restoring files after removing rootkit

If you want us to check your system for malware, please do the following:

READ & RUN ME FIRST. Malware Removal Guide

 

Please go here and follow the fix:

http://blog.malwarebytes.org/news/2013/05/malwarebytes-anti-rootkit-beta-1-06/

 

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Attach the new C:\MGLogs.zip

 

1. Go to Start ==> Run (or Windows key+R)
   
   • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
     (note that there is space after notepad)
   • The above file will open in the notepad.
   • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
   • Edit 0xA0 and replace it with 0x80 (replace A with 8)
   • Under File menu click Save and close the notepad.
   
   
2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
   
   • On the General tab, click Install a popup window opens.
   • Select Protocol from the list and then click Add.
   • A new window opens, click Have Disk....
   • In the browse... box type c:\windows\inf
     
   • Click OK.
   • Select Internet Protocol (TCP/IP), and then click OK.
   • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
   • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
   
   
3. Go to Start ==> Run (or Windows key+R)
   
   • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
     (note that there is space after notepad)
   • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
   • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
   • Under File menu click Save and close the notepad.
   
   
4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
   
   • On the General tab, click Install
   • A popup window opens. Select Protocol.
   • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
   • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
   
   
   Now click on the attachment for AFD.zip and install it.
   
   ADF.zip
   
5. Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).
6. 
   Then attach the below logs:
   
   • C:\MGlogs.zip
   
   

 

Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
• Now select the Start Repairs tab.
• The click the Start button.
• Create a System Restore point if prompted.
• On the next screen, click the Unselect All button to first deselect all repairs.
• Now select the following repair options:
  
  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair WMI
  • Repair Windows Firewall
  • Remove Policies Set By Infections
  • Repair Winsock & DNS Cache
  • Repair Proxy Settings
  • Repair Windows Updates
  • Set Windows Services To Default Startup
  
  
• Now on the lower right side check the box to Restart/Shutdown System When Finished
• Then make sure the Restart System radio button is enabled.
• Shutdown any other programs that you are running now before continuing.
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• It should reboot automatically when finished.

 

@TimW, C:\windows\System32\drivers\afd.sys is missing and needs to be replaced. See the backups showing in nwktst.txt

Also the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT registry key does not seem correct per what is in netinfo.txt . You should restore this key.

 

Please download ComboFix to your desktop. Turn off any AV software you have before you run it. Do not run it.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

ClearJavaCache::
KILLALL::
FCopy::
C:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys|C:\windows\System32\drivers

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Note: If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

Now download this file to your desktop and double click it. Let it merge with the registry:

NetBT.reg

Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Attach the new C:\MGLogs.zip.

Tell me how things are running.

 

Please run the below anti-rootkit tool from Malwarebytes.

http://blog.malwarebytes.org/news/2013/05/malwarebytes-anti-rootkit-beta-1-06/

Attach a log from the above.

After seeing this log, we will create a new fix.

 

Uninstall >> Ask Toolbar

We will run another fix with ComboFix.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Okay now the afd.sys file has been replace and the AFD service is running. The DHCP service is still disable as are many other servcies because you are using MSConfig to stop many things.

Now you need to run MSconfig and put your PC into normal startup mode. Then reboot you PC. After reboot you will need to do the below again.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs: ​

• C:\MGlogs.zip

 

Please download each of the registry patch by whatever method you are currently downloading files:

Win7DHCP

After downloading the file, copy it to the DESKTOP folder on the problem PC.
Then right click on the file and select Merge. Say yes to any prompts about allowing these to be added to your registry. Tell me if you have any problems. Also be sure to tell me if it was successful. If it was not successful, stop here and tell. Only continue with the below if the Merge was successful.

Then reboot your PC

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). ​

Then attach the below logs: ​

• C:\MGlogs.zip

 

Try it now. There was a filename difference on the server.

 

No! It led you to a file named Dhcp.reg that you just needed to save not open. However since you have managed to save it anyway and it did merge, I can see that this fixed your DHCP service which was not running.

Have you rebooted your PC and can you get network access now? All of the services related to this that were previously broken, are now running.

 

Please download each of the below registry patches by whatever method you are currently downloading files:

Win7AFD

Win7LegAFD

Win7BITS

Win7BROWSER

Win7LegBowser

Win7HTTP

Win7LegHTTP


After downloading file, copy each one to the DESKTOP folder on the problem PC.
Then one at a time right click on each file and select Merge. Say yes to any prompts about allowing these to be added to your registry. Tell me if you have any problems and for which ones. Also be sure to tell me which say that they were successful.

Then reboot your PC.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs: ​

• C:\MGlogs.zip

Question: Is your copy of Windows for a non-English version? I'm wondering why I see so many non-printable charactersin your logs.

 

Yes it does for some things.

Again as I said previously, they do lead to files. You can see this by just holding the mouse cursor over the link without clicking. It shows the file path. The problem is in which browser you are using ( which are you using? IE10 ?) Or how you have it setup or how you are using it. You need to select Save or Save As not Open and not Run.

This happens a lot with Legacy Registry keys as they are protected in normal instances. It does not appear that the merging of all the registry keys had the desired effect. The services I was trying to fix did not change. For one example, the HTTP service is still not running as is the case for quite a few others.

Let's try a few things before we have to suggest resorting to a reinstall to fix Window.

You should still have Windows Repair the TimW had you run previously. I want to run it again but differently.

First reboot your PC into safe boot mode.

• Now run Repair_Windows.exe by using right click and select Run As Administrator
• Now select the Start Repairs tab.
• The click the Start button.
• Create a System Restore point if prompted.
• On the next screen, click the Unselect All button to first deselect all repairs.
• Now select the following repair options:
  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair WMI
  • Remove Policies Set By Infections
  • Repair Windows Updates
  • Set Windows Services To Default Startup
• Now on the lower right side check the box to Restart/Shutdown System When Finished
• Then make sure the Restart System radio button is enabled.
• Shutdown any other programs that you are running now before continuing.
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• It should reboot automatically when finished. If it does not reboot, reboot it yourself back into normal mode to continue with the below.

Please download OTL by OldTimer.

• Save it to your desktop.
• Right mouse click on the OTL icon on your desktop and select Run as Administrator
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  activex
  netsvcs
  drives
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

I want to get the results from the above before moving on with my next steps. The above will not necessarily have correct your problems.

 

I'm not sure that we are going to be able to fix this. There appears to be too much damage to a large number of Windows System services and/or files. However let's give the below a try.

Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.

• Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

:OTL
IE - HKU\S-1-5-21-1915086945-3399148273-3522386295-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=18776
IE - HKU\S-1-5-21-1915086945-3399148273-3522386295-1001\..\SearchScopes\{2D2153A0-262B-4C6C-A0C6-2529E4BB7019}: "URL" = http://search.naver.com/search.naver?where=nexearch&sm=osd&ie={inputEncoding}&query={searchTerms}
IE - HKU\S-1-5-21-1915086945-3399148273-3522386295-1001\..\SearchScopes\{8AEC7299-5E33-4A36-A1BF-9BFAB68D488F}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=^U3&apn_dtid=^OSJ000^YY^CA&apn_uid=064632B8-EB8D-4ED5-B70C-DE7359D602D0&apn_sauid=E3FD5A34-E4D9-4AED-8DBF-A5DDC1D976B2
CHR - Extension: Ask Toolbar = C:\Users\김기대\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Ask Toolbar = C:\Users\김기대\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: Ask Toolbar = C:\Users\김기대\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji\1.3.0_0\
CHR - Extension: Ask Toolbar = C:\Users\김기대\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjdepfkicdcciagbigfcmdhknnoaaegf\1.1_0\
CHR - Extension: Ask Toolbar = C:\Users\김기대\AppData\Local\Google\Chrome\User Data\Default\Extensions\mokpohfbhdeohjajejejgppfhmmkdfgg\1.0_0\
CHR - Extension: Ask Toolbar = C:\Users\김기대\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1915086945-3399148273-3522386295-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1915086945-3399148273-3522386295-1001\Software\Policies\Microsoft\Internet Explorer\Restrictions present
[2013-06-04 18:34:22 | 000,000,579 | ---- | C] () -- C:\Users\김기대\Desktop\afd.zip


:Reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser]
"DisplayName"="@%systemroot%\\system32\\browser.dll,-100"
"Group"="NetworkProvider"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%systemroot%\\system32\\browser.dll,-101"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000003
"Type"=dword:00000020
"DependOnService"=hex(7):4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,00,\
  6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4c,00,61,00,6e,00,6d,\
  00,61,00,6e,00,53,00,65,00,72,00,76,00,65,00,72,00,00,00,00,00
"FailureActions"=hex:84,03,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  62,00,72,00,6f,00,77,00,73,00,65,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001
"MaintainServerList"="Auto"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser\TriggerInfo]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser\TriggerInfo\0]
"Type"=dword:00000004
"Action"=dword:00000001
"GUID"=hex:07,9e,56,b7,21,84,e0,4e,ad,10,86,91,5a,fd,ad,09
"Data0"=hex:31,00,33,00,39,00,00,00,54,00,43,00,50,00,00,00,53,00,79,00,73,00,\
  74,00,65,00,6d,00,00,00,00,00
"DataType0"=dword:00000002
"Data1"=hex:31,00,33,00,37,00,00,00,55,00,44,00,50,00,00,00,53,00,79,00,73,00,\
  74,00,65,00,6d,00,00,00,00,00
"DataType1"=dword:00000002
"Data2"=hex:31,00,33,00,38,00,00,00,55,00,44,00,50,00,00,00,53,00,79,00,73,00,\
  74,00,65,00,6d,00,00,00,00,00
"DataType2"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser\TriggerInfo\1]
"Type"=dword:00000004
"Action"=dword:00000002
"GUID"=hex:38,ed,44,a1,12,8e,e4,4d,9d,96,e6,47,40,b1,a5,24
"Data0"=hex:31,00,33,00,39,00,00,00,54,00,43,00,50,00,00,00,53,00,79,00,73,00,\
  74,00,65,00,6d,00,00,00,00,00
"DataType0"=dword:00000002
"Data1"=hex:31,00,33,00,37,00,00,00,55,00,44,00,50,00,00,00,53,00,79,00,73,00,\
  74,00,65,00,6d,00,00,00,00,00
"DataType1"=dword:00000002
"Data2"=hex:31,00,33,00,38,00,00,00,55,00,44,00,50,00,00,00,53,00,79,00,73,00,\
  74,00,65,00,6d,00,00,00,00,00
"DataType2"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP]
"DisplayName"="@%SystemRoot%\\system32\\drivers\\http.sys,-1"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,48,00,54,00,54,00,50,00,2e,00,73,\
  00,79,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\drivers\\http.sys,-2"
"ErrorControl"=dword:00000001
"Start"=dword:00000003
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters\SslBindingInfo]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters\UrlAclInfo]
"http://*:2869/"=hex:01,00,04,80,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,\
  00,02,00,1c,00,01,00,00,00,00,00,14,00,00,00,00,20,01,01,00,00,00,00,00,05,\
  13,00,00,00
"http://+:80/Temporary_Listen_Addresses/"=hex:01,00,04,80,00,00,00,00,00,00,00,\
  00,00,00,00,00,14,00,00,00,02,00,1c,00,01,00,00,00,00,00,14,00,00,00,00,20,\
  01,01,00,00,00,00,00,01,00,00,00,00
"http://*:5357/"=hex:01,00,04,80,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,\
  00,02,00,34,00,02,00,00,00,00,00,18,00,00,00,00,20,01,02,00,00,00,00,00,05,\
  20,00,00,00,21,02,00,00,00,00,14,00,00,00,00,20,01,01,00,00,00,00,00,05,13,\
  00,00,00
"https://*:5358/"=hex:01,00,04,80,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,\
  00,02,00,34,00,02,00,00,00,00,00,18,00,00,00,00,20,01,02,00,00,00,00,00,05,\
  20,00,00,00,21,02,00,00,00,00,14,00,00,00,00,20,01,01,00,00,00,00,00,05,13,\
  00,00,00
"http://+:47001/wsman/"=hex:01,00,04,80,00,00,00,00,00,00,00,00,00,00,00,00,14,\
  00,00,00,02,00,58,00,02,00,00,00,00,00,28,00,00,00,00,20,01,06,00,00,00,00,\
  00,05,50,00,00,00,86,2a,ee,21,d7,5b,09,b0,a4,5b,6c,ad,bb,83,93,4d,ea,67,90,\
  18,00,00,28,00,00,00,00,20,01,06,00,00,00,00,00,05,50,00,00,00,43,b4,fa,f1,\
  d3,d4,54,34,a8,d5,3e,4a,53,0a,6c,1f,3d,ee,9b,b2
"http://+:5985/wsman/"=hex:01,00,04,80,00,00,00,00,00,00,00,00,00,00,00,00,14,\
  00,00,00,02,00,58,00,02,00,00,00,00,00,28,00,00,00,00,20,01,06,00,00,00,00,\
  00,05,50,00,00,00,86,2a,ee,21,d7,5b,09,b0,a4,5b,6c,ad,bb,83,93,4d,ea,67,90,\
  18,00,00,28,00,00,00,00,20,01,06,00,00,00,00,00,05,50,00,00,00,43,b4,fa,f1,\
  d3,d4,54,34,a8,d5,3e,4a,53,0a,6c,1f,3d,ee,9b,b2
"https://+:5986/wsman/"=hex:01,00,04,80,00,00,00,00,00,00,00,00,00,00,00,00,14,\
  00,00,00,02,00,58,00,02,00,00,00,00,00,28,00,00,00,00,20,01,06,00,00,00,00,\
  00,05,50,00,00,00,86,2a,ee,21,d7,5b,09,b0,a4,5b,6c,ad,bb,83,93,4d,ea,67,90,\
  18,00,00,28,00,00,00,00,20,01,06,00,00,00,00,00,05,50,00,00,00,43,b4,fa,f1,\
  d3,d4,54,34,a8,d5,3e,4a,53,0a,6c,1f,3d,ee,9b,b2
"https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"=hex:01,00,04,80,00,\
  00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,02,00,5c,00,03,00,00,00,00,00,\
  28,00,00,00,00,10,01,06,00,00,00,00,00,05,50,00,00,00,7e,a6,c8,cc,2a,ae,a7,\
  2f,c1,eb,fb,e1,ba,e3,6b,c0,da,d0,2b,af,00,00,18,00,00,00,00,80,01,02,00,00,\
  00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,00,00,00,10,01,01,00,00,00,\
  00,00,05,12,00,00,00
"http://+:10243/WMPNSSv4/"=hex:01,00,04,80,00,00,00,00,00,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,30,00,01,00,00,00,00,00,28,00,00,00,00,20,01,06,00,00,00,\
  00,00,05,50,00,00,00,39,0b,9a,8d,3e,6d,c7,2d,58,a4,ad,d2,48,66,ef,3b,c8,b6,\
  4a,ab
"https://+:10245/WMPNSSv4/"=hex:01,00,04,80,00,00,00,00,00,00,00,00,00,00,00,\
  00,14,00,00,00,02,00,30,00,01,00,00,00,00,00,28,00,00,00,00,20,01,06,00,00,\
  00,00,00,05,50,00,00,00,39,0b,9a,8d,3e,6d,c7,2d,58,a4,ad,d2,48,66,ef,3b,c8,\
  b6,4a,ab
"http://+:80/116B50EB-ECE2-41ac-8429-9F9E963361B7/"=hex:01,00,04,80,00,00,00,\
  00,00,00,00,00,00,00,00,00,14,00,00,00,02,00,1c,00,01,00,00,00,00,00,14,00,\
  00,00,00,20,01,01,00,00,00,00,00,05,14,00,00,00
"https://+:443/C574AC30-5794-4AEE-B1BB-6651C5315029/"=hex:01,00,04,80,00,00,00,\
  00,00,00,00,00,00,00,00,00,14,00,00,00,02,00,1c,00,01,00,00,00,00,00,14,00,\
  00,00,00,20,01,01,00,00,00,00,00,05,14,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,05,00,00,00,00,00,14,00,ff,01,0f,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,9d,00,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
  00,14,00,9d,00,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,9d,00,\
  02,00,01,01,00,00,00,00,00,05,03,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Enum]
"0"="Root\\LEGACY_HTTP\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
:Commands
[PURITY]
[EMPTYTEMP] 
[EMPTYFLASH]
[REBOOT]

• Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
• If the fix needed a reboot please do it.
• Click the OK button (upon reboot).
• When OTL is finished, Notepad will open. Close Notepad.
• A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (See: How to attach)

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the log from OTL
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Okay since this does not appear to be due to any remaining malware, the options I would suggest are:

• Check Device Manager for any hardware issues especially with networking interface
• see if an older restore point from before the infection exists that you could try using
• Windows Repair - see http://www.sevenforums.com/tutorials/3413-repair-install.html
• Reinstall

 

Actually using the Recovery Disks ( if the user made them or received them with the PC ) is a reinstall back to factory ship state.

That means you still have to get all of the Windows updates ( likely many of them ), you have to reinstall everything you may have put on the PC since delivery, you have uninstall all the junk that the PC vendor put on the PC that you do not want....etc. Basically you are starting over.

Quite a few PCs also come with a factory recovery partition on them which can also be used to restore back to factory ship state. I DO NOT RECOMMEND using this though. The reason is that if malware or anything else has corrupted this partition, you will trash your PC and will need a full Windows installation disk along with necessary drivers disks to reinstall and most people will not have this Windows disk due PC vendors not giving you one. The software for these recovery partitions is poorly written and poorly tested. It does not actually verify the integrity of the Recovery Parititon before trying to use it. The end result is that you windup reimaging your hard drive to an empty state. This does not happen all the time but it does happen. I have seen it occur several times. If the PC vendor gives you the ability to make these recovery disks, you should make them after first setting up a new PC. It can be very useful in the advent of major malware issue or a hard disk crash.

Thanks! Two of my favorites:

• American Cancer Society
• Make A Wish Foundation