Trojan Detected - ZeroAccess trojan [Solved]
#31
Posted 22 July 2012 - 11:56 AM
#32
Posted 22 July 2012 - 01:58 PM
Either restore to the restore point that combofix made prior to running,
or I can check out the net registry.
If the latter, then:
run farbar service scanner
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
#33
Posted 22 July 2012 - 06:19 PM
Farbar Service Scanner Version: 22-07-2012
Ran by User (administrator) on 22-07-2012 at 17:16:11
Running from "J:\"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Other errors
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7
C:\Windows\System32\drivers\afd.sys
[2012-02-15 07:18] - [2012-01-03 07:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-11 14:59] - [2012-03-30 05:45] - 1423744 ____A (Microsoft Corporation) 46D448E9117464E4D3BBF36D7E3FA48E
C:\Windows\System32\dnsrslvr.dll
[2011-04-13 22:03] - [2011-03-02 09:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0
C:\Windows\System32\mpssvc.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C
C:\Windows\System32\bfe.dll
[2009-12-04 00:49] - [2009-04-11 00:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2009-12-04 00:50] - [2009-04-11 00:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1
C:\Windows\System32\wscsvc.dll
[2009-12-04 00:49] - [2009-04-11 00:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A
C:\Windows\System32\wbem\WMIsvc.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C
C:\Windows\System32\es.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF
C:\Windows\System32\cryptsvc.dll
[2012-06-13 17:10] - [2012-04-23 09:25] - 0174592 ____A (Microsoft Corporation) 62740B9D2A137E8CED41A9E4239A7A31
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF
**** End of log ****
#34
Posted 23 July 2012 - 07:45 AM
[attachment=59155:bfe.reg]
Right click the file and select merge
Accept the warnings and reboot
Please post a fresh FSS log
Also could you cycle the McAfee firewall off and on
#35
Posted 23 July 2012 - 08:25 AM
Farbar Service Scanner Version: 22-07-2012
Ran by User (administrator) on 23-07-2012 at 07:20:56
Running from "C:\Users\User\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Other errors
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7
C:\Windows\System32\drivers\afd.sys
[2012-02-15 07:18] - [2012-01-03 07:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-11 14:59] - [2012-03-30 05:45] - 1423744 ____A (Microsoft Corporation) 46D448E9117464E4D3BBF36D7E3FA48E
C:\Windows\System32\dnsrslvr.dll
[2011-04-13 22:03] - [2011-03-02 09:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0
C:\Windows\System32\mpssvc.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C
C:\Windows\System32\bfe.dll
[2009-12-04 00:49] - [2009-04-11 00:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2009-12-04 00:50] - [2009-04-11 00:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1
C:\Windows\System32\wscsvc.dll
[2009-12-04 00:49] - [2009-04-11 00:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A
C:\Windows\System32\wbem\WMIsvc.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C
C:\Windows\System32\es.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF
C:\Windows\System32\cryptsvc.dll
[2012-06-13 17:10] - [2012-04-23 09:25] - 0174592 ____A (Microsoft Corporation) 62740B9D2A137E8CED41A9E4239A7A31
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF
**** End of log ****
#36
Posted 23 July 2012 - 08:49 AM
I rebooted and still no connection to the internet
Farbar Service Scanner Version: 22-07-2012
Ran by User (administrator) on 23-07-2012 at 07:42:46
Running from "C:\Users\User\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Other errors
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7
C:\Windows\System32\drivers\afd.sys
[2012-02-15 07:18] - [2012-01-03 07:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-11 14:59] - [2012-03-30 05:45] - 1423744 ____A (Microsoft Corporation) 46D448E9117464E4D3BBF36D7E3FA48E
C:\Windows\System32\dnsrslvr.dll
[2011-04-13 22:03] - [2011-03-02 09:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0
C:\Windows\System32\mpssvc.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C
C:\Windows\System32\bfe.dll
[2009-12-04 00:49] - [2009-04-11 00:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2009-12-04 00:50] - [2009-04-11 00:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1
C:\Windows\System32\wscsvc.dll
[2009-12-04 00:49] - [2009-04-11 00:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A
C:\Windows\System32\wbem\WMIsvc.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C
C:\Windows\System32\es.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF
C:\Windows\System32\cryptsvc.dll
[2012-06-13 17:10] - [2012-04-23 09:25] - 0174592 ____A (Microsoft Corporation) 62740B9D2A137E8CED41A9E4239A7A31
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-12-04 00:50] - [2009-04-11 00:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF
**** End of log ****
#37
Posted 23 July 2012 - 08:58 AM
Localhost is accessible.
LAN connected.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Other errors
This indicates that you do have an internet connection but DNS is not working. To test this, type 74.125.224.72 into the IE address bar and let me know if it gets Google.
Reset/Renew TCP/IP connection
- Open an elevated command prompt. To do that:
- Click the Start Orb
- In the Start Search box type cmd.exe. A program named cmd.exe will be listed at the top of the menu list under Programs
- Right click on cmd.exe and click Run as Administrator. A black command window will open up.
- At the blinking cursor type the following commands, pressing the Enter key after each command typed:
ipconfig /release
ipconfig /renew
- Back at the blinking cursor type Exit and press the Enter key. This will close the command window.
- Reboot the computer
#38
Posted 23 July 2012 - 09:25 AM
What you can try:
Diagnose Connection Problems
After clicking on that icon, I got the Windows Network Diagnostics stating that a problem with your network router or broadband modem might be preventing an internet connection. I followed the instructions, unplugging, waiting 10 seconds and still no connection. I think the router/modem is working fine, since I'm able to access the internet from my laptop.
For some reason, the computer isn't able to access/connect to the router/modem.
Here are the messages when I typed in ipconfig /release and ipconfig /renew in the cmd.exe file
ipconfig/release
Windows IP Configuration
An error occurred while releasing interface Local Area Connection:
An address has not yet been associated with the network endpoint.
ipconfig/renew
Windows IP Configuration
An error occurred while renewing interface Local Area Connection:
An invalid argument was supplied
I rebooted and no internet access. When I click on the computer icons on the taskbar, the window popup says unidentified network, Access: Local only
#39
Posted 23 July 2012 - 11:08 AM
This should restore the connection
I will then take a fresh look with a slightly different analysis tool
Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
- Flush DNS
- Report IE Proxy Settings
- Reset IE Proxy Settings
- Report FF Proxy Settings
- Reset FF Proxy Settings
- List content of Hosts
- List IP configuration
- List Winsock Entries
- List last 10 Event Viewer log
- List Installed Programs
- List Devices
- List Users, Partitions and Memory size.
- List Minidump Files
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
#40
Posted 23 July 2012 - 03:40 PM
MiniToolBox by Farbar Version: 23-07-2012
Ran by User (administrator) on 23-07-2012 at 14:31:46
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X64)
Boot Mode: Normal
***************************************************************************
========================= Flush DNS: ===================================
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= FF Proxy Settings: ==============================
"network.proxy.no_proxies_on", "*.local"
"network.proxy.type", 0
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
========================= Hosts content: =================================
::1 localhost
127.0.0.1 localhost
========================= IP Configuration: ================================
Realtek RTL8168C(P)/8111C(P) Family PCI-E GBE NIC = Local Area Connection (Connected)
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
reset
set global
popd
# End of IPv4 configuration
Windows IP Configuration
Host Name . . . . . . . . . . . . : User-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : home
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E GBE NIC
Physical Address. . . . . . . . . : 00-26-18-4B-4A-77
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5dee:4097:c51a:a7f2%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, July 23, 2012 2:31:58 PM
Lease Expires . . . . . . . . . . : Tuesday, July 24, 2012 2:31:57 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 251667596
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-11-D0-5E-01-00-26-18-4B-4A-77
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 6:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 14:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: myrouter.home
Address: 192.168.1.1
Name: google.com
Addresses: 2607:f8b0:4007:801::1003
74.125.224.161
74.125.224.163
74.125.224.165
74.125.224.169
74.125.224.162
74.125.224.164
74.125.224.168
74.125.224.166
74.125.224.160
74.125.224.174
74.125.224.167
Pinging google.com [74.125.239.0] with 32 bytes of data:
Reply from 74.125.239.0: bytes=32 time=7ms TTL=252
Reply from 74.125.239.0: bytes=32 time=7ms TTL=252
Ping statistics for 74.125.239.0:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 7ms, Maximum = 7ms, Average = 7ms
Server: myrouter.home
Address: 192.168.1.1
Name: yahoo.com
Addresses: 209.191.122.70
72.30.38.140
98.139.183.24
Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
Reply from 209.191.122.70: bytes=32 time=51ms TTL=250
Reply from 209.191.122.70: bytes=32 time=56ms TTL=250
Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 51ms, Maximum = 56ms, Average = 53ms
Server: myrouter.home
Address: 192.168.1.1
Name: bleepingcomputer.com
Address: 208.43.87.2
Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.
Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
10 ...00 26 18 4b 4a 77 ...... Realtek RTL8168C(P)/8111C(P) Family PCI-E GBE NIC
1 ........................... Software Loopback Interface 1
11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.2 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.2 276
192.168.1.2 255.255.255.255 On-link 192.168.1.2 276
192.168.1.255 255.255.255.255 On-link 192.168.1.2 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.2 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.2 276
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
10 276 fe80::/64 On-link
10 276 fe80::5dee:4097:c51a:a7f2/128 On-link
1 306 ff00::/8 On-link
10 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================
Catalog5 01 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [223232] (Microsoft Corporation)
x64-Catalog5 01 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [62976] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [78848] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [78848] (Microsoft Corporation)
x64-Catalog5 05 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [27648] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [304128] (Microsoft Corporation)
========================= Event log errors: ===============================
Application errors:
==================
Error: (07/23/2012 02:26:54 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (07/23/2012 08:11:23 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (07/23/2012 07:46:51 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (07/23/2012 07:40:01 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (07/23/2012 07:26:08 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (07/23/2012 07:06:38 AM) (Source: MsiInstaller) (User: NT AUTHORITY)NT AUTHORITY
Description: Product: Microsoft Works - Update 'Security Update for Microsoft Works 9 (KB2680317)' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft....k/?LinkId=23127
Error: (07/23/2012 07:06:38 AM) (Source: MsiInstaller) (User: NT AUTHORITY)NT AUTHORITY
Description: Product: Microsoft Works -- Error 1606.Could not access network location %APPDATA%\.
Error: (07/23/2012 07:06:38 AM) (Source: MsiInstaller) (User: NT AUTHORITY)NT AUTHORITY
Description: Product: Microsoft Works -- Error 1606.Could not access network location %APPDATA%\.
Error: (07/23/2012 06:59:28 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (07/22/2012 10:49:49 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
System errors:
=============
Error: (07/23/2012 02:27:32 PM) (Source: Service Control Manager) (User: )
Description: Beep
i8042prt
SRTSP
SRTSPX
Error: (07/23/2012 02:27:32 PM) (Source: Service Control Manager) (User: )
Description: HP CUE DeviceDiscovery Service
Error: (07/23/2012 02:26:56 PM) (Source: Service Control Manager) (User: )
Description: Norton Internet Security%%3
Error: (07/23/2012 02:26:56 PM) (Source: Service Control Manager) (User: )
Description: Computer Browser%%1060
Error: (07/23/2012 02:15:03 PM) (Source: Service Control Manager) (User: )
Description: UPnP Device HostSSDP Discovery%%0
Error: (07/23/2012 02:14:59 PM) (Source: Service Control Manager) (User: )
Description: UPnP Device HostSSDP Discovery%%0
Error: (07/23/2012 08:13:47 AM) (Source: Service Control Manager) (User: )
Description: UPnP Device HostSSDP Discovery%%0
Error: (07/23/2012 08:13:45 AM) (Source: Service Control Manager) (User: )
Description: UPnP Device HostSSDP Discovery%%0
Error: (07/23/2012 08:12:03 AM) (Source: Service Control Manager) (User: )
Description: UPnP Device HostSSDP Discovery%%0
Error: (07/23/2012 08:12:03 AM) (Source: DCOM) (User: )
Description: 1068upnphost{204810B9-73B2-11D4-BF42-00B0D0118B56}
Microsoft Office Sessions:
=========================
Error: (08/04/2010 03:12:01 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6535.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1261 seconds with 1140 seconds of active time. This session ended with a crash.
Error: (05/22/2010 11:26:08 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3 seconds with 0 seconds of active time. This session ended with a crash.
=========================== Installed Programs ============================
Agere Systems PCI-SV92EX Soft Modem
Apple Mobile Device Support (Version: 5.2.0.6)
Avery Toolbar Updater (Version: 1.2.1.22229)
Bonjour (Version: 3.0.0.10)
Clone Wars
Hardware Diagnostic Tools (Version: 5.1.5144.16)
HP Customer Participation Program 10.0 (Version: 10.0)
HP Deskjet D1500 Printer Driver Software 10.0 Rel .3 (Version: 10.0)
HP Imaging Device Functions 10.0 (Version: 10.0)
HP MediaSmart SmartMenu (Version: 2.1.12)
HP Photosmart Essential 2.5 (Version: 2.5)
HP Remote Software (Version: 1.0.5.0)
HP Smart Web Printing 4.60 (Version: 4.60)
HP Solution Center 13.0 (Version: 13.0)
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
iTunes (Version: 10.6.3.25)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Office Home and Student 60 day trial
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Puran Defrag Free Edition 7.3
Shop for HP Supplies (Version: 10.0)
Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0) (Version: 11/05/2008 1.1.1.0)
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012) (Version: 09/10/2009 02.03.05.012)
========================= Devices: ================================
Name: Microsoft ISATAP Adapter #2
Description: Microsoft ISATAP Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver
Name: Microsoft ISATAP Adapter #3
Description:
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
========================= Memory info: ===================================
Percentage of memory in use: 29%
Total physical RAM: 6133.33 MB
Available physical RAM: 4304.66 MB
Total Pagefile: 12379.68 MB
Available Pagefile: 10270.23 MB
Total Virtual: 4095.88 MB
Available Virtual: 3996.64 MB
========================= Partitions: =====================================
1 Drive c: (HP) (Fixed) (Total:582.5 GB) (Free:427.21 GB) NTFS
2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:13.67 GB) (Free:1.93 GB) NTFS
8 Drive j: () (Removable) (Total:3.77 GB) (Free:3.58 GB) NTFS
========================= Users: ========================================
User accounts for \\USER-PC
Administrator Guest User
========================= Minidump Files ==================================
No minidump file found
========================= Restore Points ==================================
29-06-2012 09:13:34 Scheduled Checkpoint
29-06-2012 10:00:22 Windows Update
30-06-2012 10:00:21 Windows Update
30-06-2012 10:00:27 Scheduled Checkpoint
01-07-2012 10:00:22 Windows Update
01-07-2012 10:00:44 Scheduled Checkpoint
02-07-2012 23:15:25 Windows Update
02-07-2012 23:16:20 Device Driver Package Install: Leapfrog Network adapters
02-07-2012 23:18:52 Device Driver Package Install: LeapFrog Universal Serial Bus controllers
03-07-2012 13:54:48 Windows Update
04-07-2012 14:10:19 Windows Update
05-07-2012 13:08:06 Windows Update
06-07-2012 13:33:49 Windows Update
07-07-2012 12:45:24 Windows Update
08-07-2012 14:17:37 Windows Update
10-07-2012 01:19:46 Windows Update
10-07-2012 13:41:41 Windows Update
11-07-2012 01:49:13 Scheduled Checkpoint
11-07-2012 13:34:49 Windows Update
12-07-2012 07:00:00 Scheduled Checkpoint
12-07-2012 14:55:03 Windows Update
13-07-2012 13:35:29 Windows Update
14-07-2012 03:10:20 Scheduled Checkpoint
14-07-2012 03:56:21 Device Driver Package Install: Apple, Inc. Universal Serial Bus controllers
14-07-2012 03:56:33 Device Driver Package Install: Apple Network adapters
14-07-2012 13:42:03 Windows Update
15-07-2012 13:44:58 Windows Update
16-07-2012 13:48:50 Windows Update
16-07-2012 21:06:11 OTL Restore Point - 7/16/2012 2:06:11 PM
16-07-2012 22:10:11 OTL Restore Point - 7/16/2012 3:10:11 PM
17-07-2012 13:22:11 Windows Update
18-07-2012 10:00:32 Windows Update
19-07-2012 10:00:20 Windows Update
20-07-2012 10:00:25 Windows Update
20-07-2012 10:00:38 Scheduled Checkpoint
21-07-2012 10:00:20 Windows Update
22-07-2012 06:28:01 Scheduled Checkpoint
22-07-2012 10:00:23 Windows Update
22-07-2012 13:55:23 OTL Restore Point - 7/22/2012 6:55:23 AM
23-07-2012 14:03:40 Windows Update
23-07-2012 21:20:38 Restore Operation
**** End of log ****
#41
Posted 23 July 2012 - 03:53 PM
Could you now run the computer as normal until tomorrow and let me know of any weirdness or problems
#42
Posted 23 July 2012 - 04:27 PM
#43
Posted 24 July 2012 - 11:29 AM
#44
Posted 24 July 2012 - 11:36 AM
The Farbar tools are not yet within the cleanup routine so just delete them from the desktop
Subject to no further problems
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Go to control panel
- Select folder options (Appearance > Folder options in category view)
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.
Upgrading Java:
- Go to this site and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- Go to Start > All programs > Accessories > System Tools
- Right click Disk Cleanup and select Run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes. Update and run weekly to keep your system clean
Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe
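The OTL `[resethosts]` command in the fix above puts the hosts file back to its default loopback entries. As an added illustration (not code from the thread or from the OTL author), here is a small Python audit that parses a hosts file and lists every mapping that is not one of the stock `localhost` entries, which is the check a helper makes before deciding a reset is needed. The sample hosts text is constructed for the example; a real run would read `C:\Windows\System32\drivers\etc\hosts` instead.

```python
"""Audit a Windows hosts file for entries beyond the default localhost lines.

Added example: the sample input below is constructed, not taken from this thread.
Real use: audit(open(r"C:\Windows\System32\drivers\etc\hosts").read())
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Mappings a freshly reset hosts file is expected to carry (Vista/7 keep
# these either as live lines or as comments; both are fine).
DEFAULT_ENTRIES = {
    ("127.0.0.1", "localhost"),
    ("::1", "localhost"),
}


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    address: str
    names: tuple[str, ...]


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse hosts-file syntax: '<ip> <name> [<name>...]', '#' starts a comment."""
    entries: list[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no hostname after the address
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP address; not a valid mapping
        names = tuple(name.lower() for name in parts[1:])
        entries.append(HostsEntry(line_no, parts[0], names))
    return entries


def suspicious_entries(entries: list[HostsEntry]) -> list[tuple[int, str, str]]:
    """Return (line_no, address, name) for every mapping that is not a default."""
    flagged = []
    for entry in entries:
        for name in entry.names:
            if (entry.address, name) not in DEFAULT_ENTRIES:
                flagged.append((entry.line_no, entry.address, name))
    return flagged


def audit(text: str) -> list[tuple[int, str, str]]:
    """Parse and flag in one step; an empty list means the file is at defaults."""
    return suspicious_entries(parse_hosts(text))


# Constructed sample: a hosts file with two extra mappings added after the
# stock localhost lines (placeholder .test domains, not real hosts).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# (constructed sample mimicking a modified Windows hosts file)
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test   # constructed: pins a vendor update host to loopback
0.0.0.0         www.example-search.test
"""

if __name__ == "__main__":
    for line_no, address, name in audit(SAMPLE_HOSTS):
        print(f"line {line_no}: {address} -> {name} is not a default entry")
```

Run against the sample, the audit reports lines 5 and 6; run against a freshly reset file it reports nothing, which is the state the `[resethosts]` step leaves behind.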
#45
Posted 24 July 2012 - 01:07 PM
I'll run a recovery disc today as well. Have a great rest of the week.