TechSpot

[A] Fake Windows 2012 Anti-Virus removed?

By ComputerJoe22
Dec 30, 2011
  1. TESTING Since the forum will not let me post to another thread of the same name, Broni is assisting on that thread ... I'm brand new to this board and most likely have not been vetted yet.

    The OP was still having problems getting AFD.sys to stay in Windows\System32\drivers folder. This was causing problems with the loading of the firewall and MS client. I have the same problem and found that the malware modified the permissions so that even SYSTEM had none. I have changed the permissions on the drivers folder but am still having problems. I can copy another afd.sys without errors but when I go back to look it isn't there.

    Thought this information might help Broni, and myself, out.
     
  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    Most likely your computer is still infected and the infection keeps removing that file.
     
  3. ComputerJoe22

    ComputerJoe22 TS Rookie Topic Starter

    I am 99% certain that all bugs have been purged. I've run everything (Malwarebytes, SUPERAntiSpyware, MS File Scanner, ComboFix, ...) multiple times until they came clean.

    Well I've been able to copy AFD.sys from windows\winsxs subfolder and it remains in System32\drivers now. Been through takeown and setting administrator rights on entire Drivers folder. All in SAFE MODE.

    BUT if I run SFC, it fails at 87% and reports that it cannot fix AFD.sys as the last line. There appear to be 4 copies of AFD.sys in winsxs "x86..." folders.
    I've tried about every one of them but SFC still fails. I know it's failing on AFD but I have no idea why anymore. It is also giving errors on two INF files that I edited to be able to remove then add TCP to the winsock stack, but it continues past them. About to try and do a repair install, but I haven't had a lot of luck doing this with Vista and Win7.

    ComboFix 11-12-30.02 - Joe 01/01/2012 20:49:06.10.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2936.2143 [GMT -5:00]
    Running from: c:\users\Joe\Desktop\Tool Box\AdvancedTools\ComboFix.exe
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-02 to 2012-01-02 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-02 01:58 . 2012-01-02 01:58 -------- d-----w- c:\users\Joe\AppData\Local\temp
    2012-01-02 01:58 . 2012-01-02 01:58 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2012-01-02 01:58 . 2012-01-02 01:58 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-02 01:58 . 2012-01-02 01:58 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-01-01 02:40 . 2008-01-21 02:23 118784 ----a-w- c:\windows\system32\drivers\E1G60I32.sys
    2012-01-01 02:40 . 2006-11-02 08:51 79360 ----a-w- c:\windows\system32\drivers\parport.sys
    2012-01-01 00:05 . 2009-04-11 04:47 273920 --s-a-r- c:\windows\system32\drivers\afd.sys
    2011-12-31 21:25 . 2008-11-06 07:03 -------- d-----w- C:\SDFix
    2011-12-31 17:33 . 2011-12-31 17:33 956854 ----a-w- C:\protected.reg
    2011-12-30 17:13 . 2011-12-30 17:13 90992 ----a-w- C:\safenetwork.reg
    2011-12-30 16:35 . 2011-12-30 16:36 397188256 ----a-w- C:\safe4.reg
    2011-12-29 22:42 . 2011-12-30 15:53 -------- d-----w- c:\users\JPS
    2011-12-29 16:54 . 2011-12-29 16:54 397649062 ----a-w- C:\safe3.reg
    2011-12-28 14:11 . 2011-12-28 14:11 -------- d-----w- c:\windows\OPTIONS
    2011-12-28 14:11 . 2008-01-16 07:09 280576 ----a-w- c:\windows\system32\drivers\rtl8187Se.sys
    2011-12-28 14:11 . 2011-12-28 14:11 -------- d-----w- c:\program files\REALTEK Wireless LAN Driver
    2011-12-27 23:03 . 2011-12-27 23:03 -------- d-----w- c:\program files\Marvell
    2011-12-27 22:56 . 2011-12-27 22:56 -------- d-----w- c:\windows\system32\safe
    2011-12-27 22:38 . 2011-12-27 22:38 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-12-27 13:02 . 2011-12-27 19:08 -------- d-----w- c:\program files\CCleaner
    2011-12-27 00:24 . 2011-12-31 22:19 -------- d-----w- c:\windows\system32\drivers\bad
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-30 14:40 . 2011-05-20 11:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-12 145944]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-12 150040]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-20 182808]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-12 170520]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer3"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
    backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=c:\windows\pss\HotSync Manager.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 EasyLogin]
    2011-01-13 15:21 1111040 ----a-w- c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
    2010-06-07 21:48 362488 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-06-06 16:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2006-12-23 22:05 143360 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2006-01-12 19:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
    2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmAudio]
    2008-08-05 15:22 2701880 ------w- c:\program files\CONEXANT\SmartAudio\SmAudio.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2011-11-11 17:35 4617600 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
    2010-06-07 21:47 2605424 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4176825988-320283645-1450970971-1000]
    "EnableNotifications"=dword:00000001
    "EnableNotificationsRef"=dword:00000001
    .
    R1 MpKsl2671112a;MpKsl2671112a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKsl2671112a.sys [x]
    R1 MpKsl50cb6b42;MpKsl50cb6b42;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKsl50cb6b42.sys [x]
    R1 MpKsl5ffb76fd;MpKsl5ffb76fd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{91C52F2C-DAE7-498A-B610-A3AD7A88B906}\MpKsl5ffb76fd.sys [x]
    R1 MpKsla061a7a7;MpKsla061a7a7;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKsla061a7a7.sys [x]
    R1 MpKslb158f7db;MpKslb158f7db;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKslb158f7db.sys [x]
    R1 MpKslb1622944;MpKslb1622944;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKslb1622944.sys [x]
    R1 MpKslbb6f469f;MpKslbb6f469f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKslbb6f469f.sys [x]
    R1 MpKslc381c061;MpKslc381c061;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKslc381c061.sys [x]
    R1 MpKsle70f5378;MpKsle70f5378;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKsle70f5378.sys [x]
    R1 MpKslec8045aa;MpKslec8045aa;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKslec8045aa.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 MHIKEY10;MHIKEY10;c:\windows\system32\Drivers\MHIKEY10.sys [2008-05-27 50560]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 gupdate1ca58cafd5c48f1;Google Update Service (gupdate1ca58cafd5c48f1);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-29 133104]
    R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-29 133104]
    R4 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-12-03 64288]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-10-27 116608]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2008-01-21 21504]
    S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [x]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-30 112128]
    S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]
    S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-07-15 51288]
    S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2008-06-12 43608]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HsfXAudioService REG_MULTI_SZ HsfXAudioService
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    bthsvcs REG_MULTI_SZ BthServ
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-29 19:06]
    .
    2012-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-29 19:06]
    .
    2012-01-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4176825988-320283645-1450970971-1000Core.job
    - c:\users\Joe\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-18 17:15]
    .
    2012-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4176825988-320283645-1450970971-1000UA.job
    - c:\users\Joe\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-18 17:15]
    .
    2011-12-31 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-10-26 19:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: dishnetwork.com\retailer
    .
    .
    ------- File Associations -------
    .
    .txt=
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-01 20:58
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Everyone)
    @Denied: (A) (Users)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(2324)
    c:\program files\Palm\PqiIcon.dll
    .
    Completion time: 2012-01-01 21:00:57
    ComboFix-quarantined-files.txt 2012-01-02 02:00
    ComboFix2.txt 2012-01-01 23:45
    ComboFix3.txt 2012-01-01 23:21
    ComboFix4.txt 2012-01-01 22:32
    ComboFix5.txt 2012-01-02 01:47
    .
    Pre-Run: 218,676,559,872 bytes free
    Post-Run: 218,609,639,424 bytes free
    .
    - - End Of File - - CA0F583B051E8895185ADA42F4796CDD




    --------------------------SFC /SCANNOW log --------------------------------------------
    EDITED OUT EVERYTHING BUT ERRORS

    2012-01-02 10:43:24, Info CSI 00000006 [SR] Verifying 100 (0x00000064) components
    2012-01-02 10:43:24, Info CSI 00000007 [SR] Beginning Verify and Repair transaction
    2012-01-02 10:43:31, Info CSI 00000009 [SR] Verify complete
    2012-01-02 10:45:23, Info CSI 00000088 [SR] Beginning Verify and Repair transaction
    2012-01-02 10:45:27, Info CSI 00000089 [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\cs-CZ"\[l:28{14}]"cdosys.dll.mui" from store
    2012-01-02 10:45:29, Info CSI 0000008c [SR] Verify complete
    2012-01-02 10:45:35, Info CSI 00000093 [SR] Beginning Verify and Repair transaction
    2012-01-02 10:45:42, Info CSI 0000009b [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\cs-CZ"\[l:32{16}]"comdlg32.dll.mui" from store
    2012-01-02 10:45:43, Info CSI 0000009e [SR] Verify complete
    2012-01-02 10:47:04, Info CSI 000000ca [SR] Beginning Verify and Repair transaction
    2012-01-02 10:47:12, Info CSI 000000d3 [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\cs-CZ"\[l:28{14}]"msimsg.dll.mui" from store
    2012-01-02 10:47:13, Info CSI 000000e0 [SR] Verify complete
    2012-01-02 10:47:47, Info CSI 00000104 [SR] Beginning Verify and Repair transaction
    2012-01-02 10:47:50, Info CSI 00000105 [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\cs-CZ"\[l:30{15}]"msprivs.dll.mui" from store
    2012-01-02 10:48:13, Info CSI 00000115 [SR] Beginning Verify and Repair transaction
    2012-01-02 10:48:23, Info CSI 0000012f [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\cs-CZ"\[l:26{13}]"mlang.dll.mui" from store
    2012-01-02 10:50:38, Info CSI 00000178 [SR] Beginning Verify and Repair transaction
    2012-01-02 10:50:43, Info CSI 0000017a [SR] Repairing corrupted file [ml:520{260},l:36{18}]"\??\C:\Windows\Inf"\[l:24{12}]"nettcpip.inf" from store
    2012-01-02 10:50:43, Info CSI 0000017b [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\cs-CZ"\[l:48{24}]"UIAutomationCore.dll.mui" from store
    2012-01-02 10:50:43, Info CSI 0000017d [SR] Repairing corrupted file [ml:520{260},l:36{18}]"\??\C:\Windows\Inf"\[l:20{10}]"netip6.inf" from store
    2012-01-02 10:50:43, Info CSI 0000017f [SR] Verify complete
    2012-01-02 10:50:43, Info CSI 00000180 [SR] Verifying 100 (0x00000064) components
    2012-01-02 10:50:43, Info CSI 00000181 [SR] Beginning Verify and Repair transaction
    2012-01-02 10:50:50, Info CSI 00000183 [SR] Verify complete
    2012-01-02 10:50:50, Info CSI 00000184 [SR] Verifying 100 (0x00000064) components
    2012-01-02 10:50:50, Info CSI 00000185 [SR] Beginning Verify and Repair transaction
    2012-01-02 10:50:56, Info CSI 00000187 [SR] Verify complete
    2012-01-02 10:50:57, Info CSI 00000188 [SR] Verifying 100 (0x00000064) components
    2012-01-02 10:50:57, Info CSI 00000189 [SR] Beginning Verify and Repair transaction
    2012-01-02 10:51:04, Info CSI 0000018d [SR] Verify complete
    2012-01-02 10:51:04, Info CSI 0000018e [SR] Verifying 100 (0x00000064) components
    2012-01-02 10:51:04, Info CSI 0000018f [SR] Beginning Verify and Repair transaction
    2012-01-02 10:51:06, Info CSI 00000190 [SR] Cannot repair member file [l:14{7}]"afd.sys" of Microsoft-Windows-Winsock-Core, Version = 6.0.6002.18457, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file cannot be checked
     
  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
     
  5. ComputerJoe22

    ComputerJoe22 TS Rookie Topic Starter

    FSS log

    SORRY FOR THE DELAY, DID NOT EXPECT A QUICK REPLY.

    Farbar Service Scanner
    Ran by Joe (administrator) on 02-01-2012 at 16:47:59
    Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    afd Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.
    Checking LEGACY_afd: Attention! Unable to open LEGACY_afd\0000 registry key. The key does not exist.


    Connection Status:
    ==============
    Localhost is accessible.
    There is no connection to network.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is set to Disabled. The default start type is 3.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.
    Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ===========
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.

    BITS Service is not running. Checking service configuration:
    The start type of BITS service is OK.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.
    Checking LEGACY_BITS: Attention! Unable to open LEGACY_BITS\0000 registry key. The key does not exist.


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys
    [2011-11-13 09:34] - [2011-09-20 16:02] - 0913280 ____A (Microsoft Corporation) 16731B631F28F63CD9F4CB60940E7DDD

    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll
    [2009-10-25 11:01] - [2009-04-11 01:28] - 0061440 ____A (Microsoft Corporation) 1CA6C40261DDC0425987980D0CD2AAAB

    C:\Windows\system32\wbem\WMIsvc.dll
    [2009-10-25 11:01] - [2009-04-11 01:28] - 0162304 ____A (Microsoft Corporation) 6B2A1D0E80110E3D04E6863C6E62FD8A

    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll
    [2009-10-25 11:02] - [2009-04-11 01:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

    C:\Windows\system32\es.dll
    [2009-10-25 11:02] - [2009-04-11 01:28] - 0268800 ____A (Microsoft Corporation) 67058C46504BC12D821F38CF99B7B28F

    C:\Windows\system32\cryptsvc.dll
    [2009-10-25 11:01] - [2009-04-11 01:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
     
  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    You have several registry keys missing.

    Following steps involve registry editing. Please create new restore point before proceeding!!!
    How to:
    XP - http://support.microsoft.com/kb/948247
    Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


    Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    Right-Click Root and select Permissions...
    Click Advanced.
    Under Owner tab select the entry starting with your user name, example: Farbar(Farbar-PC\Farbar)
    Put a check mark next to Replace owner on subcontainers and objects and click Apply and OK.
    Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.
    Click Apply and OK.

    Download Vista.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
    You'll find several files inside.
    Double-click LEGACY_AFD.reg and confirm the prompt.
    Download following file: http://www.filedropper.com/legacysdrsvc_2
    Double-click on it and confirm the prompt.
    Download following file: http://www.filedropper.com/legacybits_1
    Double-click on it and confirm the prompt.

    Please go back to the Root key again; while Everyone is selected, remove the check mark in the box under Allow next to Full Control and close the registry.
    Restart computer and post new FSS log.
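As an added example (not part of the thread and not Farbar's or Broni's code), the read-only PowerShell audit below reproduces the checks the FSS logs above report on (Start type, ImagePath, ServiceDll and the LEGACY_<name>\0000 key under Enum\Root) for the services named in this thread, and then verifies that the temporary "Everyone: Full Control" ACE granted on Enum\Root in the steps above has actually been removed again. It assumes an elevated prompt; the service list and paths come from the logs above.

```powershell
# Added example: read-only audit of the service registry keys FSS reports on,
# plus a check that the temporary Everyone:FullControl ACE on Enum\Root is gone.
# Run from an elevated PowerShell prompt; nothing here modifies the registry.
$services = 'Dhcp', 'afd', 'BITS', 'SDRSVC', 'VSS', 'wuauserv'   # from the FSS logs
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'

# Human-readable names for the Start value used by the Service Control Manager.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceKeyReport {
    param([Parameter(Mandatory)][string]$Name)

    $key    = Join-Path $svcRoot $Name
    $report = [ordered]@{ Service = $Name; KeyExists = (Test-Path $key) }

    if ($report.KeyExists) {
        $props = Get-ItemProperty -Path $key
        $report.Start = if ($null -ne $props.Start) {
            '{0} ({1})' -f $props.Start, $startNames[[int]$props.Start]
        } else { '<missing>' }
        $report.ImagePath = if ($props.ImagePath) { $props.ImagePath } else { '<missing>' }

        # svchost-hosted services (Dhcp, BITS, SDRSVC, wuauserv) keep ServiceDll
        # under the Parameters subkey; kernel drivers such as afd have none.
        $paramKey = Join-Path $key 'Parameters'
        $report.ServiceDll = if (Test-Path $paramKey) {
            $dll = (Get-ItemProperty -Path $paramKey).ServiceDll
            if ($dll) { $dll } else { '<missing>' }
        } else { '<n/a>' }
    } else {
        $report.Start = $report.ImagePath = $report.ServiceDll = '<no service key>'
    }

    # The LEGACY_<NAME>\0000 key is what FSS flagged as missing for afd, SDRSVC and BITS.
    $legacyKey = Join-Path $enumRoot ('LEGACY_{0}\0000' -f $Name.ToUpper())
    $report.LegacyKeyExists = Test-Path $legacyKey

    [pscustomobject]$report
}

function Test-EveryoneFullControl {
    # Returns $true when Everyone still holds an Allow ACE with FullControl on
    # Enum\Root, i.e. the temporary permission from the repair was not reverted.
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $acl  = Get-Acl -Path $enumRoot
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'Everyone' -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $full) -eq $full)) {
            return $true
        }
    }
    return $false
}

$services | ForEach-Object { Get-ServiceKeyReport -Name $_ } | Format-Table -AutoSize

if (Test-EveryoneFullControl) {
    Write-Warning "Everyone still has Full Control on $enumRoot; remove that ACE before considering the repair finished."
} else {
    Write-Host "Enum\Root ACL: no Everyone:FullControl ACE present."
}
```

A service whose row shows `KeyExists` true but `LegacyKeyExists` false matches the "Unable to open LEGACY_...\0000 registry key" lines in the first FSS log, which is the state the .reg imports above are meant to fix.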
     
  7. ComputerJoe22

    ComputerJoe22 TS Rookie Topic Starter

    Trouble setting permissions on sub-keys
    Lots of them
    any short cuts?

    Found a MS util SubInAcl but I think it is not for Vista

    The LEGACY_BITS.reg download has 0 bytes...not much use.
     
  8. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    What do you mean?
    You need to set permissions on "Root" folder only.
    That will set permissions for any subfolders.
     
  9. ComputerJoe22

    ComputerJoe22 TS Rookie Topic Starter

    Setting Ownership on ROOT and checking apply to sub-containers returns a message "registry editor could not set owners on selected key or some of its subkeys." I have Ownership of root but there are hundreds or thousands of sub-keys. These A-holes are getting better at what they do. I have found permissions given to a non-existent user... "Trusted Installer" I think. Then I found some explicitly assigned permissions on subkeys elsewhere that removed permissions from my user and Administrators that were given at the parent level.

    I was able to create sub keys for LEGACY_BITS, LEGACY_SDRSVC, and LEGACY_AFD.

    I was then able to add the reg files except for BITS. After downloading, the file size was 0.
     
  10. Broni

    Broni Malware Annihilator Posts: 52,898   +344

  11. ComputerJoe22

    ComputerJoe22 TS Rookie Topic Starter

    Yep, that got 'er.
    Will put it in and get that FSS log now.

    Farbar Service Scanner
    Ran by Joe (administrator) on 02-01-2012 at 22:00:19
    Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    afd Service is not running. Checking service configuration:
    The start type of afd service is OK.
    The ImagePath of afd service is OK.


    Connection Status:
    ==============
    Localhost is accessible.
    There is no connection to network.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is set to Disabled. The default start type is 3.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.

    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ===========
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.

    BITS Service is not running. Checking service configuration:
    The start type of BITS service is OK.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys
    [2011-11-13 09:34] - [2011-09-20 16:02] - 0913280 ____A (Microsoft Corporation) 16731B631F28F63CD9F4CB60940E7DDD

    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll
    [2009-10-25 11:01] - [2009-04-11 01:28] - 0061440 ____A (Microsoft Corporation) 1CA6C40261DDC0425987980D0CD2AAAB

    C:\Windows\system32\wbem\WMIsvc.dll
    [2009-10-25 11:01] - [2009-04-11 01:28] - 0162304 ____A (Microsoft Corporation) 6B2A1D0E80110E3D04E6863C6E62FD8A

    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll
    [2009-10-25 11:02] - [2009-04-11 01:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

    C:\Windows\system32\es.dll
    [2009-10-25 11:02] - [2009-04-11 01:28] - 0268800 ____A (Microsoft Corporation) 67058C46504BC12D821F38CF99B7B28F

    C:\Windows\system32\cryptsvc.dll
    [2009-10-25 11:01] - [2009-04-11 01:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
     
  12. ComputerJoe22

    ComputerJoe22 TS Rookie Topic Starter

    yaa hoo

    OK! I'm browsing the internet again and here is an FSS log.
    Windows Update is finding updates but not able to install them.
    Something for tomorrow, as this whole crash happened after getting MS updates. I think I may have screwed up by running CCleaner reg clean up after removing that fake security 2012 bug. That is where I lost the ability to boot, BSOD after BSOD. Computers are a never-ending learning experience.

    Time for this one to get some sleep.


    Farbar Service Scanner
    Ran by Joe (administrator) on 02-01-2012 at 22:42:15
    Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is set to Disabled. The default start type is 3.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.

    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ===========

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys
    [2011-11-13 09:34] - [2011-09-20 16:02] - 0913280 ____A (Microsoft Corporation) 16731B631F28F63CD9F4CB60940E7DDD

    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll
    [2009-10-25 11:01] - [2009-04-11 01:28] - 0061440 ____A (Microsoft Corporation) 1CA6C40261DDC0425987980D0CD2AAAB

    C:\Windows\system32\wbem\WMIsvc.dll
    [2009-10-25 11:01] - [2009-04-11 01:28] - 0162304 ____A (Microsoft Corporation) 6B2A1D0E80110E3D04E6863C6E62FD8A

    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll
    [2009-10-25 11:02] - [2009-04-11 01:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

    C:\Windows\system32\es.dll
    [2009-10-25 11:02] - [2009-04-11 01:28] - 0268800 ____A (Microsoft Corporation) 67058C46504BC12D821F38CF99B7B28F

    C:\Windows\system32\cryptsvc.dll
    [2009-10-25 11:01] - [2009-04-11 01:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
     
  13. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Good news :)
    The above looks good.

    Very possible.

    I also see you have system restore disabled.
    Any reason for it?
     
  14. ComputerJoe22

    ComputerJoe22 TS Rookie Topic Starter

    That's funny. I've been using system restore to get myself out of this pickle. Had to fall back on a Jan 2 restore point yesterday. Hmmm.

    Anyway, browsing works, firewall up and running, MS Security Essentials re-installed and ran its scans BUT Windows Update is screwed! I was following MS advice and re-registered a pile of dll's and most failed with file missing errors. Update will start and download files then crash out with a 80096001 error message.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Make sure you don't use any restore points from now on.

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 characters post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
     
Topic Status:
Not open for further replies.
