My afd.sys was disabled while removing malware. Now I have no internet

I have followed the instructions to remove MalWare and have attached the logs.
My internet is still not working.

Thank you in advance for any help!

 

Hello cala1981,

http://img194.imageshack.us/img194/4930/combofix.gif Download and run ComboFix

• Refer back to How to use ComboFix and attach c:\ComboFix.txt when finished. (How to attach)

 

I have ran ComboFix several times and each time it sits at the "scanning for infected files" screen for quite a long time until it ultimately freezes the machine.

It does give me the message that it is "infected with RootKit zero acces" and then a message that "rootkit is detected". I click OK to both each time and then it continues to sit at the blue scanning screen.

I have ran it again and it is currently doing the same thing. Should I continue to try and run the program or is there something else I should try?

Thanks again in advance for the help.

 

FYI, I also get an error code when trying to turn off/on windows firewall.

Error code 0x80070424

Not sure if this is a separate issue or linked to this.

 

They are linked.

Let's try the below:

http://img196.imageshack.us/img196/3557/tdsskiller.gif I want you to read and follow these instructions: TDSSKiller - How to run


http://img684.imageshack.us/img684/6489/aswmbr.gif Please download aswMBR to your desktop.

• Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
• Select No when asked "Would you like to download latest Avast! virus definitions?"
• Click the [Scan] button.
• On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

• Save it to your desktop.
• Right mouse click on the OTL icon on your desktop and select Run as Administrator
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  activex
  netsvcs
  /md5start
  afd.sys
  i8042prt.sys
  netbt.sys
  nsiproxy.sys
  svchost.exe
  tcpip.sys
  tdx.sys
  /md5stop
  %windir%\$ntuninstallkb*. /120
  %windir%\system32\drivers\*.sys /lockedfiles
  %windir%\*.* /mp
  %windir%\*.* /rp
  %windir%\*.* /sl
  %systemdrive%\mgtools\*.*
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

 

Thanks Thisisu.

Attached are the logs from TDSSKiller, aswMBR and OTL. OTL also created a file calleed Extras.txt so I have attached that as well.

I appreciate all of your help.

 

Hi,

Please uninstall AVG 2012 before proceeding.

http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:

• AVG 2012

Then download and run avg_remover_stf_x86_2012_1796.exe

Let me know when you have done this.

 

Do not run the below until you have completed the above post.

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:processes[/COLOR]
killallprocesses
[COLOR="DarkRed"]:otl[/COLOR]
CHR - plugin: AVG Internet Security (Enabled) = C:\Users\Fred Calabrese\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\plugins/avgnpss.dll
CHR - Extension: AVG Safe Search = C:\Users\Fred Calabrese\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
[2012/02/20 13:47:10 | 000,000,000 | -H-D | C] -- C:\$AVG
[2012/03/13 17:34:58 | 000,000,000 | -HS- | C] () -- C:\Windows\System32\dds_trash_log.cmd
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
[COLOR="DarkRed"]:files[/COLOR]
C:\Windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
C:\Windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
del /a/f/q "C:\Users\Fred Calabrese\AppData\Local\Temp" /c
C:\Windows\Temp\mwrxjl
C:\Windows\Temp\wbikmf
C:\Windows\Temp\afrybb
del /a/f/q C:\Windows\Temp /c
C:\ProgramData\AVG2012
C:\Users\Fred Calabrese\AppData\Roaming\AVG2012
C:\Program Files\AVG
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys
c:\windows\system32\drivers\afd.sys|C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys /replace
xcopy /y C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e /c
call c:\MGtools\FixWFW.bat /c
[COLOR="DarkRed"]:commands[/COLOR]
[emptyjava]
[emptyflash]
[resethosts]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

Let me know how the system is running after you have completed these steps.

 

Attached are the 2 files.

Internet working like a charm!

You are my new hero.

What should I do with all of the downloaded Malware programs, should I re-install AVG or do you recommend a different AV program, and what settings need to be restored/changed back if any?

Thanks again. Does this forum take donations?

 

Great

I will get to this a bit later on. For now do not do anything other than what is requested. We still have some work to do e.g. restoring your Windows Firewall.

http://img194.imageshack.us/img194/4930/combofix.gif Attempt to run ComboFix using these directions:

• Download a new copy of ComboFix.exe to your desktop. Delete your old copy of ComboFix.exe.
• Press and hold the Windows key http://i1106.photobucket.com/albums/h363/debojyotidas/Windows_Logo_key.gif and then press the letter R on your keyboard.
• This opens the Run dialog box.
• Copy and paste the below text inside the text-field:
  • "%userprofile%\desktop\ComboFix" /killall
• Now press ENTER
• ComboFix should launch and try to scan. Let me know exactly what happens if it does not run successfully this time around.
• Attach C:\ComboFix.txt if it was successful. (How to attach)

 

And here I thought we were done.

Ran ComboFix and got these notifications:
You are infected with Rookit.ZeroAccess! It has inserted itself into the tcp/ip stack.

then ab 6 or 7 minutes later:
Rootkit is detected. Be patient this may take some moments.

its been sitting on the scan screen for about 40 minutes. Hasn't frozen, but isn't displaying the "Completed Stage #" as shown in the how to. It is just the initial message that it should take 10 minutes.

I'm leaving it and letting it do it's thing. How long should it be taking?

 

It is still sitting at that screen. Been over an hour. :confused

 

When you got that popup that said you are infected with rootkit ZeroAccess, did you press OK to the dialog box?
What about when you got the "Rootkit is detected" dialog box? Did you press OK to that too?

http://img443.imageshack.us/img443/6015/cftcpipstackzaccessv.png

If you have not pressed OK yet, please do so now.

If ComboFix still does not proceed, I will make another OTLfix for you that should address the remaining problems.

 

Yes, I press OK in each dialogue box. That's when it returns to the scanning screen.

 

Ok, exit out of ComboFix.

Let's run this first and then we will work on the Firewall.

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:otl[/COLOR]
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\IBM_LLC2.dll -- (camdrl)
[COLOR="DarkRed"]:services [/COLOR]
camdrl
[COLOR="DarkRed"]:files[/COLOR]
xcacls.exe C:\Windows\$NtUninstallKB61568$\4093510526 /p Administrators:f SYSTEM:f /y /c
xcacls.exe C:\Windows\$NtUninstallKB61568$ /p Administrators:f SYSTEM:f /y /c
fsutil reparsepoint delete C:\Windows\$NtUninstallKB61568$\4093510526 /c
fsutil reparsepoint delete C:\Windows\$NtUninstallKB61568$ /c
rd /s/q C:\Windows\$NtUninstallKB61568$\4093510526 /c
rd /s/q C:\Windows\$NtUninstallKB61568$ /c
[COLOR="DarkRed"]:commands[/COLOR]
[emptytemp]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

http://img850.imageshack.us/img850/4124/mbam.gif Update MBAM and run a Quick Scan
Attach the latest log from MBAM when finished. (How to attach)

http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

here is otl log. others to follow

 

1 more

 

last one

 

Nice! That took care of the remaining ZeroAccess traces. We are almost done

Onto repairing Windows Firewall:

• Open the following folder: c:\MGtools
• Look for the following registry file: FixW7FWdrv.reg
• Once you find it, double-click it. You will be asked if you want to merge the contents of the file into the registry, choose Yes. Let me know if it successfully merged or not.

 

this is the error message that was dusplayed:

cannot import. not all data successfully writren to the registry. some keys are open by the system or other processes.

 

Ok, complete the below:

http://img406.imageshack.us/img406/3189/windowsrepair.gif Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now open Repair_Windows.exe
• Go to Start Repairs tab.
• Choose "Custom Mode" and press "Start".
• Create a System Restore point if prompted.
• In the Custom Mode window, select the following repair options:
  • Reset Registry Permissions
  • Register System Files
  • Repair WMI
  • Repair Windows Firewall
  • Repair Windows Updates
  • Set Windows Services To Default Startup
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• If asked to reboot the computer for the changes to take affect, make sure other tasks in the program are not still running before accepting to restart.

http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

After running windows repair, i rebooted ans upon restarting, got this error message. Adobe distiller. Error 5. Unable to create temporary folder.

 

log attached

 

• Open the following folder: c:\MGtools
• Look for the following registry file: FixW7BFE.reg
• Once you find it, double-click it. You will be asked if you want to merge the contents of the file into the registry, choose Yes. Let me know if it successfully merged or not.

 

sucessfully meeged to the registry!

 

Same thing except with a different file this time:

• Open the following folder: c:\MGtools
• Look for the following registry file: FixW7FW.reg
• Once you find it, double-click it. You will be asked if you want to merge the contents of the file into the registry, choose Yes. Let me know if it successfully merged or not.

 

merged

 

Last one:

http://img205.imageshack.us/img205/4783/regeditb.gif Open Notepad and copy everything in the code box below into it.

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSDRV\0000\Control]
"ActiveService"="mpsdrv"

• File -> Save As -> Save as type: "All Files" -> File Name: fixme.reg > Save to the desktop.

Now merge this into the registry by double-clicking it.
Let me know if the merge was successful or not.

 

saying its not a registry script. can only import binary registry files

 

My mistake. I have edited what was in the code box in the above post. Refresh your browser and try again.

 

that worked

 

:cool

Now reboot your PC and verify if Windows Firewall is working or not.

Let me know if this still appears too.

 

firewall fixed!

adobe error still happened.

 

Great

http://www.vistax64.com/vista-security/96380-acrobat-distiller-error-acrobat-8-1-vista.html - I would read this.

You may also want to try Windows Repair Portable -> Reset File Permissions. (but only check this one).

You're welcome. No we do not accept donations. Tell your friends about MajorGeeks and/or like us on Facebook

This is all described below:

__

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!

Be safe

 

thank you again!

 

You're welcome

 

I use Dropbox at my office and it is not connected on this machine. It will not let me uninstall the program either.

Any thoughts?

 

Try to see if it will uninstall with Revo Uninstaller.

 

It is giving me an error code when I try to install Revo:

Error! Cant initialize plug-ins directory. Please try again later.

------------------

When I use Add/Remove Programs to uninstall Dropbox:

Error launching installer

------------------
When I use Add/Remove Programs to uninstall Malwarebytes:

Setup was unable to create the directory
"C:\Users\FREDCA~1\AppData\Local\Temp\is-8120E.tmp

 

Does the fact that my dropbox is no longer synced make sense?

 

I am not familiar with this software, it would be best to ask this question in the Software forum.

 

The problem is not linked only to Dropbox. The whole system is acting funny. When I try to print to pdf in Microsoft word, I am getting an error message as well.

Unable to create the temporary folder. Error 5. Access is denied.

 

I'm not sure why this would have started after Windows Repair.

Can you attach a new MGlogs.zip for review?

Something else you may want to try is creating another user account with administrative privileges and see if you are able to install/remove programs from there.

 

MGLogs attached!

 

I would give this a try: http://www.mydigitallife.info/how-to-take-ownership-and-gain-full-control-permissions-in-windows/