Removed a virus and now no internet

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by anon1m0us, Dec 11, 2011.

  1. anon1m0us

    anon1m0us Private E-2

    I removed a virus, or attempted to, but I can no longer access the internet using Firefox or IE.

    Using IP Config, nothing appears, not even an IP address saying 0.0.0.0

    I ran netsh winsocket reset, and nothing.

    I uninstalled my network drivers and reinstalled, and nothing.

    I ran the logs and attached are the results. However, I cannot run Combofix since it hangs. I also cannot log off my PC. It hangs and I need to manually shut down.

    Help?!
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    The reason you have no ability to connect is that your registry keys related to the NetBt service have been deleted. And without this service, your DHCP service cannot start.


    Please download and save the below registry patch to your Desktop.

    fixXPnetbt.reg


    Then double click on the fixXPnetbt.reg patch you just saved to your Desktop and allow it to be added to your registry. Then reboot your PC.

    After reboot, download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )



    Now attach the below log:
    • C:\MGlogs.zip
    We have more work to do but let's get the above done first.
     
  3. anon1m0us

    anon1m0us Private E-2

    Here are my new logs. I ran the reg key and rebooted. Still no IP address.
     


  4. thisisu

    thisisu Malware Consultant

    Hi anon1m0us,

    I will help you with your remaining malware problems as chaslang has been very busy.

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    FCopy::
    C:\WINDOWS\system32\dllcache\netbt.sys | C:\WINDOWS\system32\drivers\netbt.sys
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now download another new version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )



    Now attach the below log:
    • C:\MGlogs.zip
     
    Last edited by a moderator: Dec 15, 2011
  5. anon1m0us

    anon1m0us Private E-2

    My computer keeps crashing when running Combofix with a no_pages_available.

    However, when running Combofix it tells me I am infected with Rootkit.ZeroAccess
     
  6. thisisu

    thisisu Malware Consultant

    Hi,

    Copy: C:\WINDOWS\system32\dllcache\netbt.sys
    and paste it in this folder: C:\WINDOWS\system32\drivers

    Reboot and test your internet.

    Then do the following scan:

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the [​IMG] text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      ipsec.sys
      lsass.exe
      netbt.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\netbt
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\ipsec
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the [​IMG] button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)
     
  7. anon1m0us

    anon1m0us Private E-2

    I added the netbt.sys but with no luck.

    Here are the two files that were outputted.
     


    Last edited by a moderator: Dec 29, 2011
  8. thisisu

    thisisu Malware Consultant

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach FSS.txt to your next message. (How to attach)
     
  9. anon1m0us

    anon1m0us Private E-2

    Here's the log.
     

    Attached Files: FSS.txt (2.2 KB)
  10. thisisu

    thisisu Malware Consultant

    ========WARNING========
    The below is specifically for anon1m0us's computer
    Do NOT run the below if you are not anon1m0us
    Doing so may damage your PC!
    ========WARNING========

    Attached is netbt.zip

    Inside is:
    • netbt.reg
    • fixme+restart.bat

    Extract both files to the infected computer's desktop.

    First double-click netbt.reg and allow it to merge into the registry. You should receive a successful message.

    Now reboot your PC.

    Once you have rebooted...

    Test your internet. If it still is not working, run the fixme+restart.bat file by double-clicking it.
    Your PC will reboot again. Once you are back in Windows, test your internet again.

    If it still does not work, attach the fixme_results.txt file the .bat file created.
     


  11. anon1m0us

    anon1m0us Private E-2

    Still no luck. There was an improvement though. My wireless connection now says connected versus the disconnected, but I still cannot access the internet via wired or wireless.

    Also, it still hangs when logging off.
     


  12. thisisu

    thisisu Malware Consultant

    First, uninstall Avast antivirus. You can reinstall it when we are finished if you'd like.

    Then download and run Avast! Uninstall Utility for good measure.

    Reboot your PC...

    Please download MiniToolBox and save it to your desktop and run it.

    Checkmark the following checkboxes:

    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List IP configuration
    • List Winsock Entries
    • List Devices -> All
    • List last 10 Event Viewer log
    Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
    Last edited: Dec 28, 2011
  13. anon1m0us

    anon1m0us Private E-2

    Here ya go.
     
  14. anon1m0us

    anon1m0us Private E-2

    oops, forgot the attachment
     


  15. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the [​IMG] text-field.
    Code:
    :otl
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKU\S-1-5-21-73586283-1645522239-1417001333-500\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
    O15 - HKLM\..Trusted Domains: microsoft.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: microsoft.com ([sftus.one] https in Trusted sites)
    O15 - HKLM\..Trusted Domains: remote ([]http in Trusted sites)
    O15 - HKLM\..Trusted Ranges: Range1 ([http] in Trusted sites)
    O15 - HKU\.DEFAULT\..Trusted Domains: microsoft.com ([]* in Trusted sites)
    O15 - HKU\.DEFAULT\..Trusted Domains: microsoft.com ([sftus.one] https in Trusted sites)
    O15 - HKU\.DEFAULT\..Trusted Domains: remote ([]http in Trusted sites)
    O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: microsoft.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: microsoft.com ([sftus.one] https in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: remote ([]http in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Trusted sites)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.sun.com/update/1.6.0/jinstall-6u20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    [5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    :services
    aswTdi
    aswMon2
    aswFsBlk
    aswSnx
    aswSP
    aswRdr
    :files
    C:\WINDOWS\System32\drivers\aswTdi.sys
    xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
    xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
    xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
    xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
    ipconfig /all /c
    ipconfig /release /c
    ipconfig /flushdns /c
    ipconfig /renew /c
    netsh int ip reset resetlog.txt /c
    netsh winsock reset /c
    ipconfig /all /c
    sc config netbt start= auto /c
    sc config dhcp start= auto /c
    sc queryex netbt /c
    sc queryex ipsec /c
    sc queryex afd /c
    sc queryex tcpip /c
    sc queryex dhcp /c
    :commands
    [emptytemp]
    [resethosts]
    
    Now click the [​IMG] button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Please go to Control Panel -> open Administrative Tools and see if you have Local Security Policy.
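
    Added example (not part of the thread or of any tool used in it): the `sc queryex` checks that close the fix above can be read against the dependency chain from chaslang's first reply, where DHCP cannot start without NetBT. The dependency map is an assumed set of Windows XP defaults, and the transcript is constructed sample input.

```python
import re

# Assumption: Windows XP default service dependencies. The thread itself only
# states that DHCP cannot start without NetBT.
DEPENDS_ON = {
    "dhcp": ["tcpip", "afd", "netbt"],
    "netbt": ["tcpip"],
    "tcpip": ["ipsec"],
    "afd": [],
    "ipsec": [],
}

# Constructed cmd.exe transcript (not taken from the poster's logs).
SAMPLE = r"""
C:\>sc queryex netbt
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.

C:\>sc queryex ipsec
SERVICE_NAME: ipsec
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
C:\>sc queryex afd
SERVICE_NAME: afd
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
C:\>sc queryex tcpip
SERVICE_NAME: tcpip
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
C:\>sc queryex dhcp
SERVICE_NAME: dhcp
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1068  (0x42c)
"""

CMD_RE = re.compile(r"^\S*>\s*sc\s+queryex\s+(\S+)", re.I)
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)")
FAIL_RE = re.compile(r"FAILED\s+(\d+)")


def parse_transcript(text):
    """Map each queried service to RUNNING/STOPPED/... or MISSING (error 1060)."""
    states, current = {}, None
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:
            current = m.group(1).lower()
            states[current] = "UNKNOWN"
            continue
        if current is None:
            continue
        m = STATE_RE.match(line)
        if m:
            states[current] = m.group(1).upper()
            continue
        m = FAIL_RE.search(line)
        if m:
            # 1060 means the service's registry key is gone.
            code = m.group(1)
            states[current] = "MISSING" if code == "1060" else "ERROR_" + code
    return states


def root_causes(service, states, _cache=None):
    """Return the deepest non-running services that keep `service` down."""
    cache = {} if _cache is None else _cache
    if service not in cache:
        cache[service] = []  # placeholder guards against dependency cycles
        found = []
        for dep in DEPENDS_ON.get(service, []):
            for blocker in root_causes(dep, states, cache):
                if blocker not in found:
                    found.append(blocker)
        # Blame the service itself only when everything beneath it is healthy.
        if not found and states.get(service, "UNKNOWN") != "RUNNING":
            found = [service]
        cache[service] = found
    return cache[service]


if __name__ == "__main__":
    parsed = parse_transcript(SAMPLE)
    for name, state in parsed.items():
        print(f"{name:6} {state}")
    print("DHCP blocked by:", root_causes("dhcp", parsed) or "nothing")
```

    A stopped DHCP service with a MISSING dependency points at registry repair of that dependency first, which is the order the helpers follow in this thread.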
     
  16. anon1m0us

    anon1m0us Private E-2

    In Control Panel\Administrative Tools I have Local Security Policy.
     


  17. thisisu

    thisisu Malware Consultant

    Open Local Security Policy.
    First select IP Security Policies on Local Computer.
    Then right click the selected IP Security Policies on Local Computer and select "Export list...". Give it a name and save it.
    Please post the content of it or attach it to your reply.
     
  18. thisisu

    thisisu Malware Consultant

    Also I want you to try running ComboFix the way I describe below:

    First delete ComboFix.exe and empty it from the Recycle Bin too.

    Now download a new ComboFix.exe to your desktop.
    Click the [​IMG] button. > Run - copy and paste this command in the box ComboFix /nombr then click OK.
    Let it unpack and attempt to run.
    Attach c:\ComboFix.txt if it was successful.
     
  19. anon1m0us

    anon1m0us Private E-2

    Here are the logs.

    There are no policies enabled.

    After running the combofix, I ran it again, and it still picked up Rootkit.ZeroAccess.
     

    Attached Files: log.txt (20.5 KB)
  20. thisisu

    thisisu Malware Consultant

    That's OK. We got a ComboFix log which revealed some more malware. Let's remove what was found and then we can continue on the internet issue.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the [​IMG] text-field.
    Code:
    :processes
    killallprocesses
    :services
    tnlvhi
    :files
    c:\windows\system32\drivers\vuodkxi.sys
    sc config tnlvhi start= disabled /c
    
    Now click the [​IMG] button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

    Please download the latest Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach FSS.txt to your next message. (How to attach)
     
  21. anon1m0us

    anon1m0us Private E-2

    Still no luck:(
     


  22. thisisu

    thisisu Malware Consultant

    Making some progress at least. ;)
    Code:
    =====================================================================================  
    Checking DHCP, AFD, NetBT, TCP/IP, IPsec Service States 
    
       Dynamic Host Control Protocol -DHCP-     is running  
       AFD Networking Support Environment -AFD- is running  
       NetBios over Tcpip -NetBT-               is running  
       TCP/IP Protocol Driver -TCP/IP-          is running  
       IPSEC driver  -Ipsec-                    is running  
    
    ===================================================================================== 
    I am attaching another .bat file (fixme+restart2.bat) for you to run and then attach the resulting log (fixme_results2.txt) for review.
    This one will reboot your PC too. Test your internet after the reboot.
     


  23. anon1m0us

    anon1m0us Private E-2

    It ran and the log file only says "Completed".

    Internet still not working.
     
  24. thisisu

    thisisu Malware Consultant

    That's it? Should say more than that. Can you attach it anyway?

    Please download MiniToolBox and save it to your desktop and run it.

    Checkmark the following checkboxes:

    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List IP configuration
    • List Winsock Entries
    • List Devices -> All
    • List last 10 Event Viewer log
    Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.
     
  25. anon1m0us

    anon1m0us Private E-2

    I ran the fixme twice, with nothing in the logs.
     


  26. thisisu

    thisisu Malware Consultant

    Is this a business computer? Are you able to log into Windows without using the domain: MKLLP?
     
  27. thisisu

    thisisu Malware Consultant

    Code:
    Error: (12/29/2011 08:24:04 PM) (Source: NETLOGON) (User: )
    Description: No Domain Controller is available for domain MKLLP due to the following: 
    %%1311.
    Source: http://www.chicagotech.net/wineventid.htm

    The rest of your logs look OK. I think it may be something domain related due to some of the system errors you are receiving. You should review the quoted text and that link I posted.
     
  28. anon1m0us

    anon1m0us Private E-2

    I have been running all the scans on the local account, not domain.
     
  29. anon1m0us

    anon1m0us Private E-2

    Also, I do not have access to the company network, since this is my home computer and always connects via my home network.
     
  30. thisisu

    thisisu Malware Consultant

    Ok good to know.

    Please download Microsoft Fix it 50203 to your desktop.
    • Double-click it to run.
    • Reboot when asked to.
     
  31. thisisu

    thisisu Malware Consultant

    But when you log into Windows, is the domain (MKLLP) listed as an option in the "Log on to" field?

    So you would not mind if I wanted to delete the traces of the MKLLP domain from your logs for troubleshooting purposes?
     
  32. anon1m0us

    anon1m0us Private E-2

    Ran the fix. Nothing.

    Yes, you can delete whatever needs to be deleted.
     
  33. thisisu

    thisisu Malware Consultant

    I want you to read and follow these instructions: TDSSKiller - How to run

    Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

    O16 - DPF: {D3AB4ED4-EFAB-48D2-840D-714CBF76B801} (EPOActiveXEntryPoint.ManagementConsoleEntryPoint) - https://globalsafeboot.mkllp.com:8443/DATALOSS2000/DLP.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mkllp.com
    O17 - HKLM\Software\..\Telephony: DomainName = mkllp.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mkllp.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mkllp.com


    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    File::
    C:\Documents and Settings\All Users\Application Data\f7n6beithc3553o8ae7ie4l1neo
    FileLook::
    c:\windows\system32\sfcfiles.dll
    c:\windows\dwrcs\DWRCWXL.dll
    C:\WINDOWS\system32\dllcache\mshtml.dll
    C:\WINDOWS\system32\mshtml.dll
    C:\WINDOWS\system32\DRIVERS\netbt.sys
    Folder::
    C:\WINDOWS\$NtUninstallKB16441$
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Register System Files
      • Repair Windows Firewall
      • Repair Internet Explorer
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  39. thisisu

    thisisu Malware Consultant

    Can you attach the TDSSKiller log? It didn't get included.
    And the domain entries were not removed.

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

    What exactly happened with ComboFix?
     
  40. anon1m0us

    anon1m0us Private E-2

    Combofix hangs. I ran it twice in 48 hours, and left it running for over 12 hours. Nothing happens.
     
  41. anon1m0us

    anon1m0us Private E-2

    I deleted the entries as specified.

    Here are the logs.

    I also ran rkill and it keeps on finding things.
     


  42. anon1m0us

    anon1m0us Private E-2

    You are correct, it seems the domain was there still. I deleted it again.
     


  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Open up Device Manager and navigate to Network Adapters.
    • Find your Broadcom 440x 10/100 Integrated Controller device and right click on it and select Uninstall BUT DO NOT delete the drivers/software if asked.
    • Then reboot your PC.
    • Upon reboot, it should automatically detect the Broadcom hardware like new hardware and reinstall the drivers.
    • After this reboot, run C:\MGtools\GetLogs.bat by double-clicking it.
    • When it is finished, attach C:\MGlogs.zip to your next message
    Also test if this made any change to your networking issue.
     
  44. anon1m0us

    anon1m0us Private E-2

    Internet now works!!!

    Thanks sooo much!
     


  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Looks good now.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
