
Author Topic: Virus or worm has disabled internet, hidden program and other files  (Read 43831 times)


padraig

    Topic Starter


    Beginner

  • a coward dies a million times, free men die once
    • Experience: Beginner
    • OS: Windows XP
    Re: Virus or worm has disabled internet, hidden program and other files
    « Reply #30 on: September 04, 2012, 06:28:40 AM »
    I am sorry but since the PC will not connect to the internet I cannot run an online scan

    I receive an error message "no connection to the internet is currently available." work offline is the only option

    Do I have to wipe this PC "clean" and start from scratch?

    I reran Security Check 317 and here is the log:

     Results of screen317's Security Check version 0.99.50 
     Windows XP Service Pack 3 x86   
     Internet Explorer 8 
    ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Disabled! 
    AVG Anti-Virus Free Edition 2012   
     Antivirus up to date! 
    `````````Anti-malware/Other Utilities Check:`````````
     SpywareBlaster 4.4   
     SUPERAntiSpyware Free Edition   
     CCleaner     
     Java(TM) 6 Update 29 
     Java version out of Date!
     Adobe Flash Player    11.3.300.270 
     Adobe Reader 9 Adobe Reader out of Date!
     Mozilla Firefox (14.0.1)
    ````````Process Check: objlist.exe by Laurent````````
     IObit IObit Malware Fighter IMFsrv.exe 
     PC Tools Firewall Plus FWService.exe   
     PC Tools Firewall Plus FirewallGUI.exe   
     iolo Common Lib ioloServiceManager.exe
    `````````````````System Health check`````````````````
     Total Fragmentation on Drive C:: 24% Defragment your hard drive soon! (Do NOT defrag if SSD!)
    ````````````````````End of Log``````````````````````









    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Virus or worm has disabled internet, hidden program and other files
    « Reply #31 on: September 04, 2012, 04:15:51 PM »
    Quote
    I am sorry but since the PC will not connect to the internet I cannot run an online scan

    I receive an error message "no connection to the internet is currently available." work offline is the only option

    Do I have to wipe this PC "clean" and start from scratch?
    Let's see if we can fix the connection problem.

    Please download MiniToolBox to Desktop and run it.



    Checkmark the following boxes:

      • Flush DNS
      • Report IE Proxy Settings
      • Reset IE Proxy Settings
      • List content of Hosts
      • List IP Configuration
      • List Last 10 Event Viewer Errors
      • List Users, Partitions and Memory Size
      Click Go and copy/paste the log (Result.txt) into your next post.
      **************************************************************
      Please download Farbar Service Scanner and run it on the computer with the issue.
      • Press "Scan".
      • It will create a log (FSS.txt) in the same directory the tool is run.
      • Please copy and paste the log to your reply.
      *******************************************************
      Total Fragmentation on Drive C:: 24% Defragment your hard drive soon! (Do NOT defrag if SSD!)
      Please take time to defrag your hard drive.
      Windows 8 and Windows 10 dual boot with two SSD's

      padraig

        Re: Virus or worm has disabled internet, hidden program and other files
        « Reply #32 on: September 04, 2012, 04:33:47 PM »
        how do I "defrag"?

        here is the minitoolbox log:

        MiniToolBox by Farbar  Version: 23-07-2012
        Ran by Patrick (administrator) on 04-09-2012 at 19:29:46
        Microsoft Windows XP Professional Service Pack 3 (X86)
        Boot Mode: Normal
        ***************************************************************************

        ========================= Flush DNS: ===================================


        Windows IP Configuration



        Successfully flushed the DNS Resolver Cache.


        ========================= IE Proxy Settings: ==============================

        Proxy is not enabled.
        No Proxy Server is set.

        "Reset IE Proxy Settings": IE Proxy Settings were reset.
        ========================= Hosts content: =================================

        127.0.0.1       localhost

        ========================= IP Configuration: ================================

        Intel(R) 82566DC Gigabit Network Connection = Local Area Connection (Media disconnected)


        # ----------------------------------
        # Interface IP Configuration         
        # ----------------------------------
        pushd interface ip


        # Interface IP Configuration for "Local Area Connection"

        set address name="Local Area Connection" source=dhcp
        set dns name="Local Area Connection" source=dhcp register=PRIMARY
        set wins name="Local Area Connection" source=dhcp


        popd
        # End of interface IP configuration




        Windows IP Configuration



                Host Name . . . . . . . . . . . . : FamilyRoom

                Primary Dns Suffix  . . . . . . . :

                Node Type . . . . . . . . . . . . : Broadcast

                IP Routing Enabled. . . . . . . . : No

                WINS Proxy Enabled. . . . . . . . : No



        Ethernet adapter Local Area Connection:



                Media State . . . . . . . . . . . : Media disconnected

                Description . . . . . . . . . . . : Intel(R) 82566DC Gigabit Network Connection

                Physical Address. . . . . . . . . : 00-19-D1-1A-C7-71

        Server:  UnKnown
        Address:  127.0.0.1

        Ping request could not find host google.com. Please check the name and try again.

        Server:  UnKnown
        Address:  127.0.0.1

        Ping request could not find host yahoo.com. Please check the name and try again.

        Server:  UnKnown
        Address:  127.0.0.1

        Ping request could not find host bleepingcomputer.com. Please check the name and try again.



        Pinging 127.0.0.1 with 32 bytes of data:



        Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

        Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



        Ping statistics for 127.0.0.1:

            Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

        Approximate round trip times in milli-seconds:

            Minimum = 0ms, Maximum = 0ms, Average = 0ms

        ===========================================================================
        Interface List
        0x1 ........................... MS TCP Loopback interface
        0x2 ...00 19 d1 1a c7 71 ...... Intel(R) 82566DC Gigabit Network Connection - Packet Scheduler Miniport
        ===========================================================================
        ===========================================================================
        Active Routes:
        Network Destination        Netmask          Gateway       Interface  Metric
                127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1     1
          255.255.255.255  255.255.255.255  255.255.255.255               2     1
        ===========================================================================
        Persistent Routes:
          None

        ========================= Event log errors: ===============================

        Application errors:
        ==================
        Error: (09/03/2012 07:59:11 PM) (Source: Application Hang) (User: )
        Description: Hanging application SysProt.exe, version 1.0.1.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

        Error: (09/03/2012 10:08:05 AM) (Source: MsiInstaller) (User: FAMILYROOM)FAMILYROOM
        Description: Product: Microsoft Office Professional 2007 -- Error 1706.Setup cannot find the required files.  Check your connection to the network, or CD-ROM drive.    For other potential solutions to this problem, see SETUP.CHM.(NULL)(NULL)(NULL)(NULL)

        Error: (09/01/2012 08:28:00 AM) (Source: WinMgmt) (User: )
        Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

        Error: (08/28/2012 00:56:36 AM) (Source: WinMgmt) (User: )
        Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

        Error: (08/26/2012 09:40:27 PM) (Source: WinMgmt) (User: )
        Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

        Error: (08/26/2012 00:36:41 PM) (Source: MsiInstaller) (User: FAMILYROOM)FAMILYROOM
        Description: Product: Microsoft Office Professional 2007 -- Error 1706.Setup cannot find the required files.  Check your connection to the network, or CD-ROM drive.    For other potential solutions to this problem, see SETUP.CHM.(NULL)(NULL)(NULL)(NULL)

        Error: (08/26/2012 00:36:12 PM) (Source: Application Hang) (User: )
        Description: Hanging application WINWORD.EXE, version 11.0.8345.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

        Error: (08/26/2012 00:35:44 PM) (Source: MsiInstaller) (User: FAMILYROOM)FAMILYROOM
        Description: Product: Microsoft Office Professional 2007 -- Error 1706.Setup cannot find the required files.  Check your connection to the network, or CD-ROM drive.    For other potential solutions to this problem, see SETUP.CHM.(NULL)(NULL)(NULL)(NULL)

        Error: (08/26/2012 00:24:31 PM) (Source: MsiInstaller) (User: FAMILYROOM)FAMILYROOM
        Description: Product: Microsoft Office Professional 2007 -- Error 1706.Setup cannot find the required files.  Check your connection to the network, or CD-ROM drive.    For other potential solutions to this problem, see SETUP.CHM.(NULL)(NULL)(NULL)(NULL)

        Error: (08/25/2012 07:11:09 AM) (Source: WinMgmt) (User: )
        Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.


        System errors:
        =============
        Error: (09/04/2012 03:19:03 PM) (Source: Service Control Manager) (User: )
        Description: The crd service failed to start due to the following error:
        %%1053

        Error: (09/04/2012 03:19:03 PM) (Source: Service Control Manager) (User: )
        Description: Timeout (30000 milliseconds) waiting for the crd service to connect.

        Error: (09/03/2012 09:51:37 AM) (Source: Service Control Manager) (User: )
        Description: The following boot-start or system-start driver(s) failed to load:
        AVGIDSHX

        Error: (09/03/2012 09:51:31 AM) (Source: Service Control Manager) (User: )
        Description: The Vsapint service failed to start due to the following error:
        %%2

        Error: (09/03/2012 09:50:34 AM) (Source: DCOM) (User: NT AUTHORITY)
        Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
        in order to run the server:
        {1BE1F766-5536-11D1-B726-00C04FB926AF}

        Error: (09/03/2012 09:40:15 AM) (Source: DCOM) (User: FAMILYROOM)
        Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
        in order to run the server:
        {A1F4E726-8CF1-11D1-BF92-0060081ED811}

        Error: (09/03/2012 09:40:09 AM) (Source: DCOM) (User: FAMILYROOM)
        Description: DCOM got error "%%1084" attempting to start the service netman with arguments ""
        in order to run the server:
        {BA126AE5-2166-11D1-B1D0-00805FC1270E}

        Error: (09/03/2012 09:39:53 AM) (Source: DCOM) (User: FAMILYROOM)
        Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
        in order to run the server:
        {A1F4E726-8CF1-11D1-BF92-0060081ED811}

        Error: (09/03/2012 09:39:40 AM) (Source: DCOM) (User: FAMILYROOM)
        Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
        in order to run the server:
        {A1F4E726-8CF1-11D1-BF92-0060081ED811}

        Error: (09/02/2012 10:59:39 PM) (Source: DCOM) (User: FAMILYROOM)
        Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
        in order to run the server:
        {A1F4E726-8CF1-11D1-BF92-0060081ED811}


        Microsoft Office Sessions:
        =========================

        ========================= Memory info: ===================================

        Percentage of memory in use: 52%
        Total physical RAM: 1021.83 MB
        Available physical RAM: 484.08 MB
        Total Pagefile: 2458.33 MB
        Available Pagefile: 1795.52 MB
        Total Virtual: 2047.88 MB
        Available Virtual: 1966.93 MB

        ========================= Partitions: =====================================

        2 Drive c: () (Fixed) (Total:171.43 GB) (Free:111.66 GB) NTFS
        3 Drive d: (Backup) (Fixed) (Total:57.63 GB) (Free:23 GB) NTFS
        7 Drive h: (HP SimpleSave) (Fixed) (Total:465.11 GB) (Free:261.06 GB) NTFS
        8 Drive i: (My Passport) (Fixed) (Total:931.48 GB) (Free:547.54 GB) NTFS
        9 Drive j: (USB20FD) (Removable) (Total:7.53 GB) (Free:6.6 GB) FAT32

        ========================= Users: ========================================

        User accounts for \\FAMILYROOM

        Administrator            Anna                     Guest                   
        HelpAssistant            Patrick                  SUPPORT_388945a0         


        **** End of log ****


        and the FSS log:


        Farbar Service Scanner Version: 06-08-2012
        Ran by Patrick (administrator) on 04-09-2012 at 19:30:38
        Running from "C:\Documents and Settings\Patrick\Desktop"
        Microsoft Windows XP Professional Service Pack 3 (X86)
        Boot Mode: Normal
        ****************************************************************

        Internet Services:
        ============

        Connection Status:
        ==============
        Localhost is accessible.
        There is no connection to network.
        Attempt to access Google IP returned error: Google IP is unreachable
        Attempt to access Google.com returned error: Other errors
        Attempt to access Yahoo IP returned error: Yahoo IP is unreachable
        Attempt to access Yahoo.com returned error: Other errors


        File Check:
        ========
        C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
        C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
        C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
        C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
        C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
        C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
        C:\WINDOWS\system32\svchost.exe => MD5 is legit
        C:\WINDOWS\system32\rpcss.dll => MD5 is legit
        C:\WINDOWS\system32\services.exe => MD5 is legit

        Extra List:
        =======
        Gpc(6) hnmwrlspkt(9) IPSec(4) NetBT(5) Packet(8) pctgntdi(12) pctNDIS(11) PSched(7) Tcpip(3) wsppkt(10)
        0x0F00000004000000010000000200000003000 0000C0000000D0000000E0000000F0000000500 0000060000000700000008000000090000000A0 000000B000000
        IpSec Tag value is correct.

        **** End of log ****
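
Added example, not part of the original thread or of MiniToolBox: a small Python triage pass over a log in the layout posted above, reporting non-default hosts entries, a disconnected adapter, name lookups sent to a loopback resolver, and a missing default route. The function names and the abridged sample log are constructed for illustration.

```python
import re

# Constructed sample, abridged from the MiniToolBox log layout shown in the thread.
SAMPLE_LOG = """\
========================= Hosts content: =================================

127.0.0.1       localhost

========================= IP Configuration: ================================

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected

Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1     1
  255.255.255.255  255.255.255.255  255.255.255.255               2     1
===========================================================================
Persistent Routes:
  None
"""

# Section banners look like "===== Title: =====" (plain "=====" rulers do not match).
SECTION = re.compile(r"^=+ (?P<name>.+?): =+$")
LOOPBACK = ("127.0.0.1", "::1")

def split_sections(text):
    """Map each section title to its non-empty, stripped lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections

def hosts_findings(lines):
    """Report every hosts mapping other than loopback -> localhost."""
    findings = []
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) < 2:
            continue
        if not (parts[0] in LOOPBACK and parts[1] == "localhost"):
            findings.append(f"hosts entry maps {parts[1]} to {parts[0]}")
    return findings

def ip_findings(lines):
    """Report link state, resolver address and default-route presence."""
    findings, adapter, prev = [], "unknown adapter", ""
    in_routes = saw_routes = has_default = False
    for line in lines:
        if line.startswith("Ethernet adapter") and line.endswith(":"):
            adapter = line[len("Ethernet adapter "):-1]
        elif line.startswith("Media State") and line.endswith("Media disconnected"):
            findings.append(f"{adapter}: media disconnected")
        elif prev.startswith("Server:") and line.startswith("Address:"):
            # The Address line right after Server is the resolver that was queried.
            server = line.split(":", 1)[1].strip()
            msg = f"name lookups sent to loopback resolver {server}"
            if server in LOOPBACK and msg not in findings:
                findings.append(msg)
        elif line == "Active Routes:":
            in_routes = saw_routes = True
        elif in_routes and set(line) == {"="}:
            in_routes = False  # ruler line closes the route table
        elif in_routes and line.split()[0] == "0.0.0.0":
            has_default = True
        prev = line
    if saw_routes and not has_default:
        findings.append("no default route (0.0.0.0) in routing table")
    return findings

def triage(text):
    s = split_sections(text)
    return hosts_findings(s.get("Hosts content", [])) + ip_findings(s.get("IP Configuration", []))
```

Passing the full text of a Result.txt to `triage()` returns the findings as a list of strings, in the order they appear in the log.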

        padraig

          Re: Virus or worm has disabled internet, hidden program and other files
          « Reply #33 on: September 04, 2012, 05:58:40 PM »
          after a search on how to do it, I am defragmenting the hard drive

          padraig

            Re: Virus or worm has disabled internet, hidden program and other files
            « Reply #34 on: September 04, 2012, 06:01:44 PM »
            my employment takes me out of town for these next three days in which I will not have access to the infected PC.

            I will be offline until Friday PM.

            SuperDave

            Re: Virus or worm has disabled internet, hidden program and other files
            « Reply #35 on: September 05, 2012, 05:04:43 PM »
            Quote
            my employment takes me out of town for these next three days in which I will not have access to the infected PC.

            I will be offline until Friday PM.
            Ok. Is this computer hardwired to the modem? Did you try re-setting the modem? Disconnect the power supply for 30 secs. and then connect it.

            padraig

              Re: Virus or worm has disabled internet, hidden program and other files
              « Reply #36 on: September 08, 2012, 04:22:22 AM »
              PC and the laptop that I am using to post to this thread are hard cabled to ubee modem. Time Warner Cable replaced modem two weeks ago to restore telephone service. This was no less than two weeks after the virus blocked access to the internet for the PC only. I did disconnect the power supply to the new modem, waited about 1 minute, reconnected and internet service was restored to the laptop only. The PC will not connect to internet through IE8 or Firefox.

              C: defragmentation has been completed.

              SuperDave

              Re: Virus or worm has disabled internet, hidden program and other files
              « Reply #37 on: September 08, 2012, 12:08:38 PM »
              Quote
              The PC will not connect to internet through IE8 or Firefox.
              Did you try another cable?

              You will have to download this on your laptop and transfer it to your PC using a memory stick or disk.

              Please download LSPFix © 2002-2006 Cexx.org.
              Save it to your desktop.  Alternate download site available  here
              Run LSPFix - Repair LSP Chain
              PRINT these instructions... then disconnect from the Internet and close all browser windows.
              • Double click the LSPFix.exe icon on your desktop.
              • If you had to use the alternate download...double click the "lspfix.zip" file on your desktop.
              • Use XP's Compressed File Extraction Wizard or your own 3rd party zip file program.
              • Extract the "LSPFix.exe" file to your desktop... double click to start the program.
              • Press the "Finish..." button.
              • Now...Reboot your computer, normally, to complete the process.

              padraig

                Re: Virus or worm has disabled internet, hidden program and other files
                « Reply #38 on: September 08, 2012, 03:02:10 PM »
                internet connection has been restored!!!   ;D

                padraig

                  Re: Virus or worm has disabled internet, hidden program and other files
                  « Reply #39 on: September 08, 2012, 04:26:19 PM »
                  Super Anti-Spy scan returned 33 threats, all Adware, no trojan or worm found

                  still have issue with empty program list or "shortcuts" in start menu and USB drive not able to stop to safely eject

                  SuperDave

                  Re: Virus or worm has disabled internet, hidden program and other files
                  « Reply #40 on: September 09, 2012, 05:14:16 PM »
                  Good news and bad news. It's good that your internet access is repaired. You could try running Rkill again. And now, the bad news. I'm required to give you this warning.

                  It appears your system is infected with a rootkit. A rootkit is a powerful piece of malware, that allows hackers full control over your computer for means of sending attacks over the Internet, or using your computer to generate revenue.

                  Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%.

                  Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and security tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

                   What danger is presented by rootkits?
                   Rootkits and how to combat them
                   r00tkit Analysis: What Is A Rootkit

                  If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:
                  How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
                  What Should I Do If I've Become A Victim Of Identity Theft?
                   Identity Theft Victims Guide - What to do
                  It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
                  When should I re-format? How should I reinstall?
                  Help: I Got Hacked. Now What Do I Do?
                  Help: I Got Hacked. Now What Do I Do? Part II
                  Where to draw the line? When to recommend a format and reinstall?

                  Guides for format and reinstall:

                  how-to-reformat-and-reinstall-your-operating-system-the-easy-way

                  However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
                  If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

                  Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.