ComboFix aftershock - no Internet

Did you download and save MGtools.exe at the point requested? If so, please run it and attach the C:\MGlogs.zip which will give us a little more info that we need.


ComboFix deleted the below files:
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\drivers\snetcfg.exe
c:\windows\system32\ndisapi.dll

All of which have been associated with malware.
http://www.bleepingcomputer.com/startups/ndisrd.sys-25024.html
http://www.prevx.com/filenames/116418579896185226-X1/SNETCFG.EXE.html
http://www.greatis.com/appdata/d/SysDir/n/ndisapi.dll.htm

So it would be interesting to get copies of these files to see if they were really valid. The copies will be in your C:\QooBox folder which is where ComboFix quarantines everything. You should see the below folder:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers

and in this folder you should see the below files
ndisrd.sys.vir
snetcfg.exe.vir
ndisapi.dll.vir

which is just the original files renamed to have a .vir extension. Put them into a ZIP file and attach them here. Also copy them back to your C:\Windows\system32\drivers folder and then rename them to remove the .vir extension that was added.

We also need to restore 2 driver registry entries related to the files that was removed. The below 2 drivers were removed:
-------\Service_Ndisrd
-------\Service_NdisrdMP

I need the MGlogs.zip file from MGtools to help me determine how you can restore these entries.

 

Sorry about that. It is in the below folder:

C:\Qoobox\Quarantine\C\WINDOWS\system32


Did you restore the other the files to their proper locations and without the extra .vir extension?

 

Looks like false detections based on those two files you Zipped. Please also put the below 3 files into a ZIP file and attach it.

Code:

"C:\Qoobox\Quarantine\Registry_backups\"
servic~1.dat  Feb  2 2010        3114  "Service_Ndisrd.reg.dat"
servic~2.dat  Feb  2 2010        1324  "Service_NdisrdMP.reg.dat"

"C:\Qoobox\Quarantine\C\Windows\System32\"
ndisap~1.vir  May 14 2009       61440  "ndisapi.dll.vir"

 

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work so don't continue with the below.

If the above registry patch was successful and you are sure you restore the 3 files and removed the .vir extension, then reboot your PC and see how things are working afterwards.

 

The only things left to try are a system restore to before the point of running the cleaning process and if that does not work, you may need to reinstall the drivers. It may be necessary to first delete the devices from Device Manager and then reboot. During the reboot the notification of new hardware should be seen and during this time you can reinstall the drivers.

 

You're welcome.

It was previously deleted by the cleaning procedure. See the log from SUPERAntiSpyware which is why it cannot really be uninstalled. It has been forcefully deleted. The below should remove the entry you see.


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!