
Solved Rootkit Help

Discussion in 'Malware and Virus Removal Archive' started by troothteller, 2015/07/31.

Thread Status:
Not open for further replies.
  1. 2015/08/01
    troothteller

    troothteller Well-Known Member Thread Starter

    Joined:
    2010/12/06
    Messages:
    141
    Likes Received:
    0
    Results of screen317's Security Check version 1.006
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````Antivirus/Firewall Check:``````````````
    Baidu Antivirus
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    AOL Spyware Protection
    SpywareBlaster 5.2
    SUPERAntiSpyware
    Secunia PSI
    Java 8 Update 51
    Adobe Flash Player 18.0.0.194
    Adobe Reader XI
    Mozilla Firefox (39.0)
    ````````Process Check: objlist.exe by Laurent````````
    Privatefirewall 6.1 pfsvc.exe
    Baidu Security Baidu Antivirus 5.6.3.186847.0 BavSvc.exe
    Baidu Security Baidu Antivirus 5.6.3.186847.0 BHipsSvc.exe
    Baidu Security Baidu Antivirus 5.6.3.186847.0 BavTray.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 10%
    ````````````````````End of Log``````````````````````
     
  2. 2015/08/01
    troothteller
    broni, I think Temp File Cleaner restarts whether or not you choose. Programs like that I do not use regularly.
     
  4. 2015/08/01
    troothteller
    Farbar Service Scanner Version: 26-07-2015
    Ran by Louis Paul Toscano (administrator) on 01-08-2015 at 21:34:31
    Running from "C:\Documents and Settings\Louis Paul Toscano\Desktop "
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.


    Firewall Disabled Policy:
    ==================
    "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall" registry value does not exist.


    System Restore:
    ============

    System Restore Policy:
    ========================


    Security Center:
    ============


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Other Services:
    ==============
    Checking ServiceDll of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.



    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\afd.sys => File is digitally signed
    C:\WINDOWS\system32\Drivers\netbt.sys => File is digitally signed
    C:\WINDOWS\system32\Drivers\tcpip.sys => File is digitally signed
    C:\WINDOWS\system32\Drivers\ipsec.sys => File is digitally signed
    C:\WINDOWS\system32\dnsrslvr.dll => File is digitally signed
    C:\WINDOWS\system32\ipnathlp.dll => File is digitally signed
    C:\WINDOWS\system32\netman.dll => File is digitally signed
    C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
    C:\WINDOWS\system32\srsvc.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\sr.sys => File is digitally signed
    C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
    C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
    C:\WINDOWS\system32\wuauserv.dll => File is digitally signed
    C:\WINDOWS\system32\qmgr.dll => File is digitally signed
    C:\WINDOWS\system32\es.dll => File is digitally signed
    C:\WINDOWS\system32\cryptsvc.dll => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed

    Extra List:
    =======
    Gpc(6) IPSec(4) NetBT(5) PSched(7) pwipf6(12) Tcpip(3)
    0x100000000400000001000000020000000300000005000000060000000700000008000000090000000A0000000B0000000D0000000E0000000C0000000F00000010000000
    IpSec Tag value is correct.

    **** End of log ****
     
  5. 2015/08/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  6. 2015/08/01
    troothteller
    broni, Sophos isn't doing anything. It just opens a white window and hangs. OK, now it's going. It was past 10 PM when I started Sophos, so I went to bed. Now that I am up, I went to the computer to finish the run and the screen went blank. I only touched the touch pad to bring the screen up. It came up for a second and went blank. After hitting the power button to try to bring up the screen, it powered up. I am leaving to attend church, but I restarted Sophos. Before bringing Windows up, I put the computer in Safe Mode. While there, Temp File Cleaner did not find anything.
     
    Last edited: 2015/08/02
  7. 2015/08/02
    troothteller
    Sophos ran, showing the result "Your system ran clean." I assume that it did not produce a log; however, I took a screenshot. This caused much concern over nothing because of the time my system seems to rule over me. Today, for example, because of the previous crash, I came back from an eatery en route to church just to check on this program.
     
  8. 2015/08/02
    broni
    Update Adobe Flash Player: http://get.adobe.com/flashplayer/
    Make sure you UN-check "Yes, install McAfee Security Scan Plus".

    NOTE 1: Beginning with Adobe Flash Version 11.3, the universal installer includes the 32-bit and 64-bit versions of the Flash Player.
    NOTE 2: While installing make sure you UN-check any extra garbage which wants to install alongside.

    ===============================

    Your computer is clean

    1. This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
    This is a very crucial step so make sure you don't skip it.
    Download DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

    Double-click Delfix.exe to start the tool.
    Make sure the following items are checked:
    • Activate UAC (optional; some users prefer to keep it off)
    • Remove disinfection tools
    • Create registry backup
    • Purge System Restore
    • Reset system settings
    Now click "Run" and wait patiently.
    Once finished a logfile will be created. You don't have to attach it to your next reply.

    2. Make sure Windows Updates are current.

    3. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    4. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Scan without installing plugin" and then on "Scan now")

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly (you need to redownload these tools since they were removed by DelFix).

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    11. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
    About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings: http://www.bleepingcomputer.com/for...curity-questions-best-practices/#entry3187642

    12. Please, let me know, how your computer is doing.
     
  9. 2015/08/02
    troothteller
    While I was away from my computer for the morning and afternoon, Baidu Antivirus ran and found Adware.Win32.OpenCandy.C, which it deleted. Then, according to my weekly routine, I ran SAS, which ran clean. What should I do about Recovery Console? Also, do you concur that RAS Async Adapter should go? If so, how? I noticed that the Sophos program is still on. Also, I still have the problem of Windows Firewall settings not coming up.
     
    Last edited: 2015/08/02
  10. 2015/08/02
    broni
    What about Recovery Console?

    I'd leave RAS Async Adapter alone. Why does it bother you?
     
  11. 2015/08/02
    troothteller
    Specifically, I meant should I leave Recovery Console on? The RAS Async Adapter with its yellow "!" was the problem I tried to fix that led to this thread. There seems to be some agreement that I don't need this; but Control Panel tries to connect with Internet Connection Sharing when I try to view Windows Firewall settings. The settings show Firewall on; but I would like to turn it off, which Control Panel is not allowing. Right now I have the RAS Async Adapter disabled. I believe it is corrupted. It neither uninstalls nor updates. Doesn't it occupy system resources?
     
  12. 2015/08/02
    broni
    No. Since you disabled it.
    Yes keep Recovery Console.
    Some day you may need it in case your computer won't boot up for whatever reason.
     
  13. 2015/08/03
    troothteller
    broni, my Windows XP now boots up more slowly. Also, do you concur with those who think I need a clean install of Windows XP?
     
    Last edited: 2015/08/03
  14. 2015/08/03
    broni
    Some people do reinstall and it may help with speeding XP up, but only for a while.
    Once you reinstall everything and use your computer for a few months, things will be back to where they were before.
    Is it worth the hassle? Not to me.
    If you really want to have your computer up 30 seconds after you push the power button, feel free to reinstall :)
    IMHO.
     
  15. 2015/08/03
    troothteller
    broni, I now have Recovery Console, which I did not have before; I suspect that it slows down my computer, and I do not know how to uninstall it. Can we use it to remove RAS Async Adapter? If you know, then please share. After all, this thread is leaving me with an inconvenience and the same problem that led to its creation.
     
  16. 2015/08/03
    broni
    Recovery Console has nothing to do with your computer speed.
    It only delays your startup for a second or two.
    I don't think it's some extraordinary hardship.
    It's there as you may need it one day.

    As for RAS Async Adapter...

    In this forum, we make sure your computer is free of malware and clean :)
    Because access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
    You'll get more attention.

    Good luck :)
     
  17. 2015/08/03
    troothteller
    We are back where we started. I already started two threads under Networking. The first one the moderator abandoned, and his advice was a new Windows installation. On the second I have had to go out of my way to describe my basic network. Besides, we still have the problem of not being able to bring up Windows Firewall settings so I can turn it off, which I never turned on.
     
  18. 2015/08/03
    broni
    We can probably fix your firewall issue here. As for the rest, different forum please.

    The following steps involve registry editing. Please create a new restore point before proceeding!!!
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    Download RemoteAccess.reg file from here: http://download.bleepingcomputer.com/win-services/xp/RemoteAccess.reg
    Double click on RemoteAccess.reg file and confirm the prompt.

    Download SharedAccess.reg file from here: http://download.bleepingcomputer.com/win-services/xp/SharedAccess.reg
    Double click on SharedAccess.reg file and confirm the prompt.

    Restart computer.
    Post new FSS log.
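
The following is an added example, not code from the thread, from Farbar Service Scanner, or from the linked .reg files. It is a PowerShell script that repeats the checks FSS reported on in the log above (the SharedAccess service configuration, the missing RemoteAccess service key, and the EnableFirewall value) so the effect of importing the two .reg files can be confirmed before the new FSS log is posted. It assumes PowerShell 2.0 or later is installed on the XP machine, that both services are svchost-hosted in the netsvcs group, and that the XP defaults are ServiceDll ipnathlp.dll with Start=2 for SharedAccess and ServiceDll mprdim.dll with Start=3 or 4 for RemoteAccess; the function names are this example's own.

```powershell
# Added example (not from the thread, FSS, or the .reg files): re-run the checks
# FSS reported on above, before and after importing RemoteAccess.reg/SharedAccess.reg.
# Assumes PowerShell 2.0+ on XP and the default XP service layout noted per entry.

$ExpectedServices = @{
    # Windows Firewall/ICS: Automatic start, hosted in svchost netsvcs, ipnathlp.dll
    'SharedAccess' = @{ Start = @(2);   Dll = 'ipnathlp.dll' }
    # Routing and Remote Access: Manual or Disabled depending on the .reg used, mprdim.dll
    'RemoteAccess' = @{ Start = @(3,4); Dll = 'mprdim.dll' }
}

function Test-ServiceKey {
    param([string]$Name, [int[]]$ExpectedStart, [string]$ExpectedDll)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        # This is the condition FSS printed for RemoteAccess in the log above
        return "ATTENTION: $Name service key does not exist"
    }
    $svc    = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $params = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
    $issues = @()
    if ($ExpectedStart -notcontains [int]$svc.Start) {
        $issues += "Start=$($svc.Start) (expected $($ExpectedStart -join ' or '))"
    }
    # Both services run inside svchost.exe in the netsvcs group on XP
    if ([string]$svc.ImagePath -notmatch 'svchost\.exe -k netsvcs$') {
        $issues += "ImagePath='$($svc.ImagePath)'"
    }
    $dll = [string]$params.ServiceDll
    if ($dll -eq '' -or (Split-Path -Path $dll -Leaf) -ne $ExpectedDll) {
        $issues += "ServiceDll='$dll' (expected $ExpectedDll)"
    }
    $status = (Get-Service -Name $Name -ErrorAction SilentlyContinue).Status
    if ($issues.Count -eq 0) { return "$Name configuration OK; service is $status" }
    return "ATTENTION: $Name " + ($issues -join '; ') + "; service is $status"
}

function Test-FirewallPolicy {
    # Same value FSS lists under "Firewall Disabled Policy". Absent is the XP SP2+
    # default (firewall on); 0 means something has switched the firewall off.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $p = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($p -eq $null) { return 'EnableFirewall value does not exist (default: firewall on)' }
    if ($p.EnableFirewall -eq 0) { return 'ATTENTION: EnableFirewall=0 (firewall switched off)' }
    return "EnableFirewall=$($p.EnableFirewall) (firewall on)"
}

function Invoke-ServiceCheck {
    foreach ($name in $ExpectedServices.Keys) {
        $e = $ExpectedServices[$name]
        Test-ServiceKey -Name $name -ExpectedStart $e.Start -ExpectedDll $e.Dll
    }
    Test-FirewallPolicy
}

Invoke-ServiceCheck
```

Run it once before importing, then import each file (double-click it, or regedit /s RemoteAccess.reg from an elevated prompt), restart, and run it again; an ATTENTION line for RemoteAccess means the key is still absent, and a Stopped SharedAccess is what keeps the Windows Firewall applet from opening. The script does not reproduce the File Check section of the FSS log: most XP system binaries are catalog-signed rather than carrying an embedded signature, and Get-AuthenticodeSignature in PowerShell 2.0 does not consult catalog files, so it would report those files as NotSigned even when they are intact.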
     
  19. 2015/08/03
    troothteller
    Thank you, broni! I just made a System Restore point and, as I have done for about three years, added a new Registry Backup to my archive. Now, I am going to try your last series of steps. One question I must ask before I proceed: do these downloads go to the Desktop, or can they run from the normal Downloads folder where they usually go?
     
    Last edited: 2015/08/03
  20. 2015/08/03
    broni
    You can run them from any location.
     
  21. 2015/08/03
    troothteller
    Thanks, broni; here goes!
     