After MBAM scan, network adapters quit working...

[jeremy w]

Hi im having quite a problem here... My laptop has recently been infected with some pretty severe malware. After doing all kinds of scans with MBAM, Adaware, Spybot, HijackThis, SuperAntiSpyware, etc etc I realized there wasnt much hope due to the severe damage to my registry that was caused. I purchased the full version of MBAM, and I noticed after I did a thorough scan that my internet stopped working. Upon further investigation, I realized that somehow a series of extra network adapters had been installed (presumably by the malware). In particular, it created a duplicate version of my wireless network adapter. This additional driver made the network adapter essentially useless. My computer could no longer detect any wireless networks and I could not connect to the internet. I tried to uninstall the extra "ghost" hardware if you will, but I get an error saying it cannot be uninstalled because the system needs this device to start-up. After a lot of searching online, I couldn't come up with a solution.

I am running a Macbook pro that uses Windows XP via Boot Camp, and when I boot up in OS X everything runs flawlessly. Its too bad I use a lot of software that is Windows-based otherwise id be home free in OS X. So ultimately I came to the decision there was no better option than to completely delete the Windows partition, recreate it using the Boot Camp Utility in OS X, reformat the hard drive to NTFS, then reinstall windows to ensure this malware was COMPLETELY removed. Sounds like a flawless plan right?

Well I did all of that and the very first thing I did in my new fresh copy of Windows was install MBAM. Then I thought, what the hell, I might as well do a scan just for the heck of it. You have to figure, on a BRAND new copy of Windows XP without ever surfing the web or installing anything the machine HAS to be 100% malware free. I was connected to my wireless network however at this point. Well somehow MBAM found a slew of trojans and such...

After the befuddlement wore off, I then realized my network adapter stopped working yet again. I went into the device manager, and I had the exact same problem as before... new duplicate ghost hardware shows up that blocks my good device from working. I will include a screen shot of this problem below. Notice there are two Broadcom devices shown. The top one is the good one, and the bad one is in the red box. For some reason it has the exact same name yet adds the "-" on the end of it. I will also attach the MBAM log that resulted from this scan.

To further the mystery, I also have a desktop that I decided I would scan. I installed MBAM on it and performed a full scan. I hadnt done any sort of virus scan on this machine in quite some time, so as expected, there was many, many instances found that MBAM cleaned up. After the scan and reboot, what do you know... my desktop did the EXACT same thing as my laptop did. All sorts of new network adapters that block the good ones from working.

I dont know if somehow my desktop and laptop got infected by the same bug that is causing this, or it has something to do with the result of an MBAM scan, but I cant fix this problem for the life of me. Its driving me insane because I essentially have two useless internet-less computers that cannot be fixed.

If there is anything you can do to help it would be GREATLY appreciated! I am very lost at this point as to where to go and what to do...

Thanks!

mbam_log_2009_02_05__01_06_21_.txt

mbam_log_2009_02_05__01_06_21_.txt

[EliteKiller]

Post the logs since it may be detecting FP's.

Is your desktop a Mac as well? Under 'Other Devices' I see SMBus Controller which indicates that you need to install the appropriate chipset drivers. Afterwards you should be able to install the NIC drivers.

FWIW I've run MBAM on hundreds of PC's (zero Mac's) and never had it uninstall drivers or cause resource conflicts.

[jeremy w]

Is your desktop a Mac as well? Under 'Other Devices' I see SMBus Controller which indicates that you need to install the appropriate chipset drivers. Afterwards you should be able to install the NIC drivers.

FWIW I've run MBAM on hundreds of PC's (zero Mac's) and never had it uninstall drivers or cause resource conflicts.

The desktop is a Dell only running Windows XP. Ive been running Windows under Boot Camp for about 9 months, and for some reason, that SMBus Controller has always shown up there, not sure why but the drivers Apple supplies for Windows dont handle that... But it does not show this on my desktop, which leads me to believe that the problem is not related to a lack of drivers.

Any thoughts as to how MBAM discovered trojans and malware immediately following a fresh install of Windows? Im hoping this bug somehow didnt work its way into the hardware on both of my machines. Also, if someone were to hack into my system, would that enable them to work their way into all the computers on my network? This would make sense if my desktop and laptop were both infected by the same thing.

[EliteKiller]

Any thoughts as to how MBAM discovered trojans and malware immediately following a fresh install of Windows?

Was your pc connected to the internet? Are you behind a firewall or router? They could be false positives (FP's) so we'll need you to post the scan log(s) to confirm or deny.

[jeremy w]

Was your pc connected to the internet? Are you behind a firewall or router? They could be false positives (FP's) so we'll need you to post the scan log(s) to confirm or deny.

Yes both computers were connected to the internet at the time of scan. Im not using any sort of firewall and the router im using is an Airport Express. Is what I posted above not the correct scan log? I attached one to my first post, if this is not what you are looking for let me know where I can find the correct log.

Thanks again.

[EliteKiller]

Sorry, I totally missed the link to the log.

[nosirrah]

There is a nasty infection that binds this extra networking driver to your system in a way that is very difficult to completely remove without damaging things .

I am looking for a work around but for now system restore should get you back to a stable registry , pick a point before the trouble began .

[jeremy w]

Sorry, I totally missed the link to the log.

Thats where it really gets annoying... im sure its the same bug thats causing this but all of the system restore points are gone when I try to revert to an earlier date. My desktop, that should have dozens, if not hundreds, of restore points had none when I went on yesterday to try to set it back. My laptop was the same situation before I reformatted and reinstalled Windows, all of the system restore points were gone. I tried again last night after reinstalling windows and there was actually a few there, but when I went to restore it wouldnt let me click the "next" button, which im guessing is yet another result of this bug.

It truly is unbelievable to think that there are people out there who devote all of their time to creating these types of things that are nothing but a nuisance to the rest of the world. Its so counter-productive it makes my head hurt. Much thanks to you all that are a big part of preventing and putting a stop to it!

[AdvancedSetup]

No guarantee that any of these methods will work but you can give them a try.

Depending on what is wrong there are 3 methods of repair that you can often try to re-establish connectivity.

METHOD 1

LSP-Fix

Repairs Winsock 2 settings, caused by buggy or improperly-removed Internet software, that result in loss of Internet access

LSP-Fix Home Page

Using LSP-Fix to remove Spyware & Hijackers

METHOD 2

WinSock XP Fix 1.2

It can often cure the problem of lost connections after the removal of Adware components or improper uninstall of firewall applications or other tools that modify the XP network and Winsock settings.

If you encounter connection problems after removing network related software, Adware or after registry clean-up; and all other ways fail, then give WinSock XP Fix a try.

Download WinSock XP Fix 1.2

METHOD 3

Microsoft KB article to reset TCP/IP

One of the components of the Internet connection on your computer is a built-in set of instructions called TCP/IP. TCP/IP can sometimes become corrupted. If you cannot connect to the Internet and you have tried all other methods to resolve the problem, TCP/IP might be causing it.

Because TCP/IP is a core component of Windows, you cannot remove it. However, you can reset TCP/IP to its original state by using the NetShell utility (netsh)

How to reset Internet Protocol (TCP/IP) in Windows XP

[jeremy w]

I have tried all three of these with no succes... any other thoughts?

Thanks again for your help.

[AdvancedSetup]

Well you should be able to right click on the bad one and tell it to uninstall

But, if this infection is still alive on your system it might put it back.

You should also fix that SM Bus controller. If it's an intel chipset then get the Intel Chipset Driver and try installing that to see if it fixes it, if not try the MFG website.

[jeremy w]

Well making a little bit of progress... I got the bad ones to uninstall in Device Manager by first going into the registry and deleting the registry files for the bad devices. But you were right... as soon as I uninstall, the bad one goes right back in.

Any thoughts of how I can target the bug on my computer to get rid of it?

[AdvancedSetup]

Not at this time. I've not seen it myself and Bruce (the developer) is aware of it and I'm sure he's looking in to how to fix it in the safest method possible.

I'll have to wait for his comments on this.

Ignoring that it puts them back I would still post a request for help in the HJT forum to have some scans run to locate and remove the offending code and then from there see what can be done to cleanup the mess it made.

[elorei]

I am in the exact same boat. I ran the removal progy, it deleted on reboot a few nasties, and then when I reboot, my network is shot, exact same as above, with additional network adapters followed by a "-". Cannot remove the extra network adapters, windows thinks they are needed for bootup.

The network adapters (the fake ones) all have addresses that are PASSTHRUMP (ROOT\MS_PASSTHRUMP\0002), not a normal address. When malware bytes removed backdoor.bot, it only affected an area of the registry in services (registry keys), hkeylocalmachine\system\currentcontrolset\passthru (and again for control set 01 and 02).

Also, upon removal, a new folder was added to my drived called avenger, which windows replicated upon a system restore. I am now unable to do system restores at all.

I would give you logs, but the comp has no internet connectivity anymore. Desperately need help.

[elorei]

There is a nasty infection that binds this extra networking driver to your system in a way that is very difficult to completely remove without damaging things .

I am looking for a work around but for now system restore should get you back to a stable registry , pick a point before the trouble began .

The extra network drivers do not pop up *UNTIL* you run MBAM and restart the comp to delete locked items. Hope that helps.

[elorei]

More info, in case it helps.

I used the netsh command to reset tcpip and winsock.

Rebooted, system came up and hard shut down from a RCP. Restarted comp, no RCP, but no explorer. Went to registry and removed the key for explorer from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

So far, so good.

[elorei]

An addendum, the extra network adapters are still there in devman and are still irremovable, however, they seem to no longer have any effect at all on connectivity; leading me to believe the extra adapters are a red herring, and the real culprit is a mangled TCPIP.

[jeremy w]

More info, in case it helps.

I used the netsh command to reset tcpip and winsock.

Rebooted, system came up and hard shut down from a RCP. Restarted comp, no RCP, but no explorer. Went to registry and removed the key for explorer from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

So far, so good.

Thats really strange im having some of the same sypmtoms... I thought I had fixed it, the internet was actually working, but then I restarted the computer. When it turned on, after I choose which account log into it doesnt load any icons or the task bar (which I guess means explorer.exe didnt start). I used control alt delete to manually run explorer.exe. About 20 seconds after this, the computer restarted itself and when it came back on Windows loaded fine. Unfortunately it came back on and were back to the same problem. Ill try the netsh thing that you did and see if I have any luck...

Meanwhile, is your computer still going fine?

[elorei]

Meanwhile, is your computer still going fine?

So far it seems fine, however after doing this, MBAM is once again finding backdoor.bot in my registry, and even has found a nice rootkit.pakes.....both of which I am afraid to remove, for obvious reasons, hehe.

[Fatdcuk]

Hi elorei,

If you locate the driver being flagged as Pakes and upload to Virustotal for 39 second opinions.

http://www.virustotal.com

I believe the one i encountered 2 days ago was taking 9/39 flags @VT.

If it is being comfirmed then i know it is safe to have that malware driver removed.

[elorei]

The driver listed as Pakes will not allow itself to be uploaded to virustotal, nor copied, moved, etc.

The file being found by MBAM for the backdoor is ndisio which is a known nasty, however, it is not listed in explorer at all (all system and hidden files are showing).

[BCIengineer]

Sounds like you have been hit by a new PE virus that came out last week. McAfee's name for it is w32/virut.n.

Info about the nasty on Trend: http://blog.trendmicro.com/virux-cases-escalate/

It will infect pretty much every .exe and .scr file on your computer. Some people have said it lives through deleting the partition, which may have been the case for you. I had to format several of my clients PC's because at first McAfee could not clean the virus and instead deleted the files. Not good when it is every .exe on your PC. I also formatted the MBR on my rebuilds, and have not seen any sign of the virus yet.

It connects to a IRC server to allow remote commands to be sent to your PC. I think that is where the rootkits and backdoors are coming from. I have been able to clean (I hope) the virus from most of my client's PCs, using McAfee with at least the 5519 DATs, Malwarebytes, and combofix.

If you do ipconfig at a command prompt all you see is one line "Windows IP Configuration," right?

WinsockXpFix was fixing the issue for me, but I think it breaks again on reboot. It does not get rid of the bogus network adapters though, and the problem does seem to come back.

Hope this helps someone come up with a solution.

[GT500]

... Some people have said it lives through deleting the partition, which may have been the case for you. ...

Some malware can infect common routers, and then easily reinfect Windows machines through security vulnerabilities in Windows networking. Resetting the router usually clears it.

[BCIengineer]

Here is some output from running netsh int ip reset

reset Linkage\UpperBind for ROOT\MS_NDISWANIPX\0000. bad value was:

REG_MULTI_SZ =

Passthru

reset Linkage\UpperBind for PCI\VEN_14E4&DEV_1677&SUBSYS_01791028&REV_01\4&1D7EFF9E&0&00E0. bad value was:

REG_MULTI_SZ =

Passthru

reset Linkage\UpperBind for ROOT\MS_NDISWANIP\0000. bad value was:

REG_MULTI_SZ =

Passthru

[BCIengineer]

I'm sorry this instructions are not more thorough and step by step, but I am in the middle of getting a client's network back up and running.

To get rid of the bogus network adapters, I searched the registry for ms_passthrump. I deleted all the key's that had that value. At one point you it will say you cannot delete a key. Then go to Device manager and uninstall the rouge device. It will also tell you that you can not uninstall the device, but the device will disappear. You should then be able to delete the key also.

Again I apologize for not being more thorough, and I do not recommend taking these measures if you are unsure of what you are doing in the registry.

I will try to get a more descriptive process up later.