1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Need advice after malware attack

Discussion in 'Virus & Other Malware Removal' started by LERN, Sep 22, 2012.

Thread Status:
Not open for further replies.
Advertisement
  1. LERN

    LERN Thread Starter

    Joined:
    Sep 22, 2012
    Messages:
    13
    After several malwares were caught by my AV I found out that my Firewall cannot be turned on. Cannot connect to my internet with my Ethernet cable plugged into my desktop straight from my router. Someone told me to use this program and I am unable to understand it but I am aware its not good...


    Farbar Service Scanner Version: 19-09-2012
    Ran by Owner (administrator) on 22-09-2012 at 19:01:27
    Running from "C:\Documents and Settings\Owner\Desktop"
    Microsoft Windows XP Home Edition Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    Tcpip Service is not running. Checking service configuration:
    The start type of Tcpip service is OK.
    The ImagePath of Tcpip service is OK.

    IpSec Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open IpSec registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open IpSec registry key. The service key does not exist.


    Connection Status:
    ==============
    Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
    There is no connection to network.
    Attempt to access Google IP returned error: Other errors
    Attempt to access Google.com returned error: Other errors
    Attempt to access Yahoo IP returned error: Other errors
    Attempt to access Yahoo.com returned error: Other errors


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    aswTdi(10) Avgtdix(9) Gpc(3) NetBT(6) PSched(7) Tcpip(4)
    0x0A00000005000000010000000200000003000000040000000A00000009000000060000000700000008000000
    ATTENTION!=====> IpSec Tag value should be 5. ATTENTION!=====> IpSec Tag value is missing and it should be 5.

    **** End of log ****

    Any advice would be helpful. System restore fails/missing my original cd so I can't reformat. :confused:
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,692
    The infection has deleted the ipsec service key in the registry.

    Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

    ***************************************************

    Download ComboFix from the following link:

    Link 1


    --------------------------------------------------------------------

    With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


    Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

    Note: If you have SP3, use the SP2 package.


    ---------------------------------------------------------------------

    Transfer all files you just downloaded, to the desktop of the infected computer.

    --------------------------------------------------------------------


    Disable your anti-Virus and anti-spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


    [​IMG]

    • Drag the setup package onto ComboFix.exe and drop it.
    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


      [​IMG]
    • At the next prompt, click 'Yes' to run the full ComboFix scan.
    • When the tool is finished, it will produce a report for you.
    Please post the C:\ComboFix.txt in your next reply.
     
  3. LERN

    LERN Thread Starter

    Joined:
    Sep 22, 2012
    Messages:
    13
    Okay this took all day to do because it had to reboot repeatedly..


    ComboFix 12-09-23.02 - Owner 09/23/2012 10:34:42.5.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.195 [GMT -8:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MYWEBSEARCHSERVICE
    -------\Service_MyWebSearchService
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-23 to 2012-09-23 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-21 01:35 . 2004-06-12 00:33 290304 ----a-w- C:\subinacl.exe
    2012-09-21 01:32 . 2012-09-21 01:32 -------- d-----w- C:\RegBackup
    2012-09-21 01:15 . 2012-09-21 03:09 181064 ----a-w- c:\windows\PSEXESVC.EXE
    2012-09-21 01:14 . 2012-09-21 02:44 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{a8864317-e18b-4292-99d9-e6e65ab905d3}"= "c:\program files\Runescape\prxtbRun2.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{a8864317-e18b-4292-99d9-e6e65ab905d3}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a8864317-e18b-4292-99d9-e6e65ab905d3}]
    2011-05-09 09:49 176936 ----a-w- c:\program files\Runescape\prxtbRun2.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{a8864317-e18b-4292-99d9-e6e65ab905d3}"= "c:\program files\Runescape\prxtbRun2.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{a8864317-e18b-4292-99d9-e6e65ab905d3}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{A8864317-E18B-4292-99D9-E6E65AB905D3}"= "c:\program files\Runescape\prxtbRun2.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{a8864317-e18b-4292-99d9-e6e65ab905d3}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-07 39408]
    "Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
    "ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-1-24 24576]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
    R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 9:49 AM 616408]
    R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
    S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
    S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100.sys [1/24/2009 3:15 PM 13594]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-09-23 10:46
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(640)
    c:\windows\system32\l3codeca.acm
    c:\program files\CA\PPRT\bin\CACheck.dll
    c:\program files\CA\PPRT\bin\CAHook.dll
    c:\program files\CA\PPRT\bin\CAServer.dll
    .
    - - - - - - - > 'explorer.exe'(920)
    c:\windows\system32\WININET.dll
    c:\program files\CA\PPRT\bin\CACheck.dll
    c:\program files\CA\PPRT\bin\CAHook.dll
    c:\program files\CA\PPRT\bin\CAServer.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\l3codeca.acm
    .
    Completion time: 2012-09-23 10:50:01
    ComboFix-quarantined-files.txt 2012-09-23 18:49
    .
    Pre-Run: 65,870,598,144 bytes free
    Post-Run: 65,831,002,112 bytes free
    .
    - - End Of File - - 099A7F4FC1280C17A93990B43EEC7985
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,692
    Have you run ComboFix in the past? The report shows ComboFix has been run 5 times but I don't see the logs listed.

    Are there any other logs in this location? They would be named combofix2.txt, combofix3.txt, etc.

    C:\qoobox
     
  5. LERN

    LERN Thread Starter

    Joined:
    Sep 22, 2012
    Messages:
    13
    No but on a couple of tries ComboFix was done scanning everything went blank but the background and Combofix told me it had to reboot. It took awhile for it to give me the LOG. The log I posted the only one I got. Though it did tell me I had a ZeroAccess rootkit in my tcp/ip on the first try and it rebotted without giving me a log and delete the rootkit.
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,692
    Are you able to connect now?
     
  7. LERN

    LERN Thread Starter

    Joined:
    Sep 22, 2012
    Messages:
    13
    No can't connect or turn my Window Firewall on. I don't know if this will be helpful. :(
    _______________________________________________

    Farbar Service Scanner Version: 19-09-2012
    Ran by Owner (administrator) on 23-09-2012 at 12:40:22
    Running from "C:\Documents and Settings\Owner\Desktop"
    Microsoft Windows XP Home Edition Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    Tcpip Service is not running. Checking service configuration:
    The start type of Tcpip service is OK.
    The ImagePath of Tcpip service is OK.


    Connection Status:
    ==============
    Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
    There is no connection to network.
    Attempt to access Google IP returned error: Other errors
    Attempt to access Google.com returned error: Other errors
    Attempt to access Yahoo IP returned error: Other errors
    Attempt to access Yahoo.com returned error: Other errors


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    Avgtdix(9) Gpc(3) NetBT(6) PSched(7) Tcpip(4)
    0x09000000050000000100000002000000030000000400000009000000060000000700000008000000
    ATTENTION!=====> IpSec Tag value should be 5. ATTENTION!=====> IpSec Tag value is missing and it should be 5.

    **** End of log ****
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,692
    Go to Start - Run and copy and paste the following then click OK:

    regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec"

    You won't see anything happen and it will only take a second. You will find the report it creates at C:\look.txt. Please open it in Notepad and then copy and paste the report here.
     
  9. LERN

    LERN Thread Starter

    Joined:
    Sep 22, 2012
    Messages:
    13
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
    "Type"=dword:00000001
    "Start"=dword:00000001
    "ErrorControl"=dword:00000001
    "ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
    52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
    00,73,00,79,00,73,00,00,00
    "Group"="PNP_TDI"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Enum]
    "0"="Root\\LEGACY_IPSEC\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,692
    Some important parts are missing so we'll fix that. I'm attaching a FixLern.zip file. Save it to your desktop. Unzip it (extract the file) and double-click the FixLern.reg file and allow it to enter into the registry.

    Then reboot the machine and see if you can connect to the Internet.
     

    Attached Files:

  11. LERN

    LERN Thread Starter

    Joined:
    Sep 22, 2012
    Messages:
    13
    Yep firewall is turned back on and I can connect to the internet! Thanks for helping me!!!!!! :)(y)

    Farbar Service Scanner Version: 19-09-2012
    Ran by Owner (administrator) on 23-09-2012 at 15:51:40
    Running from "C:\Documents and Settings\Owner\Desktop"
    Microsoft Windows XP Home Edition Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    Avgtdix(9) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
    0x09000000050000000100000002000000030000000400000009000000060000000700000008000000
    IpSec Tag value is correct.

    **** End of log ****

    Again THANKS! :)
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,692
    You're welcome. Please stay with me though so we can check to see if there's anything else that needs attention.

    Download OTS.exe to your Desktop.
    1. Close any open browsers.
    2. If your Real protection or Antivirus interferes with OTS, allow it to run.
    3. Double-click on OTS.exe to start the program.
    4. At the top put a check mark in the box beside "Scan All Users".
    5. Under the Additional Scans section put a check in the box next to Disabled MS Config Items, NetSvcs and EventViewer logs (Last 10 errors)
    6. Now click the Run Scan button on the toolbar.
    7. Let it run unhindered until it finishes.
    8. When the scan is complete Notepad will open with the report file loaded in it.
    9. Save that notepad file.
    Use the Reply button, scroll down to the attachments section and attach the notepad file here.
     
  13. LERN

    LERN Thread Starter

    Joined:
    Sep 22, 2012
    Messages:
    13
    okay
     

    Attached Files:

    • OTS.Txt
      File size:
      90.4 KB
      Views:
      3
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,692
    Start OTS. Copy/Paste the information in the code box below into the pane where it says "Paste fix here" and then click the "Run Fix" button.

    The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here please.

    Code:
    [Kill All Processes]
    [Unregister Dlls]
    [Registry - Safe List]
    < Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> 
    YN -> HKEY_USERS\.DEFAULT\: URLSearchHooks\\"{A3BC75A2-1F87-4686-AA43-5347D756017C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
    < Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
    YN -> HKEY_USERS\S-1-5-18\: URLSearchHooks\\"{A3BC75A2-1F87-4686-AA43-5347D756017C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
    < FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
    YY -> HKLM\software\mozilla\Firefox\extensions\\[email protected] -> C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN
    < Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-602162358-616249376-839522115-1003\] > -> HKEY_USERS\S-1-5-21-602162358-616249376-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\
    YN -> ShellBrowser\\"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
    YN -> WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
    [Files/Folders - Created Within 30 Days]
    NY ->  4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    [Files/Folders - Modified Within 30 Days]
    NY ->  4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    [Empty Temp Folders]
    [EmptyFlash]
    [EmptyJava]
    [Start Explorer]
    [Reboot] 
     
  15. LERN

    LERN Thread Starter

    Joined:
    Sep 22, 2012
    Messages:
    13
    I ran the code in ots but during the fix all my icons and start bar on the bottom of my screen vanished. opt was still open and I waited for it to stop running before I forced a shutdown. I rebooted and everything was fine but notepad did open up and said this


    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1070014