?

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.


Let's try just ipsec

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    ipsec


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
