zeroaccess!inf no internet Driving me mad

Discussion in 'Malware Help (A Specialist Will Reply)' started by Bling1981, Mar 7, 2012.

  1. Bling1981

    Bling1981 Private E-2

    zeroaccess!inf has caused me a few headaches today, but after running SuperAntiSpyware it's gone... Phew... BUT it's left my NIC in a mess by the looks of it, constantly identifying. Anyone got any ideas? I can post logs or check anything you want.
     
  2. Bling1981

    Bling1981 Private E-2

    Update: SEP still thinks I've got a problem, so all log files are attached; if someone can help I'd be very grateful ;) ComboFix said the TCP/IP stack was infected. After the reboot it's logged in and I'm seeing the blue ComboFix screen popping up very fast and the CPU is working overtime. I can't kill the process either :(
     
  3. Bling1981

    Bling1981 Private E-2

    Logs attached
     

    Attached Files:

  4. Bling1981

    Bling1981 Private E-2

    UAC was the cause ;0) It's running through now on stage 5 anyway... may get a cuppa. Will upload the log once complete if I still have problems.
     
  5. Bling1981

    Bling1981 Private E-2

    ComboFix log attached. I noticed the following files were also being reported in SEP, if that helps:

    c:\windows\system32\ASNDIS5.dll
    c:\windows\system32\TMHIDSRV.dll
     

    Attached Files:

  6. Bling1981

    Bling1981 Private E-2

    iexplore.exe: illegal operation attempt on a registry key that has been marked for deletion... think I'm getting there
     
  7. Bling1981

    Bling1981 Private E-2

    Rebooted and all the original problems return :(
     
  8. thisisu

    thisisu Malware Consultant

    Hello Bling1981,

    You still need to run MGtools.exe. Read this on how to run it: Using MGtools

    Afterwards, scan with this:

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      msconfig
      safebootminimal
      activex
      drivers32
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      netbt.sys
      nsiproxy.sys
      svchost.exe
      tcpip.sys
      tdx.sys
      /md5stop
      %windir%\$ntuninstallkb*. /120
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Attach OTL.txt to your next message. (How to attach)
     
  9. Bling1981

    Bling1981 Private E-2

    Thisisu thanks for the response really aprechiate your help.

    Logs attached as requested
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    No problem.

    I still need the MGlogs.zip file. It should be at the root of C: (C:\MGlogs.zip)
     
  11. Bling1981

    Bling1981 Private E-2

    Attached ;0)
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    Java(TM) 6 Update 26

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :processes
    killallprocesses
    :otl
    SRV - File not found [Auto | Stopped] --  -- (zenos1)
    SRV - File not found [Auto | Stopped] --  -- (EraserSvc11122)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (VGPU)
    DRV - File not found [Kernel | On_Demand | Unknown] --  -- (rootrepeal)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (catchme)
    NetSvcs: zenos1 -  File not found
    NetSvcs: snoopfreesvc -  File not found
    NetSvcs: sonywbms -  File not found
    NetSvcs: STV680m -  File not found
    NetSvcs: spmgr -  File not found
    NetSvcs: ac97intc -  File not found
    NetSvcs: osaio -  File not found
    NetSvcs: jsdaemon -  File not found
    NetSvcs: dnsexit -  File not found
    NetSvcs: aiclient -  File not found
    [2012/03/07 16:48:46 | 000,000,000 | ---D | C] -- C:\ProgramData\ParetoLogic
    [2012/03/07 14:27:34 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    :files
    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a\afd.sys
    c:\windows\system32\drivers\afd.sys|C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16802_none_d81220b5bf827af7\afd.sys /replace
    C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_626c324d55864070\netbt.sys
    xcopy /y C:\Windows\System32\drivers\netbt.sys C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_626c324d55864070 /c
    xcopy /y C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a /c
    C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys
    xcopy /y C:\Windows\ERDNT\cache\tdx.sys C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2 /c
    C:\Windows\System32\ASNDIS5.dll
    C:\Windows\System32\TMHIDSRV.dll
    rd /s/q c:\windows\$NtUninstallKB53314$ /c
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"=-
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
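
The OTL script above does two things by hand: it hashes the networking drivers listed under /md5start in post 8, and in post 12 it restores afd.sys, netbt.sys and tdx.sys from the copies Windows keeps in the WinSxS component store. The following is an added example, not code from this thread and not part of OTL or ComboFix, that automates the comparison step: for each driver name it hashes the active file under System32\drivers and every same-named file under winsxs, and flags drivers whose active hash matches none of the component-store copies. The driver list is taken from post 8; the directory layout is a parameter, so it can be pointed at a mounted offline C:\Windows, and the fixture tree built by build_fixture() is constructed sample data, not a real Windows install. All function names are this example's own.

```python
"""Added example: compare active kernel drivers with their WinSxS copies.

Not from the forum thread or from OTL/ComboFix. Any WinSxS copy of a driver is
an unmodified Microsoft build, so an active driver that matches none of them
has been patched in place (what ZeroAccess did to afd.sys and friends) and is
a candidate for the kind of /replace line used in post 12.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Drivers OTL was asked to hash in post 8; the first three were replaced in post 12.
DRIVERS_TO_CHECK = ("afd.sys", "netbt.sys", "tdx.sys", "tcpip.sys", "nsiproxy.sys")


def sha256_of(path):
    """Hash a file in chunks so a large driver never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def winsxs_copies(winsxs_dir, name):
    """Return {path: sha256} for every component-store file called name.

    Several versions usually exist (RTM, SP1, hotfixes); matching any one of
    them is enough to say the active driver is an unmodified Microsoft file.
    """
    copies = {}
    for root, _dirs, files in os.walk(winsxs_dir):
        for filename in files:
            if filename.lower() == name.lower():  # NTFS names are case-insensitive
                full = Path(root) / filename
                copies[str(full)] = sha256_of(full)
    return copies


def check_drivers(drivers_dir, winsxs_dir, names=DRIVERS_TO_CHECK):
    """Compare each active driver with its component-store copies.

    Per driver: {"status": ..., "active": sha256 or None, "winsxs": {path: sha256}}
      ok            active hash equals one WinSxS copy
      mismatch      copies exist but none matches: candidate for a /replace
      missing       the active driver file is absent
      no-reference  WinSxS holds no copy, so there is nothing to compare against
    """
    results = {}
    for name in names:
        active_path = Path(drivers_dir) / name
        reference = winsxs_copies(winsxs_dir, name)
        active_hash = sha256_of(active_path) if active_path.is_file() else None
        if active_hash is None:
            status = "missing"
        elif not reference:
            status = "no-reference"
        elif active_hash in reference.values():
            status = "ok"
        else:
            status = "mismatch"
        results[name] = {"status": status, "active": active_hash, "winsxs": reference}
    return results


def build_fixture():
    """Constructed sample tree (not a real Windows install); returns (drivers, winsxs).

    afd.sys is 'patched' and matches neither WinSxS version, netbt.sys matches
    its SP1 copy, tcpip.sys has no WinSxS copy, tdx.sys is missing outright and
    nsiproxy.sys exercises the case-insensitive name match.
    """
    base = Path(tempfile.mkdtemp(prefix="drvcheck_"))
    drivers, winsxs = base / "System32" / "drivers", base / "winsxs"
    clean_netbt, clean_nsiproxy = b"MZ netbt 7601", b"MZ nsiproxy 7601"
    files = {
        drivers / "afd.sys": b"MZ afd 7601 + injected stub",
        drivers / "netbt.sys": clean_netbt,
        drivers / "tcpip.sys": b"MZ tcpip 7601",
        drivers / "nsiproxy.sys": clean_nsiproxy,
        winsxs / "x86_microsoft-windows-winsock-core_6.1.7600" / "afd.sys": b"MZ afd 7600",
        winsxs / "x86_microsoft-windows-winsock-core_6.1.7601" / "afd.sys": b"MZ afd 7601",
        winsxs / "x86_microsoft-windows-netbt_6.1.7601" / "netbt.sys": clean_netbt,
        winsxs / "x86_microsoft-windows-nsiproxy_6.1.7601" / "NSIPROXY.SYS": clean_nsiproxy,
    }
    for path, content in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return drivers, winsxs


def report(results):
    """One line per driver, mismatches first, in a shape that pastes into a thread."""
    lines = []
    for name, info in sorted(results.items(), key=lambda kv: kv[1]["status"] != "mismatch"):
        lines.append(f"{info['status']:<12} {name:<14} active={info['active'] or '-'}  "
                     f"winsxs_copies={len(info['winsxs'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    drv, sxs = build_fixture()
    print(report(check_drivers(drv, sxs)))
```

Two caveats a practitioner would want. A hash match only says the on-disk file is a Microsoft build; it says nothing about in-memory hooks, which is why the TDSSKiller and aswMBR steps later in the thread still matter. And choosing which WinSxS version to restore is a separate decision: post 12 picks specific 6.1.7600 and 6.1.7601 components by hand, and restoring a driver from the wrong servicing level can leave the network stack in worse shape than the infection did.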
     
  13. Bling1981

    Bling1981 Private E-2

    All done.... machine is coming back to life too.....
     

    Attached Files:

  14. thisisu

    thisisu Malware Consultant

    • Now press and hold the Windows key and then press the letter R on your keyboard.
    • This opens the Run dialog box.
    • Type in cmd and press ENTER.
    • This opens a command prompt window.
    • Now type in these two commands, pressing ENTER after each one.
      • ipconfig /flushdns
      • netsh winsock reset
    • Then reboot your PC before proceeding to the below steps

    Please update MBAM and run another Quick Scan.
    Attach the new log when finished. (How to attach)


    ___
    • 1E Agent
    • 1E NomadBranch GUI
    • 1E NomadBranch

    Are these programs you use? ComboFix quarantined many files related to these programs. We can restore them if you want.

    Let me know what problems you are still experiencing, if any.
     
  15. Bling1981

    Bling1981 Private E-2

    HI there, yes those are applications i use on a daily basis, can we get them recovered?
     
  16. thisisu

    thisisu Malware Consultant

    Yes.

    Dequarantine using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    DeQuarantine::
    C:\Qoobox\Quarantine\C\ProgramData\1e
    Quit::
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\DeQuarantine.txt
    Attach this log to your next message. (How to attach)
     
  17. thisisu

    thisisu Malware Consultant

    Here are the next steps to be completed after you have completed all of the above:

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)
     
  18. Bling1981

    Bling1981 Private E-2

    OK, after running a flushdns and netsh winsock reset and rebooting, I'm back to not having internet access, constantly identifying :( damn viruses
     
  19. thisisu

    thisisu Malware Consultant

    Hi, go ahead and run the instructions in post #17.

    Did you run the ComboFix script yet? If not, don't run it yet. We may need to use ComboFix again in the future. The items will remain in Quarantine.

    There still may be some rootkit activity.
     
  20. Bling1981

    Bling1981 Private E-2

    Brilliant, thank you. I'll run through this later today when I'm back home.

    regards

    Jason
     
  21. Bling1981

    Bling1981 Private E-2

    All done and uploaded... you're a legend!!
     

    Attached Files:

  22. Bling1981

    Bling1981 Private E-2

    CVPNDRVA - anything to do with Cisco VPN?
     
  23. thisisu

    thisisu Malware Consultant

    That is exactly what it is related to. ;)

    These logs are clean. If your internet is still not working, run the below:

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  24. Bling1981

    Bling1981 Private E-2

    Attached
     

    Attached Files:

  25. thisisu

    thisisu Malware Consultant

    I have attached fix.zip.
    • Inside is fix.bat
    • Extract fix.bat to the desktop with the internet issue.
    • Now right-mouse click fix.bat and select "Run as Administrator".
    • Notepad should appear and say 1 file(s) copied.
    • Now reboot your PC and test for internet connectivity.
     

    Attached Files:

    • fix.zip (258 bytes)
  26. Bling1981

    Bling1981 Private E-2

    OK great, internet connectivity is back now. Shall I follow the previous note about re-enabling the applications?
     
  27. thisisu

    thisisu Malware Consultant

    Hi,

    Yes, see the below:

    Dequarantine using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    DeQuarantine::
    C:\Qoobox\Quarantine\C\ProgramData\1e
    Quit::
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\DeQuarantine.txt
    Attach this log to your next message. (How to attach)

    __

    Please update MBAM and run another Quick Scan.
    Attach the new log when finished. (How to attach)

    Let me know how the system is running after you have completed these steps.
     
