Invalid IP Address after running SuperAntiSpyware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mbfranchi, Feb 29, 2012.

  1. mbfranchi

    mbfranchi Private E-2

    Google pages being hijacked/redirected, and wouldn't allow me access to my google calendar and other google products.


    So, I started following steps in "READ & RUN ME FIRST. Malware Removal Guide"



    First as instructed I did all the steps in "Fixing Google Redirection/hijacking and other redirection problems" (logs are attached)
    http://forums.majorgeeks.com/showthread.php?t=230267

    Issue not resolved, so then continued on with "READ & RUN ME FIRST. Malware Removal Guide" steps.

    After running Superantivirus scan (log attached), I cannot connect to internet due to Invalid IP Address. As suggested in post, I used the repair utility within superantivirus, and problem still occurs.

    Thank you in Advance for your help.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

You have a Zero Access infection, and SUPERAntiSpyware deleted an infected Windows system file (NETBT.SYS). Deleting this file, instead of replacing it with a good copy, is why you cannot get internet access. There is likely much more that needs to be fully repaired though.

    You need to finish the rest of the instructions and get us the other logs we asked for from ComboFix and MGtools so that we can give you proper support.
     
  3. mbfranchi

    mbfranchi Private E-2

    Thank you for your fast response.

    Completed remainder of instructions, logs attached to this post and one in next post.

You'll notice two logs for Malwarebytes. Malwarebytes is the anti-malware program I typically run when encountering an issue.

The first log is from 2012-02-28, when I first came across the problem. Once the scan ran and I still had problems, I then came to majorgeek.com and started following the instructions step-by-step.

    The second log from 2012-03-01, was run in accordance and sequence with the instructions outlined.
     

    Attached Files:

  4. mbfranchi

    mbfranchi Private E-2

    Additional Log
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Hello mbfranchi,

    I will help you until Chaslang is able to get back to you.

Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
KillAll::
ClearJavaCache::
FCopy::
c:\windows\ServicePackFiles\i386\ipsec.sys | c:\windows\system32\drivers\ipsec.sys
File::
c:\windows\system32\dds_trash_log.cmd
Folder::
c:\windows\$NtUninstallKB23692$
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\6HH57FS2
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\B09Z9BMW
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\MFVWF79K
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\O4JTOA4T
MIA::
c:\windows\system32\drivers\netbt.sys
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-
"Adobe ARM"=-
"DivXUpdate"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"=-
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      ipsec.sys
      netbt.sys
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\$ntuninstallkb*. /30
      %windir%\system32\*.dll /30
      %windir%\system32\*.dll /lockedfiles
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
• Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Attach OTL.txt to your next message. (How to attach)
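The /md5start ... /md5stop block in the OTL scan above hashes the live copies of afd.sys, ipsec.sys, netbt.sys, tcpip.sys and svchost.exe so the helper can compare them with known-good copies. The script below is an added example (not from this thread, OTL or SUPERAntiSpyware) that performs the same check directly: it hashes each watched file and compares it with the copies Windows XP keeps in system32\dllcache and ServicePackFiles\i386, reporting the file as ok, mismatch, missing or no_backup. The directory layout is the XP one the thread deals with; the file contents are constructed so the script runs offline on any OS, with ipsec.sys patched and netbt.sys deleted to reproduce the situation the thread describes (the patched ipsec.sys is an assumption for the demo, not a finding from the logs).

```python
"""Hash-compare critical network drivers against their on-disk backup copies.

Added example, not code from the thread or from OTL.  Layout mirrors Windows XP:
%windir%\\system32\\drivers, %windir%\\system32\\dllcache and
%windir%\\ServicePackFiles\\i386.  Sample contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Files hashed by the thread's OTL scan, with the directory each lives in
# (relative to %windir%).  svchost.exe is user-mode, so it sits in system32.
WATCHED = {
    "afd.sys": "system32/drivers",
    "ipsec.sys": "system32/drivers",
    "netbt.sys": "system32/drivers",
    "tcpip.sys": "system32/drivers",
    "svchost.exe": "system32",
}

# Where XP keeps pristine copies (relative to %windir%).
BACKUP_DIRS = ["system32/dllcache", "ServicePackFiles/i386"]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drivers(windir: Path) -> dict:
    """Return {filename: status} with status in ok / mismatch / missing / no_backup.

    'mismatch' means the live file equals none of its backup copies, the
    signature of a patched driver such as the netbt.sys in the thread.
    'missing' is the state SUPERAntiSpyware left netbt.sys in: deleted,
    not replaced.
    """
    results = {}
    for name, subdir in WATCHED.items():
        live = windir / subdir / name
        backups = [windir / d / name for d in BACKUP_DIRS]
        backup_hashes = {sha256_file(p) for p in backups if p.is_file()}
        if not backup_hashes:
            results[name] = "no_backup"
        elif not live.is_file():
            results[name] = "missing"
        elif sha256_file(live) in backup_hashes:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def build_sample_windir() -> Path:
    """Construct a fake %windir% (constructed data): every watched file and its
    backups are identical, then ipsec.sys is patched and netbt.sys deleted."""
    root = Path(tempfile.mkdtemp(prefix="windir_"))
    for name, subdir in WATCHED.items():
        good = f"pristine {name} (constructed)".encode()
        for d in BACKUP_DIRS + [subdir]:
            (root / d).mkdir(parents=True, exist_ok=True)
            (root / d / name).write_bytes(good)
    # simulate a tampered driver (bytes appended) and a deleted one
    with (root / "system32/drivers/ipsec.sys").open("ab") as f:
        f.write(b"\x90" * 16)
    (root / "system32/drivers/netbt.sys").unlink()
    return root


if __name__ == "__main__":
    for name, status in check_drivers(build_sample_windir()).items():
        print(f"{name:12} {status}")
```

A file that matches neither backup copy deserves a closer look, but it is not proof on its own: confirm the version and digital signature of the live file before replacing it, since a hotfixed driver can legitimately differ from the ServicePackFiles copy. A "missing" result for a core driver such as netbt.sys explains a dead network stack immediately, which is what the thread's symptom came down to.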
     
  6. mbfranchi

    mbfranchi Private E-2

    Thank you for your help as well Thisisu.

    Followed your instructions.

    Logs attached. OTL.txt exceeded size limit for upload, so it has been compressed.
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    Hi, ComboFix ran into a little problem.
    This fix below should address your internet issue.

Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
Code:
:otl
    SRV - File not found [Auto | Stopped] --  -- (WMIService)
    NetSvcs: WMIService -  File not found
    SRV - File not found [Auto | Stopped] --  -- (w800mdfl)
    NetSvcs: w800mdfl -  File not found
    SRV - File not found [Auto | Stopped] --  -- (vmodem)
    NetSvcs: vmodem -  File not found
    SRV - File not found [Auto | Stopped] --  -- (S3GIGP)
    NetSvcs: S3GIGP -  File not found
    SRV - File not found [Auto | Stopped] --  -- (RoxLiveShare9)
    SRV - File not found [Auto | Stopped] --  -- (RichVideo) Cyberlink RichVideo Service(CRVS)
    SRV - File not found [Auto | Stopped] --  -- (nv)
    NetSvcs: nv -  File not found
    SRV - File not found [Auto | Stopped] --  -- (incdrm)
    NetSvcs: incdrm -  File not found
    SRV - File not found [Auto | Stopped] --  -- (btfirst)
    NetSvcs: btfirst -  File not found
    SRV - File not found [Auto | Stopped] --  -- (bgmainsvc)
    NetSvcs: bgmainsvc -  File not found
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (mraid35x)
    DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (IntelIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ini910u)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (i2omp)
    DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (hpn)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dpti2o)
    DRV - File not found [Kernel | Auto | Stopped] --  -- (DgiVecp)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dac960nt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Cpqarray)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (CmdIde)
    DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (cd20xrnt)
    DRV - File not found [Kernel | On_Demand | Running] --  -- (catchme)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Atdisk)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3550)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3350p)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (amsint)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (AliIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78u2)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Aha154x)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (adpu160m)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (abp480n5)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ViaIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ultra)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (UIUSys)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (TosIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc8xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc810)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_u3)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_hi)
    DRV - File not found [Kernel | Auto | Stopped] --  -- (SSPORT)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Sparrow)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Simbad)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (RimUsb)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1280)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1240)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql12160)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Ql10wnt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1080)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2hib)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
    O3 - HKU\S-1-5-21-2650876703-581755411-1505849268-1126\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
:files
c:\windows\system32\drivers\netbt.sys|C:\WINDOWS\system32\dllcache\netbt.sys /replace
netsh winsock reset /c
:commands
[emptytemp]
[resethosts]
    
Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
     
    Last edited: Mar 3, 2012
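The line under :files above asks OTL to put the dllcache copy of netbt.sys back in system32\drivers, which is the repair SUPERAntiSpyware should have done instead of deleting the file. The script below is an added example (not code from the thread or from OTL) of that replacement done carefully: the backup copy must exist, any suspect live file is moved to a quarantine folder rather than deleted, the copy is verified by hash before success is reported, and a file that already matches the backup is left alone. The quarantine location and the temporary directory layout are assumptions for the demo; the file bytes are constructed. The separate netsh winsock reset step from the same fix is not run here.

```python
"""Restore a system file from its dllcache copy without destroying evidence.

Added example, not code from the thread or from OTL.  Paths and the quarantine
location are assumptions; sample file contents are constructed.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def restore_from_backup(live: Path, backup: Path, quarantine: Path) -> dict:
    """Put `backup` in place of `live` and return a small report for the log.

    - `live` present and identical to `backup`: nothing is changed.
    - `live` present but different: it is moved into `quarantine` with a
      timestamped name, then the backup copy is written in its place.
    - `live` missing (the state SUPERAntiSpyware left the thread's machine in):
      the backup copy is simply restored.
    The copy is hash-verified before the function reports success.
    """
    if not backup.is_file():
        raise FileNotFoundError(f"no backup copy at {backup}")
    backup_hash = sha256_file(backup)
    report = {"file": str(live), "quarantined": None, "action": None}

    if live.is_file():
        if sha256_file(live) == backup_hash:
            report["action"] = "unchanged"
            report["sha256"] = backup_hash
            return report
        quarantine.mkdir(parents=True, exist_ok=True)
        stamp = datetime.now().strftime("%Y%m%d_%H%M%S")
        dest = quarantine / f"{live.name}.{stamp}.bad"
        shutil.move(str(live), str(dest))  # keep the suspect file for analysis
        report["quarantined"] = str(dest)
        report["action"] = "replaced"
    else:
        report["action"] = "restored"

    live.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(str(backup), str(live))
    if sha256_file(live) != backup_hash:
        raise RuntimeError(f"copy of {backup} to {live} did not verify")
    report["sha256"] = backup_hash
    return report


def demo(tampered: bool = False) -> dict:
    """Constructed scenario in a temporary %windir%: netbt.sys is either missing
    (as in the thread) or, with tampered=True, present but modified."""
    windir = Path(tempfile.mkdtemp(prefix="windir_"))
    drivers = windir / "system32" / "drivers"
    dllcache = windir / "system32" / "dllcache"
    drivers.mkdir(parents=True)
    dllcache.mkdir(parents=True)
    (dllcache / "netbt.sys").write_bytes(b"pristine netbt.sys (constructed)")
    if tampered:
        (drivers / "netbt.sys").write_bytes(b"patched netbt.sys (constructed)")
    return restore_from_backup(drivers / "netbt.sys", dllcache / "netbt.sys",
                               windir / "_OTL" / "Quarantine")


if __name__ == "__main__":
    print(demo())
    print(demo(tampered=True))
```

Keeping the quarantined copy matters beyond tidiness: it is the only artifact that can later confirm what the infection actually modified, and it costs nothing compared with rebuilding a network stack that a cleaner deleted outright.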
  8. mbfranchi

    mbfranchi Private E-2

    Thank you, thank you, thank you Thisisu!!

    Instructions followed, log attached.

    Internet works again which should make copying code and posting logs far easier!!
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    You're welcome.

    What malware problems are you still experiencing, if any?

    Pretty sure your logs are clean but let's have you get an updated MGlogs.zip.

Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  10. mbfranchi

    mbfranchi Private E-2

    Updated MGlogs attached.

The original issue was Google redirects/hijacked results, which were also denying me use of my Google calendar and several other Google products. However, these issues now seem to be corrected!!

    Chaslang mentioned Zero Access infection, in first response.
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    Yes you were infected with ZeroAccess. It's gone now though.

    Latest logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it is present.
8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  12. mbfranchi

    mbfranchi Private E-2

    Thanks Thisisu, you're AWESOME!!
     
  13. thisisu

    thisisu Malware Consultant

You're welcome.
     
