Network and Windows Firewall disabled - Windows XP

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by misterg, May 19, 2010.

  1. misterg

    misterg Private E-2

    As of about 2 days ago, my IBM Thinkpad started having problems with trojan detections by Avast!. About the same time, the ethernet connection became disabled, messages started appearing that the windows firewall was disabled, the CD/DVD drive stopped working.

    Two entries had appeared in the DNS server fields of the network card TCP/IP properties. I cleared these and reset it to DHCP.

    I did a HJT scan and found some suspicious entries which I removed. A file atapi32i.sys had to be deleted on boot by HJT, but it is back now :(

    I copied a clean version of atapi.sys and made it read only which restored the CD drive and allowed me to run wfc / scannow which I thought would cure the problem. It appeared to work OK, but a few minutes after re-booting the firewall message re-appeared, and there was still no network connectivity.

    I confess to running rootrepeal and combofix before starting on the instructions in the sticky. I un-installed Avast at that time, as I couldn't seem to disable it to combofix's satisfaction.

    Attempts to enable the firewall via the security centre and control panel remain unsuccessful; the ethernet port detects cables being plugged in and out, but is unable to obtain an IP address. This is with 2 different cables & 2 different routers, both of which have been verified as OK. Hardware manager says that the 'device is working properly'.

    Running through the instructions:
    I had to manually update Super Anti-Spyware and MAM.

    After running SAS, I went through the winsock stack repair in the instructions, but this didn't restore the ethernet connection.

    MAM threw up some errors:

    Window title: "vbAccelerator SGrid ll Control"
    Window contents: "Run-time error '0'" & OK button.

    Clicked OK, then:

    Window title: "Malwarebytes Anti-Malware"
    Window contents: "Run-time error 440"
    "Automation error" & OK button.

    Clicked OK

    On re-boot, I got the message "Windows cannot find c:\program" & OK button

    Clicked OK.

    At stage 2 of combofix I got the error:

    "PEV.cfxxe has encountered a problem and needs to close" On the 'more information' link, it was a protection fault caused by a file in {username}\local settings\temp

    Clicked close, and combofix continued.

    Logs as request - thanks in advance for your help.
     

    Attached Files:

  2. misterg

    misterg Private E-2

    And..
     

    Attached Files:

  3. misterg

    misterg Private E-2

    For "wfc / scannow" read "sfc /scannow" in the original post.

    Also, I ran the Windows malicious software removal tool after I first had problems, and it claimed to remove 'Alureon.A'. After the problems persisted, I also ran it in safe mode.

    This was all before I started on the instructions here.

    Sorry :-o

    Not going to do anything else until I hear from you though :)
     
    Last edited: May 19, 2010
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome, I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. :)
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Don't forget when we have made some progress you're going to have to install some anti virus as currently you have none.


    1. Is this a folder you created yourself?

    2. Please go to Jotti's malware scan

    (If more than one file needs to be scanned they must be done separately and logs posted for each one)
    • Copy the file path in the below Code box:
      Code:
      c:\windows\system32\MpEngineStore\MpKsl6308076b.sys
    • At the upload site, click the browse button.
    • Next click Submit file
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    3. Could you please get this: MpKsl6308076b.sys into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:

    log retrievable @ C:\collect.zip

    4. You have SpyBot Search & Destroy's TeaTimer function running. This could get in the way of any fixes I give to you so please refer to this link for how to disable it:

    How to disable Spybot's TeaTimer


    5. What do you know about this service that is running and its corresponding file?

    6. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    YE
    
    FileLook::
    c:\windows\system32\MpEngineStore\MpKsl6308076b.sys
    c:\windows\system32\advapi32i.exe
    c:\windows\system32\advapi32i.exe srv
    
    DirLook::
    c:\program files\blah~
    c:\program files\Windows Service
    c:\windows\system32\MpEngineStore
    
    File::
    c:\documents and settings\HLGrocott\Application Data\ofubwi.dat
    c:\docume~1\ADMINI~1\LOCALS~1\Temp\YE.exe
    
    Folder::
    c:\documents and settings\All Users\Application Data\Symantec
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe ARM"=-
    "Adobe Reader Speed Launcher"=-
    "SunJavaUpdateSched"=-
    "Symantec PIF AlertEng"=-
    "WireLessKeyboard"=-
    "WireLessMouse"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    7. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this, also include the jotti results, the collect.zip, and answer any questions that I asked. :)

    8. Let me know how the machine is running now.
     
  6. misterg

    misterg Private E-2

    Fully understood.

    yes - it was a slightly earlier install of malwarebytes anti malware.

    I currently have no functioning network access on this machine. I was going to see if I could submit the zipped file, but see below:

    At this point I disabled TeaTimer and re-booted (I was pretty sure I had already done this as part of the preparation..? )

    This didn't do anything - (I copied the command via a text file, so I'm pretty sure it isn't a typo). I looked for the file manually via explorer and the command screen. DIR command in that directory lists 0 files (& 4 directories).

    Done - I thought I had already done this as part of the preparation, but maybe not??

    Only that internet searches suggest that it's associated with malware, and that it is persistent. I originally removed it with HJT (took out the registry entries associated with it and deleted it on boot), but now it's back. I'm not aware that there's any software on the computer that is associated with it.

    Log attached - I got the 'PEV.cfxxe has encountered a problem..." at stage 2 (as before) - clicked OK and combofix continued.

    Hopefully done.

    In view of not being able to locate that first file, I haven't re-booted the machine, and will leave it on unless you tell me otherwise.

    Thanks :)
     

    Attached Files:

  7. misterg

    misterg Private E-2

    Forgot to say - still can't enable windows firewall, or get any network connectivity (Still haven't re-booted since ComboFix's re-boot)
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Right click the below file and send to zipped file.


    • Go to start > run > and type services.msc
    • Once the list of services is showing please look for this service:
    • MpKsl6308076b

    and tell me what information is available.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    RemoteAccessERSvc
    
    Folder::
    c:\program files\Windows Service
    
    File::
    c:\windows\system32\advapi32i.exe srv 
    c:\windows\system32\advapi32i.exe 
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the zipped file if successful and let me know about the service I asked about.

    How is the machine running now?
     
  9. misterg

    misterg Private E-2

    The file isn't there - the c:\windows\system32\MpEngineStore directory has no files, just 2 directories (the 'History' directory has a 'Reboot' sub-directory):

    c:\windows\system32\MpEngineStore\History
    c:\windows\system32\MpEngineStore\History\Reboot
    c:\windows\system32\MpEngineStore\RebootActions

    All appear to be empty.

    I couldn't find that service. I exported the list of services and have attached it to this post


    I still get the 'PEV.cfxxe has encountered a problem...' message at stage_2. (This stops Combofix until I press the [CLOSE] button on the pop-up). On the 'more information' link, the file c:\documents and Settings\{my username}\temp\4084-appcompat.txt was listed. On the 'technical information' link from this there is a very long list of modules. I didn't copy & paste these as I was concerned about upsetting ComboFix.

    Pressed 'close' and Combofix continued. Log attached.

    Firewall still can't be enabled, and still no network connectivity.

    If I go to control panel->Windows firewall I get the message:

    "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) Service? [YES] [NO]"

    If I click [YES] I get a message saying:

    "Windows is starting the Windows Firewall/Internet Connection Sharing (ICS) Service"

    Followed by:

    "Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) Service [OK]"

    If I plug the network cable in, it stalls at 'Acquiring network address'.

    Likewise if I re-enable the wireless networking, it connects but stalls at 'Acquiring Network Address'

    Please note that I haven't re-booted since ComboFix - please let me know if it would be OK to do so. (Otherwise, I'm leaving the machine switched on & un-touched).

    Thanks.
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmmm, well this is showing in your logs:

    We can try this and I can then check logs afterwards, but I may be sending you to another forum to resolve what problems remain.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    MpKsl6308076b
    
    File::
    c:\windows\system32\MpEngineStore\MpKsl6308076b.sys
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Any better?
     
  11. misterg

    misterg Private E-2


    I tried the mgtools\zip command again, but nothing. In both the command window and explorer, the directories appear empty. I have attached the result of executing 'dir >ls.txt' in the MpEngineStore directory.

    ComboFix produced the same pop-up error box again: 'PEV.cfxxe has encountered an error and needs to close. We are sorry for any inconvenience...etc.' this is after stage_2 completed. It doesn't continue unless I click [CLOSE] on the error message.

    Logs attached - thanks for your patience & perseverance :)

    There is no change to the computer - should I have re-booted after MGTools?
     

    Attached Files:

  12. misterg

    misterg Private E-2

    Just FYI - I will be away until this time tomorrow. Thanks for your help so far. If you are confident that the PC is free from malware, I can try and repair the network,etc. separately.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have you tried connecting with a hard wired connection? Your logs are clean. Perhaps you can try deleting your nic card and see if it re-establishes itself on a reboot. You can also see if SAS will repair the connection if you go to preferences / repairs and scroll down to the repair the network item.
     
  14. misterg

    misterg Private E-2

    Still here ;)

    Yes, I've been trying both the wired & wireless network cards. If I wasn't worried about malware, I would just try to re-install the network card.

    Any ideas about why Windows Firewall can't be enabled? Is it possible that the firewall itself is damaged?

    How about using sfc ?

    Thanks to you all for your help
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I didn't see anything in your logs to indicate any of your networking cards being removed.

    Yes, of course, you can go to start / run / and type:
    sfc /scannow

    Another option is to get a wifi usb device and see if you can connect. It's just odd that both wired and wireless would both die at the same time.

    You can also go to the manufacturer's website and download the NIC drivers for your system and replace the old ones.
     
  16. misterg

    misterg Private E-2

    I hadn't tried un-installing the NIC until just now (no change). The computer has both wired & wireless networking & both behave the same - i.e. appear to function & connect normally, but be unable to acquire an IP address.

    edit: DOH! just understood what you meant. I do have a dongle which I could use - sorry :-o

    Have just tried 'MicrosoftFixit50203.msi' to repair the winsock from:

    http://support.microsoft.com/kb/811259

    but no change.

    I note that 'tdsmapi' service is disabled in hardware manager (hidden service) - I don't know what it is, and windows is "Unable to enable" this service. Maybe nothing.

    Still can't enable windows firewall, but will do some more research on that.

    Thanks for your help.

    Will try sfc now.
     
    Last edited: May 21, 2010
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    As Kestrel13! suggested, it may be time for you to post in the software forum for further assistance.
     
  18. misterg

    misterg Private E-2

    OK, thank you all - It looks like I'm back in business:

    For the record....

    I didn't get anywhere re-installing the network card, or network protocols. So I switched attention to the firewall. Trying to start the firewall service directly from the services applet got the message:

    "Error 10050 a socket operation encountered a dead network"

    Searching on this error suggested that the cure was to re-install the SP3 upgrade to Windows XP.

    (Which I got from here)

    And I'm pleased to say that after installing it everything appears to be back to normal.

    AVG installed & gives a clean scan.

    Spybot S&D updated & re-enabled.

    System restore toggled & new restore point created.

    As far as I'm concerned, the thread can be closed.

    Many, many thanks for the time that you all put in here.

    Regards

    misterg.
     
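As an added, defender-side aid that is not part of any post in this thread: a batch file for Windows XP cmd.exe (run from an administrator account) that gathers in one text file the things the posts above ended up checking by hand: the state of the Windows Firewall/ICS service and the stack components under it, a service start attempt so the Windows error text (the "10050" seen above) is captured, the DNS servers set on each adapter, the Winsock provider list, and the files and Run keys the ComboFix script named. The output path and the list of service names are assumptions; tdsmapi and the file paths are taken from the thread.

```batch
@echo off
rem Added diagnostic script (not from the thread). Run from an administrator
rem cmd.exe on Windows XP; the output file is an assumed path, change as needed.
set "OUT=%SystemDrive%\netdiag.txt"
echo Windows Firewall / network diagnostic, %DATE% %TIME% > "%OUT%"

echo.>> "%OUT%"
echo === Services and drivers the firewall and DHCP rest on === >> "%OUT%"
rem SharedAccess is "Windows Firewall/Internet Connection Sharing (ICS)".
rem Tcpip, AFD and NetBT are the kernel-mode parts of the stack; if AFD or Tcpip
rem is not running, error 10050 (WSAENETDOWN, "dead network") is what you get.
rem tdsmapi is the hidden service the thread could not enable (not a Windows default).
for %%S in (SharedAccess Dhcp Dnscache Netman Tcpip AFD NetBT tdsmapi) do (
    echo --- %%S --- >> "%OUT%"
    rem A missing service shows up as an "OpenService FAILED 1060" line.
    sc query %%S | findstr /i "STATE FAILED" >> "%OUT%"
)

echo.>> "%OUT%"
echo === Firewall service configuration and a start attempt === >> "%OUT%"
rem START_TYPE 4 here means the service has been disabled rather than broken.
sc qc SharedAccess >> "%OUT%"
rem net start prints the underlying Windows error in words, e.g.
rem "System error 10050 has occurred. A socket operation encountered a dead network."
net start SharedAccess >> "%OUT%" 2>&1
netsh firewall show state >> "%OUT%" 2>&1

echo.>> "%OUT%"
echo === DNS servers per adapter (DHCP-assigned vs statically set) === >> "%OUT%"
ipconfig /all >> "%OUT%"
netsh interface ip show dns >> "%OUT%"
rem The thread's adapter had two unexpected servers typed into the static DNS
rem fields; flag any adapter that is not taking its DNS servers from DHCP.
netsh interface ip show dns | findstr /i "Statically" >nul && echo WARNING: an adapter lists statically configured DNS servers - check them >> "%OUT%"

echo.>> "%OUT%"
echo === Winsock catalog: provider DLLs other than Windows' own === >> "%OUT%"
rem mswsock.dll, rsvpsp.dll and winrnr.dll are the XP defaults; anything else
rem listed is a layered service provider worth identifying before repairing Winsock.
netsh winsock show catalog | findstr /i /c:"Provider Path" | findstr /v /i "mswsock.dll rsvpsp.dll winrnr.dll" >> "%OUT%"

echo.>> "%OUT%"
echo === Files named in the thread === >> "%OUT%"
for %%F in (
    "%SystemRoot%\system32\drivers\atapi.sys"
    "%SystemRoot%\system32\advapi32i.exe"
    "%SystemRoot%\system32\MpEngineStore\MpKsl6308076b.sys"
) do (
    if exist %%F (echo PRESENT  %%~F >> "%OUT%") else (echo absent   %%~F >> "%OUT%")
)
rem A plain DIR omits hidden and system files, so a folder can look empty;
rem /a lists everything the file system reports (a rootkit can still hide files).
dir /a "%SystemRoot%\system32\MpEngineStore" >> "%OUT%" 2>&1

echo.>> "%OUT%"
echo === Run keys (the ComboFix script removed entries under HKLM) === >> "%OUT%"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" >> "%OUT%" 2>&1
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" >> "%OUT%" 2>&1

echo Done. Attach "%OUT%" to your next post.
```

Nothing in it changes the machine apart from the one service start attempt, which is the same thing the Control Panel dialog in the thread does.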
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Kestrel will be pleased to hear this!! You are most welcome!! Safe surfing! :)
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes that is good news :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
