can not connect to internet after malware removal

You may not have removed all the malware. Please follow these instructions:

READ & RUN ME FIRST. Malware Removal Guide

 

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

Driver::
qttuwjmt
tbisu

File::
c:\windows\system32\drivers\dkqhdyc.sys
c:\windows\system32\drivers\jmkl.sys
C:\Documents and Settings\user\Application Data\7b5ba836
C:\Documents and Settings\user\Templates\gh5ce1p7661ra3rw3pxjmu207810366086ds8

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Note: If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

Your network log indicates this:

Code:

   AFD Networking Support Environment -AFD- is NOT running  
   Dynamic Host Control Protocol -DHCP- is NOT running

I want you to go here and see if you can either download the FIXIT tool to run on your system or do the manual repairs indicated:
How to determine and to recover from Winsock2 corruption in Windows Server 2003, in Windows XP, and in Windows Vista

Download OTL to your desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Attach both of these logs into your next reply. As well as the Log from ComboFix.

 

Those logs are clean. Were you able to do the winsocks fix?

 

Double-click OTL.exe to start the program.

• Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

Code:

:processes
:otl
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [URL="http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab"]http://java.sun.com/update/1.6.0/jin...ndows-i586.cab[/URL] (Java Plug-in 1.6.0_23)
c:\documents and settings\user\Local Settings\Application Data\BIT2B.tmp

:files
[2011/11/01 16:15:31 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\xtsmfi.sys
[2011/05/16 11:35:21 | 000,001,464 | -HS- | C] () -- C:\Documents and  Settings\user\Local Settings\Application  Data\gh5ce1p7661ra3rw3pxjmu207810366086ds8
[2011/05/16 11:35:21 | 000,001,464 | -HS- | C] () -- C:\Documents and  Settings\All Users\Application  Data\gh5ce1p7661ra3rw3pxjmu207810366086ds8
[2011/11/03 06:41:02 | 000,001,616 | ---- | C] () -- C:\Documents and Settings\user\Desktop\System Restore.lnk
[1 C:\Documents and Settings\user\Local Settings\Application Data\*.tmp  files -> C:\Documents and Settings\user\Local Settings\Application  Data\*.tmp -> ]
[2011/10/30 09:49:38 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\user\Application Data\7b5ba836
:commands
[PURITY]
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]

• Then click the Run Fix button at the top.
• Click the OK button.
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. Just close notepad and attach this log form OTL to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Now re-run OTL and attach a new log.

 

Go to device manager, while I look over the logs, click on View and click on show hidden devices. Expand Non-Plug and play drivers and right click on Ancilliary Function Driver for winsock. Click properties and under the driver tag, make sure it is started.

Then go to run / services.msc and make sure the DHCP service is started. Let me know what you find. You may need to reboot.

 

Although I am not seeing them, let's run OTL one more time:

Double-click OTL.exe to start the program.

• Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

Code:

:processes
:otl
:files
C:\Documents and Settings\user\Application Data\7b5ba836
C:\Documents and Settings\user\Desktop\System Restore.lnk
C:\Documents and  Settings\All Users\Application  Data\gh5ce1p7661ra3rw3pxjmu207810366086ds8
C:\Documents and  Settings\user\Local Settings\Application  Data\gh5ce1p7661ra3rw3pxjmu207810366086ds8
C:\WINDOWS\System32\drivers\xtsmfi.sys
:commands
[PURITY]
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]

• Then click the Run Fix button at the top.
• Click the OK button.
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. Just close notepad and attach this log form OTL to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Tell me how things are running.

 

Did you first try to start the AFD service in device manager?

 

Did you open device manager and click on View? Then click on Show Hidden devices. Under Non-plug and play the first one should be:Ancilliary Function Driver for winsock. Click properties and under the driver tag, make sure it is started.

Then go to run / services.msc and make sure the DHCP service is started. Let me know what you find. You may need to reboot.

 

That isn't good. Let me confer with my colleagues.

 

Do you have your installation CD? Can your run sfc /scannow?

 

System File checker. I will have to get back to you regarding the missing device.

 

Crap. Please download the latest version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one. Run the exe and attach the new log. It will have some new logs that may be of help.

 

It only produced one log. Please try running it again.

 

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now reboot your PC.

After reboot, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\MGlogs.zip

Can you connect to the internet now?

 

Okay AFD now has at least an appearance in the registry but does not seem to have started. Does AFD now show in Device Manager under the Non-Plug and Play Devices where TimW had you look earlier? Does it show as started?

 

Copy the below file:

C:\WINDOWS\system32\dllcache\afd.sys

Into the below folder;

C:\Windows\system32\drivers


If you can get it copied there, reboot your PC and check that it still is in the drivers folder after reboot. If it is, then check Device Manager again and also rerun GetLogs.bat and attach a new log. See if you can connect too.

This appears to be the wrong version file but hopefully it is good enough to get started.

 

Okay we are making some progress. Let me continue to look at your logs this evening. I have to run out in a little while though. Be back later.

But this is a wireless connect.... right? Can you try hardwiring to see what happens?

 

By the way, uninstall SUPERAntiSpyware which you have installed improperly to the below location:

C:\Documents and Settings\user\Desktop\major\SASCORE.EXE

It should not be install here.

I see left overs from McAfee and AVG too. Are either of these still installed?