Could not access the internet

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jeffandalyssa, Aug 26, 2012.

  1. jeffandalyssa

    jeffandalyssa Private E-2

    Dell Dimension 3000 running Windows XP Pro Service Pack 3. Originally receiving the message 'DNS Lookup failed' when trying to access the internet from Firefox, Internet Explorer, and Google Chrome.
    The original Malwarebytes scan found trojan.zaccess, which was removed, but I was still not able to connect.
    Getting the message 'system restore is not able to protect your computer. Please restart your computer and then run system restore again' when trying to run System Restore. Cannot start the computer in safe mode via F8 and cannot change boot settings via F2 in order to run a system recovery using the installation CD.
    Ran all the scans in the Malware Removal Procedure and I am now able to get to the internet, but I am still having the same problems with System Restore. Also, on system startup the folder 'c:\windows\system32' automatically pops up.
    Malwarebytes is not finding anything, but I am attaching the logs for RogueKiller, TDSSKiller, HitmanPro, and MGtools. Any help will be appreciated. Thank you!
     


  2. thisisu

    thisisu Malware Consultant

    Hello jeffandalyssa,

    Delete items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Once the scan is complete, go to the Registry tab and checkmark everything except the below items:
    • [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0)
    • [HJ] HKLM\[...]\System : EnableLUA (0)
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[3].txt
    Attach RKreport[3].txt to your next message. (How to attach)

    __

    Please download and run ComboFix and attach its log.
    Read these instructions on how to use it: How to use ComboFix
    Do not uninstall ComboFix yet as we may need it to fix remaining malware issues.

    __

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure all the options are checked
    • Press Scan.
    • It will create a log (FSS.txt) in the same directory the tool was run.
    • Please attach FSS.txt to your next message. (How to attach)
     
  3. jeffandalyssa

    jeffandalyssa Private E-2

    Hi thisisu,

    Thank you for the prompt reply to my post. I ran the requested scans and have attached the logs.

    Thanks again for all your help!
     


  4. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Ask Toolbar
    • ASPCA Reminder V7F+AU by We-Care.com
    • FreeApps
    • Java(TM) 6 Update 32
    • IObit Toolbar v5.8
    • Spybot - Search & Destroy
    • Viewpoint Media Player


    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit


    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded just a while ago is on your desktop. If it is not on the desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    Collect::[4]
    C:\Documents and Settings\Gary and Karen\Templates\435csv8p05683vcfc24634
    Driver::
    0209851346015566mcinstcleanup
    Viewpoint Manager Service
    FireFox::
    FF - ProfilePath - c:\documents and settings\Gary and Karen\Application Data\Mozilla\Firefox\Profiles\u7e7pzva.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2384137&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
    FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=113959&tt=010712_3&babsrc=KW_ss&mntrId=2877a396000000000000001111bd75ff&q=
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 63414
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    Folder::
    c:\program files\Viewpoint
    C:\WINDOWS\Installer\{403d803b-1285-0754-ecad-1168dafdf849}
    C:\Documents and Settings\Gary and Karen\Local Settings\Application Data\{403d803b-1285-0754-ecad-1168dafdf849}
    c:\documents and settings\Gary and Karen\Application Data\Otse
    c:\documents and settings\Gary and Karen\Application Data\Rufoy
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{274daec0-c4e8-4f30-9e5c-9424990769b9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C6ED4286-7F30-47DE-86D9-9E2D6500E486}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
    "Tabs"=-
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    __

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
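
The FireFox:: entries in the CFScript above, turned into a read-only check (an added example, not part of thisisu's post and not ComboFix code): it parses Firefox prefs.js text and reports the same kinds of settings the script resets, distinguishing a loopback proxy that is in use from one that is only a leftover value. The pref names and the port come from the script; the sample text, the placeholder URL and the category names are constructed.

```python
import re

# Pref names below are the ones listed in the FireFox:: section of the CFScript.
SEARCH_PREFS = {"browser.search.defaulturl", "browser.search.selectedEngine", "keyword.URL"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Parse prefs.js / user.js text into {name: str | int | bool}."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw) if re.fullmatch(r"-?\d+", raw) else raw
    return prefs

def audit(prefs):
    """Return (category, detail) findings that deserve a manual look."""
    findings = []
    host = prefs.get("network.proxy.http", "")
    if host in LOOPBACK:
        # network.proxy.type: 0 = direct connection, 1 = manual proxy in use
        state = "active" if prefs.get("network.proxy.type") == 1 else "inactive leftover"
        findings.append(("loopback-proxy", f"{host}:{prefs.get('network.proxy.http_port')} ({state})"))
    for name in sorted(SEARCH_PREFS.intersection(prefs)):
        findings.append(("search-override", f"{name} = {prefs[name]}"))
    for name in sorted(prefs):
        if name.startswith("security.warn_") and prefs[name] is False:
            findings.append(("warning-disabled", name))
    return findings

# Constructed sample, not taken from the poster's logs.
SAMPLE = '''# Mozilla User Preferences
user_pref("keyword.URL", "http://search.example.invalid/?q=");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 63414);
user_pref("network.proxy.type", 0);
user_pref("security.warn_submit_insecure", false);
'''

if __name__ == "__main__":
    print(*audit(parse_prefs(SAMPLE)), sep="\n")
```

A search-override finding only means the pref is set; whether the value is one the user chose still has to be checked by hand.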
     
  5. jeffandalyssa

    jeffandalyssa Private E-2

    I was able to uninstall everything but IObit Toolbar v5.8 where I get the message 'Error 1316: A network error occurred while attempting to read from C:\WINDOWS\Installer\iobitToolbar.msi'. I then tried to run ComboFix by dragging CFScript.txt on top of the ComboFix.exe icon which was still on my desktop. When I did this I got the message that combofix.exe could not be found and then the combofix.exe icon disappeared from my desktop. When I try to reinstall combofix I get the message 'combofix.exe could not be saved because an unknown error occurred. Try saving to a different location.' I tried to save combofix.exe to My Documents but my computer becomes unresponsive. I even tried to rename combofix.exe to combofx.exe but I get the same message.

    I did run C:\MGtools\GetLogs.bat and have attached the log. Any further help will be appreciated...thanks.
     


  6. thisisu

    thisisu Malware Consultant

    Reboot your computer.
    Once you have done this, the ComboFix icon should no longer appear.

    Then try redownloading a fresh copy of it and placing it on the desktop.

    Let me know if you run into further trouble.
     
  7. jeffandalyssa

    jeffandalyssa Private E-2

    I was still getting the error 'Combofix.exe could not be saved because an unknown error occurred. Try saving to a different location' when trying to download combofix. I was able to get into safe mode with networking using msconfig and then was able to run combofix through safe mode. I have attached this log along with the log from C:\MGtools\GetLogs.bat.

    I then noticed that I could download combofix to the desktop using Internet Explorer - I was using Firefox before. Please let me know if I should try running it again? Thank you.
     


  8. thisisu

    thisisu Malware Consultant

    This log is fine, but I think the problem may have been that you ran it from a different profile:

    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

    When you first attached your logs, you were logged into: Gary and Karen

    Now according to your latest MGlogs you are logged into Administrator.

    It's important to be logged into the correct profile that has issues when we are performing these steps.

    Please re-scan with MGtools while in Normal Mode and signed into the Gary and Karen user account.

    __


    Can you open a command prompt window (Start -> Run -> cmd -> ENTER)
    And type in the following command: net start srservice
    Then press ENTER
    Let me know exactly what message appears when you have done this.
     
    Last edited: Aug 27, 2012
  9. jeffandalyssa

    jeffandalyssa Private E-2

    Attached is a new log which I ran under Gary and Karen.

    When I typed net start srservice at a cmd prompt I got the message 'The service name is invalid. More help is available by typing NET HELPMSG 2185'.
     


  10. thisisu

    thisisu Malware Consultant

    Download this to the desktop of the computer that has the issue.
    • Then double-click it and allow it to merge into the Windows registry.
    • Let me know if the merge was successful or not.
    • If it wasn't successful, let me know exactly what error message you received.
    • If it was merged successfully, then reboot your computer and test to see if System Restore is now functioning.

    __

    Can you also test out Windows Update and let me know if that is functioning properly? Your logs suggest that was broken as well.
     
  11. jeffandalyssa

    jeffandalyssa Private E-2

    System restore now seems to be functioning...should I toggle it to get rid of any restore points? Also, Windows Update seems OK - I ran a scan and there were no high priority updates found.

    This computer was running McAfee SecurityCenter which still seems to be running, but the icon does not show up in the system tray upon start up like it used to. Should I re-install this program?

    Also, when I go into control panel and click on Windows Firewall, I get the message 'Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the SharedAccess service?' If I say yes, it tells me 'Windows cannot start the SharedAccess service.' Is this OK? It does say that McAfee firewall is currently running.

    Thanks again for all your help!
     
  12. thisisu

    thisisu Malware Consultant

    Not yet, we'll do that once we are all finished.

    Yes you can do this now.

    In this case, download the zipped file attached to this message.
    Extract its contents to the desktop of the computer with these issues and one at a time, try to merge each file into the Windows registry.
    Let me know if all were successful or not.


    Regardless if they were successful or not, reboot and run another scan of Farbar Service Scanner using all the options.
     


  13. jeffandalyssa

    jeffandalyssa Private E-2

    McAfee Security seems to be running OK now. The registries in the zip file you sent me were successfully merged. I was still getting the message 'Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the SharedAccess service?' when clicking on Windows Firewall in Control Panel. But after I re-booted I was able to successfully open Windows Firewall.

    I have attached the current log for Farbar Service Scanner.
     

  14. thisisu

    thisisu Malware Consultant

    Looks good ;)

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
