Solved Search redirection virus/rootkit

Status
Not open for further replies.
Connection is still dead.
Command prompt ipconfig outputs remain the same.
DHCP still fails to start because the dependency service doesn't exist.
Net is still down

I am -assuming- the root of this is the DHCP service being down. Event Viewer is showing service failures across the board that rely on it.

Notable service failures:

Bits-Client - The BITS service failed to start. Error 0x80072742.
The Server service depends on the Server SMB1.xxx Driver service which failed to start because the dependency service or group failed to start.
 
Did you edit your post #26?
I thought I saw:

I haven't edited any posts without adding Edit: to the section I was changing. But I also haven't removed any information.

Anyway, what that was about is the dependency for DHCP failing to start.
 
OK, check following service:
- Network Store Interface Service

If that doesn't help...

Go Start>Run ("Start Search" in Vista/7), type in:
sfc /scannow
Click OK (in Vista/7, hold CTRL and SHIFT and hit Enter).
Have your Windows CD/DVD handy (with Vista/7, most likely, you won't need it).
If System File Checker (sfc) finds any errors, it may ask you for the CD/DVD (rarely in the Vista/7 case).
 
Still nothing after driver reinstall. I've also tried setting all of my network information manually for ipv4.
 
Update:

AFD isn't listed in my services tab or my Device Manager Non-Plug and Play Drivers. I get the feeling that my system doesn't even know it has afd.sys on it. Is there any way to resolve this?

Edit: Is there any way you can export this registry portion of your computer?

HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ AFD

Mine is full of the same error code I got when I experienced a BSOD during the combofix script to repair AFD earlier. I believe if the registry for AFD can be repaired, maybe the problem will be resolved.
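The two posts above come down to the same question: which service in the DHCP Client's dependency chain is missing, and is AFD actually registered and present on disk? Here is an added PowerShell example (not from the thread or from any of the tools used in it) that walks the chain from the registry, reports each link's state and resolved image file, and then checks the AFD key the post asks to export. It assumes the standard service name `Dhcp` for the DHCP Client, PowerShell 3 or later (for Get-CimInstance) and an elevated prompt; the helper names are my own.

```powershell
# Added example, not part of the thread: walk the DHCP Client's dependency chain
# from HKLM\SYSTEM\CurrentControlSet\Services and report each dependency's state
# and on-disk image, then check the AFD driver registration the post is about.
# Assumes PowerShell 3+ (Get-CimInstance) and an elevated prompt.

function Resolve-ImagePath {
    # Turn a Services\<name>\ImagePath value into an absolute file path.
    # Handles the forms Windows uses: "\SystemRoot\...", "system32\...",
    # "\??\C:\..." and "%SystemRoot%\system32\svchost.exe -k <group>".
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] }       # quoted path: drop the arguments
    else { $p = ($p -split ' -')[0].Trim() }               # unquoted path: drop "-k ..." arguments
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ServiceChain {
    # Recursively list a service and everything it depends on (DependOnService).
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$Depth = 0,
        [hashtable]$Seen = @{}
    )
    if ($Seen.ContainsKey($Name.ToLower())) { return }
    $Seen[$Name.ToLower()] = $true

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        # This is the "dependency service does not exist" case from the thread.
        [pscustomobject]@{ Depth=$Depth; Service=$Name; State='MISSING (no registry key)'; Image=$null; ImageOnDisk=$false }
        return
    }
    $props = Get-ItemProperty $key
    $imagePath = $props.ImagePath
    if (-not $imagePath -and ($props.Type -band 3)) {
        # Kernel/file-system driver without an explicit ImagePath: Windows loads System32\drivers\<name>.sys
        $imagePath = "System32\drivers\$Name.sys"
    }
    # Win32_BaseService covers both user-mode services and kernel drivers such as AFD.
    $live  = Get-CimInstance Win32_BaseService -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    $image = Resolve-ImagePath $imagePath
    [pscustomobject]@{
        Depth       = $Depth
        Service     = $Name
        State       = if ($live) { $live.State } else { 'not registered with SCM' }
        Image       = $image
        ImageOnDisk = if ($image) { Test-Path -LiteralPath $image } else { $false }
    }
    foreach ($dep in @($props.DependOnService)) {
        # Entries starting with "+" are load-order groups, not services; skip them here.
        if ($dep -and -not $dep.StartsWith('+')) {
            Get-ServiceChain -Name $dep -Depth ($Depth + 1) -Seen $Seen
        }
    }
}

function Test-Afd {
    # The registry key the post asks to export, plus the driver file it should load.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD'
    $file = Join-Path $env:SystemRoot 'System32\drivers\afd.sys'
    $props = if (Test-Path $key) { Get-ItemProperty $key } else { $null }
    [pscustomobject]@{
        RegistryKeyPresent = [bool]$props
        Start              = $props.Start      # 1 = system start (AFD's normal setting), 4 = disabled
        ImagePath          = $props.ImagePath
        DriverOnDisk       = Test-Path -LiteralPath $file
        DriverVersion      = if (Test-Path -LiteralPath $file) { (Get-Item -LiteralPath $file).VersionInfo.FileVersion } else { $null }
    }
}

Get-ServiceChain -Name Dhcp | Format-Table Depth, Service, State, ImageOnDisk, Image -AutoSize
Test-Afd
```

A row with State `MISSING (no registry key)` or `ImageOnDisk False` is the broken link the Event Viewer errors point at; for the AFD case in this thread, `RegistryKeyPresent False` with `DriverOnDisk True` would mean the file survived but the service registration did not, which is what re-importing a known-good AFD key from another machine of the same Windows version would repair.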
 
Can you re-run the SystemLook script first (my reply #4)?
I'd like to see if afd.sys is in the right place.

Attached is zipped afd.reg
 

Attachments
  • afd.zip (574 bytes)
OK. At this point I think it may be a better idea to use System Restore to go back to a day before all the problems started, and we'll rescan your computer afterward.

See if you can use some restore point.
 
I ran the Windows recovery console from a repair CD and it said that it automatically detected a problem on my system. I told it to go ahead and work its magic.

I am now online on the machine that we have been working on, without system restoring.
 
Wow! Good news :)

We have to rescan now....

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

========================================================================

Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double-click the downloaded .exe file, select the Rootkit tab and click the Scan button.
Do NOT use the computer while GMER is running!
When the scan is complete, click the Save button and save the results as gmer.log
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in the right pane.
If still no joy, try to run it from Safe Mode.

======================================================================

Download MBRCheck to your desktop

Double-click MBRCheck.exe to run it (Vista and Windows 7 users, right-click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
 
Scans completed
 

Attachments
  • gmer.log (30.1 KB)
  • mbam-log-2010-08-15 (00-20-01).txt (880 bytes)
  • MBRCheck_08.15.10_00.29.58.txt (12.8 KB)
All look good :)

Any current issues? What about the redirection this whole thread started with?

Delete your Combofix file, download a fresh one, run it and post the fresh log.
IMPORTANT! Combofix should create a new restore point, BUT, just in case, I want you to manually create one BEFORE you run Combofix.
 
No redirection, no random popups, nothing!

I'll run a fresh Combofix when I wake up and post logs first thing in the morning. Gotta get some shut-eye.

Thanks for continuing help.
 
Looks good too :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=====================================================================

Download OTL to your Desktop.

* Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
* Under the Custom Scan box paste this in:

    Code:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
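The interesting lines in that custom scan are the three `/md5` entries (user32.dll and the two Winsock DLLs, the usual patch targets for a redirecting infection that lives in the network stack) and the two Windows Update keys. As an added example, not from the thread or from OTL, here is plain PowerShell that produces the same facts so they can be compared with a clean machine of the same Windows version; the function names are my own, and the `NoAutoUpdate`/`AUOptions` value names are the documented Automatic Updates policy values, not anything the scan output above shows.

```powershell
# Added example, not from the thread: reproduce the file and registry checks the
# OTL custom scan requests (MD5 of user32.dll, ws2_32.dll, ws2help.dll, and the
# Windows Update policy / last-install values) without the scan tool, so the
# output can be diffed against a known-good machine.

function Get-FileFingerprint {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path=$Path; Present=$false }
    }
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try {
        $m = ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
        $fs.Position = 0
        $s = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally { $fs.Dispose() }
    $vi  = (Get-Item -LiteralPath $Path).VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Present     = $true
        MD5         = $m          # what OTL's /md5 switch reports
        SHA256      = $s          # stronger hash for comparing against a clean copy
        FileVersion = $vi.FileVersion
        Company     = $vi.CompanyName
        # Catalog-signed OS files may show NotSigned on Vista/7-era PowerShell, so a
        # hash mismatch against a clean copy, not this field alone, is the signal.
        Signature   = $sig.Status
    }
}

function Get-WinsockStackFingerprints {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    foreach ($f in 'user32.dll', 'ws2_32.dll', 'ws2help.dll') {
        Get-FileFingerprint -Path (Join-Path $sys32 $f)
    }
}

function Get-WindowsUpdateState {
    # The same two keys the OTL scan queries: the Automatic Updates policy key
    # (a common place for malware to switch updates off) and the last successful install.
    $au  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $res = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install'
    [pscustomobject]@{
        AUPolicyKeyPresent = Test-Path $au
        NoAutoUpdate       = if (Test-Path $au)  { (Get-ItemProperty $au).NoAutoUpdate } else { $null }
        AUOptions          = if (Test-Path $au)  { (Get-ItemProperty $au).AUOptions }    else { $null }
        LastSuccessTime    = if (Test-Path $res) { (Get-ItemProperty $res).LastSuccessTime } else { $null }
    }
}

Get-WinsockStackFingerprints | Format-List
Get-WindowsUpdateState
```

A `NoAutoUpdate` of 1 with a stale `LastSuccessTime` is the pattern that makes the scan ask for those keys; a Winsock DLL whose MD5 differs from the same build on a clean machine is the kind of patched file that produces search redirection without anything showing up in the browser itself.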
 
Only one notepad window opened upon the scan finishing, OTL.txt. File attached.

Combofix uninstalled successfully.
 

Attachments
  • OTL.Txt (148.1 KB)
You're running extremely low on C drive free space:
Drive C: | 596.07 Gb Total Space | 11.27 Gb Free Space | 1.89% Space Free
You have to start moving some stuff off it, or one of these days your computer may not boot anymore.

=======================================================================

We need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

=======================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    [1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]
    @Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:05EE1EEF
    @Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:888AFB86
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
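The fix list above removes four kinds of leftover: IE policy restrictions (O6/O7), a ShellExecuteHooks CLSID that no longer resolves to a class key (O28), a stray `*.tmp` in the drivers folder, and two alternate data streams hanging off `C:\ProgramData\TEMP`. Here is an added PowerShell example (not from the thread or from OTL) that inspects each of those locations, so you can see what is there before the fix and confirm it is gone afterwards. It assumes PowerShell 3 or later for `Get-Item -Stream`; the function names are my own.

```powershell
# Added example, not part of the thread: inspect the items the OTL fix removes
# (IE policy keys, ShellExecuteHooks CLSIDs, *.tmp in System32\drivers, and
# alternate data streams on C:\ProgramData\TEMP). Run before and after the fix.
# Assumes PowerShell 3+ for the -Stream parameter.

function Get-AlternateDataStreams {
    # Lists every named stream except the default ::$DATA on a file or directory.
    # On Windows PowerShell 5.1 stream enumeration may only work on files, hence -ErrorAction.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object @{ n='Path'; e={ $Path } }, Stream, Length
}

function Get-ShellExecuteHooks {
    # Each value name under ShellExecuteHooks is a CLSID; resolve it to its DLL.
    # OTL flagged the O28 entry above because the CLSID had no class key ("Key error").
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    if (-not (Test-Path $key)) { return @() }
    $names = (Get-Item $key).GetValueNames() | Where-Object { $_ -like '{*}' }
    foreach ($clsid in $names) {
        $server   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll      = if (Test-Path $server) { (Get-Item $server).GetValue('') } else { $null }
        $resolved = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) } else { $null }
        [pscustomobject]@{
            CLSID           = $clsid
            ClassRegistered = [bool]$dll
            Dll             = $resolved
            DllOnDisk       = if ($resolved) { Test-Path -LiteralPath $resolved } else { $false }
        }
    }
}

function Get-IePolicyRestrictions {
    # The O6/O7 lines: any value under these policy keys locks down IE or its Control Panel.
    $keys = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Restrictions',
            'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $item = Get-Item $k
            foreach ($v in $item.GetValueNames()) {
                [pscustomobject]@{ Key=$k; Value=$v; Data=$item.GetValue($v) }
            }
        }
    }
}

function Get-DriverTempFiles {
    # Real drivers are *.sys; a *.tmp left in the drivers folder deserves a look.
    Get-ChildItem -LiteralPath (Join-Path $env:SystemRoot 'System32\drivers') -Filter '*.tmp' -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Get-AlternateDataStreams -Path (Join-Path $env:ProgramData 'TEMP')
Get-ShellExecuteHooks
Get-IePolicyRestrictions
Get-DriverTempFiles
```

After the OTL fix and reboot, the first three calls should return nothing and `Get-ShellExecuteHooks` should list only entries whose `ClassRegistered` and `DllOnDisk` are both true.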
 