Author Topic: [Resolved] Fallout from "Smart Fortress 2012" cleanup.  (Read 4140 times)


Offline edw

  • Bronze Member
  • Posts: 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #45 on: March 14, 2012, 11:44:02 AM »
  BTW, one snippet of information that might be useful.

  The earliest information of something wrong was a runaway svchost.exe process.  It used 98-100% of the CPU.  Since my CPU fan had failed around the same time, this continuous usage drove the CPU temperatures up and eventually slowed the computer down to total unusability, so it could only be shut down with the power switch.  That was when I replaced the fan and came back up with the "Smart Fortress 2012" infection.  However, I haven't seen this behavior since.

             


Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2153
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #46 on: March 14, 2012, 04:39:42 PM »
Hi edw

Before we move on we will back up the registry.

1.  Download ERUNT and save it to your desktop.  Double click on the file to install it.  Now run ERUNT by clicking on ERUNT in Start/All Programs/ERUNT.  Click OK and then check Other open user registries.  Click OK/Yes and then record the file location for the registry backup.

2.  Disable all Anti-virus, Anti-spyware programs as instructed earlier.  Do not forget to re-enable them before you reply to this post.

3.  I'd like you to run ComboFix again with some changes.  Open Notepad, click on Format and be sure Word Wrap is NOT checked.  Then copy the text in the code box below and paste it into the Notepad window.  Now name this file CFScript.txt and save it to your Desktop.

Code:

KILLALL::

ClearJavaCache::

RegLock::

RegLockDel::
[HKEY_USERS\S-1-5-21-1177238915-963894560-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F0D00B61-F3DB-1E1B-99C7-C909CB0F78D3}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"gccehgpngdcogmpmaeidhjfknjeongaldolnfaoemimoaakfmcglplipjkocfmmjffdpggaifdefcj"=hex:6c,
61,69,70,6d,69,66,6f,64,67,70,63,69,63,6f,65,64,6f,70,6a,70,61,64,6a,00,d3

File::
c:\windows\system32\drivers\haktfvqm.sys
c:\windows\system32\drivers\svkrnvma.sys

Folder::
2012-03-08 16:31 . 2012-03-08 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\99058D500033A0A4005FA5A6D151FC4E

Registry::

Driver::

Firefox::

dirlook::

FCopy::

DDS::


4. Close all open browsers.



5. Referring to the picture above, drag CFScript.txt onto the ComboFix.exe icon.  ComboFix will run and produce a report.  This report will be saved at C:\ComboFix.txt.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.  Reboot your computer.


Remember to be sure Word Wrap is NOT turned on in any Notepad files you post and to be sure and check that all the data you entered was posted. 

Now please post the following to me as a reply to this post:
The file location and name of the registry backup file you received from ERUNT
ComboFix.txt
If for any reason, ERUNT cannot back up your registry
Let me know how your computer is operating
If you have any other questions or problems, let me know that as well



Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline edw

  • Bronze Member
  • Posts: 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #47 on: March 14, 2012, 07:54:53 PM »
  Registry backed up to C:\WINDOWS\ERDNT\3-14-2012

  Running the combofix script, it complained as usual about an un-updated recovery panel and the inability to connect to the Internet.  It then said it was aborting the script, but continuing the scan.

  It then said it was deleting the two .sys files and rebooted.


 Perhaps we need to boot off a CD and attempt to update the Microsoft Recovery Panel somehow? 

ComboFix 12-03-12.02 - williams 03/14/2012  18:32:07.3.8 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3062.2355 [GMT -7:00]
Running from: c:\documents and settings\williams\Desktop\gotcha.exe
Command switches used :: c:\documents and settings\williams\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\system32\drivers\haktfvqm.sys"
"c:\windows\system32\drivers\svkrnvma.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\haktfvqm.sys
c:\windows\system32\drivers\svkrnvma.sys
.
.
(((((((((((((((((((((((((   Files Created from 2012-02-15 to 2012-03-15  )))))))))))))))))))))))))))))))
.
.
2012-03-15 01:27 . 2012-03-15 01:28   --------   d-----w-   c:\program files\ERUNT
2012-03-14 07:30 . 2012-03-14 07:41   --------   d-----w-   C:\gotcha
2012-03-13 05:16 . 2012-03-13 05:16   --------   d-----w-   C:\TDSSKiller_Quarantine
2012-03-12 19:53 . 2008-04-14 12:00   75264   ----a-w-   c:\windows\system32\drivers\ipsec.sys
2012-03-12 07:00 . 2012-03-12 07:00   --------   d-----w-   C:\_OTL
2012-03-10 06:49 . 2012-03-11 02:47   --------   d-----w-   c:\windows\system32\NtmsData
2012-03-10 03:33 . 2008-04-14 08:10   43904   -c----w-   c:\windows\system32\dllcache\sbp2port.sys
2012-03-10 03:33 . 2008-04-14 08:10   43904   ----a-w-   c:\windows\system32\drivers\sbp2port.sys
2012-03-09 10:04 . 2012-03-09 10:04   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-03-09 02:48 . 2012-03-09 06:50   --------   d-----w-   c:\program files\Core Temp
2012-03-08 17:58 . 2012-03-08 17:58   29904   ------w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3FF63C55-B7A2-433B-A8C2-BC04FDB1A254}\MpKsl0a732e9c.sys
2012-03-08 17:32 . 2012-02-08 06:03   6552120   ------w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3FF63C55-B7A2-433B-A8C2-BC04FDB1A254}\mpengine.dll
2012-03-08 17:15 . 2012-03-08 17:15   --------   d-----w-   c:\documents and settings\williams\Application Data\Malwarebytes
2012-03-08 17:15 . 2012-03-08 17:15   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-08 17:15 . 2012-03-08 17:15   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-03-08 17:15 . 2011-12-10 23:24   20464   ------w-   c:\windows\system32\drivers\mbam.sys
2012-03-08 16:34 . 2012-03-08 16:34   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
2012-03-08 16:31 . 2012-03-08 16:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\99058D500033A0A4005FA5A6D151FC4E
2012-02-15 17:36 . 2012-03-15 01:45   --------   d-----w-   c:\documents and settings\williams\Application Data\Dropbox
2012-02-15 11:42 . 2012-01-11 19:06   3072   -c----w-   c:\windows\system32\dllcache\iacenc.dll
2012-02-15 11:42 . 2012-01-11 19:06   3072   ------w-   c:\windows\system32\iacenc.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-08 17:41 . 2011-05-30 05:40   414368   ------w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 17:18 . 2010-06-23 15:28   237072   ------w-   c:\windows\system32\MpSigStub.exe
2012-02-18 20:56 . 2010-01-01 19:44   1480   ------w-   c:\windows\AUTOLNCH.REG
2012-02-08 06:03 . 2010-06-24 15:32   6552120   ------w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-29 20:22 . 2012-01-29 20:22   121208   ------w-   c:\windows\system32\drivers\AnyDVD.sys
2012-01-12 16:53 . 2008-04-14 12:00   1859968   ----a-w-   c:\windows\system32\win32k.sys
2012-01-12 00:19 . 2012-01-12 00:19   4448256   ------w-   c:\windows\system32\GPhotos.scr
2011-12-17 19:46 . 2008-04-14 12:00   916992   ----a-w-   c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 12:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2008-04-14 12:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2008-04-14 12:00   385024   ------w-   c:\windows\system32\html.iec
2012-02-25 03:10 . 2011-05-08 17:12   134104   ------w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-03-14_07.40.25   )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-15 01:45 . 2012-03-15 01:45   16384              c:\windows\Temp\Perflib_Perfdata_d40.dat
- 2008-04-14 12:00 . 2012-03-14 07:29   79116              c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2012-03-15 01:30   79116              c:\windows\system32\perfc009.dat
+ 2012-03-15 01:30 . 2012-03-15 01:30   8192              c:\windows\ERDNT\3-14-2012\Users\00000004\UsrClass.dat
+ 2012-03-15 01:30 . 2012-03-15 01:30   8192              c:\windows\ERDNT\3-14-2012\Users\00000002\UsrClass.dat
+ 2008-04-14 12:00 . 2012-03-15 01:30   462914              c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2012-03-14 07:29   462914              c:\windows\system32\perfh009.dat
+ 2012-03-15 01:45 . 2012-03-15 01:45   425984              c:\windows\ERDNT\AutoBackup\3-14-2012\Users\00000002\UsrClass.dat
+ 2012-03-15 01:45 . 2005-10-20 19:02   163328              c:\windows\ERDNT\AutoBackup\3-14-2012\ERDNT.EXE
+ 2012-03-15 01:30 . 2012-03-15 01:30   425984              c:\windows\ERDNT\3-14-2012\Users\00000006\UsrClass.dat
+ 2012-03-15 01:30 . 2012-03-15 01:30   245760              c:\windows\ERDNT\3-14-2012\Users\00000003\NTUSER.DAT
+ 2012-03-15 01:30 . 2012-03-15 01:30   385024              c:\windows\ERDNT\3-14-2012\Users\00000001\NTUSER.DAT
+ 2012-03-15 01:30 . 2005-10-20 19:02   163328              c:\windows\ERDNT\3-14-2012\ERDNT.EXE
+ 2012-03-15 01:45 . 2012-03-15 01:45   7188480              c:\windows\ERDNT\AutoBackup\3-14-2012\Users\00000001\NTUSER.DAT
+ 2012-03-15 01:30 . 2012-03-15 01:30   7188480              c:\windows\ERDNT\3-14-2012\Users\00000005\NTUSER.DAT
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49   94208   ------w-   c:\documents and settings\williams\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49   94208   ------w-   c:\documents and settings\williams\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49   94208   ------w-   c:\documents and settings\williams\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49   94208   ------w-   c:\documents and settings\williams\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2012-02-20 5860984]
"Seattle Avionics Data Manager"="c:\program files\Seattle Avionics\Data Manager\DataManager.exe" [2011-12-28 995328]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Oops!Backup"="c:\program files\Altaro\Oops!Backup\OopsBackup.exe" [2011-09-29 3335680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2008-11-18 36864]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-03 16876032]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 988701]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 118784]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-10 421736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CAPEXP.EXE [2000-11-1 821248]
.
c:\documents and settings\williams\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\williams\Application Data\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Shortcut to CAPEXP.lnk - c:\program files\Capture Express\CAPEXP.EXE [2010-11-21 821248]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Dyn Updater Tray Icon.lnk - c:\program files\DynDNS Updater\DynTray.exe [2011-11-15 78192]
Evernote Clipper.lnk - c:\windows\Installer\{F761359C-9CED-45AE-9A51-9D6605CD55C4}\Evernote.ico [2011-1-4 293950]
VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-12-16 6144]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\eudora51\EuShlExt.dll" [2006-08-17 86016]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\X-Plane 9\\X-Plane.exe"=
"c:\\Program Files\\NETGEAR ReadyNAS\\RAIDar.exe"=
"d:\\Drivesavers\\1st_Partition_C\\HP DS9100C\\Link\\hpnsjtr.exe"=
"c:\\HPDS9100C\\Link\\hpnsjtr.exe"=
"d:\\Drivesavers\\2nd_Partition_D\\Programs\\Cessna NAVIII G1000 Trainer v8.01\\CDUSIMv2.exe"=
"c:\\Garmin_simulators\\Cessna NAVIII G1000 Trainer v8.01\\CDUSIMv2.exe"=
"c:\\Program Files\\AirPort\\APUtil.exe"=
"c:\\Program Files\\Garmin\\G600 Trainer\\GNS\\G530SIM.exe"=
"c:\\Program Files\\Garmin\\G600 Trainer\\GNS\\hsi400wx.exe"=
"c:\\Program Files\\Garmin\\G600 Trainer\\GDU\\CDUSIMv2.exe"=
"c:\\Program Files\\Garmin\\G600 Trainer\\GSM\\gsim_server.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\emailrelay\\emailrelay.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Documents and Settings\\williams\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"5353:UDP"= 5353:UDP:Bonjour
.
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [8/30/2009 9:21 AM 66736]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/12/2009 12:32 PM 691696]
R2 Dyn Updater;Dyn Updater;c:\program files\DynDNS Updater\DynUpSvc.exe [11/15/2011 10:20 AM 95608]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [3/25/2011 11:06 PM 13336]
R2 OopsBackup.Service.exe;Oops!Backup Service;c:\program files\Altaro\Oops!Backup\OopsBackup.Service.exe [9/29/2011 10:59 AM 22016]
S2 DeltaCopyService;DeltaCopy Server;c:\programs\DeltaCopy\DCServce.exe [11/23/2009 3:28 PM 683008]
S2 emailrelay;E-MailRelay;c:\program files\emailrelay\emailrelay-service.exe [9/19/2011 7:29 PM 597281]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/1/2010 10:08 PM 135664]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [10/23/2011 3:06 PM 2214504]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\williams\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\williams\LOCALS~1\Temp\ALSysIO.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/1/2010 10:08 PM 135664]
S3 JEPPDRIVE;JeppDrive Service;c:\windows\system32\drivers\JeppDrive.sys [3/5/2010 9:06 PM 24344]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 11:15 AM 31125880]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 10:07 AM 35088]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]
S3 Wibukey2;Wibukey2;c:\windows\system32\drivers\Wibukey2.sys [4/13/2009 1:09 PM 16384]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]
.
2012-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 05:08]
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 05:08]
.
2012-03-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 22:39]
.
2012-03-15 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2011-05-30 17:29]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{FC0D2F06-D88B-4C0E-AB2A-2C7298748C71}: NameServer = 206.13.28.12,206.13.31.12
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://lumahai.dyndns.org/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\williams\Application Data\Mozilla\Firefox\Profiles\9g2mvweg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - 192.168.1.4
FF - prefs.js: network.proxy.http_port - 9999
FF - prefs.js: network.proxy.type - 4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-14 18:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1177238915-963894560-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F0D00B61-F3DB-1E1B-99C7-C909CB0F78D3}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"gccehgpngdcogmpmaeidhjfknjeongaldolnfaoemimoaakfmcglplipjkocfmmjffdpggaifdefcj"=hex:6c,
   61,69,70,6d,69,66,6f,64,67,70,63,69,63,6f,65,64,6f,70,6a,70,61,64,6a,00,d3
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1156)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(332)
c:\windows\system32\WININET.dll
c:\program files\SlySoft\AnyDVD\ADvdDiscHlp1.dll
c:\documents and settings\williams\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\program files\Capture Express\QCAPHK.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\RunDLL32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Evernote\Evernote\EvernoteClipper.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2012-03-14  18:48:48 - machine was rebooted
ComboFix-quarantined-files.txt  2012-03-15 01:48
ComboFix2.txt  2012-03-14 07:41
.
Pre-Run: 453,330,964,480 bytes free
Post-Run: 453,238,620,160 bytes free
.
- - End Of File - - D9BCF3929EBFA64EA5B7C282145ABD9F

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2153
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #48 on: March 14, 2012, 11:44:02 PM »
Hi edw

At this point you should be able to get back online.  Let me do some research to see if I can find out what's not working.

Offline edw

  • Bronze Member
  • Posts: 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #49 on: March 15, 2012, 12:27:40 AM »
   Doesn't seem to be any change in the networking.  The adapter still shows as working normally in the device manager.

IPCONFIG /ALL    gives:

   Windows IP configuration.

  An internal error occurred: The request is not supported.

  Please contact Microsoft Product Support Services for further help.

  Additional information:  Unable to query host name.

PING localhost   gives:

Unable to contact IP driver: Error code 2.

   
  It appears the TCP/IP stack is still munged.


Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2153
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #50 on: March 15, 2012, 12:03:34 PM »
Hi edw

This tool is especially designed for repairing internet connectivity after ZeroAccess.

1.  Please download Farbar Service Scanner and run it on the computer with the issue.

2.  Make sure the following options are checked:

Internet Services
Windows Firewall
System Restore
Security Center
Windows Update
Windows Defender

3.  Click Scan.

It will create a log (FSS.txt) in the same directory the tool is run.


Remember to be sure Word Wrap is NOT turned on in any Notepad files you post and to be sure and check that all the data you entered was posted. 

Now please post the following to me as a reply to this post:
FSS.txt
Let me know how your computer is operating
If you have any other questions or problems, let me know that as well


Offline edw

  • Bronze Member
  • Posts: 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #51 on: March 15, 2012, 01:10:19 PM »
  I'll do that when I get home.  In the meantime I found the following thread describing how to install Microsoft Recovery Panel using Combofix and no internet.

http://forums.techguy.org/virus-other-malware-removal/1032865-internet-wont-work-after-removing.html


Offline edw

  • Bronze Member
  • Posts: 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #52 on: March 15, 2012, 07:31:56 PM »
  Here's the FSS results:

Farbar Service Scanner Version: 01-03-2012
Ran by williams (administrator) on 15-03-2012 at 18:27:48
Running from "R:\"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
DNE(8) Gpc(3) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000060000000700000008000000
Attention! IpSec Tag value should be 5. Attention! IpSec Tag value is missing and it should be 5.

**** End of log ****

Offline edw

  • Bronze Member
  • Posts: 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #53 on: March 15, 2012, 07:58:45 PM »
  Is this what's damaged?


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
  00,73,00,79,00,73,00,00,00
"Group"="PNP_TDI"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Enum]
"0"="Root\\LEGACY_IPSEC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Offline edw

  • Bronze Member
  • Posts: 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #54 on: March 16, 2012, 12:19:08 AM »
  Hi Bear:

My googling suggests I need to import this into the registry to fix the problem reported by FSS:
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"Tag"=dword:00000005

  Do you concur?

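As an added example (not code from the thread or from Farbar Service Scanner), here is the check FSS performs in its "Extra List" and the fix edw proposes, worked in Python. It assumes the hex line in the FSS log is the REG_BINARY `GroupOrderList\PNP_TDI` value (a little-endian DWORD count followed by one DWORD load tag per slot); the service-to-tag pairs and the expected tag for IPSec are constructed from the values quoted in the log.

```python
"""Cross-check PNP_TDI load tags against the GroupOrderList and emit a .reg fix.

Added example, not part of the forum thread or of FSS. The GroupOrderList
format assumed here: DWORD count, then `count` DWORD tags, little-endian.
"""
import struct

# Constructed from the FSS "Extra List" line (assumed GroupOrderList\PNP_TDI).
GROUP_ORDER_HEX = (
    "0x080000000500000001000000020000000300000004000000060000000700000008000000"
)

# Constructed from "DNE(8) Gpc(3) NetBT(6) PSched(7) Tcpip(4)" in the log.
# IPSec is in the PNP_TDI group but has no Tag value after the infection,
# which is what FSS flags; None models the missing registry value.
PNP_TDI_SERVICES = {
    "DNE": 8, "Gpc": 3, "NetBT": 6, "PSched": 7, "Tcpip": 4, "IPSec": None,
}

# Expected tags for the services FSS checks; IPSec = 5 is the value FSS
# reports as required in this thread, the rest are as reported in the log.
EXPECTED_TAGS = {"Tcpip": 4, "Gpc": 3, "NetBT": 6, "PSched": 7, "DNE": 8, "IPSec": 5}


def parse_group_order(hex_value: str) -> list[int]:
    """Decode a GroupOrderList value into its ordered list of load tags."""
    digits = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(digits)
    if len(raw) < 4 or len(raw) % 4:
        raise ValueError("GroupOrderList value must be a whole number of DWORDs")
    count = struct.unpack_from("<I", raw, 0)[0]
    if len(raw) != 4 + 4 * count:
        raise ValueError(f"count {count} does not match {len(raw)} bytes of data")
    return list(struct.unpack_from(f"<{count}I", raw, 4))


def find_tag_problems(order: list[int], services: dict, expected: dict) -> list[dict]:
    """Report every service whose Tag is missing, wrong, or absent from the order list."""
    problems = []
    for name, want in expected.items():
        have = services.get(name)
        if have == want and want in order:
            continue  # tag present, matches, and has a slot in the group order
        problems.append({
            "service": name,
            "reported": have,
            "expected": want,
            # A fix that only re-adds Tag is sound if the order list still has the slot.
            "slot_in_list": want in order,
        })
    return problems


def build_reg_fix(problems: list[dict]) -> str:
    """Render a .reg file that restores the missing Tag values (same form as edw's)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for p in problems:
        if not p["slot_in_list"]:
            continue  # the GroupOrderList itself is damaged; Tag alone will not fix load order
        lines.append(f"[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\{p['service']}]")
        lines.append(f'"Tag"=dword:{p["expected"]:08x}')
        lines.append("")
    return "\n".join(lines)


def report() -> str:
    """Run the check over the constructed data and return the .reg text."""
    order = parse_group_order(GROUP_ORDER_HEX)
    problems = find_tag_problems(order, PNP_TDI_SERVICES, EXPECTED_TAGS)
    for p in problems:
        print(f"{p['service']}: Tag is {p['reported']}, should be {p['expected']}")
    return build_reg_fix(problems)


if __name__ == "__main__":
    print(report())
```

The decoded order list is [5, 1, 2, 3, 4, 6, 7, 8]: slot 5 exists but no service claims it, so re-adding Tag=5 to IPSec is consistent with the group order rather than a guess.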

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2153
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #55 on: March 16, 2012, 01:43:36 AM »
Hi edw

Yes, copy the code in the code box in your post into Notepad.  Name the file ipsecfix.reg and save it to your desktop.  Double click on ipsecfix.reg.
Let me know how your internet connection is working.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline edw

  • Bronze Member
  • Posts: 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #56 on: March 16, 2012, 08:56:11 AM »
 Hey bear!!

   Ran the regfix, turned on Microsoft Essentials, rebooted and I have Internet!  I updated Microsoft Essentials and Java.

   Now for cleanup and making sure there's nothing left on the machine....

             Ed

Offline edw

  • Bronze Member
  • Posts: 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #57 on: March 16, 2012, 09:53:58 AM »
  I also did the Microsoft Security Updates I'd missed:

Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2641653)
Update Rollup for ActiveX Killbits for Windows XP (KB2647518)
Windows Malicious Software Removal Tool - March 2012 (KB890830)

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition


 I'll be away from this computer until Sunday evening - then I'll proceed with whatever clean-up you suggest.  Thanks.

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2153
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #58 on: March 16, 2012, 12:35:37 PM »
Hi edw

Wow, that was a tough one but we get them in the end.  Two more steps.  First let's run a couple of good scans and make sure we have it all.

1.  Update Malwarebytes Anti-Malware and run a full system scan.

2.  Download ESET Online Scanner and save it to your desktop.

3.  Double-click on esetsmartinstaller and then click Run.  Click Yes on the license and then Start.

4.  Be sure that ONLY the following items are checked:
   Remove found threats
   Scan for potentially unwanted applications
   Enable Anti-Stealth technology

Click Start.

It may take some time for the virus definitions to download and the scan to finish.  Do not click on the interface, download or install anything until the scan completes.  When the scan completes click Finish.

5.  Navigate to the following file path, C:\Program Files\ESET\ESET Online Scanner, and double-click on the log.txt file.  Click File/Save As and name the file ESETLog.txt and save it to your desktop.

As always please be sure Word Wrap is disabled in Notepad.  Also be sure to check that the data you posted was not cut off by the site's posting size limits.

Please post the following as a reply to this post:
MBAM Log
ESETLog.txt
How your computer is working
Any problems or questions



Offline edw

  • Bronze Member
  • Posts: 38
Re: [In Progress B] Fallout from "Smart Fortress 2012" cleanup.
« Reply #59 on: March 18, 2012, 11:02:40 AM »
  Microsoft Security Essentials found "Rogue:Win32/WinWebSec" - I let it delete it.

 1)  Ran Malwarebytes.  It found four items, only one real one, probably.  One was the quarantined TDSS files, another some old copies of ssh-keygen.  I didn't delete the latter.

 2) Downloaded and ran ESET.  It appears to conflict with MSE running.  MSE meanwhile found some old versions of VNC, which were installed by me, but I let it delete them.  Turned off MSE, then ESET would run after rebooting.  It took a long time...  When I returned the computer was asleep; on awakening it, ESET had stopped, claiming the user had stopped it!  I'll try it again, but here are the logs:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.18.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
williams :: ASUS-I7-XP [administrator]

3/17/2012 10:31:19 PM
mbam-log-2012-03-17 (22-31-19).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 937567
Time elapsed: 2 hour(s), 52 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
D:\Drivesavers\Drive_L\Programs\Fsecure-ssh\Program\Keygen.exe (RiskWare.Tool.CK) -> No action taken.
D:\Drivesavers\Drive_L\Programs\Fsecure-ssh\v1\Program\Keygen.exe (RiskWare.Tool.CK) -> No action taken.
C:\System Volume Information\_restore{F57F332A-A768-4738-A936-C4250AB401AF}\RP1118\A0101300.dll (Trojan.Scar) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\12.03.2012_22.13.27\mbr0000\tdlfs0000\tsk0006.dta (Rootkit.Agent.Gen) -> Quarantined and deleted successfully.

(end)


ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=1
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=667d18fa43a0b543890b2c048da2c6ca
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-03-18 04:38:56
# local_time=2012-03-18 09:38:56 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5891 16776869 42 87 0 28840814 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=155484
# found=3
# cleaned=3
# scan_time=3591
C:\Program Files\eudora51\data\attach\bill9.zip   probably a variant of Win32/TrojanDownloader.Agent.IVEHRZQ trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Program Files\eudora51\data\attach\PayPaI_Limited_Form.html   HTML/Phishing.Gen trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Program Files\Nero\Nero-8.1.1.0_eng_trial_wch.exe   Win32/Toolbar.AskSBar application (deleted - quarantined)   00000000000000000000000000000000   C