Virus Removed, but Network Connection Firewalled

[JSHjet]

Hello guys,

My PC was infected with the virus Win32:Rootkit-gen[Rtk].  It resided in C:\Windows\System32\xa.tmp.
The symptom that alerted me to the infection was a pop-up saying I was infected and needed to install this program...etc...
I immediately hit the reset button and booted into safe mode to prevent further damage.

(Right now, I'm able to access the internet through Safe Mode and logged in as Administrator.
This is the only mode that the internet works in.)

It seems to have been successfuly removed by Avast, however it left behind some damage.
In Control Panel/Network Connections, it says my Connection is Connected, but Firewalled.

I used WinSockXPFix to try and fix the problem, but that failed to work.

Can you guys help me get my Network Connection fixed?
There doesn't appear to be any other damage.


Thank You Very Much!!

-O/S is Windows XP SP3.
--I scanned with Lavasoft Ad-Aware, Spybot S&D and Avast.  All come up clean now.

[Pondus]

--I scanned with Lavasoft Ad-Aware, Spybot S&D and Avast.  All come up clean now.

Have you tried MBAM http://filehippo.com/download_malwarebytes_anti_malware/

[JSHjet]

I just installed and scanned with Malwarebytes in Safe Mode/Admin.  It found 0 infections.

I also downloaded SuperAntiSpyware and tried to install it.  However, I got a message saying this...>

Windows Installer
The system administrator has set policies to prevent this installation.

Why would it let me install Malwarebytes, but not Superantispyware?  Any idea's next?

[Jtaylor83]

Download ComboFix here or here.

Save as ComboFix as a different name or ComboFix will not work. Save it onto Desktop.

Close all windows before running ComboFix.

Double-click on ComboFix and at the Security Warning, click Run.

At the Disclaimer, Click Yes.

ComboFix will create a restore point and back up your registry.

A message will say "This Machine does not have the 'Microsoft Windows Recovery Console' installed", click Yes to install.

Once the Recovery Console is installed, click Yes to continue.

Once ComboFix has finished scanning, it will create a log. Post or attach the ComboFix log.

[Pondus]

Malwarebytes is not recomended to be run in safe mode

http://www.malwarebytes.org/forums/index.php?showtopic=5590

http://www.bleepingcomputer.com/forums/index.php?s=&showtopic=259717&view=findpost&p=1435912

[JSHjet]

-I ran Malwarebytes again in normal boot mode.  It found 0 infections.

--I found out that SuperAntiSpyware cannot be installed in Safe Mode, because the Windows Installer Service does not work in Safe Mode.
So, I installed SuperAntiSpyware in normal mode and ran a scan.  It came up with 11 items called Unclassified.Oreans32, in the registry.
I'm not sure if this is malware or not, but I quarantined it for now.

---I feel 90% sure, that all malware has been removed at this point. I just want to make sure.

----I have got the internet working in Normal Mode now.  SuperAntiSpyware has a Repair Broken Network Connection fuction, so I decided to try it.
It didn't work by itself. Here's what I did to fix the Network Connection.

1) Open Internet Explorer in normal boot mode.  Click on Tools/Internet Options/Advanced/Reset.
This will reset the internet settings.

2) Next I opened SuperAntiSpyware.  Click on Preferences/Repairs/Repair Broken Network Connection (Winsock LSP Chain)/Perform Repair.
It will repair the Network Connection and ask you to reboot.

These 2 steps fixed my internet connection in Normal Mode.

**So, at this point I don't have any known symptoms of infection.  The internet is working and I don't notice any other problems.
It's possible that this virus could have changed other important settings that I don't know about!!

Is there any proper way to go about checking for any further damage?
Also, is SuperAntiSpyware meant to be used in Normal or Safe Mode?


Thank You!!

[Pondus]

Also, is SuperAntiSpyware meant to be used in Normal or Safe Mode?

Of what i have seen on BleepingComputer forum they always recomend running
Malwarebytes / superantispyware in normal mode 
Norman malware cleaner / Dr.WebCureit in safe mode

Is there any proper way to go about checking for any further damage?

Post a HijackThis log that somone her can look at
http://filehippo.com/download_hijackthis/

[JSHjet]

Just an update.  My virus problem is 100% fixed.  Using the steps above.
Programs used: Avast Home; Spybot Search and Destroy; Lavasoft Ad-Aware; Superantispyware and Malwarebytes.

Here's what was found by these programs.
Avast Home: Win32:Rootkit-gen[Rtk] (Located at C:\Windows\system32\xa.tmp)
Spybot Search and Destroy: Win32.Fakealert.ttam , WinSpywareProtect and Fraud.Sysguard
SuperAntiSpyware: Unclassified.Oreans32 (Located at: HKLM\SYSTEM\CurrentControlSet\Enum\Root\Legacy_Oreans32)
Ad-Aware and Malwarebytes: Nothing.

I have one last question.  While trying to remove the virus's, I turned off System Restore.
I like it turned off, because I never have to clean up the crap it creates.  Is it a good idea to leave System Restore turned OFF?
I don't think it would be of much use anyway.

Thank You All!

[JSHjet]

Bump

[Hermite15]

no it's not a good idea to turn system restore off. It can "save your life" in many situations, something broken after a failed or corrupted software install, something broken in Windows etc...Of course delete any restore point that has been created since the infection you got, but keep using sys restore after that. It's also a matter of HDD space. Restore points don't use much space on XP , but they do in Vista (somewhat less in Seven), use diskcleanup from time to time to delete all but the last restore point to regain some space if needed, but again, don't turn it off, it can be really useful.

[DavidR]

@ JSHjet
I have had system restore switched of for many years, but would I recommend you do that without having something to replace it, absolutely not.

If your concern is the space that it takes up you can reduce the size it takes up (rather tan the default size setting) and as Logos suggested periodically clean it out.

[JSHjet]

Alright, I guess I'll turn System Restore back On.
What % of Disk Space do you recommend I set it to?  Right now, it's at 12%.

Also, I was wondering... Since some virus's embed themselves in the System Restore.  Does turning System Restore off prevent these infections?

[YoKenny]

I make mine 5%

I remove all but the last Restore point before I do a defrag.

I don't use Ad-Aware any more as it has out lived its purpose and it is not worth the system resources it consumes nor the hard disk space it consumes.

[DavidR]

12% of what, that is the question ?

With a big hard disk 12% is absolutely ridiculous 12% of 250GB is still enormous at 30GB. Personally I can't see any good reason for it to exceed 1GB which is still big, all that happens is as it reaches that level old restore points are dropped. Even 2GB, whatever that is as a percentage of the Hard Disk/s should be more than big enough for any eventuality.

Viruses don't embed themselves in system restore (which isn't a physical location) or the System Volume Information folder/s (where system restore places restore points). They end up in the System Volume Information folder restore point as a result of being deleted/modified in the system folders, that is what system restore does, tries to give a fall back position to recover (restore) files which may have accidentally been deleted or become damaged. System Restore hasn't the slightest idea that what it might be saving was malware, etc.

[JSHjet]

It's 12% (18GB) of a 150GB HDD.  So, 2% (3GB) should be a fine setting?

Thanks for the answers.