Zero Access Rootkit/Connection Problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by billyclyde, Nov 14, 2011.

  1. billyclyde

    billyclyde Private E-2

    The system is running pretty well. The rootkit seems to have hosed the connection though. Wifi and wire. I've tried to reset the TCP/IP settings via the command line, WinSock XP fix, and add/remove Windows features Network Services. When I try to reinstall the networking features from add/remove it says the "simptcp.dll" file is missing. The error message when I try to repair the connection says "cannot renew IP address".
     

    Attached Files:

    Last edited: Nov 14, 2011
  2. billyclyde

    billyclyde Private E-2

    more logs
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, billyclyde!

    Can you please also attach the MGlogs.zip from running MGtools.exe?

    It will be at the root of C: -- C:\MGlogs.zip

    You should uninstall one of these. Pick one you like and uninstall the other. Having more than one Antivirus can and typically will cause problems for you.
     
  4. billyclyde

    billyclyde Private E-2

    System is still working fast and smooth. I suspect though I'm missing some important .dll files here and there. Not sure about the MGlogs.zip those are the 3 I came up with.
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    These were INSIDE the MGlogs.zip archive.

    I just want you to attach the 1 MGlogs.zip file.
    It's one file with a bunch of logs inside of it.

    If you do not see this, run c:\MGtools\GetLogs.bat

    You are still having problems with your internet connection though, right?
     
  6. billyclyde

    billyclyde Private E-2

    yeah the connection is FUBAR. I'm sure all my tinkering compounded it.
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • ClamWin Free Antivirus 0.96.2.1 (unless you prefer this over avast!)
    • J2SE Runtime Environment 5.0 Update 4 (outdated)
    • Java(TM) 6 Update 26 (outdated)

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    • See the download links under this icon.
    • Double-click MessengerDisable.exe
    • Place a check-mark in Uninstall Windows Messenger
    • Click Apply
    • Click Exit

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)

    ComboFix.exe should not have been run from here. Please place it on your desktop for the next step.

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:1069
    uInternet Settings,ProxyOverride = *.local
    Driver::
    15181e2a
    FCopy::
    C:\WINDOWS\I386\PROQUOTA.EX_ | c:\windows\system32\proquota.exe
    File::
    C:\Documents and Settings\Stephen M. Wynne\Application Data\1072892508\1072892508.exe
    C:\Documents and Settings\Stephen M. Wynne\Local Settings\Application Data\73648-88365-27475-00IP7-22847
    C:\WINDOWS\temp\sig10.tmp
    C:\WINDOWS\temp\sig11.tmp
    C:\WINDOWS\temp\sig16.tmp
    C:\WINDOWS\temp\sigA.tmp
    C:\WINDOWS\temp\sigB.tmp
    C:\WINDOWS\temp\sigC.tmp
    C:\WINDOWS\temp\sigE.tmp
    C:\WINDOWS\temp\sigF.tmp
    Folder::
    C:\Documents and Settings\Stephen M. Wynne\Application Data\1072892508
    c:\documents and settings\Stephen M. Wynne\Local Settings\Application Data\15181e2a
    c:\windows\$NtUninstallKB62669$
    C:\Documents and Settings\Stephen M. Wynne\Local Settings\Application Data\awfkwdtjn
    C:\Documents and Settings\Stephen M. Wynne\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150040}
    C:\WINDOWS\system32\config\systemprofile\Application Data\McAfee.com Personal Firewall
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\AutorunsDisabled]
    "1072892508"=-
    SecCenter::
    AV: McAfee VirusScan *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall Plus *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    MGtools.exe should have been run from: C:\MGtools.exe

    Test your internet connection now... If it still is not working, try the below FixIt tool

    Please download Microsoft Fix it 50203 to your desktop.
    • Double-click it to run.
    • Reboot when asked to.

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Note: This will automatically update all the logs inside MGlogs.zip

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
    Last edited: Nov 14, 2011
  8. billyclyde

    billyclyde Private E-2

    No result on the connection. Yesterday, before I posted here, I did remove the Network Services settings from add/remove Windows Components. I was not able to reinstall them. After running the tasks today when I try to repair the connection it says it can't renew my IP address. In the Wireless Network Connection Status window under support tab when I hit repair it also says "Invalid IP address" and IP address and Subnet Mask are both "0.0.0.0"
     

    Attached Files:

    Last edited: Nov 15, 2011
  9. thisisu

    thisisu Malware Consultant

    You may have just caused another Windows problem for yourself, but it does not appear to be required, as I just tried it on one of my own machines and I still have internet access.

    A couple of things I wanted to correct with that CFScript were unsuccessful, so let's try another way...

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Viewpoint Media Player

    Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Shut down your protection software now to avoid possible conflicts.
    Note: This is actually Trend Micro HiJackThis - v2.0.4
    Choose Do a system scan only and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:
    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    Test your internet connection now. HJT's (analyse.exe) fix should be immediate (should NOT require a restart).
     
  10. billyclyde

    billyclyde Private E-2

    I'm grateful you're putting in the time to help me out here. Unfortunately, the HJT process didn't solve the problem. I also tried to reset the TCP/IP stack and the Winsock fix and neither helped. When I try to repair it's still saying it can't renew the IP address. When I go to the command line for ipconfig /release & renew it says "an operation was attempted on something that is not a socket" or "a socket operation encountered a dead network."

    Edit: I don't know if this means anything, but in the wireless network connection status it still shows a flow of packets coming in and out.
     
    Last edited: Nov 15, 2011
  11. thisisu

    thisisu Malware Consultant

    Thanks for providing the error messages you were receiving ;)

    Ok, so the TCP/IP stack is completely dead.

    Here are the manual instructions on how to fix this.

    Delete the following keys from the registry: (Start > run > regedit)
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
    Close the Registry Editor.

    Locate the Nettcpip.inf file in %winroot%\inf ( c:\windows\inf ), and then open the file in Notepad.
    Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xa0 entry by replacing 0xa0 with 0x80. Save the file. Exit Notepad.
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy manufacturer's files from text box, type c:\windows\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK.

    Note This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
    Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy Manufacturer's files from text box, type c:\windows\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK.
    Restart your computer.
    Test your Internet connectivity.
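The registry and INF steps of the manual reset above, as an added PowerShell script written for this page (it is not from the thread and not a MajorGeeks tool). It backs up the two Winsock keys to .reg files before deleting them, keeps a copy of nettcpip.inf, and only then changes `Characteristics = 0xa0` to `0x80` under `[MS_TCPIP.PrimaryInstall]`, which is what makes Internet Protocol (TCP/IP) uninstallable. The Network Connections steps (Install > Protocol > Have Disk, Uninstall, reinstall) and the reboot still have to be done by hand afterwards. Paths assume a default `%SystemRoot%`; run it elevated.

```powershell
# Added example, not from the thread: scripted backup + preparation for the
# manual TCP/IP stack reset (delete Winsock keys, patch nettcpip.inf).
# Nothing is deleted or edited without a copy landing in $backupDir first.

$backupDir = Join-Path ([Environment]::GetFolderPath('Desktop')) 'tcpip-reset-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Step 1: export, then delete, the Winsock and Winsock2 service keys.
foreach ($key in 'Winsock', 'Winsock2') {
    $regPath = "HKLM\SYSTEM\CurrentControlSet\Services\$key"
    $backup  = Join-Path $backupDir "$key.reg"
    Remove-Item -Path $backup -ErrorAction SilentlyContinue   # reg.exe prompts if it exists
    & reg.exe export $regPath $backup | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$key" -Recurse -Force
        Write-Host "Deleted $regPath (backup: $backup)"
    } else {
        Write-Host "$regPath not present, nothing to delete"
    }
}

# Step 2: patch nettcpip.inf so TCP/IP shows up as removable (0xa0 -> 0x80),
# touching only the Characteristics line inside [MS_TCPIP.PrimaryInstall].
$inf = Join-Path $env:SystemRoot 'inf\nettcpip.inf'
Copy-Item -Path $inf -Destination (Join-Path $backupDir 'nettcpip.inf.orig') -Force
$inSection = $false
$patched   = $false
$out = foreach ($line in (Get-Content -Path $inf)) {
    if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'MS_TCPIP.PrimaryInstall') }
    if ($inSection -and $line -match '^\s*Characteristics\s*=\s*0xa0\b') {
        $patched = $true
        $line -replace '^(\s*Characteristics\s*=\s*)0xa0\b', '${1}0x80'
    } else {
        $line
    }
}
if ($patched) {
    Set-Content -Path $inf -Value $out -Encoding ASCII
    Write-Host "Patched $inf (original copy in $backupDir)"
} else {
    Write-Host "Characteristics = 0xa0 not found under [MS_TCPIP.PrimaryInstall]; $inf left unchanged"
}
```

If something goes wrong, the exported .reg files can be merged back with a double-click and nettcpip.inf.orig copied over the patched file, which is the reason the backup comes first rather than as an afterthought.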
     
  12. billyclyde

    billyclyde Private E-2

    After deleting the files, registry edit, and when I get to this step:

    "Note This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
    Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes."


    the network connection thing in the tray started showing me as connected instead of the yellow triangle but I still couldn't access any pages. When I proceeded to the next step and rebooted I got the same error messages as before.

    edit: tried the process again and though the tray icon shows me as connected the computer does not show me as having any network device installed or that it is turned off
     
  13. thisisu

    thisisu Malware Consultant

    Start > run > devmgmt.msc > ENTER

    Are there any devices here that have a red X in them or a yellow !

     
  14. billyclyde

    billyclyde Private E-2

    Yes, I had it disabled the first time I went through the process. Do I need to run through the whole thing again, including deleting the files and the registry editing, or just the install/delete of the TCP/IP stuff?
     
  15. thisisu

    thisisu Malware Consultant

  16. billyclyde

    billyclyde Private E-2

    Was that post for me? Either way, I made sure the proxy server box was not checked.
     
  17. thisisu

    thisisu Malware Consultant

    Couple of questions for you.

    • You mean you disabled it on purpose when you went through the READ and RUN ME?
    • What was marked as disabled?
    • What process are you referring to?

    The infection is what may have disabled it (your network devices). You should not disable it on your own!
    Which files are you referring to? The manual instructions request that you delete registry keys. No files are involved.

    You may want to try those manual instructions again as they should work for you as it sounds like the problem is a bad tcp/ip stack.

    Remember though, you're only deleting registry keys while in regedit.
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
     
  18. billyclyde

    billyclyde Private E-2

    I'm sure that it was disabled (Local Access Connection) when I went through the process you gave this evening with the deleting keys, reg editing, etc. I've enabled all the network devices and will start that process again from the beginning
     
  19. thisisu

    thisisu Malware Consultant

    Ok. :)
     
  20. billyclyde

    billyclyde Private E-2

    Same result as before. After I do the step that allows me to uninstall the TCP/IP protocol I'm forced to restart for changes to take effect. When I restart the connection icon in the bottom right tray shows me as connected yet I can't get anywhere in the browser. I then go back through the install process for the protocol and after that reboot I'm back to the same ol' yellow triangle.
     
  21. thisisu

    thisisu Malware Consultant

    Perhaps the notes should have said that, but yes, you are supposed to reboot here.

    Otherwise, you will NOT be able to find Internet Protocol (TCP/IP) from the c:\windows\inf list.

    I have attached a fixme.zip file to this message.
    Inside of it is
    • fixme.bat
    Please extract fixme.bat to your desktop and run it (from your desktop! / not from the .zip file!) by double-clicking on it.

    Attach the fixme_results.txt log file that appears on your desktop afterwards.
     

    Attached Files:

  22. billyclyde

    billyclyde Private E-2

    Those results seem to confirm what I saw late last night. Seems to be saying that my network hardware is not connected or something, though we already confirmed that all my network devices are enabled. I was also getting some sort of error message and I can't remember exactly but it had "xferr", some numbers and the word "socket" in it.
     

    Attached Files:

  23. thisisu

    thisisu Malware Consultant

    Can you uninstall and reinstall the below network adapter devices from Device Manager
    • Intel(R) PRO/100 VE Network Connection
    • Intel(R) PRO/Wireless 3945ABG Network Connection
    If asked to delete driver software, choose No.

    Just uninstall both of them, then click "scan for hardware changes" and let them reinstall again.

    You may also want to try resetting your Modem and/router and see if that helps.

    If this does not work, attach a new MGlogs.zip by running c:\mgtools\GetLogs.bat
     
    Last edited: Nov 16, 2011
  24. billyclyde

    billyclyde Private E-2

    No luck.

    Reinstalled the devices. Reset the router. LAN settings boxes are unchecked. Devices are enabled. In Network Connection > Local Area Connection I can check the TCP/IP properties and confirm Auto IP and DNS. In the list there is also Microsoft TCP/IP v6 and the properties button for that one is not able to be clicked. IP config still had the message "socket operation encountered a dead network".
     

    Attached Files:

  25. thisisu

    thisisu Malware Consultant

    According to your logs, you are still behind a proxy...

    This is most likely not something you set yourself.

    Can you completely disable Avast (or uninstall it) and uninstall SuperAntiSpyware?

    Retry removing this line from HJT again

    Then run another scan with HJT and see if it has reappeared / was not deleted.
     
  26. thisisu

    thisisu Malware Consultant

    Here are a couple of other scans I would like you to run.

    Hitman Pro
    Hitman Pro may detect a bad proxy server, if so, allow the program to Repair this.

    Please download OTL by Old Timer to your desktop.
    • See the download links under this icon.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • For Drivers and Services, select "All" for both.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      explorer.exe
      ipsec.sys
      netbt.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\netbt
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\ipsec
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)
     
  27. thisisu

    thisisu Malware Consultant

    Microsoft TCP/IP v6 should NOT be listed here.
    I have a feeling you accidentally chose Microsoft TCP/IP v6 whenever you got to this step of the manual instructions for resetting a completely dead TCP/IP stack:
    There's a difference!!!
    • Microsoft TCP/IP version 6
    • Internet Protocol (TCP/IP)

    I would reread those instructions and execute exactly as it says.
     
  28. billyclyde

    billyclyde Private E-2

    Avast and SAS completely uninstalled.

    Deleted that line from HJT and ran a couple more scans and it didn't come back.

    Hitman wouldn't work without an internet connection. OTL logs are attached.

    I'm pretty sure I didn't select v6 but I will do it again to make sure.
     

    Attached Files:

  29. thisisu

    thisisu Malware Consultant

    It was something I overlooked. I did not notice that you let TDSSKiller quarantine afd.sys.

    ========WARNING========
    The below is specifically for billyclyde's computer
    Do NOT run the below if you are not billyclyde
    Doing so may damage your PC!
    ========WARNING========

    Try the below steps.

    I have attached afd.zip to this message.
    Inside of it are 3 files
    • afd.sys
    • afd.reg
    • fixme2.bat
    Extract afd.sys to the following folder: C:\windows\system32\drivers
    If prompted to overwrite, allow it to overwrite.
    Go ahead and test your internet connection now as that may have been enough to fix it.

    If not, continue with the rest of these steps.

    Extract afd.reg to your desktop
    Extract fixme2.bat to your desktop

    Now double-click afd.reg and allow it to merge into the registry. If you get a successful message, reboot your PC for the changes to take effect.

    Once you have rebooted.. run fixme2.bat by double-clicking it

    Attach the fixme2_results.txt log that it produces on your desktop.

    Now test your internet connection.
     

    Attached Files:

    • afd.zip
      File size:
      77.2 KB
      Views:
      81
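A read-only triage script for the failure mode worked out across thisisu's posts 11, 25 and 29 (dead Winsock stack, a loopback proxy left behind by the infection, and afd.sys missing after quarantine). This is an added example written for this page, not a tool from the thread or from MajorGeeks. It only reads the registry and the file system and creates one local socket; it changes nothing. The "clean" values it compares against (AFD `Start=1`, `Type=1`) are assumptions for a default installation of that era, so check them against a known-good machine of the same Windows version before treating a mismatch as a finding. Run it in an elevated PowerShell on the affected machine.

```powershell
# Added example, not from the thread: read-only checks for the Winsock/AFD/proxy
# problems discussed in this thread. Nothing here modifies the system.

function Test-WinsockStack {
    $findings = New-Object System.Collections.ArrayList

    function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
        [void]$findings.Add([pscustomobject]@{ Check = $Check; OK = $Ok; Detail = $Detail })
    }

    # 1. Winsock catalog keys. Both must exist; without them socket calls fail
    #    before any packet leaves the box.
    foreach ($key in 'Winsock', 'Winsock2') {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$key"
        Add-Finding "Registry key $key" (Test-Path $path) $path
    }

    # 2. AFD, the Ancillary Function Driver for Winsock. In this thread afd.sys
    #    had been quarantined by TDSSKiller, which is what killed the stack.
    $afdKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD'
    $afdFile = Join-Path $env:SystemRoot 'system32\drivers\afd.sys'
    if (Test-Path $afdKey) {
        $afd = Get-ItemProperty -Path $afdKey
        # Assumed clean values: Start=1 (system start), Type=1 (kernel driver)
        Add-Finding 'AFD service Start=1' ($afd.Start -eq 1) "Start=$($afd.Start) ImagePath=$($afd.ImagePath)"
        Add-Finding 'AFD service Type=1'  ($afd.Type -eq 1)  "Type=$($afd.Type)"
    } else {
        Add-Finding 'AFD service key' $false "$afdKey is missing"
    }
    if (Test-Path $afdFile) {
        # MD5 so the value can be compared with the /md5start list in an OTL log
        $md5    = [System.Security.Cryptography.MD5]::Create()
        $stream = [System.IO.File]::OpenRead($afdFile)
        try     { $hash = ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $stream.Close() }
        $info = Get-Item -Path $afdFile
        Add-Finding 'afd.sys present' $true "$($info.Length) bytes, modified $($info.LastWriteTime), MD5 $hash"
    } else {
        Add-Finding 'afd.sys present' $false "$afdFile is missing (quarantined or deleted?)"
    }

    # 3. A proxy aimed at the local host is the classic sign of something wanting
    #    to sit between the browser and the network; the CFScript earlier in the
    #    thread removed exactly such an entry (http=127.0.0.1:1069).
    $inet     = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $proxy    = [string]$inet.ProxyServer
    $loopback = ($proxy -match '127\.0\.0\.1|localhost')
    Add-Finding 'No loopback proxy' (-not $loopback) "ProxyEnable=$($inet.ProxyEnable) ProxyServer='$proxy'"

    # 4. Live test of the stack without touching the network: merely creating a
    #    socket is enough to surface WSAENOTSOCK (10038) or WSAENETDOWN (10050),
    #    the two errors ipconfig reported in this thread, when Winsock/AFD is broken.
    try {
        $sock = New-Object System.Net.Sockets.Socket -ArgumentList @(
            [System.Net.Sockets.AddressFamily]::InterNetwork,
            [System.Net.Sockets.SocketType]::Dgram,
            [System.Net.Sockets.ProtocolType]::Udp)
        $sock.Close()
        Add-Finding 'Winsock socket creation' $true 'UDP socket created and closed'
    } catch {
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap New-Object's wrapper
        $code = if ($ex -is [System.Net.Sockets.SocketException]) { $ex.ErrorCode } else { 'n/a' }
        Add-Finding 'Winsock socket creation' $false "Error $($code): $($ex.Message)"
    }

    return $findings
}

Test-WinsockStack | Format-Table Check, OK, Detail -AutoSize
```

Any row with `OK = False` points at the layer to look at first: missing Winsock keys or a failed socket creation means the stack itself, a missing or unexpected afd.sys means the driver (compare the MD5 with a clean copy from the same service pack), and a loopback proxy means browser traffic is being redirected even though the adapter looks fine.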
  30. billyclyde

    billyclyde Private E-2

    Success!

    I overwrote the afd.sys file and upon reboot it took a moment and then it did an automatic reinstall of the hardwire and drivers. Though, when I rebooted again it went through the same process of detecting the wireless network adapter, installing it, and finding the drivers for it.
     
  31. thisisu

    thisisu Malware Consultant

    Good to hear, are you having any other issues?
     
  32. billyclyde

    billyclyde Private E-2

    Everything is good. But I'm a bit concerned about what it might mean that every time I reboot it has to rediscover the wireless card, reinstall it and the drivers. Is that something that could cause future problems?
     
  33. thisisu

    thisisu Malware Consultant

    It's an annoyance above anything IMO.

    The drivers are reinstalled successfully each time the PC reboots? How many times have you rebooted? Are there any devices in Device Manager with errors?
     
  34. billyclyde

    billyclyde Private E-2

    It sort of seems like it's detecting two new devices at the same time. It detects, reinstalls the hardware and drivers, then gives me an error on one of the new devices. In the device manager all the network adapters look fine but then there's an "Other Device" thing opened up with the yellow exclamation point on an "Unknown Device".
     
  35. thisisu

    thisisu Malware Consultant

    I'm thinking it may be the two drivers from SUPERAntiSpyware since we did uninstall it earlier.

    Run the below fix and let me know if you have any other problems.

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      :otl
      O3 - HKU\S-1-5-21-2375064488-2847203173-3650136717-1005\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
      O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
      [6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [2009/04/03 10:03:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
      [2010/07/19 13:53:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
      [2009/09/11 11:49:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
      [2009/04/10 12:15:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
      [2008/05/04 21:09:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stephen M. Wynne\Application Data\Viewpoint
      [2008/12/28 10:22:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
      :services
      SASDIFSV
      SASKUTIL
      :files
      xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
      xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
      xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
      xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
      :commands
      [purity]
      [clearallrestorepoints]
      [emptytemp]
      [resethosts]
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)
     
  36. billyclyde

    billyclyde Private E-2

    Perfect. You are a genius. Thanks for everything!
     
  37. thisisu

    thisisu Malware Consultant

    You're welcome. Surf safely!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  38. billyclyde

    billyclyde Private E-2

    New symptom: All of a sudden the monitor display flickers twice and loses illumination. Even after reboot it will flicker twice. The computer seems to function still and I can see the desktop there but there's no illumination.

    Edit: I can still see and do some function if I hold up a flashlight to the screen. Everything seems to be functional, including the connection
     
  39. thisisu

    thisisu Malware Consultant

    This does not sound malware related. More like hardware related, possibly the laptop's backlight or inverter is going bad? I am not sure.
     
  40. billyclyde

    billyclyde Private E-2

    I bet you're right. I already cracked it open and jiggered the plugs. Quite the timing, eh? Anyway. Everything else still running good. Sorry to bother.
     
  41. thisisu

    thisisu Malware Consultant

    Quite the timing indeed :-D

    No problem :)
     
