Possible rootkit problem? [Closed]


  • This topic is locked

#16 Render (Trusted Helper, Malware Removal, 4,195 posts)
From the provided logs I can't see any rootkit activity.

It looks like you have problems with your network settings.

Please download the attached file test.zip to your Desktop and unzip it. (Attached file: test.zip, 466 bytes, 50 downloads)

Right click on the test.bat file and choose Run as Administrator.

After some time a Notepad window will open. Please select all of its content, copy it and paste it in your next reply.

#17 Brandon Jorgensen (Topic Starter, Member, 14 posts)
Local Area Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

No names in cache

Wireless Network Connection:
Node IpAddress: [192.168.0.2] Scope Id: []

NetBIOS Local Name Table

Name Type Status
---------------------------------------------
BRANDON-HP <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
BRANDON-HP <20> UNIQUE Registered

Wireless Network Connection 2:
Node IpAddress: [0.0.0.0] Scope Id: []

No names in cache

Windows IP Configuration

Host Name . . . . . . . . . . . . : Brandon-HP
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
Physical Address. . . . . . . . . : 60-D8-19-0C-C5-92
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Ralink RT5390 802.11b/g/n WiFi Adapter
Physical Address. . . . . . . . . : 60-D8-19-0C-C5-93
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::11df:25d7:e107:4044%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, February 20, 2012 2:48:15 PM
Lease Expires . . . . . . . . . . : Monday, February 20, 2012 4:18:20 PM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 325113881
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-34-5D-7A-10-1F-74-1D-AD-B2
DNS Servers . . . . . . . . . . . : 24.196.64.53
68.113.206.10
24.178.162.3
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 10-1F-74-1D-AD-B2
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{A51B8F98-B9EC-44CC-A4C5-D6B8D0ABB6ED}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{3C58783B-195C-4B94-9371-C1DBE7B32D56}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Pinging Yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=203ms TTL=45
Reply from 98.139.183.24: bytes=32 time=65ms TTL=45
Reply from 98.139.183.24: bytes=32 time=81ms TTL=45
Reply from 98.139.183.24: bytes=32 time=160ms TTL=45

Ping statistics for 98.139.183.24:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 65ms, Maximum = 203ms, Average = 127ms

Pinging Google.com [74.125.225.79] with 32 bytes of data:
Reply from 74.125.225.79: bytes=32 time=24ms TTL=53
Reply from 74.125.225.79: bytes=32 time=26ms TTL=53
Reply from 74.125.225.79: bytes=32 time=31ms TTL=53
Reply from 74.125.225.79: bytes=32 time=35ms TTL=53

Ping statistics for 74.125.225.79:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 24ms, Maximum = 35ms, Average = 29ms
These Windows services are started:

Adobe Acrobat Update Service
Akamai NetSession Interface
AMD External Events Utility
AMD FUEL Service
Andrea ST Filters Service
Application Experience
Application Information
Audio Service
CNG Key Isolation
COM+ Event System
Credential Manager
Cryptographic Services
DCOM Server Process Launcher
Desktop Window Manager Session Manager
DHCP Client
Diagnostic Policy Service
Diagnostic Service Host
Distributed Link Tracking Client
DNS Client
Easybits Services for Windows
Extensible Authentication Protocol
Function Discovery Provider Host
Function Discovery Resource Publication
Group Policy Client
HomeGroup Provider
HP Client Services
HP Connection Manager 4.0 Service
HP Quick Synchronization Service
HP Service
HP Software Framework Service
HPWMISVC
IconMan_R
MBAMService
Multimedia Class Scheduler
Network Connections
Network List Service
Network Location Awareness
Network Store Interface Service
Peer Name Resolution Protocol
Peer Networking Grouping
Peer Networking Identity Manager
Plug and Play
PnkBstrA
Power
Print Spooler
Program Compatibility Assistant Service
Remote Procedure Call (RPC)
RoxioNow Service
RPC Endpoint Mapper
SeaPort
Security Accounts Manager
Server
Shell Hardware Detection
SSDP Discovery
Steam Client Service
Superfetch
System Event Notification Service
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Themes
Trend Micro Solution Platform
TrueSuiteService
UPnP Device Host
User Profile Service
Windows Audio
Windows Audio Endpoint Builder
Windows Biometric Service
Windows Driver Foundation - User-mode Driver Framework
Windows Event Log
Windows Font Cache Service
Windows Image Acquisition (WIA)
Windows Live ID Sign-in Assistant
Windows Management Instrumentation
Windows Media Player Network Sharing Service
Windows Presentation Foundation Font Cache 3.0.0.0
Windows Search
Windows Update
WLAN AutoConfig
Workstation
Yahoo! Updater

The command completed successfully.

.
Afd
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Afd
TYPE : 1 KERNEL_DRIVER
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : \SystemRoot\system32\drivers\afd.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 0
DISPLAY_NAME : Ancillary Function Driver for Winsock
DEPENDENCIES :
SERVICE_START_NAME :

SERVICE_NAME: Afd
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
dhcp
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: dhcp
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : NSI
: Tdx
: Afd
SERVICE_START_NAME : NT Authority\LocalService

SERVICE_NAME: dhcp
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 312
FLAGS :
Dnscache
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Dnscache
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tdx
: nsi
SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: Dnscache
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1764
FLAGS :
gpsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: gpsvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : ProfSvc_Group
TAG : 0
DISPLAY_NAME : Group Policy Client
DEPENDENCIES : RPCSS
: Mup
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: gpsvc
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 576
FLAGS :
iphlpsvc
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

lanmanserver
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: lanmanserver
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Server
DEPENDENCIES : SamSS
: Srv
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: lanmanserver
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 576
FLAGS :
Lmhosts
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Lmhosts
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper
DEPENDENCIES : NetBT
: Afd
SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: Lmhosts
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 312
FLAGS :
NetBIOS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NetBIOS
TYPE : 2 FILE_SYSTEM_DRIVER
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\netbios.sys
LOAD_ORDER_GROUP : NetBIOSGroup
TAG : 2
DISPLAY_NAME : NetBIOS Interface
DEPENDENCIES :
SERVICE_START_NAME :

SERVICE_NAME: NetBIOS
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
NetBT
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NetBT
TYPE : 1 KERNEL_DRIVER
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : System32\DRIVERS\netbt.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 87
DISPLAY_NAME : NetBT
DEPENDENCIES : Tdx
: tcpip
SERVICE_START_NAME :

SERVICE_NAME: NetBT
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
Netman
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Netman
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Connections
DEPENDENCIES : RpcSs
: nsi
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Netman
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 452
FLAGS :
netprofm
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: netprofm
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network List Service
DEPENDENCIES : RpcSs
: nlasvc
SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: netprofm
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1240
FLAGS :
NlaSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NlaSvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\System32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Location Awareness
DEPENDENCIES : NSI
: RpcSs
: TcpIp
SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: NlaSvc
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1764
FLAGS :
nsi
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: nsi
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Store Interface Service
DEPENDENCIES : nsiproxy
SERVICE_START_NAME : NT Authority\LocalService

SERVICE_NAME: nsi
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1240
FLAGS :
PolicyAgent
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: PolicyAgent
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IPsec Policy Agent
DEPENDENCIES : Tcpip
: bfe
SERVICE_START_NAME : NT Authority\NetworkService

SERVICE_NAME: PolicyAgent
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1075 (0x433)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
RasMan
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RasMan
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Connection Manager
DEPENDENCIES : Tapisrv
: SstpSvc
SERVICE_START_NAME : localSystem

SERVICE_NAME: RasMan
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
RPCSS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RPCSS
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k rpcss
LOAD_ORDER_GROUP : COM Infrastructure
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC)
DEPENDENCIES : RpcEptMapper
: DcomLaunch
SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: RPCSS
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 876
FLAGS :
SstpSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SstpSvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Secure Socket Tunneling Protocol Service
DEPENDENCIES :
SERVICE_START_NAME : NT Authority\LocalService

SERVICE_NAME: SstpSvc
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
TCPIP
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TCPIP
TYPE : 1 KERNEL_DRIVER
START_TYPE : 0 BOOT_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : \SystemRoot\System32\drivers\tcpip.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 3
DISPLAY_NAME : TCP/IP Protocol Driver
DEPENDENCIES :
SERVICE_START_NAME :

SERVICE_NAME: TCPIP
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
WebClient
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WebClient
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : WebClient
DEPENDENCIES : MRxDAV
SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: WebClient
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :

Edited by Brandon Jorgensen, 20 February 2012 - 03:47 PM.


#18 Render (Trusted Helper, Malware Removal, 4,195 posts)
OK. The first thing is that the Base Filtering Engine service is not running. Please follow these steps:

Download and save the attached BFE64.zip file. (Attached file: BFE64.zip, 12.48 KB, 48 downloads)

Right click on it and Extract All. This will create a folder called BFE64. Inside the folder will be two files. BFE64.reg and mpssvc.reg.

Right click on BFE64.reg and select MERGE. Allow it to merge into the registry. Report any errors you get.

Right click on mpssvc.reg and select MERGE. Allow it to merge into the registry. Report any errors you get.

Reboot.

NEXT...

Start, (All) Programs, Accessories then right click on Command Prompt and select Run As Administrator.

In Command Prompt type:

net start bfe


and press Enter.

We want it to say:
"The requested service has already been started

More help is available by typing NET HELPMSG 2182"

but it likely will say Access Denied. If you get Access Denied then:

Go into regedit, (Start, Search, regedit, doubleclick, Continue) navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
(Find HKEY_LOCAL_MACHINE\SYSTEM and click on the + in front of it. Find CurrentControlSet and click on its plus. Click on Services) then right click on Services and select Permissions then click Add.
Type in

NT Service\bfe

and click on Check Name. (It will change your typing to BFE.) Click OK. You should be back on the first Permissions page. Now select BFE on the permissions page and click on the first box to the right of Full Control (Allow column). Then Apply. Reboot and do the

net start bfe

command again and see if BFE has already been started.

Start, (All) Programs, Accessories then right click on Command Prompt and select Run As Admin.
In Command Prompt type:

net start bfe

and press Enter.

(Also check mpssvc, which is Windows Firewall.)

net start mpssvc
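The conclusion in the post above (BFE not running) can be read straight off the sc output posted earlier: PolicyAgent, which declares Tcpip and bfe as dependencies, is STOPPED with WIN32_EXIT_CODE 1075, the standard Win32 code for "the dependency service does not exist or has been marked for deletion", while TCPIP itself is RUNNING. The Python script below is an added example, not the thread's test.bat or any tool from this thread: it parses a pasted sc qc / sc query log, merges each service's configuration and status blocks, and reports services that are not installed (OpenService failed 1060), stopped with 1075 (naming the declared dependencies not seen running in the log), or auto-start yet stopped. The sample log is a constructed, trimmed excerpt in the same layout as the posted output; the function and field names are my own.

```python
"""Triage pasted `sc qc` / `sc query` output (added example, not the thread's test.bat)."""
import re
from dataclasses import dataclass, field

# Standard Win32 codes seen in the log; 1077 (never started) is normal for demand-start services.
ERROR_SERVICE_DOES_NOT_EXIST = 1060       # "[SC] OpenService FAILED 1060"
ERROR_SERVICE_DEPENDENCY_DELETED = 1075   # dependency does not exist or is marked for deletion
# Constructed sample: trimmed excerpts in the same layout as the log posted above.
SAMPLE = r"""
TCPIP
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: TCPIP
START_TYPE : 0 BOOT_START
DEPENDENCIES :
SERVICE_NAME: TCPIP
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
iphlpsvc
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
PolicyAgent
SERVICE_NAME: PolicyAgent
START_TYPE : 2 AUTO_START
DEPENDENCIES : Tcpip
: bfe
SERVICE_NAME: PolicyAgent
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1075 (0x433)
RasMan
SERVICE_NAME: RasMan
START_TYPE : 3 DEMAND_START
DEPENDENCIES : Tapisrv
: SstpSvc
SERVICE_NAME: RasMan
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1077 (0x435)
"""

@dataclass
class ServiceInfo:
    name: str
    start_type: str = ""
    state: str = ""          # RUNNING / STOPPED / NOT_INSTALLED (OpenService failed)
    exit_code: int = 0
    dependencies: list = field(default_factory=list)

KEY_VALUE = re.compile(r"^([A-Z0-9_]+)\s*:\s*(.*)$")
OPEN_FAILED = re.compile(r"^\[SC\] OpenService FAILED (\d+)")

def parse_sc_output(text):
    """Return {service name: ServiceInfo}, merging each service's qc and query blocks."""
    services, current, last_key, pending = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):        # blank line or "(STOPPABLE, ...)" flags
            continue
        if (failed := OPEN_FAILED.match(line)):
            if pending and int(failed.group(1)) == ERROR_SERVICE_DOES_NOT_EXIST:
                services[pending] = ServiceInfo(pending, state="NOT_INSTALLED")
            continue
        if line.startswith(":") and current and last_key == "DEPENDENCIES":
            current.dependencies.append(line[1:].strip())   # continuation line
            continue
        if not (kv := KEY_VALUE.match(line)):
            if len(line.split()) == 1:
                pending = line   # the batch file echoes each name before calling sc
            continue
        key, value = kv.group(1), kv.group(2).strip()
        if key == "SERVICE_NAME":
            current = services.setdefault(value, ServiceInfo(value))
        elif current is not None and key in ("START_TYPE", "STATE"):
            setattr(current, key.lower(), value.split()[-1])   # "2 AUTO_START" -> "AUTO_START"
        elif current is not None and key == "WIN32_EXIT_CODE":
            current.exit_code = int(value.split()[0])          # "1075 (0x433)" -> 1075
        elif current is not None and key == "DEPENDENCIES" and value:
            current.dependencies.append(value)
        last_key = key
    return services

def triage(services):
    """Return [(name, reason, suspect dependencies)] for services that need attention."""
    running = {n.lower() for n, s in services.items() if s.state == "RUNNING"}
    findings = []
    for svc in services.values():
        if svc.state == "NOT_INSTALLED":
            findings.append((svc.name, "not installed (OpenService failed 1060)", []))
        elif svc.state == "STOPPED" and svc.exit_code == ERROR_SERVICE_DEPENDENCY_DELETED:
            # 1075: a declared dependency is gone; name the ones not seen running in the log
            suspects = [d for d in svc.dependencies if d.lower() not in running]
            findings.append((svc.name, "stopped with exit code 1075", suspects))
        elif svc.state == "STOPPED" and svc.start_type == "AUTO_START":
            findings.append((svc.name, "auto-start service is stopped", []))
    return findings

if __name__ == "__main__":
    for name, reason, suspects in triage(parse_sc_output(SAMPLE)):
        print(name, reason, "-> check:", ", ".join(suspects) or "-")
```

Run as-is it reports the two findings from the sample (iphlpsvc not installed, PolicyAgent stopped with 1075 and bfe as the dependency to check); to triage a real log, pass the Notepad contents to parse_sc_output instead of SAMPLE. A demand-start service stopped with 1077 (RasMan, SstpSvc and WebClient in the posted log) has simply not been used since boot and is not reported.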

#19 Brandon Jorgensen (Topic Starter, Member, 14 posts)
THANK YOU!!!!! Render, you are awesome. They both say that they are already started.

#20 Render (Trusted Helper, Malware Removal, 4,195 posts)
OK.

We should proceed with a general antimalware scan, which can take quite a long time, so please be patient.

Download Virus Removal Tool (VRT) from Here to your desktop
(You have to enter your e-mail address and click on the Submit Form button. Please download the latest English version of this tool.)

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan

Click the cog in the upper right

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan
(Please be patient as this scan can take a few hours)

Allow VRT to delete all infections found
Once it has finished select report tab (last tab)
Select the Detected threats report from the left and press the Save button
Save it to your desktop and attach to your next post


Now the Analysis

Rerun VRT and select the Manual Disinfection tab and press Start Gathering System Information


On completion click the link to locate the zip file to upload and attach to your next post


#21 Render (Trusted Helper, Malware Removal, 4,195 posts)
Are you still with me?

#22 Brandon Jorgensen (Topic Starter, Member, 14 posts)
Yeah, sorry, busy with work and stuff. I didn't get any notices when the scan was running.

Attached Files


#23 Render (Trusted Helper, Malware Removal, 4,195 posts)
I see some malicious remnants there. Let's run Combofix:

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection
  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review

Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.

#24 Brandon Jorgensen (Topic Starter, Member, 14 posts)
I disabled Trend Micro, but it said AVG was still running even though I uninstalled it days ago. I deleted all traces of it that I could find in my Program Files and tried again. I ran it again and it was still there; I went ahead with it and it pretty much destroyed my computer, everything was non-existent or marked for deletion. So I restored it to before I ran it and it's back to normal. Any suggestion as to how to completely get AVG off my computer so I can run this program without detrimental results?

#25 Render (Trusted Helper, Malware Removal, 4,195 posts)
Can you please post the combofix.txt log? You should find it in the root of the C: drive.

To remove AVG please try this:

Download AppRemover and run it.

Click Next >>

Ensure "Remove Security Application" is selected and click Next >>

AppRemover will scan all the security applications on your PC

Select any AVG entries from the applications offered and click Next >> twice.

Follow any further on-screen instructions. If asked to reboot, please do so.

or with AVG Remover from here.
#26 Brandon Jorgensen (Topic Starter, Member, 14 posts)
I've now tried on 3 separate occasions to get the log you're asking for. I can get it, but it says there's an illegal request for the registry keys and the application is nonexistent or marked for deletion. Why does that scan keep messing up my computer?

#27 Render (Trusted Helper, Malware Removal, 4,195 posts)
Try to restart your computer and then try again.

#28 Render (Trusted Helper, Malware Removal, 4,195 posts)
Are you still with me?

#29 Render (Trusted Helper, Malware Removal, 4,195 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.