Google Redirection and Malware Detection Problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by makam78, Aug 16, 2011.

  1. makam78

    makam78 Private E-2

    I started having google redirection problems a couple of days back. I suspected that there was a malware attack and tried running CA virus scan and it said there was a problem with my scanner. I then tried running Malwarebytes Anti-Malware. It scanned for 5 seconds and then disappeared. I tried to restart the scan, but started getting the following message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access". I then tried running Spybot - Search and Destroy, but ended up getting the same message above.
    After doing some research online, I came across this forum. As instructed by chaslang, I first read the "READ & RUN ME FIRST. Malware Removal Guide" and downloaded the programs one by one. I tried running SUPERAntiSpyware Free Edition. I have the same issue. It starts scanning for a few seconds and then shuts down. The next time I try to run it, I get the "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access".
    I presume my computer is severely infected. I would really appreciate it if someone could help me with this.
     
  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks!

    Have you attempted to run SAS and the rest of the Read and Run Me First procedures through Safe Mode with Networking? Let me know if this also does not work for you.

     
  3. makam78

    makam78 Private E-2

    Hi thisisu,

    Thanks for your reply. I had already tried running SAS in Safe Mode earlier, but it gave me the same problem. It runs for about 15-20 seconds and it disappears. I managed to pause the scan just before it disappeared and captured the attached screen shot.

    Regards,
    Kishan
     

    Attached Files:

    • SC1.JPG (71.1 KB)
  4. thisisu

    thisisu Malware Consultant

    Do MBAM, ComboFix, MGtools all not function while in Safe Mode with Networking too?
     
  5. thisisu

    thisisu Malware Consultant

    If so, try the following as soon as you get into Safe Mode with Networking:

    Please download RKill by Grinler to your desktop.
    RKill is an easy to use tool that kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that anti-malware programs can do their job.

    RKill can be downloaded from the following locations. Please note that the other filenames below are RKill as well, just renamed in order to allow it to run when blocked by certain malware.
    Note: You only need to get one of them to run, not all of them.

    RKill.com Download Link
    RKill.exe Download Link
    RKill.scr Download Link
    eXplorer.exe Download Link - This renamed copy may trigger an alert from MBAM. It can be ignored and is safe.
    iExplore.exe Download Link
    WiNlOgOn.exe Download Link
    uSeRiNiT.exe Download Link

    Once you get one of them to work, IMMEDIATELY try to proceed with SAS, MBAM, ComboFix and MGtools and tell me if you still get rebooted while in the middle of a scan.
     
  6. makam78

    makam78 Private E-2

    I downloaded rkill and tried running SAS Portable version. I still got kicked out after a couple of minutes. I managed to capture a screenshot just before I got booted and have attached it for your reference. As for rest of the programs, I still get the error "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access" and cannot proceed.
     

    Attached Files:

    • SC4.jpg (96.1 KB)
  7. thisisu

    thisisu Malware Consultant

    Ok thank you for clearing this up for me :)
    We'll get this resolved don't worry ;)

    Do you have a C:\RKill.log?
    If so, please attach this in your next post
     
  8. makam78

    makam78 Private E-2

    Hi thisisu,

    Attached for your reference. Thanks again.
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    You have a globalroot infection as shown from your RKill.log:
    We typically deal with this infection a different way, but since the PC keeps rebooting on its own, we will have to resort to using some quicker, more direct scans to attempt to rectify your infection.

    Please download McAfee Fake Alert Stinger to your desktop.
    See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    Double-click stinger.exe to run (Vista and Win7 right-mouse click and select Run as Administrator)

    http://img585.imageshack.us/img585/3484/stingermain.png
    Stinger opens
    Note: Double-check that your C: drive is in the Directories to scan: area.

    http://img809.imageshack.us/img809/6539/stingerscannow.png
    Click the Scan Now button

    When the scan is complete, at the top of the Stinger window..
    go to File > Save report to file
    stinger.txt will be created on your desktop
    Attach stinger.txt to your next message. (How to attach items to your post)
     
  10. makam78

    makam78 Private E-2

    Just to clarify, my computer does not reboot by itself. It is just that the SAS window closes after scanning for a couple of minutes. I am still able to continue with normal operations on the computer like browsing. I will still run the mcAfee scan you recommended below and post the results in my next reply.
     
  11. thisisu

    thisisu Malware Consultant

    Ok, you will have to be a bit more specific on which programs close on you after scanning for a couple of minutes.

    So far you have mentioned that SAS and MBAM close. Answer the below for me and add any additional information you think may be important.

    • If you reboot your PC and the first thing you run is ComboFix.exe, does that run at all? Does it close on its own?
    • If you reboot your PC and the first thing you run is MGtools.exe, does that run at all? Does it close on its own?
     
  12. makam78

    makam78 Private E-2

    Hi thisisu,

    Combofix and MBAM do not even start and give me this error: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access" . I started running MGTools. After a certain point of time, I get the attached message and it seems to be stuck in " Checking Routes" for a long time. Is it a concern?
     

    Attached Files:

    • SC5.JPG (74.7 KB)
  13. thisisu

    thisisu Malware Consultant

    What happens when you press the OK button to the nslookup.exe - the ordinal 1108 could not be located in the dynamic link library WSOCK32.dll. box from that picture?

    Be specific
     
  14. makam78

    makam78 Private E-2

    It proceeds to the next step, "Checking Routes". It has been stuck there for almost 3 hours. There have been no messages since then.
     
  15. thisisu

    thisisu Malware Consultant

    Ok. Skip trying to run MGtools for now.
    Any luck with obtaining a log from McAfee Fake Alert Stinger?
     
  16. makam78

    makam78 Private E-2

    Same problem with McAfee Fake Alert Stinger. I get the message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access" . I even tried running it in Safe Mode as well as after running RKILL. Still same message. Am I doomed? :cry
     
  17. thisisu

    thisisu Malware Consultant

    Can you tell me if you have a C:\MGlogs.zip file? Please attach this file if you do.

    Also, try the below:

    Now download exeHelper by Raktor.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message. (How to attach items to your post)
      Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)
     
    Last edited: Aug 21, 2011
  18. makam78

    makam78 Private E-2

    I have attached all the relevant logs. For exeHelper.com, there was no file called log.txt. Instead, something called exeHelperlog.txt. I have attached that instead. Hope this helps.
     

    Attached Files:

  19. thisisu

    thisisu Malware Consultant

    Yes this helps quite a bit. And it looks like TDSSKiller removed a ZeroAccess Rootkit which may allow you to perform some additional scans without closing. Continue with the below

    From Add/Remove Programs (via Control Panel), please uninstall the below:

    • J2SE Runtime Environment 5.0

    Please follow the below instructions very carefully!
    Let me know if you are unsure about anything!!

    Now we need to go into the Registry Editor to remove one bad data value.
    1) Click Start > run > regedit
    ** Remember to use extreme caution while in here **
    2) Now click File > Export...
    3) Save this as regbackup.reg
    4) Save it to your desktop. (This is in-case something goes wrong!)

    Now we need to navigate to the below location (you can navigate by "collapsing" a folder by clicking the [+] symbol to the left of the folder-looking icon).
    In the right-hand pane, please find and locate "netsvcs" like the picture here: http://img11.imageshack.us/img11/706/netsvcs.png
    Double-click netsvcs to open this value.

    Now where it says Value Data:
    First find the below entry that is in the code-box below, when you see it, Delete this and only this!:
    Code:
    ewjgtjve
    Once you have completed this step. Click OK and then exit the Registry Editor by clicking the [X] in the top-right corner.

    Please download OTL by Old Timer to your desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double-click OTL.exe again to run (Vista and Win7 right click and select Run as Administrator)
    • When OTL opens, copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      :processes
      killallprocesses
      :services
      1550
      :files
      ipconfig /flushdns /c
      C:\Documents and Settings\mkpchandra\aawssa.exe
      C:\Documents and Settings\mkpchandra\awa.exe
      C:\Documents and Settings\mkpchandra\awsa.exe
      C:\Documents and Settings\mkpchandra\qrhweq.exe
      C:\Documents and Settings\mkpchandra\s8j7z14o1.exe
      C:\Documents and Settings\mkpchandra\u4y5a19j3.exe
      C:\32788R22FWJFW
      C:\Documents and Settings\mkpchandra\Desktop\Combofix.exe
      C:\WINDOWS\system32\mkghj.dll
      C:\WINDOWS\system32\drivers\1550
      C:\WINDOWS\Tasks\Hdftmgqbea.job
      C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
      C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
      C:\Recycle.Bin\Recycle.Bin.exe
      :reg
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      "4E3E0230AEBB4E96"=-
      :commands
      [purity]
      [createrestorepoint]
      [emptytemp]
      [emptyflash]
      
    • Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • A report will open.
    • A log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    If you have gotten this far, I would like you to retry to get me MBAM, SAS, and ComboFix logs. You will have to re-download ComboFix.

    Then, I want you to do the following:

    1. Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
    2. When OTL opens, change the Output (at the top-right portion of the program) to Minimal Output.
    3. Put check-marks in LOP Check and Purity Check.
    4. Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.

    When the scan is complete, a log entitled OTL.txt will be created on your desktop.
    Attach this log to your next message. (How to attach items to your post)
     
    Last edited: Aug 22, 2011
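The registry step above removes one random-named entry from the REG_MULTI_SZ "netsvcs" value. The reason that matters: svchost.exe -k netsvcs loads every service named in that list, so an appended name like ewjgtjve gets a malicious ServiceDll loaded inside an otherwise legitimate svchost process, which is why the name has to come out rather than just the service key. The following is an added example, not code from the thread or from any of the tools it uses: it reads the value back out of the regbackup.reg export the instructions have you take first, decodes regedit's hex(7) encoding, removes the bad entry, and emits a minimal .reg file that rewrites only that value. The key path is the real SvcHost key; the service list is a constructed, shortened sample and the XP default contains many more names.

```python
# Added example (not from the thread): clean one bad entry out of the
# REG_MULTI_SZ "netsvcs" value using the regedit export taken as a backup.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
VALUE = "netsvcs"
BAD_ENTRY = "ewjgtjve"
# Constructed, shortened service list; the real XP default has many more names.
SAMPLE_ENTRIES = ["AppMgmt", "AudioSrv", "Browser", BAD_ENTRY, "EventSystem"]

def encode_multi_sz(entries):
    """REG_MULTI_SZ as regedit writes it: UTF-16LE, a NUL after each string,
    an extra NUL at the end, rendered as comma-separated hex bytes."""
    data = b"".join(e.encode("utf-16-le") + b"\x00\x00" for e in entries) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)

def reg_value_line(name, entries, width=78):
    """Wrap the value the way regedit does: break on a comma, trailing
    backslash, two-space indent on continuation lines."""
    tokens = f'"{name}"={encode_multi_sz(entries)}'.split(",")
    lines, cur = [], tokens[0]
    for tok in tokens[1:]:
        if len(cur) + 1 + len(tok) + 2 > width:   # leave room for ",\"
            lines.append(cur + ",\\")
            cur = "  " + tok
        else:
            cur = cur + "," + tok
    lines.append(cur)
    return "\n".join(lines)

def find_value(reg_text, key, name):
    """Return the raw data text (everything after '=') for `name` under
    `key`, with regedit's continuation lines joined back together."""
    lines = reg_text.splitlines()
    in_key, i = False, 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("["):
            in_key = line.strip() == f"[{key}]"
        elif in_key and line.startswith(f'"{name}"='):
            data = line.split("=", 1)[1]
            while data.endswith("\\"):
                i += 1
                data = data[:-1] + lines[i].strip()
            return data
        i += 1
    return None

def decode_multi_sz(data):
    """hex(7) text -> list of strings; empty trailing strings are dropped."""
    if data is None or not data.startswith("hex(7):"):
        raise ValueError("value is missing or not a REG_MULTI_SZ (hex(7))")
    raw = bytes(int(h, 16) for h in data[len("hex(7):"):].split(",") if h)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def clean_netsvcs(reg_text, bad=BAD_ENTRY):
    """Return (entries_before, entries_after, reg_snippet). The snippet is a
    minimal .reg file that rewrites only the netsvcs value."""
    before = decode_multi_sz(find_value(reg_text, KEY, VALUE))
    if bad not in before:
        raise ValueError(f"{bad!r} is not in netsvcs; nothing to remove")
    after = [e for e in before if e != bad]
    snippet = ("Windows Registry Editor Version 5.00\n\n"
               f"[{KEY}]\n{reg_value_line(VALUE, after)}\n")
    return before, after, snippet

def sample_export():
    """A constructed regbackup.reg fragment carrying the infected value."""
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{KEY}]\n{reg_value_line(VALUE, SAMPLE_ENTRIES)}\n")

if __name__ == "__main__":
    # A real regedit 5.00 export is UTF-16 with a BOM: open(path, encoding="utf-16")
    before, after, snippet = clean_netsvcs(sample_export())
    print("before:", before)
    print("after: ", after)
    print(snippet)
```

Run it against the real regbackup.reg (opened with encoding="utf-16") and compare the "before" list with the "after" list before importing the snippet; if the bad name is absent the function refuses rather than silently writing the value back, which is the check you want before touching the registry.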
  20. makam78

    makam78 Private E-2

    After running OTL and rebooting, a strange thing is happening. I am unable to browse the internet. I am currently running SAS and will update you with the results in some time.
     
  21. makam78

    makam78 Private E-2

    As mentioned in my previous post, after running OTL, my internet stopped working. I then ran SAS Portable version and it found a few threats which I fixed. Unfortunately, I forgot to save that log. I tried running SAS again and this time, it did not detect any threats. I was able to save this log. As for MBAM, I still get the error "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access". I ran OTL a second time and have attached the logs for your reference. My internet on the affected laptop is still not working (it says there is full signal strength in my wifi, but when I open Firefox/IE, I cannot load any website). Please help!
     

    Attached Files:

  22. thisisu

    thisisu Malware Consultant

    Let's see if the following can repair your connection:

    Open SAS,
    Click the Repairs button
    Place a check-mark in: Repair broken Network Connection (Winsock LSP Chain) like the picture below
    http://img199.imageshack.us/img199/2870/repairlsp.png
    Now click the Repair Selected Item button.
    You should be required to reboot in order for the changes to take effect. If SAS doesn't prompt you to, reboot anyway.

    Does your internet work now?

    Afterwards, I want you to reopen OTL.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
    • When OTL opens, copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      :processes
      killallprocesses 
      :otl
      O2 - BHO: () - {A403C358-96E5-416F-958B-413006165C7B} -  File not found
      O4 - HKLM..\Run: [capfupgrade]  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000002 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000003 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000004 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000005 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000006 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000008 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000009 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000010 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000011 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000012 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000013 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000014 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000015 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000016 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000017 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000018 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000019 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000020 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000021 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000022 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000023 -  File not found
      :reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
      ""=""%1" %*"
      :commands
      [purity]
      [createrestorepoint]
      
    • Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • A report will open.
    • A log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.
     
  23. makam78

    makam78 Private E-2

    I tried fixing the internet connection through SAS. It still does not work.
     
  24. thisisu

    thisisu Malware Consultant

    Proceed with the rest of the instructions.
     
  25. makam78

    makam78 Private E-2

    In OTL, after running the fix, the screen says "Processing Complete" and just hangs there. I tried ending the program via task manager. It terminated, but the screen is blank now (cannot see anything on desktop). Should I just reboot and see if the new log has been created?
     
  26. thisisu

    thisisu Malware Consultant

    Can you bring up the task manager again? (Ctrl+Alt+Del)

    If so, go to File > New Task (Run)
    In the Open text box, type in: explorer.exe
    press ENTER

    Can you see your desktop now?
    If so, attach the logs requested.
     
  27. makam78

    makam78 Private E-2

    I have attached the logs for your reference.
     

    Attached Files:

  28. thisisu

    thisisu Malware Consultant

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double-click MessengerDisable.exe
    • Place a check-mark in Uninstall Windows Messenger
    • Click Apply
    • Click Exit

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Note: This is actually Trend Micro HiJackThis - v2.0.4
    Choose Do a system scan only and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:
    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
    • When OTL opens, copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      :otl
      :processes
      killallprocesses 
      :services
      63885403
      :files
      C:\Documents and Settings\mkpchandra\Local Settings\Application Data\A403C358-96E5-416F-958B-413006165C7B.txt
      C:\Documents and Settings\mkpchandra\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150000}
      C:\WINDOWS\rnapxs
      C:\WINDOWS\system32\drivers\63885403.sys
      echo,Y|cacls "%windir%\system32\drivers\etc\hosts" /G everyone:f /c 
      ipconfig /flushdns /c 
      :reg 
      :commands
      [purity]
      [createrestorepoint]
      [resethosts]
      
    • Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • A report will open.
    • A log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)


    Note: Get the rest of these files from another computer if your Internet connection still doesn't work, and then transfer them to your infected computer via Flash drive or CD.

    Now I would like you to download and run ComboFix.exe
    • Save ComboFix.exe to your desktop.
    • Double-click to run.
    • Follow the prompts.
    • Attach C:\ComboFix.txt when it is finished.

    Now I want you you to delete the C:\MGtools folder and MGlogs.zip

    Now I want you to download the newest version of MGtools which will help identify any leftovers of your globalroot infection.
    • Save MGtools.exe to the root of C:\ as you did before.
    • Now double-click MGtools.exe to run
    • Attach MGlogs.zip when it has completed.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
    Last edited: Aug 24, 2011
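The OTL script above grants Everyone full control of the hosts file with cacls and then runs [resethosts]; that pairing exists because a redirector commonly both rewrites the hosts file (which is one way a "Google redirection" is produced) and locks it so that tools cannot replace it. The following is an added example, not code from the thread or from OTL, that audits a hosts file before you reset it, so you can see what was done and whether security-vendor sites were black-holed to stop tools from downloading or updating. The sample hosts content is constructed; the path constant is the standard XP location; the policy (anything other than localhost on a loopback address is reported) is an assumption that fits a home PC, so intranet entries an administrator added deliberately will also appear in the list and must be reviewed, not deleted blindly.

```python
import ipaddress

HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"   # standard XP location

# Constructed sample (not the thread's hosts file): Microsoft's stock header,
# the one legitimate localhost entry, plus the kinds of lines a redirector adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.25    www.google.com
203.0.113.25    google.com      # hijack: search engine sent to attacker IP
127.0.0.1       www.malwarebytes.org
0.0.0.0         www.superantispyware.com
::1             localhost
"""

DEFAULT_HOSTS = "127.0.0.1       localhost\n"   # what a reset writes back

# Substrings of vendor/update sites that malware black-holes to keep tools
# from downloading or updating (assumed list, extend as needed).
VENDOR_HINTS = ("malwarebytes", "superantispyware", "kaspersky", "mcafee",
                "microsoft", "windowsupdate")

def parse_hosts(text):
    """Yield (line_no, address, [names]) for each active mapping,
    ignoring blank lines and '#' comments (inline ones too)."""
    for n, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].split()
        if len(body) >= 2:
            yield n, body[0], body[1:]

def audit_hosts(text):
    """Return [(line_no, reason)] for every mapping other than
    localhost -> loopback. Assumed policy: a home PC's hosts file should
    contain nothing else, so legitimate admin entries will also show up."""
    findings = []
    for n, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, f"unparseable address {ip!r}"))
            continue
        for name in names:
            lname = name.lower()
            if lname == "localhost":
                if not addr.is_loopback:
                    findings.append((n, f"localhost points to {ip}"))
            elif addr.is_loopback or addr.is_unspecified:
                why = "black-holed to " + ip
                if any(h in lname for h in VENDOR_HINTS):
                    why += " (blocks a security vendor site)"
                findings.append((n, f"{name} {why}"))
            else:
                findings.append((n, f"{name} redirected to {ip}"))
    return findings

def is_clean(text):
    """True when the file carries only localhost -> loopback mappings."""
    return not audit_hosts(text)

if __name__ == "__main__":
    for n, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {reason}")
    # On the real machine: audit_hosts(open(HOSTS_PATH).read())
```

After the reset, is_clean() on the real file should return True. The cacls line in the OTL script leaves Everyone with full control of the hosts file; that is what gets past a locked file, but once the cleanup is done the permissions should be put back to what the rest of system32\drivers\etc carries.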
  29. makam78

    makam78 Private E-2

    I have CA anti virus installed on my computer. When I try to run combofix, it says that it cannot run when CA is installed and it is dangerous to continue. It is asking me to uninstall CA and use some other program. What do I do?
     
  30. thisisu

    thisisu Malware Consultant

    Try disabling it.

    Let me know if you still get a warning after doing this.
     
  31. makam78

    makam78 Private E-2

    I still get the error message. Screenshot attached.
     

    Attached Files:

    • SC7.JPG (20.1 KB)
  32. thisisu

    thisisu Malware Consultant

    Ok, skip running ComboFix. Continue with the rest of the instructions.
     
  33. makam78

    makam78 Private E-2

    I have attached relevant logs. Still cannot access the internet. So, cannot say how the computer is running.
     

    Attached Files:

  34. thisisu

    thisisu Malware Consultant

    Please do the following:
    Start > run > devmgmt.msc > press ENTER
    The device manager should appear.
    At the top of the Device Manager window, click View > Show hidden devices
    Now take a screenshot of the Device Manager window and attach it to your next message.

    Then proceed with the below:

    We need to make use of OTL by Old Timer
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
    • When OTL opens, copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      :otl
      :processes
      killallprocesses 
      :services
      WinDefend
      :files
      C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
      C:\Documents and Settings\mkpchandra\Local Settings\Temp\BTN%Copy%1
      :reg 
      :commands
      [purity]
      [createrestorepoint]
      [resethosts]
      
    • Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • A report will open.
    • A log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log (How to attach items to your post)
    C:\win32kdiag.exe -f -r


    Now we need to scan the system with this special tool.
    • Please download Junction.zip and save it to your root folder (C:\Junction.zip)
    • Unzip it and put junction.exe in the root folder (C:\junction.exe)
    • Now click Start => Run... => Copy and paste the following command in the run box and click OK:
      cmd /c junction -s c:\ >C:\log.txt
    • A command prompt window opens and also a license agreement from SysInternals will appear.
    • Accept the license agreement and the scan will begin.
    • Wait until a log file opens. Attach this C:\log.txt when it finishes (the command prompt window will close when it finishes). (How to attach items to your post)
    • NOTE: It scans your whole hard disk so it can take a long time. Be patient and don't do anything else while it is scanning.


    There is a newer version of TDSSKiller out so I need you to follow the directions here again:

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)

    Now we need to get a new OTL log
    1. Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
    2. When OTL opens, change the Output (at the top-right portion of the program) to Minimal Output.
    3. Put check-marks in LOP Check and Purity Check.
    4. Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.

    When the scan is complete, a log entitled OTL.txt will be created on your desktop.
    Attach this log to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.
     
  35. makam78

    makam78 Private E-2

    I have attached a screenshot of device manager and the OTL log. Also, when I tried Win32kDiag, I encountered the error attached.
     

    Attached Files:

  36. thisisu

    thisisu Malware Consultant

    Ok, go ahead and try to proceed with the rest of the instructions while I work up another fix for you to get your Internet restored.
     
  37. thisisu

    thisisu Malware Consultant

    Note: The below drivers are for makam78's laptop only! Do not use if you are not makam78!

    This is the Wireless Ethernet driver for your laptop, makam78: Mini PCI Intel Pro/Wireless 2200BG 802.11B/G WLAN card - Designed to work on both 802.11b and 802.11g wireless networks (ROW) - Please download and install this and tell me if your internet connection is working again.

    If your Onboard LAN isn't working either (your wired connection), then download and install this one as well: REALTEK RTL8139/810x NIC Driver

    These are the setup files. Double-click them to run, follow the prompts.
    Do note that since there are still signs of infection on the laptop, these drivers may not work until all traces of the infection are gone.

    When you post back with the rest of the logs, I'll give you another fix to perform.
     
  38. makam78

    makam78 Private E-2

    Sorry for the late reply. I installed the drivers, but the internet still does not work. I then ran junction and have attached the log. When I tried running tdsskiller.exe, it opens a cmd window and closes immediately. So, I opened up a cmd window and tried to run it manually. It gave me the error saying "program too big to fit in memory". So, I went ahead and ran OTL again followed by MGtools. I have attached the logs for your reference. Is my laptop heavily infected?
     

    Attached Files:

    Last edited: Aug 27, 2011
  39. thisisu

    thisisu Malware Consultant

    Unfortunately, yes. We're actually making progress. Junction log revealed a new part of the globalroot infection and your latest OTL log revealed some more files.
    • Do you have the installation CD/software to reinstall CA Antivirus?
    • If so, would you be willing to uninstall CA temporarily so that we can make use of ComboFix? It may reveal some more information that OTL and MGtools may be missing.
      I don't want you to uninstall it and run ComboFix just yet. Just wondering if you would be willing to uninstall CA first.

    IF CERTAIN STEPS HERE DO NOT WORK, CONTINUE WITH THE NEXT STEP.

    We need to make use of OTL by Old Timer
    Note: You will notice that I have included tdsskiller.exe to be deleted. The way this infection works is so that you can only run certain tools once before they are blocked from being run again. I'm deleting it so you can download a new tdsskiller.exe and attempt to run that. It should be successful this time around.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
    • When OTL opens, copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      :otl
      O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      [2011/08/27 09:56:00 | 001,406,768 | ---- | M] () -- C:\Documents and Settings\mkpchandra\Desktop\tdsskiller.exe
      [2004/08/04 13:30:00 | 000,179,968 | ---- | C] () -- C:\WINDOWS\System32\vxjcsgan.dat
      [2004/08/04 13:30:00 | 000,136,448 | ---- | C] () -- C:\WINDOWS\System32\asdsaskn.dat
      :services 
      :files
      net user mkpchandra /c
      net user mpkiran /c
      net user Administrator.PC280282771323 /c
      ipconfig /all /c
      dir C:\WINDOWS\system32\DRIVERS\ipsec.sys /c
      dir C:\WINDOWS\system32\DRIVERS\tcpip.sys /c
      dir C:\WINDOWS\system32\DRIVERS\ipnat.sys /c
      dir C:\WINDOWS\system32\DRIVERS\1550 /c
      C:\WINDOWS\$NtUninstallKB3255$
      C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
      C:\Documents and Settings\mkpchandra\Desktop\tdsskiller.exe
      C:\Documents and Settings\mkpchandra\Local Settings\Temp\pft1F.tmp
      C:\Documents and Settings\mkpchandra\Local Settings\Temp\pft2C.tmp
      C:\Documents and Settings\mkpchandra\Local Settings\Temp\plf1D.tmp
      C:\Documents and Settings\mkpchandra\Local Settings\Temp\plf2A.tmp
      :reg 
      :commands
      [purity]
      [createrestorepoint]
      [emptytemp]
      [emptyflash]
      
    • Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • A report will open.
    • A log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Now we need to run TDSSKiller by Kaspersky. Remember, you will need to download a new copy of this!
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)

    Could you please get these files: wuauclt.exe and wuauclt.exe.vet into a zipped file and attach it for me in your next post? To do this, see below:

    Start > Run
    This opens the Run dialog box for Windows XP
    Now paste in the following:
    Press ENTER
    log retrievable @ C:\collect.zip
    Attach collect.zip to your next message. (How to attach items to your post)

    Please go to virustotal and upload the following files for analysis, and let me know the results.

    • C:\WINDOWS\system32\wuauclt.exe
    • C:\WINDOWS\system32\wuauclt.exe.vet

    Now we need to get a new OTL log
    1. Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
    2. When OTL opens, change the Output (at the top-right portion of the program) to Minimal Output.
    3. Put check-marks in LOP Check and Purity Check.
    4. Now click the Run Scan button (http://img171.imageshack.us/img171/2405/runscanotl.png).

    When the scan is complete, a log entitled OTL.txt will be created on your desktop.
    Attach this log to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.
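    As an added example (not part of this thread, and not OTL's or the helper's code), a small Python parser for OTL's file-entry format that groups entries by timestamp and flags the pattern the two System32 .dat lines in the fix above exhibit: an empty company field, an eight-lowercase-letter name, and a creation time shared to the second with another such file. The sample lines and the heuristic thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in OTL's file-listing format; the two .dat entries mirror
# the shape of the lines in the fix above, the others are ordinary-looking entries.
SAMPLE_OTL_LINES = """\
[2011/08/27 09:56:00 | 001,406,768 | ---- | M] () -- C:\\Documents and Settings\\user\\Desktop\\tdsskiller.exe
[2004/08/04 13:30:00 | 000,179,968 | ---- | C] () -- C:\\WINDOWS\\System32\\vxjcsgan.dat
[2004/08/04 13:30:00 | 000,136,448 | ---- | C] () -- C:\\WINDOWS\\System32\\asdsaskn.dat
[2004/08/04 13:30:00 | 000,059,904 | ---- | C] (Microsoft Corporation) -- C:\\WINDOWS\\System32\\drivers\\tcpip.sys
""".splitlines()

# One OTL entry: [timestamp | size | attributes | C=created/M=modified] (company) -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>\S+) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# Heuristic name shape (assumption): eight lowercase letters with a .dat extension.
RANDOM_DAT = re.compile(r"^[a-z]{8}\.dat$")


def parse_otl_line(line):
    """Return a dict for one OTL file entry, or None if the line is not one."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"].replace(",", ""))
    rec["name"] = rec["path"].rsplit("\\", 1)[-1]
    return rec


def suspicious_system32_dats(lines):
    """Triage heuristic: .dat files directly in System32 with an empty company
    field and a random-looking name that share a timestamp (to the second)
    with at least one other such file. Returns the flagged paths, sorted."""
    by_ts = defaultdict(list)
    for line in lines:
        rec = parse_otl_line(line)
        if rec is None:
            continue
        low = rec["path"].lower()
        in_system32 = "\\system32\\" in low and "\\drivers\\" not in low
        if in_system32 and rec["company"] == "" and RANDOM_DAT.match(rec["name"].lower()):
            by_ts[rec["ts"]].append(rec["path"])
    return sorted(p for paths in by_ts.values() if len(paths) >= 2 for p in paths)
```

Run against a real OTL.txt, the flagged list is a starting point for review, not a verdict: legitimate files can share a timestamp, so each hit still needs the usual checks (publisher, hash lookup, loader references).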
     
  40. makam78

    makam78 Private E-2

    I do not have the installation CD for CA. However, let me see if I can extract it and then try installing it again. I was able to complete all the scans you mentioned in your previous reply and have attached most of the logs. I also printed the results of the virustotal scan (which I think did not reveal any infections) and have included them as part of collect.zip
     


  41. makam78

    makam78 Private E-2

    I found the installer. However, I would need the internet to be working in order to proceed which is currently not the case. Also, just to let you know, the internet connection says strength is excellent, but when I try to browse, I get the error Problem loading page.
     
  42. thisisu

    thisisu Malware Consultant

    Please attach the log from running the OTL fix: 08262011_XXXXXX.log (where XXXXXX is the latest time).

    Please download WinSock XP Fix by Fabio Pinto to your desktop.
    See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    • Double-click WinsockxpFix.exe to run.
    http://img233.imageshack.us/img233/2876/winsockxp.png
    • Click the Fix button.
      Note: You will hear a long beep -- This is normal.
    • Reboot your PC
    • Let me know if internet connection works.

    Please download SystemLook by jpshortstuff to your desktop.
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :dir /s
      C:\WINDOWS\OPTIONS
      C:\Documents and Settings\All Users\Application Data\WSTB
      :filefind
      bde30d~1.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (How to attach items to your post)
      Note: The log can be found on your desktop, entitled SystemLook.txt
     
    Last edited: Aug 28, 2011
  43. thisisu

    thisisu Malware Consultant

    ComboFix was just updated to handle this infection.

    If the WinSock XP Fix is able to restore your Internet connection, I would highly recommend uninstalling CA, downloading the latest ComboFix, running it on your infected machine and posting the ComboFix.txt for analysis. Then you will have the option of reinstalling CA after this infection has been completely removed.

    Skip gathering the VirusTotal results for now. -- In fact, I will edit my post to remove these as I would prefer if you got these results from an already infected computer with an active internet connection.

    We're going to continue working on getting your internet connection restored if WinSock XP Fix wasn't able to achieve this.
     
  44. makam78

    makam78 Private E-2

    The WinSock XP Fix did not work unfortunately. I skipped the virustotal part and have attached the rest of the logs for your reference.
     


  45. thisisu

    thisisu Malware Consultant

    I still need the latest OTL fix log:

     
  46. makam78

    makam78 Private E-2

    Sorry... It is not letting me attach it, as it says I have already done it in the past. Please refer to the screenshot. Also, I remembered that the internet sort of stopped working after we did the registry update and ran OTL. Do you think that might have caused the issue with the internet?
     


  47. thisisu

    thisisu Malware Consultant

    That is because the log was already posted here: http://forums.majorgeeks.com/showpost.php?p=1659155&postcount=35
    There should be a newer one. We'll get back to this. Can you try the following:

    From Device Manager, under Network Adapters, can you screenshot what is listed here and then post the attachment.

    It's possible.
     
  48. makam78

    makam78 Private E-2

    I have uploaded the screenshot. Also, I have attached the latest log of OTL as far as I can see in terms of time generated.
     


  49. thisisu

    thisisu Malware Consultant

    Ok, that was the log I was looking for ;)

    I'd like you to try the following:

    While in the Device Manager, with Network Adapters displayed:
    Right-click the Intel(R) Pro Wireless 2200BG Network Connection and select Uninstall.
    If you get a "Warning: You are about to uninstall this device from your system." message, click OK.
    If you are asked to delete the driver software associated with this device as well (this will be a checkbox), first try to complete this task WITHOUT removing the actual drivers, and then click the Scan for hardware changes button:
    http://www.olympus.co.jp/en/support/imsg/digicamera/qa/contents/03b/image/di100003_09.gif

    You have the driver setup files on hand, so you can always reinstall these if your system doesn't automatically pick up the drivers and reinstall them on its own.
    You can use the drivers we used earlier: try reloading them using the setup file I gave you here: http://forums.majorgeeks.com/showpost.php?p=1659179&postcount=37
    Direct download
    You can either run this sp33636.exe again or point Device Manager to the location where it extracted these files.
     
  50. makam78

    makam78 Private E-2

    I tried uninstalling the device without deleting the drivers. I still have the same issue... cannot browse the internet (tried both wireless as well as wired). As I mentioned in one of my previous messages, I see in the bottom right-hand corner of the desktop that the status of the connection is good. However, when I try to open a browser window (Firefox), I get the message "Server not found".
     
    Last edited: Aug 29, 2011
