No Internet after AV Guard Online Attack


This topic is locked
21 replies to this topic

#1 Techdude1

Techdude1

  • Members
  • 33 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 09 November 2011 - 02:18 PM

Hi. I'm frustrated. I cleaned a relative's PC (Toshiba running Win 7) of all the malware: rootkits using TDSSKiller and the Sirefef Trojan using A2.
Kaspersky Virus Removal Tool handled all the heavy lifting, disinfecting backdoors etc. I originally deleted AV Guard manually along with all its ancillary files. MBAM found a malware trace and PUM.Bad.Proxy in the registry. After all that, STILL no internet. The Clear internet will not connect.
I've seen other folks with the same issue. I even uninstalled Clear and reinstalled it. Nothing. I then even did a System Restore back to before the malware attack happened. I've checked and reset IE, flushed and manually checked the DNS, restarted the internet in Services, reset TCP/IP as well as other things. Nothing. Could you please tell me how other folks got their internet back?

#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,949 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:10 AM

Posted 09 November 2011 - 03:41 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Techdude1

Techdude1
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 11 November 2011 - 02:21 PM

Hello again. As you can see, I have no logs to post. Please hear me out. I posted no logs because, as someone who has cleaned machines many times, I am sure it is in fact clean. I am posting here today because ComboFix is the MAIN utility people use for the most vexing malware situations.
I have discovered what the problem is. Certain variations of AV Guard Online skunk TCPIP.sys. This renders the internet dead. I'm going to have to use a Windows repair CD in order to replace it.
I am wondering if it is at all possible for ComboFix, in a future issuance, to safely replace this file itself, without a repair CD. This rogue is a menace. I'm asking the ComboFix team to step up and be the first to address this frustrating situation. You guys are the Rolls Royce of anti-malware applications. For the good of the PC-loving general public, I am asking you to remedy this menace. No other anti-malware app can.

I would appreciate your consideration in this matter. Thanks, Techdude1.

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:10 PM

Posted 12 November 2011 - 03:57 PM

Hello, this problem is very common with Sirefef (aka ZeroAccess) infections and has nothing to do with ComboFix. Most commonly, other security applications delete not only the infected driver file but also the associated registry entries. In order to fix this, the deleted service needs to be identified and restored.

Is this a 32 bit or 64 bit version of Windows 7?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Techdude1

Techdude1
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 15 November 2011 - 05:08 PM

Hello and thank you for replying! Sorry it took so long for me to reply. It is a 32-bit version of Vista. If I said Win 7 earlier, I apologize.
In my earlier post I only meant to ask the ComboFix team to remedy this internet situation by safely cleaning the Sirefef trojan without damaging/deleting the attached system file. Other security apps either can't or won't. I know the ComboFix team can. They are Legend.

The approach I've been told to take is to use a Win Vista repair CD and run chkdsk /p along with a few commands. Hopefully this will work.
I just checked the PC and the tcpip.sys file is still in System32\drivers. It must have been damaged by Sirefef. I thought A2 had deleted tcpip along with the trojan, but I was wrong. If you have any advice for me regarding this situation, I am all ears. Perhaps you know of a better way to fix the internet. The instructions I have been given are somewhat complicated.


Thank you for your consideration Elise, Techdude1.

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:10 PM

Posted 16 November 2011 - 02:28 AM

Hello,
Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

regards, Elise




#7 Techdude1

Techdude1
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 18 November 2011 - 01:43 PM

Hi again. I've never heard of Farbar, but I will download it and run it on the affected machine. Will get back to you as soon as I can. Thanks.

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:10 PM

Posted 18 November 2011 - 01:58 PM

This tool looks for all internet-related services and files on your computer. Farbar is a long-time contributing staff member at BC who developed this tool.

I'll wait for the log.

regards, Elise




#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:10 PM

Posted 22 November 2011 - 06:53 AM

Hello, are you still there?

regards, Elise




#10 Techdude1

Techdude1
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 22 November 2011 - 06:30 PM

Hi! I'm still here. I just ran the scan on the affected PC. I read the report that the Farbar scan created and that led me to look in "Services" under DHCP. When I tried to start it I got the following message: "Windows could not start the DHCP Client service on local computer error 1075".
"The dependency service does not exist or has been marked for deletion". I believe the dependency service in this case is the Ancillary Function Driver for Winsock.

Farbar Service Scanner
Ran by aNNa (administrator) on 22-11-2011 at 14:58:00
Windows Vista ™ Home Premium Service Pack 2 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

tdx Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open tdx registry key. The service might not exist.
Checking ImagePath: Attention! Unable to open tdx registry key. The service might not exist.


File Check:
===========
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Google site is accessible.
Yahoo site is accessible.

**** End of log ****

I ran an additional Farbar scan with "Include files" checked and it read pretty much the same, except it included a few more "MD5 is legit" lines of text. I also just ordered a Vista Repair CD. I fear I will need it. Ugh, Vista. I hope this report provides some insight into what the culprit is.
Thanks again for your support. You are most kind.

Regards, Techdude1.

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:10 PM

Posted 23 November 2011 - 07:45 AM

Yes, it appears that the TDX service, which is required for an internet connection, has been deleted.

BACKUP THE REGISTRY
---------------------------
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click ERUNT.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


Press Windows key + R, type notepad and press Enter. Copy/paste the following text into Notepad and save it as fixme.reg to your desktop.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdx]
"DisplayName"="@%SystemRoot%\\system32\\tcpipcfg.dll,-50004"
"Group"="PNP_TDI"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,74,00,64,00,78,00,2e,00,73,00,79,\
  00,73,00,00,00
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"Tag"=dword:00000004
"Type"=dword:00000001
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"Description"="@%SystemRoot%\\system32\\tcpipcfg.dll,-50004"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdx\Enum]
"0"="Root\\LEGACY_TDX\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Exit Notepad and right-click on fixme.reg > select Run as Administrator. You'll be asked if you want to merge the script with the registry. Confirm. When done, restart your computer and let me know if the internet works now.

regards, Elise



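As an added example (not part of Elise's post, the fixme.reg above, or the Farbar tool): a small Python parser for the .reg fragment that decodes the hex(2) REG_EXPAND_SZ and hex(7) REG_MULTI_SZ values and then checks, before anyone merges such a fix, that the key restores exactly a kernel driver at system32\DRIVERS\tdx.sys, started with the system and depending on Tcpip alone. REG_TEXT is an abbreviated copy of the fix from the post (Group, Tag and the Enum subkey omitted); TDX_KEY, parse_reg, decode_value and check_tdx_fix are names chosen here.

```python
import re

# Constructed sample: abbreviated copy of the tdx key from the fixme.reg above
# (Group/Tag/Enum omitted); trailing backslashes are .reg line continuations.
REG_TEXT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdx]
"DisplayName"="@%SystemRoot%\\system32\\tcpipcfg.dll,-50004"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,74,00,64,00,78,00,2e,00,73,00,79,\
  00,73,00,00,00
"Start"=dword:00000001
"Type"=dword:00000001
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"""
TDX_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdx"

def decode_value(raw):
    """dword -> int, hex(2) REG_EXPAND_SZ -> str, hex(7) REG_MULTI_SZ -> list."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith(("hex(2):", "hex(7):")):
        data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
        # UTF-16LE; MULTI_SZ entries are NUL-separated and double-NUL terminated
        parts = [p for p in data.decode("utf-16-le").split("\x00") if p]
        return parts if raw.startswith("hex(7)") else parts[0]
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for .reg text."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = decode_value(raw)
    return keys

def check_tdx_fix(keys):
    # Pre-merge checks: driver path under system32/DRIVERS, Start 1
    # (SERVICE_SYSTEM_START), Type 1 (SERVICE_KERNEL_DRIVER), depends on Tcpip only.
    svc = keys.get(TDX_KEY, {})
    return (str(svc.get("ImagePath", "")).lower() == r"system32\drivers\tdx.sys"
            and svc.get("Start") == 1 and svc.get("Type") == 1
            and svc.get("DependOnService") == ["Tcpip"])
```

The same check fails if a merged file silently points ImagePath elsewhere or adds a second dependency, which is the kind of change to look for when a .reg fix comes from an untrusted source.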

#12 Techdude1

Techdude1
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 23 November 2011 - 10:07 AM

Hi. I clicked on the link and scrolled down to ERUNT and it said "neither is for Vista". Is it safe for me to utilize this device anyway?

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:10 PM

Posted 23 November 2011 - 10:30 AM

Yes, this works fine for Vista; to be sure, I tried it myself on Windows 7, and it runs just like it should. :)

regards, Elise




#14 Techdude1

Techdude1
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 23 November 2011 - 11:53 AM

Okay. I will follow your directives. Due to my schedule, I will not be able to run the scan for a day or two. The computer's owner lives a mile away and I must run errands today. Will get back to you as soon as I can. Thank you for your continued patience.

Regards, Techdude1

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:10 PM

Posted 23 November 2011 - 11:58 AM

No problem, thank you for letting me know! :)

regards, Elise






