Pretty sure I have Rootkit.ZeroAccess on my computer

Solved
By Syreynna
Jun 25, 2012
  1. Syreynna

    Syreynna Newcomer, in training Topic Starter Posts: 74

    I think OTL might have crashed. It has been on "killing processess. DO NOT INTERRUPT..." for about 15 minutes. Or should it be doing this :p
  2. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    Run the fix from safe mode.
  3. Syreynna

    OTL is running in safe mode but it has been sitting at " processing O34 - HKLM BootExecute: (˜¶‰) " for a little less than 2 hours. I'll be gone for a few hours but I'll leave it like it is currently and hope it finishes.
  4. Broni

    Remove that line from my script and try again.
  5. Syreynna

    It's stuck on the line of code after the one you had me remove.
  6. Broni

    Remove all three O34 lines and try again.
  7. Syreynna

    All processes killed
    ========== OTL ==========
    Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{DE9C389F-3316-41A7-809B-AA305ED9D922} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE9C389F-3316-41A7-809B-AA305ED9D922}\ not found.
    Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{DE9C389F-3316-41A7-809B-AA305ED9D922} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE9C389F-3316-41A7-809B-AA305ED9D922}\ not found.
    Registry value HKEY_USERS\S-1-5-21-762019420-644879084-276493692-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{71576546-354D-41C9-AAE8-31F2EC22BF0D} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71576546-354D-41C9-AAE8-31F2EC22BF0D}\ not found.
    Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ not found.
    Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ not found.
    Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ not found.
    Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ not found.
    Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ not found.
    Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ not found.
    Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ not found.
    Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ not found.
    Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ not found.
    Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ not found.
    Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ not found.
    Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ not found.
    Registry key HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ not found.
    Registry key HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ not found.
    Registry key HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ not found.
    Registry key HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ not found.
    Starting removal of ActiveX control {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Admin1
    ->Temp folder emptied: 1701 bytes
    ->Temporary Internet Files folder emptied: 339093 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 9061416 bytes
    ->Flash cache emptied: 57236 bytes

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33036 bytes
    ->Flash cache emptied: 56475 bytes

    User: GJNA&T
    ->Temp folder emptied: 127681258 bytes
    ->Temporary Internet Files folder emptied: 68942671 bytes
    ->Java cache emptied: 5796565 bytes
    ->Google Chrome cache emptied: 286584898 bytes
    ->Flash cache emptied: 1925365 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 5289170 bytes
    ->Flash cache emptied: 10425 bytes

    User: NetworkService
    ->Temp folder emptied: 22338 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 4625 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2563691 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 24892 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 485.00 mb


    [EMPTYJAVA]

    User: Admin1
    ->Java cache emptied: 0 bytes

    User: Administrator

    User: All Users

    User: Default User

    User: GJNA&T
    ->Java cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    User: UpdatusUser

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: Admin1
    ->Flash cache emptied: 0 bytes

    User: Administrator

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: GJNA&T
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService

    User: UpdatusUser
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.53.1 log created on 07042012_222508

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
  8. Syreynna

    Results of screen317's Security Check version 0.99.24
    Windows XP Service Pack 2 x86
    Out of date service pack!!
    Internet Explorer 6 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Security Center service is not running! This report may not be accurate!
    Microsoft Security Essentials
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Java(TM) 6 Update 22
    Java(TM) 6 Update 33
    Java(TM) 6 Update 3
    Java(TM) 6 Update 7
    Java 2 Runtime Environment, SE v1.4.2_03
    Out of date Java installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ``````````End of Log````````````


    Farbar Service Scanner Version: 02-07-2012
    Ran by Admin1 (administrator) on 04-07-2012 at 22:36:54
    Running from "C:\Documents and Settings\Admin1\Desktop"
    Microsoft Windows XP Service Pack 2 (X86)
    Boot Mode: Minimal
    ****************************************************************
    Internet Services:
    ============
    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.
    afd Service is not running. Checking service configuration:
    The start type of afd service is OK.
    The ImagePath of afd service is OK.
    NetBt Service is not running. Checking service configuration:
    The start type of NetBt service is OK.
    The ImagePath of NetBt service is OK.
    Tcpip Service is not running. Checking service configuration:
    The start type of Tcpip service is OK.
    The ImagePath of Tcpip service is OK.
    IpSec Service is not running. Checking service configuration:
    The start type of IpSec service is OK.
    The ImagePath of IpSec service is OK.
    Connection Status:
    ==============
    Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
    LAN connected.
    Attempt to access Google IP returned error: Other errors
    Attempt to access Google.com returned error: Other errors
    Attempt to access Yahoo IP returned error: Other errors
    Attempt to access Yahoo.com returned error: Other errors
    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.
    netman Service is not running. Checking service configuration:
    The start type of netman service is OK.
    The ImagePath of netman service is OK.
    The ServiceDll of netman service is OK.
    winmgmt Service is not running. Checking service configuration:
    The start type of winmgmt service is OK.
    Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of winmgmt. The value does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
    Firewall Disabled Policy:
    ==================
    System Restore:
    ============
    System Restore Disabled Policy:
    ========================
    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.
    winmgmt Service is not running. Checking service configuration:
    The start type of winmgmt service is OK.
    Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of winmgmt. The value does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
    BITS Service is not running. Checking service configuration:
    The start type of BITS service is OK.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.
    EventSystem Service is not running. Checking service configuration:
    The start type of EventSystem service is OK.
    The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".
    The ServiceDll of EventSystem: "C:\WINDOWS\system32\es.dll".
    Windows Autoupdate Disabled Policy:
    ============================
    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B
    C:\WINDOWS\system32\Drivers\tcpip.sys
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0359040 ____A (Microsoft Corporation) 9F4B36614A0FC234525BA224957DE55C
    C:\WINDOWS\system32\Drivers\ipsec.sys
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1
    C:\WINDOWS\system32\dnsrslvr.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D
    C:\WINDOWS\system32\ipnathlp.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF
    C:\WINDOWS\system32\netman.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0198144 ____A (Microsoft Corporation) DAB9E6C7105D2EF49876FE92C524F565
    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2005-08-16 06:37] - [2004-08-04 08:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E
    C:\WINDOWS\system32\srsvc.dll
    [2005-08-16 06:40] - [2004-08-04 08:00] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838
    C:\WINDOWS\system32\Drivers\sr.sys
    [2005-08-16 06:40] - [2004-08-04 08:00] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24
    C:\WINDOWS\system32\wscsvc.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0081408 ____A (Microsoft Corporation) 4D59DAA66C60858CDF4F67A900F42D4A
    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2005-08-16 06:37] - [2004-08-04 08:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E
    C:\WINDOWS\system32\wuauserv.dll
    [2005-08-16 06:40] - [2004-08-04 08:00] - 0006656 ____A (Microsoft Corporation) 13D72740963CBA12D9FF76A7F218BCD8
    C:\WINDOWS\system32\qmgr.dll
    [2005-08-16 06:40] - [2004-08-04 08:00] - 0382464 ____A (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA
    C:\WINDOWS\system32\es.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0243200 ____A (Microsoft Corporation) ACD36A2DD7D1E9D8A060AA651DC07E63
    C:\WINDOWS\system32\cryptsvc.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0060416 ____A (Microsoft Corporation) 10654F9DDCEA9C46CFB77554231BE73B
    C:\WINDOWS\system32\svchost.exe
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716
    C:\WINDOWS\system32\rpcss.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0395776 ____A (Microsoft Corporation) 5C83A4408604F737717AB96371201680
    C:\WINDOWS\system32\services.exe
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4
    Extra List:
    =======
    Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
    0x080000000400000001000000020000000300000008000000050000000600000007000000
    IpSec Tag value is correct.
    **** End of log ****
  9. Broni

    FSS log looks strange.
    Did you run it from safe mode?
    If so you have to re-run it from normal mode.
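Broni's point above (an FSS log taken in a Minimal boot lists the networking and security services as stopped simply because safe mode does not start them, so only a normal-mode run is conclusive) can be checked mechanically by comparing the two runs. The following Python is an added example, not part of the thread and not Farbar's code; the two log excerpts are constructed from the FSS output posted in this thread, and the line patterns it matches ("Boot Mode:", "<name> Service is not running.", "ATTENTION!=====>") are assumptions based on that output.

```python
"""Triage Farbar Service Scanner (FSS) logs: separate 'service not running'
lines that are explained by a safe-mode (Minimal) boot from findings that
persist in a normal boot. Added example; the log excerpts are constructed."""
import re

# Line shapes assumed from the FSS logs quoted in the thread.
BOOT_MODE_RE = re.compile(r"^Boot Mode:\s*(\w+)")
NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running\.")
ATTENTION_RE = re.compile(r"ATTENTION!=+>\s*(.+)$")


def parse_fss(text):
    """Return boot mode, the stopped services and the ATTENTION messages of one log."""
    report = {"boot_mode": None, "not_running": [], "attention": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = BOOT_MODE_RE.match(line)
        if m:
            report["boot_mode"] = m.group(1)
            continue
        m = NOT_RUNNING_RE.match(line)
        if m:
            if m.group(1) not in report["not_running"]:
                report["not_running"].append(m.group(1))
            continue
        m = ATTENTION_RE.search(line)
        if m and m.group(1) not in report["attention"]:
            report["attention"].append(m.group(1))
    return report


def triage(report):
    """Single-log triage. A Minimal boot cannot distinguish a service that safe
    mode never started from one that malware disabled, so stopped services are
    only reported from a Normal boot; ATTENTION lines (missing registry values
    or keys) are reported in either mode."""
    conclusive = report["boot_mode"] == "Normal"
    return {
        "conclusive": conclusive,
        "stopped_services": list(report["not_running"]) if conclusive else [],
        "attention": list(report["attention"]),
    }


def persistent_findings(safe_mode_text, normal_text):
    """Compare a safe-mode run with a normal-mode run of FSS. Services stopped
    only in safe mode are explained by the boot; those stopped in both runs,
    and ATTENTION messages present in both, are what needs investigation."""
    safe, normal = parse_fss(safe_mode_text), parse_fss(normal_text)
    return {
        "explained_by_safe_mode": [s for s in safe["not_running"] if s not in normal["not_running"]],
        "persistent_stopped": [s for s in safe["not_running"] if s in normal["not_running"]],
        "persistent_attention": [a for a in safe["attention"] if a in normal["attention"]],
    }


# Constructed excerpts modelled on the thread's two FSS logs.
SAFE_MODE_LOG = """
Farbar Service Scanner Version: 02-07-2012
Microsoft Windows XP Service Pack 2 (X86)
Boot Mode: Minimal
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of winmgmt. The value does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
Security Center:
============
wscsvc Service is not running. Checking service configuration:
"""

NORMAL_MODE_LOG = """
Boot Mode: Normal
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
winmgmt Service is not running. Checking service configuration:
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of winmgmt. The value does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
Security Center:
============
wscsvc Service is not running. Checking service configuration:
"""

if __name__ == "__main__":
    print(triage(parse_fss(SAFE_MODE_LOG)))
    print(persistent_findings(SAFE_MODE_LOG, NORMAL_MODE_LOG))
```

Run on the two excerpts, the safe-mode log alone is reported as inconclusive, Dnscache and Tcpip drop out as explained by the Minimal boot, and sharedaccess, winmgmt and wscsvc plus the two missing-registry-key messages remain as the findings that survive a normal boot.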
  10. Syreynna

    Yeah, forgot to ask about that. Re-running atm. Does it need to be able to connect to the internet? I've got it disabled atm as well.
  11. Syreynna

    Farbar Service Scanner Version: 02-07-2012
    Ran by Admin1 (administrator) on 04-07-2012 at 22:52:38
    Running from "C:\Documents and Settings\Admin1\Desktop"
    Microsoft Windows XP Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    There is no connection to network.
    Attempt to access Google IP returned error: Google IP is unreachable
    Attempt to access Google.com returned error: Other errors
    Attempt to access Yahoo IP returned error: Yahoo IP is unreachable
    Attempt to access Yahoo.com returned error: Other errors


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.

    winmgmt Service is not running. Checking service configuration:
    The start type of winmgmt service is OK.
    Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of winmgmt. The value does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.

    winmgmt Service is not running. Checking service configuration:
    The start type of winmgmt service is OK.
    Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of winmgmt. The value does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

    C:\WINDOWS\system32\Drivers\tcpip.sys
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0359040 ____A (Microsoft Corporation) 9F4B36614A0FC234525BA224957DE55C

    C:\WINDOWS\system32\Drivers\ipsec.sys
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

    C:\WINDOWS\system32\dnsrslvr.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D

    C:\WINDOWS\system32\ipnathlp.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

    C:\WINDOWS\system32\netman.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0198144 ____A (Microsoft Corporation) DAB9E6C7105D2EF49876FE92C524F565

    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2005-08-16 06:37] - [2004-08-04 08:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

    C:\WINDOWS\system32\srsvc.dll
    [2005-08-16 06:40] - [2004-08-04 08:00] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

    C:\WINDOWS\system32\Drivers\sr.sys
    [2005-08-16 06:40] - [2004-08-04 08:00] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

    C:\WINDOWS\system32\wscsvc.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0081408 ____A (Microsoft Corporation) 4D59DAA66C60858CDF4F67A900F42D4A

    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2005-08-16 06:37] - [2004-08-04 08:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

    C:\WINDOWS\system32\wuauserv.dll
    [2005-08-16 06:40] - [2004-08-04 08:00] - 0006656 ____A (Microsoft Corporation) 13D72740963CBA12D9FF76A7F218BCD8

    C:\WINDOWS\system32\qmgr.dll
    [2005-08-16 06:40] - [2004-08-04 08:00] - 0382464 ____A (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA

    C:\WINDOWS\system32\es.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0243200 ____A (Microsoft Corporation) ACD36A2DD7D1E9D8A060AA651DC07E63

    C:\WINDOWS\system32\cryptsvc.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0060416 ____A (Microsoft Corporation) 10654F9DDCEA9C46CFB77554231BE73B

    C:\WINDOWS\system32\svchost.exe
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

    C:\WINDOWS\system32\rpcss.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0395776 ____A (Microsoft Corporation) 5C83A4408604F737717AB96371201680

    C:\WINDOWS\system32\services.exe
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4


    Extra List:
    =======
    Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
    0x080000000400000001000000020000000300000008000000050000000600000007000000
    IpSec Tag value is correct.

    **** End of log ****
     
  12. Broni

    ...and Eset...
  13. Syreynna

  14. Broni

    Sorry :)
    My fault.

    Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    =============================================================================

    Now, reconnect to the internet.

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      NOTE. If Eset doesn't find any threats it'll NOT produce any log.

    Then post new FSS log.
  15. Syreynna

    Np :)
    TFC freezes the computer in normal mode when it tries to stop running processes. I ran it before in safe mode and it ran fine. Tried to run it in normal mode, when I re-ran FSS, but when it tries to end processes it freezes the computer.
  16. Broni

    If you ran it already from safe mode go ahead with Eset scan.
  17. Syreynna

    Eset scan didn't find anything so no log for that.

    Farbar Service Scanner Version: 02-07-2012
    Ran by Admin1 (administrator) on 05-07-2012 at 02:38:25
    Running from "C:\Documents and Settings\Admin1\Desktop"
    Microsoft Windows XP Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.

    winmgmt Service is not running. Checking service configuration:
    The start type of winmgmt service is OK.
    Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of winmgmt. The value does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.

    winmgmt Service is not running. Checking service configuration:
    The start type of winmgmt service is OK.
    Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of winmgmt. The value does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

    C:\WINDOWS\system32\Drivers\tcpip.sys
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0359040 ____A (Microsoft Corporation) 9F4B36614A0FC234525BA224957DE55C

    C:\WINDOWS\system32\Drivers\ipsec.sys
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

    C:\WINDOWS\system32\dnsrslvr.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D

    C:\WINDOWS\system32\ipnathlp.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

    C:\WINDOWS\system32\netman.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0198144 ____A (Microsoft Corporation) DAB9E6C7105D2EF49876FE92C524F565

    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2005-08-16 06:37] - [2004-08-04 08:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

    C:\WINDOWS\system32\srsvc.dll
    [2005-08-16 06:40] - [2004-08-04 08:00] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

    C:\WINDOWS\system32\Drivers\sr.sys
    [2005-08-16 06:40] - [2004-08-04 08:00] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

    C:\WINDOWS\system32\wscsvc.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0081408 ____A (Microsoft Corporation) 4D59DAA66C60858CDF4F67A900F42D4A

    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2005-08-16 06:37] - [2004-08-04 08:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

    C:\WINDOWS\system32\wuauserv.dll
    [2005-08-16 06:40] - [2004-08-04 08:00] - 0006656 ____A (Microsoft Corporation) 13D72740963CBA12D9FF76A7F218BCD8

    C:\WINDOWS\system32\qmgr.dll
    [2005-08-16 06:40] - [2004-08-04 08:00] - 0382464 ____A (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA

    C:\WINDOWS\system32\es.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0243200 ____A (Microsoft Corporation) ACD36A2DD7D1E9D8A060AA651DC07E63

    C:\WINDOWS\system32\cryptsvc.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0060416 ____A (Microsoft Corporation) 10654F9DDCEA9C46CFB77554231BE73B

    C:\WINDOWS\system32\svchost.exe
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

    C:\WINDOWS\system32\rpcss.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0395776 ____A (Microsoft Corporation) 5C83A4408604F737717AB96371201680

    C:\WINDOWS\system32\services.exe
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4


    Extra List:
    =======
    Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
    0x080000000400000001000000020000000300000008000000050000000600000007000000
    IpSec Tag value is correct.

    **** End of log ****
  18. Broni

    Broni Malware Annihilator Posts: 46,373   +252

  19. Syreynna

    Syreynna Newcomer, in training Topic Starter Posts: 74

    Farbar Service Scanner Version: 02-07-2012
    Ran by Admin1 (administrator) on 05-07-2012 at 15:49:27
    Running from "C:\Documents and Settings\Admin1\Desktop"
    Microsoft Windows XP Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

    C:\WINDOWS\system32\Drivers\tcpip.sys
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0359040 ____A (Microsoft Corporation) 9F4B36614A0FC234525BA224957DE55C

    C:\WINDOWS\system32\Drivers\ipsec.sys
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

    C:\WINDOWS\system32\dnsrslvr.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D

    C:\WINDOWS\system32\ipnathlp.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

    C:\WINDOWS\system32\netman.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0198144 ____A (Microsoft Corporation) DAB9E6C7105D2EF49876FE92C524F565

    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2005-08-16 06:37] - [2004-08-04 08:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

    C:\WINDOWS\system32\srsvc.dll
    [2005-08-16 06:40] - [2004-08-04 08:00] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

    C:\WINDOWS\system32\Drivers\sr.sys
    [2005-08-16 06:40] - [2004-08-04 08:00] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

    C:\WINDOWS\system32\wscsvc.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0081408 ____A (Microsoft Corporation) 4D59DAA66C60858CDF4F67A900F42D4A

    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2005-08-16 06:37] - [2004-08-04 08:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

    C:\WINDOWS\system32\wuauserv.dll
    [2005-08-16 06:40] - [2004-08-04 08:00] - 0006656 ____A (Microsoft Corporation) 13D72740963CBA12D9FF76A7F218BCD8

    C:\WINDOWS\system32\qmgr.dll
    [2005-08-16 06:40] - [2004-08-04 08:00] - 0382464 ____A (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA

    C:\WINDOWS\system32\es.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0243200 ____A (Microsoft Corporation) ACD36A2DD7D1E9D8A060AA651DC07E63

    C:\WINDOWS\system32\cryptsvc.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0060416 ____A (Microsoft Corporation) 10654F9DDCEA9C46CFB77554231BE73B

    C:\WINDOWS\system32\svchost.exe
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

    C:\WINDOWS\system32\rpcss.dll
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0395776 ____A (Microsoft Corporation) 5C83A4408604F737717AB96371201680

    C:\WINDOWS\system32\services.exe
    [2004-08-04 08:00] - [2004-08-04 08:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4


    Extra List:
    =======
    Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
    0x080000000400000001000000020000000300000008000000050000000600000007000000
    IpSec Tag value is correct.

    **** End of log ****
  20. Syreynna

    Syreynna Newcomer, in training Topic Starter Posts: 74

    I'm now trying to uninstall MSE, but it won't even let me do that because MSE isn't supported by Service Pack 2. Every time I try to run updates from the Windows Update site to get Service Pack 3 I just get their "website has encountered a problem and cannot display the page you are trying to view. [error number: 0x8024400A]". Other than that, the Windows Firewall now seems to be working fine.
  21. Broni

    Broni Malware Annihilator Posts: 46,373   +252

  22. Syreynna

    Syreynna Newcomer, in training Topic Starter Posts: 74

    It has been done! :) :) Everything seems to be working.
  23. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    Way to go!!
    Good luck and stay safe :)
  24. Syreynna

    Syreynna Newcomer, in training Topic Starter Posts: 74

    Way to go you! Thank you very very very much! I shall be donating to you for sure for your huge amount of help! :)
  25. Broni

    Broni Malware Annihilator Posts: 46,373   +252

    You're very welcome

    ...and thank you :)

