Network connections and sound not working after malwarebytes

Status
Not open for further replies.

dahernandez

Well, I had what I thought was just a startup problem after running Malwarebytes, but I think it may be more... My original message from the OS forum:
So recently my computer (XP SP3) was hit hard by a bunch of spyware over a couple of days. I ran Malwarebytes and it asked me to reboot to finish cleaning, and when it did, my start menu and desktop icons did not show up and I would get an error message saying init32.exe had to be shut down and asking if I wanted to send an error report. I hit yes and it seemed to send, however nothing else seemed to happen. Then, by using Task Manager and selecting New Task explorer.exe, my icons and start menu would pop up, however my internet and sound would not work. I used System Restore and finally found one that allowed my internet to work, and then reran Malwarebytes and SUPERAntiSpyware, and it asked me to restart, which I did, and then the same thing would happen. I tried System Restore again, however now it wouldn't let me go back as far as I did before. It only allows me one restore on Feb 3rd. I tried it, however after it restarts it says the restore did not work. I keep running SUPERAntiSpyware and Malwarebytes, and it says my computer is clean, however I haven't been able to update them, so I'm not sure if something else is wrong that's either unrelated or that occurred as a result of the cleaning or System Restore. I have run both scans and System Restore in normal and safe mode.
Thanks ahead of time. I'm totally stumped and need my PC ASAP for school.

If an admin would like to combine the posts and delete the quote be my guest.

Well, I ran Malwarebytes again and it found something even though my computer apparently was not able to connect to the internet. SUPERAntiSpyware found nothing, and when I try to run Trend Micro PC-cillin (which is outdated since my trial ran out last August) it says it can't run. I tried to install AVG but it said I should remove my previous antivirus before, and when I tried it said it could not be done. I was able to install HJT, however I have no clue what to check to clean, if anyone can look through my log. I also included the most recent Malwarebytes log.

So no one can help me?

Well, update: even though it said I shouldn't install it until I remove my previous antivirus, I went ahead and installed AVG and it caught quite a few things, so I restarted and everything was still the same. However, this time when I tried to use System Restore it worked and I actually had sound again, although my network still didn't work, so I reran everything and caught a bunch of things and it asked me to restart again, and when I did it was back to the same thing: no sound, no network, no desktop icons, no start menu and the init32.exe error. So I tried to restore again. This time the restore failed, but all of a sudden my internet worked, so I hurried and updated AVG, and AVG kept catching infections after the update. However, it was catching weird infections constantly; it said programs that I've had on my computer and know are clean are infected, so now I'm confused. I figured something else had gone wrong and quickly restarted my computer in safe mode and I'm running everything again. Can no one help me? I'm a poor college student and can't afford professional help.
 
I have done the 8 steps and I can't update anything because my network connection does not start up. I am rerunning AVG, MBAM and SAS and I'll repost any logs. I am in safe mode at the moment because of the weird behavior I had in my last post.

You probably want to do the 8 steps linked above if you haven't already and post your logs. Hopefully we can get this fixed. I have posted on other forums and if I find anything that works I'll post back.
 
Are you doing these in Safe Mode networking and do you have Internet access there?

Mike
 
Yes I am in safe mode with networking and no internet. And when I'm not in safe mode and open network connections and try to use the troubleshoot it never pops up.
 
Boot to Safe Mode and do all below.

In your case I am assuming you are using another computer and a Flash drive to get these things on the affected computer.

So save the below to a notepad file and take to the affected computer and copy from the notepad file. Do not create a bat or cmd file from this; it is designed to be pasted directly to the command prompt!

This should fix your Internet!

Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.

Then paste to the black screen of an open command prompt. All may not apply so ignore errors.
Code:
@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

sc stop TDSSserv.sys
sc delete TDSSserv.sys
:: Above sc commands first stops then deletes service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
::The above reg commands first unloads the reg keys then deletes these keys.
::
Attrib -h -s -r tdss*.* /s
del  tdss*.* /f /q /s
:: The above two lines first clears protective attributes then 
:: deletes all files on Drive beginning with the name tdss

:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"

del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q

rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"

attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s/q "c:\Program Files\Antivirus 2009"

attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
attrib -h -s -r c:\WINDOWS\system32\scui.cpl
attrib -h -s -r c:\WINDOWS\system32\winsrc.dll

del c:\WINDOWS\system32\ieupdates.exe /f /q
del c:\WINDOWS\system32\scui.cpl /f /q
del c:\WINDOWS\system32\winsrc.dll /f /q

attrib -h -s -r "c:\program files\xwdxqu.txt"
attrib -h -s -r c:\windows\x
attrib -h -s -r c:\windows\SxsCaPendDel

del "c:\program files\xwdxqu.txt" /f /q
del c:\windows\x  /f /q
del c:\windows\SxsCaPendDel  /f /q

reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f

:: rootkit gaopdxserv
attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

sc stop gaopdxserv.sys
sc delete gaopdxserv.sys

del  /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
del  /f /q  "c:\windows\system32\gaopdxqpqjwmyc.dll"
del  /f /q  "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

sc stop WinSvchostManager
sc delete WinSvchostManager

sc stop ntndis
sc delete ntndis

attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"

del  /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
del  /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"

sc stop u_lehj
sc delete u_lehj

attrib -h -s -r "c:\program files\Common Files\System\u_lehj32.dll"
del  /f /q "c:\program files\Common Files\System\u_lehj32.dll"

attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"

del  /f /q "C:\WINDOWS\system32\svcprs32.exe"
del  /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
del  /f /q "C:\WINDOWS\system32\mdmcls32.exe"

reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f

reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
echo Finished ripping out Antivirus 2008-9
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit

This should run and exit!

It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal; ignore them.

Reboot and let me know!

Mike
 
Try Normal and if Internet is fixed go straight into the 8 Steps.

If it did not fix the Internet do the below using the same as the last copy paste operation.

Do not do below if Internet is working!

Drag mouse with left button down the lines below across then paste each line below 1 at a time to an open CMD prompt and hit enter, ignore any errors for now.
Code:
@echo off
ipconfig /all >"%USERPROFILE%\Desktop\ipconfig.txt"
:: Saves IP settings
netsh interface ip delete arpcache
ipconfig /flushdns
ipconfig /release *
ipconfig /renew *
ipconfig /registerdns
nbtstat -RR
netsh winsock show catalog >"%USERPROFILE%\Desktop\lsp.txt"
:: Saves log of current settings
netsh winsock reset catalog
:: Resets Winsock
netsh winsock show catalog >>"%USERPROFILE%\Desktop\lsp.txt"
:: Winsock after reset
netsh int ip reset >"%USERPROFILE%\Desktop\tcpreset.txt"
:: Reset TCP stack
exit
exit

Reboot see new icons on desktop, paste contents of lsp and tcp.txt back to thread.

Mike
 
Well, I did the first one and rebooted and had no luck initially, so I rebooted into safe mode and did the second one, and when I rebooted my internet started working again. So I just finished updating Malwarebytes and I'm going to update everything and rerun the steps 1-8. Did you still want me to post the contents of lsp and tcp.txt, however?
 
Nah not unless we have more Internet access issues.

Keep up the good work, get me those logs!

Mike
 
Well, it took me a few days to post back here because of school, but mainly because scans took so long to complete. So after I updated, AVG went crazy finding basically every .htm file on my computer as a virus, HTML/Framer, so knowing that some of the programs were safe I decided to go into safe mode and run AVG there. The first log is that one; AVG only ran in the cmd prompt, it said because of the safe mode. Then I restarted and ran Malwarebytes and Spybot S&D, which took a very long time to scan because AVG kept popping up with those .htm viruses. The next log is the Malwarebytes one from that scan. However, by the time both those scans finished and cleaned everything, I attempted to run the AVG scanner and SAS and neither would run, so I was forced to restart, and as soon as I hit New Task explorer.exe about 50 or more DOS windows popped up and closed almost immediately, with varying names from cmd.exe to command.exe and possibly a couple more variations of the word command, and finally my start menu and desktop icons came back up and the internet was gone again. But I assumed, since I already updated, this wasn't as big a deal as getting my computer clean, so I ran AVG and it caught somewhere in the area of 10,000 infections, but almost all were those HTML/Framer viruses, and all those files are just being deleted since the AVG vault was full almost after a few minutes of running. Then after I cleaned those I ran another Malwarebytes and SAS, but when I came back from school there had been a power outage, and so I don't think it finished before my computer was turned off. So I turned it back on, and something that hadn't happened since my computer was initially infected happened.
As it was starting, instead of the normal blue background startup it was a black background with an old-Windows-looking window that had the user and password to be input, which never happened before as I don't have a password, so I just hit OK and started with explorer.exe again, and then my sound came back all of a sudden but no internet, and my taskbar didn't have the normal XP look but the classic look, which seemed odd, and when I opened my Control Panel it said it was set to the normal XP look, not the classic. Of course those cosmetic issues didn't bother me as much as getting my computer fixed, so I ran AVG and found around 6000 more infections, again mostly if not all those HTML ones, and I saved that log and uploaded it (had to split it up into 2 files because it was so big), and then ran Malwarebytes, and that log is next. Then I ran SAS and it found nothing, and the entire time this was running, Spybot almost every few seconds kept giving me popups asking me if I wanted to allow or deny some changes being made to my registry, so I kept hitting deny, assuming whatever malware I have is trying to change it, but it kept popping up. So after all that I restarted again and the window asking for my password at startup didn't show up, and after I did New Task and explorer.exe the taskbar was still the classic view but the sound was gone again and no internet, so I ran AVG and it found much, much fewer but still around 50 or so of those HTML ones, and then I ran Malwarebytes and it found nothing, as well as SAS, and Spybot only had about 2 or 3 of those popups asking me to allow or deny changes. So I figure I'm on the right track as fewer and fewer things are being caught. I restarted this morning and I'm attaching the HJT log, and AVG did pop up 3 of those HTML ones right at startup without me running a scan, and Spybot had only one popup, in which I denied something trying to change startup.exe "...some % things" to "startup.exe" "..same things".
So I'm going to leave AVG running again while I go to class, and hopefully by the time I get back I'll have even fewer things that it finds wrong, but it still seems like the underlying cause is still there and doesn't seem to be caught by anything and is responsible for this init32.exe error at startup. Also, whenever I do start and New Task explorer.exe, my icons and taskbar do not show up until after I receive the init32.exe error. I've tried stopping the process before the error and still nothing shows up until I receive the init32.exe error. Thanks again if anyone can help out, and to mflynn who's been very helpful. When I get home I'm going to retry those cmd prompt commands to try and get my internet back again and try updating again.

HJT log, since I exceeded the 5 upload limit on the previous post
 
Actually I wish you had run the 8 Steps and gotten me the logs first. I hope you did not lose much.
There is a possibility that AVG is corrupted and under the control of Malware which would make some of these False positives.

You need to UPDATE then run MBAM again Quick Scan as it had a lot and I feel there are more.

And you never sent an SAS log. So update it and run it and post log.

Then do the below (only after all above is complete)

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click to RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix

NOTE: If you have had ComboFix more than a few days old delete and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
 
I will do that when I get back from school. Malwarebytes is updated as of 3 days ago, but I'll get my internet back up and update it and SAS again. Also, I did not post an SAS log because SAS did not find anything; I didn't think it saved logs if nothing was found. As far as AVG being corrupted, that's what I initially thought, and I posted on the AVG forums asking if that was possible and they just deleted my post, and when I PM'd an AVG team member he said it was deleted because whatever I posted was ridiculous and believed to be me just badmouthing them to other forum members, so I went ahead and let AVG delete all those .htm files. Even if I did lose files, they were mostly some type of help files for programs and that's really not that important. I can reinstall programs; I'm more concerned with making sure my computer is safe and working properly again without losing any of my media/school files.
Thanks again for your help, mflynn.
 
All right good to know you did in fact run SAS!

Well it (the AVG finds) does look out of the ordinary.

After you get me the requested MBAM SDFix and ComboFix logs and they are processed to clean, I am going to suggest we replace the AVG which shows to be Ver. 7.5 with Avira which is as good as the best and way better than AVG!

But do not do that yourself; do it under my guidance.

Mike
 
OK, so I ran the first code to restart my internet, then restarted, and my original XP-style taskbar was back, no longer the classic view, and the local area connection icon popped up and said I was connected like normal. However, when I tried to open Firefox it continually crashed, and when I opened IE it showed a very suspicious-looking error page whose troubleshooter tried to have me send 'Microsoft' some information to better their service or something like that. Anyway, I tried to update but both MBAM and SAS said there was either no internet or they were blocked by the firewall. So I restarted into safe mode and internet was working fine there, although Firefox still kept crashing, but IE worked and I was able to update both MBAM and SAS. Then I ran full scans, first with SAS, which found a few things, and then ran MBAM and found nothing, so there was no MBAM log. I have since restarted and am running quick scans of both currently in regular mode. Still no internet, or not able to reach the update servers, in normal mode, but my sound finally came back!!!!!! So I'm running those scans and the other things you've said and I will post back. So far, right after start, MBAM found 5 infections. Also, I know you have told me nothing about Spybot but I do have it, and it keeps bugging me, telling me that something is trying to create a new entry in windows/system32/...various file names (the first one up is reader_s.exe) and asking if I want to deny or allow. I'm not hitting either since it'll just make a ton more pop up and slow down my scans. AVG again is going nuts telling me there are .htm viruses, and I am no longer telling it to delete, just closing the window.
Thanks again Mike!

Well, MBAM found 26 infections, then I started SAS and my computer crashed (blue screen of death). So I'm restarting and rerunning the scans. Here is the MBAM log.
 
Whoa!

Unplug your network cable while doing the below.

OK, I hate to ask you to do this, but you need to run each of SAS, MBAM, ComboFix and last SDFix, one after the other.

Run MBAM, check the log, and if not clean run again until it is clean or finds something it cannot clean. With the cable disconnected do not worry about logs. Do it like this for each of the programs above.

Once you are through this, then reboot, reconnect the cable, log in here and install Avira, update and do a full scan, and clean all it finds.

Only after you have the protection of Avira uninstall the AVG!

Mike
 
OK, cable is unplugged, but just to clarify: you want me to run SAS over and over until it no longer finds anything wrong and not worry about saving logs, then run MBAM over and over until it finds nothing wrong and not worry about logs, then run ComboFix and then SDFix? Isn't ComboFix like HJT, where it saves a log and needs someone experienced to review it before telling it to remove anything? So just run ComboFix and save the log but have it do nothing, then run all the SDFix steps? Are quick scans OK for MBAM and SAS? And what if they require restarts to finish cleaning?

OK, well, I cannot run SAS without my computer crashing.
 
Save the ComboFix log; I will get it when we plug the cable back in. Run ComboFix only once!

As for SAS, try it in Safe Mode, but if it fails again skip it and do the other runs. But if it runs in Safe Mode till clean, then run once more in full if it will.

Plug in the cable and log in here, get Avira and update and run it!

Mike
 
OK, ran SAS in safe mode 3 times, with the last 2 times clean, then tried in normal mode with a crash again, so I moved on to MBAM and I have been running it all day, and I keep getting the same 2 infections caught. MBAM says they were successfully quarantined and removed, but every time without fail they continue showing up:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Should I move on to ComboFix and SDFix?
 
OK, the fixlogon found nothing needing repair. I then proceeded with ComboFix (log attached) and I'm currently installing SDFix, then I'll install Avira.

EDIT: I installed SDFix, rebooted to safe mode, and upon starting it my computer crashes, same as with SAS before. I've tried it twice now and both times it crashed.
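
One way to confirm the pattern reported in the post above, where MBAM keeps flagging the same Winlogon\Userinit entries after reporting them removed, is to compare the "Registry Data Items Infected" section across consecutive logs. This is an added example, not part of the original thread: the function names are hypothetical, and the three scan logs are constructed around the two lines quoted in the post.

```python
import re
from collections import namedtuple

Detection = namedtuple("Detection", "item signature data action")

SECTION = "Registry Data Items Infected:"
# Matches: <registry item> (<signature>) -> Data: <value> -> <action>.
LINE_RE = re.compile(
    r"^(?P<item>HKEY_.+?) \((?P<signature>[^()]+)\) -> Data: (?P<data>.+?)"
    r" -> (?P<action>.+?)\.?$"
)


def parse_registry_data_items(log_text):
    """Return the detections listed under 'Registry Data Items Infected:'."""
    detections, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == SECTION:
            in_section = True
            continue
        if in_section:
            if line.endswith("Infected:"):  # the next section header ends ours
                break
            match = LINE_RE.match(line)
            if match:
                detections.append(Detection(**match.groupdict()))
    return detections


def recurring_after_removal(scan_logs):
    """scan_logs: log texts, oldest first.

    Returns {(item, data): times_seen_again} for entries that show up again
    after an earlier scan reported them as successfully removed. A non-empty
    result means something is rewriting the value between scans.
    """
    removed, recurred = set(), {}
    for text in scan_logs:
        seen_this_scan = set()
        for det in parse_registry_data_items(text):
            key = (det.item.lower(), det.data.lower())
            if key in seen_this_scan:
                continue
            seen_this_scan.add(key)
            if key in removed:
                recurred[key] = recurred.get(key, 0) + 1
            if "successfully" in det.action.lower():
                removed.add(key)
    return recurred


# The two lines quoted in the post above.
PAGE_LINES = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully."""
# Constructed one-off entry (placeholder names) that does not come back.
ONE_OFF = (r"HKEY_CURRENT_USER\Software\ExampleVendor\Setting (Constructed.Sample)"
           r" -> Data: placeholder -> Quarantined and deleted successfully.")


def make_log(*entries):
    """Build a constructed log fragment around the given detection lines."""
    return "\n".join([SECTION, *entries, "", "Files Infected:",
                      "(No malicious items detected)"])


# Constructed sequence of three scans, oldest first.
SCANS = [make_log(PAGE_LINES, ONE_OFF), make_log(PAGE_LINES), make_log(PAGE_LINES)]

if __name__ == "__main__":
    for (item, data), count in recurring_after_removal(SCANS).items():
        print(f"re-detected {count}x after removal: {item} = {data}")
```
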
 
Yes I see that

Please uninstall Trend Micro PC-cillin Internet Security
If Trend does not un-install properly, you can do the following:

*Start->Run-> C:\Program Files\Trend Micro\Internet Security 12\TISSuprt.exe
The Trend Micro Diagnostic Toolkit window will appear. Click on the Uninstall tab
Click on the Un-install button
Click on the Un-install button again when asked if you want to continue with the un-installation
Restart your computer

* Note: If the Trend Micro Diagnostic Toolkit window does not appear
Run: C:\Program Files\Trend Micro\Internet Security 12\PCCTool.exe

Or read here for more info: http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1036064&id=EN-1036064

---------------

Finally, once it is gone, then install Avira free AntiVirus

Re-open Malwarebytes; update it again; and then run another full scan (I'm thinking there may still be more uncovered malwares to remove)

--------------

Doing the above will stop the restarts and clean your system a lot more effectively than Trend
 
When finished, run ComboFix again. The last run had found/removed items. We need to confirm they are gone and find no more.

We are after a clean log!

Mike
 
Should I also remove AVG, or only remove it after I've installed Avira?

Also, I started this morning and it's back to some old behavior: sound gone, no network connection, and a black screen with the old Windows startup window asking me to put in my password, along with the classic view taskbar after I do run explorer.exe. So I'm going to have to run that first code to get everything back, and I'm guessing rerun MBAM and SAS.
 
Get me the Combofix log.

Then

Install Avira first then uninstall AVG then full scan in Avira.

Ignore the other sound etc. for now. One thing at a time; we need to be clean of malware first!

Mike
 