Computer infected by virus

Solved
By meadow
Oct 26, 2012
  1. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Update Adobe Flash Player
    Download for Internet Explorer: http://www.filehippo.com/download_flashplayer_ie_64/
    Download for [/b]Firefox, Opera and other Gecko-based browsers[/b]: http://www.filehippo.com/download_flashplayer_firefox_64/

    NOTE 1: Beginning with Adobe Flash Version 11.3, the universal installer includes the 32-bit and 64-bit versions of the Flash Player.
    NOTE 2: While installing make sure you UN-check any extra garbage which wants to install alongside.

    ============================

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions (if present).
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

    ==========================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ===========================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. (Windows XP only) Run defrag at your convenience.

    12. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    13. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

    14. Please, let me know, how your computer is doing.
  2. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    Adobe Flash Version 11.3 seems not available any more. Always get HTTP404 error.
  3. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Which browser?
  4. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    Both IE and non_IE are not working.
  5. Broni

    Broni Malware Annihilator Posts: 46,169   +251

  6. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    Installed adobe flashplayer successfullly.
    try to run OTL to reset system restore on normal mode, computer just freezed, black screen, keyboard and monitor are not working. no log file was generated.
    reboot compute on safe mode and run OTL. Here is the log file:
    (Unable to start System Restore Service. Error code 10 )
    ----------------------------------------------------------------------------------------------------------

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Administrator.computer-name
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: user-name
    ->Temp folder emptied: 1500323 bytes
    ->Temporary Internet Files folder emptied: 29427470 bytes
    ->Java cache emptied: 1880 bytes
    ->Google Chrome cache emptied: 65543617 bytes
    ->Flash cache emptied: 492 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 37264 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 5182783 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 97.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: Administrator.computer-name
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: user-name
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: Administrator

    User: Administrator.computer-name
    ->Java cache emptied: 0 bytes

    User: All Users

    User: Default User

    User: user-name
    ->Java cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    Total Java Files Cleaned = 0.00 mb

    Unable to start System Restore Service. Error code 10

    OTL by OldTimer - Version 3.2.69.0 log created on 11192012_164756
    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\user-name\Local Settings\Temp\~DF30DD.tmp not found!
    File\Folder C:\Documents and Settings\user-name\Local Settings\Temp\~DF30E8.tmp not found!
    File\Folder C:\Documents and Settings\user-name\Local Settings\Temp\~DF3140.tmp not found!
    File\Folder C:\Documents and Settings\user-name\Local Settings\Temp\~DF314B.tmp not found!
    File\Folder C:\Documents and Settings\user-name\Local Settings\Temp\~DF324D.tmp not found!
    File\Folder C:\Documents and Settings\user-name\Local Settings\Temp\~DF3258.tmp not found!
    C:\Documents and Settings\user-name\Local Settings\Temporary Internet Files\Content.IE5\XB2SYNEL\ads[2].htm moved successfully.
    C:\Documents and Settings\user-name\Local Settings\Temporary Internet Files\Content.IE5\XB2SYNEL\page-3[1].htm moved successfully.
    C:\Documents and Settings\user-name\Local Settings\Temporary Internet Files\Content.IE5\XB2SYNEL\XexqN1a_o27MhVVdJFKAcA[2].eot moved successfully.
    C:\Documents and Settings\user-name\Local Settings\Temporary Internet Files\Content.IE5\R1TU81DI\comScore[1].htm moved successfully.
    PendingFileRenameOperations files...
    Registry entries deleted on Reboot...
    -------------------------

    Thanks.
  7. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Yeah, system restore didn't get reset and I also see this in FSS log:
    Download Windows Repair (all in one) from this site

    Install the program then run it.

    Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

    [​IMG]



    Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

    [​IMG]


    Go to Step 4 and under "System Restore" click on Create button:

    [​IMG]


    Go to Start Repairs tab and click Start button.

    [​IMG]


    Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

    [​IMG]

    Click on box next to the Restart System when Finished. Then click on Start.

    Post new FSS log.
  8. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    After running "Start Repairs" for a while, the computer is lost again. No monitor signal, no response to mouse and keyboard. I had to push power button to turn it off. There are some files created by the process, but I don't know which one is useful.
    did I terminate it too soon? rerun it in safe mode?
    by the way, my version of window repairs has one more repair option: "repair window safe mode", I unchecked it.
  9. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Try to re-run it in normal mode.
  10. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    Rerun in normal mode. this time, after ran for abount 3-5 minutes, computer restarted. once it is up, the winodw pop up, stats that the sytem has recovered from a seriouse error, the error report contains following:
    Error signature
    BCCode:100000ea BCP1:8A2D6DA0 BCP2:8A33FE30 BCP3:BA513CBC BCP4:00000001 OSVer:5_1_2600 SP:3_0 Product:256_1
  11. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    I forgot to mentioned that when I reran window repairs, the message pop up to recommend to run set system restore point and back up registries. I clicked "yes" to do both.

    there are some log files generated by running window repairs, are there any one useful so I can post them here?
    Thanks.
     
  12. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Post new FSS log.
  13. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    I don't have new FSS log, I only get one FSS.txt on my desktop, dated 11/14/2012, which I posted last week. Do you want me run FSS.exe again?

    after running window repair, I got this folder \Tweaking.com_Windows_Repair_Logs
    and has following files in it:
    Directory of C:\Tweaking.com_Windows_Repair_Logs
    11/21/2012 09:28 AM <DIR> .
    11/21/2012 09:28 AM <DIR> ..
    11/21/2012 09:26 AM 2 windows_repair_3bc89045f14503ce22d8a721_log.txt
    11/21/2012 09:26 AM 2 windows_repair_7b2c0d1d45f433a4cdbeee33_log.txt
    11/21/2012 09:26 AM 2 windows_repair_cmdcons_log.txt
    11/21/2012 09:27 AM 2 windows_repair_drivers_log.txt
    11/21/2012 09:27 AM 2 windows_repair_evn_log.txt
    11/21/2012 09:27 AM 2 windows_repair_found.000_log.txt
    11/21/2012 09:27 AM 2 windows_repair_hiberfil.sys_log.txt
    11/21/2012 09:26 AM 2 windows_repair_hkey_classes_root_log_1.txt
    11/21/2012 09:26 AM 2 windows_repair_hkey_classes_root_log_2.txt
    11/21/2012 09:26 AM 374 windows_repair_hkey_classes_root_log_3.txt
    11/21/2012 09:26 AM 374 windows_repair_hkey_classes_root_log_4.txt
    11/21/2012 09:25 AM 2 windows_repair_hkey_current_user_1_log.txt
    11/21/2012 09:25 AM 2 windows_repair_hkey_current_user_2_log.txt
    11/21/2012 09:25 AM 1,408 windows_repair_hkey_current_user_3_log.txt
    11/21/2012 09:25 AM 1,408 windows_repair_hkey_current_user_4_log.txt
    11/21/2012 09:26 AM 2 windows_repair_hkey_local_machine_1_log.txt
    11/21/2012 09:26 AM 2 windows_repair_hkey_local_machine_2_log.txt
    11/21/2012 09:26 AM 79,058 windows_repair_hkey_local_machine_3_log.txt
    11/21/2012 09:26 AM 79,058 windows_repair_hkey_local_machine_4_log.txt
    11/21/2012 09:27 AM 2 windows_repair_msocache_log.txt
    11/21/2012 09:28 AM 2 windows_repair_oracle_log.txt
    11/21/2012 09:28 AM 0 windows_repair_print drivers_log.txt
    11/21/2012 09:28 AM 2,855 _Windows_Repair_Log.txt
    23 File(s) 164,565 bytes

    any one useful?

    and there are some other files in different folders, they are mostly either not readable or no much infor in it.
  14. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Yes.
  15. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    FSS log:
    ----------------------------
    Farbar Service Scanner Version: 09-11-2012
    Ran by userid (administrator) on 21-11-2012 at 12:20:21
    Running from "C:\Documents and Settings\userid\Desktop"
    Microsoft Windows XP Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error. Google IP is offline
    Attempt to access Google.com returned error: Google.com is offline
    Attempt to access Yahoo IP returned error. Yahoo IP is offline
    Attempt to access Yahoo.com returned error: Yahoo.com is offline

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.

    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
    Extra List:
    =======
    DNE(10) Gpc(6) IPSec(4) NetBT(5) PSched(8) Tcpip(3)
    0x0A0000000400000001000000020000000300000007000000050000000600000008000000090000000A000000
    IpSec Tag value is correct.
    **** End of log ****
  16. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    When you ran Windows Repair Tool did you complete all steps, chkdsk and "system file checker" (step 2 and 3) included?
    Did those two find any issues
  17. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    I ran step 2,3 & 4, before I first time ran windows repair. I didn't really catch the message. I saw something not consistent, then it was gone. Are there log file I can go back to find it?
    I only ran step 4 before I 2nd time ran windows repair.
  18. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Go ahead and re-run Windows Repair from safe mode.
     
  19. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    Should I run step 2, 3 & 4 then window repairs?
  20. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    I'd run all steps again.
  21. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    OK, will do it next Monday.
    Thank you very much. Have a nice Thanksgiving.
  22. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    Same to you :)
  23. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    I reran step 2, 4, and repair step in safe mode.
    I also ran step 3 in safe mode first, but it ended right way, and gave the message as following:
    ---------------------------------------
    C:\Documents and Settings\user-id\Desktop>"C:\WINDOWS\system32\sfc" /scannow
    Windows File Protection could not initiate a scan of protected system files.
    The specific error code is 0x000006ba [The RPC server is unavailable.
    ].
    C:\Documents and Settings\user-id\Desktop>echo Please Restart Your Computer When
    System File Checker is Finished.
    Please Restart Your Computer When System File Checker is Finished.
    C:\Documents and Settings\useri-id\Desktop>pause
    Press any key to continue . . .
    ----------------------------------
    so I reran the step 3 in normal mode. and It took about 40 minutes to finished. and then continued to run step 4 in safemode.

    after finished step 2-4 and window repair step, I got the following log file
    ---------------------------------
    reset SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
    old REG_MULTI_SZ =
    SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
    SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain
    reset SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{110FD537-462F-440A-A807-6F48295D5511}\NameServerList
    old REG_MULTI_SZ =
    <empty>
    added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{196148A7-8C38-4911-8A22-BF10FCE74945}\NetbiosOptions
    added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{22ED7AF6-7F32-477D-B731-5D2C8D1AB817}\NetbiosOptions
    deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
    reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{110FD537-462F-440A-A807-6F48295D5511}\DefaultGateway
    old REG_MULTI_SZ =
    <empty>
    reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{110FD537-462F-440A-A807-6F48295D5511}\DefaultGatewayMetric
    old REG_MULTI_SZ =
    <empty>
    added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{110FD537-462F-440A-A807-6F48295D5511}\DisableDynamicUpdate
    reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{110FD537-462F-440A-A807-6F48295D5511}\EnableDhcp
    old REG_DWORD = 0
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{110FD537-462F-440A-A807-6F48295D5511}\IpAutoconfigurationAddress
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{110FD537-462F-440A-A807-6F48295D5511}\IpAutoconfigurationMask
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{110FD537-462F-440A-A807-6F48295D5511}\IpAutoconfigurationSeed
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{110FD537-462F-440A-A807-6F48295D5511}\Mtu
    reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{110FD537-462F-440A-A807-6F48295D5511}\RawIpAllowedProtocols
    old REG_MULTI_SZ =
    0
    reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{110FD537-462F-440A-A807-6F48295D5511}\TcpAllowedPorts
    old REG_MULTI_SZ =
    0
    reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{110FD537-462F-440A-A807-6F48295D5511}\UdpAllowedPorts
    old REG_MULTI_SZ =
    0
    added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9ACF5785-0FB6-41FE-9F2A-C74239757F17}\AddressType
    added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9ACF5785-0FB6-41FE-9F2A-C74239757F17}\DisableDynamicUpdate
    reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9ACF5785-0FB6-41FE-9F2A-C74239757F17}\RawIpAllowedProtocols
    old REG_MULTI_SZ =
    0
    reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9ACF5785-0FB6-41FE-9F2A-C74239757F17}\TcpAllowedPorts
    old REG_MULTI_SZ =
    0
    reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9ACF5785-0FB6-41FE-9F2A-C74239757F17}\UdpAllowedPorts
    old REG_MULTI_SZ =
    0
    added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E48819ED-8852-43E7-8370-81B6FFA49C09}\DisableDynamicUpdate
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E48819ED-8852-43E7-8370-81B6FFA49C09}\IpAutoconfigurationAddress
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E48819ED-8852-43E7-8370-81B6FFA49C09}\IpAutoconfigurationMask
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E48819ED-8852-43E7-8370-81B6FFA49C09}\IpAutoconfigurationSeed
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E48819ED-8852-43E7-8370-81B6FFA49C09}\Mtu
    reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E48819ED-8852-43E7-8370-81B6FFA49C09}\RawIpAllowedProtocols
    old REG_MULTI_SZ =
    0
    reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E48819ED-8852-43E7-8370-81B6FFA49C09}\TcpAllowedPorts
    old REG_MULTI_SZ =
    0
    reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E48819ED-8852-43E7-8370-81B6FFA49C09}\UdpAllowedPorts
    old REG_MULTI_SZ =
    0
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableTaskOffload
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault
    added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList
    deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
    reset Linkage\UpperBind for ROOT\NET\0000. bad value was:
    REG_MULTI_SZ =
    DNE
    reset Linkage\UpperBind for PCI\VEN_8086&DEV_10BD&SUBSYS_02111028&REV_02\3&172E68DD&0&C8. bad value was:
    REG_MULTI_SZ =
    DNE
    reset Linkage\UpperBind for ROOT\MS_NDISWANIP\0000. bad value was:
    REG_MULTI_SZ =
    DNE
    <completed>
    -----------------------------------------------
    -
    once the computer restart ed, microsoft error reporting window pop up, stated that "some unexpected errors have happened to software you recently used. You werr not asked to send thesse erro reports at the time they occurred", the error reports were generated about the time I was running step 3 in normal mode. I saved the screen shot if it is usefule.
  24. meadow

    meadow Newcomer, in training Topic Starter Posts: 83

    I reran FSS.exe, here is the log:
    ---------------------------------------------------
    Farbar Service Scanner Version: 09-11-2012
    Ran by userid (administrator) on 26-11-2012 at 17:13:41
    Running from "C:\Documents and Settings\userid\Desktop"
    Microsoft Windows XP Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error. Google IP is offline
    Attempt to access Google.com returned error: Google.com is offline
    Attempt to access Yahoo IP returned error. Yahoo IP is offline
    Attempt to access Yahoo.com returned error: Yahoo.com is offline

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.

    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
    Extra List:
    =======
    DNE(10) Gpc(6) IPSec(4) NetBT(5) PSched(8) Tcpip(3)
    0x0A0000000400000001000000020000000300000007000000050000000600000008000000090000000A000000
    IpSec Tag value is correct.
    **** End of log ****

    It looks the same as before.
    Thanks.
  25. Broni

    Broni Malware Annihilator Posts: 46,169   +251

    See if you can...

    Turn system restore off.
    Restart computer.
    Turn system restore on.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.