Uuggghh! another zero access victim!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by cunfuewzd, Dec 28, 2011.

  1. cunfuewzd

    cunfuewzd Private E-2

    Well, over the holiday weekend this bugger added me to the victim list.
    I'm on a dell xps, XP media center sp3. I was researching cell phones and started to get redirected, I don't recall clicking on anything obvious to pick this up.

    Ran MBAM and SAS, Found Zaccess and removed it then rebooted--no internet. Long story short--No internet, no firewall, no system restore..etc.

    Being a typical PC (ab)user I tried the same minor fixes everyone else was trying: Winsock repairs, TCP/IP, TDSSKiller, etc. I learned a lot from MajorGeeks and I thank you all for that, but I underestimated this one. Zero Access left me with some damage and missing services that I don't know how to repair. After 7 years and three moves, I no longer have the reinstall CD.

    So far I ran MBAM and SAS. I did not remove the quarantined files yet. I will if you want me to.

    I ran ComboFix twice; it said to do that for Zero Access. Both logs attached.
    Ran MBR and RootRepeal.

    I also ran MGTools, but ran into some issues. I don't believe it ran correctly. In the command prompt window it said something like "it's not an internal or external application?" for each tool trying to run. I'm sorry for not catching what it said; I didn't want to run it again to find out. No MGTools zip was made and/or located. I have been downloading programs to a memory stick and moving it to the disabled PC. Maybe this is where the problem with MGTools lies... I don't know. Looking forward to your help, and thank you in advance.
     

    Attached Files:

  2. cunfuewzd

    cunfuewzd Private E-2

    Logs for Combofix, rootrepeal
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Hi cunfuewzd,

    http://img684.imageshack.us/img684/3557/tdsskiller.gif I want you to read and follow these instructions: TDSSKiller - How to run

    http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      ipsec.sys
      lsass.exe
      netbt.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp /s
      hklm\system\currentcontrolset\services\afd /s
      hklm\system\currentcontrolset\services\netbt /s
      hklm\system\currentcontrolset\services\tcpip /s
      hklm\system\currentcontrolset\services\ipsec /s
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)
     
  4. cunfuewzd

    cunfuewzd Private E-2

    Hi, Thisisu

    Thank you for your time, I know you're all very busy. I appreciate your help.

    Should I delete quarantined files in MBAM and SAS?

    I ran TDSSkiller twice prior to your help, and now one more time just now. All 3 logs are attached.

    Ran OTL and both logs attached.

    Thank you, cunfuewzd
     

    Attached Files:

  5. cunfuewzd

    cunfuewzd Private E-2

    OTL logs
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    No, leave them there for now. After we are finished with malware removal you can empty the Quarantine folders if you'd like.

    ========WARNING========
    The below is specifically for cunfuewzd's computer
    Do NOT run the below if you are not cunfuewzd
    Doing so may damage your PC!
    ========WARNING========

    Attached is ipsec.zip

    Inside is:
    • ipsec.reg
    • fixme+restart.bat

    Extract both files to the infected computer's desktop.

    First double-click ipsec.reg and allow it to merge into the registry. You should receive a successful message.

    Now reboot your PC.

    Once you have rebooted...

    Test your internet, If it still is not working, run the fixme+restart.bat file by double-clicking it.
    Your PC will reboot again. Once you are back in Windows, test your internet again.

    If it still does not work, attach the fixme_results.txt file the .bat file created.

    http://img853.imageshack.us/img853/6741/addremovexp.gif From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 24

    http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :otl
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    O3 - HKU\S-1-5-21-2228858709-2211194154-1704814173-1008\..\Toolbar\WebBrowser: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - No CLSID value found.
    O3 - HKU\S-1-5-21-2228858709-2211194154-1704814173-1008\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2011/12/24 10:20:14 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\x4tlANs1W.dat
    [2004/08/10 06:00:00 | 000,269,824 | ---- | C] () -- C:\WINDOWS\System32\sbe(6).dll
    [2004/08/10 06:00:00 | 000,269,824 | ---- | C] () -- C:\WINDOWS\System32\sbe(5).dll
    [2004/08/10 06:00:00 | 000,269,824 | ---- | C] () -- C:\WINDOWS\System32\sbe(4).dll
    [2004/08/10 06:00:00 | 000,269,824 | ---- | C] () -- C:\WINDOWS\System32\sbe(3).dll
    :files
    c:\windows\$NtUninstallKB46578$
    c:\documents and settings\NetworkService\Local Settings\Application Data\K6CE6.com
    c:\windows\system32\K6CE6.com
    xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
    xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
    xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
    xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
    ipconfig /all /c
    ipconfig /release /c
    ipconfig /flushdns /c
    ipconfig /renew /c
    netsh int ip reset resetlog.txt /c
    netsh winsock reset /c
    ping google.com /c
    :commands
    [purity]
    [emptytemp]
    [resethosts]
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    http://img195.imageshack.us/img195/9049/javaz.gif Now install the current version of Sun Java from: jre-7u2-windows-i586.exe

    http://img600.imageshack.us/img600/2693/mgtools.gif Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     

    Attached Files:

  7. cunfuewzd

    cunfuewzd Private E-2

    Ok, ran ipsec.reg. It merged successfully. No internet.

    Ran fixme+restart. No internet. txt log attached.

    Removed Java 6 24

    Ran OTL fix successfully. Log attached.

    Updated to current Java

    MGTools ran correctly this time. zip attached

    Still no connection. Thank you, Cunfuewzd
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Retry attaching the OTL fix log. :)
     
  9. cunfuewzd

    cunfuewzd Private E-2

    I think this one's it
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    I would like you try the below.

    Click Start, and then click Run.
    In the Open box, type regedit, and then click OK.
    In Registry Editor, locate the following keys, right-click each key, and then click Delete:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
    When you are prompted to confirm the deletion, click Yes.
    Close the Registry Editor.

    Locate the Nettcpip.inf file in C:\WINDOWS\inf and then open the file in Notepad.
    Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xA0 entry by replacing 0xA0 with 0x80. Save the file. Exit Notepad.
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned, this is the one we want! Do not choose Microsoft TCP/IP v6!

    Note This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
    Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
    You will be asked to reboot your PC for the changes to take effect, go ahead and do this now.

    Once you have rebooted...
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy Manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK.
    Restart your computer.
    Test your Internet connectivity.
     
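    The Winsock/TCP/IP reinstall above deletes two registry keys and edits a system INF by hand, with no way back if something goes wrong mid-way. The batch script below is an added example, not part of the thread or of any tool it mentions: run it from a Command Prompt before starting the steps, and it exports both Winsock keys to .reg files (double-click one to merge it back), keeps a copy of nettcpip.inf, prints the Characteristics line you are about to change, and saves the current Winsock catalog so the before/after state can be compared. Paths are the XP defaults used in the thread; the backup folder name is an assumption. (0xA0 carries the not-user-removable flag 0x20 on top of 0x80; dropping it is what makes the Uninstall button appear.)

```batch
@echo off
REM Added example, not from the thread: snapshot the items post #10 changes.
REM Folder name below is an assumption; everything else is an XP default path.
setlocal
set BACKUP=%USERPROFILE%\Desktop\winsock-backup
if not exist "%BACKUP%" mkdir "%BACKUP%"

REM 1. Export the two keys before deleting them in regedit. reg export on XP
REM    does not overwrite, so clear any earlier copy first.
if exist "%BACKUP%\Winsock.reg"  del "%BACKUP%\Winsock.reg"
if exist "%BACKUP%\Winsock2.reg" del "%BACKUP%\Winsock2.reg"
reg export HKLM\System\CurrentControlSet\Services\Winsock  "%BACKUP%\Winsock.reg"
reg export HKLM\System\CurrentControlSet\Services\Winsock2 "%BACKUP%\Winsock2.reg"

REM 2. Keep the untouched INF and show the line to be edited
REM    (0xA0 = has-UI + not-user-removable, 0x80 = has-UI only).
copy /y "%windir%\inf\nettcpip.inf" "%BACKUP%\nettcpip.inf.orig" >nul
echo Current Characteristics entries in nettcpip.inf:
findstr /i /c:"Characteristics" "%windir%\inf\nettcpip.inf"

REM 3. Record the Winsock catalog as it stands so it can be compared with
REM    "netsh winsock show catalog" after the reinstall.
netsh winsock show catalog > "%BACKUP%\winsock-catalog-before.txt"

echo Backup written to "%BACKUP%"
endlocal
```

    To restore a key after a failed attempt, double-click the matching .reg file and allow the merge; to restore the INF, copy nettcpip.inf.orig back over %windir%\inf\nettcpip.inf.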
  11. cunfuewzd

    cunfuewzd Private E-2

    OK, I blew it!:-o

    deleted registry keys

    Changed primary install to 0x80

    Installed C:\WINDOWS\inf

    Uninstall button was available, however this is where I blew it. In Local Area Connection properties I unchecked all but Internet Protocol (TCP/IP), then uninstalled. I didn't realize the highlighted area was on Client for Microsoft Networks... and that is what got deleted. The file for Internet Protocol TCP/IP is still on the PC after reboot.

    How should I proceed?
     
  12. thisisu

    thisisu Malware Consultant

    Should be pretty easy to restore.

    Open Network Connections -> Local Area Connection -> Right-mouse click -> Properties -> "Install..." -> Highlight "Client" -> Add... -> Client Service for NetWare -> OK

    Try that and let me know if you have any additional problems.
     
  13. cunfuewzd

    cunfuewzd Private E-2

    I did NetWare like you said; upon reboot a select NetWare screen popped up, then after a few minutes my desktop screen showed up. Should I have selected Client for Microsoft Networks instead?
     
  14. thisisu

    thisisu Malware Consultant

    Yes, sorry!
     
  15. thisisu

    thisisu Malware Consultant

    Also you can uninstall the Client Service for NetWare you just added.
     
  16. cunfuewzd

    cunfuewzd Private E-2

    OK, changed back to "Networks". The PC still boots differently now. It doesn't show the user login screen, just a black screen with a small Windows XP box asking for my password.

    Continued on with post #10:

    Note This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
    Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
    You will be asked to reboot your PC for the changes to take effect, go ahead and do this now.

    "Once you have rebooted...
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy Manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK."

    At this point I received a network connection popup stating "could not add the requested component. The error is: An extended error has occurred."
     
  17. thisisu

    thisisu Malware Consultant

    Not sure which settings exactly you want but here is how you customize them.

    Start -> Control Panel -> User Accounts -> "Change the way users log on and off".
     
  18. thisisu

    thisisu Malware Consultant

    Verify that you are selecting "Internet Protocol (TCP/IP)" and not "Microsoft TCP/IP v6".
     
    Last edited: Dec 30, 2011
  19. cunfuewzd

    cunfuewzd Private E-2

    Yes, tried it twice. Should I redo post #10 again top to bottom?
     
  20. thisisu

    thisisu Malware Consultant

    Ok good.

    Yes go ahead, but this time when you are editing Nettcpip.inf you are going to change 0x80 back to 0xA0. Then remember to save the changes.

    All the other steps are the same.

    I have another idea if this fails but go ahead and try this first.
     
  21. cunfuewzd

    cunfuewzd Private E-2

    OK, reran post #10 to this point: deleted keys, then changed back to 0A0 and saved. I tried to install, select protocol, add, have disk, C:\WINDOWS\inf; this resulted in the same error as before: "an extended error has occurred".

    Click Start, and then click Run.
    In the Open box, type regedit, and then click OK.
    In Registry Editor, locate the following keys, right-click each key, and then click Delete:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
    When you are prompted to confirm the deletion, click Yes.
    Close the Registry Editor.

    Locate the Nettcpip.inf file in C:\WINDOWS\inf and then open the file in Notepad.
    Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xA0 entry by replacing 0xA0 with 0x80. Save the file. Exit Notepad.
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned, this is the one we want! Do not choose Microsoft TCP/IP v6!
     
  22. thisisu

    thisisu Malware Consultant

    Open a Command Prompt window and then copy paste the following command (Edit -> Paste)

    esentutl /p %windir%\security\Database\secedit.sdb >> "%userprofile%\desktop\database.txt"

    Press OK at the warning.

    Then attach the database.txt file on your desktop.
     
  23. cunfuewzd

    cunfuewzd Private E-2

    Ok, command copied and pasted to command prompt. The database.txt file saved to desktop is attached.
     

    Attached Files:

    Last edited: Dec 30, 2011
  24. thisisu

    thisisu Malware Consultant

    Attach that database.txt file
     
  25. cunfuewzd

    cunfuewzd Private E-2

    just edited last post
     
  26. thisisu

    thisisu Malware Consultant

    Here is the next command to enter:

    esentutl /r edb /l %windir%\security /s %windir%\security >> "%userprofile%\desktop\recovery2.txt"

    Attach recovery2.txt when finished.
     
    Last edited: Dec 30, 2011
  27. cunfuewzd

    cunfuewzd Private E-2

    Command entered, recovery txt attached.
     

    Attached Files:

  28. thisisu

    thisisu Malware Consultant

    Sorry that was the wrong syntax, I updated my post to reflect the changes on the recovery command.

    Attach recovery2.txt when finished.

    Edit: Going out for a bit.

    After you attach recovery2.txt try to complete the tasks where you had trouble before ("an extended error has occurred").

    Let me know if you can Add them without issue now.
     
  29. cunfuewzd

    cunfuewzd Private E-2

    You got it THISISYOU! PC is now seeing network/internet.:drool Love'n it! Thank you! Log is attached. Enjoy ur time out.

    Please let me know if there is anything else I need to do to finish up, i.e. empty QT, toggle restore, Windows updates, etc.

    Thanx again, CUNFUEWZD
     

    Attached Files:

  30. thisisu

    thisisu Malware Consultant

    That's great news! :cool

    Are you having any other problems? MGtools was recently updated so please follow these instructions so I can review your latest logs.

    http://img600.imageshack.us/img600/2693/mgtools.gif Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  31. cunfuewzd

    cunfuewzd Private E-2

    Things seem to be working fine here.

    How do I go about checking System Restore without going through with creating a restore point and then restoring to it?

    Reran MGTools, log attached.
     

    Attached Files:

  32. thisisu

    thisisu Malware Consultant

    http://img823.imageshack.us/img823/2039/msnmsg.gif Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    http://img194.imageshack.us/img194/4930/combofix.gif Since you ran ComboFix from F:, you will need to copy and paste it to your desktop (on the C: drive) for the cleanup steps below so it uninstalls properly.

    The rest of your logs look good. :)

    The System Restore points are in this folder: C:\system volume information

    According to your logs, you have 12 different restore points / snapshots. The oldest one is dated 2011-12-28 16:21:56

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  33. cunfuewzd

    cunfuewzd Private E-2

    All is well so far. Thanx again for your time and help.
    Wish you and your family the best for the new year!...Cunfuewzd:)
     
  34. thisisu

    thisisu Malware Consultant

    You're welcome :)

    Thank you and Happy New Year to you too.
     
