no internet connection after combofix

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bpstrat, Mar 20, 2012.

  1. bpstrat

    bpstrat Private E-2

    Hi,
    I have a badly infected computer.
    Initially ran Malwarebytes and it found and removed some infections.
    Also ran TDSS; it also found a rootkit.
    And lastly ran Combofix. Combofix reports the ZeroAccess rootkit.
    After Combofix said it removed it, I don't have an internet connection. I can't turn on Windows Update or even turn off the screensaver.
    In Services, Computer Browser is set to Automatic; when I start it, it instantly stops.

    Please help
     

  2. thisisu

    thisisu Malware Consultant

  3. bpstrat

    bpstrat Private E-2

    Thanks for the reply.
    I have read and did the steps that I was allowed to in the intro.
    Still not connected.
    After disabling CD Emulation with DeFogger I did not get a prompt to reboot.
    Should I reboot anyway?
     
  4. thisisu

    thisisu Malware Consultant

    I need the logs from what you were able to do in order to assist you. You mentioned you ran TDSSKiller and MBAM. I need those and c:\MGlogs.zip
    Yes.
     
  5. bpstrat

    bpstrat Private E-2

    Thanks for your help.
    Here are the log files.
     

  6. thisisu

    thisisu Malware Consultant

    Please download Microsoft Fix it 50203 and transfer it to the desktop of the computer with the issue.
    • Double-click it to run.
    • Reboot when asked to.

    __

    Whether or not the above fixes the internet connection, follow these steps:

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      ipsec.sys
      netbt.sys
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\$ntuninstallkb*. /30
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  7. bpstrat

    bpstrat Private E-2

    Microsoft Fix It ran and asked to reboot, so I did.
    Still no internet connection.
    Then I ran OTL with the code.
    Here is the log.

    By the way, I ran these in normal startup mode, not safe mode. Is this correct?
     

  8. thisisu

    thisisu Malware Consultant

    Yes.

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • ALOT Appbar
    • Java(TM) 6 Update 30

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :processes
    killallprocesses
    :otl
    NetSvcs: websensedcagent -  File not found
    NetSvcs: tfsnopio - %systemroot%\system32\sysmonlog.dll File not found
    NetSvcs: olcamsrv - %systemroot%\system32\fuj02b1.dll File not found
    NetSvcs: logmein -  File not found
    NetSvcs: grmnusb - %systemroot%\system32\savscan.dll File not found
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\sysmonlog.dll -- (tfsnopio)
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\fuj02b1.dll -- (olcamsrv)
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\savscan.dll -- (grmnusb)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ViaIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ultra)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (TosIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc8xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc810)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_u3)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_hi)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Sparrow)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Simbad)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1280)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1240)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql12160)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Ql10wnt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1080)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2hib)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS -- (MREMPR5)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (mraid35x)
    DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (IntelIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ini910u)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (i2omp)
    DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (hpn)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dpti2o)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dac960nt)
    DRV - File not found [Kernel | Disabled | Unknown] --  -- (dac2w2k)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Cpqarray)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (CmdIde)
    DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (cd20xrnt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Ruth\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Atdisk)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3550)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3350p)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (amsint)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (AliIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78u2)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Aha154x)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (adpu160m)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (abp480n5)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
    IE - HKU\S-1-5-21-1659004503-1677128483-839522115-1004\..\SearchScopes\{0879771F-0EBD-4495-84ED-8A325A3080FB}: "URL" = http://search.avg.com/route/?d=4cc6d01a&v=6.10.6.4&i=23&tp=chrome&q={searchTerms}&lng={language}&iy=&ychte=us
    IE - HKU\S-1-5-21-1659004503-1677128483-839522115-1004\..\SearchScopes\{A531D99C-5A22-449b-83DA-872725C6D0ED}: "URL" = http://search.alot.com/web?q={searchTerms}&pr=prov&client_id=78C713D001CC5B6C16AC0180&install_time=2011-08-15T16:57:42Z&src_id=30050&camp_id=3085&tb_version=1.1.0000.2(B)
    IE - HKU\S-1-5-21-1659004503-1677128483-839522115-1004\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2418376
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10q_ActiveX.exe (Adobe Systems, Inc.)
    O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10q_ActiveX.exe (Adobe Systems, Inc.)
    O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2012/03/19 22:15:50 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Ruth\Desktop\xl199qlt.exe
    [2011/11/27 01:28:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\4LsaN.com.b
    [2011/11/27 01:25:49 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\L61c7D3.dat
    [2011/11/27 01:13:39 | 000,012,336 | -HS- | C] () -- C:\Documents and Settings\Ruth\Local Settings\Application Data\k4ep4sg4u0s8ijiuni02cwb0py4p1tb1nq774
    [2011/11/27 01:13:39 | 000,012,336 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\k4ep4sg4u0s8ijiuni02cwb0py4p1tb1nq774
    @Alternate Data Stream - 85 bytes -> C:\Documents and Settings\All Users\Desktop:$SS_DESCRIPTOR_PVX2VCGFMVF9V8N4TKBRVDNGCMPLJ4M9YWLP9TMVVJVKJF5VPJV7
    :files
    rd /s/q C:\WINDOWS\$NtUninstallKB45884$ /c
    type C:\temp633.bat /c
    C:\temp633.bat
    type C:\temp757.bat /c
    C:\temp757.bat
    type C:\rkill.log /c
    C:\rkill.log
    C:\Documents and Settings\Ruth\Desktop\fixme.reg
    C:\WINDOWS\system32\4LsaN.com.b
    C:\Documents and Settings\Ruth\Templates\k4ep4sg4u0s8ijiuni02cwb0py4p1tb1nq774
    C:\Documents and Settings\Ruth\Local Settings\Application Data\k4ep4sg4u0s8ijiuni02cwb0py4p1tb1nq774
    C:\Documents and Settings\Ruth\Desktop\xl199qlt.exe
    C:\WINDOWS\system32\config\systemprofile\Application Data\alotappbar
    C:\Documents and Settings\Ruth\Local Settings\Application Data\Conduit
    rd /s/q "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\3DWSP6QK" /c
    rd /s/q "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\BURN6C87" /c
    rd /s/q "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\IUFXWVFW" /c
    rd /s/q "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\P27DZ5VP" /c
    rd /s/q "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active" /c
    C:\$AVG
    C:\$AVG8.VAULT$
    C:\WINDOWS\system32\ping.exe.exp.log.old
    C:\WINDOWS\system32\ping.exe.exp.log
    fsutil reparsepoint delete C:\WINDOWS\$NtUninstallKB45884$ /c
    rd /s/q C:\WINDOWS\$NtUninstallKB45884$ /c
    ipconfig /flushdns /c
    netsh int ip reset resetlog.txt /c
    netsh winsock reset /c
    :reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0879771F-0EBD-4495-84ED-8A325A3080FB}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A531D99C-5A22-449b-83DA-872725C6D0ED}]
    :commands
    [emptyjava]
    [emptyflash]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
    Last edited: Mar 20, 2012
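Added example (not from the thread, and not OTL's own code): a small Python triage of OTL SRV/DRV/NetSvcs lines like the ones in the fix above, separating stale registrations with no image path from entries that still point at a missing file, auto-start services whose file is gone, and present files loading from a temp directory. The sample lines are constructed from the script above plus two made-up "found" entries so every branch is exercised.

```python
"""Triage OTL service/driver lines (SRV, DRV, NetSvcs) by what their path says.

Added example, not part of the thread and not OTL's own code. SAMPLE is
constructed from the fix script above plus two invented 'found' entries.
"""
import re
from collections import Counter

# 'SRV - <status or file stamp> [<flags>] -- <path> -- (<name>)'
SRV_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - (?P<status>.+?) \[(?P<flags>[^\]]*)\] -- "
    r"(?P<path>.*?) -- \((?P<name>[^)]+)\)$"
)
# 'NetSvcs: <name> - <path> File not found'  (path may be empty)
NETSVCS_RE = re.compile(
    r"^NetSvcs: (?P<name>\S+) -\s*(?P<path>(?!File not found)\S*)\s*(?P<rest>.*)$"
)
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\")

SAMPLE = r"""
NetSvcs: websensedcagent -  File not found
NetSvcs: grmnusb - %systemroot%\system32\savscan.dll File not found
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\sysmonlog.dll -- (tfsnopio)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ViaIde)
DRV - [2012/03/19 22:15:50 | 000,012,336 | ---- | M] () [Kernel | On_Demand | Running] -- C:\DOCUME~1\Ruth\LOCALS~1\Temp\xl199qlt.sys -- (xl199qlt)
SRV - [2012/03/20 10:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\svchost.exe -- (Browser)
"""  # last two lines are constructed 'found' entries, not from the thread


def classify(line):
    """Return (category, kind, name, path) for one OTL line, or None if the
    line is not a service/driver entry."""
    line = line.strip()
    m = SRV_RE.match(line)
    if m:
        kind, status, flags = m.group("kind"), m.group("status"), m.group("flags")
    else:
        m = NETSVCS_RE.match(line)
        if not m:
            return None
        kind, status, flags = "NetSvcs", m.group("rest"), ""
    name, path = m.group("name"), m.group("path")
    missing = "File not found" in status
    if missing and not path:
        cat = "stale"          # registration left behind with no image path
    elif missing and "Auto" in flags.split(" | "):
        cat = "dangling-auto"  # auto-start service whose file is gone
    elif missing:
        cat = "dangling"       # points at a file that no longer exists
    elif any(t in path.lower() for t in TEMP_MARKERS):
        cat = "review"         # present file loading from a temp directory
    else:
        cat = "ok"
    return cat, kind, name, path


def triage(text):
    """Classify every line; return (Counter of categories, list of non-ok hits)."""
    counts, hits = Counter(), []
    for line in text.splitlines():
        r = classify(line)
        if r:
            counts[r[0]] += 1
            if r[0] != "ok":
                hits.append(r)
    return counts, hits
```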
  9. bpstrat

    bpstrat Private E-2

    I noticed OTL also made a text file called extras. I will attach it also.
    Thanks for your time.
     

  10. bpstrat

    bpstrat Private E-2

    Followed your instructions: uninstalled ALOT Toolbar and Java Update 30.
    Noticed in Add/Remove that Malwarebytes reports last used 11-11-2009 (even though I used it today)?

    I inserted the text in the code box and clicked RUN FIX.
    OTL seems to be hung...bottom of screen says....Killing processes DO NOT INTERRUPT...

    Has been that way for ~25 minutes....?
     
  11. thisisu

    thisisu Malware Consultant

    Try the same fix while in Safe Mode. See: How to start your computer in Safe mode
     
  12. bpstrat

    bpstrat Private E-2

    Booted into safe mode and OTL (with code) ran successfully.
    Asked for reboot..allowed it to reboot to normal.
    Here are the updated log files. So far still no internet connection.
    Thanks for your quick replies.
     

  13. thisisu

    thisisu Malware Consultant

    Try what is listed here first:

    http://windows.microsoft.com/en-US/windows-xp/help/networking/repair-network-connection

    __

    If that does not work, then proceed with these instructions:

    Click Start, and then click Run.
    In the Open box, type regedit, and then click OK.
    In Registry Editor, locate the following keys, right-click each key, and then click Delete:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
    When you are prompted to confirm the deletion, click Yes.
    Close the Registry Editor.

    Locate the Nettcpip.inf file in C:\WINDOWS\inf and then open the file in Notepad.
    Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xA0 entry by replacing 0xA0 with 0x80. Save the file. Exit Notepad.
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned; this is the one we want! Do not choose Microsoft TCP/IP v6!

    Note: This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
    Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
    You will be asked to reboot your PC for the changes to take effect; go ahead and do this now.

    Once you have rebooted...
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy Manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK.
    Restart your computer.
    Test your Internet connectivity.
     
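Added example, not from the thread: the Nettcpip.inf edit from the steps above done as a script that clears only the NCF_NOT_USER_REMOVABLE bit (0x20) inside [MS_TCPIP.PrimaryInstall], which is exactly what turns 0xA0 (NCF_HAS_UI | NCF_NOT_USER_REMOVABLE) into 0x80, and leaves every other section alone. The INF fragment is constructed, and the second section in it is an assumption made only for the demo.

```python
"""Clear NCF_NOT_USER_REMOVABLE in [MS_TCPIP.PrimaryInstall] of Nettcpip.inf
so TCP/IP can be uninstalled, as the post above has you do by hand in Notepad.

Added example, not from the thread. Works on text so it can be checked
offline; SAMPLE_INF is a constructed fragment, not the real file.
"""
import re

# Flag bits from Windows' netcfgx.h (Characteristics is a bitmask of these)
NCF_NOT_USER_REMOVABLE = 0x20
NCF_HAS_UI = 0x80

SECTION = "[MS_TCPIP.PrimaryInstall]"
CHAR_RE = re.compile(r"^(\s*Characteristics\s*=\s*)(0x[0-9A-Fa-f]+)(.*)$")

SAMPLE_INF = """\
[Version]
Signature = "$Windows NT$"

[MS_TCPIP.PrimaryInstall]
Characteristics = 0xA0
AddReg = Tcpip.Reg

[MS_OTHER.PrimaryInstall]
Characteristics = 0xA0
"""  # constructed; the second section just shows that it is left alone


def patch_characteristics(text):
    """Return (new_text, old_value, new_value).

    Only the first Characteristics line inside SECTION is changed; the value
    is rewritten with the NCF_NOT_USER_REMOVABLE bit cleared, so running the
    function twice is harmless. Original line endings are preserved."""
    out, in_section, old, new = [], False, None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            # INF section names are case-insensitive
            in_section = stripped.lower() == SECTION.lower()
        m = CHAR_RE.match(line) if in_section else None
        if m and old is None:
            old = int(m.group(2), 16)
            new = old & ~NCF_NOT_USER_REMOVABLE
            line = f"{m.group(1)}0x{new:X}{m.group(3)}"
        out.append(line)
    if old is None:
        raise ValueError(f"no Characteristics entry under {SECTION}")
    nl = "\r\n" if "\r\n" in text else "\n"
    return nl.join(out) + nl, old, new
```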
  14. bpstrat

    bpstrat Private E-2

    SUCCESS!!!!
    Tried the MS instructions, no difference.

    Followed your instructions, deleted the registry keys, etc.
    Can now access internet.
    I have only booted to safe mode with networking so far. (afraid to go to normal until you say so).

    Wow dude you are awesome.

    Should I boot to normal and try anymore scans or test Windows update?
     
  15. thisisu

    thisisu Malware Consultant

    Yes you can return to Normal Mode.

    Do not run any additional scans yet.
    Let me know what malware problems remain, if any.

    Also do this from Normal Mode:

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  16. bpstrat

    bpstrat Private E-2

    Here is the latest log file.
     

  17. thisisu

    thisisu Malware Consultant

    Now install the current version of Sun Java from: jre-7u3-windows-i586.exe

    Any other issues? Looks like Windows Update should be working now. Test it out to make sure.

    Your latest logs are clean.

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  18. bpstrat

    bpstrat Private E-2

    It seems to be running better than it ever has.

    I cleaned out malwarebytes with mbamclean then did new install and it updated for the first time.
    I went to windows update and had to use MicrosoftFixIt 0777 to allow windows update....that worked and windows is up to date now.

    Downloaded AVG Free 2012 and am scanning now.

    Although you didn't advise me to run ComboFix... I already had run it before I opened this thread. Should I do the uninstall anyway?

    Thanks so much for your expertise.
     
  19. thisisu

    thisisu Malware Consultant

    Yes, but disable AVG temporarily before you attempt to uninstall ComboFix.

    You're welcome. Glad to hear things are running well now. :)
     
