Abnow and Internet issues

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by treydawgmt, Feb 25, 2012.

  1. treydawgmt

    treydawgmt Private E-2

    Hello,

    My uncle's computer was having some redirect issues with abnow. He attempted some repairs on his own. I can't seem to find abnow anymore, BUT the computer will no longer connect to the wireless internet at either his home or mine. It will connect to the router, but tells me "local access only." My laptop works in both locations. The TCP/IP4 and TCP/IP6 both are selected to automatically obtain IP/DNS and DHCP is enabled.

    I'm not sure if this is still a malware issue, so I went through the steps, with a few exceptions. No internet, so I couldn't update anything. I removed AVG both through the Control Panel and through the AVG removal tool, with no success in running ComboFix. As a result, I will attach the AVG removal log instead of the ComboFix log.

    Still not seeing any apparent abnow issues, but still can't go anywhere on the internet, so it might just not have time to redirect.

    Oh - I also ran the TDSSKiller that has been recommended for abnow by others.

    TIA for ANY and ALL help!
     

    Attached Files:

  2. treydawgmt

    treydawgmt Private E-2

    Here are the rest of the files.
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, treydawgmt!

    I have attached tdx.zip.
    • Inside of tdx.zip is tdx.reg
    • Extract tdx.reg to your desktop and run it by double-clicking it.
    • Allow it to merge into the registry.
    • Now reboot your system.
    • Let me know if the internet was restored.
     

    Attached Files:

    • tdx.zip (629 bytes)
  4. treydawgmt

    treydawgmt Private E-2

    I ran the tdx file, and it did restore the internet! As soon as I restarted the internet from the tdx, Malware began recognizing lots of threats. I quarantined all of these as I ran an update to Malware and then a new quick scan. I've attached the new Malware log and a text doc of all the files quarantined.

    Let me know if there are other steps. I don't appear to have a redirect right now.

    Thanks!
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Here is the next step, we must stop the infection from its source first:

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      netbt.sys
      nsiproxy.sys
      svchost.exe
      tcpip.sys
      tdx.sys
      /md5stop
      %windir%\system32\*.dll /30
      %windir%\system32\*.dll /lockedfiles
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Attach OTL.txt to your next message. (How to attach)
     
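The `/md5start ... /md5stop` block in the OTL script above hashes a handful of network-stack drivers so the helper can compare them with known-good copies; ZeroAccess-style infections patch exactly these files, which is why the machine had "local access only". As an added example (not part of this thread and not OTL's code), the Python below performs the same kind of baseline comparison offline: it hashes the listed files under a System32 directory and reports each one as OK, MODIFIED or MISSING against a dictionary of expected SHA-256 digests. The directory, file contents and baseline are constructed in a temp folder for the demo; on a real machine the baseline would come from a clean system at the same Windows build and patch level.

```python
import hashlib
import tempfile
from pathlib import Path

# Files the OTL script above checks between /md5start and /md5stop,
# given relative to %windir%\System32 (drivers live in the drivers\ subfolder).
NETWORK_STACK_FILES = [
    "drivers/afd.sys", "drivers/netbt.sys", "drivers/nsiproxy.sys",
    "svchost.exe", "drivers/tcpip.sys", "drivers/tdx.sys",
]

def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need little memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_baseline(system32: Path, baseline: dict[str, str]) -> dict[str, str]:
    """Compare every file named in the baseline with its expected digest.
    Returns {relative_name: 'OK' | 'MODIFIED' | 'MISSING'}; a file that has
    been replaced or removed by a rootkit shows up as MODIFIED or MISSING."""
    results = {}
    for rel, expected in baseline.items():
        p = system32 / rel
        if not p.is_file():
            results[rel] = "MISSING"
        elif sha256_of(p) != expected:
            results[rel] = "MODIFIED"
        else:
            results[rel] = "OK"
    return results

def demo() -> dict[str, str]:
    """Constructed System32 tree (placeholder bytes, not real drivers) with one
    tampered driver and one missing file, then run the check against it."""
    root = Path(tempfile.mkdtemp())
    (root / "drivers").mkdir()
    baseline = {}
    for rel in NETWORK_STACK_FILES:
        clean = f"clean copy of {rel}".encode()
        baseline[rel] = hashlib.sha256(clean).hexdigest()   # known-good digest
        if rel != "drivers/nsiproxy.sys":                    # simulate a deleted file
            (root / rel).write_bytes(clean)
    # Simulate a patched tdx.sys, one of the drivers the thread's scan hashes.
    (root / "drivers" / "tdx.sys").write_bytes(b"placeholder for tampered driver")
    return verify_baseline(root, baseline)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9}{name}")
```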
  6. treydawgmt

    treydawgmt Private E-2

    Okay. OTL.txt is attached. Also, I forgot to say, after running the reg edit file you attached, there are now two shaded desktop.ini files on the desktop.

    Thanks!
     

    Attached Files:

    • OTL.Txt (322.5 KB)
  7. thisisu

    thisisu Malware Consultant

    Can you upload this file: C:\Windows\System32\MREMP50.dll

    To VirusTotal.com

    Let me know the results.
     
  8. thisisu

    thisisu Malware Consultant

    You still seem to be very heavily infected.

    I would recommend backing up your data first before proceeding. There have been quite a few boot issues lately with this variant of ZeroAccess.
     
  9. treydawgmt

    treydawgmt Private E-2

    I basically have the data backed up. (There is almost no data kept on this file. My uncle doesn't do much except surf the net.)

    It's a trojan according to VirusTotal.com.

    It's some variant of the following three on over half of the programs.

    Trojan.Sirefef.BP
    W32/ZeroAccess.D!tr
    ZeroAccess.dr.gen.d
     
  10. thisisu

    thisisu Malware Consultant

    Good to know. So now ZeroAccess is faking Company Name: Iomega

    This seems to be the latest variant of ZeroAccess your uncle has picked up :x

    We are going for a major fix here...
    I would prefer if you ran this fix while in Safe Mode for the highest chance of success.

    Attached is otlfix.txt
    Download and save this to your desktop.


    Now reopen OTL.
    Then drag otlfix.txt into the Custom Scans/Fixes text-field.
    You should see a bunch of text transferred over into the text-field.
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
     

    Attached Files:

  11. treydawgmt

    treydawgmt Private E-2

    Here's the OTL fix log. I did run in Safe Mode, but restarted back into regular mode since I forgot to hit F8! (I had to zip the text doc to get it to upload.)
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    Actually I prefer that you return to Normal Mode. I do not think OTL would have generated a complete log otherwise.

    This looks good! How is the computer running at this point?
     
  13. thisisu

    thisisu Malware Consultant

    After you answer I'd like you to run the following scans. Please note that we are running TDSSKiller a different way than you previously have on your own.

    I want you to read and follow these instructions: TDSSKiller - How to run

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  14. thisisu

    thisisu Malware Consultant

    Can you also let me know what issues you encountered when running ComboFix before?

    Was it just that AVG kept being detected? The more details you can provide the better.
     
  15. treydawgmt

    treydawgmt Private E-2

    Computer seems to be running better.

    A bit slow, but otherwise not bad. Do you want me to run those three programs in that order?

    And yes, ComboFix just kept telling me AVG 2012 is running. I ran the AVG removal tool twice, though.
     
  16. thisisu

    thisisu Malware Consultant

    Yes.
    Do this before attempting to run ComboFix again:

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Reset Registry Permissions
      • Repair WMI
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.

    Then try to download a new copy of ComboFix.exe and run it.
    It should not detect AVG anymore.
    Attach C:\ComboFix.txt if successful. (How to attach)
     
  17. treydawgmt

    treydawgmt Private E-2

    Ok, I ran the first two fixes Sunday night, then got sick for a few days... I'm still having problems with ComboFix. It runs now, but it got hung. I'm gonna try one more time, but I don't seem to be having any issues right now. Let me know.

    Thanks!
     

    Attached Files:

  18. thisisu

    thisisu Malware Consultant

    With this type of infection I would like to see a ComboFix log if you are able to provide one.

    We still need to work on repairing the Windows Firewall too.
     
  19. treydawgmt

    treydawgmt Private E-2

    I run ComboFix, and it goes to a blue DOS screen that says "Administrator: AutoScan" on the top and "Scanning for infected files... This typically doesn't take more than 10 minutes, However, scan times for badly infected machines may easily double."

    I'll leave that sit for 2 hours.

    Finally, if I try clicking on the blue box or doing something else, I get a "Freeware implementation of XCACLS has stopped working. Windows is checking for a solution to the problem...."

    I have ComboFix.exe in the C: drive root folder.
     
  20. thisisu

    thisisu Malware Consultant

    If you are not having problems, then running ComboFix probably is unnecessary. It's just a scan I like to run with these types of infections. Let's work on restoring your Windows Firewall.

    Run the following .bat file by right-mouse clicking it once and selecting "Run as Administrator".
    • C:\MGtools\FixWFW.bat

    Then reboot your PC.

    Then let me know if your Windows Firewall was restored after the PC has been rebooted.
     
  21. treydawgmt

    treydawgmt Private E-2

    Computer is restarting just fine (tried it a few times.) Firewall working both times. Internet working both times with no redirects. So far seems good? I hope!?
     
  22. thisisu

    thisisu Malware Consultant

    :cool Glad to hear it.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
