Internet is not working/ Bluescreen error

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by vitolob, Jan 3, 2012.

  1. vitolob

    vitolob Private E-2

    Hi. My laptop running Windows Vista Ultimate SP2 got infected with the rootkit Zero Access.
    Internet is not working, and when I log onto the administrator account or the limited account I created (the one I used the most, to prevent attackers from having administrator rights), the OS crashes with a blue screen error some minutes after loading Windows, usually 2 minutes after displaying the welcome window. That doesn't happen on the Guest account or when I
    start in safe mode.
    I have followed all the instructions from the READ & RUN ME FIRST Post. But I could only do them in safe mode because of the blue screen errors in Normal mode. Also RootRepeal found 2 errors, so I could not save the report:
    Attempt to write to address: 0x00000004
    Attempt to read to address: 0x00000004

    Here are the logs:
     
  2. vitolob

    vitolob Private E-2

    Also, I forgot to say: the bluescreen error says "irql not less or equal".
     
  3. thisisu

    thisisu Malware Consultant

    Please retry attaching the logs. (How to attach)
     
  4. vitolob

    vitolob Private E-2

    The files are now attached.

     

    Attached Files:

    Last edited: Jan 4, 2012
  5. thisisu

    thisisu Malware Consultant

    Try to run these from Safe Mode:
    BitDefender Uninstall Tool
    Kaspersky Remover

    And try to uninstall Microsoft Security Essentials

    Then see if you can boot into Normal Mode.

    If you cannot, then run the below CFScript from Safe Mode. You may need to reboot back into Safe Mode so that ComboFix can finish properly and produce a log. So be prepared to F8 back into Safe Mode after Stage 50 if needed.

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    Driver::
    asjvqnqz
    naqszcfk
    pbdrmovp
    0055d00b
    MpKsl0bc56120
    MpKsl3165a968
    MpKsl48827dab
    MpKsl6391fbd0
    MpKsl814868c3
    MpKsl87369b47
    MpKslb2d2580e
    MpKslb506e9c9
    MpKslc56be216
    MpKsldea826a6
    MpKslded25571
    MpKsle35ae3bd
    MpKslef6d7d4d
    FireFox::
    FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\9yw70iu0.default\
    FF - prefs.js: keyword.URL - hxxp://search.imesh.com/web?src=ffb&systemid=1&q=
    File::
    c:\windows\system32\drivers\asjvqnqz.sys
    c:\windows\system32\drivers\naqszcfk.sys
    c:\windows\system32\drivers\pbdrmovp.sys
    c:\windows\system32\drivers\avckf.sys
    c:\windows\system32\drivers\avchv.sys
    C:\Users\user\AppData\Local\{6B91F147-9665-489A-B49D-BC09CE312D59}
    C:\Users\user\AppData\Local\{A34B2D96-11D0-474E-89F4-A8DAF67AFA68}
    FileLook::
    c:\windows\system32\drivers\afd.sys
    Folder::
    c:\users\Machava\AppData\Local\0055d00b
    C:\Users\user\AppData\Local\{5DD863A0-2289-4869-B33A-DA42F866CCBA}
    C:\Users\user\AppData\Local\{CC6BEE4A-9ED7-4B9C-93B2-039A2DD8164E}
    C:\Users\user\AppData\Local\{D51C29CB-92CF-4A69-840A-E95D046C8877}
    C:\Users\user\AppData\Local\{E190BFD4-FE4A-484B-BD78-2EA7495CA24B}
    C:\Users\user\AppData\Local\{EC5CAAC8-7474-4388-B630-1DC056F774D4}
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0012\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0013\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0014\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0015\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0016\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0017\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0018\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0019\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0020\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    SecCenter::
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)
     
    Last edited: Jan 4, 2012
  6. vitolob

    vitolob Private E-2

    Hi. Sorry for taking too long to answer. Had some internet access problems.
    I followed your instructions and ran the removal tools, but couldn't uninstall Microsoft Security Essentials because the installer doesn't run in safe mode. I still can't boot into normal mode. I ran ComboFix again with that script you provided, but I'd like to mention there was no ComboFix.txt on my desktop as you stated, only on C:\.

    Here's my last combofix log:
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    Open Notepad and copy/paste the information in the code box below into it.
    Code:
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer" /VE /T REG_SZ /F /D "Service"
    net start msiserver
    Now File -> Save As -> All Files -> Name it: startmsi.bat
    Save it to your desktop or some place you can find it.
    Run this while you are in Safe Mode with Networking by right-mouse clicking it and selecting "Run as Administrator".

    Now attempt to uninstall MSE again from Safe Mode with Networking.
    Let me know if you were successful or not.

    I would also like you to run the following whether you were successful or not.

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)
     
  8. vitolob

    vitolob Private E-2

    Hi. I was not successful trying to uninstall Microsoft Security Essentials after running that file you told me to create. I don't know if that is what the file does, but I had already tried to manually enable the Windows Installer service, and MSS kept saying "can't install in safe mode".
    I ran OTL, I have the logs attached to this post. I'd like also to thank you for taking time to help me, I really appreciate what you guys do here in MajorGeeks.
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Did it say "Windows installer service is starting..."? Did you run it before you attempted to uninstall MSE? Doubting MSE is causing the issue at this point. Would have just liked to have gotten rid of it.

    Continue with the below:

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)


    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (IpInIp)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (gtstusbser)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (cpuz132)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (catchme)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (blbdrive)
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
    O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
    O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    [2011/12/30 05:50:41 | 000,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
    [2012/01/02 21:10:04 | 000,000,000 | ---- | M] () -- C:\Users\user\AppData\Local\{6B91F147-9665-489A-B49D-BC09CE312D59}
    [2011/12/30 05:36:49 | 000,054,911 | ---- | M] () -- C:\ProgramData\1325215930.4888.bin
    [2011/12/30 05:36:49 | 000,033,365 | ---- | M] () -- C:\ProgramData\1325215930.3416.bin
    [2011/12/30 05:36:49 | 000,006,810 | ---- | M] () -- C:\ProgramData\1325215930.1876.bin
    [2011/12/30 05:36:49 | 000,003,805 | ---- | M] () -- C:\ProgramData\1325215930.3832.bin
    [2011/12/30 05:23:59 | 000,000,000 | ---- | M] () -- C:\ProgramData\1325215434.4528.bin
    [2011/12/30 05:19:53 | 000,088,741 | ---- | M] () -- C:\ProgramData\1325215032.bdinstall.bin
    [2011/12/29 18:08:52 | 000,637,145 | ---- | M] () -- C:\ProgramData\1325174586.bdinstall.bin
    [2011/12/29 15:58:03 | 000,105,071 | ---- | M] () -- C:\ProgramData\1325128633.5104.bin
    [2011/12/29 15:58:00 | 000,830,075 | ---- | M] () -- C:\ProgramData\1325128633.4824.bin
    [2011/12/29 07:20:51 | 000,000,586 | ---- | M] () -- C:\ProgramData\1325128633.5244.bin
    [2011/12/29 07:20:35 | 000,033,539 | ---- | M] () -- C:\ProgramData\1325128633.5544.bin
    [2011/12/29 05:57:14 | 000,005,072 | ---- | M] () -- C:\ProgramData\1325128633.5096.bin
    [2011/12/29 05:57:14 | 000,001,670 | ---- | M] () -- C:\ProgramData\1325128633.4364.bin
    [2011/12/29 05:21:03 | 000,001,698 | ---- | M] () -- C:\ProgramData\1325128633.5488.bin
    [2011/12/29 05:17:43 | 000,004,351 | ---- | M] () -- C:\ProgramData\1325128633.5536.bin
    [2011/12/29 05:17:20 | 000,009,321 | ---- | M] () -- C:\ProgramData\1325128633.5400.bin
    [2011/12/29 05:06:49 | 000,157,072 | ---- | M] () -- C:\ProgramData\1325127773.bdinstall.bin
    [2011/12/29 05:02:52 | 000,029,660 | ---- | M] () -- C:\ProgramData\1325127772.bdinstall.bin
    [2011/12/28 05:52:56 | 001,229,722 | ---- | M] () -- C:\ProgramData\1325035635.bdinstall.bin
    [2012/01/03 05:06:26 | 000,000,000 | ---- | C] () -- C:\Users\user\AppData\Local\{A34B2D96-11D0-474E-89F4-A8DAF67AFA68}
    [2012/01/02 21:10:04 | 000,000,000 | ---- | C] () -- C:\Users\user\AppData\Local\{6B91F147-9665-489A-B49D-BC09CE312D59}
    :files
    C:\Windows\System32\drivers\afd.sys|C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys /replace
    xcopy %temp%\smtmp\1 "%programdata%\start menu" /s /i /h /y /c
    xcopy %temp%\smtmp\2 "%appdata%\microsoft\internet explorer\quick launch" /s /i /h /y /c
    xcopy %temp%\smtmp\3 "%appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
    xcopy %temp%\smtmp\4 "%programdata%\desktop" /s /i /h /y /c
    :commands
    [purity]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
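A small triage helper, added here as an example and not part of the thread or of any tool it mentions: it parses file-listing lines in the OTL format quoted above (constructed sample input, with invented timestamps and sizes, modelled on the entries the CFScript and OTL fix targeted) and flags the two patterns those fixes removed, randomly named drivers with no company string under system32\drivers and GUID-named items sitting directly under AppData\Local. The thresholds are heuristics for a human reviewer, not a verdict.

```python
import re
from typing import Optional

# Constructed sample lines in the OTL file-listing format
# "[date time | size | attrs | C-or-M] (company) -- path".
# Paths mirror entries from the thread; timestamps/sizes are invented.
SAMPLE_OTL_LINES = [
    r"[2012/01/02 21:10:04 | 000,000,000 | ---- | M] () -- C:\Users\user\AppData\Local\{6B91F147-9665-489A-B49D-BC09CE312D59}",
    r"[2011/12/30 05:50:41 | 000,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab",
    r"[2012/01/02 20:58:11 | 000,023,552 | ---- | M] () -- C:\Windows\System32\drivers\asjvqnqz.sys",
    r"[2012/01/02 20:58:11 | 000,023,552 | ---- | M] () -- C:\Windows\System32\drivers\naqszcfk.sys",
    r"[2009/04/11 06:32:50 | 000,273,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\afd.sys",
    r"[2011/12/30 05:36:49 | 000,054,911 | ---- | M] () -- C:\ProgramData\1325215930.4888.bin",
]

# One OTL listing line; the "(company)" field is optional (directory entries omit it).
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*\|\s*"
    r"(?P<size>[\d,]+)\s*\|\s*(?P<attrs>[-A-Z]{4})\s*\|\s*(?P<kind>[CM])\]\s*"
    r"(?:\((?P<company>[^)]*)\)\s*)?--\s*(?P<path>.+?)\s*$"
)
DRIVER_RE = re.compile(r"\\system32\\drivers\\([^\\]+)\.sys$", re.IGNORECASE)
GUID_DIR_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\Local\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$",
    re.IGNORECASE,
)


def parse_otl_line(line: str) -> Optional[dict]:
    """Return the fields of one OTL listing line, or None if it is not one."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))  # "000,023,552" -> 23552
    return entry


def looks_like_random_driver(entry: dict) -> bool:
    """Heuristic: a .sys under system32\\drivers whose stem is exactly eight
    lowercase letters and which carries no company/vendor string."""
    m = DRIVER_RE.search(entry["path"])
    if not m:
        return False
    stem = m.group(1)
    no_company = not entry["company"]  # None (no parens) or "" (empty parens)
    return no_company and len(stem) == 8 and stem.isalpha() and stem.islower()


def triage(lines) -> list:
    """Return (path, reason) pairs for entries matching either heuristic."""
    findings = []
    for line in lines:
        entry = parse_otl_line(line)
        if entry is None:
            continue
        if looks_like_random_driver(entry):
            findings.append((entry["path"], "random 8-letter driver name, no company string"))
        elif GUID_DIR_RE.search(entry["path"]):
            findings.append((entry["path"], "GUID-named item directly under AppData\\Local"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_OTL_LINES):
        print(f"{reason}: {path}")
```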
  10. vitolob

    vitolob Private E-2

    Hi. Internet is finally working again! :).
    I ran OTL and clicked OK to reboot. I logged on again in safe mode with networking, but Notepad didn't open. After 15 minutes of waiting I went to the folder you indicated and found the log, and then ran the batch file from MGTools. After finding both logs I tried to connect to the internet and it was working again. Then I restarted and booted in Normal mode and got no bluescreens, and the internet still works; even the fingerprint service is working again (before it would say "please wait..." so I had to use a password to log in). Many thanks.
    But I'd like to say Windows Firewall does not work.

    Here are the logs:
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant


    Yes I see the problem, continue on with the below:

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Reset Registry Permissions
      • Repair WMI
      • Remove Policies Set By Infections
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.

    Please download MiniRegTool.zip and unzip it.

    • Run the tool.
    • Copy and paste the following into the edit box:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSDRV\0000
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpsdrv

    • Check List Permissions radio button.
    • Press Go button and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.
     
  12. vitolob

    vitolob Private E-2

    Hi. I ran Windows Repair and MiniRegTool successfully. I forgot to tell you that when I first got the problem of the internet not working, System Restore would always fail to complete; I don't know if it's working now. Once again, thanks for taking time to help me.
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    Hi,

    Now run the c:\MGtools\FixWFW.bat by right-mouse clicking it, then selecting "Run As Administrator".
    This will only take a split second to run. Wait about 5 seconds and then reboot your PC.

    Once you have rebooted and are back into Windows -- test your Windows Firewall.

    Then run the below:

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach FSS.txt to your next message. (How to attach)
     
  14. vitolob

    vitolob Private E-2

    Hi. Windows Firewall service is working again.

    Here's the log from FSS:
     

    Attached Files:

    • FSS.txt
  15. thisisu

    thisisu Malware Consultant

    Great :)

    You are running a slightly older version of MGtools. Please complete the following directions:

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  16. vitolob

    vitolob Private E-2

    updated MGTools and ran again.

    Here's the log:
     

    Attached Files:

  17. thisisu

    thisisu Malware Consultant

    Please download and run the attached file: sysrestore.bat as Administrator (right-mouse click and select "Run as Administrator") from your desktop. (you have to extract it from the .zip file first)
    Then attach the log it creates (sysrestore.txt) to your next message. (How to attach)
     

    Attached Files:

  18. vitolob

    vitolob Private E-2

    Hi, here's the file as you requested.
     

    Attached Files:

  19. thisisu

    thisisu Malware Consultant

    Looks good. The dependencies of System Restore should be starting on their own now.

    The rest of your logs are clean. You can test out toggling System Restore at some point in step #9 below. However, I do not recommend that you actually use System Restore to restore your system to a prior date (since you are clean now).
    All we want you to do is flush/delete the old restore points (the possibly infected ones!)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
