2012 security suite attacks....

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dg4, Feb 11, 2012.

  1. dg4

    dg4 Private E-2

    I have tried a few things already but to no avail. I'm going to give it to you pros. Got attacked by malware and now the wireless will not assign an IP to get on the net. I have no disks. Java would not uninstall because of a Windows Installer problem. ComboFix detected ZeroAccess in the TCP/IP stack.
     

    Attached Files:

    Last edited by a moderator: Feb 12, 2012
  2. dg4

    dg4 Private E-2

  3. dg4

    dg4 Private E-2

    I also noticed in Device Manager - Network Adapters I have a double set of Intel(R) Pro/Wireless 2915ABG Network Connection and the number 2 one has a yellow exclamation on it.

    Also in Device Manager-Non plug and Play Drivers there are yellow exclamations on
    MpKslb680ec9d
    tcpip

    Hope it helps
    waiting for your guidance
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please put ComboFix.exe directly onto your Desktop as instructed. You ran it from here >> E:\ComboFix.exe


    Goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.


    See the download links under this icon
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion


    Now please download Farbar Service Scanner and run it on the computer with the issue.
    • Put a check mark in each option box on the left side.
    • Click "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.
    PLEASE COMPLETE ALL of the above including attaching of the 3 logs. Then move on to the below instructions.


    1. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • The above file will open in the notepad.
      • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
      • Edit 0xA0 and replace it with 0x80 (replace A with 8)
      • Under File menu click Save and close the notepad.
    2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install a popup window opens.
      • Select Protocol from the list and then click Add.
      • A new window opens, click Have Disk....
      • In the browse... box type c:\windows\inf
      • Click OK.
      • Select Internet Protocol (TCP/IP), and then click OK.
      • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    3. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
      • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
      • Under File menu click Save and close the notepad.
    4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install
      • A popup window opens. Select Protocol.
      • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    5. After restart please run Farbar Service Scanner again and save the fss.txt log to attach below.
    6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


      Then attach the below logs:
      • the new fss.txt log from Farbar's Service Scanner
      • C:\MGlogs.zip
     
  5. dg4

    dg4 Private E-2

    All went well. Appreciate the help. Will finish the rest now.
     

    Attached Files:

  6. dg4

    dg4 Private E-2

    I got to Step 2 that says "On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes."

    After doing that I got an error message-"Could not uninstall the Internet Protocol (TCP/IP) component. The error is 0x800700002."

    I am at that point right now and have not cleared the window or gone any further. Waiting for next....
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then just skip the rest of this part and just get the new logs from Farbar's Service Scanner and the new MGlogs.zip file to and attach them.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also rerun TDSSkiller and delete the below items if they still appear.
    Code:
    14:18:55.0812 2680 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
    14:18:55.0812 2680 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip 
     
  9. dg4

    dg4 Private E-2

    Just to let you know this step is still in effect... "Edit 0xA0 and replace it with 0x80 (replace A with 8).....and when I was closing all the windows related to this it ask me if I wanted to restart now and I did not restart.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! We will be coming back to this later. And we will be rebooting anyway during the below fix.

    Download the below file and save it to the C:\MGtools folder. It must be saved here for the later fix with Avenger to properly find it.

    dhcp_netbt_tcp-XP.reg

    Now download The Avenger by Swandog46, and save it to your Desktop.

    See the download links under this icon
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Upon reboot, you may see a message about Windows registry editor adding/merging in the dhcp_netbt_tcp-XP.reg patch. Make sure you allow it to add it in if prompted.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  11. dg4

    dg4 Private E-2

    Still cant get on the net...IP is still 0.0.0.0 Seemed to boot up faster though

    Here's the logs
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now run the C:\MGtools\FixNet.bat file by double clicking on it. This is going to run a few repairs on network settings and then it should automatically cause your PC to reboot. After this reboot, continue on with the below instructions.

    Now download SubInACL.msi from Microsoft.
    • Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
    • Now download the below file and save it to your Desktop:
    • Now double click on resetperm.cmd to run this script. Be patient as this may take awhile to run. Also it is imperative that you Run As Administrator. This is not the same thing as your user account having administrator privileges.
      • Once it finishes, reboot your PC again!!!!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  13. dg4

    dg4 Private E-2

    We bought this computer from a refurb store and it has an administrator account set up on it already that requires a password. Is there any other way to set up an administrator account?
     
  14. dg4

    dg4 Private E-2

    after right click on resetperm.cmd there is no option to run as...

    I will wait to hear from you before moving on.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry. Just double click on it to run it.
     
  16. dg4

    dg4 Private E-2

    OK here's the log.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now reboot your PC into safe boot mode and see if you can run the below. Note that since you previously had started these steps, the 0xA0 may already be 0x80 . Just follow along with the steps to make sure everything is as expected.
    1. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • The above file will open in the notepad.
      • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
      • Edit 0xA0 and replace it with 0x80 (replace A with 8)
      • Under File menu click Save and close the notepad.
    2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install a popup window opens.
      • Select Protocol from the list and then click Add.
      • A new window opens, click Have Disk....
      • In the browse... box type c:\windows\inf
      • Click OK.
      • Select Internet Protocol (TCP/IP), and then click OK.
      • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    3. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
      • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
      • Under File menu click Save and close the notepad.
    4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install
      • A popup window opens. Select Protocol.
      • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    5. Restart in normal boot mode and continue with the below.
    6. Please run Farbar Service Scanner again and save the fss.txt log to attach below.
    7. Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


      Then attach the below logs:
      • the new fss.txt log from Farbar's Service Scanner
      • C:\MGlogs.zip
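The nettcpip.inf procedure in messages #4 and #17 works by editing the Characteristics value of the TCP/IP protocol's install section: 0xA0 is NCF_HAS_UI (0x80) plus NCF_NOT_USER_REMOVABLE (0x20), and clearing the 0x20 bit is what makes the Uninstall button in the connection's Properties dialog usable. The following added example (written for this page, not code from the thread or from the tools it uses) parses an INF, decodes the flag bits, flips the bit for step 1 and restores it for step 3. The flag values are the NCF_* bits from netcfgx.h; the sample INF text is constructed for the demo, and the section name MS_TCPIP.PrimaryInstall is assumed to be the "TCP/IP Primary Install" section the post refers to.

```python
"""Added example: what the nettcpip.inf edit in the post actually changes.

Not code from the thread. The flag values are the NCF_* bits from
netcfgx.h; the sample INF text is constructed for the demo, not copied
from a real system, and the section name "MS_TCPIP.PrimaryInstall" is
assumed to be the "TCP/IP Primary Install" section the post refers to.
"""
import re
import shutil

NCF_NOT_USER_REMOVABLE = 0x20   # greys out "Uninstall" in the connection's Properties
NCF_HAS_UI = 0x80               # component has a Properties page
FLAG_NAMES = {
    0x01: "NCF_VIRTUAL", 0x02: "NCF_SOFTWARE_ENUMERATED", 0x04: "NCF_PHYSICAL",
    0x08: "NCF_HIDDEN", 0x10: "NCF_NO_SERVICE", 0x20: "NCF_NOT_USER_REMOVABLE",
    0x40: "NCF_MULTIPORT_INSTANCED_ADAPTER", 0x80: "NCF_HAS_UI",
}
SECTION = "MS_TCPIP.PrimaryInstall"   # assumed name of the "TCP/IP Primary Install" section

# Constructed sample: a TCP/IP install section plus a decoy section with the
# same key, to show that only the target section is touched.
SAMPLE_INF = (
    "[Version]\n"
    'Signature="$Windows NT$"\n'
    "\n"
    "[MS_TCPIP.PrimaryInstall]\n"
    "Characteristics = 0xA0\n"
    "AddReg = TcpIp.Reg\n"
    "\n"
    "[MS_NetBT.PrimaryInstall]\n"
    "Characteristics = 0xA0\n"
)

_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_CHAR_RE = re.compile(r"^(\s*Characteristics\s*=\s*)(0x[0-9A-Fa-f]+|\d+)(.*)$")


def describe_flags(value):
    """Names of the NCF_* bits set in a Characteristics value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def get_characteristics(inf_text, section=SECTION):
    """Return the Characteristics value of one INF section as an int."""
    current = None
    for line in inf_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            continue
        if current == section.lower():
            cm = _CHAR_RE.match(line)
            if cm:
                return int(cm.group(2), 0)   # accepts 0xA0 as well as decimal
    raise ValueError(f"no Characteristics line in [{section}]")


def set_characteristics(inf_text, value, section=SECTION):
    """Rewrite one section's Characteristics line; every other byte is kept as-is."""
    out, current, replaced = [], None, False
    for line in inf_text.splitlines(keepends=True):
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
        elif current == section.lower() and not replaced:
            body = line.rstrip("\r\n")
            cm = _CHAR_RE.match(body)
            if cm:
                eol = line[len(body):]
                line = f"{cm.group(1)}0x{value:02X}{cm.group(3)}{eol}"
                replaced = True
        out.append(line)
    if not replaced:
        raise ValueError(f"no Characteristics line in [{section}]")
    return "".join(out)


def make_user_removable(inf_text, section=SECTION):
    """Step 1 of the post: clear NCF_NOT_USER_REMOVABLE (0xA0 -> 0x80)."""
    v = get_characteristics(inf_text, section)
    return set_characteristics(inf_text, v & ~NCF_NOT_USER_REMOVABLE, section)


def restore_not_removable(inf_text, section=SECTION):
    """Step 3 of the post: set the bit again (0x80 -> 0xA0)."""
    v = get_characteristics(inf_text, section)
    return set_characteristics(inf_text, v | NCF_NOT_USER_REMOVABLE, section)


def patch_file(path, removable=True):
    """Apply the edit to a real INF, keeping a .bak copy; returns (old, new) values."""
    shutil.copyfile(path, path + ".bak")
    with open(path, "r", encoding="latin-1") as f:   # encoding assumed; XP INFs are ANSI text
        text = f.read()
    old = get_characteristics(text)
    new_text = make_user_removable(text) if removable else restore_not_removable(text)
    with open(path, "w", encoding="latin-1") as f:
        f.write(new_text)
    return old, get_characteristics(new_text)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3 and sys.argv[1] in ("unlock", "restore"):
        print(patch_file(sys.argv[2], removable=(sys.argv[1] == "unlock")))
    else:
        print("sample flags:", describe_flags(get_characteristics(SAMPLE_INF)))
        print(make_user_removable(SAMPLE_INF))
```

Run as `python nettcpip_flag.py unlock C:\Windows\inf\nettcpip.inf` before the Uninstall step and `... restore ...` afterwards; the .bak copy is the safety net. The 0x80000002 style error dg4 hit on Uninstall is not something this edit can fix: the flag only controls whether the dialog offers Uninstall, the actual removal still depends on the TCP/IP service registry keys and files being intact.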
     
  18. dg4

    dg4 Private E-2

    I posted the last log without doing the last step (rebooting). I have now rebooted. Do you want another log first or should I continue with the next step you posted?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As long as you have rebooted before doing what I have in message # 17 and then make sure that you reboot again as requested in step 5.
     
  20. dg4

    dg4 Private E-2

    No network connections in safe boot mode, do I try safe boot mode with networking?
     
  21. satrow

    satrow Major Geek Extraordinaire

    Chaslang's not available right now.

    Can you not access your Local Area Connection from Safe Mode?

    If not, it will have to be done from Safe Mode with networking.
     
  22. dg4

    dg4 Private E-2

    Appreciate the pit stop satrow.

    Thats correct.. No network connections show up at all.
    I will reboot into safe mode with networking and charge on.


    I dont have any network connections in safe mode with networking mode either.
     
    Last edited: Feb 14, 2012
  23. dg4

    dg4 Private E-2

    Should I try normal mode? I will wait to hear before moving forward.
     
  24. satrow

    satrow Major Geek Extraordinaire

    I'd hold back on that for Chaslang's opinion, he knows much more than I do about what you're up against :)

    You can check in Device Manager now to see if the networking hardware is showing as installed or as having some error flag showing.
     
  25. dg4

    dg4 Private E-2

    I have this listed twice in Device Manager/Network Adapters

    Intel(R) PRO/Wireless2915ABG Network Connection
    Intel(R) PRO/Wireless2915ABG Network Connection #2

    #2 has a yellow exclamation on it.

    Everything else looked fine but I dont really know what to look for.

    Will wait for further marching orders.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Try safe mode with networking.
     
  27. dg4

    dg4 Private E-2

    See message #22

    No network connections in safe mode with networking either.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay this may be our last option before requiring a reinstall of your PC since you cannot run the instructions in message # 17.


    Let's delete your network adapters from Device Manager.
    • Open Device Manager by holding down the Windows logo key and at the same time pressing the Pause/Break key. Then in the popup window select Device Manager
    • Then navigate to and expand ( click the + icon to expand ) the Network Adapters area of Device Manager
    • Locate the below two network adapters that you say were listed
      • Intel(R) PRO/Wireless2915ABG Network Connection
      • Intel(R) PRO/Wireless2915ABG Network Connection #2
    • And one at a time right click on each and select Uninstall ( but do not delete the drivers/software )
    • Then reboot your PC.
    • Upon reboot, it should re-detect the hardware and reinstall the drivers for the adapter.
    • Let me know how this goes.
    • After reboot, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


      Then attach the below logs:
      • C:\MGlogs.zip
     
  29. dg4

    dg4 Private E-2

    Looked like it went well
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well it had no effect though. We still need to get the procedure from message # 17 to work. Will that run now?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also one more set of instructions to follow right now.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now reboot your PC.

    After reboot, please run Farbar Service Scanner again and save the fss.txt log to attach below

    Also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • FSS.txt
    • C:\MGlogs.zip
     
  32. dg4

    dg4 Private E-2

    I am in normal mode..Do you want me to try it in normal mode?
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes since it was not possible in safe mode and likely still is not.
     
  34. dg4

    dg4 Private E-2

    Got this message again when I tried instructions in message#17


     
  35. dg4

    dg4 Private E-2

    In Device Manager\Network Adapters\View hidden devices\Non-Plug and Play Drivers, MpKslb680ec9d has a yellow exclamation on it.

    Hope it helps


    Also I am using a similar laptop to post all this. Can we use files from this one copied over to the bad one?
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes this is Windows Defender which is part of Microsoft Security Essentials and it is currently broken along with many other system services and drivers.

    Could we copy files from this PC? Yes! But the problem is we don't know which ones to copy. When we fix one, others break. You could have dozens or more files that are infected. We cannot tell. Also you have dozens of registry entries that are broken and they keep changing. When we fix one, others break. For example:

    In the logs from message # 29 the below services were all fine:
    And only the below ( IPSec ) was broken
    Then after you fixed IPSec with message #31, IPSec is good
    but the below are now broken:
    So basically, all we are doing is going in circles because you have too many problem
    files and too many problem registry entries. And since the infection appears to be
    blocking the ability to run fixes we need to run ( like the c:\windows\inf\nettcpip.inf
    procedure ) we are just not getting anywhere.


    Does System Restore run? If yes can you try doing a restore back to a point several days before these problems began? We will be lucky if you even have any restore points that will work. Your logs do show restore points back to Nov 17, 2011. How about trying the restore point from 2-7-2012? Experience has shown this does not seem to fix the networking issues but maybe it will fix some of the many other broken services.
     
  37. dg4

    dg4 Private E-2

    I tried various system restore points including the one you suggested and none of them worked. Tried about 10 different ones.

    Finally from the reboot F8 menu I chose Last Known Good Configuration and thats where I am now. I'm sure some of those files changed around like you were saying but I still have the 0.0.0.0 for an I.P. address.

    I really appreciate you banging your head against the wall with me trying to fix me.

    I included a Getlog.bat in case something bad happened.

    From what you were saying I guess we are at the end, do you have any suggestions for me going forward?
     

    Attached Files:

  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This would not do anything since you already booted up in this mode any time you booted in normal boot mode. And thus there is no change.

    Of course you are... for the reasons I mentioned. When one item is fixed, others get broken.

    I'm sorry but you just have too much damage to Windows to fix this. It is time for you to backup anything you need and then format and reinstall. You will need your Windows CD to do this.
     
  39. dg4

    dg4 Private E-2

    Didn't come with any disks. If I have xp home sp2 disks from an older laptop can I use those on this? It is running xp pro sp3.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that is not good especially since you do not have a factory recovery partition installed. Normally Dell would give you one or the other.

    Not likely for a variety of reasons.
    • The serial number (activation code) you need is for Windows XP and cannot be used on Windows Home.
    • The Windows Home serial number is assigned to another PC already
    • You will not have all the drivers you will need to properly configure your laptop and its hardware. You need disks that came with the PC and need internet access to download them if you don't have them.
    Let's try a few more things. But first I want to collect some additional info.

    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
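The /md5start ... /md5stop block in the OTL script above hashes the system files that ZeroAccess/Alureon style infections commonly patch (tcpip.sys, afd.sys, tdx.sys, services.exe and the rest), and dg4 later asks whether files from the second, clean laptop could be copied over. The added example below (written for this page, not code from the thread or from OTL) does the check that decides that question: hash the same file list on both machines and report which files differ or are missing on the suspect one. The two directory trees it builds are constructed in a temp folder for the demo; on a real case hash_tree() would be pointed at system32 and system32\drivers on each laptop.

```python
"""Added example: hash the files OTL's /md5start list names and diff them
against the same files from a known-clean machine.

Not code from the thread. The two directory trees below are constructed
in a temp folder for the demo; on a real case you would point hash_tree()
at C:\\Windows\\system32 (and \\drivers) on both laptops.
"""
import hashlib
import os
import tempfile

# Same names the OTL script in the post hashes (looked up relative to the root you pass).
WATCHED = [
    "afd.sys", "atapi.sys", "csrss.exe", "dhcpcsvc.dll", "explorer.exe", "lsass.exe",
    "nsiproxy.sys", "regedit.exe", "services.exe", "svchost.exe", "tcpip.sys", "tdx.sys",
    "userinit.exe", "winlogon.exe",
]


def hash_file(path, algo="sha256", chunk=1 << 20):
    """Stream a file through hashlib; algo='md5' matches OTL's output, sha256 is preferred."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root, names, algo="sha256"):
    """Map each name to its digest, or None if the file is absent under root."""
    out = {}
    for name in names:
        p = os.path.join(root, name)
        out[name] = hash_file(p, algo) if os.path.isfile(p) else None
    return out


def compare(baseline, suspect):
    """Classify each watched file: match, mismatch, missing (on suspect) or no-baseline."""
    report = {}
    for name, good in baseline.items():
        bad = suspect.get(name)
        if good is None:
            report[name] = "no-baseline"
        elif bad is None:
            report[name] = "missing"
        elif bad == good:
            report[name] = "match"
        else:
            report[name] = "mismatch"
    return report


def suspicious(report):
    """Names worth pulling from the clean machine or verifying with a signature check."""
    return sorted(n for n, s in report.items() if s in ("mismatch", "missing"))


def build_demo_trees():
    """Constructed data: a clean tree and a suspect tree with one patched and one missing file."""
    base = tempfile.mkdtemp(prefix="md5diff_")
    clean, suspect = os.path.join(base, "clean"), os.path.join(base, "suspect")
    os.makedirs(clean)
    os.makedirs(suspect)
    contents = {"afd.sys": b"afd ok", "tcpip.sys": b"tcpip ok", "tdx.sys": b"tdx ok"}
    for name, data in contents.items():
        with open(os.path.join(clean, name), "wb") as f:
            f.write(data)
    with open(os.path.join(suspect, "afd.sys"), "wb") as f:
        f.write(b"afd ok")
    with open(os.path.join(suspect, "tcpip.sys"), "wb") as f:
        f.write(b"tcpip ok" + b"\x90" * 16)   # simulated in-place patch of the driver
    # tdx.sys deliberately not written: simulates a driver file the infection removed
    return clean, suspect


def demo():
    """Run the comparison over the constructed trees and return the report."""
    clean, suspect = build_demo_trees()
    names = ["afd.sys", "tcpip.sys", "tdx.sys"]
    return compare(hash_tree(clean, names), hash_tree(suspect, names))


if __name__ == "__main__":
    r = demo()
    for name in sorted(r):
        print(f"{name:12s} {r[name]}")
    print("pull from clean machine:", suspicious(r))
```

Two caveats a practitioner would apply before copying anything across. The clean laptop only makes a valid baseline if it is the same Windows edition at the same service pack and hotfix level; a tcpip.sys from a different patch level will also show up as a mismatch. And a kernel-mode rootkit of the ZeroAccess/TDSS family can hide or redirect reads of the files it patched, so the hashes from the suspect side are only trustworthy when taken with the infected system offline (booted from a live CD with the drive mounted), which is also the safest way to copy replacements in.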
     
  41. dg4

    dg4 Private E-2

    We bought it from a refurb store. No disks came with it.
     

    Attached Files:

  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on these last logs you have lots of drivers and services disabled that should not be. And to make things worse, many of the files needed for them are missing. As I was stating earlier, this is looking like there is just too much damage to Windows to fix this. Without your reinstall CDs from Dell or an original Win XP CD, you most likely cannot fix this. I have been trying additional things since you do not have your CDs, but this may be futile. Let's try another idea or two but I hope you have backed up anything important you need already before things possibly get worse and you cannot boot at all.

    See if you can find and delete the below files. If you don't find them or cannot delete them, just continue on:
    C:\Documents and Settings\user\Local Settings\Application Data\q627c3m4061358n50t62
    C:\Documents and Settings\All Users\Application Data\q627c3m4061358n50t62
    C:\Documents and Settings\user\Local Settings\Application Data\4o8dd5y80jo00c4a2tdod0i741466er6s8n6h8pv7n
    C:\Documents and Settings\All Users\Application Data\4o8dd5y80jo00c4a2tdod0i741466er6s8n6h8pv7n

    Download and save the current version of combofix.exe to your Desktop as the following fix will depend on it being on your Desktop. Now download and save the below to your root folder ( C:\ ) where we had you save MGtools.exe too.

    XPZAfix

    Now locate the XPZAfix.exe file and double click on it to run it. It will extract some files and registry patches into the C:\MGtools\temp folder and will attempt to automatically run ComboFix and apply a fix. Hopefully this runs and ComboFix then reboots your PC.

    If it does run, then after the reboot run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\combofix.txt
    • C:\MGlogs.zip
    Also for a future possible reference, you can download your network card drivers from Dell from the below location:

    http://www.dell.com/support/drivers/us/en/19/DriverDetails/DriverFileFormats?DriverId=R257684&FileId=2731111613

    And other drivers/files can be downloaded at the below link. You just need to know which ones your PC needs since they possibly make various versions of the Latitude D610 PC

    http://www.dell.com/support/drivers/us/en/19
     
    Last edited: Feb 19, 2012
  43. dg4

    dg4 Private E-2

    Files were found and deleted and everything seemed to run the way you described.
     

    Attached Files:

  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not appear that it helped anything. Last try!

    Uninstall Win XP SP3. See: http://support.microsoft.com/kb/950249

    Then redownload XP SP3 from the below link and reinstall.

    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=24

    After the reinstall, make sure you have rebooted, then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  45. dg4

    dg4 Private E-2

    I doubt anything good happened.
     

    Attached Files:

  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's correct! No change.

    You can retry the fix from message # 17 now ( the one using the c:\windows\inf\nettcpip.inf ). If it still cannot be completed as written, we have exhausted what we can try, especially without a Windows XP Pro boot CD. You will have to see if you can purchase a CD to attempt a full reinstall and then after reinstall download and install all necessary drivers.
     
  47. dg4

    dg4 Private E-2

    Thanks for trying and not pulling the rip cord early. I appreciate the fight you guys are doing here.

    Bye.
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Did you give message # 17 another quick try just in case?
     
  49. dg4

    dg4 Private E-2

    Not to drag this on but last night I decided to try and update the definitions of Microsoft Security Essentials and it worked. I ran it overnight and it found 4 Alureon trojans. My son cleared them from the history before I could look at them for exact names. He said they had 32 and 64 attached to the name.
    Anyway, do they have specific things they do or do they wreak general havoc? I'm thinking of going back and trying some other steps you have given me. Should I reinstall SP3 again before trying step 17?
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Most likely all it found were the things we have already removed/fixed and that were in quarantines already. But there may be a few things from it still active in a few system files. Since you could not get all the fixes/steps to run properly and because of the significant damage to your PC we just could not get anywhere. The problems you are having are due to what this infection had done to your PC. The damage was all caused by this infection. You could scan over and over and over again now and you may still find some miscellaneous things related to this infection, but the fact remains that the damage is likely too great to repair.

    That is what I asked you to do a few messages back. I said to uninstall SP3 and then download SP3 and reinstall. I thought you had already done this when you said "I doubt anything good happened. "
     
