Can't connect to Internet after Combofix


Hello,

I used Combofix to remove a rootkit from my other PC, which seemed to work. However, now I cannot reconnect to the internet, despite trying to right-click the network icon and click Repair. Any help would be greatly appreciated. Here is my Combofix log:

ComboFix 11-12-10.01 - Jason Truong 12/10/2011 23:00:22.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.677 [GMT -5:00]

Running from: c:\documents and settings\Jason Truong\Desktop\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Jason Truong\Application Data\Desktopicon

c:\documents and settings\Jason Truong\Application Data\Desktopicon\eBay.ico

c:\documents and settings\Jason Truong\Application Data\Desktopicon\uninst.exe

c:\documents and settings\Jason Truong\g2mdlhlpx.exe

c:\documents and settings\Jason Truong\Local Settings\Temporary Internet Files\enebisyz.dll

c:\documents and settings\Jason Truong\Local Settings\Temporary Internet Files\igonu._dl

c:\documents and settings\Jason Truong\Local Settings\Temporary Internet Files\udixaxasym.dl

c:\documents and settings\Jason Truong\Local Settings\Temporary Internet Files\ugarof.lib

c:\documents and settings\Jason Truong\WINDOWS

c:\documents and settings\Jason Truong\WoW-2.1.3.6898-to-0.2.0.6932-enUS-patch.exe

c:\recycler\k-1-3542-4232123213-7676767-8888886

c:\windows\$NtUninstallKB20452$\3505168136\@

c:\windows\$NtUninstallKB20452$\3505168136\bckfg.tmp

c:\windows\$NtUninstallKB20452$\3505168136\cfg.ini

c:\windows\$NtUninstallKB20452$\3505168136\Desktop.ini

c:\windows\$NtUninstallKB20452$\3505168136\keywords

c:\windows\$NtUninstallKB20452$\3505168136\kwrd.dll

c:\windows\$NtUninstallKB20452$\3505168136\L\pdmzmplg

c:\windows\$NtUninstallKB20452$\3505168136\lsflt7.ver

c:\windows\$NtUninstallKB20452$\3505168136\U\00000001.@

c:\windows\$NtUninstallKB20452$\3505168136\U\00000002.@

c:\windows\$NtUninstallKB20452$\3505168136\U\00000004.@

c:\windows\$NtUninstallKB20452$\3505168136\U\80000000.@

c:\windows\$NtUninstallKB20452$\3505168136\U\80000004.@

c:\windows\$NtUninstallKB20452$\3505168136\U\80000032.@

c:\windows\$NtUninstallKB20452$\984829057

c:\windows\CSC\d6

c:\windows\emap.scr

c:\windows\kb913800.exe

c:\windows\system32\Settings

c:\windows\system32\Settings\Settings.ini

c:\windows\$NtUninstallKB20452$ . . . . Failed to delete

.

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

.

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-11-11 to 2011-12-11 )))))))))))))))))))))))))))))))

.

.

2011-12-11 04:15 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2011-12-11 01:23 . 2002-02-27 19:12 2600 ----a-w- C:\xp_exe_fix.reg

2011-12-11 01:21 . 2011-12-11 01:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-12-11 00:09 . 2011-12-11 00:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2011-11-20 23:35 . 2011-11-20 23:35 -------- d-----w- c:\program files\iPod

2011-11-20 23:35 . 2011-11-20 23:36 -------- d-----w- c:\program files\iTunes

2011-11-20 23:30 . 2011-11-20 23:30 -------- d-----w- c:\program files\Bonjour

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts

2008-10-20 01:33 . 2008-10-20 01:33 12120 ----a-w- c:\program files\Common Files\imax.bin

2008-10-20 01:33 . 2008-10-20 01:33 10792 ----a-w- c:\program files\Common Files\narupeluj.bat

2008-10-20 01:15 . 2008-10-20 01:15 11700 ----a-w- c:\program files\Common Files\menuba.vbs

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2011-11-11 05:12 . 2011-03-27 14:19 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-10-15 . 63999D0ABD8DABFD76A9C07F6E104868 . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll

[7] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll

[-] 2005-03-10 . C29A5286E64D97385178452D5F307B98 . 295424 . . [5.1.2600.2627] . . c:\windows\$NtServicePackUninstall$\termsrv.dll

[-] 2004-08-10 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB895961$\termsrv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-05-30 3050392]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]

"SigmatelSysTrayApp"="stsystra.exe" [2005-11-17 397312]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]

.

c:\documents and settings\Jason Truong\Start Menu\Programs\Startup\

Registration Heroes of Might & Magic 5.LNK - c:\program files\Ubisoft\Heroes of Might and Magic V Collector Edition\registration\RegistrationReminder.exe [N/A]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-9-5 1466384]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-23 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\winagens32.exe"=

"c:\\Program Files\\BitLord\\BitLord.exe"=

"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\AIM7\\aim.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"6112:TCP"= 6112:TCP:Blizzard Downloader

"3724:TCP"= 3724:TCP:Blizzard Downloader

"56798:TCP"= 56798:TCP:Pando Media Booster

"56798:UDP"= 56798:UDP:Pando Media Booster

"58603:TCP"= 58603:TCP:Pando Media Booster

"58603:UDP"= 58603:UDP:Pando Media Booster

"57385:TCP"= 57385:TCP:Pando Media Booster

"57385:UDP"= 57385:UDP:Pando Media Booster

"57960:TCP"= 57960:TCP:Pando Media Booster

"57960:UDP"= 57960:UDP:Pando Media Booster

.

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/1/2006 9:29 PM 721904]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/2/2009 9:38 AM 366152]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/27/2007 12:11 AM 24652]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/2/2009 9:38 AM 22216]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2011 7:30 PM 136176]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2011 7:30 PM 136176]

S3 LiveTurbineMessageService;Turbine Message Service - Live;"c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe" --> c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [?]

S3 LiveTurbineNetworkService;Turbine Network Service - Live;"c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe" --> c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [?]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys --> c:\windows\system32\XDva037.sys [?]

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]

.

2011-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-06 00:30]

.

2011-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-06 00:30]

.

2011-12-06 c:\windows\Tasks\Norton Security Scan for Jason Truong.job

- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-13 15:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

IE: Free YouTube to MP3 Converter - c:\documents and settings\Jason Truong\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm

Trusted Zone: musicmatch.com\online

TCP: Interfaces\{6103D6B9-5760-4CAC-B5CA-FC42E5BE6627}: NameServer = 195.62.37.19,192.168.1.1

DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB

FF - ProfilePath - c:\documents and settings\Jason Truong\Application Data\Mozilla\Firefox\Profiles\9nld7l6g.default\

FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=09-05-2010&tb_mrud=09-05-2010

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.gmail.com

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=100000000000000002&tb_oid=09-05-2010&tb_mrud=09-05-2010&query=

FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe

HKLM-Run-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe

AddRemove-62289540-dc30-11dc-95ff-0800200c9a66_is1 - c:\program files\Turbine\Turbine Download Manager\UninstallTDM.exe

AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe

AddRemove-EAX Unified (SHELL) - c:\program files\Creative Labs\EAX Unified (SHELL)\Uninst.isu

AddRemove-eBay Icon - c:\documents and settings\Jason Truong\Application Data\Desktopicon\uninst.exe

AddRemove-Heroes of Might and Magic II - c:\program files\Heroes2\DeIsL1.isu

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\program files\DivX\ConverterUninstall.exe

AddRemove-{B13A7C41581B411290FBC0395694E2A9} - c:\program files\DivX\ConverterUninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-10 23:20

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2355040189-2138677896-3045065138-1005\Software\Microsoft\Driver Signing]

@Denied: (2) (Administrators)

@Allowed: (2) (Administrators)

"Policy"=dword:00000000

.

[HKEY_USERS\S-1-5-21-2355040189-2138677896-3045065138-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0A984A83-CC49-1910-4BFA-AC623461056E}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"oaidhdjeplilinafcbemmhbpdmmkah"=hex:64,61,69,6e,65,68,66,66,00,85

"oaecfmfoenhfdbjlnoombjnpmgfeii"=hex:6a,61,69,6e,67,66,6b,6b,66,64,6c,6b,67,65,

62,6c,63,69,66,67,00,02

"nakdndkcdijkiefgjbejjahaebed"=hex:6a,61,69,6e,67,66,6b,6b,66,64,6c,6b,67,65,

62,6c,63,69,66,67,00,02

.

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]

@Denied: (2) (Administrators)

"Policy"=hex:00,00,00,00

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(880)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(3816)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\stsystra.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\dllhost.exe

c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\windows\eHome\ehmsas.exe

.

**************************************************************************

.

Completion time: 2011-12-10 23:26:02 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-11 04:25

.

Pre-Run: 9,721,253,888 bytes free

Post-Run: 10,547,294,208 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - C80F0F5F6EC777530250B0BE56840C34
