No internet access after Malware removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by unjdm, May 14, 2011.

  1. unjdm

    unjdm Private E-2

    Greetings:

    Thanks to all who help out in this place!

    I am working on a friend's laptop. She indicated that she had gotten a Windows popup window saying that she was infected and had clicked "ok", only to back out when Windows challenged her. Afterwards she indicated that she wasn't able to access the internet.

    Following your "READ & RUN ME FIRST Malware Removal Guide (incl. spyware, virus, trojan, hijacker)" sticky I've been able to seemingly recover the system (I'm able to get to Users to create an administrative account now, get to "system restore", etc.), though I didn't keep a specific record of each step of the process. Her McAfee has shown back up, but I can't seem to completely disable it to run ComboFix. I've killed all but the mcshield process through the Task Manager, but don't see any way to close/kill it.

    I was unable to remove Wild Tangent from the Add/Remove Programs list. Malwarebytes was unable to update due to no internet connectivity, but it found and removed a number of infections. I've also installed/run SUPERAntiSpyware, Security 360, CCleaner, ComboFix (with the McAfee warning due to its staying on), and Defogger.

    I went into networking help and they suggested that due to the insidious nature of malware/virus/trojans that possibly I had missed something and that I should come here.

    Any suggestions on next steps would be greatly appreciated.
     

    Attached Files:

  2. unjdm

    unjdm Private E-2

    I just uncovered my first Combofix log, but the system won't allow me to attach it. I'll rename log.txt and try again. Nope, it won't take. If you need it, let me know.
     
    Last edited: May 14, 2011
  3. unjdm

    unjdm Private E-2

    additional combofix log files
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You need to attach the requested logs from SUPERAntiSpyware and Malwarebytes.

    We did not ask you to install IObit 360 and you should only be doing what we ask and nothing else. Uninstall this program.

    Your networking issue may not be due to malware. Your logs show no signs of any network interface cards, neither wired nor wireless. There is one startup process showing that was there to load a process for a Broadcom wireless card, but no wireless interface shows in the logs. You will have to look in Device Manager for Network Adapters and see if any show, and possibly reinstall them.

    Also note, you need to put ComboFix.exe on the Desktop, not in the below location:
    f:\malware detection programs\ComboFix-32bitONLY.exe
     
    Last edited: May 14, 2011
  5. unjdm

    unjdm Private E-2

    Thanks for responding. Some of the things that I had tried (such as IObit 360, the latest Stinger, Ad-Aware, etc.) came before I found your website or instructions. If they found nothing, like the IObit program did, then they've already been removed. The other programs didn't install, they just ran from the USB drive or from the desktop. I ran ComboFix twice: once from the desktop, once from the USB drive. I'll rerun from the desktop one last time and will forward that file to you. The laptop overheated while running the SUPERAntiSpyware program and I neglected to go back and rerun it. Thanks for pointing out that the log was missing. I have attached the log file showing tracking cookies and rootkit and trojan agents. I did allow it to make corrections to the problems and rebooted.

    As info: Once the system came back to some semblance of normal, I was finally able to uninstall the Tangent set of programs successfully.

    This system has both an ethernet card (Broadcom 440x 10/100 integrated controller) and Dell wireless adapter (1370 WLAN mini-pci card) that were working before the infection. In looking in the device manager, they both are shown as "working properly." I have re-downloaded the drivers from Dell, but will wait until I hear from you before I re-install.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm still not convinced that your inability to connect to the internet is due to malware. But let's clean up a few things and also run another scan.

    Now run TDSSKiller as instructed in the below link:

    TDSSkiller - How to run


    If it finds any problems, make sure that you reboot before continuing with the below.



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
    O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
    O3 - Toolbar: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

    After clicking Fix, exit HJT.

    Now run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    Uninstall the below software:
    Java 2 Runtime Environment, SE v1.4.2_03
    Viewpoint Media Player <-- should have been uninstalled in step 5 of the READ ME



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below.
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
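    An added example, not from this thread and not part of HijackThis or MGtools: a small Python parser for HJT-style log lines of the kind listed above. It splits each entry into section (O2, O3, O4, O9, O18), kind, name, CLSID and target, flags the "(no file)" orphans (registry references to binaries no longer on disk, which is why those lines are cleanup candidates rather than live threats), and extracts the on-disk path of the live ones so it can be checked. The sample log is constructed from the seven lines in the post plus two header lines; the section-name table is my own summary.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# HijackThis (HJT) entries look like
#   O<n> - <Kind>: <Name> - {CLSID} - <path or "(no file)">
# for COM-based hooks (O2 BHO, O3 toolbar, O9 IE button/menu item, O18 protocol), and
#   O4 - <Hive>\..\Run: [ValueName] "<path>" <args>
# for autostart entries.  The O-number says which persistence point the entry lives in;
# "(no file)" means the registry still references a binary that is gone from disk.
ENTRY_RE = re.compile(r"^(?P<section>O\d+)\s+-\s+(?P<kind>[^:]+):\s+(?P<rest>.*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Hypothetical summary table (my own labels, not HJT's wording).
SECTION_NAMES = {
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "Autostart (Run key)",
    "O9": "IE extra button / Tools menu item",
    "O18": "Protocol handler",
}

# Constructed sample: the seven lines from the post plus two non-entry header lines.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O3 - Toolbar: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
"""


@dataclass
class HjtEntry:
    section: str
    kind: str
    name: str
    clsid: Optional[str]
    target: str
    raw: str

    @property
    def orphaned(self) -> bool:
        """True when the registry entry points at a file that no longer exists."""
        return self.target.strip().lower() == "(no file)"

    @property
    def target_path(self) -> Optional[str]:
        """On-disk path the entry loads, with surrounding quotes and arguments stripped."""
        if self.orphaned:
            return None
        t = self.target.strip()
        if t.startswith('"'):
            end = t.find('"', 1)
            return t[1:end] if end > 0 else t.strip('"')
        return t


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT log line; returns None for headers and other non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.group("section"), m.group("kind"), m.group("rest")
    if rest.startswith("["):  # O4 style: [ValueName] "command line" args
        close = rest.find("]")
        return HjtEntry(section, kind, rest[1:close], None, rest[close + 1:].strip(), line.strip())
    parts = [p.strip() for p in rest.split(" - ")]
    clsid = next((p for p in parts[1:] if CLSID_RE.match(p)), None)
    target = parts[-1] if len(parts) > 1 else ""
    return HjtEntry(section, kind, parts[0], clsid, target, line.strip())


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def orphaned_entries(text: str) -> List[str]:
    """Raw lines whose target is "(no file)": dead references, safe to remove."""
    return [e.raw for e in parse_log(text) if e.orphaned]


def by_section(text: str) -> Dict[str, int]:
    """Count entries per HJT section so you can see which persistence points are in play."""
    counts: Dict[str, int] = {}
    for e in parse_log(text):
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        label = SECTION_NAMES.get(e.section, e.section)
        state = "ORPHANED" if e.orphaned else f"loads {e.target_path}"
        print(f"{e.section:<4} {label:<35} {e.name:<18} {state}")
    print("per section:", by_section(SAMPLE_LOG))
```

    Run against the real C:\MGtools\analyse.exe output, the "loads ..." paths are the ones worth confirming on disk (os.path.exists) and checking with the publisher's signature; the ORPHANED lines carry no code at all and are the ones the helper above asks to have fixed in HJT.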
     
  7. unjdm

    unjdm Private E-2

    Chaslang:

    I'll work on this tonight when I get home from work. In the meantime: After the last scans by MB and SAS came out pristine and while waiting on your last note I applied the Dell drivers to both the Broadcom and Dell/Intel cards and my internet access was reestablished.

    What you do is a thankless job... and I wanted to let you know that I am grateful for your guidance in re-establishing this machine to an absolutely clean state!

    Thank you!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Excellent. That is what I expected. ;)

    You should still finish my instructions anyway since those items do need to be performed anyway.
     
