[Closed] Re: 800000(00/32/64).@ infection.

Status
Not open for further replies.

pronkyou2

Posts: 17   +0
I went ahead and gave "Everyone" full permissions to HKLM\System\CurrentControlSet\services "Shared Access", "MpsSvc", and "BFE". I could start up my firewall after that, but all the settings were wiped. I wanted to make sure this was a safe course of action.
 
Because it fixed the issue, and at the time I was trawling for answers not specific to this board or you. And I can't even be sure that it was ComboFix's fault, as we did put it through the rigours. What I know is that the changes I made to the registry permissions allowed it to start back up, but
1. I can't be sure that won't present a security issue.
2. All the old settings were removed, presumably because the default service settings that replaced it left it null, and it seems as though the firewall doesn't block specific programs that are entered anymore, just everything or nothing. I tried to block Firefox as stated above and I could still connect.

FSS looks clean, I'll leave that to you.

Farbar Service Scanner Version: 09-06-2012
Ran by Jae (administrator) on 18-06-2012 at 13:59:40
Running from "C:\Users\Jae\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
 
I'm a derp... Of course Firefox wouldn't be affected by a program block; it's an internet browser and goes directly through port 80. I can block Trillian just fine... There are some programs that are getting annoying to block, as I forgot how I did it the first time, so I'm just going to uninstall them since I don't use them that much.

I'd still like to know if giving "Everyone" full permissions for those reg keys is a security risk, however. Not familiar with it.

ComboFix comment: Again, you were not my first source, and now I know better; don't be unreasonable.

Also, yes, same computer, and no, I didn't realize that was a question, I thought it was a statement. Please practice better grammar (question mark is in an odd place).
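The question left open above is whether "Everyone" with full control on those service keys matters. It does: anyone who can log on locally can then rewrite the service definition (its ImagePath, start type, or the key's own ACL), which is why the defaults restrict writes to SYSTEM and Administrators. The following PowerShell audit is an added example, not code from the thread or from any of its participants; it assumes it runs in an elevated session and that the three keys are the ones the poster changed (using the real key name SharedAccess).

```powershell
# Added example: list every Allow ACE on the three firewall-related service
# keys that gives Everyone (well-known SID S-1-1-0) write-class rights, and
# optionally strip the explicit ones. Run from an elevated PowerShell.
param([switch]$Remove)

$keys = 'SharedAccess', 'MpsSvc', 'BFE' |
    ForEach-Object { "HKLM:\SYSTEM\CurrentControlSet\Services\$_" }

# Rights that let a caller alter the service's configuration or its ACL.
$writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { Write-Warning "$key not found"; continue }
    $acl = Get-Acl -Path $key
    $offending = @()

    foreach ($ace in $acl.Access) {
        # Compare by SID so the check does not depend on the display name.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -ne 'S-1-1-0' -or $ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band [int]$writeMask) -eq 0) { continue }

        $offending += $ace
        [pscustomobject]@{
            Key       = $key
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }

    if ($Remove -and $offending) {
        # Explicit ACEs are removed here; an inherited one has to be fixed on
        # the parent key it comes from, so it is reported but left alone.
        foreach ($ace in ($offending | Where-Object { -not $_.IsInherited })) {
            [void]$acl.RemoveAccessRule($ace)
        }
        Set-Acl -Path $key -AclObject $acl
    }
}
```

Without -Remove the script only reports; an empty result means no Everyone ACE with write rights remains on those keys.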
 
 