Ran TDSS Killer and now can't get online. Please Help!


13 replies to this topic

#1 Frosty1

Frosty1

  • Members
  • 29 posts
  • Gender:Male
  • Location:Conejo Valley, CA

Posted 12 January 2012 - 07:02 PM

Hi Guys,

Removed the Antispyware 2012 Virus by following instructions in the removal guide.

Ran TDSS Killer, found the virus and removed it. (found something in the afd.sys)

Now can't get online and cannot acquire ip address. Please Help!

Btw, running Windows XP.

Here are parts of the TDSS Killer log... (too long, can't figure out how to attach a .txt file, so here are the parts)

AFD (3026669a090dbbcd8214388ee1a3b70d) C:\WINDOWS\System32\drivers\afd.sys
13:59:50.0609 3484 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 3026669a090dbbcd8214388ee1a3b70d, Fake md5: 1e44bc1e83d8fd2305f8d452db109cf9
13:59:50.0609 3484 AFD ( Rootkit.Win32.ZAccess.aml ) - infected

Detected object count: 1
14:00:01.0000 3472 Actual detected object count: 1
14:00:15.0328 3472 Backup copy found, using it..
14:00:15.0343 3472 C:\WINDOWS\System32\drivers\afd.sys - will be cured on reboot
14:00:17.0609 3472 AFD ( Rootkit.Win32.ZAccess.aml ) - User select action: Cure
14:01:47.0531 2204 Deinitialize success


#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 12 January 2012 - 07:52 PM

Download

http://download.bleepingcomputer.com/farbar/FSS.exe


and run it on the infected PC.


* Click on "Scan".
* It will create a log (FSS.txt) in the same directory the tool is run.
* Please copy and paste the log to your reply.

#3 Frosty1

Frosty1
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Male
  • Location:Conejo Valley, CA

Posted 13 January 2012 - 02:08 AM

Farbar Service Scanner
Ran by (administrator) on 12-01-2012 at 23:05:19
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd: "system32\drivers\tskDA.tmp".


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****
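Added here as an illustration (not part of the thread, and not code from FSS or its author): a small Python parser for the "Internet Services" section of the FSS log above. It records which services are down and which configuration lines FSS vouched for, and flags an ImagePath that points at something other than a normal image, which is what the afd line shows. The log text is an excerpt copied from the post; the list of acceptable image extensions is an assumption.

```python
import re

# Excerpt of the FSS log posted above (the two services it reported on).
FSS_LOG = r"""Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd: "system32\drivers\tskDA.tmp".
"""

NOT_RUNNING = re.compile(r"^(\w+) Service is not running\.")
OK_LINE = re.compile(r"^The (start type|ImagePath|ServiceDll) of (\w+)(?: service)? is OK\.$")
BAD_LINE = re.compile(r'^The (start type|ImagePath|ServiceDll) of (\w+)(?: service)?: "(.*)"\.$')

# Assumption: a legitimate driver/service image carries one of these extensions.
# Anything else (the renamed .tmp FSS shows for afd) deserves a closer look.
IMAGE_EXTS = (".sys", ".exe", ".dll")


def image_path_suspicious(value: str) -> bool:
    """True when an ImagePath/ServiceDll value does not look like a normal image file."""
    return not value.lower().endswith(IMAGE_EXTS)


def triage_fss(log: str) -> dict:
    """Parse the Internet Services block: {svc: {"running", "ok": [fields], "findings": [...]}}."""
    services = {}

    def entry(name):
        return services.setdefault(name, {"running": True, "ok": [], "findings": []})

    for line in log.splitlines():
        if m := NOT_RUNNING.match(line):
            entry(m.group(1))["running"] = False
        elif m := OK_LINE.match(line):
            field, svc = m.groups()
            entry(svc)["ok"].append(field)
        elif m := BAD_LINE.match(line):
            field, svc, value = m.groups()
            entry(svc)["findings"].append((field, value, image_path_suspicious(value)))
    return services


def needs_attention(services: dict) -> list:
    """Services that are down and whose configuration FSS could not vouch for."""
    return [n for n, s in services.items() if not s["running"] and s["findings"]]
```

On this log the parser reports Dhcp as down but correctly configured, and afd as down with a non-image ImagePath, which matches the afd.reg repair narenxp proposes next.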

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 13 January 2012 - 09:33 AM

To be on the safer side before running registry fixes, I would suggest you to

Download

http://www.snapfiles.com/get/erunt.html

Install it and backup your registry to C:/Windows/erdnt

Now, download afd.reg

http://www.mediafire.com/?067al4xazmyl0gx


If it opens as Notepad,

just rename

afd.reg.txt to afd.reg

Launch it, click YES when you receive a prompt.

Restart your PC and check your browser

Good luck



#5 Frosty1

Frosty1
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Male
  • Location:Conejo Valley, CA

Posted 13 January 2012 - 05:13 PM

Both LAN and WLAN connections will now pick up an IP address but I still can't get online.

Any other ideas???

Thanks

#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 13 January 2012 - 06:42 PM

Can you post the new FSS log?

#7 Frosty1

Frosty1
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Male
  • Location:Conejo Valley, CA

Posted 13 January 2012 - 07:19 PM

Farbar Service Scanner
Ran by (administrator) on 13-01-2012 at 16:08:38
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

#8 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 13 January 2012 - 07:24 PM

Download

Winsock fix

Launch it, click on FIX

Restart your PC after it gets completed

Check your browser. If that doesn't work, try this


PLEASE create a restore point before trying this

Please copy the entire contents of the codebox below into Notepad:


REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]





Open Notepad, copy the script, save it as

Filename:winsock.reg
save as type:All files


Launch it and click YES to add it to registry

After that, Reboot your computer.

After the restart,

Go to Network Connections
Right click on your normal connection icon, and choose Properties
Click the Install button
Choose Protocol then click Add
Click Have disk
In the drop down box, type in: C:\WINDOWS\INF and click OK
In the next dialog, click Internet Protocol (TCP/IP) then click OK
Click Close to leave the properties box

After that, restart your computer and see if you can browse now.


Good luck

#9 Frosty1

Frosty1
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Male
  • Location:Conejo Valley, CA

Posted 15 January 2012 - 02:27 AM

Still can't get online.

Help!

#10 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 15 January 2012 - 02:47 AM

Please download GMER from here

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.

#11 Frosty1

Frosty1
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Male
  • Location:Conejo Valley, CA

Posted 15 January 2012 - 05:26 PM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-15 14:24:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1200BEVS-75LAT0 rev.02.06M02
Running: elcvzx2h.exe; Driver: C:\DOCUME~1\JACKBU~1\LOCALS~1\Temp\pglyapob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB57207$\2791533843 0 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307 0 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\bckfg.tmp 923 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\cfg.ini 207 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\keywords 274 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\L 0 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\L\odetmngk 138496 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\U 0 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\U\80000032.@ 77312 bytes

---- EOF - GMER 1.0.15 ----
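As an added example (not from the thread, and not code from GMER): a Python triage of GMER "File" lines that picks out the layout narenxp highlights in the next reply: a purely numeric folder under an $NtUninstallKB…$ directory holding an "@" file and U\ and L\ subfolders. The sample lines are copied from the log above plus one assumed, ordinary uninstall entry to show that normal files pass; the indicator rules are my own, derived only from this log.

```python
import re

# Lines from the GMER log above, plus one assumed ordinary entry (KB98765 is made up).
GMER_FILES = r"""File C:\WINDOWS\$NtUninstallKB57207$\2791533843 0 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307 0 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\cfg.ini 207 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\L\odetmngk 138496 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\U\80000032.@ 77312 bytes
File C:\WINDOWS\$NtUninstallKB98765$\spuninst\spuninst.exe 218624 bytes
"""

FILE_LINE = re.compile(r"^File (.+?) (\d+) bytes$")
# A purely numeric folder sitting directly under an $NtUninstall...$ directory.
NUMERIC_STORE = re.compile(r"^(.*\\\$NtUninstall[^\\]+\$\\\d+)(?:\\(.*))?$", re.IGNORECASE)


def triage_gmer(text: str) -> dict:
    """Group GMER File entries by numeric store folder and collect indicators seen in each."""
    stores = {}
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if not m:
            continue
        path = m.group(1)
        s = NUMERIC_STORE.match(path)
        if not s:
            continue                      # ordinary uninstall data, not a numeric store
        root, rel = s.group(1), s.group(2) or ""
        store = stores.setdefault(root, {"files": 0, "indicators": set()})
        if not rel:
            continue                      # the folder entry itself
        store["files"] += 1
        if rel == "@" or rel.endswith(".@"):
            store["indicators"].add("@ payload file")
        head = rel.split("\\", 1)[0]
        if head in ("U", "L"):
            store["indicators"].add(f"{head}\\ subfolder")
    return stores


def suspicious_stores(stores: dict) -> list:
    """Store folders that show at least one of the indicators above, sorted for stable output."""
    return sorted(root for root, s in stores.items() if s["indicators"])
```

Feeding the full log from the post gives the same verdict narenxp reaches: the 3372488307 folder is a live store, so the machine is still infected and needs the malware-removal forum rather than more network repairs.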

#12 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 15 January 2012 - 07:51 PM

Frosty1

File C:\WINDOWS\$NtUninstallKB57207$\2791533843 0 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307 0 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\bckfg.tmp 923 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\cfg.ini 207 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\keywords 274 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\L 0 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\L\odetmngk 138496 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\U 0 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB57207$\3372488307\U\80000032.@ 77312 bytes



You are still infected

Read the preparation guide

http://www.bleepingcomputer.com/forums/topic34773.html

Create a new topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck



#13 Frosty1

Frosty1
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Male
  • Location:Conejo Valley, CA

Posted 16 January 2012 - 01:47 AM

New Post...

http://www.bleepingcomputer.com/forums/topic438357.html

Thanks for your help!



#14 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 16 January 2012 - 02:05 AM

Good luck :thumbup2:



