Need help- Logs attached

Hi. I had a root kit about 7 months ago and you guys helped me to get it all of my computer. Or so I thought I had. I logged into a user account on my computer today that doesn't get used often and saw that the icons were missing from the desktop and it was grey. I did all the steps in the read me first which restored my icons and didn't seem to find much. Although, hitman found something in my driver that I ignored but it sounded important. Can someone look over my logs and let me know what to do next? Thanks so much!

 

Hello,

Can you also attach the MBAM log?

 

Oh yes, sorry! :-o Here are the other logs!

 

http://img853.imageshack.us/img853/6741/addremovexp.gif From Add/Remove Programs (via Control Panel), please uninstall the below:

• Coupon Printer for Windows
• Java(TM) 6 Update 32

__

http://img823.imageshack.us/img823/2039/msnmsg.gif Please download Disable/Remove Windows Messenger to your desktop.

• Double-click MessengerDisable.exe to run it.
• Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
• Click Apply
• Click Exit

__

http://img406.imageshack.us/img406/3189/windowsrepair.gif Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now open Repair_Windows.exe
• Go to the Start Repairs tab.
• Press the Start button
• Create a System Restore point if prompted.
• In the Repair Options window, choose the following repairs:
  • Repair Hosts File
  • Remove Policies Set By Infections
  • Repair Missing Start Menu Icons Removed by Infections
  • Repair Winsock & DNS Cache
• Place a checkmark in Restart/Shutdown System When Finished
• Fill in the Restart System bubble
• Now click the Start button.
• Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

__

http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

• Save it to your desktop.
• Double click on the OTL icon on your desktop.
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  activex
  netsvcs
  %windir%\system32\drivers\*.sys /lockedfiles
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

 

Ok, I was able to do all those steps but after running the tweaking program and after the restart my computer no longer has an IP address. I tried fixing it, unplugging modem and router, giving it a static address, etc but nothing will work and I cannot connect to the internet. All of the other devices on the network still work so I think its only affecting the one computer (my home computer). I have attached the log for OTL.

 

Sorry to hear that you experienced that. This fix below may take care of that, if not, attach a new MGlogs.zip for me to review.

__

I would prefer if you ran this fix while in Safe Mode for the highest chance of success.
See: How to start your computer in Safe mode

Attached is OTLfix.txt
Download and save this to your desktop.


http://img205.imageshack.us/img205/1894/otl.gif Now reopen OTL
Then drag OTLfix.txt into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
You should see a bunch of text transferred over into the text-field.
Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
The fix will need a reboot. Allow the PC to reboot into Normal Mode.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

Ok, I did all the steps but we still don't have an internet connection or IP address. Logs are attached.

 

Ok, let's see if this corrects it:

Open the Device Manager

• Press and hold the Windows key http://i1106.photobucket.com/albums/h363/debojyotidas/Windows_Logo_key.gif and then press the letter R on your keyboard.
• This opens the Run dialog box.
• Copy and paste the below text inside the text-field:
  • devmgmt.msc
• Now press ENTER

• Collapse the Network Adapters list.
• Right mouse click: Intel(R) PRO/100 VE Network Connection
• Choose "Uninstall".
• You be asked to confirm your actions, choose OK and let it uninstall.
• If it asks you if you want to delete the driver software / files too, say No.
• When you have done this and Intel(R) PRO/100 VE Network Connection is no longer in the Device Manager list -- Press the Scan for hardware changes button (http://img803.imageshack.us/img803/2868/scanhardware.png) or Action -> Scan for hardware changes
• Allow it to reinstall your network adapter.
• Reboot for changes to occur.
• Test internet once you have rebooted.

 

No, there was not any change.:cry

 

Ok, try to merge the registry file I've attached to this message. It is inside the .zip archive.

 

Nothing.

 

What happened when you tried to merge it into the registry? What error message or successful message did you get?

 

It said "Information in C:\Documentsandsetting\Bonnie\Desktop\Legacy_NETBT.reg has been successfully entered into the registry."

 

That's good. Reboot your computer

__

Once you have rebooted, test for internet connectivity and:

http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

The internet isn't working still after reboot. I attached the log.

I don't know if this helps at all but the last time you were helping me restore everything you said that the nebt service was missing on my computer even though my internet was working fine. You also said that the DHCP service was turned off because of it. I am not sure that I ever repaired that or not.

Thanks for helping me!!

 

Try again, it didn't attach.

No apparently we never repaired that because DHCP and NETBT are both not turned on even in your first set of logs this time around.

 

OOPS.

Do you want me to run the zip file to repair the netbt that you sent me last time?

 

Not yet, first we need to run this registry file I've attached to this message. If successful, reboot. If not successful, don't reboot but let me know which error message you received.

Don't get it mixed up with the one that has LEGACY in its name.

 

Ok I got a info in .... has been successfully entered into the registry message. I rebooted the computer and I HAVE AN INTERNET CONNECTION!!!:-D

 

Fantastic

How is the computer running at this point? Let's get a new set of logs to see what has changed

http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

Seems to be running good.

 

Logs look good too.

Code:

Checking DHCP, AFD, NetBT, TCP/IP, IPsec Service States 

   Dynamic Host Control Protocol -DHCP-     is running  
   AFD Networking Support Environment -AFD- is running  
   NetBios over Tcpip -NetBT-               is running  
   TCP/IP Protocol Driver -TCP/IP-          is running  
   IPSEC driver  -Ipsec-                    is running  

__

If you are not having any other malware related problems, it is time to do our final steps:

• Any programs we had you download and/or install can be removed at this time.
• If we had you download and run ComboFix, here is how to uninstall it:
  • Press and hold the Windows key http://i1106.photobucket.com/albums/h363/debojyotidas/Windows_Logo_key.gif and then press the letter R on your keyboard.
  • This opens the Run dialog box.
  • Copy and paste the below text inside the text-field:
    • "%userprofile%\desktop\ComboFix" /uninstall
  • Now press ENTER
  • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
• You can re-enable your Disk Emulation software at this time via DeFogger.
• If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
• Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
• Now we will toggle System Restore to remove any infected system restore points.
  • Read this: How to Disable And Enable System Restore
• Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
• Be safe