No LAN connection after removing Virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mikepeluso, Dec 1, 2011.

  1. mikepeluso

    mikepeluso Private E-2

    Hi, I went on a website and got hit with AV Security 2012.
    Right away Microsoft Security Essentials ran and deleted some things.
    I then ran Malwarebytes and it deleted a few things.
    I restarted the pc and the Av Security pop ups were all gone but I can't get a LAN connection. It just keeps saying acquiring network address.
    TCP/IP and DHCP won't start and get error message
    Error 1075-The dependency service does not exist or has been marked for deletion. Also the IP address just shows as all zeros like this 0.00.00

    I can not get any connection of high speed or phone line and it even blocks the printer. My high speed is fine because I used it on Xbox and I am using it on this old junky computer from my garage right now.

    I also got some error message about
    .38.A.Exe
    Ivvm.exe

    A friend of mine came over and tried a bunch of commands but none worked. He then tried Combo-Fix and it corrected a couple things but nothing changed, except the 38.A.Exe and Ivvm.exe error messages never came back.

    I really need help because this is above my head.
    I was hoping member thisisu could help me because I read some posts where he solved some people's problems that were very similar to mine but I am thankful for anyone's help.


    Here are the Malwarebytes and Microsoft Security Essentials info of what was deleted.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

  3. mikepeluso

    mikepeluso Private E-2

    I hope the logs are right. I wasn't sure about the MGlog
     

    Attached Files:

  4. mikepeluso

    mikepeluso Private E-2

    If I did anything wrong just let me know.
    Thanks for the help
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Coupon Printer for Windows
    • J2SE Runtime Environment 5.0 Update 6
    • Java(TM) 6 Update 24
    • Spyware Doctor 8.0 <-- if you did not pay for this, uninstall
    • Viewpoint Media Player

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.

    Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:
    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4


    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DDS::
    uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
    uSearchAssistant = 687474703a2f2f7777772e676f6f676c652e636f6d2f
    mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
    DirLook::
    C:\Documents and Settings\Andrew\My Documents\New Folder
    C:\Documents and Settings\Andrew\My Documents\New Folder (2)
    C:\Documents and Settings\Andrew\My Documents\New Folder (3)
    C:\WINDOWS\system32\AI_RecycleBin
    Driver::
    nsak
    NDISKIO
    File::
    C:\Documents and Settings\Andrew\Local Settings\Application Data\2hP38sy7qD86M
    c:\documents and settings\Andrew\Start Menu\Programs\Startup\Advanced Registry Optimizer.lnk
    C:\Documents and Settings\Andrew\Local Settings\Temp\00001509.nmc\nse\bin\nsak.sys
    C:\Documents and Settings\Andrew\Local Settings\Temp\00001509.nmc\nse\bin\ndiskio.sys
    FileLook::
    C:\windows\system32\drivers\afd.sys
    Folder::
    c:\documents and settings\Andrew\Application Data\Y6ddWKK7fL9hT
    c:\documents and settings\Andrew\Application Data\yxxPP0ucS1ib3pG
    c:\program files\DB6A3
    c:\documents and settings\Andrew\Application Data\ZiibbF3pmG5aJ6E
    c:\documents and settings\Andrew\Application Data\FqqjjwwVrzNtxuv
    c:\documents and settings\Andrew\Application Data\HssWWK7fRLgTXjC
    c:\documents and settings\Andrew\Application Data\K99gTTZqjYCeIrz
    C:\Documents and Settings\Andrew\Local Settings\Application Data\Conduit
    C:\Documents and Settings\Andrew\Local Settings\Application Data\hkmxyjgoh
    C:\Documents and Settings\Andrew\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Toolbar\QuickComplete]
    @DACL=(02 0000)
    Registry::
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{813A7350-DC08-48FF-80D7-E89D8F405498}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    ========WARNING========
    The below is specifically for mikepeluso's computer
    Do NOT run the below if you are not mikepeluso
    Doing so may damage your PC!
    ========WARNING========

    Attached is afd.zip

    Inside is:
    • afd.reg
    • fixme+restart.bat

    Extract both files to the infected computer's desktop.

    First double-click afd.reg and allow it to merge into the registry. You should receive a successful message.

    Now reboot your PC.

    Once you have rebooted...

    Test your internet, If it still is not working, run the fixme+restart.bat file by double-clicking it.
    Your PC will reboot again. Once you are back in Windows, test your internet again.

    If it still does not work, attach the fixme_results.txt file the .bat file created.

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     

    Attached Files:

    • afd.zip
      File size:
      933 bytes
      Views:
      7
    Last edited: Dec 1, 2011
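
The Error 1075 text reported at the start of this thread is what the Service Control Manager returns when a name in a service's DependOnService list has no key of its own under Services. As an added example (not part of the original thread, and not the contents of afd.reg), this Python script walks that list in an exported .reg file and reports missing or disabled dependencies; the sample export, including the absent Afd key and the disabled NetBT entry, is constructed for illustration.

```python
import re

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed sample export (not taken from the thread's logs).
# Dhcp lists Tcpip, Afd and NetBT as dependencies; the Afd key is absent
# and NetBT is set to Start=4 (disabled) to exercise both findings.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,41,00,66,00,64,00,\
  00,00,4e,00,65,00,74,00,42,00,54,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Start"=dword:00000004
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
'''


def decode(raw):
    """Decode the value syntaxes this check needs from a .reg export."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):  # REG_MULTI_SZ: UTF-16LE strings, NUL separated
        data = bytes.fromhex(raw[7:].replace(",", ""))
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return raw.strip('"')


def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: decoded_value}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[([^-].*)\]", line)  # skip [-key] deletions
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
            continue
        value = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if value and current is not None:
            current[value.group(1).lower()] = decode(value.group(2))
    return keys


def find_broken_dependencies(reg, service, seen=None):
    """Walk DependOnService recursively; return (service, dependency, problem)."""
    seen = set() if seen is None else seen
    findings = []
    key = reg.get(f"{SERVICES}\\{service}".lower(), {})
    for dep in key.get("dependonservice", []):
        if dep.startswith("+") or dep.lower() in seen:
            continue  # '+' marks a load-order group, not a service name
        seen.add(dep.lower())
        dep_key = reg.get(f"{SERVICES}\\{dep}".lower())
        if dep_key is None:
            # No key for the dependency: matches the Error 1075 wording.
            findings.append((service, dep, "missing"))
            continue
        if dep_key.get("start") == 4:
            findings.append((service, dep, "disabled"))
        findings.extend(find_broken_dependencies(reg, dep, seen))
    return findings


if __name__ == "__main__":
    for svc, dep, problem in find_broken_dependencies(parse_reg(SAMPLE_REG), "Dhcp"):
        print(f"{svc} -> {dep}: {problem}")
```
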
  6. mikepeluso

    mikepeluso Private E-2

    hi, after I ran fixme+restart.bat the only thing that seemed to change was instead of it just saying acquiring network address it now says limited or no connectivity.
    Also under packets received it says 2 instead of it always saying 0 for sent and received.


    I believe I uninstalled everything. The spyware doctor gave me an error message so I did the manual uninstall.


    I had one question, because I have to go from pc to pc I have to plug in the ethernet cable of my connection back and forth and I wanted to verify does my internet connection have to be hooked up on the infected pc for all the things you have had me do and will do? The reason I ask is because I think on the last combo-fix I forgot to plug it in when I did it.
    If I did anything wrong just let me know.
    Thanks again for all your help
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    Only on the parts that I ask you to test the internet afterwards. ComboFix ran fine.

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DDS::
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    uSearchAssistant = 687474703a2f2f7777772e676f6f676c652e636f6d2f
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
    Driver::
    PCTCore
    pctDS
    pctEFA
    cxnsnkdf
    mgoiwnqp
    sdAuxService
    Browser Defender Update Service
    FireFox::
    FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\tkpfbstw.default\
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FCopy::
    c:\windows\system32\dllcache\ctfmon.exe | c:\windows\System32\ctfmon.exe
    File::
    c:\windows\system32\drivers\PCTCore.sys
    c:\windows\system32\drivers\pctDS.sys
    c:\windows\system32\drivers\pctEFA.sys
    c:\windows\system32\drivers\cxnsnkdf.sys
    c:\windows\system32\drivers\mgoiwnqp.sys
    Folder::
    c:\program files\Spyware Doctor
    C:\Documents and Settings\All Users\Start Menu\Programs\PC Tools Security
    c:\program files\Common Files\PC Tools
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Dhcp]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Dhcp]
    "Start"=dword:00000002
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Test your internet afterwards
     
  8. mikepeluso

    mikepeluso Private E-2

    I just tried to post an important update that just happened to me but the post doesn't appear and I think it said a moderator had to approve.
    I don't understand why that would be?
     
  9. mikepeluso

    mikepeluso Private E-2

    dropped CFScript.txt in to combofix and then around half way through it crashed to blue screen and now that's all I get after restarting.
    I am summing up what it says

    A problem detected and windows has been shut down
    Check for viruses or remove newly installed hard drives/controllers. Run CHKDSK /F to check for hard drive problems
    Technical info
    stop 0x0000007b( 0xba4c3524,0xc0000034,0x000000000,0x00000000)
     
  10. mikepeluso

    mikepeluso Private E-2

    Let me know if you need the full message and what you think I should do next.
     
  11. thisisu

    thisisu Malware Consultant

    It may have got caught in the spam filter.

    Can you confirm that Safe Mode, Safe Mode with Networking, Safe Mode with Command Prompt, Last Known Good Configuration all do not work? See >> Starting your computer in Safe mode

    See if you can get into one of these modes first. If you can't we can backtrack to before you used that particular CFScript.
     
  12. mikepeluso

    mikepeluso Private E-2

    I tried them all and none work all I get is that blue screen
     
  13. thisisu

    thisisu Malware Consultant

    Have you run a chkdsk yet? If not, follow these instructions.

    We need to make use of the Microsoft Windows Recovery Console that you already have installed.

    When booting up, choose: Microsoft Windows Recovery Console
    Read this for more information: How to use the Recovery Console command prompt
    When you are at the command prompt window, type in the following commands pressing ENTER after each one:
    • chkdsk c: /r
      Note: This will take a while as it goes through 5 stages.
    • exit

    Now retry booting into Windows.
    -----------------------------------------------------------------------

    If the above did not work, proceed with the below:

    We need to make use of the Microsoft Windows Recovery Console that you already have installed.

    When booting up, choose: Microsoft Windows Recovery Console
    Read this for more information: How to use the Recovery Console command prompt
    When you are at the command prompt window, type in the following commands pressing ENTER after each one:

    • cd erdnt\Hiv-backup
    • batch erdnt.con
      Note: The Erunt backups will begin copying.
    • exit

    Now retry booting into Windows.
     
  14. mikepeluso

    mikepeluso Private E-2

    ran earlier chkdsk/r it took like 3 hours, rebooted and still blue screen


    just ran next step and still blue screen but I just wanted to make sure I did it right.
    ran recovery console, selected windows

    The screen looked like this

    C:\Windows>cd erdnt\Hiv-backup
    C:\Windows\ERDNT\HIV-BACKUP>batch erdnt.con
    1 files (s) copied

    It said the above line 10 times

    Then I typed exit and rebooted
     
  15. thisisu

    thisisu Malware Consultant

    Yes you did it correctly.

    Let's try the below:

    Boot back into the Recovery Console and type in these commands pressing ENTER after each one:
    Let me know what output you received from each command please.

    • disable cxnsnkdf
    • disable mgoiwnqp
    • del c:\windows\system32\drivers\cxnsnkdf.sys
    • del c:\windows\system32\drivers\mgoiwnqp.sys
    • exit
     
  16. mikepeluso

    mikepeluso Private E-2

    The registry entry for the cxnsnkdf service was found
    The service currently has start_type SERVICE_SYSTEM_START
    The new start_type for the service has been set to SERVICE_DISABLED
    The computer must be restarted for the changes to take effect
    type exit to restart computer


    The registry entry for the mgoiwnqp service was found
    The service currently has start_type SERVICE_SYSTEM_START
    The new start_type for the service has been set to SERVICE_DISABLED
    The computer must be restarted for the changes to take effect
    type exit to restart computer



    when I put in the next command it said
    no matching files were found.
    That sounds like I entered it wrong. Here is what my screen looks like
    C:\Windows>
    Then do I enter
    del c:\windows\system32\drivers\cxnsnkdf.sys
    so it would look like this
    C:\Windows>del c:\windows\system32\drivers\cxnsnkdf.sys
     
  17. thisisu

    thisisu Malware Consultant

    You did it correctly. Have you tried typing exit and rebooting to see if you can get into Windows? We just disabled two malicious drivers but there may be more that could be the reason you're not able to get into Windows. I have a feeling ComboFix had some trouble deleting certain drivers so let's do the below.

    Remember you only have to do this if you still are not able to boot into Windows.

    Download OTLPENet.exe to your desktop
    Ensure that you have a blank CD in the drive
    Double click OTLPENet.exe and this will then open imgburn to burn the file to CD

    Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
    Please be patient while this loads.


    Your system should now display a Reatogo desktop.
    Double-click on the OTLPE icon.
    Select the Windows folder of the infected drive if it asks for a location
    When asked "Do you wish to load the remote registry", select Yes
    When asked "Do you wish to load remote user profile(s) for scanning", select Yes
    Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    OTL should now start.
    Drag and drop the scan.txt I've attached into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Press the http://img171.imageshack.us/img171/2405/runscanotl.png button to start the scan.
    When finished, the file will be saved in drive C:\OTL.txt
    Copy this file to your USB drive if you do not have internet connection on this system.
    Right click the file and select send to : select the USB drive.
    Confirm that it has copied to the USB drive by selecting it
    You can backup any files that you wish from this OS
    Attach the C:\OTL.txt file to your next reply. (How to attach)
     

    Attached Files:

    • scan.txt
      File size:
      984 bytes
      Views:
      5
    Last edited: Dec 3, 2011
  18. mikepeluso

    mikepeluso Private E-2

    I hit exit and rebooted and still blue screen.

    I don't have a burner drive in the old pc I am using now so I think the next step won't work if I need a burner drive.
     
  19. thisisu

    thisisu Malware Consultant

    Do you have a USB flash drive that you can use?
    If so, read these instructions on how to create OTLPE onto a bootable USB drive.
    Installing OTLPE on a Flashdrive


    If you do NOT have a USB flash drive, go back into Windows XP recovery console and type the following command, then type out the results here
    • listsvc
     
  20. mikepeluso

    mikepeluso Private E-2

    I am sorry about that, it has been so long since I used this pc I forgot it does have a cd burner. He just can't burn dvd.
    I will proceed with original plan.
    thanks again
     
  21. mikepeluso

    mikepeluso Private E-2

    Ok I ran everything and I think it all worked. I attached the scan and I also will attach a notepad that popped up when I first clicked on the OTLPE in the next post

    I also clicked on the firefox and I was able to get online.
    when I checked connections it at first said 0's on stuff but then it changed and said under details
    IP address 98.149.176.226
    DHCP Server 76.85.238.49
    they all have numbers not 0's

    It says limited or no connectivity
    under packets sent/received it says 2,000 on both
     

    Attached Files:

    • OTL.txt
      File size:
      327.1 KB
      Views:
      7
  22. mikepeluso

    mikepeluso Private E-2

    here is the other
     

    Attached Files:

  23. thisisu

    thisisu Malware Consultant

    While I make a complete fix, where did the other.txt log you attached come from? It looks like an OTL fix.

    Apparently some of the PC Tool stuff got stuck in the registry. I remember you saying you had some problems removing it in an earlier post of yours. Hopefully if OTL is able to remove them you will be able to boot again.
     
  24. mikepeluso

    mikepeluso Private E-2

    I know this sounds strange but when I first clicked the OTLE desktop icon, this notepad just popped up on the screen and then I did the step you said to do
     
  25. thisisu

    thisisu Malware Consultant

    It looks like the commands I used in the fixme+restart.bat. Weird.. You still are not able to boot into Normal Mode correct?
     
  26. mikepeluso

    mikepeluso Private E-2

    Yeah the PC tool would not let me uninstall. So I uninstalled manually.
    Would I have been better to just leave it on the pc rather than try to uninstall manually?
     
  27. mikepeluso

    mikepeluso Private E-2

    right, I still can't get on windows, I just get the blue screen
     
  28. thisisu

    thisisu Malware Consultant

    Ok attached is fix.txt

    I need you to boot back into OTLPE using the same settings as before, except this time you will be dropping fix.txt into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Once you have done this, click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    Part of the script is to reboot your computer. Allow the program to reboot but this time try to boot into Windows (do not boot off the CD again).

    Let me know if you were able to get into Normal Mode or not.

    From here we will continue working on your internet problem.
     

    Attached Files:

    • fix.txt
      File size:
      595 bytes
      Views:
      6
  29. mikepeluso

    mikepeluso Private E-2

    after I run the fix it says do you want to restart the computer now and I click yes and then nothing happens.

    How long should it take to restart?
    Do I need to remove the cd.
    Do I need to close anything or restart manually?
    thanks
     
  30. thisisu

    thisisu Malware Consultant

    How long have you been waiting since saying Yes to reboot?
     
  31. mikepeluso

    mikepeluso Private E-2

    like 20 min
     
  32. thisisu

    thisisu Malware Consultant

    It should have finished by now.

    Eject the CD and manually reboot
     
  33. mikepeluso

    mikepeluso Private E-2

    I manually restarted and still got the blue screen, I also tried safe mode and got blue screen still.


    Let me know if/when you want to go to bed or sign off because I don't want to keep you up all night. We can work on this tomorrow or the next day.

    Thanks
     
  34. thisisu

    thisisu Malware Consultant

    Try this fix (fix2.txt) that I've attached from OTLPE. Then click the Run Fix button as before.
     

    Attached Files:

    • fix2.txt
      File size:
      287 bytes
      Views:
      1
  35. mikepeluso

    mikepeluso Private E-2

    I just ran it and then restarted pc but still blue screen
     
  36. thisisu

    thisisu Malware Consultant

    By the way, did you uninstall MSE or was that still functioning when you were able to boot into Windows.

    Let's try to do this from the Recovery Console.

    Enter these commands:

    • disable sdCoreService
    • disable sdAuxService
    • disable Browser Defender Update Service
    • disable pctEFA
    • disable pctDS
    • disable PCTCore
    • disable WDICA
    • disable PDRELI
    • disable PDFRAME
    • disable PDCOMP
    • disable pctEFA
    • exit (reboot)

    --------------------------------------------------------------------
    If the above does not work, I've attached another fix script (fix3.txt) that you can try to run from OTLPE. It may take longer than 20 minutes to complete.
    --------------------------------------------------------------------
    If you still have problems, run another SCAN from OTLPE but this time change Services and Drivers to "All" and attach its latest log. There is no custom scan script for this one.
     

    Attached Files:

    • fix3.txt
      File size:
      592 bytes
      Views:
      2
    Last edited: Dec 5, 2011
  37. mikepeluso

    mikepeluso Private E-2

    Yes I believe I uninstalled MSE when you had me uninstall that list of other stuff earlier on.

    I ran the Recovery Console
    These worked and disabled:
    disable WDICA
    disable PDRELI
    disable PDFRAME
    disable PDCOMP

    These said, could not be located
    disable sdCoreService
    disable sdAuxService
    disable pctEFA
    disable pctDS
    disable PCTCore

    and this one gave me instructions for the disable command. I think that the spaces in it caused that. I tried it without the spaces and I think it said could not be located
    disable Browser Defender Update Service
     
  38. mikepeluso

    mikepeluso Private E-2

    I ran fix3.txt and rebooted, but still blue screen.
    I just wanted to throw in one thing, on the Fix3.txt fix, it only took like a minute or two. I just wanted to add that in case it meant anything because you had said it could take longer.
    I am running the other scan now
     
    Last edited: Dec 5, 2011
  39. mikepeluso

    mikepeluso Private E-2

    here is the scan
     

    Attached Files:

  40. mikepeluso

    mikepeluso Private E-2

    oh here was the log created right after fix3.txt ran
     

    Attached Files:

  41. thisisu

    thisisu Malware Consultant

    Ok thanks for the information.

    Here is another fix (fix4.txt) I'd like you to try running from OTLPE.

    Send me the fix log when it's finished and run another OTLPE scan whenever you get a chance. But this time we want a custom scan.

    Use the below script:

    Code:
    /md5start
    acpi.sys
    atapi.sys
    intelide.sys
    pciide.sys
    pciidex.sys
    /md5stop
    
     

    Attached Files:

  42. mikepeluso

    mikepeluso Private E-2

    ran fix4.txt, but still blue screen.
    I ran the custom scan and both logs are at bottom
     

    Attached Files:

  43. thisisu

    thisisu Malware Consultant

    Can you give me the full message. This latest log looks clean. Does it mention any specific file in the BSOD?

    Also describe to the best of your ability when the PC crashed. You said it was during the middle of ComboFix -- So around stage 25 the PC just bluescreened?

    Another thing, you have not gone into the BIOS at all have you? I need to know if you did anything other than what I asked.
     
  44. mikepeluso

    mikepeluso Private E-2

    A problem has been detected and windows has been shut down to prevent damage to your computer
    If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again follow these steps:
    Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configures terminated.
    Run CHKDSK /F to check for hard drive corruption, and then restart your computer.
    Technical information:
    Stop: 0x0000007B (0xBA4C3524, 0xC000034,0x00000000,0x00000000)


    I was running combo-fix and I was watching it early on and then I went in to the other room and when I came back a couple minutes later it had blue screened. To my guess it was around the middle. I wish now I would have watched every step, but I never thought this could happen.
     
  45. mikepeluso

    mikepeluso Private E-2

    I haven't done anything else or like in BIOS since I posted on this site.
    Before I posted on this site, with a friend we ran some recovery console commands and tried replacing some windows service pack 3 files. But the computer worked fine before and after that. We just couldn't get a LAN connection to work or get an IP address. So I don't think anything done before I talked to you could have caused this because I restarted the PC a lot and all programs worked fine after, except no LAN connection.
     
  46. thisisu

    thisisu Malware Consultant

    I am honestly not sure what is causing the BSOD now. The malicious drivers are gone as well as all the PC Tool and MSE drivers and services. I need more time to think about this.
     
  47. thisisu

    thisisu Malware Consultant

  48. mikepeluso

    mikepeluso Private E-2

    I have been trying all night to make the rescue cd but I am getting nowhere.
    I downloaded a free trial of Kaspersky Lab/internet security because it said that was the easiest way to do it and went through their tools process and it said completed putting it on usb. I then loaded it on to infected pc and at boot menu selected usb but all I get is a black screen that says GRUB4DOS and says hit TAB for commands, grub>

    I also tried the disc version and after it goes through 80% it says I need Image Mastering API v2.0 (IMAPIv2.0) update to complete.
    You must have Windows Server 2003 Service Pack 2 (SP2) installed to apply this update. Because I am using an old pc from my garage it has Windows XP HomeEdition Version 2002 service pack 3. So I guess that's a no go.
    Is there another program that I could download and that would put it on the cd easily?
    I found a list of these Nero Burning ROM, ISO Recorder, DeepBurner, Roxio Creator,
    but I don't want to waste my time loading them and then they say my old pc can't make the cd.
     
    Last edited: Dec 7, 2011
  49. mikepeluso

    mikepeluso Private E-2

    I don't think I am going to figure out how to create the Rescue disc. I downloaded the rescue disk file from kaspersky and saved it to desktop and then used burnaware to make boot iso and then burned it to cd and the pc couldn't read it. I sure wish it was as easy as the OTL burning to cd.
     
  50. thisisu

    thisisu Malware Consultant

    Try ImgBurn.

    It's free and that's what was used whenever you created the OTLPE CD.

    Here is the .iso file (kav_rescue_10.iso -- 210MB) you should be using: Download Link
     
