Virus prevents starting windows firewall and internet connectivity

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by anton48, Nov 25, 2011.

  1. anton48

    anton48 Private E-2

    On Tuesday (11/22), I suspect I got a virus because a window popped up that was not my security scanner and said I had a virus and needed to perform a scan now to remove it. I instantly turned my computer off.

    When I restarted the system, the 'Windows Security Alert' icon was red with an 'x' through it. I clicked on the icon which brought up the 'Windows Security Center'. In that window, my 'Firewall' was turned off. I tried to turn the firewall back on and received the following error:
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to the Malware Removal Forum.

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. anton48

    anton48 Private E-2

    On Tuesday (11/22), I suspect I got a virus because a window popped up that was not my security scanner and said I had a virus and needed to perform a scan now to remove it. I instantly turned my computer off.

    When I restarted the system, the 'Windows Security Alert' icon was red with an 'x' through it. I clicked on the icon which brought up the 'Windows Security Center'. In that window, my 'Firewall' was turned off. I tried to turn the firewall back on and received the following error: "We're sorry. The Security Center could not turn on Windows Firewall. To try turning on the firewall yourself, go to Windows Firewall in Control Panel. In the Windows Firewall dialog General tab, select On (recommended), and then click OK.

    When I attempted to perform this task, I received the following message: "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?".

    I clicked 'Yes' and received the following message: "Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service.

    I then went to the 'Services' tab under 'Administrative Tools' and attempted to manually start the service. When attempting to do this, I received the following message: "Could not start the Windows Firewall/Internet Connection Sharing (ICS) service on Local Computer. Error 10050: A socket operation encountered a dead network."

    I then attempted to visit the internet to research the error message; however, I was unable to connect. My wireless adapter kept getting hung up on 'Acquiring Network Address'. I went back to the 'Services' to ensure that everything having to do with my wireless was running and tried again. Still no luck. I then borrowed my wife's laptop (wireless connection on same network) and it worked just fine. After several hours of reading different forums, I found myself here.

    I read many of the posts and was unable to identify the problem, which is why I am now attempting my first post. I read the 'READ AND RUN ME FIRST' post and followed all the directions with little complication when running the ComboFix software. It is as follows.

    First, after starting the software, a dialog box popped up stating that I didn't have the Windows Recovery Console installed and would I like to have it installed. I chose 'No' because I didn't have internet connectivity and continued on with the process.

    Then, after scanning several items, another dialog box popped up with stating "You are infected with Rootkit ...?". I tried to search the internet regarding the message; however, ComboFix restarted my computer before I could get all the information copied.

    Anyway, I've attempted to run all the scans to the best of my ability (what my computer allows) and have attached four of the log files as requested. The other log files will be in the next reply. Also, when running the SAS scanner, I accidentally ran a quick scan which found several errors. I've attached both the log from the quick scan and the full system scan. Your assistance in this matter is much appreciated.

    Kind Regards,
    Anton
     

    Attached Files:

  4. anton48

    anton48 Private E-2

    Here are the other log files.

    Kind Regards,
    Anton
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\Documents and Settings\LocalService\Local Settings\Application Data\dwfvycmvv
    
    Driver::
    dafvcgkm
    
    File::
    c:\windows\000002_.tmp
    c:\windows\system32\drivers\dafvcgkm.sys
    
    Folder::
    C:\Documents and Settings\LocalService\Local Settings\Application Data\AskToolbar
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Viewpoint
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\AskToolbar
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.


    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
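    As an added example (not part of the thread and not one of the tools it uses), the PowerShell script below enumerates the things the CFScript above targets, so an operator can see them before running ComboFix and confirm they are gone afterwards. It assumes the Windows XP layout used in the thread, an elevated PowerShell 2.0 or later session, and only the CLSID, driver name and folder paths that appear in the CFScript; nothing else is assumed about the infection.

```powershell
# Added example, not part of the thread: enumerate the objects the CFScript above targets
# so the operator can see them before the run and confirm they are gone afterwards.
# Assumptions: Windows XP layout as in the thread, an elevated PowerShell 2.0+ session,
# and the CLSID / driver name / folders taken from the CFScript (no other identifiers).

$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Every Browser Helper Object is a subkey named by CLSID; the DLL Internet Explorer loads
# for it is the default value of HKCR\CLSID\{clsid}\InprocServer32.
function Get-BrowserHelperObject {
    if (-not (Test-Path $bhoRoot)) { return }
    foreach ($key in Get-ChildItem $bhoRoot) {
        $clsid  = $key.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        $exists = $false
        if (Test-Path $server) {
            $dll = (Get-ItemProperty $server).'(default)'
            if ($dll) {
                $exists = Test-Path ([Environment]::ExpandEnvironmentVariables($dll).Trim('"'))
            }
        }
        New-Object PSObject -Property @{ CLSID = $clsid; Dll = $dll; FileOnDisk = $exists }
    }
}

# A name listed under Driver:: is a service key under HKLM\SYSTEM\CurrentControlSet\Services.
# Type 1 means a kernel driver; Start 0 or 1 means it loads at boot, before any scanner runs.
function Get-DriverEntry {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty $key
    New-Object PSObject -Property @{
        Name       = $Name
        Type       = $p.Type
        Start      = $p.Start
        ImagePath  = $p.ImagePath
        FileOnDisk = Test-Path (Join-Path $env:SystemRoot "system32\drivers\$Name.sys")
    }
}

'--- Browser Helper Objects (the CFScript removes {3049C3E9-B461-4BC5-8870-4C09146192CA}) ---'
Get-BrowserHelperObject | Format-Table CLSID, FileOnDisk, Dll -AutoSize

'--- Driver named in the CFScript ---'
$d = Get-DriverEntry 'dafvcgkm'
if ($d) { $d | Format-List Name, Type, Start, ImagePath, FileOnDisk }
else    { 'No service key for dafvcgkm (already removed, or hidden from user mode by a rootkit)' }

'--- Folders named in the CFScript ---'
$profiles = "$env:SystemDrive\Documents and Settings"
foreach ($f in @(
    "$profiles\LocalService\Local Settings\Application Data\dwfvycmvv",
    "$profiles\LocalService\Local Settings\Application Data\AskToolbar",
    "$profiles\LocalService\Local Settings\Application Data\Viewpoint",
    "$profiles\NetworkService\Local Settings\Application Data\AskToolbar")) {
    '{0,-6} {1}' -f (Test-Path $f), $f
}
```

    One caveat a practitioner would keep in mind: these checks go through the normal user-mode registry and file APIs, which an active kernel-mode rootkit can filter. "Not present" here only counts as confirmation once the rootkit driver is gone, which is why the post also asks for TDSSKiller and MBRCheck rather than relying on registry listings alone.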
     
  6. anton48

    anton48 Private E-2

    First off, thanks for your reply. I really appreciate you taking the time to help. Now on with what I've done.

    I began by running ComboFix from my desktop as requested. Once it began running, I received the following message:

    "ComboFix has detected the following real time scanner(s) to be active:

    antivirus: Microsoft Security Essentials

    Antivirus and intrusion prevention programs are known to interfere with ComboFix's running. This may lead to unpredictable results or possible machine damage.

    Please disable these scanners before clicking 'OK'."

    I then verified the settings of Microsoft Security Essentials by opening up the program and going to the settings tab. Under "Real Time Protection", I verified that the box was unchecked. I then clicked on 'OK' to proceed. Upon doing this, I received the following message:

    "antivirus: Microsoft Security Essentials

    The above real time scanner(s) are still active but ComboFix shall continue to run. Kindly note that this is at your own risk."

    I then re-verified that the real time protection was disabled for Microsoft Security Essentials and since it was, I clicked 'OK' to continue. The program began to run and then I received the following message:

    "This machine does not have the 'Microsoft Windows Recovery Console' Installed. Alternatively, an existing installation of the recovery console may be present but requires updating.

    Without it, ComboFix shall not attempt the fixing of some serious infections.

    Click 'YES' to have ComboFix download/install it.

    NOTE: this requires an active internet connection."

    Since I don't have an active internet connection (one of my two known problems), I clicked 'NO' and the program continued. The program completed and created the log report (attached). I then went on to the next step of running the TDSSkiller with no problems (log attached). Next step was to run the MBRCheck from the desktop which also ran successfully (log attached). The final step was to run the GetLogs.bat file which resulted in the following message:

    "HiJackThis Error

    Please help us imporve HiJackThis by reporting this error.

    Click 'YES' to submit.

    Error Details:

    An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=system.ini,sSection=boot,sValue=shell)

    Error#5 - Invalid procedure call or argument.

    Windows Version: Windows NT 5.01.2600
    MSIE Version: 8.0.6001.18702
    HiJackThis Version: 2.0.4"

    Since I don't have an active internet connection, I clicked 'NO' and continued on. The program finished running and the log is attached.

    Questions:

    1. Should I uninstall Microsoft Security Essentials in order to allow ComboFix to run without errors since just unchecking the real time protection doesn't seem to be working?

    2. Is there a way to manually install the 'Microsoft Windows Recovery Console' to allow ComboFix to correct serious errors?

    Current status of system:

    I'm still unable to get the Firewall to work by any method that I'm aware of. I continue to get the following error when trying to manually start the service:

    "Could not start the Windows Firewall/Internet Connection Sharing (ICS) service on Local Computer.

    Error 10050: A socket operation encountered a dead network."

    Also, I'm still unable to connect to my network. The wireless connection can see my network; however, it gets hung up on 'Acquiring network address'.

    I'm now going to leave the computer in this state until further direction is given. Once again, thank you so much for your assistance with this matter.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am seeking advices about this. Thanks for your patience.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the below file:

    C:\WINDOWS\system32\dllcache\afd.sys

    Into the below folder;

    C:\Windows\system32\drivers


    If you can get it copied there, reboot your PC and check that it still is in the drivers folder after reboot.

    Also rerun c:\MGtools\GetLogs.bat and attach a new MGlogs.zip log. See if you can connect to the internet too.
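    As an added example (not part of the thread), the PowerShell script below does what this post asks, with the checks a practitioner would want around it: it reports the state of the AFD driver service and the Windows Firewall/ICS service (service name SharedAccess), compares the live afd.sys against the Windows File Protection copy in dllcache, and restores it only if it is missing or differs. It assumes the 32-bit Windows XP paths used in the thread and an elevated PowerShell 2.0 or later session; the hash helper and the .suspect file name are this example's own choices.

```powershell
# Added example, not part of the thread: check the Winsock driver that chaslang had restored
# and, if it is missing or differs from the Windows File Protection cache copy, put it back.
# Assumptions: 32-bit Windows XP paths as in the thread and an elevated PowerShell 2.0+ session.

$drivers = Join-Path $env:SystemRoot 'system32\drivers\afd.sys'
$cache   = Join-Path $env:SystemRoot 'system32\dllcache\afd.sys'

# SHA-256 of a file via .NET so the script also works on PowerShell 2.0 (no Get-FileHash).
function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $hash = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

# Winsock is layered on the AFD kernel driver (afd.sys), which is why a missing driver
# surfaces as socket error 10050 (WSAENETDOWN) when the firewall/ICS service starts.
$afd = Get-WmiObject Win32_SystemDriver -Filter "Name='AFD'"
if ($afd) { 'AFD driver: State={0} StartMode={1} Path={2}' -f $afd.State, $afd.StartMode, $afd.PathName }
else      { 'AFD has no driver service entry; the registry key itself needs restoring, not just the file' }

$fw = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if ($fw) { 'SharedAccess (Windows Firewall/ICS): {0}' -f $fw.Status }

if (-not (Test-Path $cache)) {
    Write-Warning "No cache copy at $cache; take afd.sys from an XP install CD or a clean machine at the same service pack level"
    return
}
$want = Get-FileSha256 $cache

if (-not (Test-Path $drivers)) {
    'afd.sys is missing from the drivers folder; restoring it from dllcache'
    Copy-Item $cache $drivers
}
elseif ((Get-FileSha256 $drivers) -ne $want) {
    'afd.sys differs from the dllcache copy; keeping the odd one as afd.sys.suspect and replacing it'
    Copy-Item $drivers "$drivers.suspect" -Force
    Copy-Item $cache $drivers -Force
}
else {
    'afd.sys matches the dllcache copy (SHA-256 {0})' -f $want
}

'Reboot, then run this again: the file must still be present and unchanged afterwards.'
```

    Two caveats. A match against dllcache only shows the two copies agree; a rootkit that reached the cache could leave both bad, so for real assurance compare the hash with afd.sys from a known-clean XP machine at the same service pack. And XP system files carry catalog signatures rather than embedded ones, so Get-AuthenticodeSignature on that PowerShell version will not vouch for them either way. The reboot check is the same one chaslang asks for: if the file disappears again after a restart, something still running at boot is removing it.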
     
  9. anton48

    anton48 Private E-2

    Chaslang, you are nothing short of godlike. I found the file as you said and copied it into the drivers folder. I then rebooted my computer. The file was still in the drivers folder when I checked it.

    I then attempted to connect to the internet, and walla!:-D

    I then immediately disconnected from the internet because I remembered that I also had a problem with the Windows Firewall. I went to Control Panel and Windows Firewall to see if I could check on its status and walla, it was working as well.:-D

    Kestrel13 and Chaslang, you guys are both awesome. As far as I can tell, everything seems to be working fine. I've rerun the GetLogs.bat as you asked and have attached that to this reply.

    One question, of all the files/programs that I've downloaded in this posting, which ones should I keep and which ones should I remove? Also, is there any special way to remove any of the files when told to do so. I will be keeping everything on until I hear confirmation from the MGTools log file that everything is ok.

    My mistake, one more question, is there any antivirus/spyware/firewall software that either of you recommend instead of what I have installed? I currently use Malwarebytes for spyware, Microsoft Security Essentials for real time antivirus protection, and Microsoft Windows Firewall for my firewall.

    Once again, thank you guys so much.

    Kind Regards,
    Anton48
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think the below final instructions should address your questions.
    The free version of Malwarebytes provides NO protection. Are you using the free version?

    The Windows Firewall is inadequate as you will see in the link below.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  11. anton48

    anton48 Private E-2

    Chaslang,

    Once again, thanks for all your help.

    I was using the free version of the Malwarebytes; however, I was only using it as a scanner. Since I only had the Windows Firewall, I took your advice and downloaded the Comodo Firewall. As far as the antivirus is concerned, I currently use Microsoft Security Essentials; however, I was thinking of changing over to the Avira software. It sounds like it has quite a bit more protection than Microsoft Security Essentials.

    Anyway, thanks again. Everything is still running ok. As far as I'm concerned, this thread can be closed.

    Kind Regards,
    Anton
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
