TechSpot

[Closed] Re: 800000(00/32/64).@ infection.

By pronkyou2
Jun 18, 2012
Topic Status:
Not open for further replies.
  1. pronkyou2

    pronkyou2 TS Rookie Topic Starter Posts: 17

    I went ahead and gave "Everyone" full permissions to HKLM\System\CurrentControlSet\services "SharedAccess", "MpsSvc", and "BFE". I could start up my firewall after that, but all the settings were wiped. I wanted to make sure this was a safe course of action.
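    Added example, not part of the thread or either poster's own work: a PowerShell audit, run from an elevated prompt on the affected machine, that lists every Allow entry on the three service keys named above (SharedAccess, MpsSvc, BFE) which grants write-level registry rights to a broad principal such as Everyone or Users. The ACL on a service key decides who may rewrite that service's configuration, so a write grant to Everyone means any local account can alter how the firewall and filtering services start; by default standard users have read access only on these keys. The key names come from the post; the set of "broad" principals and the function name are this example's own choices.

```powershell
# Added example (not from the thread): audit the service keys the poster changed
# for broad write-level ACL entries. Run from an elevated PowerShell prompt.
$serviceKeys = 'SharedAccess', 'MpsSvc', 'BFE'    # keys named in the post

# Principals that should never hold write rights on a service key (example's own list)
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Any of these rights lets the holder change the service definition or its ACL
$writeRights = [System.Security.AccessControl.RegistryRights]::FullControl -bor
               [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Get-BroadServiceKeyAccess {
    param([string[]]$ServiceNames)

    foreach ($name in $ServiceNames) {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path -Path $path)) {
            Write-Warning "$path not found"
            continue
        }

        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            $who         = $ace.IdentityReference.Value
            $grantsWrite = ($ace.RegistryRights -band $writeRights) -ne 0

            if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
                ($broadPrincipals -contains $who)) {
                [pscustomobject]@{
                    Service   = $name
                    Principal = $who
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited   # $false means it was set directly on this key
                }
            }
        }
    }
}

# Any row in this output is an entry that does not belong on a service key
Get-BroadServiceKeyAccess -ServiceNames $serviceKeys | Format-Table -AutoSize
```

    An empty result means none of the three keys grants write rights to a broad group. Rows that appear should be compared against `Get-Acl` output from a clean machine running the same Windows version, and the ACL restored to match that reference rather than left with Everyone at Full Control.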
     
  2. pronkyou2

    pronkyou2 TS Rookie Topic Starter Posts: 17

    And now it seems as though outbound firewall rules are not being abided by (I blocked Firefox to be sure).
     
  3. Broni

    Broni Malware Annihilator Posts: 46,865   +254

  4. pronkyou2

    pronkyou2 TS Rookie Topic Starter Posts: 17

    Because it fixed the issue, and at the time I was trawling for answers not specific to this board or you. And I can't even be sure that it was ComboFix' fault, as we did put it through the rigours. What I know is that the changes I made to the registry permissions allowed it to start back up, but
    1. I can't be sure that won't present a security issue.
    2. All the old settings were removed, presumably because the default service settings that replaced it left it null, and it seems as though the firewall doesn't block specific programs that are entered anymore, just everything or nothing. Tried to block Firefox as stated above and I could still connect.

    FSS looks clean, I'll leave that to you.

    Farbar Service Scanner Version: 09-06-2012
    Ran by Jae (administrator) on 18-06-2012 at 13:59:40
    Running from "C:\Users\Jae\Downloads"
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============

    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
     
  5. Broni

    Broni Malware Annihilator Posts: 46,865   +254

  6. pronkyou2

    pronkyou2 TS Rookie Topic Starter Posts: 17

    I'm a derp... Of course Firefox wouldn't be affected by a program block, it's an internet browser and goes directly through port 80. I can block Trillian just fine... There are some programs that are getting annoying to block as I forgot how I did it the first time, so I'm just going to uninstall them since I don't use them that much.

    I'd still like to know if giving "Everyone" full permissions for those reg keys is a security risk, however. Not familiar with it.

    Combofix comment: Again, you were not my first source, and now I know better, don't be unreasonable.

    Also, yes, same computer, and no, I didn't realize that was a question, I thought it was a statement. Please practice better grammar (question mark is in an odd place).
     
  7. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Did you read my previous reply?
     
  8. pronkyou2

    pronkyou2 TS Rookie Topic Starter Posts: 17

    I edited after.
     
  9. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    You edited what?
    I won't reply until you answer my question.
     
  10. pronkyou2

    pronkyou2 TS Rookie Topic Starter Posts: 17

    A repost for a sir:

    "I'm a derp... Of course Firefox wouldn't be affected by a program block, it's an internet browser and goes directly through port 80. I can block Trillian just fine... There are some programs that are getting annoying to block as I forgot how I did it the first time, so I'm just going to uninstall them since I don't use them that much.

    I'd still like to know if giving "Everyone" full permissions for those reg keys is a security risk, however. Not familiar with it.

    Combofix comment: Again, you were not my first source, and now I know better, don't be unreasonable.

    Also, yes, same computer, and no, I didn't realize that was a question, I thought it was a statement. Please practice better grammar (question mark is in an odd place)."
     
     
  11. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    This topic is closed.
     