
No Networking since Guard Online and Zeroaccess


  • This topic is locked
11 replies to this topic

#1 Don2222

Don2222

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:11 PM

Posted 13 October 2011 - 07:05 AM

Hi, I have been following posts on here to help with my Guard Online fake AV. It also came with Zeroaccess so took 3 days to just get the PC working and programs running. It would stop all AV software even in Safe mode. Most of what I have done had to be done in safe mode as there were about 10 fake processes running when booting in normal so the PC just wouldn't do anything.

Anyways I've run Trojankiller and TDSS killer which got rid of the Zeroaccess but most other programs were halted with a shutdown half way through so I manually deleted some files that had been created the day I got the problems and eventually managed to run the DDS and GMER. I have since run Combofix too and attach the logs.

I have no networking so cannot connect to the internet, and the TCP/IP protocol driver shows up as not present in Device Manager under non plug and play drivers (error code 24), as do the IP Network Address Translator and the IPSEC driver. I have tried running the Microsoft Windows Fix it tools for network errors but to no avail.

I am thinking something has been deleted from the registry that should be there to enable networking to be loaded.

I notice someone else has had an internet issue after having Guard Online too. Your help would be greatly appreciated as I could do with using this PC asap, although I appreciate you are busy.

Many Thanks,

Don



#2 Don2222


Posted 14 October 2011 - 05:19 AM

Thought I should add the MBAM log too. :thumbup2:




#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:11 AM

Posted 17 October 2011 - 12:26 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Go to this page and see if you can reset your proxy setting and get your internet connectivity back.
http://www.bleepingcomputer.com/virus-removal/remove-av-guard-online
===

Open notepad and copy/paste the text in the quote box below into it:

Driver::
70151599
MpKsl0eacfed8
MpKsl13b9b471
MpKsl33863d2c
MpKsl39b851ce
MpKsl3b61195b
MpKsl92ab58c4
MpKsl9b0d764c
MpKsla68f5e09
MpKslcaa9f4a3
MpKsld58ef19c
MpKsldafba4a3
MpKsle5cb98ce

RENV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM      .exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM    .exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM   .exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM  .exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM .exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\HP\HP UT\bin\hppusg .exe
c:\program files\HP\ToolBoxFX\bin\HPTLBXFX .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Microsoft ActiveSync\wcescomm  .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\windows\winsett  .exe
c:\windows\winsett .exe
c:\windows\system32\VTTimer .exe
c:\windows\system32\VTtrayp .exe


Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Please let me know what problem persists.

#4 Don2222


Posted 20 October 2011 - 06:58 AM

Thanks Nasdaq,

I'm away on holiday at the moment and away from the affected PC. I'll do as you say on Monday when I'm back and post the log then. Sorry for the delay and thanks for your help.

Edited by Don2222, 20 October 2011 - 06:59 AM.


#5 Don2222


Posted 26 October 2011 - 06:32 AM

Hi Nasdaq,

I re-ran ComboFix as instructed and my PC froze. After rebooting I had no config/system files so I have just reinstalled Windows and the networking is now working, although I'll have to install and update everything again.

Do you need anything else to make sure it is still clean?

#6 nasdaq


Posted 26 October 2011 - 08:14 AM

When ready run the DDS tool and post the log.

Let me know what problem you are having if any.

#7 Don2222


Posted 26 October 2011 - 09:05 AM

OK, I've attached the DDS and Attach files. I'm struggling to install any software as I keep getting error messages. The XP version I have is quite old, SP1, so I tried installing SP3 from the Microsoft download and it comes up with it not being a valid system 32 file or suchlike.

The installations you see in the DDS log actually haven't installed. I can't install IE8, for example. Is there an order I should do this in?

Oh and is there a way to find the drivers for the graphics and sound cards? I'm not sure what they are. I'll have a look at the old logs as they'll probably be there. I assumed they'd automatically load as plug and play.

Thanks again

Don




#8 Don2222


Posted 26 October 2011 - 10:13 AM

It's now shutting down unexpectedly when I try and install programs. Could the trojan or AV Guardonline still be lurking?

#9 nasdaq


Posted 26 October 2011 - 01:33 PM

No processes or services are listed on the DDS log.

Is this computer running in Normal Mode?

I think that you must install SP2 before installing SP3.

http://windows.microsoft.com/en-us/windows/help/learn-how-to-install-windows-xp-service-pack-3-sp3
===

The drivers are possibly available on the Manufacturer's site.
You will need the model of the cards.

#10 Don2222


Posted 26 October 2011 - 02:13 PM

Thanks, yeh have done SP2 and IE8 as well as the antivirus now and yes it was run in normal mode, it seems to just reboot when running the DDS. I'll try it again with the AV disabled.

#11 Don2222


Posted 26 October 2011 - 02:20 PM

Success this time. What do you think?




#12 nasdaq


Posted 27 October 2011 - 08:26 AM

Looking good.

I suggest you restore the Microsoft Hosts file.

Go to: http://www.funkytoad.com/index.php?option=com_content&task=view&id=13&Itemid=
Download the program HostsXpert to restore the default hosts file back onto your machine.
Unzip the program and execute it.
Select "Restore MS Hosts File".
Close the application.
=*=

Picture of HostsXpert
http://www.mvps.org/winhelp2002/hoster.gif
==

A good hosts file will protect you from navigating to unwanted sites.

You can use this one.

  • Run HostsXpert.exe
  • Click: Make Writable? in the upper left corner.
  • Click: Download
  • Click: MVPs Hosts
  • Click: Replace
  • Click: OK
  • Click: Make ReadOnly
  • Close HostsXpert.
Note: If a custom Hosts file was in place, also edit those entries back in.
*/*
I suggest that you update to the new version of the Hosts file every 6 weeks. I do.

All you need to know about the hosts file.
http://www.mvps.org/winhelp2002/hosts.htm
==

Any other issues?
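
An added example, not part of the original post and not HostsXpert's own code: before the hosts file is replaced as described above, a short Python audit can list the entries that would be lost, so custom ones can be re-added and unexpected name-to-address mappings reviewed. The sample file content, the function name `audit_hosts` and the category names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of a hosts file as it might look before replacement.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net   # blocking entry
192.168.1.20    nas.home.lan      # custom LAN name
203.0.113.7     www.example.com update.example.com
not-an-ip       broken.example.org
"""


def audit_hosts(text):
    """Sort hosts entries into default, blocking, custom and invalid."""
    report = {"default": [], "blocking": [], "custom": [], "invalid": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            ip = None
        if ip is None or not names:              # bad address or no hostname
            report["invalid"].append((lineno, raw.strip()))
            continue
        for name in names:
            if name == "localhost" and ip.is_loopback:
                kind = "default"                 # present in the stock file
            elif ip.is_loopback or ip.is_unspecified:
                kind = "blocking"                # name sinkholed locally
            else:
                kind = "custom"                  # name pinned to a real address
            report[kind].append((lineno, addr, name))
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for kind in ("custom", "blocking", "invalid"):
        print(kind.upper())
        for entry in result[kind]:
            print("  ", entry)
```

Entries reported as `custom` are the ones to check by hand: re-add those you recognise after the replacement and treat any mapping you did not create as suspect.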



