BleepingComputer.com: Security Sphere 2012 infection on XP.

Hi,
My friend's XP PC got infected tonight with this nasty malware.

So I followed the instructions on your site at this page:
http://www.bleepingcomputer.com/virus-removal/remove-security-sphere-2012

The main issue is that I cannot get the internet to connect on that PC to update the Malwarebytes tool, receiving the message:
PROGRAM_ERROR_UPDATING (11004, 0, No address found)

I used RKILL and TDSSKiller.

The first scan by Malwarebytes detected one file - but nothing on rerunning.

I also used the Microsoft instructions http://support.microsoft.com/kb/2540100 which detected one rogue entry, and I also removed that.

Would appreciate any advice on how to proceed and what logs to collect.

Many thanks for your help.

Update:
Followed all the instructions and added a new database file via USB, cleared out 2 more trojan files. Rebooted and reset the Hosts file (via USB again).

No obvious infection showing up, but still unable to connect that PC to the internet by wireless or cable.

Any advice on diagnostics to fix that greatly appreciated. Thanks.

Please download Farbar Service Scanner

http://download.bleepingcomputer.com/farbar/FSS.exe

and run it on the computer with the issue.


* Press "Scan".
* It will create a log (FSS.txt) in the same directory the tool is run.
* Please copy and paste the log to your reply.

Thanks,
Here is the fss log:

Farbar Service Scanner
Ran by catherine (administrator) on 29-12-2011 at 22:49:07
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

Download

http://www.mediafire.com/?kegsoy6pzq5168b

Launch it and click YES to import it to registry

Restart your PC and check your browser

Good luck

This post has been edited by narenxp: 29 December 2011 - 06:23 PM

Thanks Narenxp

I ran the Registry edit - but still no success. It sees the router but fails to acquire a network address. Grrr.

Should I either rollback (system restore) or get ready to reinstall XP?

Can you post the new FSS log?

Thanks

Here you go mate...

Farbar Service Scanner
Ran by catherine (administrator) on 30-12-2011 at 21:38:37
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

Download

Winsock fix


Launch it ,Click on FIX

Restart your PC after it gets completed

Check your browser.If that doesnt work try this


PLEASE create a restore point before trying this


Please copy the entire contents of the codebox below into Notepad:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]

Open a notepad ,copy the script,save it as

Filename:winsock.reg
save as type:All files


Launch it and click YES to add it to registry

After that, Reboot your computer.

After the restart,

Go to Network Connections
Right click on your normal connection icon, and choose Properties
Click the Install button
Choose Protocol then click Add
Click Have disk
In the drop down box, type in: C:\WINDOWS\INF and click OK
In the next dialog, click Internet Protocol (TCP/IP) then click OK
Click Close to leave the properties box

After that, restart your computer and see if you can browse now.

Good luck

This post has been edited by narenxp: 30 December 2011 - 05:08 PM

Thanks again.
Tried those - still no joy connecting to network.

I also notice an error message in Security Centre (service currently unavailable) and that the Windows Firewall service is not starting, and will not start when tried - probably a related issue?

Sigh. :-)

Press Windows + R key and type

cmd and click ok

Now run these commands

net start afd

net start dhcp

Do you receive errors?

Yes - Errors received:

net start afd
System error 2 has occurred
The system cannot find the file specified

net start dhcp
System error 1068 has occurred
The dependency service or group failed to start

Open command prompt again and run this command

sfc /scannow

After it gets finished,restart your PC and check the browser

Good luck

This post has been edited by narenxp: 31 December 2011 - 02:16 PM

Thanks - tried running it.

Unfortunately it seems to require a WIndows CD-ROm, which was not shipped with the PC. I guess all this PC has is a recovery Windows image in a HD partition.

What a mess!

No issues

Launch the FSS again and type

afd.sys in the BOX

Click on search files

Post the generated log