Restoring internet connection after ZeroAccess

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JosephJ, Dec 20, 2011.

  1. JosephJ

    JosephJ Private E-2

    Hello, all.

    First off, I want to thank anyone who provides any help or feedback. Also, I'm very sorry if this was already covered, but I'm in a hurry to return home from the holidays and MajorGeeks was recommended to me.

    Also, if any logs are needed let me know.

    About three days ago, my computer was infected with ZeroAccess. I have since, to the best of my knowledge, deleted the rootkit using ComboFix. However, problems still linger.

    If I boot in safe mode with networking, I get no internet connection. If I start Windows normally, I get an IRQL_LESS_OR_EQUAL blue screen.

    Thank you,
    joseph
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Yes, you can attach the log from ComboFix that you already have, but we will need you to run the below procedure so that we can properly assess what is going on. Since you already ran ComboFix (which, by the way, should NEVER be the first thing to be run), you can skip ComboFix in the below process.


    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:
    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. JosephJ

    JosephJ Private E-2

    Thank you so much for the response. I'm hopefully looking to get this solved by tomorrow. It's very pesky and putting a damper on my holidays.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    This may not be possible. You have a new type of infection that has just started showing up in the last 2 days or so. There are a couple of variations of it already. The problem is that it is doing a lot of damage to the registry. Some we can see, but there may be a lot that we cannot see. Even when we repair some of the items, like we have from some previous forms of the infection, the Windows services that have been broken are not starting.


    Do you have System Restore points from a few days before this infection started?
     
  5. JosephJ

    JosephJ Private E-2

    Yes. I wasn't able to System Restore; it would fail.

    Thanks again.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, that's not good. Not sure if we can fix this since it seems you have a mixture of several infections that have caused significant damage, but we will give it a try.

    However, first we have a big issue in that you have way too many security-type programs installed, with multiple antivirus and multiple antispyware protections in place. We are going to have to uninstall ALL of them. So uninstall all of the below:

    Advanced SystemCare 4
    IObit Malware Fighter
    Microsoft Antimalware
    Microsoft Security Client
    Microsoft Security Essentials
    Trend Micro AntiVirus

    Also uninstall the below:
    Viewpoint Media Player



    Download SubInACL.msi from Microsoft.
    • Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
    • Now download the below file and save it to your Desktop:
    • Now right click on resetperm.cmd and select Run As Administrator to run this script. Be patient as this may take a while to run. Also, it is imperative that you Run As Administrator. This is not the same thing as your user account having administrator privileges.
    Once it finishes, reboot your PC.



    After reboot now press the Windows key and the R key at the same time to bring up the Run box. Type in regedit and hit OK.
    • Then in the Registry Editor click File, Import.
    • Navigate your way to the C:\MGtools folder and locate the fixW7BFE.reg key and select it.
    • Then click the Open button and allow this to be added into your registry
    Tell me what happened exactly. Like, do you get any error messages or do you get a success message?

    No matter what happens with the above, continue on with the below.



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    This is just a start at fixing your problems. There will be more to do
     
  7. JosephJ

    JosephJ Private E-2

    Thanks again for the support.

    I uninstalled all the programs except for Microsoft Security Essentials, which wouldn't uninstall in safe mode.

    SubInACL.msi would not work because I was in safe mode.

    When I ran resetperm.cmd, it only took three seconds. Which I found odd. I got no prompts or error messages.

    After rebooting my computer and starting Windows normally, I got the BSOD with the IRQL_LESS_OR_EQUAL error that I've been getting.

    When I opened fixW7BFE.reg, there was an error message saying there was an error accessing the registry.
     

    Attached Files:

    Last edited by a moderator: Dec 22, 2011
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You cannot run this without first installing Subinacl

    You cannot run this without having successfully completed the prior instructions with Subinacl and resetperm

    Can you run in normal boot mode at all?

    Did you run the instructions with ComboFix?
     
  9. JosephJ

    JosephJ Private E-2

    Yeah, no normal boot at all. Goes straight to blue screen with IRQL error.

    Yes, I put the notepad file into combofix and it ran.

    This is such a bummer.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you need to finish the rest of the instructions. I asked for the new ComboFix log and also a new log from MGtools.
     
  11. JosephJ

    JosephJ Private E-2

    Those were the new logs, are they not attached correctly?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You had them in a different thread. TimW moved them here.

    I still see the below installed. These were on the list of things to uninstall:

    Microsoft Security Client
    Microsoft Security Essentials
    Trend Micro AntiVirus

    Did you have a problem uninstalling these? You need to uninstall them due to the fact that you had too many security programs installed and now the problems from doing this need to be cleaned up by removing all of them.


    Now download this subinacl and save it to the C:\MGtools folder. It must be saved in this folder!!!!

    Now download this perm.cmd and also save it to the C:\MGtools folder.

    Now right click on perm.cmd and select Run As Administrator to run this script. Be patient as this may take a while to run. Also, it is imperative that you Run As Administrator. This is not the same thing as your user account having administrator privileges.

    Once it finishes, reboot your PC.


    Uninstall the below old versions of software:
    Java(TM) SE Runtime Environment 6 Update 1



    Now we need to use ComboFix again
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )



    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
     
    Last edited: Dec 23, 2011
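The contents of perm.cmd are not shown in this thread, so the following is an added example rather than the script chaslang posted. It wraps the SubInACL registry and file-system permission reset that the step above performs, and adds the two checks whose absence tripped the poster: that subinacl.exe is actually present in C:\MGtools (the .msi cannot install in Safe Mode because the Windows Installer service is not running there, which is why the script "ran for 3 seconds" and did nothing), and that the script is running elevated, which is what "Run As Administrator" means under UAC. The subinacl command lines follow Microsoft's published reset.cmd; the C:\MGtools path and the log file location are assumptions.

```powershell
# Added example, not the thread's perm.cmd (whose contents are not shown above).
# Resets registry and system-drive ACLs with SubInACL the way Microsoft's
# published reset.cmd does, after checking that the tool is present and that
# the shell is elevated. Paths below are assumptions taken from the thread.
$subinacl = 'C:\MGtools\subinacl.exe'
$logFile  = 'C:\MGtools\perm.log'

function Test-Elevated {
    # "Run As Administrator" gives an elevated token. Merely being a member of
    # Administrators is not enough: under UAC that account runs with a filtered token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Reset-Permissions {
    if (-not (Test-Path $subinacl)) {
        throw "subinacl.exe not found at $subinacl. The MSI will not install in Safe Mode (no Windows Installer service); copy subinacl.exe into that folder directly."
    }
    if (-not (Test-Elevated)) {
        throw 'Not elevated: right-click the script and choose Run As Administrator.'
    }
    if ($env:SAFEBOOT_OPTION) {
        # SAFEBOOT_OPTION is only defined while booted into Safe Mode.
        Write-Warning ("Running in Safe Mode ({0}); services that are not loaded will still get their registry ACLs reset." -f $env:SAFEBOOT_OPTION)
    }

    # Each call walks an entire hive or the whole system drive, which is why a
    # genuine run takes minutes rather than seconds.
    $targets = @(
        @('/subkeyreg', 'HKEY_LOCAL_MACHINE'),
        @('/subkeyreg', 'HKEY_CURRENT_USER'),
        @('/subkeyreg', 'HKEY_CLASSES_ROOT'),
        @('/subdirectories', $env:SystemDrive)
    )
    foreach ($t in $targets) {
        foreach ($principal in 'administrators', 'system') {
            # Grant full control (f) to Administrators and SYSTEM on every object.
            $argList = $t + "/grant=$principal=f"
            ("subinacl {0}" -f ($argList -join ' ')) | Out-File $logFile -Append
            & $subinacl $argList 2>&1 | Out-File $logFile -Append
        }
    }
    "Done. Review $logFile, then reboot."
}

Reset-Permissions
```

A run that finishes almost immediately with an empty perm.log is the symptom seen in this thread and means the first check fired; fix the prerequisite rather than moving on to the .reg imports, which depend on the ACLs having been reset.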
  13. JosephJ

    JosephJ Private E-2

    I took care of Trend, but I can't delete Microsoft Security Essentials in safe mode. I apologize, my friend. Hopefully we can knock this thing out.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay just reread my previous message and follow the instructions there. I edited it to add a bunch more since you were not around after I first posted it.
     
  15. JosephJ

    JosephJ Private E-2

    Here are the new logs.

    Still can't uninstall Microsoft Security. Couldn't run that command, even in the MGlogs folder. It pops up, runs script for 3 seconds and then is done.

    Thanks for taking the time to help.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow my instructions. I asked you to download two different things to the MGtools folder. You did not do this. You copied the previous files from the other instructions into the MGtools folder. Please follow the instructions as written. There should be a subinacl.exe and perm.cmd in the MGtools folder when you do it properly. I did have a typo though where I forgot to change the "right click resetperm.cmd" to "right click perm.cmd" and that has been edited now.

    You don't need to rerun the ComboFix fix. Just try to run perm.cmd and if and only if it runs, then attach a new MGlogs.zip the same way.
     
  17. JosephJ

    JosephJ Private E-2

    Perm.cmd ran successfully.

    Here are the new MGlogs.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Excellent. Have you rebooted after running this? If not, please reboot and then get a new MGlogs.zip to attach.
     
  19. JosephJ

    JosephJ Private E-2

    Here are the new MGlogs from after the boot.

    So I tried to boot normally and still got the blue screen of death. Bummer.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the perm.cmd has fixed a few of your problems with services not running, but not all of them.
    Read ALL of the below before doing anything.

    Hold down the Windows key and press R to bring up the Run box. Type msconfig into the Run box and click OK.

    This will bring up the System Configuration Utility.
    Select Diagnostic Startup and then click Apply and OK
    And reboot your computer.

    Allow it to boot normally in this Diagnostic mode. Does it boot up okay? You will not be able to get to the internet or do too much else in this mode. I just want to see if it boots up in this mode okay without an error.
     
  21. JosephJ

    JosephJ Private E-2

    It successfully booted in Normal mode with an error message!

    We can only hope this is progress.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, now run MSconfig again and this time choose Selective Startup.
    Then click the Services tab and at the bottom first select Hide All Microsoft services.
    Then disable the services still showing.
    Then go to the Startup tab and disable all the Startups.
    Then click Apply and OK, and reboot.

    Now tell me what happens.
     
  23. JosephJ

    JosephJ Private E-2

    Ugh, I'm sorry. I meant it successfully started WITHOUT an error message. I guess I was just overwhelmed not seeing the blue screen of death. Did you still want me to do those steps you just posted?
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes!
     
  25. JosephJ

    JosephJ Private E-2

    After I hide all microsoft services, I still have a ton of things I can disable.

    Apple Mobile Device
    Bonjour Service
    FLEXnet Licensing Service
    Google Update Service
    iPod Service
    NVIDIA Display Driver Service
    NVIDIA Update Service Daemon
    Rosettastonedaemon
    Steam Client Service
    NVIDIA Stereoscopic 3d driver
    Yahoo Updater.

    Did you want me to disable them all? Sorry if I'm not clear
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that is what I want you to do. And also disable everything on the Startup tab
     
  27. JosephJ

    JosephJ Private E-2

    Nothing happened. After disabling all startup tabs and all service tabs, windows had a successful boot in normal mode.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, then that means your inability to boot into normal mode is caused by either one of those non-Microsoft services or one of the Startup processes. You will have to experiment enabling and disabling various ones to find out which one.

    Example,
    • Try just re-enabling all of those non-Microsoft services
    • But leave all of the Startup processes disabled and Apply that and OK it.
    • Then Reboot and see what happens.
    • If you get the error message back, then one of the services is the problem.
    • If you still don't have the error message, then one of the Startup processes is the problem and you will have to slowly zero in on which one.
     
  29. JosephJ

    JosephJ Private E-2

    So after re-enabling all of the non-Microsoft services, and leaving all of the startup processes disabled, the computer booted successfully in normal mode.

    Next I enabled all the startup processes, and the computer booted fine. Does this mean one of the Microsoft services is the problem? Because everything else is enabled and the computer booted fine with no blue screen or error message. Other than something about an error with HP advisor, everything booted fine.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Possibly it is related to this somehow.

    Run Msconfig and put a check in the box that indicates Normal Startup and then reboot. Now what happens? This will load all device drivers too and this could result in the error coming back.
     
  31. JosephJ

    JosephJ Private E-2

    After checking the normal startup box and rebooting, the blue screen of death has returned :(
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes which is what I expected. Seems you have some kind of driver issue.

    Go back to Selective Startup and just leave all Services and Startups enabled like last time and see if you can get this to work again. If you do, then run ComboFix and MGtools in this mode and attach new logs from them.
     
  33. JosephJ

    JosephJ Private E-2

    With everything enabled, it blue screened. Ugh.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Disable all non-Microsoft Services and see what happens. If no good, then also disable all startups.

    If that avoids the error, then run ComboFix and MGtools.
     
  35. JosephJ

    JosephJ Private E-2

    I had to disable all non-Microsoft services AND disable all startups for it to boot normally.

    Here are the combofix and MGlogs.
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your logs, I see that you also disabled necessary Microsoft services. You need to re-enable them so that we can continue. For just a couple of examples, you disabled BFE ( Base Filtering Engine ), DHCP ( Dynamic Host Control Protocol ), and many more that are needed.

    After you get all of the Microsoft services re-enabled, you will have to reboot again and then do the below.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  37. JosephJ

    JosephJ Private E-2

    So by enabling all of the microsoft services, I get the blue screen of death. Should I start with a few, maybe just some important ones.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try enabling the services associated with the below registry keys:


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\BFE]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\CryptSvc]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Dhcp]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Dnscache]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Eventlog]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\EventSystem]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\IKEEXT]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\IPBusEnum]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\LanmanServer]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\LanmanWorkstation]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\lltdsvc]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\MpsSvc]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\MsMpSvc]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\napagent]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Netman]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\netprofm]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\NisSrv]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\NlaSvc]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\nsi]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\PolicyAgent]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\RpcLocator]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\SamSs]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\SharedAccess]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\SSDPSRV]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\SstpSvc]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\TrustedInstaller]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\upnphost]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\wcncsvc]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\WdiServiceHost]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\WdiSystemHost]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Wecsvc]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\wercplsupport]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\WerSvc]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Winmgmt]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Wlansvc]
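The keys listed above are where MSConfig records the services it has turned off: one subkey per service, named with the short service name. The following is an added example, not something posted in the thread, that reads that key and looks up each entry's display name and current start mode, so that a short name such as "BFE" or "IPBusEnum" can be matched against what the Services tab shows. The list of core services used for flagging is taken from this post; the one-subkey-per-service layout is an assumption based on Windows 7, where this thread takes place.

```powershell
# Added example, not from the thread: report which services MSConfig has
# disabled, with display names. Assumes the Windows 7 layout in which
# MSConfig creates one subkey per disabled service under this key.
$msconfigKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\services'

# Services chaslang asked to be re-enabled first; used only to flag them in the report.
$coreServices = @('BFE', 'Dhcp', 'Dnscache', 'IKEEXT', 'SharedAccess', 'PolicyAgent',
                  'napagent', 'Netman', 'nsi', 'IPBusEnum', 'RpcLocator', 'SamSs',
                  'SSDPSRV', 'MpsSvc')

function Get-MSConfigDisabledService {
    if (-not (Test-Path $msconfigKey)) {
        Write-Warning 'No MSConfig services key: nothing has been disabled through msconfig.'
        return
    }
    foreach ($key in Get-ChildItem $msconfigKey) {
        $name = $key.PSChildName
        # Win32_Service exposes StartMode on PowerShell 2.0, where Get-Service has no StartType.
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        $displayName = '(service not installed)'   # the damage the thread's .reg fixes target
        $startMode   = 'n/a'
        $state       = 'n/a'
        if ($svc) {
            $displayName = $svc.DisplayName
            $startMode   = $svc.StartMode
            $state       = $svc.State
        }
        New-Object PSObject -Property @{
            Name        = $name
            DisplayName = $displayName
            StartMode   = $startMode
            State       = $state
            Core        = ($coreServices -contains $name)
        }
    }
}

Get-MSConfigDisabledService |
    Sort-Object @{ Expression = 'Core'; Descending = $true }, Name |
    Format-Table Core, Name, DisplayName, StartMode, State -AutoSize
```

Run it from an elevated PowerShell. Re-enable services through msconfig itself rather than with Set-Service, so that the start type MSConfig recorded when it disabled the service (Automatic for DHCP Client, Manual for Network Connections, and so on) is restored rather than guessed.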
     
  39. JosephJ

    JosephJ Private E-2

    I know there are some of those services I missed, and I greatly apologize for it. But it booted successfully with the ones I did select. Here are the logs.

    And I really appreciate you sticking with this and helping me find a solution.
     

    Attached Files:

  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's okay. I should have given you their full text names rather than the short service names.

    Now look at the below in MSconfig and enable each of these and then reboot. See if you can still run without an error.


    Base Filtering Engine
    DHCP Client
    DNS Client
    IKE and AuthIP IPsec Keying Modules
    Internet Connection Sharing (ICS)
    IPsec Policy Agent
    Network Access Protection Agent
    Network Connections
    Network Store Interface
    PnP-X IP Bus Enumerator
    Remote Procedure Call (RPC) Locator
    Security Accounts Manager
    SSDP Discovery
    Windows Firewall
     
    Last edited: Dec 25, 2011
  41. JosephJ

    JosephJ Private E-2

    Booted successfully.
     
  42. JosephJ

    JosephJ Private E-2

    Hopefully that narrows it down.
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good now let's continue with it like it is and maybe we will slowly enable some more later ( probably after Xmas day is over or late Xmas night ). Will not have much time to be here from after this post until then.


    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Reset Registry Permissions
      • Register System Files
      • Repair WMI
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.
    Please download MiniRegTool.zip and unzip it.
    • Run the tool.
    • Copy and paste the following into the edit box:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSDRV\0000
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpsdrv
    • Check List Permissions radio button.
    • Press Go button and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.
    Now click Start and type regedit into the Search box. You should see regedit.exe and its icon appear up above. Right click on this and select Run As Administrator to run the Window Registry Editor with Admin permissions.
    • Then in the Registry Editor click File, Import.
    • Navigate your way to the C:\MGtools folder and locate the fixW7BFE.reg key and select it.
    • Then click the Open button and allow this to be added into your registry
    Tell me what happened exactly. Like, do you get any error messages or do you get a success message?

    If you received a success message, then repeat the above import with the below two files from the MGtools folder.
    • fixW7FW.reg
    • FixW7FWdrv.reg
    Now reboot your PC, then download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • Results.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  44. JosephJ

    JosephJ Private E-2

    I went through all of the steps, and successfully added each file to the registry. The reboot was successful. Here are the logs from all the things that just happened.

    Again, thanks for all the support. Is there possibly a light at the end of the tunnel? I hope so, Merry Christmas.
     

    Attached Files:

  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. And Merry Xmas to you too.
    It looks like it. We now have all of the below services running.
    Code:
    ===================================================================================== 
    Checking Base Filtering Engine Service State and Dependencies 
     
       Base Filtering Service is running  
       Remote Procedure Call {RPC}- Service is running  
       DCOM Server Process Launcher Service is running  
    =====================================================================================  
    Checking Windows Firewall Service -MpsSvc- State 
    .
       Windows Firewall Service is running  
    =====================================================================================  
    Checking Windows Firewall Authorization Driver Service -mpsdrv- State 
    .
       Windows Firewall Authorization Driver Service is running  
    
    Please also download MBRCheck to your desktop.


    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • the log from MBRcheck
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
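The service check quoted in the post above (Base Filtering Engine plus the RPC and DCOM services it depends on, the Windows Firewall service, and the mpsdrv driver) is what the earlier .reg imports were meant to restore. As an added example, not a tool from the thread, the following reproduces that check in PowerShell: it walks each service's dependency chain with Get-Service and reads the driver's state through WMI, since Get-Service does not list kernel-mode drivers. Service names are the Windows 7 names used in this thread.

```powershell
# Added example, not from the thread: reproduce the BFE / MpsSvc / mpsdrv
# check above, following each service's dependencies downward.
function Get-ServiceChainState {
    param([string]$Name, [int]$Depth = 0)
    $indent = ' ' * (2 * $Depth)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # A missing service is the failure mode this thread repairs: the key
        # under HKLM\SYSTEM\CurrentControlSet\Services was damaged or removed.
        return ("{0}{1}: NOT INSTALLED" -f $indent, $Name)
    }
    ("{0}{1} ({2}): {3}" -f $indent, $svc.DisplayName, $svc.Name, $svc.Status)
    foreach ($dep in $svc.ServicesDependedOn) {
        # BFE depends on RpcSs, which depends on DcomLaunch; recurse through all of them.
        Get-ServiceChainState -Name $dep.Name -Depth ($Depth + 1)
    }
}

function Get-DriverState {
    param([string]$Name)
    # Kernel drivers such as mpsdrv are in Win32_SystemDriver, not Win32_Service.
    $drv = Get-WmiObject Win32_SystemDriver -Filter "Name='$Name'"
    if (-not $drv) { return ("{0}: NOT INSTALLED" -f $Name) }
    ("{0} ({1}): {2}, start mode {3}" -f $drv.DisplayName, $drv.Name, $drv.State, $drv.StartMode)
}

'=== Base Filtering Engine and its dependencies ==='
Get-ServiceChainState -Name 'BFE'
'=== Windows Firewall service ==='
Get-ServiceChainState -Name 'MpsSvc'
'=== Windows Firewall Authorization Driver ==='
Get-DriverState -Name 'mpsdrv'
```

On a healthy Windows 7 machine every line reports Running; a NOT INSTALLED line pinpoints which Services key still needs to be restored, and a Stopped dependency explains why a parent service such as MpsSvc refuses to start even after its own key has been repaired.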
     
  46. JosephJ

    JosephJ Private E-2

    Here are the new requested logs.
     

    Attached Files:

  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that's better, but sorry, I had a typo in my last fix with ComboFix that caused all those c:\Users\Owner\AppData\Local\ folders not to be removed. We will have to run another fix below.


    However, there is another possible issue showing in your MBRcheck log that indicates that your Master Boot Record ( MBR ) may be infected.
    • Do you have your Vista Boot DVD?
    • Also is your PC still experiencing any malware problems?
    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now download another new version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  48. JosephJ

    JosephJ Private E-2

    Here are the logs......
     

    Attached Files:

  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to answer the three questions in my last message.
     
  50. JosephJ

    JosephJ Private E-2

    I'm so sorry, I've been rushing everything the past 24 hours, having my computer at my mom's and trying to deal with families. No, I do not have my Vista DVD. Currently, I do not see any malware problems with my PC. And lastly, everything seemed to be running well after the last reboot. I wasn't connected to the internet at the time, but I wasn't receiving a blue screen of death after every step we took.
     
