Multiple threats removed and still cannot connect to internet

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Turbine, May 29, 2012.

  1. Turbine

    Turbine Private E-2

    I am helping a friend with her computer. I have found a few viruses and malware but was still having issues when I found you. I have read the "READ & RUN ME FIRST. Malware Removal Guide" at http://forums.majorgeeks.com/showthread.php?t=35407

    My current issue is I cannot connect to the internet router in my house with their PC (it works fine with my PCs) and I do not know if I have found all malware.

    The PC is a Dell Optiplex GX270 running WinXP sp3. I have been downloading programs to my PC and transferring them to the Evil PC via flash drive.

    I ran SUPERAntiSpyware 3 times until it came back clean. Last log is attached. Let me know if you need other 2 logs.

    I ran MalwareBytes before I found MajorGeeks so I ran it again as directed in the "READ & RUN ME FIRST..." post. Latest log is attached. The first time I ran MalwareBytes it found and removed 2 Registry Keys, 1 Registry Value, and 3 Registry Data Items.

    When I run ComboFix, a window pops up telling me:
    "Version_12-05-28.5
    Current date is 2012-06-28. ComboFix has expired
    Click 'Yes' to run in REDUCED FUNCTIONALITY mode
    Click 'No' to exit"
    And when I click 'Yes', the window disappears and the ComboFix exe disappears from the desktop.

    RootRepeal and MGTools seemed to run just fine.

    Thanks for your time.
    Turbine
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, Turbine :)

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)
     
  3. Turbine

    Turbine Private E-2

    I'm on it. Thanks!
     
  4. Turbine

    Turbine Private E-2

    TDSSKiller has been run. All issues are failed signature checks. Log attached.
    aswMBR has been run. Log attached.
    Thanks again for your help!
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Attached is OTLfix.txt
    Download and save this to the desktop of the infected computer.

    Fix items using OTL by OldTimer

    Transfer OTL.exe to the infected computer too.
    Double-click OTL.exe to open the application.
    Shut down any protection programs so that they do not interfere with the fix.
    Then drag OTLfix.txt into the text-field.
    You should see a bunch of text transferred over into the text-field.
    Now click the button to run the fix.
    The fix will need a reboot. Allow the PC to reboot into Normal Mode.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
     

    Attached Files:

  6. Turbine

    Turbine Private E-2

    I kicked off OTL early this morning and it was running for 2 hours before I left for work. I was able to move the mouse but the cursor is an hourglass. Is there any fear of me killing the PC and re-running OTL on restart?
    Thanks again!
     
  7. thisisu

    thisisu Malware Consultant

    Try terminating OTL.exe by pressing Ctrl+Alt+Delete.
    End the OTL.exe process
    If that doesn't work, you will have to reboot.
    Retry the fix from Safe Mode with Networking: See: How to start your computer in Safe mode with Networking
     
  8. Turbine

    Turbine Private E-2

    OTL has been run (in safe mode). Log attached. What's next? And thanks again!
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Boot back into Normal Mode.

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Also check for internet connectivity.
     
  10. Turbine

    Turbine Private E-2

    New MGTools logs attached.
    I booted up the Evil PC connected to my router and it never got past "Acquiring network address" (see attached screenshot).
    I changed the TCP/IP properties to "Obtain an IP address automatically" and "Obtain DNS server address automatically" (see attached screenshot) before I first posted here at MajorGeeks. Let me know if I need to change the settings or if you want to know what the settings were before I changed them.
    Thanks,
    Turbine
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    Leave these as you currently have them.
    Now do this:

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on the desktop of the infected PC.
    • Now open Repair_Windows.exe
    • Go to the Start Repairs tab.
    • Press the Start button
    • Create a System Restore point if prompted.
    • In the Repair Options window, choose the following repairs:
      • Reset Registry Permissions
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
    • Place a checkmark in Restart/Shutdown System When Finished
    • Fill in the Restart System bubble
    • Now click the Start button.
    • Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

    Once the computer has been restarted:

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  12. Turbine

    Turbine Private E-2

    Windows Repair has been run as specified.
    New MGTools logs are attached.
    Thanks again!
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    NOTICE: This registry patch has been customized for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Attached is fixme.zip

    • Inside is fixme.reg
    • Extract fixme.reg to the desktop of the infected computer.
    • Now double-click fixme.reg and allow it to merge into the registry.
      • If the registry fix was successful, reboot and test for internet connectivity.
      • If the registry fix was unsuccessful, re-run GetLogs.bat and attach the latest MGlogs.zip
     

    Attached Files:

    Last edited: May 31, 2012
  14. Turbine

    Turbine Private E-2

    I ran the "fixme.reg" file from the desktop of the Evil PC and it ended badly (see attachments).
    I ran GetLogs.bat and new MGTools logs are attached as well.
    Thanks again for all your help. I truly appreciate it.
    I'll be back in 6 hours to check this post (gotta get some sleep).
     

    Attached Files:

  15. thisisu

    thisisu Malware Consultant

    I updated the attachment from my previous post. Refresh this page and download the attachment again. It should work this time.
     
  16. Turbine

    Turbine Private E-2

    fixme.reg seemed to run properly but still no internet (it's still stuck on "Acquiring network address").
    New MGTools logs are attached.
    I just realized that the Evil PC has the wrong date/time as well.
    Anyway, thanks again for all your help!
     
  17. Turbine

    Turbine Private E-2

    Oops, I forgot the logs :-o
     

    Attached Files:

  18. thisisu

    thisisu Malware Consultant

    Hrm you are the second user that has reported this. Both of you are infected with ZeroAccess.

    Are you able to adjust the date/time? If so, please set the current date and time and try to download and run the latest copy of ComboFix.exe
    Let me know if:
    • You were able to successfully change date/time
    • You were now able to run ComboFix.exe
      • If not, describe the problems you encountered.
     
    Last edited: May 31, 2012
  19. Turbine

    Turbine Private E-2

    Thanks. At least I have a name for my issue now. :)
    I'll be back to the Evil PC in 9 hours (after work).
    Thanks again!
     
  20. Turbine

    Turbine Private E-2

    I was able to change the date/time.
    I downloaded and was able to run ComboFix.
    I clicked on "no" on the Windows Recovery Console window since I have no internet connection (see screenshot "Combofix1.PNG").
    I got a window telling me the Evil PC is infected with Rootkit.ZeroAccess (see screenshot "Combofix2.PNG").
    ComboFix asked me to reboot due to rootkit activity and eventually produced a log (attached).
    The LAN connection is still stuck on "Acquiring network address".
    Thanks again for all your help!
     

    Attached Files:

  21. thisisu

    thisisu Malware Consultant

    No problem ;)
    Only do what is posted here (do not reboot).

    NOTICE: This registry patch has been customized for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Attached is netbt.zip

    • Inside is netbt.reg
    • Extract netbt.reg to the desktop of the infected computer.
    • Now double-click netbt.reg and allow it to merge into the registry.
    • Let me know if the merge was successful or not.
     

    Attached Files:

  22. Turbine

    Turbine Private E-2

    netbt.reg has been successfully entered!
     
  23. thisisu

    thisisu Malware Consultant

    Ok great. Now we need to do the same exact thing with this registry file: legacy_netbt.reg

    See attachment below.
     

    Attached Files:

  24. Turbine

    Turbine Private E-2

    legacy_netbt.reg has been successfully entered!
     
  25. thisisu

    thisisu Malware Consultant

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  26. Turbine

    Turbine Private E-2

    MGTools logs are attached.
    I'm dying to run ComboFix again to see what it says. :)
     

    Attached Files:

  27. thisisu

    thisisu Malware Consultant

    Ok, that looks like they were finally merged successfully.

    Now run C:\MGtools\FixNet.bat by double-clicking it.
    This will run some additional commands and reboot your computer for you.
    Test for internet connectivity once the computer has been rebooted.
     
  28. Turbine

    Turbine Private E-2

    Internet connectivity has been restored.
    You are officially my hero.
    What's next?
     
  29. thisisu

    thisisu Malware Consultant

    Logs look pretty good at this point. Let's do a couple more things and then let me know how the system is running.

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DirLook::
    C:\Documents and Settings\Administrator\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}
    FireFox::
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cmt87zgq.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
    Folder::
    c:\windows\$NtUninstallKB30129$
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283}]
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
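    The Registry:: section above, like the fixme.reg and netbt.reg patches earlier in the thread, uses Windows .reg syntax. The following is an added example (not part of the thread or of any tool mentioned in it) that previews what such a patch would create, set or delete without merging it; the sample text embedded in it is constructed, and its NetBT fragment is made up to illustrate the service-repair style, not copied from the real netbt.reg.

```python
"""Dry-run preview of a Windows .reg patch (added example, not the thread's code):
lists what it would create, set or delete before it is merged. Writes nothing."""
import re

KEY_RE = re.compile(r'^\[(-?)(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')
# Constructed sample: the thread's two Registry:: entries plus a made-up NetBT fragment.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Start"=dword:00000001
"ImagePath"="system32\\DRIVERS\\netbt.sys"
'''


def preview_reg(text):
    """Return (action, key, value_name, data) tuples in file order."""
    actions, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ';' or line.startswith('Windows Registry'):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == '-':          # [-HKEY_...] removes the whole key
                actions.append(('delete_key', key, None, None))
                key = None                 # values cannot follow a deleted key
            else:
                actions.append(('ensure_key', key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = '(Default)' if m.group(1) == '@' else m.group(1)[1:-1]
            data = m.group(2)
            if data == '-':                # "name"=- deletes that value
                actions.append(('delete_value', key, name, None))
            elif data.startswith('dword:'):
                actions.append(('set_dword', key, name, int(data[6:], 16)))
            else:                          # quoted string; undo .reg's \\ escaping
                actions.append(('set_string', key, name, data[1:-1].replace('\\\\', '\\')))
    return actions


def destructive_actions(actions):
    """Only the deletions: the part of a patch most worth a second look."""
    return [a for a in actions if a[0].startswith('delete_')]
```

    Run it against a patch file's contents before double-clicking the .reg; the deletions it lists are what a mis-targeted patch would take away from a machine it was not written for.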
  30. Turbine

    Turbine Private E-2

    ComboFix has been running for over 20 minutes (and it did update itself) and shows no sign of life. Shall I kill it and try to run MGTools?
     
  31. thisisu

    thisisu Malware Consultant

    You can end ComboFix.
    Retry the CFScript while in Safe Mode.
    ComboFix will want to reboot the computer, allow it to boot back into Normal Mode to produce log.

    I do not need MGlogs.zip until we get ComboFix or another tool to remove the leftover entries.
     
  32. Turbine

    Turbine Private E-2

    Thanks. I'm on it!
     
  33. Turbine

    Turbine Private E-2

    ComboFix worked in safe mode (log attached).
    New MGTools logs are attached as well.
    Thanks again for all your help.
    We'll type again tomorrow (only 2 minutes for me).
     

    Attached Files:

  34. thisisu

    thisisu Malware Consultant

    Your latest logs are clean but I would recommend that you upgrade to Internet Explorer 8

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  35. Turbine

    Turbine Private E-2

    Wow. That process was grueling. I can't express how much I appreciate your help (and MajorGeeks in general) with this.
    Thanks again. :)
     
  36. thisisu

    thisisu Malware Consultant

    You're welcome :)
     
