[emeraldnzl]

Hi Bhinsz84,

A number of experts have had a look at this and we have some things to try.

Firstly lets remove some tools and the driver sptd.sys and rerun Combofix but in a different way. I was of the opinion that spd.sys wasn't infected because of some of the tools we have run but I am told that one infection can still hide behind it so...

Lets carry out these actions:

Follow these steps to uninstall Combofix and tools used in the removal of malware. This will also clean out and reset your Restore Points.

• Click START then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

Step 2

• Double-click OTL.exe to run it. (Vista users, please right click on OTL.exe and select "Run as an Administrator")
• Click on the CleanUp! button
• Click Yes to begin the Cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Next

Please download the OTM by OldTimer.

• Save it to your desktop.
• Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :processes
  killallprocesses
  
  :Files
  C:\WINDOWS\system32\Drivers\sptd.sys
  
  :commands
  [Reboot]
  

• Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTM.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Finally in this post

Download Combofix from again either of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2



Rename ComboFix to Confuse.exe

--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Double click on Confuse.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt for review.

[Advertisements]

error thrown while uninstalling combofix - it did not stay up long enough for me to read it - it was a series of letters and numbers with no meaning that windows was unable to find.

OTL was deleted as a trojan when we ran the dr. web program - re downloaded it from the malware cleaning guide and ran it. otl asked for restart which i did.

ram otm - here is the text from the log file

========== PROCESSES ==========
All processes killed
========== FILES ==========
C:\WINDOWS\system32\Drivers\sptd.sys moved successfully.
========== COMMANDS ==========

OTM by OldTimer - Version 3.1.17.2 log created on 05112011_185952

on combofix run - downloaded and renamed - ran it - no errors - log is attached.

[Bhinsz84]

error thrown while uninstalling combofix - it did not stay up long enough for me to read it - it was a series of letters and numbers with no meaning that windows was unable to find.

OTL was deleted as a trojan when we ran the dr. web program - re downloaded it from the malware cleaning guide and ran it. otl asked for restart which i did.

ram otm - here is the text from the log file

========== PROCESSES ==========
All processes killed
========== FILES ==========
C:\WINDOWS\system32\Drivers\sptd.sys moved successfully.
========== COMMANDS ==========

OTM by OldTimer - Version 3.1.17.2 log created on 05112011_185952

on combofix run - downloaded and renamed - ran it - no errors - log is attached.

[Bhinsz84]

forgot to attach the log. ooops.  combofixlog.txt   27.77KB   141 downloads

[emeraldnzl]

OTL was deleted as a trojan when we ran the dr. web program

Yep, this one was OTM.

Now a few things to try:

Step 1

Reset Winsock & TCP:

Go to Start > Run > CMD > OK to open a command prompt.

Please type in the following two lines (note the gaps...they should be there), press the [Enter] key after each line:

 netsh  winsock  reset  catalog

 netsh  int  ip  reset  reset.log

Now reboot your computer.

Please post the contents of reset.log in your next reply, you can find it at the root of your C: drive.

Step 2

If you still haven't got connection try downloading Firefox, transferring and installing on the ailing computer.

Firefox may be downloaded from here.

Tell me if that works.

Lastly if you still aren't connecting

Tell me what happens when you type in one of google's IP addresses into a browser?

74.125.53.103
and hit Enter?

[Bhinsz84]

deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{25F79FBE-10F7-4C22-AD2E-2EC2C56530BA}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{25F79FBE-10F7-4C22-AD2E-2EC2C56530BA}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{25F79FBE-10F7-4C22-AD2E-2EC2C56530BA}\IpAutoconfigurationSeed
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{25F79FBE-10F7-4C22-AD2E-2EC2C56530BA}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{25F79FBE-10F7-4C22-AD2E-2EC2C56530BA}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{25F79FBE-10F7-4C22-AD2E-2EC2C56530BA}\UdpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C9D6C6A4-94BA-4208-A6B1-AD1DB12CAFA0}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C9D6C6A4-94BA-4208-A6B1-AD1DB12CAFA0}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C9D6C6A4-94BA-4208-A6B1-AD1DB12CAFA0}\UdpAllowedPorts
old REG_MULTI_SZ =
0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
reset Linkage\UpperBind for ROOT\MS_NDISWANBH\0000. bad value was:
REG_MULTI_SZ =
PSched

reset Linkage\UpperBind for PCI\VEN_8086&DEV_294C&SUBSYS_00018086&REV_02\3&61AAA01&0&C8. bad value was:
REG_MULTI_SZ =
PSched

reset Linkage\UpperBind for ROOT\MS_NDISWANIP\0000. bad value was:
REG_MULTI_SZ =
PSched

<completed>

[emeraldnzl]

Any change... if not move on to the next action.

[Bhinsz84]

still not connecting with any browser including firefox - i inserted the ip for google and google search page came up on all three browsers , firefox, chrome, and IE

[emeraldnzl]

i inserted the ip for google and google search page came up on all three browsers

That's what it does on my machine but I can connect to the internet as well. I am consulting to see what others think about that but meantime I am wondering if something is stopping you connect say some malware we have missed or maybe a security program we haven't accounted for.

Let's do this:

FIX

Re-Run aswMBR

Click Scan

On completion of the scan

Click the Fix button.




Save the log as before and post in your next reply

[Bhinsz84]

aswMBR version 0.9.5 Copyright© 2011 AVAST Software
Run date: 2011-05-11 21:22:17
-----------------------------
21:22:17.796 OS Version: Windows 5.1.2600 Service Pack 3
21:22:17.796 Number of processors: 2 586 0xF0B
21:22:17.796 ComputerName: BRIANS UserName:
21:22:18.765 Initialize success
21:22:22.890 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-7
21:22:22.890 Disk 0 Vendor: WDC_WD6400AAKS-00A7B2 01.03B01 Size: 610480MB BusType: 3
21:22:22.906 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-12
21:22:22.906 Disk 1 Vendor: WDC_WD5000AAKS-75YGA0 12.01C02 Size: 476940MB BusType: 3
21:22:22.921 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP4T0L0-1d
21:22:22.921 Disk 2 Vendor: WDC_WD6401AALS-00L3B2 01.03B01 Size: 610480MB BusType: 3
21:22:24.968 Disk 0 MBR read successfully
21:22:24.968 Disk 0 MBR scan
21:22:26.984 Disk 0 scanning sectors +1250242560
21:22:27.031 Disk 0 scanning C:\WINDOWS\system32\drivers
21:22:31.109 Service scanning
21:22:31.937 Disk 0 trace - called modules:
21:22:31.953 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:22:31.968 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae33ab8]
21:22:31.984 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\0000006c[0x8ae3b948]
21:22:32.140 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T1L0-7[0x8ae3bb00]
21:22:32.312 Scan finished successfully
21:23:25.031 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator.BRIANS\Desktop\MBR.dat"
21:23:25.062 The log file has been saved successfully to "C:\Documents and Settings\Administrator.BRIANS\Desktop\aswMBR.txt"



could not run a fix after doing the scan i could do a fix mbr which i did not do.

[emeraldnzl]

could not run a fix after doing the scan i could do a fix mbr which i did not do.

No need, it looks fine.

Now

With the help of some expert advice it looks like we might have narrowed the cause to a dns issue. Bit of work now to see exactly where it is broken.

First let's see what happens when we do this:

Open Notepad and navigate to

C:\WINDOWS\system32\drivers\etc\hosts

drag and drop the hosts file into notepad.

directly underneath the line 127.0.0.1 localhost add in 74.125.53.104 google.com then save the file

See if you can then get to google.com

Also do this:

Download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  

  :reg
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider /s
  

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found at on your Desktop entitled SystemLook.txt

[Bhinsz84]

no luck on the first



here is systemlook log

SystemLook 04.09.10 by jpshortstuff
Log created at 17:43 on 12/05/2011 by Administrator
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"Class"= 0x0000000008 (8)
"DnsPriority"= 0x00000007d0 (2000)
"HostsPriority"= 0x00000001f4 (500)
"LocalPriority"= 0x00000001f3 (499)
"ProviderPath"="%SystemRoot%\System32\wsock32.dll"
"NetbtPriority"= 0x00000007d1 (2001)
"Name"="TCP/IP"


-= EOF =-

[emeraldnzl]

Hi Bhinsz84,

More things to do now.

Step 1

Run the System File Checker.

Follow these steps:

• Click Start > Run and type sfc /scannow (note the space, it should be there), and then press ENTER.
• Follow the prompts throughout the System File Checker process.
• Restart your computer when System File Checker process is complete.

Next

Download and run WinSockFix

After that

If you still haven't got connection go to Start -> All Programs -> Accessories -> Command Prompt. Once the command prompt loads, type the following command.

ping google.com

when the answer comes up.

Right click on the caption (title) of the Command Prompt (or MS-DOS) window to bring up a popup menu. Then select Edit then Mark in the popup menu.

Drag the curser across the area you want to copy

Right click on the caption (title) of the window to bring up a popup menu again. Then select Edit then Copy in the popup menu.

Open notepad and Paste (Ctrl+V).

Post back here.

Follow the same proceedure but this time use the Command

nbtstat -c

and then again using

nbtstat -r


Finally in this post

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  

  :file
  c:\windows\System32\dnsapi.dll
  c:\windows\System32\dnsrslvr.dll
  :reg
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache /s
  
  

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found at on your Desktop entitled SystemLook.txt

[Bhinsz84]

fatal system error running sfc scannow - bsod 0xc0000021 ( i think ) - on restart windows product activation error 0x80004005 a problem is preventing windows from accurately checking the license for this computer..... I cannot start windows - every time i try to go past the admin login on startup i get this error.

i went to recover consol and ran fixmbr to see if this would help - no dice. going to see if i can start up in safe mode now

[Bhinsz84]

able to start in safe mode, have not tried it with networking. tried to run sfc scannow from the command prompt and it throws error 0x000006ba rpc server is unavailable.

Time for me to re install ?

[emeraldnzl]

Might be worth trying Last known good configuration.

I have to go out now for about an hour I will check in as soon as I get back.