Browser Hijacked and Also Not Yet Virus Free


48 replies to this topic

#1 JoeFixes


Posted 12 January 2012 - 08:36 AM

Good Morning All,

As manager of a small network of computers at my business, occasionally one or two of them get infected. This computer is in my warehouse. It was very badly infected yesterday, to the point where we could not work. I ran MalwareBytes and it found 20 infected files, but I still have a virus I'm sure and also my URLs are still being redirected.

I cannot seem to locate the MBAM log that was created after I did the scan yesterday, but below is a fresh HijackThis Log.

I can run a new MalwareBytes Scan to produce a log. I will do that next.

Thanks for your help in advance.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:30:12 AM, on 1/12/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe
C:\Program Files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\FedEx\ShipManager\BIN\AdminService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM7\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\FedEx\ShipManager\BIN\FedEx.Gsm.Cafe.ApplicationEngine.Gui.exe
C:\Program Files\FedEx\ShipManager\BIN\ShipEngineService.exe
C:\Program Files\FedEx\ShipManager\BIN\TransEngineService.exe
C:\Program Files\FedEx\ShipManager\Bin\ReportProcessing.exe
C:\Program Files\FedEx\Integration\Assistant\IASE.exe
C:\UPS\WSTD\WorldShipTD.exe
C:\UPS\WSTD\upslnkmg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRA~1\FEDEX\SHIPMA~1\BIN\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRA~1\FEDEX\SHIPMA~1\BIN\IPClient.exe" -l
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM7\aim.exe" /d locale=en-US
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.1.115...layerWeb11g.ocx
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = multibrands.local
O17 - HKLM\Software\..\Telephony: DomainName = multibrands.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{753C7936-07DE-4E05-B32F-9BC662E4E35C}: NameServer = 192.168.1.10,4.2.2.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = multibrands.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = multibrands.local
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: FedEx Administration Service (FedExAdminService) - Unknown owner - C:\Program Files\FedEx\ShipManager\BIN\AdminService.exe
O23 - Service: FedEx Logging Service (FedExLoggingService) - FedEx Corporation - C:\Program Files\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe
O23 - Service: FedEx Shipnet Database Service (FedExShipnetDBService) - iAnywhere Solutions, Inc. - C:\Program Files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe
O23 - Service: FedEx Shipping Engine (FedExShipService) - FedEx Corporation - C:\Program Files\FedEx\ShipManager\BIN\ShipEngineService.exe
O23 - Service: FedEx Transaction Engine (FedExTransactionService) - FedEx Corporation - C:\Program Files\FedEx\ShipManager\BIN\TransEngineService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 10006 bytes

JoeFixes
JoeFixes
(But only if its Broke)

#2 JoeFixes


Posted 12 January 2012 - 12:26 PM

I found my Malwarebytes logs. I am pasting 2 of them here now. One is from yesterday and the second one is one I ran just this morning:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.11.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
warehouse :: WAREHOUSE3 [administrator]

1/11/2012 1:28:52 PM
mbam-log-2012-01-11 (13-28-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 239896
Time elapsed: 38 minute(s), 23 second(s)

Memory Processes Detected: 1
C:\Documents and Settings\warehouse\Local Settings\Application Data\ygy.exe (Trojan.FakeMS) -> 2080 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 6
HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (Adware.Minibug) -> Quarantined and deleted successfully.
HKCR\TypeLib\{3C2D2A1E-031F-4397-9614-87C932A848E0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKCR\Interface\{04A38F6B-006F-4247-BA4C-02A139D5531C} (Adware.Minibug) -> Quarantined and deleted successfully.
HKCR\MiniBugTransporter.MiniBugTransporterX.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKCR\MiniBugTransporter.MiniBugTransporterX (Adware.Minibug) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSA (Adware.TargetSaver) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCR\.exe\shell\open\command| (Hijack.ExeFile) -> Data: "C:\Documents and Settings\warehouse\Local Settings\Application Data\ygy.exe" -a "%1" %* -> Quarantined and deleted successfully.

Registry Data Items Detected: 7
HKCR\.exe| (PUM.HijackExefiles) -> Bad: (oE) Good: (exefile) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\warehouse\Local Settings\Application Data\ygy.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\warehouse\Local Settings\Application Data\ygy.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\warehouse\Local Settings\Application Data\ygy.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Documents and Settings\warehouse\Local Settings\Application Data\ygy.exe (Trojan.FakeMS) -> Delete on reboot.
C:\Documents and Settings\Joe\Local Settings\Temp\tsinstall_4_0_3_1.exe (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joe\Local Settings\Temp\tsupdate_4_0_3_2.exe (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joe\Local Settings\Temp\tsupdate_4_0_3_3_C9.exe (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joe\Local Settings\Temp\tsupdate_4_0_3_4.exe (Adware.TargetSaver) -> Quarantined and deleted successfully.

(end)

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.12.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
warehouse :: WAREHOUSE3 [administrator]

1/12/2012 8:36:54 AM
mbam-log-2012-01-12 (08-36-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 252386
Time elapsed: 1 hour(s), 18 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Thanks


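The first MBAM log above records a classic .exe association hijack: HKCR\.exe re-pointed from exefile to "oE", every executable launch wrapped through ygy.exe, the browsers' StartMenuInternet commands rewritten, and the three Security Center notification flags set to 1. The PowerShell script below is an added example (not code from this thread, from Malwarebytes or from the forum) that re-audits exactly those locations after a cleanup, so that a second scan coming back clean can be cross-checked; the function name Test-ExeHijack and the profile-path heuristic in step 4 are my own choices, and it assumes PowerShell 2.0 or later run as administrator.

```powershell
# Added example for this thread (not Malwarebytes or SWI code): re-check the
# registry locations the MBAM log reported as hijacked. Run as administrator;
# assumes PowerShell 2.0 or later (available on XP SP3 and every later Windows).

function Test-ExeHijack {
    $findings = @()

    # HKCR: is not mapped by default, so expose HKEY_CLASSES_ROOT as a drive.
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }

    # 1. HKCR\.exe must map to the 'exefile' class (MBAM found it pointing at 'oE').
    $exeClass = (Get-ItemProperty -Path 'HKCR:\.exe' -ErrorAction SilentlyContinue).'(default)'
    if ($exeClass -ne 'exefile') {
        $findings += "HKCR\.exe default is '$exeClass' (expected 'exefile')"
    }

    # 2. A shell\open\command directly under HKCR\.exe is not normal; the malware
    #    used it to wrap every .exe launch in ygy.exe -a "%1" %*.
    if (Test-Path 'HKCR:\.exe\shell\open\command') {
        $cmd = (Get-ItemProperty -Path 'HKCR:\.exe\shell\open\command').'(default)'
        $findings += "HKCR\.exe\shell\open\command exists: $cmd"
    }

    # 3. The real exefile launcher must be the bare "%1" %* (no wrapper program).
    $exeCmd = (Get-ItemProperty -Path 'HKCR:\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
    if ($exeCmd -ne '"%1" %*') {
        $findings += "exefile open command is '$exeCmd' (expected '""%1"" %*')"
    }

    # 4. StartMenuInternet open/safemode commands for each registered browser:
    #    flag any that launch through a user-profile or temp path, as in the log.
    #    (Heuristic chosen for this example; a full audit would whitelist paths.)
    $smiRoot = 'HKLM:\SOFTWARE\Clients\StartMenuInternet'
    foreach ($browser in (Get-ChildItem -Path $smiRoot -ErrorAction SilentlyContinue)) {
        foreach ($verb in 'open', 'safemode') {
            $key = "$smiRoot\$($browser.PSChildName)\shell\$verb\command"
            if (Test-Path $key) {
                $cmd = (Get-ItemProperty -Path $key).'(default)'
                if ($cmd -match 'Local Settings\\Application Data|AppData\\Local|\\Temp\\') {
                    $findings += "$($browser.PSChildName) $verb command uses a profile path: $cmd"
                }
            }
        }
    }

    # 5. Security Center *DisableNotify values of 1 silence the AV/firewall/update
    #    warnings; MBAM had to reset all three back to 0.
    $sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        if ($sc.$name -eq 1) {
            $findings += "Security Center $name = 1 (notifications suppressed)"
        }
    }

    return $findings
}

# Wrap in @() so an empty result still has a .Count on PowerShell 2.0.
$result = @(Test-ExeHijack)
if ($result.Count -eq 0) { 'No hijack indicators found.' } else { $result }
```

A non-empty result after a "clean" scan means the association or the notification flags were not actually restored and the machine should not be treated as cleaned.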

#3 jedi


Posted 13 January 2012 - 05:51 AM

Hi,

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#4 JoeFixes


Posted 13 January 2012 - 11:48 AM

Hi Jedi,

Thanks for your reply. I've been trying for the last 6 hours to run ComboFix successfully. The first 2 times I ran it, it found a rootkit infection but seemed to lock up. I keep an eye on the clock in the lower right hand corner and both times the clock didn't even progress even after more than an hour. So finally, I started up in SAFE MODE and ran COMBO FIX from there. It came up and said something along the idea of ROOT KIT INFECT ZEROACCESS FOUND IN IP STACK. THIS IS A PARTICULARLY NASTY INFECTION IF YOU HAVE TROUBLE GETTING BACK ON THE INTERNET AFTER COMBOFIX HAS COMPLETED, TRY REBOOTING THE COMPUTER.

Well anyway, it has been working now for almost 2 hours and it doesn't look like it is doing anything, but the clock is moving along so I know it hasn't locked up. Should I continue to let it sit until I get some kind of a response?



#5 JoeFixes

Posted 13 January 2012 - 05:00 PM

Hi Again Jedi,

Well I was in crisis mode there for a while. I waited and waited for 4 hours but combofix would not finish while in safe mode. I was in a pinch for time because we needed to use the computer for work related things. So I restarted the computer and discovered that I can no longer access not only the internet but also can no longer access any of my local network connections.

I had to remove the computer from the network and go through the effort of setting up a new computer in its place.

I am bringing the infected computer home with me and will work on it over the weekend. If you can give me any suggestions on how to deal with COMBOFIX when it seemingly doesn't seem to be doing anything I would greatly appreciate it.



#6 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • PipPipPipPipPip
  • 15,830 posts

Posted 14 January 2012 - 04:10 AM

Hi again,

OK, let's put Combofix to one side for a while.

Run these two tools; you will need to download them to a flash drive and transfer them to the infected PC.

McAfee Rootkit Remover
(Instructions to run are on the page)
The tool is designed to automatically save the report in the same folder as the tool is placed, please post that report here.
Next:
Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

  • If an infected file is detected, the default action will be Cure, click on Continue.



  • If a suspicious file is detected, the default action will be Skip, click on Continue.



  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.



  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Next, try to run Combofix again, if it locks up just copy the reports from the first two tools here, if it completes post the Combofix log as well.


#7 JoeFixes

Posted 14 January 2012 - 08:10 AM

Hi Jedi,

Thanks for your help. Ok. This is weird. I brought the infected computer home with me. I set it up last night and again tried to run COMBOFIX while in safe mode. Within the first 10-15 minutes it seemed to be progressing. It got to that blue screen that says, SCANNING USUALLY TAKES NO MORE THAN 10 MINUTES BUT BADLY INFECTED COMPUTERS CAN EASILY DOUBLE THAT. I let it stay there all night... 13 hours. It didn't move. By the way I've attached a screen shot of one of the error messages that COMBOFIX displayed for me.

So this morning when I saw your new post about McAfee and TDSS, I went to work right away. But the McAfee tool says no threats are found! I'm wondering, while I let COMBOFIX run all night, if it actually did some work? I'm running TDSS right now, I will let you know in a few minutes what that one says.

Thank you


#8 JoeFixes

Posted 14 January 2012 - 08:18 AM

Jedi,

Both TDSS & McAfee found nothing. I am trying to run COMBOFIX again in regular mode, but it doesn't seem to run in regular mode, so I'm going to start up again in SAFE MODE.

Here are the CLEAN logs from both McAfee and TDSS:

2012/01/14 07:58:34.0406 3008 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2012/01/14 07:58:34.0468 3008 ================================================================================
2012/01/14 07:58:34.0468 3008 SystemInfo:
2012/01/14 07:58:34.0468 3008
2012/01/14 07:58:34.0468 3008 OS Version: 5.1.2600 ServicePack: 3.0
2012/01/14 07:58:34.0468 3008 Product type: Workstation
2012/01/14 07:58:34.0468 3008 ComputerName: WAREHOUSE3
2012/01/14 07:58:34.0468 3008 UserName: warehouse
2012/01/14 07:58:34.0468 3008 Windows directory: C:\WINDOWS
2012/01/14 07:58:34.0468 3008 System windows directory: C:\WINDOWS
2012/01/14 07:58:34.0468 3008 Processor architecture: Intel x86
2012/01/14 07:58:34.0468 3008 Number of processors: 1
2012/01/14 07:58:34.0468 3008 Page size: 0x1000
2012/01/14 07:58:34.0468 3008 Boot type: Normal boot
2012/01/14 07:58:34.0468 3008 ================================================================================
2012/01/14 07:58:34.0828 3008 Initialize success
2012/01/14 07:58:38.0421 3064 ================================================================================
2012/01/14 07:58:38.0421 3064 Scan started
2012/01/14 07:58:38.0421 3064 Mode: Manual;
2012/01/14 07:58:38.0421 3064 ================================================================================
2012/01/14 07:58:59.0968 3064 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2012/01/14 07:59:00.0250 3064 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2012/01/14 07:59:00.0437 3064 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2012/01/14 07:59:00.0656 3064 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2012/01/14 07:59:00.0843 3064 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2012/01/14 07:59:01.0046 3064 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2012/01/14 07:59:01.0265 3064 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2012/01/14 07:59:01.0484 3064 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2012/01/14 07:59:01.0750 3064 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2012/01/14 07:59:01.0921 3064 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2012/01/14 07:59:02.0140 3064 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2012/01/14 07:59:02.0328 3064 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2012/01/14 07:59:02.0593 3064 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2012/01/14 07:59:02.0765 3064 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2012/01/14 07:59:02.0953 3064 MxlW2k (19dd5c581eef70134ccef87d626f4417) C:\WINDOWS\system32\drivers\MxlW2k.sys
2012/01/14 07:59:03.0187 3064 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2012/01/14 07:59:03.0500 3064 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2012/01/14 07:59:03.0687 3064 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2012/01/14 07:59:03.0875 3064 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2012/01/14 07:59:04.0078 3064 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2012/01/14 07:59:04.0265 3064 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2012/01/14 07:59:04.0531 3064 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2012/01/14 07:59:04.0890 3064 NMSCFG (419f4d80fe7e34e2626c84b3c6035955) C:\WINDOWS\system32\drivers\NMSCFG.SYS
2012/01/14 07:59:05.0156 3064 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2012/01/14 07:59:05.0390 3064 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2012/01/14 07:59:05.0656 3064 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2012/01/14 07:59:05.0890 3064 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2012/01/14 07:59:06.0156 3064 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2012/01/14 07:59:06.0359 3064 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2012/01/14 07:59:06.0531 3064 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2012/01/14 07:59:06.0703 3064 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2012/01/14 07:59:06.0937 3064 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2012/01/14 07:59:07.0218 3064 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2012/01/14 07:59:07.0562 3064 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2012/01/14 07:59:07.0781 3064 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2012/01/14 07:59:08.0500 3064 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2012/01/14 07:59:08.0656 3064 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2012/01/14 07:59:08.0937 3064 PMEM (fa292805788528c083f416e151b60ab6) C:\WINDOWS\SYSTEM32\Drivers\PMEMNT.SYS
2012/01/14 07:59:09.0203 3064 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2012/01/14 07:59:09.0484 3064 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2012/01/14 07:59:09.0687 3064 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2012/01/14 07:59:09.0875 3064 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2012/01/14 07:59:10.0062 3064 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2012/01/14 07:59:10.0250 3064 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2012/01/14 07:59:10.0453 3064 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2012/01/14 07:59:10.0640 3064 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2012/01/14 07:59:10.0828 3064 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2012/01/14 07:59:11.0015 3064 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2012/01/14 07:59:11.0234 3064 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2012/01/14 07:59:11.0484 3064 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2012/01/14 07:59:11.0781 3064 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2012/01/14 07:59:11.0968 3064 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2012/01/14 07:59:12.0187 3064 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2012/01/14 07:59:12.0421 3064 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2012/01/14 07:59:12.0609 3064 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2012/01/14 07:59:12.0796 3064 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2012/01/14 07:59:13.0156 3064 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2012/01/14 07:59:13.0390 3064 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2012/01/14 07:59:13.0578 3064 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2012/01/14 07:59:13.0859 3064 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2012/01/14 07:59:14.0234 3064 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2012/01/14 07:59:14.0468 3064 smwdm (675c3c4d6da71e6be31548150521b561) C:\WINDOWS\system32\drivers\smwdm.sys
2012/01/14 07:59:14.0718 3064 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2012/01/14 07:59:14.0906 3064 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2012/01/14 07:59:15.0187 3064 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2012/01/14 07:59:15.0406 3064 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2012/01/14 07:59:15.0671 3064 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2012/01/14 07:59:15.0859 3064 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2012/01/14 07:59:16.0093 3064 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2012/01/14 07:59:16.0328 3064 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2012/01/14 07:59:16.0546 3064 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2012/01/14 07:59:16.0750 3064 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2012/01/14 07:59:16.0906 3064 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2012/01/14 07:59:17.0140 3064 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2012/01/14 07:59:17.0375 3064 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2012/01/14 07:59:17.0562 3064 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2012/01/14 07:59:17.0781 3064 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2012/01/14 07:59:18.0031 3064 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2012/01/14 07:59:18.0328 3064 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2012/01/14 07:59:18.0546 3064 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2012/01/14 07:59:18.0812 3064 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2012/01/14 07:59:19.0046 3064 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2012/01/14 07:59:19.0250 3064 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2012/01/14 07:59:19.0437 3064 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2012/01/14 07:59:19.0625 3064 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2012/01/14 07:59:19.0796 3064 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2012/01/14 07:59:20.0015 3064 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2012/01/14 07:59:20.0203 3064 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2012/01/14 07:59:20.0421 3064 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2012/01/14 07:59:20.0609 3064 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2012/01/14 07:59:20.0875 3064 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2012/01/14 07:59:21.0062 3064 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2012/01/14 07:59:21.0328 3064 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2012/01/14 07:59:21.0703 3064 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2012/01/14 07:59:21.0937 3064 winachsf (350fd3019c4778b00ff5c8de7f441ec4) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2012/01/14 07:59:22.0343 3064 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2012/01/14 07:59:22.0546 3064 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2012/01/14 07:59:22.0765 3064 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2012/01/14 07:59:23.0015 3064 {6080A529-897E-4629-A488-ABA0C29B635E} (02cea7fc83b48d59732dcaee910334fa) C:\WINDOWS\system32\drivers\ialmsbw.sys
2012/01/14 07:59:23.0250 3064 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (68547ea3ab2fbdbee8e6aca9640996b6) C:\WINDOWS\system32\drivers\ialmkchw.sys
2012/01/14 07:59:23.0437 3064 ================================================================================
2012/01/14 07:59:23.0437 3064 Scan finished
2012/01/14 07:59:23.0437 3064 ================================================================================



[TimeStamp: 20120114075629]

Rootkit Remover v0.8.1

McAfee Labs.

Initializing...

Initialization complete!

Now Scanning...

Scan Result --> No trojan or viruses found!

Scan Finished

Press any key to exit.
JoeFixes
(But only if its Broke)

#9 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 14 January 2012 - 08:30 AM

Jedi,

This screen is what I get from COMBOFIX. It sits here and I no longer notice any activity on the hard drive. I got this last night also before I let it sit for 13 hours. I don't think it will progress.

Posted Image


JoeFixes
JoeFixes
(But only if its Broke)

#10 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 14 January 2012 - 08:56 AM

Hi again,

OK, let's move on.

Go here:
http://public.avast....aswMBR.htm#fix0
and download aswMBR.
Transfer to the infected PC.
On the download page, follow the third set of instructions, How to fix ZeroAccess/Sirefef driver infection.

Let me know what it finds and post the log here.

Edit: Can you also check to see if Combofix produced a report at C:\ComboFix.txt.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#11 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 14 January 2012 - 09:57 PM

Hi Jedi,

Sorry for the delay....it was a busy day. I ran the aswMBR Scan. But it also did not find anything. Also, as of right now the computer is not hooked up to any form of wired or wireless access. So I can't even be sure if the internet is working or not. But here is the log anyway. Please let me know what you think I should try next. Thank you

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-14 21:31:08
-----------------------------
21:31:08.750 OS Version: Windows 5.1.2600 Service Pack 3
21:31:08.765 Number of processors: 1 586 0x207
21:31:08.765 ComputerName: WAREHOUSE3 UserName: jlopresti
21:31:10.109 Initialize success
21:31:10.453 AVAST engine defs: 12011201
21:31:19.984 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:31:19.984 Disk 0 Vendor: IC35L060AVV207-0 V22OA66A Size: 38162MB BusType: 3
21:31:20.015 Disk 0 MBR read successfully
21:31:20.015 Disk 0 MBR scan
21:31:20.015 Disk 0 unknown MBR code
21:31:20.031 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 36067 MB offset 63
21:31:20.046 Disk 0 Partition 2 00 1C Hidd FAT32 LBA MSWIN4.1 2094 MB offset 73866870
21:31:20.062 Disk 0 scanning sectors +78156225
21:31:20.109 Disk 0 scanning C:\WINDOWS\system32\drivers
21:31:39.203 Service scanning
21:31:40.937 Modules scanning
21:32:08.968 Disk 0 trace - called modules:
21:32:09.000 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:32:09.515 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f8aab8]
21:32:09.515 3 CLASSPNP.SYS[f75d6fd7] -> nt!IofCallDriver -> \Device\00000092[0x86fc61a8]
21:32:09.531 5 ACPI.sys[f74cd620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86fa7d98]
21:32:10.062 AVAST engine scan C:\WINDOWS
21:32:51.078 AVAST engine scan C:\WINDOWS\system32
21:36:17.437 AVAST engine scan C:\WINDOWS\system32\drivers
21:36:43.453 AVAST engine scan C:\Documents and Settings\jlopresti
21:36:49.625 AVAST engine scan C:\Documents and Settings\All Users
21:46:23.953 Scan finished successfully
21:51:53.265 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\jlopresti\My Documents\MBR.dat"
21:51:53.281 The log file has been saved successfully to "C:\Documents and Settings\jlopresti\My Documents\aswMBR.txt"
JoeFixes
(But only if its Broke)

#12 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 14 January 2012 - 10:55 PM

Jedi,

I tried connecting the infected computer to my home network but it will not connect. Something is still in there preventing connection to the internet. I am continuing to try the various tools you have suggested in hopes of some success. I am hoping I can get this computer back online for Monday morning. I will wait to hear from you.

JoeFixes
JoeFixes
(But only if its Broke)

#13 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • PipPipPipPipPip
  • 15,830 posts

Posted 15 January 2012 - 08:14 AM

Hi again,

Run aswMBR again, and this time, when the scan has run, click on FixMBR and allow the program to run. Then reboot and scan again with aswMBR and post the log here.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#14 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 15 January 2012 - 09:17 AM

Good Morning Jedi,

I'll admit I'm starting to feel a bit useless. Nothing I am doing seems to be working. I started up aswMBR again (not in Safe Mode...just regular) and I ran the FixMBR, to which it responded it was repaired successfully. I then rebooted and ran the SCAN again. Here is that log:

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-14 21:31:08
-----------------------------
21:31:08.750 OS Version: Windows 5.1.2600 Service Pack 3
21:31:08.765 Number of processors: 1 586 0x207
21:31:08.765 ComputerName: WAREHOUSE3 UserName: jlopresti
21:31:10.109 Initialize success
21:31:10.453 AVAST engine defs: 12011201
21:31:19.984 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:31:19.984 Disk 0 Vendor: IC35L060AVV207-0 V22OA66A Size: 38162MB BusType: 3
21:31:20.015 Disk 0 MBR read successfully
21:31:20.015 Disk 0 MBR scan
21:31:20.015 Disk 0 unknown MBR code
21:31:20.031 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 36067 MB offset 63
21:31:20.046 Disk 0 Partition 2 00 1C Hidd FAT32 LBA MSWIN4.1 2094 MB offset 73866870
21:31:20.062 Disk 0 scanning sectors +78156225
21:31:20.109 Disk 0 scanning C:\WINDOWS\system32\drivers
21:31:39.203 Service scanning
21:31:40.937 Modules scanning
21:32:08.968 Disk 0 trace - called modules:
21:32:09.000 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:32:09.515 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f8aab8]
21:32:09.515 3 CLASSPNP.SYS[f75d6fd7] -> nt!IofCallDriver -> \Device\00000092[0x86fc61a8]
21:32:09.531 5 ACPI.sys[f74cd620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86fa7d98]
21:32:10.062 AVAST engine scan C:\WINDOWS
21:32:51.078 AVAST engine scan C:\WINDOWS\system32
21:36:17.437 AVAST engine scan C:\WINDOWS\system32\drivers
21:36:43.453 AVAST engine scan C:\Documents and Settings\jlopresti
21:36:49.625 AVAST engine scan C:\Documents and Settings\All Users
21:46:23.953 Scan finished successfully
21:51:53.265 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\jlopresti\My Documents\MBR.dat"
21:51:53.281 The log file has been saved successfully to "C:\Documents and Settings\jlopresti\My Documents\aswMBR.txt"


aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-15 08:53:54
-----------------------------
08:53:54.328 OS Version: Windows 5.1.2600 Service Pack 3
08:53:54.328 Number of processors: 1 586 0x207
08:53:54.328 ComputerName: WAREHOUSE3 UserName:
08:53:55.765 Initialize success
08:53:56.156 AVAST engine defs: 12011201
08:54:12.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
08:54:12.062 Disk 0 Vendor: IC35L060AVV207-0 V22OA66A Size: 38162MB BusType: 3
08:54:12.078 Disk 0 MBR read successfully
08:54:12.078 Disk 0 MBR scan
08:54:12.093 Disk 0 Windows XP default MBR code
08:54:12.093 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 36067 MB offset 63
08:54:12.125 Disk 0 Partition 2 00 1C Hidd FAT32 LBA MSWIN4.1 2094 MB offset 73866870
08:54:12.125 Disk 0 scanning sectors +78156225
08:54:12.187 Disk 0 scanning C:\WINDOWS\system32\drivers
08:54:35.453 Service scanning
08:54:38.546 Modules scanning
08:55:07.906 Disk 0 trace - called modules:
08:55:07.921 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
08:55:08.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b68ab8]
08:55:08.453 3 CLASSPNP.SYS[f7596fd7] -> nt!IofCallDriver -> \Device\00000092[0x86bc61b0]
08:55:08.468 5 ACPI.sys[f748d620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86ba7d98]
08:55:08.984 AVAST engine scan C:\WINDOWS
08:55:52.843 AVAST engine scan C:\WINDOWS\system32
09:00:34.921 AVAST engine scan C:\WINDOWS\system32\drivers
09:01:01.000 AVAST engine scan C:\Documents and Settings\Administrator.WAREHOUSE3.001
09:01:07.187 AVAST engine scan C:\Documents and Settings\All Users
09:10:51.875 Scan finished successfully
09:11:16.890 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
09:11:16.937 The log file has been saved successfully to "E:\aswMBR.txt"


The "E" drive is my flash drive that I am using to transfer the files and programs.

Why is it that Combofix is the only program that seems to recognize the problem, but it is also the only program that will not finish successfully. Maybe that is no coincidence.

I'm glad to follow any suggestions.

JoeFixes
JoeFixes
(But only if its Broke)

#15 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 15 January 2012 - 10:05 AM

Hi again,

It might not look like we're getting anywhere, but we are. Note the difference between the last two logs:

#1 Disk 0 unknown MBR code
and
#2 Disk 0 Windows XP default MBR code

This infection writes to and infects the Master Boot Record, aswMBR reports that is fixed.

In Internet Explorer go to Tools => Internet Options => Connections Tab => LAN Settings and uncheck Use a proxy server and check Automatically detect settings.

In Firefox in Tools Menu => Options... => Advanced Tab => Network Tab => Connection => Settings. Select the Auto-detect proxy settings for this network option.

Next:

In the command box type netsh Winsock reset and hit Enter.

Reboot.

Bring up the command box again and type ipconfig /flushdns and hit Enter.

Reboot.

Bring up the command box again and type ipconfig /renew and hit Enter.

When you have done the above reboot and see if you have internet access.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.
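
An added example, not code from this thread or from AVAST: the comparison jedi draws above between the two aswMBR runs (unknown MBR code before FixMBR, Windows XP default MBR code after) can be made mechanical. The script below parses the Disk/Partition lines of two aswMBR logs, classifies the MBR status, and checks that the fix touched only the boot code and left the partition table as it was. The two sample logs are trimmed copies of the runs posted in this thread; the status wordings it recognises beyond those two values ("... default MBR code" as clean, anything containing "infected" as a positive hit) are assumptions about aswMBR's output. One caveat worth keeping in mind: "unknown MBR code" by itself is not proof of infection, since OEM recovery tools and third-party boot managers also install non-Microsoft boot code. The evidence here is the change after FixMBR with the partition table unchanged.

```python
"""Compare two aswMBR logs (before / after FixMBR) and report what changed.

Added example for this thread, not part of aswMBR. The status wordings other
than "unknown MBR code" and "Windows XP default MBR code" are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed samples: the Disk/Partition lines of the two runs posted above,
# with the engine-scan lines trimmed.
BEFORE_LOG = """\
aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-14 21:31:08
21:31:20.015 Disk 0 MBR read successfully
21:31:20.015 Disk 0 MBR scan
21:31:20.015 Disk 0 unknown MBR code
21:31:20.031 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 36067 MB offset 63
21:31:20.046 Disk 0 Partition 2 00 1C Hidd FAT32 LBA MSWIN4.1 2094 MB offset 73866870
21:46:23.953 Scan finished successfully
"""

AFTER_LOG = """\
aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-15 08:53:54
08:54:12.078 Disk 0 MBR read successfully
08:54:12.078 Disk 0 MBR scan
08:54:12.093 Disk 0 Windows XP default MBR code
08:54:12.093 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 36067 MB offset 63
08:54:12.125 Disk 0 Partition 2 00 1C Hidd FAT32 LBA MSWIN4.1 2094 MB offset 73866870
09:10:51.875 Scan finished successfully
"""

TIMESTAMP_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
MBR_STATUS_RE = re.compile(r"^Disk (\d+) (.+ MBR code)$")
# e.g. "Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 36067 MB offset 63"
PARTITION_RE = re.compile(
    r"^Disk (\d+) Partition (\d+) ([0-9A-Fa-f]{2})(?: \(A\))? ([0-9A-Fa-f]{2}) "
    r".+? (\d+) MB offset (\d+)$"
)


@dataclass
class Partition:
    number: int
    boot_flag: str   # "80" = active (bootable), "00" = inactive
    type_id: str     # partition type byte: 07 = NTFS, 1C = hidden FAT32 LBA
    size_mb: int
    offset: int      # first sector (LBA); 63 is the classic XP layout


@dataclass
class DiskReport:
    status: Optional[str] = None          # the "... MBR code" line, if present
    partitions: List[Partition] = field(default_factory=list)


def parse_log(text: str) -> Dict[int, DiskReport]:
    """Pull the per-disk MBR status and partition table out of one aswMBR log."""
    disks: Dict[int, DiskReport] = {}
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw.strip())   # drop the HH:MM:SS.mmm prefix
        m = MBR_STATUS_RE.match(line)
        if m:
            disks.setdefault(int(m.group(1)), DiskReport()).status = m.group(2)
            continue
        m = PARTITION_RE.match(line)
        if m:
            disk, num, flag, ptype, size, offset = m.groups()
            disks.setdefault(int(disk), DiskReport()).partitions.append(
                Partition(int(num), flag.upper(), ptype.upper(), int(size), int(offset))
            )
    return disks


def classify_mbr(status: Optional[str]) -> str:
    """Map aswMBR's MBR status line to clean / suspicious / infected / unreported."""
    if status is None:
        return "unreported"
    s = status.lower()
    if "infected" in s or "rootkit" in s:        # assumed wording for a positive hit
        return "infected"
    if "default mbr code" in s:                  # e.g. "Windows XP default MBR code"
        return "clean"
    return "suspicious"                          # "unknown MBR code": non-Microsoft boot code


def compare_runs(before_text: str, after_text: str) -> List[str]:
    """Findings from two runs on the same machine, e.g. before and after FixMBR."""
    findings: List[str] = []
    before, after = parse_log(before_text), parse_log(after_text)
    for disk in sorted(set(before) | set(after)):
        b, a = before.get(disk), after.get(disk)
        if b is None or a is None:
            findings.append(f"disk {disk}: present in only one of the two logs")
            continue
        bc, ac = classify_mbr(b.status), classify_mbr(a.status)
        if bc != ac:
            findings.append(f"disk {disk}: MBR code {bc} -> {ac} ({b.status!r} -> {a.status!r})")
        else:
            findings.append(f"disk {disk}: MBR code still {ac} ({a.status!r})")
        # FixMBR is meant to rewrite only the boot code; the partition table must be
        # identical afterwards, or the disk needs a closer look before it is trusted.
        if b.partitions != a.partitions:
            findings.append(f"disk {disk}: PARTITION TABLE CHANGED, do not trust the fix yet")
    return findings


if __name__ == "__main__":
    for line in compare_runs(BEFORE_LOG, AFTER_LOG):
        print(line)
```

Run it against the two saved aswMBR.txt files and it prints one line per disk; on the logs above it reports the transition from suspicious to clean with the partition table intact, which is exactly the observation jedi makes. If it ever reports a partition-table change, stop and image the disk before running any further fixers.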

#16 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 15 January 2012 - 10:25 AM

Hi Jedi,

Thanks for the reassurances. I started out all right but came across a problem with the /dnsflush switch. Please see below:

Posted Image

is there a way around this?

JoeFixes
JoeFixes
(But only if its Broke)

#17 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 15 January 2012 - 11:18 AM

Hi again,

Bring up the command box again and type

Netsh winsock reset (Press Enter)
Netsh winsock catalog reset (Press Enter)
Netsh init ip reset (Press Enter)
Netsh flush dns (Press Enter)

Can you run those commands?

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#18 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 15 January 2012 - 08:13 PM

Hi Jedi,

Again, sorry for the delay. I'm not having a lot of luck with these commands. Please see the attached photo:

Posted Image

Is there another way I can do this?


JoeFixes
JoeFixes
(But only if its Broke)

#19 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 16 January 2012 - 06:28 AM

Hi again,

There's a tool I use which is sometimes successful:
http://www.tweaking....all_in_one.html
Download installer and install on the infected PC.

Open the program, go to step 4 and create a restore point, then go to step 5, choose custom mode, click unselect all then select:
Reset Registry Permissions
Reset File Permissions
Register System files
Remove policies set by infections
Repair Winsock & DNS Cache
Repair Proxy Settings
Set Windows Services to Default Startup

Click Start and allow the program to run.

Reboot and try the internet.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#20 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 16 January 2012 - 08:59 AM

Hi Jedi,

Ok. Back in the office, but I will take the computer with me wherever I need to be. No luck yet. I did run that program and still am not able to get back online.

By the way, is the rootkit virus gone? Things seem to be running okay other than not being able to get online.

JoeFixes
JoeFixes
(But only if its Broke)

#21 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 17 January 2012 - 06:39 AM

Hi again,

By the way, is the rootkit virus gone?

I'm assuming so, there's no sign of it, but we'll know for sure when you get back on-line.

Can you check Control Panel > Network Connections and see if your connection is showing, and what its status is? (Right-click and select Properties)

Also, can you post a new DDS log?

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#22 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 17 January 2012 - 09:34 AM

Good Morning Jedi,

Just wanted to say thank you again for sticking with me. We are getting into an area I know very little about and I am relying on your extensive knowledge.

You were right to check for the network connection. It's not there at all. Which would explain a lot. The trouble is, I don't know how to go about rebuilding the network connection. We are on a Windows Server network with a local domain. I could get the IP addresses from another computer on the network. If you can direct me as to how to get started, I am sure we can do it together. I ran another TDSS log, I think that's the one you wanted....am I right?

2012/01/17 09:23:32.0453 2668 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2012/01/17 09:23:32.0578 2668 ================================================================================
2012/01/17 09:23:32.0578 2668 SystemInfo:
2012/01/17 09:23:32.0578 2668
2012/01/17 09:23:32.0578 2668 OS Version: 5.1.2600 ServicePack: 3.0
2012/01/17 09:23:32.0578 2668 Product type: Workstation
2012/01/17 09:23:32.0578 2668 ComputerName: WAREHOUSE3
2012/01/17 09:23:32.0578 2668 UserName: warehouse
2012/01/17 09:23:32.0578 2668 Windows directory: C:\WINDOWS
2012/01/17 09:23:32.0578 2668 System windows directory: C:\WINDOWS
2012/01/17 09:23:32.0578 2668 Processor architecture: Intel x86
2012/01/17 09:23:32.0578 2668 Number of processors: 1
2012/01/17 09:23:32.0578 2668 Page size: 0x1000
2012/01/17 09:23:32.0578 2668 Boot type: Normal boot
2012/01/17 09:23:32.0578 2668 ================================================================================
2012/01/17 09:23:32.0859 2668 Initialize success
2012/01/17 09:23:35.0687 0904 ================================================================================
2012/01/17 09:23:35.0687 0904 Scan started
2012/01/17 09:23:35.0687 0904 Mode: Manual;
2012/01/17 09:23:35.0687 0904 ================================================================================
2012/01/17 09:23:36.0406 0904 Aavmker4 (b6de0336f9f4b687b4ff57939f7b657a) C:\WINDOWS\system32\drivers\Aavmker4.sys
2012/01/17 09:23:36.0750 0904 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2012/01/17 09:23:36.0921 0904 ac97intc (b6920ae5566c42f09df44e70388be78a) C:\WINDOWS\system32\drivers\ac97ich4.sys
2012/01/17 09:23:37.0156 0904 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2012/01/17 09:23:37.0343 0904 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2012/01/17 09:23:37.0515 0904 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2012/01/17 09:23:37.0703 0904 aeaudio (b2886807ac2543da273765cef4d82d68) C:\WINDOWS\system32\drivers\aeaudio.sys
2012/01/17 09:23:37.0890 0904 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2012/01/17 09:24:17.0890 0904 ================================================================================
2012/01/17 09:24:17.0890 0904 Scan finished
2012/01/17 09:24:17.0890 0904 ================================================================================



Thank you


JoeFixes
JoeFixes
(But only if its Broke)

#23 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • PipPipPipPip
  • 495 posts

Posted 17 January 2012 - 12:47 PM

Jedi....Hi again. Just a quick update.

I installed a current driver for the network adapter. After doing that, I pointed to our local domain and also used the correct IP addresses for our preferred DNS server. I've pretty much mirrored a well-working local machine. But I still cannot get online. Should I try those netsh commands again maybe?


JoeFixes

#24 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • PipPipPipPipPip
  • 15,830 posts

Posted 17 January 2012 - 04:52 PM

Hi again,

Before you do that, what is the status of your network connection? (Control Panel > Network Connections > right-click on the connection - what is the status?) If it's not showing as connected there's an option to repair the connection if it's not running. Try running the repair. Note any error notices and post them here.

Also, please download MbrScan from here:
My link
Transfer to problem PC. Click on Scan, it will only take a few seconds, then click report and post the report here.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#25 JoeFixes

Posted 17 January 2012 - 05:07 PM

Jedi,

The network connection shows as "CONNECTED"

Posted Image

Also here is that MBRScan Log

MBRScan v1.0.6

OS             : Windows XP Home Service Pack 3 (32 bit)
PROCESSOR      : x86 Family 15 Model 2 Stepping 7, GenuineIntel
BOOT           : Normal Boot
DATE           : 2012/01/17 (ISO 8601) at 17:00:08
________________________________________________________________________________

DISK           : Device\Harddisk0\DR0 __IC35L060AVV207-0 (V22OA66A)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : YES
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

DISK           : Device\Harddisk1\DR5 __USB Flash Memory (PMAP)
BUS_TYPE       : (0x07)  USB
USE_PIO        : NO
MAX_TRANSFER   : 64 Kb
ALIGNMENT_MASK : byte aligned
________________________________________________________________________________

Device\Harddisk0\DR0	37.27 Go  [Fixed] ==> XP MBR Code

MBR_MD5   : 81E0097D37E5F5F2F01F36C6C00EA893
MBR_SHA1  : B382C062166DCC16D107FA1222E67C9C98FD4802

Device\Harddisk0\Partition1	35.22 Go  	0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition2	2.05 Go  	0x1C Hidden FAT32 [LBA] 
________________________________________________________________________________

Device\Harddisk1\DR5	7.57 Go  [Removable] ==> Unknown MBR Code

MBR_MD5   : 884647217D3241AE92FA660ED84FF006
MBR_SHA1  : 9BC6C2F3702AFC2782C630CEA7AA1418725D8E8B

Device\Harddisk1\Partition1	7.57 Go __ BOOTABLE __
________________________________________________________________________________


_______MBR   \Device\Harddisk0\DR0  


_______MBR   \Device\Harddisk1\DR5  



Thank you


JoeFixes

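As an added illustration (not from JoeFixes' or jedi's posts, and not MBRScan's code), the Python below decodes a 512-byte MBR into the items the report above lists: the boot signature, the MBR_MD5/MBR_SHA1 fingerprints, and the partition table with its type bytes (0x07 NTFS marked bootable, 0x1C hidden FAT32). The sample sector is constructed, with a partition layout sized to reproduce the report's 35.22 GB and 2.05 GB figures; the code-only fingerprint and the review checks are this example's approach, not a description of how MBRScan decides "XP MBR Code".

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_AREA_LEN = 440           # bootstrap code; the 4-byte disk signature follows at 0x1B8
PART_TABLE_OFFSET = 0x1BE     # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511 of a valid MBR

# Partition type bytes, named roughly as MBRScan prints them (subset).
PART_TYPES = {
    0x07: "NTFS / HPFS",
    0x0B: "FAT32",
    0x0C: "FAT32 [LBA]",
    0x0F: "Extended [LBA]",
    0x1C: "Hidden FAT32 [LBA]",
    0x82: "Linux swap",
    0x83: "Linux",
}


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte MBR: signature check, fingerprints and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parsed = {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        # Whole-sector hashes, the values MBRScan prints as MBR_MD5 / MBR_SHA1.
        "md5": hashlib.md5(sector).hexdigest().upper(),
        "sha1": hashlib.sha1(sector).hexdigest().upper(),
        # Code-only hash: the disk signature and partition table differ on every
        # machine, so a known-good fingerprint of the bootstrap code must leave
        # them out. (This example's approach, not a claim about MBRScan.)
        "code_md5": hashlib.md5(sector[:CODE_AREA_LEN]).hexdigest().upper(),
        "partitions": [],
    }
    for slot in range(4):
        offset = PART_TABLE_OFFSET + 16 * slot
        # boot flag, CHS start, type, CHS end, LBA start, sector count
        boot, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, offset)
        if ptype == 0:
            continue  # empty slot
        parsed["partitions"].append({
            "index": slot + 1,
            "bootable": boot == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "Unknown"),
            "lba_start": lba,
            "sectors": count,
            "size_gib": round(count * SECTOR_SIZE / 2**30, 2),
        })
    return parsed


def check_mbr(parsed: dict, known_good_code_md5: set) -> list:
    """Review findings for an MBR; an empty list means nothing looked unusual."""
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if parsed["code_md5"] not in known_good_code_md5:
        findings.append("bootstrap code matches no known-good fingerprint")
    bootable = [p for p in parsed["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    by_start = sorted(parsed["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(by_start, by_start[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partition {a['index']} overlaps partition {b['index']}")
    return findings


def build_entry(bootable: bool, ptype: int, lba: int, count: int) -> bytes:
    """Pack one partition entry. CHS start is head 1 / sector 1 / cylinder 0 and
    CHS end the 0xFE 0xFF 0xFF 'beyond CHS range' marker used on LBA-addressed disks."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\x01\x01\x00",
                       ptype, b"\xFE\xFF\xFF", lba, count)


def sample_mbr() -> bytes:
    """Constructed sample (not the posted dump): bootable NTFS, then hidden FAT32,
    sized to reproduce the 35.22 GB and 2.05 GB figures in the report."""
    code = bytes(CODE_AREA_LEN)                    # placeholder, not real XP boot code
    disk_signature = b"\x12\x34\x56\x78" + b"\x00\x00"  # constructed value
    ntfs = build_entry(True, 0x07, 63, 73_866_807)
    hidden = build_entry(False, 0x1C, 63 + 73_866_807, 4_289_355)
    table = ntfs + hidden + bytes(32)             # slots 3 and 4 empty
    return code + disk_signature + table + BOOT_SIGNATURE


if __name__ == "__main__":
    mbr = parse_mbr(sample_mbr())
    print(f"MBR_MD5   : {mbr['md5']}")
    for p in mbr["partitions"]:
        flag = "__ BOOTABLE __" if p["bootable"] else ""
        print(f"Partition{p['index']}  {p['size_gib']} GB  0x{p['type']:02X} {p['type_name']} {flag}")
    print("findings:", check_mbr(mbr, {mbr["code_md5"]}) or "none")
```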
#26 jedi

Posted 18 January 2012 - 10:35 AM

Hi again,

What happens when you right-click on that connection and select Repair? Can you try that and let me know? Note any messages from Windows and post them here.

jedi

#27 JoeFixes

Posted 18 January 2012 - 11:12 AM

Hi Jedi

It won't repair. Here is the error message:

Posted Image

Thanks


JoeFixes

#28 jedi

Posted 19 January 2012 - 02:54 PM

Hi again,

It's what I was expecting. There are various methods to fix this ranging from easy to difficult, so let's start with the MS way and reset TCP/IP:
http://support.micro...9357#letmefixit
Try the "Fix it for me" method first, and try the "Let me fix it myself" method if the autofix doesn't work.
After that, try the internet again. If you cannot connect try the Repair right-click option on the LAN connection again. Please note or get screenshots of any new error messages. If you get the same message as before just tell me.

jedi

#29 JoeFixes

Posted 19 January 2012 - 03:20 PM

Hi Jedi,

The Auto-Fix method ran without any issues, but yielded no positive response. I also ran the manual method with the same results. I tried to repair the connection after both attempts but I got the same error message as above. Still no ability to connect though.

Sorry for the bad news.

#30 jedi

Posted 19 January 2012 - 04:49 PM

Hi again,

Right-click on the LAN icon again and select Properties. Clear the check next to TCP/IP Protocol and hit OK.
Reboot.
Right-click on the LAN icon again and select Properties. Add the check next to TCP/IP Protocol and hit OK.
Reboot.

Can you connect now?

(Note: I just ran through this on my XP box, and I lost my internet connection and recreated the exact error notice you got when I tried Repair. This was after I cleared the check and rebooted the first time. Adding the check again and rebooting again solved the error.)

jedi

#31 JoeFixes

Posted 19 January 2012 - 05:38 PM

Hi Jedi

Sadly I am not having the same luck you are having. I unchecked the box then rebooted. When it came up I noticed that the check mark was also missing from the Microsoft Client and File Sharing as well as the TCP/IP. I checked all 3 and rebooted again. Still nothing. I tried to REPAIR, but got the same error message I had been getting. I also tried running an IPCONFIG from a CMD window but it said that request was not supported. Kind of like it didn't recognize the command. I was going to try to remove the network adapter and reinstall it, but it is built-in to the MB so that is not possible.

JoeFixes

#32 jedi

Posted 20 January 2012 - 05:58 AM

Hi again,

OK, let's try replacing the tcpip.sys driver. You'll need the recovery console. If it's not installed on the sick PC you can access it from any XP install disk (apart from certain OEMs) or else Combofix can do it:
http://www.bleepingc...manual_recovery (See - 'If you use Windows XP and do not have the Windows CD')

Let me know if you have a disk or when you have the RC installed.

RC commands with XP disk are here:
http://lair360.co.uk...pip-sys-driver/
Second method. (Replacing ‘TCPIP.SYS’ from Microsoft Recovery Console.)

If you don't have a disk and you can get the RC installed via Combofix you can access it via the boot menu (it will be listed along with your operating system; use the arrow up/down keys to select).

If you use this method you will first have to find a clean copy using Search > All files/folders. There should be a clean copy at C:\WINDOWS\ServicePackFiles\i386\tcpip.sys

Once you have verified the location open the RC and run the following commands:

Back up your ‘tcpip.sys’ file with this command and press ‘Enter.’
Copy C:\WINDOWS\system32\drivers\tcpip.sys C:\backup\tcpip.old

Replace with clean copy:

copy C:\WINDOWS\ServicePackFiles\i386\tcpip.sys C:\WINDOWS\system32\drivers\tcpip.sys

Create a restore point before you make any of these changes. The above command assumes you have a clean copy at C:\WINDOWS\ServicePackFiles\i386, if the location is different adjust the file path accordingly.

(You can uninstall/reinstall TCP/IP - though Microsoft says you can't, but it's a fairly drastic solution and I don't want to go there unless we have to. The ipconfig problem suggests a corrupt tcpip driver.)

Edit: There's an .iso of just the recovery console here, if it's easier for you to do that:
http://forums.pcpits...nsole-wo-xp-cd/
I haven't tried it but I believe it works.
jedi

Edited by jedi, 20 January 2012 - 09:18 AM.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#33 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 20 January 2012 - 10:36 AM

I have the Recovery Console installed. I know it is there. Let me try this and be back to you in a few.
JoeFixes
(But only if its Broke)

#34 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 20 January 2012 - 11:14 AM

Jedi,

I do want to scream, but I am restraining myself. What do i do in this case?

Posted Image


JoeFixes
(But only if its Broke)

#35 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 21 January 2012 - 05:51 AM

Hi again,

Yes, I feel a bit like screaming too!

OK, try running these commands in the recovery console:

SET AllowWildCards = TRUE
SET AllowAllPaths = TRUE
SET AllowRemovableMedia = TRUE

Press enter after each line, then try the command again.

Also:

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.

jedi

#36 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 23 January 2012 - 10:01 AM

Hi Jedi,

Well you always seem to have the answers! I'm so glad about that! This worked out also. By entering those commands I was then able to copy and replace the tcpip.sys file. After replacing the file I loaded windows normally and although there was still no connection I tried to repair the network connection and got the same error message.

Posted Image

I ran the FSS scanner. Maybe this log will tell you something we are not thinking about. I looked at it and was surprised by some of the results:

Farbar Service Scanner Version: 18-01-2012 01
Ran by warehouse (administrator) on 23-01-2012 at 09:43:39
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(10) Gpc(6) NetBT(5) Tcpip(3)
0x0A000000040000000100000002000000030000000A0000000500000006000000070000000800000009000000
Attention! IpSec Tag value should be 4Attention! IpSec Tag value is missing and it should be 4

**** End of log ****


Thank you JoeFixes
(But only if its Broke)
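The FSS report above is read by eye in this thread. As an added example (not from the thread or from Farbar's tool), here is a small Python parser over a constructed excerpt in the same layout; it pulls out the stopped services per section, every "Attention!" line, the Connection Status lines, and any file whose MD5 verdict is not "legit" (the exact wording of a non-legit verdict is an assumption).

```python
import re

# Constructed excerpt in the Farbar Service Scanner (FSS) layout shown in this
# thread; a shortened sample for the parser, not the poster's actual log.
SAMPLE_FSS_LOG = r"""Farbar Service Scanner Version: 18-01-2012 01
****************************************************************
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
Tcpip Service is not running. Checking service configuration:
Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.
File Check:
========
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
Extra List:
=======
aswTdi(10) Gpc(6) NetBT(5) Tcpip(3)
Attention! IpSec Tag value is missing and it should be 4
**** End of log ****
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+):$")             # "Internet Services:"
NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running\.")
FILE_CHECK_RE = re.compile(r"^(\S+) => MD5 is (.+)$")   # "<path> => MD5 is legit"


def parse_fss(text):
    """Reduce an FSS log to what a helper acts on: stopped services per section,
    every 'Attention!' line, the Connection Status lines, and any file whose
    MD5 verdict is not 'legit'."""
    report = {"stopped": {}, "attention": [], "files": [], "connection": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"=", "*"}:  # blank, "====" rule, "****" banner
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = NOT_RUNNING_RE.match(line)
        if m:
            report["stopped"].setdefault(section, []).append(m.group(1))
            continue
        m = FILE_CHECK_RE.match(line)
        if m:
            # Assumption: any verdict other than "legit" deserves a closer look.
            if m.group(2).strip().lower() != "legit":
                report["files"].append(m.group(1))
            continue
        if "Attention!" in line:
            report["attention"].append(line)
        elif section == "Connection Status":
            report["connection"].append(line)
    return report
```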

#37 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 23 January 2012 - 06:07 PM

OK, that's useful.

Create a restore point.

Run HostsXpert on the infected machine, use the option Restore MS Hosts File, follow the prompts then exit the program.

Next, download the XP network registry key zip file from here:
http://www.smartestc...y-network-keys/
Extract the keys, transfer the legacy_wscsvc, ipsec and legacy_ipsec .reg files onto the infected machine and double-click on each in turn to merge them with the registry.

Next, download WinSock XP Fix and transfer to the infected machine. Open the program and click Fix. Allow the program to run then exit it.

Next, do Start > Run and type in services.msc and hit OK.

Navigate to the following services in turn, and check that they are started and the start-up type is set to automatic:

DHCP Client
DNS Client
TCP/IP NetBIOS Helper

If the start-up type is not set to automatic right-click on the service and select Properties, then use the start-up type drop down menu to select Automatic. If the service is stopped click on Start.
All three of these services should be set to Automatic and should be started.

Now try your internet connection again.

Please also scan again with FSS, with the same options as before, and post the report here.

(Note to others, these steps are designed for this specific computer only, attempting to use them on another computer could result in irreparable damage)

jedi

#38 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 24 January 2012 - 09:37 AM

Jedi,

I agree... it seems like we have a good start here. I'm having some trouble with the registry keys. Take a look at the image below. One of the keys loaded fine, while the others did not.

Posted Image

Your suggestions would be very helpful.

Thanks

JoeFixes
(But only if its Broke)

#39 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 25 January 2012 - 02:49 PM

Hi again,

Try the legacy_ipsec and legacy_wscsvc .reg files in Safe Mode. If legacy_ipsec is successful reboot into Normal Mode and carry on with the next steps, even if legacy_wscsvc.reg doesn't run, we can troubleshoot the Security Centre later.

jedi

#40 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 25 January 2012 - 03:37 PM

Hi Jedi,

I'm not having a lot of luck. I was not able to load the .reg files in safe mode. It gave me the same error messages as you saw up above. I did continue though and I ran the WinSock fix and it did say it was applied and then I did a reboot. In Services I was unable to start the DHCP Client. This is the error message I received:

Posted Image

I also ran a new FSS scan and here is that result:

Farbar Service Scanner Version: 18-01-2012 01
Ran by warehouse (administrator) on 25-01-2012 at 15:31:28
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(10) Gpc(6) IPSec(5) NetBT(5) Tcpip(3)
0x0A000000040000000100000002000000030000000A0000000500000006000000070000000800000009000000
Attention! IpSec Tag value should be 4

**** End of log ****
JoeFixes
(But only if its Broke)

#41 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 26 January 2012 - 06:29 AM

Hi again,



Do Start > Run and type services.msc and hit OK. Make sure the following services are running and set to startup type Automatic:

Application Layer Gateway Service
Network Connections
Network Location Awareness (NLA)
Plug and Play
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC)
Telephony

Next:
Find IPSEC Services, right-click, select Properties, stop the service and set to Disabled.

Open Notepad and copy and paste the following:

net start dnscache
net start tcpip
net start dhcp
ipconfig /release
ipconfig /flushdns
ipconfig /renew
netsh int ip reset resetlog.txt
netsh winsock reset

Do File tab, Save As, save as file type All Files from the dropdown menu, name it as FIXme.bat and save to desktop. Double-click on the .bat file to run it.

Verify your localhost loopback is in place by following the steps here (checking the hosts file):
http://www.tech-pro....hosts-file.html

It should read 127.0.0.1 localhost.

Do Start > Run and type in cmd and hit ok.
Run the following command:

ping 127.0.0.1

Is it successful?

jedi

Edited by jedi, 02 February 2012 - 02:50 PM.
typo


#42 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 26 January 2012 - 03:02 PM

Hi Jedi

No... I'm not having a lot of luck. I did change the properties on the SERVICES to AUTOMATIC. Most were set to MANUAL except for 2 but they all say AUTOMATIC now. I created the batch file but there were several errors I noticed that were returned when it ran. I did modify the text you gave me slightly, but only to correct what I saw as being typos. The host file does say 127.0.0.1 localhost, but I was not able to successfully ping that IP address. When I try to ping the error message I get is:

UNABLE TO CONTACT IP DRIVER, ERROR CODE 2.

When the batch files runs, there are several errors. Some of them are:

AN INTERNAL ERROR OCCURRED; THE REQUEST IS NOT SUPPORTED
PLEASE CONTACT MICROSOFT PRODUCT SUPPORT SERVICES FOR FURTHER HELP
ADDITIONAL INFORMATION: UNABLE TO QUERY HOST NAME

What other information can I provide you with?

JoeFixes
(But only if its Broke)

#43 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 30 January 2012 - 04:24 AM

Hi again,

I've reviewed the topic, and as far as I can see every action we try to do points back to a corrupted TCP/IP. There are three viable options that I can think of.
First is to restore the PC to a point before the infection using System Restore. I'm doubtful whether this will work, but may be worth a try.
Second is to run a Repair-Install (Requires Windows XP install disk)
The third is to uninstall/reinstall TCP/IP.

The method to do this is shown here:
http://smokeys.wordp...p3-tcpip-stack/
Solution 2 - Hardcore method when nothing else is working.

The first part - manually editing Nettcpip.inf to enable the greyed out uninstall button, I have also seen done using Windows Enabler:
http://www.softpedia...s-Enabler.shtml
but can't find the relevant post. I wouldn't personally recommend Enabler, I've tested it and it seems a bit brutal, but if you'd rather use an automated method than edit Nettcpip.inf I can see if I can find the original post about it.

jedi

#44 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 30 January 2012 - 09:58 AM

Jedi!

Can you believe this? System Restore did the trick! I reverted back to January 3 (far enough back since I could not remember when this problem started). After system restore completed I was immediately able to get on to the internet and my LAN. Is there anything else I should do to check for problems?


Joe
JoeFixes
(But only if its Broke)

#45 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 30 January 2012 - 10:36 AM

Jedi,

I'm nearly perfect. The funny thing is that, prior to all of these problems, a few years ago I had a virus on this same computer. Not a bad one, not nearly as damaging as this one was. But anyway, ever since I cleared that virus, this computer has always had this error message pop up at startup. After we did all of our cleaning the message went away. But now since the system restore the message is back. I remember looking into it a few years ago and I also remember it not being a big deal. We've just ignored the message for years. But I thought I would show it to you and maybe you can show me the proper way to eliminate the message for good.

Posted Image

Thank you

Joe
JoeFixes
(But only if its Broke)

#46 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 30 January 2012 - 03:32 PM

Hi again,

Hah, well, sometimes the simple solution works! Excellent. :thumbup:

Ok, that WildTangent entry is trying to run the program at Startup, but the program doesn't exist, only the Startup entry. A HijackThis log should show the entry and it can be fixed from there.
jedi

#47 JoeFixes

JoeFixes

    SWI Junkie

  • Full Member
  • 495 posts

Posted 30 January 2012 - 03:44 PM

Jedi,

I'm not sure I can begin to thank you enough. The easy solution here would have been a format and re-install, but there was too much company information that I did not want to lose, not to mention a variety of third party proprietary programs I would have had to find and reinstall. I am not in a position right now to send a donation. But I have every intention of doing so just as soon as I get a little bit of money in my pocket. I am going to put this machine back into service in the morning.

Joe
JoeFixes
(But only if its Broke)

#48 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 30 January 2012 - 04:43 PM

You're very welcome. :)

jedi

#49 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 11 February 2012 - 07:25 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
jedi