TechSpot

Internet not working after AVG cleaned out Netbt.sys

Solved
By Fudd0828
Jun 3, 2012
  1. Hi
    Im working on my bosses personal Dell PC that picked up a virus or Trojan Horse Cyrptic.aqlw, as normal I started in safe mode and did a scan with AVG 2012 free which was set to automatically fix issues. After all was done I tried to update windows and other programs but was stopped when I couldnt connect to internet. I have tried to all other threads to fix issue but not working.
    The PC is running Windows Xp Pro SP3 Please help.
     
  2. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================================================

    Please download Farbar Service Scanner Download Link and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center/Action Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
     
  3. Fudd0828

    Fudd0828 TS Rookie Topic Starter Posts: 49

    Okay I followed your instructions and here are the results.

    Farbar Service Scanner Version: 27-05-2012
    Ran by Justin (administrator) on 03-06-2012 at 18:43:28
    Running from "E:\"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    NetBt Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open NetBt registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open NetBt registry key. The service key does not exist.


    Connection Status:
    ==============
    Localhost is accessible.
    There is no connection to network.
    Attempt to access Google IP returned error: Google IP is unreachable
    Attempt to access Google.com returned error: Other errors
    Attempt to access Yahoo IP returned error: Yahoo IP is unreachable
    Attempt to access Yahoo.com returned error: Other errors


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.


    Windows Autoupdate Disabled Policy:
    ============================

    RpcSs Service is not running. Checking service configuration:
    The start type of RpcSs service is OK.
    The ImagePath of RpcSs service is OK.


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2003-07-16 09:32] - [2008-04-13 12:21] - 0162816 ____A (ExCresSoft) BE982652CF7972307F50CE35871EC7B8

    ATTENTION!=====> C:\WINDOWS\system32\Drivers\netbt.sys IS INFECTED AND SHOULD BE REPLACED.

    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit


    **** End of log ****
     
  4. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    We have a problem with infected netbt.sys file and several registry keys missing.

    Let's see if Combofix will be able to correct the issue.\

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. Fudd0828

    Fudd0828 TS Rookie Topic Starter Posts: 49

    Hi I followed every step but combofix is stuck on file deletion it did complete 50 + steps then deleted files then started to delete folders and has been on that for several hours almost overnight. I was wondering what to do, should I restart PC in safe mode or keep waiting. It did say something about "zeroaccess"
     
  6. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Go ahead. Restart in safe mode and try again.
     
  7. Fudd0828

    Fudd0828 TS Rookie Topic Starter Posts: 49

    Okay I did all you recommended and then restarted PC and got a blue screen with a :
    STOP: 0x0000007E (0x0000005, 0xBA4B915E, 0xBA50B864, 0xBA50B560)
    kdcom.dll - Address BA4B915E base at BA4B80000, DateStamp 4f175656

    I have uploaded the combofix log.txt file
     

    Attached Files:

    • log.txt
      File size:
      17 KB
      Views:
      0
  8. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Please observe forum rules.
    All logs have to be pasted in not attached.
     
  9. Fudd0828

    Fudd0828 TS Rookie Topic Starter Posts: 49

    Sorry okay here it is

    ComboFix 12-06-03.05 - Justin 06/04/2012 13:02:54.2.1 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2757 [GMT -7:00]
    Running from: c:\documents and settings\Justin\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\$NtUninstallKB13336$\3169080694
    .
    ---- Previous Run -------
    .
    c:\documents and settings\Justin\My Documents\~WRL0003.tmp
    c:\windows\$NtUninstallKB13336$
    c:\windows\$NtUninstallKB13336$\4011186957\@
    c:\windows\$NtUninstallKB13336$\4011186957\bckfg.tmp
    c:\windows\$NtUninstallKB13336$\4011186957\cfg.ini
    c:\windows\$NtUninstallKB13336$\4011186957\Desktop.ini
    c:\windows\$NtUninstallKB13336$\4011186957\keywords
    c:\windows\$NtUninstallKB13336$\4011186957\kwrd.dll
    c:\windows\$NtUninstallKB13336$\4011186957\L\empgkigz
    c:\windows\$NtUninstallKB13336$\4011186957\lsflt7.ver
    c:\windows\$NtUninstallKB13336$\4011186957\oemid
    c:\windows\$NtUninstallKB13336$\4011186957\U\00000001.@
    c:\windows\$NtUninstallKB13336$\4011186957\U\00000002.@
    c:\windows\$NtUninstallKB13336$\4011186957\U\00000004.@
    c:\windows\$NtUninstallKB13336$\4011186957\U\80000000.@
    c:\windows\$NtUninstallKB13336$\4011186957\U\80000004.@
    c:\windows\$NtUninstallKB13336$\4011186957\U\80000032.@
    c:\windows\$NtUninstallKB13336$\4011186957\version
    c:\windows\system32\Cache
    c:\windows\system32\Cache\272512937d9e61a4.fb
    c:\windows\system32\Cache\287204568329e189.fb
    c:\windows\system32\Cache\28bc8f716fd76a47.fb
    c:\windows\system32\Cache\2c53092c95605355.fb
    c:\windows\system32\Cache\3917078cb68ec657.fb
    c:\windows\system32\Cache\42b3ef1e576aa6a0.fb
    c:\windows\system32\Cache\56cb0fbfe83b25a5.fb
    c:\windows\system32\Cache\590ba23ce359fd0c.fb
    c:\windows\system32\Cache\610289e025a3ee9a.fb
    c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
    c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
    c:\windows\system32\Cache\9513ecb41e631c95.fb
    c:\windows\system32\Cache\a8556537add6dfc5.fb
    c:\windows\system32\Cache\ad10a52aff5e038d.fb
    c:\windows\system32\Cache\c4d28dca2e7648be.fb
    c:\windows\system32\Cache\d201ef9910cd39de.fb
    c:\windows\system32\Cache\d2e94710a5708128.fb
    c:\windows\system32\Cache\d79b9dfe81484ec4.fb
    c:\windows\system32\Cache\e0de16f883bea794.fb
    c:\windows\system32\dds_trash_log.cmd
    c:\windows\system32\Packet.dll
    c:\windows\system32\wpcap.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NPF
    -------\Legacy_RAYSAT3_4_6_18SERVER
    -------\Legacy_SERVICE
    -------\Service_NPF
    -------\Service_raysat3_4_6_18server
    -------\Service_service
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-04 to 2012-06-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-04 19:48 . 2012-06-04 19:48--------d-----w-c:\documents and settings\All Users\Application Data\AVG Secure Search
    2012-06-04 19:47 . 2012-06-04 19:47--------d-----w-c:\documents and settings\Justin\Application Data\AVG Secure Search
    2012-06-04 19:47 . 2012-06-04 19:47--------d-----w-c:\program files\Common Files\AVG Secure Search
    2012-06-04 19:47 . 2012-06-04 19:47--------d-----w-c:\program files\AVG Secure Search
    2012-06-04 19:46 . 2012-06-04 19:46--------d-----w-c:\windows\system32\drivers\AVG
    2012-06-04 19:45 . 2012-06-04 19:45--------d-----w-c:\windows\LastGood.Tmp
    2012-05-31 06:41 . 2012-05-31 06:43--------d-----w-c:\windows\system32\NtmsData
    2012-05-31 05:21 . 2012-05-31 05:21--------d-----w-c:\documents and settings\Justin\Application Data\Windows Search
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-18 01:09 . 2012-04-18 01:09664----a-w-c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
    2012-04-14 01:22 . 2012-04-14 01:22418464----a-w-c:\windows\system32\FlashPlayerApp.exe
    2012-04-14 01:22 . 2012-03-22 01:5770304----a-w-c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-06-04 19:471811296----a-w-c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll" [2012-06-04 1811296]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-12-17 2402512]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-09 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "\\GDC2.gdc.local\EPSON Stylus C86 Series/ERICPA"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE" [2003-11-25 99840]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-25 2416480]
    "vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-06-04 939872]
    .
    c:\documents and settings\warranty\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
    NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2009-12-23 2330624]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2010-06-10 00:1687424----a-w-c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2465215518-1757617005-1003324922-1580\Scripts\Logon\0\0]
    "Script"=Map Public Drive.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2465215518-1757617005-1003324922-1771\Scripts\Logon\0\0]
    "Script"=Map Public Drive.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2465215518-1757617005-1003324922-4178\Scripts\Logon\0\0]
    "Script"=Map Public Drive.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2465215518-1757617005-1003324922-4410\Scripts\Logon\0\0]
    "Script"=Map Public Drive.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2465215518-1757617005-1003324922-5715\Scripts\Logon\0\0]
    "Script"=Map Public Drive.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2465215518-1757617005-1003324922-5800\Scripts\Logon\0\0]
    "Script"=Map Public Drive.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2465215518-1757617005-1003324922-5929\Scripts\Logon\0\0]
    "Script"=Map Public Drive.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
    .
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 2:14 AM 295248]
    S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 7:23 AM 230608]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 7:25 AM 4433248]
    S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 7:09 AM 192776]
    S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 2:13 PM 38144]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 10:31 AM 135664]
    S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [1/25/2011 5:58 PM 374152]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
    S2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe [6/4/2012 12:47 PM 909152]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/13/2012 6:22 PM 253088]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 2:14 AM 134608]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 2:14 AM 24272]
    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 7:21 AM 16720]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 10:31 AM 135664]
    S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [7/31/2009 4:12 PM 341504]
    S4 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 2:14 AM 23120]
    S4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 7:30 AM 32592]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - AVGIDSAGENT
    *NewlyCreated* - AVGIDSDRIVER
    *NewlyCreated* - AVGIDSFILTER
    *NewlyCreated* - AVGIDSSHIM
    *NewlyCreated* - AVGTDIX
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmtREG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    NETSVCS REQUIRES REPAIRS - current entries shown
    6to4
    AppMgmt
    AudioSrv
    Browser
    CryptSvc
    DMServer
    DHCP
    ERSvc
    EventSystem
    FastUserSwitchingCompatibility
    HidServ
    Ias
    Iprip
    Irmon
    LanmanServer
    LanmanWorkstation
    Messenger
    Netman
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    Rasauto
    Rasman
    se27unic
    dlaifs_m
    SGHIDI
    mcrdsvc
    usb_rndisx
    msmframework
    RivaTuner32
    L1e
    LMouFilt
    bthenum
    se44mdm
    LVPrcMon
    dnserver32
    acs
    wmp54gsvc
    iaimfp2
    nimcrpcsu
    dxdebug
    dvd_2K
    dlaudfam
    cicssfs.scmmc223
    vpcvmm
    digictrl
    nic1394
    cdmservice
    truecrypt
    CTEXFIFX.DLL
    Alpham2
    iolodmv
    NETw4v32
    wg5n
    CTDevice_Srv
    igateway
    aliadwdm
    HssDrv
    nsengine
    pinnaclesys.mediaserver
    fetnd5bv
    vpcbus
    obvious
    SaiH040B
    Nsynas32
    TPM
    pageserver
    dtsagntsvc
    issvc
    ctsfm2k
    symproxysvc
    ha20x2k
    Ndismeetro
    fcprintservice
    ec2007service
    s3savagenb
    AcronisOSSReinstallSvc
    ZuneBusEnum
    superproserver
    rsvchost
    DCFS2K
    omniserv
    SABProcEnum
    servidor
    tbaspi
    USBModem
    DivisCTP
    wap3gx
    Dell1100_FUService
    tcpip6
    thkeys
    SecureStorageService
    remotelyanywhere
    umwdf
    maya70docserver
    DMICall
    naimagent32
    btnetfilter
    automate6
    SE2Bbus
    hap17v2k
    starwindservice
    Usb20Scan
    raysatxsi5_0server
    szserver
    nhcDriverDevice
    netmnt
    tga
    SE2Bmdm
    digisptiservice
    symidsco
    PcdrNt
    SNP2UVC
    AFGMp50
    CTEDSPSY.DLL
    lxcccustomerconnect
    stacsv
    pcampr5
    ROB_V
    VX1000
    crystaloutputfileserver
    acermemusagecheckservice
    NTIDrvr
    hmonitor
    EMCFILT
    eloggersvc6
    vstor2-ws60
    aexnsclienttransport
    db2
    FET5X86V
    symantecantibotagent
    x10nets
    adpu320
    dntus26
    ccpwdsvc
    EPOWER
    SaiU040B
    netsvc
    Sk99202k
    vvoice
    MSCamSvc
    iirsp
    grmnusb
    tosrfnds
    s3psddr
    rca
    sprtsvc_ddoctorv2
    s3twistr
    kodakccs
    NMSAccessU
    AGV
    dklogger
    elaunidr
    retrowdsvc
    mssql$microsoftbcm
    CdaD10BA
    nsm1serd
    mdvrmng
    mfeavfk
    HSFHWICH
    addfiltr
    tabletservice
    pepifilter
    z800mdfl
    OEM02Dev
    erecoveryservice
    LMS
    Remoteaccess
    Schedule
    Seclogon
    SENS
    Sharedaccess
    SRService
    Tapisrv
    Themes
    TrkWks
    W32Time
    WZCSVC
    Wmi
    WmdmPmSp
    winmgmt
    TermService
    wuauserv
    BITS
    ShellHWDetection
    helpsvc
    xmlprov
    wscsvc
    WmdmPmSN
    napagent
    hkmsvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-04 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 01:22]
    .
    2012-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 20:34]
    .
    2012-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 17:31]
    .
    2012-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 17:31]
    .
    2012-06-04 c:\windows\Tasks\User_Feed_Synchronization-{8A3459F9-14E8-4158-ACAA-18BF359ED386}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/?ilc=1
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.1.1 68.238.64.12
    TCP: Interfaces\{9D105FAA-3EF2-43AA-8AC1-1C71D603FC0B}: NameServer = 4.2.2.2
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    HKCU-Run-dcfdbccfdct - (no file)
    HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
    HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
    HKU-Default-Run-nlsiso - c:\documents and settings\Justin\Application Data\nlsiso.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-06-04 13:22
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD2500AAJS-75M0A0 rev.02.03E02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A3672C6
    user & kernel MBR OK
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(416)
    c:\windows\system32\WININET.dll
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    - - - - - - - > 'lsass.exe'(476)
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(1628)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2012-06-04 13:29:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-06-04 20:29
    .
    Pre-Run: 229,726,814,208 bytes free
    Post-Run: 229,691,957,248 bytes free
    .
    - - End Of File - - CDBDA466397C4E403A29C7C3292BC694
     
  10. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Very well.
    Combofix cleaned some stuff so things should be easier now.

    Download OTL to your Desktop.

    Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

    Use the following settings:

    • Click the NONE button
    • Under Custom Scans/Fixes paste:
    Code:
    /md5start
    netbt.sys
    /md5stop
    
    • Finally hit Run Scan and wait for the log to open.
    • Please post the content of the log into your next reply.
     
  11. Fudd0828

    Fudd0828 TS Rookie Topic Starter Posts: 49

    Can I run in safe mode cuz thats the only way I got the PC to restart
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Did you try to start normally after Combofix?
    If you still can't go ahead with safe mode.
     
  13. Fudd0828

    Fudd0828 TS Rookie Topic Starter Posts: 49

    Yeah I could only get it to restart in sfae mode cuz in normal I got a blue screen which I noted in the previous post, her are the results from OTL

    OTL logfile created on: 6/4/2012 2:06:30 PM - Run 1
    OTL by OldTimer - Version 3.2.46.0 Folder = C:\Documents and Settings\Justin\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 2.73 Gb Available Physical Memory | 91.01% Memory free
    4.84 Gb Paging File | 4.77 Gb Available in Paging File | 98.54% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 232.82 Gb Total Space | 213.96 Gb Free Space | 91.90% Space Free | Partition Type: NTFS

    Computer Name: DESKTOP | User Name: Justin | Logged in as Administrator.
    Boot Mode: SafeMode | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

    ========== Custom Scans ==========

    < MD5 for: NETBT.SYS >
    [2004/08/03 23:14:37 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=0C80E410CD2F47134407EE7DD19CC86B -- C:\WINDOWS\$NtServicePackUninstall$\netbt.sys
    [2008/04/13 12:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\Documents and Settings\Justin\Desktop\netbt.sys
    [2008/04/13 12:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\ServicePackFiles\i386\netbt.sys
    [2008/04/13 12:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\system32\drivers\netbt.sys

    < End of report >
     
  14. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Those look legit.

    Re-run OTL with the very same settings but with this code:

    Code:
    /md5start
    kdcom.dll
    /md5stop
     
  15. Fudd0828

    Fudd0828 TS Rookie Topic Starter Posts: 49

    Here is the results

    OTL logfile created on: 6/4/2012 2:21:12 PM - Run 1
    OTL by OldTimer - Version 3.2.46.0 Folder = C:\Documents and Settings\Justin\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 2.70 Gb Available Physical Memory | 90.14% Memory free
    4.84 Gb Paging File | 4.77 Gb Available in Paging File | 98.41% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 232.82 Gb Total Space | 213.96 Gb Free Space | 91.90% Space Free | Partition Type: NTFS

    Computer Name: DESKTOP | User Name: Justin | Logged in as Administrator.
    Boot Mode: SafeMode | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

    ========== Custom Scans ==========

    < MD5 for: KDCOM.DLL >
    [2003/07/16 09:26:10 | 000,007,040 | ---- | M] (Microsoft Corporation) MD5=945FBB881AE927A44DFD96440F2F4F44 -- C:\WINDOWS\system32\dllcache\kdcom.dll
    [2003/07/16 09:26:10 | 000,007,040 | ---- | M] (Microsoft Corporation) MD5=945FBB881AE927A44DFD96440F2F4F44 -- C:\WINDOWS\system32\kdcom.dll

    < End of report >
     
  16. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Those files look fine as well.

    Post new FSS log.
     
  17. Fudd0828

    Fudd0828 TS Rookie Topic Starter Posts: 49

    Here is the latest FSS

    Farbar Service Scanner Version: 27-05-2012
    Ran by Justin (administrator) on 04-06-2012 at 16:00:45
    Running from "C:\Documents and Settings\Justin\Desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Nerwork
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error: Google IP is offline
    Attempt to access Google.com returned error: Other errors
    Attempt to access Yahoo IP returned error: Yahoo IP is offline
    Attempt to access Yahoo.com returned error: Other errors


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.


    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

    BITS Service is not running. Checking service configuration:
    The start type of BITS service is set to Demand. The default start type is Auto.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.

    EventSystem Service is not running. Checking service configuration:
    The start type of EventSystem service is OK.
    The ImagePath of EventSystem: "C:\WINDOWS\System32\svchost.exe -k netsvcs".
    The ServiceDll of EventSystem: "C:\WINDOWS\system32\es.dll".


    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit


    **** End of log ****
     
  18. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    That looks pretty good.

    Restart computer in safe mode with networking and see if you can connect.
     
  19. Fudd0828

    Fudd0828 TS Rookie Topic Starter Posts: 49

    I started in both safe and normal and still no internet
     
  20. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    What do you mean in safe and normal?
    I though you couldn't start computer in normal mode.
     
  21. Fudd0828

    Fudd0828 TS Rookie Topic Starter Posts: 49

    I meant that I still get blue screen in normal and in safe mode no internet did I do something wrong?
     
  22. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Aside from BSOD is your computer operable in normal mode?
    Are you getting BSOD in safe mode as well?
    If so when?
     
  23. Fudd0828

    Fudd0828 TS Rookie Topic Starter Posts: 49

    I cant get past BSOD in normal right before login.
    I dont get the BSOD in Safe mode.
     
  24. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    OK.
    One more time.
    I want you to restart computer in Safe Mode with Networking (NOT Safe mode) and see if you can connect.
     
  25. Fudd0828

    Fudd0828 TS Rookie Topic Starter Posts: 49

    Network lan is connected but cannot get on internet.
     


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.