Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Motohelperservice.exe removed now No Internet


  • Please log in to reply

#16
SleepyDude

SleepyDude

    Trusted Helper

  • Malware Removal
  • 4,974 posts
Hi,

Not all the bad lines included on my first OTL fix were removed let's see if FRST can do it...


Step 1 - Uninstall Programs

Another program to uninstall please.

Please open Start > Control Panel > then Add or Remove Programs, locate these programs on the list and uninstall them:
  • File Opener Pro
Notes:
- If you can't uninstall the program let me know.
- After the programs have been uninstalled Reboot the computer. If requested by the uninstallers reboot the computer between uninstalls.


Step 2 - FRST Fix

!!! WARNING !!! The following fix is only relevant for this system and no other, running the script on another computer will not work and may cause problems...

  • Attached File  fixlist.txt   1.69KB   257 downloads
  • Download the file above and save it to the Desktop as fixlist.txt
    (It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work!)
  • Execute FRST by double clicking on the icon Posted Image. Make sure all the other programs are close.
    Posted Image
  • Press the Fix button just once and Wait. After the fix the system needs to restart if the tool does not request it please Restart the computer.
  • The tool will make a log (Fixlog.txt) on the same location as FRST/FRST64 please post it in your next reply.

Things I would like to see in your next reply:
  • The Fixlog.txt log
  • Tell me if you can access the Internet after the fix.

  • 0

Advertisements


#17
jlurie

jlurie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Hi, SleepyDude, I have not heard from you since my last post on the 19th. I hope that everything is going ok for you. Hope to hear from you soon.
  • 0

#18
SleepyDude

SleepyDude

    Trusted Helper

  • Malware Removal
  • 4,974 posts

Hi, SleepyDude, I have not heard from you since my last post on the 19th. I hope that everything is going ok for you. Hope to hear from you soon.

Hi Jlurie,

Please execute the steps from my post #16 above, the thread is now two pages long.
  • 0

#19
jlurie

jlurie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Hi SleepyDude, Nice to hear from you again.I talked to a friend from work and he told me about pinging an IP Address. He said there was something called a gateway and that is how you can connect to the internet. he came over to the house and pinged my gateway. He changed my IP and he pinged the gateway. He then changed my IP back to auto? since it did not work. He said there is something strange. when he pings it says "pinging oy" with two dots over the Y. He said that should not look that way. I really do not undrstand what he means, maybe you do.

If I try to remove any programs I get an error message that the windows installer can not be actvated or something like that.

Below is the fix log results. And when I try to open internet explorer it starts to open then close quickly in a flash, so there is no internet.



Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2014 01
Ran by ATS at 2014-03-22 16:23:32 Run:1
Running from C:\Documents and Settings\ATS\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
() C:\monitor.exe
SearchScopes: HKLM - DefaultScope value is missing.
Winsock: Catalog9 01 C:\WINDOWS\system32\PCProtect.dll File Not found ()
Winsock: Catalog9 02 C:\WINDOWS\system32\PCProtect.dll File Not found ()
Winsock: Catalog9 16 C:\WINDOWS\system32\PCProtect.dll File Not found ()
cmd: netsh winsock reset
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S3 PCProtect; C:\Program Files\Web Protect\PCProtect.exe [1265608 2014-01-07] (Objectify Media Inc)
S2 ProtectMonitor; C:\monitorsvc.exe [34244 2014-02-02] ()
S4 Motorola Device Manager; C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [X]
2014-02-27 11:13 - 2014-02-27 11:13 - 00000000 ____D () C:\Documents and Settings\MSHELLMAN\Application Data\SparkTrust
2014-02-27 11:12 - 2014-02-27 11:12 - 00000000 ____D () C:\Documents and Settings\MSHELLMAN\Start Menu\Programs\SparkTrust
2014-02-25 16:48 - 2014-02-25 16:48 - 00000000 ____D () C:\Documents and Settings\MSHELLMAN\Local Settings\Application Data\Avg2014
2014-03-15 17:06 - 2014-02-06 15:42 - 00000000 ____D () C:\Program Files\Web Protect
2014-03-14 18:38 - 2006-01-24 18:54 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy
2014-03-14 18:38 - 2006-01-24 18:54 - 00000000 ____D () C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2014-02-24 17:18 - 2012-12-10 12:36 - 00000000 ____D () C:\Program Files\iYogi Support Dock
IObit Apps Toolbar v8.8 (HKLM\...\{B2A36391-A3A9-4293-88B2-A8263EC7F865}) (Version: 8.8 - Spigot, Inc.) <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCProtect => ""="service"
C:\monitor.exe
C:\Program Files\Motorola Mobility
Reboot:
*****************

[668] C:\monitor.exe => Process closed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 => Unable to delete key
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 => Unable to delete key
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016 => Unable to delete key

========= netsh winsock reset =========


Unable to reset the Winsock Catalog.
Access is denied.



========= End of CMD: =========

HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
PCProtect => Unable to delete service
ProtectMonitor => Service deleted successfully.
Motorola Device Manager => Service deleted successfully.
C:\Documents and Settings\MSHELLMAN\Application Data\SparkTrust => Moved successfully.
C:\Documents and Settings\MSHELLMAN\Start Menu\Programs\SparkTrust => Moved successfully.
C:\Documents and Settings\MSHELLMAN\Local Settings\Application Data\Avg2014 => Moved successfully.
C:\Program Files\Web Protect => Moved successfully.
C:\Program Files\Spybot - Search & Destroy => Moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy => Moved successfully.
C:\Program Files\iYogi Support Dock => Moved successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCProtect => Key deleted successfully.
Could not move "C:\monitor.exe" => Scheduled to move on reboot.
"C:\Program Files\Motorola Mobility" => File/Directory not found.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-03-22 16:25:00)<=

C:\monitor.exe => Is moved successfully.

==== End of Fixlog ====
  • 0

#20
SleepyDude

SleepyDude

    Trusted Helper

  • Malware Removal
  • 4,974 posts
Hi,

You didn't got an e-mail notification when a reply was added to your topic?

I would like you to boot in Safe Mode and repeat the Step 2 from post #16.

After power on the computer start pressing F8 to access a boot menu like this:
Posted Image

- Select Safe Mode from the menu

Note: In some machines pressing F8 during boot can give you access to a BIOS boot menu if this happens select boot from the Hard Disk and start pressing F8 again.

Execute the Step 2 and post the resulting log.
  • 0

#21
jlurie

jlurie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Hi SleepyDude, Here are the results of the FRST run in safe made:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2014 01
Ran by ATS at 2014-03-23 12:52:31 Run:3
Running from C:\Documents and Settings\ATS\Desktop
Boot Mode: Safe Mode (minimal)

==============================================

Content of fixlist:
*****************
() C:\monitor.exe
SearchScopes: HKLM - DefaultScope value is missing.
Winsock: Catalog9 01 C:\WINDOWS\system32\PCProtect.dll File Not found ()
Winsock: Catalog9 02 C:\WINDOWS\system32\PCProtect.dll File Not found ()
Winsock: Catalog9 16 C:\WINDOWS\system32\PCProtect.dll File Not found ()
cmd: netsh winsock reset
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S3 PCProtect; C:\Program Files\Web Protect\PCProtect.exe [1265608 2014-01-07] (Objectify Media Inc)
S2 ProtectMonitor; C:\monitorsvc.exe [34244 2014-02-02] ()
S4 Motorola Device Manager; C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [X]
2014-02-27 11:13 - 2014-02-27 11:13 - 00000000 ____D () C:\Documents and Settings\MSHELLMAN\Application Data\SparkTrust
2014-02-27 11:12 - 2014-02-27 11:12 - 00000000 ____D () C:\Documents and Settings\MSHELLMAN\Start Menu\Programs\SparkTrust
2014-02-25 16:48 - 2014-02-25 16:48 - 00000000 ____D () C:\Documents and Settings\MSHELLMAN\Local Settings\Application Data\Avg2014
2014-03-15 17:06 - 2014-02-06 15:42 - 00000000 ____D () C:\Program Files\Web Protect
2014-03-14 18:38 - 2006-01-24 18:54 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy
2014-03-14 18:38 - 2006-01-24 18:54 - 00000000 ____D () C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2014-02-24 17:18 - 2012-12-10 12:36 - 00000000 ____D () C:\Program Files\iYogi Support Dock
IObit Apps Toolbar v8.8 (HKLM\...\{B2A36391-A3A9-4293-88B2-A8263EC7F865}) (Version: 8.8 - Spigot, Inc.) <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCProtect => ""="service"
C:\monitor.exe
C:\Program Files\Motorola Mobility
Reboot:
*****************

C:\monitor.exe => No running process found
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 => Unable to delete key
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 => Unable to delete key
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016 => Unable to delete key

========= netsh winsock reset =========


Unable to reset the Winsock Catalog.
Access is denied.



========= End of CMD: =========

HKLM\SOFTWARE\Policies\Google => Key not found.
PCProtect => Unable to delete service
ProtectMonitor => Service not found.
Motorola Device Manager => Service not found.
"C:\Documents and Settings\MSHELLMAN\Application Data\SparkTrust" => File/Directory not found.
"C:\Documents and Settings\MSHELLMAN\Start Menu\Programs\SparkTrust" => File/Directory not found.
"C:\Documents and Settings\MSHELLMAN\Local Settings\Application Data\Avg2014" => File/Directory not found.
"C:\Program Files\Web Protect" => File/Directory not found.
"C:\Program Files\Spybot - Search & Destroy" => File/Directory not found.
"C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy" => File/Directory not found.
"C:\Program Files\iYogi Support Dock" => File/Directory not found.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCProtect => Key not found.
"C:\monitor.exe" => File/Directory not found.
"C:\Program Files\Motorola Mobility" => File/Directory not found.


The system needed a reboot.

==== End of Fixlog ====
  • 0

#22
SleepyDude

SleepyDude

    Trusted Helper

  • Malware Removal
  • 4,974 posts
Hi,

I have another fix for you. Please delete the other fixlist.txt from the Desktop to avoid confusion.


!!! WARNING !!! The following fix is only relevant for this system and no other, running the script on another computer will not work and may cause problems...

  • Attached File  fixlist.txt   1.07KB   337 downloads
  • Download the file above and save it to the Desktop as fixlist.txt
    (It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work!)
  • Execute FRST by double clicking on the icon Posted Image. Make sure all the other programs are close.
    Posted Image
  • Press the Fix button just once and Wait. After the fix the system needs to restart if the tool does not request it please Restart the computer.
  • The tool will make a log (Fixlog.txt) on the same location as FRST/FRST64 please post it in your next reply.


Things I would like to see in your next reply:
  • The Fixlog.txt log

  • 0

#23
jlurie

jlurie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts

Hi SleepyDude, The FRST fix will not run. Just as it starts it says It encountered a problem and It must close.


  • 0

#24
SleepyDude

SleepyDude

    Trusted Helper

  • Malware Removal
  • 4,974 posts

Hi SleepyDude, The FRST fix will not run. Just as it starts it says It encountered a problem and It must close.

Hi,

 

I'm assuming you run FRST in Normal mode can you try in Save Mode?


  • 0

#25
jlurie

jlurie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts

Hi SleepyDude, When running FRST in safe mode it did the same thing, Including the same failure message.


  • 0

Advertisements


#26
SleepyDude

SleepyDude

    Trusted Helper

  • Malware Removal
  • 4,974 posts
Hi,

Let's get more logs...

Step 1 - RogueKiller Scan
  • Visit the RogueKiller download page by clicking here.
    (If you are using Internet Explorer 8 or better the Smartscreen Filter will need to be disabled. To learn how to do this in IE 8, 9 and 10 check this link)
  • Click the download button next to Build 32 bits (x86) and save the RogueKiller.exe file to the Desktop.
  • Close all the running programs, specially the Web browser.
  • Double click the RogueKiller icon to run the program.
    (On Windows Vista or higher right click the file and select Run as Administrator)
    Note: If this is the first time you have used the program you will need to accept the User Agreement and the browser will open with some information related to the program.
  • Wait until Prescan has finished... This may take a few minutes, especially if it is the first time you have used the program.
    RogueKiller_Scan.png
  • Click on Scan
  • Wait for the end of the scan. Do not delete anything at this time.
  • Click the Report button. Notepad will open with the log please Copy & Paste all the contents into your next reply.
    Note: The report has been created on the Desktop in a file named RKreport[x]_S_mmddyyyy_hhmmss.txt.

Step 2 - Minitoolbox
  • Download MiniToolBox and save the file to the Desktop.
  • Close all the programs and run MiniToolBox
    MiniToolBox.png
  • Check the following options:
    • List IP Configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List Devices: Only Problems
  • Click on Go.
  • Post the resulting log in your next reply.

Step 3 - Farbar Service Scanner
  • Run FSS by double clicking the FSS.gif icon
    (On Windows Vista or higher right click the file and select Run as Administrator)
  • Check all the options
  • click Scan
  • Post the generated log on your reply (The FSS.txt log is saved to the same folder where FSS is run from).

Things I would like to see in your next reply:
  • The RogueKiller report RKreport[x]_S_mmddyyyy_hhmmss.txt
  • The MiniToolBox log Result.txt
  • The FSS.txt log

  • 0

#27
jlurie

jlurie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts

Hi SleepyDude, Sorry about the late response, I have been real busy at work.

 

The Rougekiller log is listed below:

 

RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : ATS [Admin rights]
Mode : Scan -- Date : 03/27/2014 18:34:28
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[37] : NtCreateFile @ 0x805790A2 -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA491178)
[Address] SSDT[41] : NtCreateKey @ 0x8062426A -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA4919F8)
[Address] SSDT[62] : NtDeleteFile @ 0x80576C4A -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA49110C)
[Address] SSDT[65] : NtDeleteValueKey @ 0x806248D6 -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA491C7E)
[Address] SSDT[116] : NtOpenFile @ 0x8057A1A0 -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA49124E)
[Address] SSDT[119] : NtOpenKey @ 0x80625648 -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA491AEA)
[Address] SSDT[122] : NtOpenProcess @ 0x805CB486 -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA491DF8)
[Address] SSDT[145] : NtQueryDirectoryFile @ 0x80579E82 -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA4914B4)
[Address] SSDT[224] : NtSetInformationFile @ 0x8057B02E -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA490F46)
[Address] SSDT[247] : NtSetValueKey @ 0x806227DC -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA491B72)
[Address] SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA491E94)
[Address] EAT @explorer.exe (DllCanUnloadNow) : nvshell.dll -> HOOKED (C:\WINDOWS\system32\igfxsrvc.dll @ 0x03D31070)
[Address] EAT @explorer.exe (DllGetClassObject) : nvshell.dll -> HOOKED (C:\WINDOWS\system32\igfxsrvc.dll @ 0x03D31030)
[Address] EAT @explorer.exe (DllRegisterServer) : nvshell.dll -> HOOKED (C:\WINDOWS\system32\igfxsrvc.dll @ 0x03D310D0)
[Address] EAT @explorer.exe (DllUnregisterServer) : nvshell.dll -> HOOKED (C:\WINDOWS\system32\igfxsrvc.dll @ 0x03D31110)
[Address] EAT @explorer.exe (GetProxyDllInfo) : nvshell.dll -> HOOKED (C:\WINDOWS\system32\igfxsrvc.dll @ 0x03D31000)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD10EZEX-00BN5A0 +++++
--- User ---
[MBR] 28bcb8d38c04fead2455e6eca651aad8
[BSP] 548f75f2985f65716ba6e26a5aae5841 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 MB
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) OCZ RALLY2 USB Device +++++
--- User ---
[MBR] 214e2c171bfd7b1ed22d9e09f136746e
[BSP] 0885be81cc915c2a066451995cdfd914 : MBR Code unknown
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 778135908 | Size: 557377 MB
1 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 168689522 | Size: 945326 MB
2 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1869881465 | Size: 945326 MB
3 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): -1409286144 | Size: 27 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

Finished : << RKreport[0]_S_03272014_183428.txt >>

 

MiniToolBoxlog:

 

MiniToolBox by Farbar  Version: 23-01-2014
Ran by ATS (administrator) on 27-03-2014 at 18:42:34
Running from "C:\Documents and Settings\ATS\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************
========================= IP Configuration: ================================

Atheros L2 Fast Ethernet 10/100 Base-T Controller = Local Area Connection 7 (Connected)


# ----------------------------------
# Interface IP Configuration         
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection 7"

set address name="Local Area Connection 7" source=dhcp
set dns name="Local Area Connection 7" source=dhcp register=PRIMARY
set wins name="Local Area Connection 7" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



        Host Name . . . . . . . . . . . . : PWIcp005

        Primary Dns Suffix  . . . . . . . :

        Node Type . . . . . . . . . . . . : Unknown

        IP Routing Enabled. . . . . . . . : No

        WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection 7:



        Connection-specific DNS Suffix  . :

        Description . . . . . . . . . . . : Atheros L2 Fast Ethernet 10/100 Base-T Controller

        Physical Address. . . . . . . . . : 00-1F-C6-A0-58-07

        Dhcp Enabled. . . . . . . . . . . : Yes

        Autoconfiguration Enabled . . . . : Yes

        Autoconfiguration IP Address. . . : 169.254.98.153

        Subnet Mask . . . . . . . . . . . : 255.255.0.0

        Default Gateway . . . . . . . . . :

Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.



Pinging ø˜ with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for     :

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1f c6 a0 58 07 ...... Atheros L2 Fast Ethernet 10/100 Base-T Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      169.254.0.0      255.255.0.0   169.254.98.153  169.254.98.153      20
   169.254.98.153  255.255.255.255        127.0.0.1       127.0.0.1      20
  169.254.255.255  255.255.255.255   169.254.98.153  169.254.98.153      20
        224.0.0.0        240.0.0.0   169.254.98.153  169.254.98.153      20
  255.255.255.255  255.255.255.255   169.254.98.153  169.254.98.153      1
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\system32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\system32\PCProtect.dll [File not found] ()
Catalog9 02 C:\WINDOWS\system32\PCProtect.dll [File not found] ()
Catalog9 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\WINDOWS\system32\PCProtect.dll [File not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/27 17:27:01.156]: [00001108]: ---- Monitor Thread OpenBrNetUDP_Server Error ----

Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/27 17:27:01.156]: [00001108]: BrMfNet:: OpenUDPServer Error

Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/27 17:27:01.156]: [00001108]: BrNet:: OpenUDP_Server socket INVALID

Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/27 17:27:01.140]: [00001108]: ---- Monitor Thread OpenBrNetUDP_Server Error ----

Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/27 17:27:01.140]: [00001108]: BrMfNet:: OpenUDPServer Error

Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/27 17:27:01.140]: [00001108]: BrNet:: OpenUDP_Server socket INVALID

Error: (03/25/2014 09:00:02 PM) (Source: Application Error) (User: )
Description: Faulting application frst.exe, version 3.3.10.2, faulting module frst.exe, version 3.3.10.2, fault address 0x0001fcbe.
Processing media-specific event for [frst.exe!ws!]

Error: (03/25/2014 08:55:49 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/25 20:55:49.453]: [00001004]: ---- Monitor Thread OpenBrNetUDP_Server Error ----

Error: (03/25/2014 08:55:49 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/25 20:55:49.453]: [00001004]: BrMfNet:: OpenUDPServer Error

Error: (03/25/2014 08:55:49 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/25 20:55:49.453]: [00001004]: BrNet:: OpenUDP_Server socket INVALID


System errors:
=============
Error: (03/27/2014 06:22:46 PM) (Source: DCOM) (User: PWICP005)
Description: The server {4991D34B-80A1-4291-83B6-3328366B9097} did not register with DCOM within the required timeout.

Error: (03/27/2014 06:22:16 PM) (Source: Service Control Manager) (User: )
Description: The BITS service terminated with service-specific error 2147952506 (0x8007277A).

Error: (03/27/2014 05:27:01 PM) (Source: Service Control Manager) (User: )
Description: The Automatic Updates service terminated with the following error:
%%2147952506

Error: (03/27/2014 05:27:01 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service terminated with the following error:
%%10106

Error: (03/25/2014 09:00:33 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (03/25/2014 08:59:48 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
Fips
i8042prt
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip
WS2IFSL

Error: (03/25/2014 08:59:48 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Error: (03/25/2014 08:59:48 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31

Error: (03/25/2014 08:59:48 PM) (Source: Service Control Manager) (User: )
Description: The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31

Error: (03/25/2014 08:59:48 PM) (Source: Service Control Manager) (User: )
Description: The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%31


Microsoft Office Sessions:
=========================
Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/27 17:27:01.156]: [00001108]: ---- Monitor Thread OpenBrNetUDP_Server Error ----

Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/27 17:27:01.156]: [00001108]: BrMfNet:: OpenUDPServer Error

Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/27 17:27:01.156]: [00001108]: BrNet:: OpenUDP_Server socket INVALID

Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/27 17:27:01.140]: [00001108]: ---- Monitor Thread OpenBrNetUDP_Server Error ----

Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/27 17:27:01.140]: [00001108]: BrMfNet:: OpenUDPServer Error

Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/27 17:27:01.140]: [00001108]: BrNet:: OpenUDP_Server socket INVALID

Error: (03/25/2014 09:00:02 PM) (Source: Application Error)(User: )
Description: frst.exe3.3.10.2frst.exe3.3.10.20001fcbe

Error: (03/25/2014 08:55:49 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/25 20:55:49.453]: [00001004]: ---- Monitor Thread OpenBrNetUDP_Server Error ----

Error: (03/25/2014 08:55:49 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/25 20:55:49.453]: [00001004]: BrMfNet:: OpenUDPServer Error

Error: (03/25/2014 08:55:49 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/25 20:55:49.453]: [00001004]: BrNet:: OpenUDP_Server socket INVALID


========================= Devices: ================================

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Class Guid: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


**** End of log ****
 

The FSS log:

 

Farbar Service Scanner Version: 25-02-2014
Ran by ATS (administrator) on 27-03-2014 at 18:57:45
Running from "C:\Documents and Settings\ATS\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000900000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

 

 

 




 


  • 0

#28
SleepyDude

SleepyDude

    Trusted Helper

  • Malware Removal
  • 4,974 posts

Hi,
 
Thanks for the logs. I need you to check one file to confirm if it's malicious or not.

Upload file for Malware Check

  • Open the folder C:\WINDOWS\System32\drivers and copy the file pcwatch.sys to the Flash Drive
  • Visit the site www.virustotal.com
  • Click Choose File then on the File Upload window locate the file pcwatch.sys you have on the Flash Drive and click Open
  • If you see a pop-up with "File already analyzed" click Reanalyse and wait for the scan to finish
  • Copy the link you have on the address bar of the browser window, it should be something like this: https://www.virustotal.com/en/file/... and post in your topic
  • Delete the file pcwatch.sys from the Flash Drive

  • 0

#29
jlurie

jlurie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts

Hi SleepyDude, In  regular mode or Safe mode pcwatch cannot be copied. C:\WINDOWS\System32\drivers\pcwatch says Access is Denied.


  • 0

#30
SleepyDude

SleepyDude

    Trusted Helper

  • Malware Removal
  • 4,974 posts

Hi SleepyDude, In  regular mode or Safe mode pcwatch cannot be copied. C:\WINDOWS\System32\drivers\pcwatch says Access is Denied.

Hi,
 
Let's see if we can unlock and remove it... Please delete the other fixlist.txt from the Desktop to avoid confusion.

 

 

Step 1 - FRST Fix

!!! WARNING !!! The following fix is only relevant for this system and no other, running the script on another computer will not work and may cause problems...

  • Attached File  fixlist.txt   173bytes   225 downloads
  • Download the file above and save it to the Desktop as fixlist.txt
    (It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work!)
  • Execute FRST by double clicking on the icon FRST.gif. Make sure all the other programs are close.
    FRST_Fix.png
  • Press the Fix button just once and Wait. After the fix the system needs to restart if the tool does not request it please Restart the computer.
  • The tool will make a log (Fixlog.txt) on the same location as FRST/FRST64 please post it in your next reply.

 

Step 2 - FRST Scan

 

Run a new Scan with FRST like you did on Step 2 in post #14 and post the new log please.

 

 

Things I would like to see in your next reply:

  • The Fixlog.txt log
  • The new FRST.txt log

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP