
Thread: ZeroAccess or more

  1. #11
    Member
    Join Date
    Oct 2007
    Posts
    38


    I found another issue today, which is that other PCs can't see this PC on my network and the Network tools won't run. But I can see the other PCs and open files; also I can print to my network printer.

    Here's the net.txt:

    AppMgmt
    AudioSrv
    BITS
    Browser
    CryptSvc
    Dhcp
    dmserver
    ERSvc
    FastUserSwitchingCompatibility
    helpsvc
    HidServ
    hkmsvc
    LanmanServer
    lanmanworkstation
    Messenger
    napagent
    Nla
    NtmsSvc
    RasAuto
    RasMan
    RemoteAccess
    Schedule
    seclogon
    SharedAccess
    ShellHWDetection
    srservice
    TapiSrv
    Themes
    TrkWks
    W32Time
    winmgmt
    Wmi
    wscsvc
    wuauserv
    WZCSVC
    xmlprov

  2. #12
    Senior Member
    Join Date
    Sep 2010
    Posts
    631


    jm1223,

    Please download DDS and transfer it to the sick computer's desktop.
    • Disable any script blocking protection
    • Double click dds.scr to run the tool.
    • When done, DDS.txt will open. An additional log called Attach.txt should appear minimized on the task bar.
    • Save both reports to your desktop before closing the DDS window.


    Do the same with SystemLook from one of the links below
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield
    • Do not copy the word CODE , please note the script starts with the :
      Code:
      :reg
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    Member of UNITE and ASAP

  3. #13
    Member
    Join Date
    Oct 2007
    Posts
    38


    I wasn't sure if you needed the McAfee and TeaTimer turned off. So they are on.

    Here's the DDS Report with the attached Attach.zip, and the SystemLook Report:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Jack at 7:34:43 on 2012-06-20
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3039.2347 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    C:\WINDOWS\system32\hasplms.exe
    C:\WINDOWS\system32\HLS32SVC.EXE
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\Program Files\McAfee Online Backup\MOBKbackup.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\McAfee\MAT\McPvTray.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\CodeMeter\Runtime\bin\CodeMeterCC.exe
    E:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    uURLSearchHooks: YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120613115349.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [QuickTime Task] "e:\program files\quicktime\qttask.exe" -atboottime
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [McPvTray_exe] "c:\program files\mcafee\mat\McPvTray.exe"
    StartupFolder: c:\docume~1\jack\startm~1\programs\startup\acroba~1.lnk - e:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
    StartupFolder: c:\docume~1\jack\startm~1\programs\startup\adobea~1.lnk - e:\program files\adobe\acrobat 6.0\acrobat\Acrobat.exe
    StartupFolder: c:\docume~1\jack\startm~1\programs\startup\adxprod.lnk - m:\xcel\AdxProd.xls
    StartupFolder: c:\docume~1\jack\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{90120000-0030-0000-0000-0000000ff1ce}\outicon.exe
    StartupFolder: c:\docume~1\jack\startm~1\programs\startup\outloo~1.lnk - c:\program files\outlook express\msimn.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - e:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\codeme~1.lnk - c:\program files\codemeter\runtime\bin\CodeMeterCC.exe
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office Outlook 2007.lnk.disabled
    IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{F6C99A06-8442-4196-B396-5CA6B6360D60} : DhcpNameServer = 192.168.1.1
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\winfax\WfxSeh32.Dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2012-6-13 64048]
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2012-2-22 464304]
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
    R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2010-12-15 17792]
    R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2010-12-8 13696]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2012-6-13 89792]
    R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2012-6-13 54776]
    R1 MpKsl67e1f605;MpKsl67e1f605;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c8a4ff0-8981-456a-81fc-f7efc3f79402}\MpKsl67e1f605.sys [2012-6-20 29904]
    R2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\codemeter\runtime\bin\CodeMeter.exe [2011-7-6 2304912]
    R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
    R2 HLServer;HL-Server;c:\windows\system32\HLS32SVC.EXE [2010-12-9 327680]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-6-13 214904]
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-6-13 214904]
    R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-6-13 214904]
    R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-6-13 214904]
    R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2012-6-13 166288]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2012-6-13 161632]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-6-13 151880]
    R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-6-13 57600]
    R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2010-12-16 18864]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2012-6-13 180848]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2012-6-13 59456]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-6-13 340920]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2012-6-13 83856]
    R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2010-12-8 80256]
    R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [2010-12-8 70016]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-5-30 136176]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-11 257696]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-12-8 1684736]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-5-30 136176]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2012-6-13 83856]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-6-13 87656]
    S3 PaUSB;Panasonic LightPix USB Driver Ver.1.0;c:\windows\system32\drivers\pausb.sys [2010-12-15 12416]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-13 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    UnknownUnknown MpKslb6704a0f;MpKslb6704a0f; [x]
    .
    =============== File Associations ===============
    .
    .scr=DWGTrueViewScriptFile
    .
    =============== Created Last 30 ================
    .
    2012-06-20 11:52:32 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c8a4ff0-8981-456a-81fc-f7efc3f79402}\MpKsl67e1f605.sys
    2012-06-20 11:47:33 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c8a4ff0-8981-456a-81fc-f7efc3f79402}\offreg.dll
    2012-06-20 11:47:05 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c8a4ff0-8981-456a-81fc-f7efc3f79402}\MpKslb6704a0f.sys
    2012-06-20 11:27:48 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c8a4ff0-8981-456a-81fc-f7efc3f79402}\MpKslfe0dfddc.sys
    2012-06-19 17:14:20 6762896 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c8a4ff0-8981-456a-81fc-f7efc3f79402}\mpengine.dll
    2012-06-19 16:49:15 5904 ----a-w- c:\windows\system32\Autoexnt.exe
    2012-06-19 16:49:15 2364 ----a-w- c:\windows\system32\1.reg
    2012-06-19 16:49:15 2320 ----a-w- c:\windows\system32\Servmess.dll
    2012-06-19 16:49:15 175 ----a-w- c:\windows\system32\Autoexnt.bat
    2012-06-19 16:49:14 34064 ----a-w- c:\windows\system32\Instexnt.exe
    2012-06-18 16:35:23 6737808 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2012-06-18 13:14:31 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
    2012-06-18 12:14:04 -------- d-sha-r- C:\cmdcons
    2012-06-18 12:09:30 518144 ----a-w- c:\windows\SWREG.exe
    2012-06-18 12:09:30 256000 ----a-w- c:\windows\PEV.exe
    2012-06-18 12:09:30 208896 ----a-w- c:\windows\MBR.exe
    2012-06-18 12:09:29 98816 ----a-w- c:\windows\sed.exe
    2012-06-13 13:10:02 -------- d-----w- c:\program files\McAfeeMOBK
    2012-06-13 13:09:52 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
    2012-06-13 13:09:39 -------- d-----w- c:\program files\McAfee Online Backup
    2012-06-13 13:08:54 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
    2012-06-13 13:08:46 -------- d-----w- c:\documents and settings\jack\local settings\application data\McAfee Anti-Theft
    2012-06-13 13:08:03 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2012-06-13 13:07:58 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2012-06-13 13:07:58 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2012-06-13 13:07:58 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2012-06-13 13:07:58 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2012-06-13 13:07:58 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2012-06-13 13:07:58 340920 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2012-06-13 13:07:58 180848 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2012-06-13 13:07:56 -------- d-----w- c:\program files\common files\Mcafee
    2012-06-13 13:07:55 -------- d-----w- c:\program files\McAfee.com
    2012-06-13 13:07:43 -------- d-----w- c:\program files\McAfee
    2012-06-13 12:53:59 151880 ----a-w- c:\windows\system32\mfevtps.exe
    2012-06-13 12:10:45 -------- d-----w- c:\documents and settings\jack\application data\pchc
    2012-06-12 15:57:35 -------- d-----w- c:\documents and settings\jack\application data\FixZeroAccess
    2012-06-11 14:41:30 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-06-11 14:37:16 -------- d-----w- c:\program files\Microsoft Security Client
    2012-06-07 12:18:47 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2012-06-07 12:18:47 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-06-01 14:22:39 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
    2012-06-01 14:22:39 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
    2012-05-30 13:15:01 -------- d-----w- c:\documents and settings\jack\local settings\application data\Temp
    2012-05-30 13:10:36 -------- d-----w- c:\documents and settings\jack\local settings\application data\Google
    .
    ==================== Find3M ====================
    .
    2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
    2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
    2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
    2012-05-07 11:53:41 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-05-07 11:53:40 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2001-08-23 11:00:00 94784 --sh--w- c:\windows\twain.dll
    2008-04-14 04:42:08 50688 --sh--w- c:\windows\twain_32.dll
    2011-02-08 13:33:55 978944 --sha-w- c:\windows\system32\mfc42.dll
    2008-04-14 04:42:02 57344 -csh--w- c:\windows\system32\msvcirt.dll
    2008-04-14 04:42:02 413696 --sh--w- c:\windows\system32\msvcp60.dll
    2010-12-20 17:32:15 551936 --sh--w- c:\windows\system32\oleaut32.dll
    2008-04-14 04:42:34 11776 --sh--w- c:\windows\system32\regsvr32.exe
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST350041 rev.CC38 -> Harddisk1\DR1 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll ACPI.sys SCSIPORT.SYS nvgts.sys
    c:\windows\system32\drivers\iomdisk.sys Iomega Corporation Microsoft(R) Windows NT(R) Operating System
    c:\windows\system32\drivers\nvgts.sys NVIDIA Corporation NVIDIA nForce(TM) SATA Driver
    1 ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Harddisk1\DR1[0x8B42E810]
    3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> [0x8B42ED78]
    5 iomdisk[0xBA340BC3] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\0000006f[0x8B3E1808]
    7 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Scsi\nvgts1Port2Path1Target1Lun0[0x8B3E1A38]
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    user != kernel MBR !!!
    .
    ============= FINISH: 7:35:35.73 ===============




    SystemLook 30.07.11 by jpshortstuff
    Log created at 07:40 on 20/06/2012 by Jack
    Administrator - Elevation successful

    ========== reg ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    "HTTPFilter"="HTTPFilter"
    "LocalService"="Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV"
    "NetworkService"="DnsCache"
    "netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov napagent hkmsvc BITS wuauserv ShellHWDetection helpsvc WmdmPmSN"
    "DcomLaunch"="DcomLaunch TermService"
    "rpcss"="RpcSs"
    "eapsvcs"="eaphost"
    "dot3svc"="dot3svc"
    "imgsvc"="StiSvc"
    "termsvcs"="TermService"
    "WudfServiceGroup"="WUDFSvc"
    "WINRM"="WINRM"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\DComLaunch]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\dot3svc]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\eapsvcs]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\HTTPFilter]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalService]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\PCHealth]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\termsvcs]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]


    -= EOF =-

  4. #14
    Senior Member
    Join Date
    Sep 2010
    Posts
    631


    Hi jm1223,

    Download the attached zip file, fix.zip and save it to your desktop. Extract the contents to your desktop.

    You should now have a file on your desktop named myfix.reg with an icon like this

    Right click the file and click merge. Accept any warnings.

    Reboot your computer. Are any of the issues still present?

    Rerun Farbar Service Scanner with the same settings as before and post the log.

    Thanks
    Member of UNITE and ASAP

  5. #15
    Member
    Join Date
    Oct 2007
    Posts
    38


    No change I can see. The Network Connects won't display and when you refresh you get: Please make sure that the Network Connections Service is enabled and running.
    Also the Network Connection Wizard will not start.

    The Windows Firewall is on but if you double click on it you get: Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) Service.

    Attached is the latest FSS Report:


    Farbar Service Scanner Version: 19-06-2012
    Ran by Jack (administrator) on 21-06-2012 at 07:27:19
    Running from "C:\Documents and Settings\Jack\Desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.

    netman Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    Srservice Service is not running. Checking service configuration:
    The start type of Srservice service is OK.
    The ImagePath of Srservice service is OK.
    The ServiceDll of Srservice service is OK.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit


    **** End of log ****
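
The Farbar Service Scanner report above distinguishes two failure states: a stopped service whose configuration checks all read OK (sharedaccess, Srservice) and a stopped service whose registry key is missing altogether (netman). The following is an added example, not part of the original posts and not FSS's own code, that parses a log in this layout and separates the two; the sample log is constructed from lines in the report, the function names are hypothetical, and treating any file verdict other than "legit" as needing review is an assumption.

```python
import re

# Constructed sample in the layout of the FSS report posted above (shortened).
SAMPLE_LOG = r"""Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

netman Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.


File Check:
========
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
"""

UNDERLINE_RE = re.compile(r"^=+$")
NOT_RUNNING_RE = re.compile(r"^(?P<svc>\S+) Service is not running\.")
OK_RE = re.compile(
    r"^The (?P<field>start type|ImagePath|ServiceDll) of (?P<svc>\S+) service is OK\.$")
ATTENTION_RE = re.compile(
    r"^Checking (?P<field>Start type|ImagePath|ServiceDll): ATTENTION!=====> (?P<msg>.+)$")
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is (?P<verdict>.+)$")


def parse_fss(text):
    """Return stopped services (with per-field check results) and file verdicts."""
    lines = [ln.strip() for ln in text.splitlines()]
    services, files, section, current = [], {}, None, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # A section title is a line ending in ':' that is underlined with '='.
        if line.endswith(":") and UNDERLINE_RE.match(nxt):
            section, current = line[:-1], None
            continue
        m = NOT_RUNNING_RE.match(line)
        if m:
            current = {"service": m["svc"], "section": section, "checks": {}}
            services.append(current)
            continue
        m = OK_RE.match(line)
        if m and current is not None and m["svc"].lower() == current["service"].lower():
            current["checks"][m["field"].lower()] = "OK"
            continue
        m = ATTENTION_RE.match(line)
        if m and current is not None:
            current["checks"][m["field"].lower()] = m["msg"]
            continue
        m = FILE_RE.match(line)
        if m:
            files[m["path"]] = m["verdict"]
    return {"services": services, "files": files}


def triage(report):
    """Split stopped services into 'config intact' and 'registry damaged'."""
    findings = []
    for svc in report["services"]:
        bad = sorted(f for f, result in svc["checks"].items() if result != "OK")
        if bad:
            findings.append((svc["service"], "registry configuration damaged", bad))
        else:
            findings.append((svc["service"], "stopped, configuration intact", []))
    for path, verdict in report["files"].items():
        if verdict != "legit":  # assumption: anything else needs manual review
            findings.append((path, "file verdict: " + verdict, []))
    return findings


if __name__ == "__main__":
    for name, status, fields in triage(parse_fss(SAMPLE_LOG)):
        print(f"{name}: {status} {fields if fields else ''}".rstrip())
```

A service reported as "registry configuration damaged" cannot be started from services.msc because its key no longer exists, so the key has to be restored first; a service that is only stopped with intact configuration is usually blocked by a dependency.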

  6. #16
    Senior Member
    Join Date
    Sep 2010
    Posts
    631


    Hi jm1223,

    Seems I missed adding one to the last fix you ran. Download the attached zip file and run it the same way you ran the last one. When you extract the contents the file will be named netman.reg


    After you have completed the above do this. Click start > run. In the run box copy and paste the following and hit enter

    services.msc

    When the services console opens scroll down to System Restore Service
    • right click on it and click properties
    • in the service status box click the start button
    What error, if any, do you receive?
    Last edited by oldman960; 2012-06-21 at 18:38.
    Member of UNITE and ASAP

  7. #17
    Member
    Join Date
    Oct 2007
    Posts
    38


    System Restore Service is not there.

    I ran a FSS report if it helps.

    Farbar Service Scanner Version: 19-06-2012
    Ran by Jack (administrator) on 21-06-2012 at 12:56:42
    Running from "C:\Documents and Settings\Jack\Desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.

    netman Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open netman registry key. The service key does not exist.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    Srservice Service is not running. Checking service configuration:
    The start type of Srservice service is OK.
    The ImagePath of Srservice service is OK.
    The ServiceDll of Srservice service is OK.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit


    **** End of log ****

  8. #18
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi jm1223,

    Let's give this one more shot. Download the attached zip. Extract the contents. The extracted content is a file named netman1.reg. Merge it like you did before and reboot. Windows Firewall/Internet Connection Sharing (ICS) Service OK now?

    After the reboot please rerun FSS.

    In services.msc, please tell me what is in the services that start with S.

    Thanks
    Member of UNITE and ASAP

  9. #19
    Member
    Join Date
    Oct 2007
    Posts
    38

    Default

    Now we're getting somewhere. Network Connections are back and I could run the Network Connection Wizard. The Windows Firewall will open now too.
    Just the System Restore will not open. Here is the list of "S" services I have:
    Secondary Logon: Started
    Security Accounts Manager: Started
    Sentinel HASP License Manager: Started
    Server: Started
    Shell Hardware Detection: Started
    Smart Card: Manual
    SSDP Discovery Service: Started


    Here is the latest FSS Report:


    Farbar Service Scanner Version: 19-06-2012
    Ran by Jack (administrator) on 22-06-2012 at 07:33:21
    Running from "C:\Documents and Settings\Jack\Desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============
    Srservice Service is not running. Checking service configuration:
    The start type of Srservice service is OK.
    The ImagePath of Srservice service is OK.
    The ServiceDll of Srservice service is OK.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit


    **** End of log ****

  10. #20
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi jm1223,

    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled*
    You have multiple antivirus programs running. This will lead to conflicts between the 2 and leave you with less protection. Since McAfee is a paid-for program and seems current, please uninstall Microsoft Security Essentials.

    Open FSS
    • In the Search box, copy and paste Srservice
    • Click the Export Service button
    Please post the log.
    Member of UNITE and ASAP
