Can't connect to internet : not getting IP address

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kousikb, Dec 4, 2011.

  1. kousikb

    kousikb Private E-2

    Hello,

    Initially I had a problem with frequent pop-ups like 'Security essential has detected 1 potential threat', which then asked for cleaning and finally asked for a reboot. I had to reboot several times, but it continued to get pop-ups for the threat. At that time my internet was working. Suddenly my internet stopped working; it's unable to get an IP address from my router. Then I came to this forum. I have executed all steps given in your 'read n run me first' section of malware removal. Every other step executed successfully, except 'combofix'. The run of combofix was hanging for hours at stage 41, so I killed the process. During the run it said that it has detected a rootkit at the tcp/ip stack. Since it could not be completed, I am unable to attach the log. Please find the other logs attached.
    Since I got great help from this forum before, I know how helpful you are. At the same time I know how busy you are, so I will be patient waiting for a reply from you. I do appreciate your help to get my machine clean. Please help!!
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi kousikb,

    Can you also attach the MGlogs.zip file as requested from the Read and Run Me thread?

    Also follow these instructions:

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach that file to your next message. (How to attach)

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      ipsec.sys
      lsass.exe
      netbt.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\netbt
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\ipsec
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)
     
  3. kousikb

    kousikb Private E-2

    Thanks for your prompt reply. Also, sorry about my late response. I am now attaching mglogs.zip.

    I will follow your instruction and run all those. I will post those logs thereafter.

    Thanks again!!
     

    Attached Files:

  4. kousikb

    kousikb Private E-2

    Please find all logs as instructed.

    Thank you for your time and help.
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • CouponBar <-- not recommended
    • Mozilla Firefox (3.6.10) <-- you should upgrade this after we are done with malware removal. Version 8.0 is out now.
    • The Cleaner 5.2 <-- not recommended

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    SRV - File not found [On_Demand | Stopped] --  -- (stllssvr)
    SRV - File not found [Disabled | Stopped] --  -- (HidServ)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Simbad)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (MRENDIS5)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (MREMPR5)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKslf58e836d)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKslea307596)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKslea2d5f93)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKslc5a8a8e4)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKslc32097b6)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKslc12be9b3)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKslbb34bf0c)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKslb2a5b121)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKsla925d080)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKsla5455f77)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKsla4c34c32)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKsl8caf5481)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKsl74d337ad)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKsl565a09b2)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKsl3000d97e)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKsl1cacfc6a)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKsl0e392180)
    DRV - File not found [Kernel | System | Stopped] --  -- (MpKsl064946d2)
    DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (IPSECSHM)
    DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (catchme)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Atdisk)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1
    IE - HKU\S-1-5-21-2787327478-4218349981-1470722994-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-CEC4-75A487FD6484} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-CEC4-75A487FD6484} - No CLSID value found.
    O15 - HKU\S-1-5-21-2787327478-4218349981-1470722994-1005\..Trusted Domains: $talisma_url$ ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-2787327478-4218349981-1470722994-1005\..Trusted Domains: aol.com ([objects] * is out of zone range -  5)
    [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\Documents and Settings\Kousik Bhattacharya\*.tmp files -> C:\Documents and Settings\Kousik Bhattacharya\*.tmp -> ]
    [2011/11/27 09:30:43 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Kousik Bhattacharya\Local Settings\Application Data\8c9f1abe
    [2011/11/14 20:12:32 | 000,011,904 | ---- | M] () -- C:\Documents and Settings\Kousik Bhattacharya\Desktop\CEACAA001Z8927.dat
    [2010/03/15 20:58:05 | 000,004,838 | -HS- | C] () -- C:\Documents and Settings\Kousik Bhattacharya\Local Settings\Application Data\4GCn8U7
    [2010/02/27 20:37:42 | 000,014,400 | -HS- | C] () -- C:\Documents and Settings\Kousik Bhattacharya\Local Settings\Application Data\qadX88Alu
    [2008/11/06 17:13:51 | 000,000,002 | ---- | M] () -- C:\1286085356
    [2011/11/27 23:22:11 | 000,025,088 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Desktop(2).ini
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Kousik Bhattacharya\My Documents\t.wav:Roxio EMC Stream
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:62E2D794
    :files
    C:\WINDOWS\$NtUninstallKB27102$
    C:\WINDOWS\temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb
    C:\Documents and Settings\Kousik Bhattacharya\Local Settings\temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb
    C:\Documents and Settings\Kousik Bhattacharya\Templates\4GCn8U7
    C:\Documents and Settings\Kousik Bhattacharya\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
    C:\Documents and Settings\Kousik Bhattacharya\Local Settings\Application Data\.#
    C:\Documents and Settings\Kousik Bhattacharya\Local Settings\Application Data\#32E2~1 
    C:\Documents and Settings\Kousik Bhattacharya\Local Settings\Application Data\ATTYToolbar
    dir /s "C:\Documents and Settings\Kousik Bhattacharya\Local Settings\Application Data\Entriq\" /c
    C:\WINDOWS\System32\drivers\afd.sys|C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys /replace
    xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
    xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
    xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
    xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "FixCleaner"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{25477387-2310-45df-933D-E9416D3D0303}]
    :commands
    [purity]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    ========WARNING========
    The below is specifically for kousikb's computer
    Do NOT run the below if you are not kousikb
    Doing so may damage your PC!
    ========WARNING========

    Attached is afd.zip

    Inside is:
    • afd.reg
    • fixme+restart.bat
    Extract both files to the infected computer's desktop.

    First double-click afd.reg and allow it to merge into the registry. You should receive a successful message.

    Now reboot your PC.

    Once you have rebooted...

    Test your internet, If it still is not working, run the fixme+restart.bat file by double-clicking it.
    Your PC will reboot again. Once you are back in Windows, test your internet again.

    If it still does not work, attach the fixme_results.txt file the .bat file created.

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the PC is running afterwards.
     

    Attached Files:

    • afd.zip
      File size:
      945 bytes
      Views:
      8
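    The OTL scan in post 2 hashes the network-stack files (afd.sys, tcpip.sys, netbt.sys, ipsec.sys, dhcpcsvc.dll) and dumps the dhcp/afd/netbt/tcpip/ipsec service keys, and the fix above copies a clean afd.sys back from $hf_mig$. The PowerShell below is an added example of the same triage done read-only, not code from this thread, OTL or MajorGeeks: it checks that each service's ImagePath/ServiceDll resolves under system32 and compares the live driver with the other copies Windows keeps under %SystemRoot%. The function names, the lists of services and drivers, and the "anything outside system32 is suspicious" rule are this example's assumptions; Windows PowerShell 2.0 or later, run elevated, is assumed.

```powershell
# Added example, not from the thread and not OTL's or MajorGeeks' code.
# Read-only triage of the network-stack components the OTL scan targets.
# Run from an elevated PowerShell prompt (PowerShell 2.0 or later assumed).
# Expected locations (system32, system32\drivers) are the Windows defaults; a hit
# in the output is a lead to confirm (version, signature), not proof of infection.

$Sys32           = Join-Path $env:SystemRoot 'system32'
$ServicesToCheck = 'afd', 'tcpip', 'netbt', 'ipsec', 'dhcp'        # assumption: the OTL scan list
$DriversToCheck  = 'afd.sys', 'tcpip.sys', 'netbt.sys', 'ipsec.sys' # assumption: md5 targets in that scan

function Resolve-ServicePath {
    # Normalise the forms an ImagePath/ServiceDll value takes in the registry:
    # \SystemRoot\..., %SystemRoot%\..., system32\drivers\..., \??\C:\..., "svchost.exe -k group".
    param([string]$Raw)
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw).Trim()
    $p = ($p -split ' -k ')[0].Trim().Trim('"')
    if ($p -match '^\\\?\?\\')       { $p = $p.Substring(4) }
    if ($p -match '^\\SystemRoot\\') { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    elseif ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-ServiceConfig {
    # Flags a service whose ImagePath or ServiceDll resolves outside system32:
    # a hijacked service loads foreign code under a legitimate service name.
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        return New-Object PSObject -Property @{ Service = $Name; Findings = 'service key missing' }
    }
    $findings = @()
    $image = Resolve-ServicePath (Get-ItemProperty $key).ImagePath
    if (-not $image -or -not (Test-Path $image)) {
        $findings += "ImagePath file not found: $image"
    } elseif (-not $image.StartsWith($Sys32, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += "ImagePath outside system32: $image"
    }
    $paramKey = "$key\Parameters"   # svchost-hosted services (dhcp) load their code from ServiceDll
    if (Test-Path $paramKey) {
        $dll = Resolve-ServicePath (Get-ItemProperty $paramKey).ServiceDll
        if ($dll -and -not $dll.StartsWith($Sys32, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "ServiceDll outside system32: $dll"
        }
    }
    $summary = 'ok'
    if ($findings) { $summary = $findings -join '; ' }
    New-Object PSObject -Property @{ Service = $Name; Findings = $summary }
}

function Get-Sha256Hex {
    # .NET hashing so the script also runs on PowerShell 2.0, which has no Get-FileHash.
    # Returns $null for files that cannot be opened instead of aborting the whole run.
    param([string]$Path)
    try {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $fs  = [System.IO.File]::OpenRead($Path)
        try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $fs.Close() }
    } catch { $null }
}

function Compare-DriverCopies {
    # Compares the live driver in system32\drivers with every other copy Windows keeps
    # under %SystemRoot% (dllcache, $hf_mig$, ServicePackFiles, WinSxS). A live file that
    # matches none of them is the situation this thread fixed by restoring afd.sys from $hf_mig$.
    param([string]$DriverFile)
    $live = Join-Path $Sys32 "drivers\$DriverFile"
    if (-not (Test-Path $live)) {
        return New-Object PSObject -Property @{ Driver = $DriverFile; LiveHash = $null; Copies = 0; Matching = 0; Signed = 'file missing' }
    }
    $liveHash = Get-Sha256Hex $live
    $copies   = @(Get-ChildItem -Path $env:SystemRoot -Filter $DriverFile -Recurse -Force -ErrorAction SilentlyContinue |
                  Where-Object { $_.FullName -ne $live })
    $matching = @($copies | Where-Object { (Get-Sha256Hex $_.FullName) -eq $liveHash })
    New-Object PSObject -Property @{
        Driver   = $DriverFile
        LiveHash = $liveHash
        Copies   = $copies.Count
        Matching = $matching.Count
        # Catalog-signed system files can report NotSigned here; treat this column as a hint only.
        Signed   = (Get-AuthenticodeSignature $live).Status
    }
}

$ServicesToCheck | ForEach-Object { Test-ServiceConfig $_ }  | Format-Table Service, Findings -AutoSize
$DriversToCheck  | ForEach-Object { Compare-DriverCopies $_ } | Format-Table Driver, Copies, Matching, Signed, LiveHash -AutoSize
```

    The recursive search of %SystemRoot% is slow on systems with a large WinSxS folder, but it is what makes the comparison useful: a live afd.sys with zero matching copies, or a dhcp ServiceDll pointing into a profile or temp folder, is exactly the kind of finding that the OTL fix above was written to act on.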
  6. kousikb

    kousikb Private E-2

    Hello thisisu,

    Thank you so much. My internet is back to normal after I'm done with the step to merge afd.reg.

    Here are my execution reports:

    1. a) could not remove coupon bar .. looks like the uninstall program is broken
    b) Will update Firefox later , as instructed
    c) The Cleaner 5.2 -- uninstalled

    2. Uninstall Windows Messenger -- done

    3. Executed the code for OTL -- please find log attached.

    4. Ran afd.reg and rebooted

    After step 4, my internet started working. Do I need to execute the rest of the stuff? Please let me know.

    My sincere thanks to you and rest of administrators of this forum. You are awesome !! :)
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    Glad to hear your internet is working now :)

    Can you download a new copy of ComboFix (delete the old one) and try running it again?

    Also I need an updated MGlogs.zip so run the C:\MGtools\GetLogs.bat file after you have attempted to run ComboFix.

    Try uninstalling it with Revo Uninstaller.
     
  8. kousikb

    kousikb Private E-2

    Thanks thisisu.

    Combofix worked fine this time. Please see log attached.

    Also, find MGlogs.zip attached. I have uninstalled 'couponbar' successfully using Revo.

    Please suggest for anything required.

    Could you please suggest me on IE cookie setting?
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    These latest logs are clean.

    You do not have Comodo Antivirus installed anymore right? If not you should run the below as Security Center still detects it. Remember to only keep one Antivirus installed.

    Code:
    net stop winmgmt /y
    cd %windir%\system32\wbem\repository
    del %windir%\system32\wbem\repository\*.* /f/q/s
    net start winmgmt
    shutdown.exe -r -f -t 15
    Copy and paste the above code into a text file and save it as repairwmi.bat. Make sure All Files is selected, as we do not want to save it as a text file.

    Then run it by double-clicking. It should reboot your PC automatically when finished.

    Other than that I think you are good to go. ;)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
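    The repairwmi.bat above deletes the WMI repository because Security Center kept reporting an antivirus (Comodo) that was no longer installed. The PowerShell below is an added example, not from this thread or MajorGeeks, of confirming that stale state read-only before wiping anything: it lists what Security Center has registered and flags entries whose product executable no longer exists. The namespaces and class names are the standard Security Center WMI classes; the function names and the "missing executable means stale" rule are this example's assumptions, as is PowerShell 2.0 or later.

```powershell
# Added example, not from the thread and not MajorGeeks' code. Read-only check of what
# Security Center believes is installed, to confirm a stale antivirus registration
# before deciding to rebuild the WMI repository.

function Get-RegisteredSecurityProducts {
    # root\SecurityCenter is used by XP and Vista, root\SecurityCenter2 by Windows 7 and
    # later; querying both covers every version mentioned in the thread. A namespace or
    # class that does not exist on this machine is skipped silently.
    $out = @()
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
            $items = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
            foreach ($item in $items) {   # foreach over $null runs zero times
                # pathToSignedProductExe exists only in SecurityCenter2; on XP it stays $null.
                $exe = $item.pathToSignedProductExe
                $present = $null
                if ($exe) { $present = Test-Path ([Environment]::ExpandEnvironmentVariables($exe)) }
                $out += New-Object PSObject -Property @{
                    Namespace  = $ns
                    Class      = $class
                    Name       = $item.displayName
                    ProductExe = $exe
                    ExePresent = $present
                }
            }
        }
    }
    return $out
}

function Get-StaleSecurityProducts {
    # A registration whose executable is gone from disk is the leftover state Security
    # Center keeps reporting after an uninstall; the repository rebuild clears it.
    Get-RegisteredSecurityProducts | Where-Object { $_.ExePresent -eq $false }
}

Get-RegisteredSecurityProducts | Format-Table Namespace, Class, Name, ExePresent -AutoSize
Get-StaleSecurityProducts      | Format-Table Name, ProductExe -AutoSize
```

    On XP the SecurityCenter class carries no executable path, so the check only lists the names there and the decision rests on comparing that list with Add/Remove Programs. On Vista and later, winmgmt /verifyrepository and winmgmt /salvagerepository are a less destructive first step than deleting the repository folder; they do not exist on XP, which is why the batch file above deletes it outright.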
     
  10. kousikb

    kousikb Private E-2

    I have completed all steps mentioned. My computer is now completely clean and back to normal.

    I do appreciate your effort and guidance. Thank you so so much.
     
  11. thisisu

    thisisu Malware Consultant

    I'm glad to hear that :) You're welcome. Surf safely!
     
