Can't acquire internet address after ZeroAccess removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by 84hobart30, Mar 12, 2012.

  1. 84hobart30

    84hobart30 Private E-2

    I am working on a Toshiba laptop from which my brother has already removed the ZeroAccess rootkit using ComboFix. Now we are trying to get the internet to work and the connection just says "acquiring internet access" or something close to that.

    I have found several threads, I guess you call them, talking about the same problem and am wondering if I can use one of these procedures or whether I should run one of the log programs and post a thread. I have never used this thread thing so I am a bit bewildered.

    I am going to look at the tutorial videos but wanted to know if each case is different, seeing that different hardware is involved.

    When I start going into the registry I get kind of nervous.
    Last night I went through one or two of them and the rascal still isn't working.

    Any Help would be much appreciated.

    Thanks MarkS

    I hope I can get back here to find a reply.
     
  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, MarkS!

    Each case is slightly different. It is not advised to run fixes that were intended for someone else.

    Please go through this thread so we can help you with YOUR computer: READ & RUN ME FIRST Malware Removal Guide
     
  3. 84hobart30

    84hobart30 Private E-2

    Hi MajorGeeks Support Forums,
    Thank you for the reply. I have done the following:

    Please go through this thread so we can help you with YOUR computer: READ & RUN ME FIRST Malware Removal Guide
    (http://forums.majorgeeks.com/showthread.php?t=35407)
    ***************
    logs are attached,
    any help will be very much appreciated, thanks Mark
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Hi Mark,

    Please also attach the requested logs from:

    • MBAM
    • RootRepeal

    Are you still having trouble connecting to the internet? Your logs show that you have full internet connectivity on both your wired and wireless connection. Let me know after you attach the logs requested.

    Thanks
     
    Last edited: Mar 17, 2012
  5. 84hobart30

    84hobart30 Private E-2

    :) Hi thisisu,
    attached are the logs requested. I also have attached a couple of pics.
    The 1st one is the screen I was getting when running MBAM. Now that the internet connection is working I was able to update the database. I ran MBAM this morning and it went well. I have attached the MBAM log file.

    Yesterday I tried the manual steps to fix the corrupt database but it didn't seem to work, because this morning I couldn't find a log, so I ran it again and updated when it asked me. I am disappointed in myself that I didn't catch this yesterday. I guess I was confused and thought the MGlog was the MBAM one. Sorry.

    Also I have attached another pic of the instructions, and I don't see a step on running RootRepeal. I see the download and did download it but didn't run it, I guess. I ran it this morning and have attached the log. Did I miss the step to run it in the instructions?

    Yes, we can connect to the internet now. We didn't even bother to check on it, but when my brother Hobart got home he noticed, to our surprise, that somewhere along the way the connection was restored. The only thing we did that I can tell might have done something was that we manually restored the Windows Monitor screen. Somewhere in the process we were told to do that if it was not found. I was going to send a message telling you that the connection was working, but we thought it best to have you look at things to make sure everything is okay. I was going to do that today but you beat me to the punch.

    This has been a kind of fun experience, seeing positive results. I am tainted when it comes to computer troubleshooting. I normally get to the desired outcome with much distress and wasted time. I have always dreaded trying to do something like this because of the time it takes.

    I have to commend you guys on your website and instructions. Very clearly done. The only thing that could be a problem is cockpit error on my side.

    Thanks and have a blessed day Mark and Hobart.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    Hello Mark and Hobart,

    I highlighted it in red from the attachment you provided:

    http://img718.imageshack.us/img718/2271/60708325.png

    __

    Here are the additional steps I'd like you to go through before I can declare your system clean.

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    Collect::
    c:\windows\winstart.bat
    DirLook::
    C:\Documents and Settings\HERB\Local Settings\Application Data\www.terrasofta.com
    Folder::
    c:\documents and settings\HERB\Local Settings\Application Data\70d34b54
    RegNull::
    [HKEY_USERS\S-1-5-21-823518204-1060284298-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}]
    Suspect::
    C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
    C:\TDBIDXL.DAT
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now install the current version of Sun Java from: jre-7u3-windows-i586.exe

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed these steps.
     
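    A post-run check for the ComboFix script above, added here as an example; it is not ComboFix's code and was not part of the original post. It reads the CFScript format as it appears in that script (a directive line ends in `::`, the lines after it are its operands, and a `[-HKEY...]` line under `Registry::` is a key to delete) and then reports which of the targeted artifacts are still present. Treating `Folder::`, `Suspect::` and `Registry::` operands as things that must be gone afterwards is an assumption; `Collect::` and `DirLook::` only gather information, and `RegNull::` keys (names with embedded NULs that the ordinary registry API cannot open) are skipped. The file and registry probes default to the live system and need Windows, but can be swapped out.

```python
"""Verify that the artifacts a ComboFix CFScript targeted are gone.

Added example, not ComboFix's own code.  Parsing rules are inferred from
the script visible in the thread; which sections count as "must be absent
afterwards" is an assumption made here.
"""
import os
import re

# Directives whose operands name things ComboFix should have removed
# (assumption: Collect::/DirLook:: are informational and are not checked).
REMOVAL_FILE_SECTIONS = ("Folder", "Suspect")
REMOVAL_KEY_SECTIONS = ("Registry",)

# The CFScript posted in this thread, embedded as sample input.
SAMPLE_SCRIPT = r"""
KillAll::
ClearJavaCache::
Collect::
c:\windows\winstart.bat
DirLook::
C:\Documents and Settings\HERB\Local Settings\Application Data\www.terrasofta.com
Folder::
c:\documents and settings\HERB\Local Settings\Application Data\70d34b54
RegNull::
[HKEY_USERS\S-1-5-21-823518204-1060284298-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}]
Suspect::
C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
C:\TDBIDXL.DAT
"""


def parse_cfscript(text):
    """Split a CFScript into {directive: [operand lines]}; blank lines are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z]+)::", line)
        if m:                      # a new "Directive::" header
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:  # an operand of the current directive
            sections[current].append(line)
    return sections


def expected_absent(sections):
    """Return (paths, registry_keys) that the script told ComboFix to remove."""
    paths = []
    for name in REMOVAL_FILE_SECTIONS:
        paths.extend(sections.get(name, []))
    keys = []
    for name in REMOVAL_KEY_SECTIONS:
        for entry in sections.get(name, []):
            m = re.fullmatch(r"\[-(.+)\]", entry)  # "[-key]" means delete key
            if m:
                keys.append(m.group(1))
    return paths, keys


def registry_key_exists(path):
    """True if the key exists.  Windows only (winreg).  An unreadable key
    still exists, so access-denied counts as present.  Caveat: a 32-bit
    Python on 64-bit Windows sees the WOW6432Node view of HKLM\\Software."""
    try:
        import winreg
    except ImportError:
        raise RuntimeError("registry checks require Windows")
    hive_name, _, subkey = path.partition("\\")
    hive = getattr(winreg, hive_name)  # e.g. winreg.HKEY_LOCAL_MACHINE
    try:
        winreg.CloseKey(winreg.OpenKey(hive, subkey))
    except FileNotFoundError:
        return False
    except PermissionError:
        return True
    return True


def verify_cleanup(script_text, file_exists=os.path.exists,
                   key_exists=registry_key_exists):
    """Return the targeted artifacts that still exist; [] means all are gone."""
    paths, keys = expected_absent(parse_cfscript(script_text))
    leftovers = [p for p in paths if file_exists(p)]
    leftovers += [k for k in keys if key_exists(k)]
    return leftovers


if __name__ == "__main__":
    left = verify_cleanup(SAMPLE_SCRIPT)
    print("all targeted items gone" if not left
          else "still present:\n" + "\n".join(left))
```

    Run it on the cleaned machine after ComboFix has finished; anything it lists is a reason to post again rather than declare the system clean. Because the probes are parameters, the parsing and reporting can be exercised on any machine with stand-in probes.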
  7. 84hobart30

    84hobart30 Private E-2

    thisisu
    Super Malware Fighter!

    Thank you for the prompt response, good day! :-D
    Your instructions couldn't be clearer! Don't know why I couldn't see the "run RootRepeal" step when it was right in front of me!

    We did the suggested steps and have attached the logs.

    The computer is running great so far. We were able to do everything from it, seeing that the internet works now.

    Assuming everything is hunky-dory now and we don't go to suspect websites, what should we have running for protection in the future?

    Hobart has been using something called ESET32 or NOD32 or something that is a virus checker, I guess.

    I personally am using the Norton security suite on my machine. What's all this nonsense about a spyware checker and malware checker and firewall checker? It seems like the list goes on and on. I tried to help one of my paranoid friends out and he had about a dozen screens popping up about check this or that. I told him he doesn't need all that stuff. Am I right?

    Will just one anti-virus checker like Norton and the firewall Windows provides be enough? I am very confused on this subject so any help would be very much appreciated...

    Thanks for all your help, Mark and Hobart. :-D
     
  8. 84hobart30

    84hobart30 Private E-2

    :cry: I forgot the attachments!!!....
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Hi Mark and Hobart,

    These logs look good but I noticed in the TDSSKiller log you did not follow all the instructions.

    Please re-read and follow these instructions: TDSSKiller - How to run

    Remember to include "Verify Driver Digital Signature" and "Detect TDLFS file system" before scanning.

    I will address your other concerns after you have done this :)
     
  10. 84hobart30

    84hobart30 Private E-2

    Sorry about the screw-up. This time I can blame brother Hobart. He was at the stick when KILLER was run.

    This attachment should be better.
    Thanks Mark
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    Try again :)
     
  12. 84hobart30

    84hobart30 Private E-2

    try this please
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    Good job :)
    All clean
    The questions you asked earlier should be addressed in the below steps/links
    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  14. 84hobart30

    84hobart30 Private E-2

    Okay Thanks a bunch! God bless all you fellas!
     
  15. thisisu

    thisisu Malware Consultant

    You're welcome :)
     
  16. 84hobart30

    84hobart30 Private E-2

    Hello, This is Hobart(Herb),

    Thank you so much for getting my Toshiba laptop working again.
    My brother Mark executed most of the commands you told us to do because he is more skilled at computers than I am.

    He told me it is ready to go, but when I read the directions you sent to finish the process, you stated that if we downloaded ComboFix to the desktop, uninstalling it the way you said would reset to Microsoft defaults.

    I think I originally downloaded ComboFix to a downloaded-programs folder, then Mark sent a shortcut to the desktop.

    Then I think Mark downloaded it again to the desktop later in the process.
    He did follow your instructions to uninstall it from the desktop, so hopefully all those defaults are set correctly.

    If by chance there is still a copy in the downloaded-programs folder, can we just delete it?

    Hobart
     
  17. thisisu

    thisisu Malware Consultant

    Hi Herb,

    Yes, you can.
     
  18. 84hobart30

    84hobart30 Private E-2

    Thank you so much for all your expertise given to help me out of this mess I got myself into by looking at the wrong kind of sites on the internet.

    You are a blessing from the Lord.

    God bless you in your efforts to help others, too.

    Herb
     
  19. 84hobart30

    84hobart30 Private E-2

    The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don’t want to see you doing that.

    Thisisu,
    In light of the above statement from your site's How to Protect Yourself from Malware, and Cleaning a Compromised System, is it safe to say that my Toshiba laptop computer is safe to use again for sensitive bank downloads and other things where?
    Thank you again,
    Herb (hobart)
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually that is not a statement from the How to protect yourself... thread. It is a quote from the link given to a Microsoft thread which in reality is overly negative and bordering on paranoid.

    While it is true that you can never be 100% sure a PC is clean after it has been infected, in most cases, after a full cleaning performed by experts (like here in this forum and others), a PC is likely clean and safe to use. You just cannot guarantee it. However, let's take the information in that link a few steps further than what was mentioned. It would also be just as true to say NO PC IS EVER SAFE once it has been connected to the internet at all. Or also that it is no longer safe once you have plugged in any removable media (like flash drives that were used elsewhere). And hence it is not 100% safe to ever use a PC to do any online banking or other financial transactions of any form.

    But this would be taking things to an even higher form of paranoia and if everyone were to really believe this and worry about it, Microsoft and PC vendors would soon be out of business. Thus perhaps that link of Microsoft's has gone a bit too far. I originally added it to make people aware of the importance of keeping a PC updated to avoid security problems, but perhaps it is time to remove it since on one hand it is too paranoid but on the other, it is not paranoid enough. ;)

    So in short, the PC is likely alright, but you must keep it properly updated and protected, and all users of PCs must be vigilant and proactive in their own safety and security. If you are going to use a PC for online financial transactions, frequent checks should be made to be sure the information is safe. And don't let kids use this same PC to do any surfing or playing of online games. In fact, don't let kids ever log in to this PC. Not even once!!!!
     
