Maleware Attack: Windows Firewall missing

Welcome to Major Geeks!

Why not? What does it say exactly? Are you sure you are trying to attach the C:\MGlogs.zip file and not the MGtools.exe file?


Please do the below so that we can boot to System Recovery Options to run a scan.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)

 

No! Sorry about that. By mistake I posted in the instructions for a Windows 7 system. Since you have Vista, you would need to get to the System Recovery Options menu by booting from your Vista boot DVD. If you have this DVD, dont use it right now. I will tell you if/when we need. If you don't have the DVD, make sure you tell me that you do not have it.

Side note: Your hard disk is way to low on free space to properly run Vista. You need to free up a bunch of space or you need purchase a larger hard disk for this laptop and reinstall Windows on it. The below is what your logs show

Code:

Size 55.89 GB (60,008,951,808 bytes) 
Free Space 3.95 GB (4,237,950,976 bytes) 

Now download Yorkyt.exe Disinfection ToolSee the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

• Save the file to your hard disk; to your Desktop
• Right click the yorkyt.exe file and select Run As Administrator
• A reboot will be requested to install a driver.
• Another reboot will be requested to complete the disinfection.
• When the disinfection is completed, accept the message that will be displayed.
• Save the yorkyt log to attach here later.
• Now continue on with the below.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - URLSearchHook: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
O4 - HKLM\..\Run: [PC Antivirus] "C:\Program Files\PC Antivirus\PCAntivirus.exe" /minimize
O23 - Service: Thkeys (BrSerIf) - Unknown owner - \\.\globalrootC:\Windows\system32\svchost.exe (file missing)
After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Now download The Avenger by Swandog46, and save it to your Desktop.

See the download links under this icon http://www.majorgeeks.com/images/dll.gif

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• the log from Yorkyt
• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You're welcome. You forgot to tell me how things are working.

If your Vista DVD was a full install disc and not just an upgrade disk, then it is probably a bootable disc. Read the below to understand what is meant by a bootable disc:

http://pcsupport.about.com/od/tipstricks/ht/bootcddvd.htm

 

Yes I know about the Firewall problems. I can see it from MGlogs.zip. We had to remove active malware before trying to fix these. This is residual damage from the malware and you have quite a bit of damage. Some of this damage may be the reason for your slow down. And it may not be easy to fix without a resinstall. The below registy key of yours is totally corrupted

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
//Netsvcs

Before we even attempt to fix this, you will need to backup all important data just in case things go wrong which could result in your PC not booting. So work on your backups now and then do the below which will start the fix process for your firewall only!!

Now run the C:\MGtools\FixWFW.bat file by right clicking on it selecting Run As Administrator.


Now download SubInACL.msi from Microsoft.

• Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
• Now download the below file and save it to your Desktop:
  • resetperm.cmd
• Now right click on resetperm.cmd and select Run As Administrator to run this script. Be patient as this may take awhile to run. Also it is imperative that you Run As Administrator. This is not the same thing as your user account having administrator priviledges.

Once it finishes, reboot your PC.

Now run the C:\MGtools\FixWFW.bat file again ( yes we are repeating this ) by right clicking on it selecting Run As Administrator

Please click Start and in the Start Search box type type services.msc into the box. When you see the services.msc icon appear up above in the list, right click on it and select Run As Administrator. This will open up the Services form. Scroll down to the Base Filtering Engine Service service and double click on it. Set the Startup type to Automatic and then close the form for the BFE service.

Now locate the Windows Firewall Service service and Start it and set the Startup type to Automatic, Did this Start?

Now close the above services forms.


Now please download OTL by OldTimer.

• Save it to your desktop.
• Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
  
  Code:

  netsvcs
  /md5start
  afd.sys
  atapi.sys
  csrss.exe
  dhcpcsvc.dll
  explorer.exe
  lsass.exe
  nsiproxy.sys
  regedit.exe
  services.exe
  svchost.exe
  tcpip.sys
  tdx.sys
  userinit.exe
  winlogon.exe
  /md5stop
  %systemdrive%\*.*
  %systemdrive%\MGtools\*.*
  %systemroot%\*. /mp /s
  %systemroot%\system32\*.sys /90
  %systemroot%\system32\*.exe /lockedfiles
  %systemroot%\system32\drivers\*.sys /lockedfiles
  %windir%\assembly\GAC\*.ini
  %windir%\assembly\GAC_MSIL\*.ini
  %windir%\assembly\gac_32\*.ini
  %windir%\assembly\gac_64\*.ini
  %windir%\assembly\temp\*.ini
  %windir%\assembly\tmp\u /s
  %allusersprofile%\application data\*.exe
  hklm\system\currentcontrolset\services\dhcp
  hklm\system\currentcontrolset\services\afd
  hklm\system\currentcontrolset\services\tdx
  hklm\system\currentcontrolset\services\tcpip
  hklm\system\currentcontrolset\services\nsiproxy
  hklm\software\microsoft\windows\currentversion\run
  hklm\software\microsoft\windows\currentversion\runonce
  

• Now click the Run Scan button.
• Two reports will be created:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
• Attach both OTL.txt and Extras.txt to your next message. (See how to attach)

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below log:

• both OTL.txt and Extras.txt
• C:\MGlogs.zip

 

You're welcome.

That's normal. It is just attempting to apply a quick registry patch.

 

You're welcome.

Not sure if this will be easily fixed. As I said earlier there is significant damage from the malware you had. However let's continue and see what happens.

Since you have backed up important data, let's try to fix the NetSvcs by setting it back to a default.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below log:

• C:\MGlogs.zip

Do not shutdown or reboot your PC now. Leave it running until you hear back from me.

 

Okay that did update the NetSvcs registry entry to more of a default type value. But this has not removed all the stray services entries and those are really to numerous and difficult to fix as it is just about impossible for us to know which one are valid for your PC.

I had checked to see if you had a restore point we could use but you seem to have disabled system restore at some point because there are no good restore points before 4/11/2012.


Now download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now open Repair_Windows.exe
• Go to Start Repairs tab.
• Choose "Custom Mode" and press "Start".
• Create a System Restore point if prompted.
• In the Custom Mode window, select the following repair options:
  • Repair Windows Firewall
  • Repair Internet Explorer
  • Repair Hosts File
  • Remove Policies Set By Infections
  • Repair Winsock & DNS Cache
  • Repair Windows Updates
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• If asked to reboot the computer for the changes to take affect, make sure other tasks in the program are not still running before accepting to restart.

Reboot after running Windows Repair.


After reboot, rerun the same OTL scan from message number 9 and attach the new logs from OTL.


Also see if there is any improvement on your PC.

 

Well this is all very good news.

Yes. Down below.

We cannot fix all of the damage without a full reinstall. However many of the items are not just dead drivers/services. If your PC is working OK then it will likely be okay to ignore all this. If however your PC were not working properly, and no obvious malware or easily recognize other Windows problems could be found, then you would have to reinstall to repair especially since you have no old restore points.



Now shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.

• Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

:OTL
SRV - File not found [Auto | Stopped] -- \.\globalroot\C:\Windows\system32\svchost.exe -- (BrSerIf)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\oracledbconsoleorcl.dll -- (aaksrv)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\SGHIDI.dll -- ({85ccb53b-23d8-4e73-b1b7-9ddb71827d9b})
IE - HKU\S-1-5-21-1481166795-4156231051-990927424-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = [URL]http://search.conduit.com/ResultsExt...ctid=CT2504091[/URL]
O3 - HKU\S-1-5-21-1481166795-4156231051-990927424-1000\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
NetSvcs: FastUserSwitchingCompatibility - %systemroot%\system32\nmraapache.dll File not found
NetSvcs: oraclesnmppeerencapsulator - %systemroot%\system32\shellhwdetection.dll File not found
NetSvcs: array_utility_service4 - File not found
NetSvcs: 0 - File not found
NetSvcs: 1 - File not found
NetSvcs: 3 - File not found
NetSvcs: oracleorahome92tnslistener - %systemroot%\system32\symids.dll File not found
NetSvcs: roxwatch9 - %systemroot%\system32\vmm.dll File not found
NetSvcs: EPSON_EB_RPCV4_01 - %systemroot%\system32\slapd-data52.dll File not found
NetSvcs: ctaud2k - %systemroot%\system32\GoogleDesktopManager-010708-104812.dll File not found
NetSvcs: TuneUp.ProgramStatisticsSvc - %systemroot%\system32\mpfservice.dll File not found
NetSvcs: oracleorahomedatagatherer - %systemroot%\system32\W700mdfl.dll File not found
NetSvcs: mi-raysat_3dsmax9_32 - %systemroot%\system32\spooler.dll File not found
NetSvcs: lxdj_device - %systemroot%\system32\superproserver.dll File not found
[2012/03/29 16:42:03 | 006,827,792 | ---- | C] (PC Antivirus) -- C:\Windows\uninstac.exe
[2012/03/29 16:42:01 | 001,332,560 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\sbte.dll
[2012/03/29 16:41:58 | 000,000,000 | ---D | C] -- C:\ProgramData\AVC1Data
[2012/03/29 16:52:49 | 000,308,560 | ---- | M] () -- C:\Windows\System32\vipre.dll
[2012/03/29 16:52:49 | 000,160,768 | ---- | M] () -- C:\Windows\System32\unrar.dll
[2012/03/29 16:48:03 | 000,000,000 | ---- | M] () -- C:\Windows\System32\SBRC.dat
@Alternate Data Stream - 144 bytes -> C:\ProgramData\TEMP:0B4227B4
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:03271074
@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:9D6EAEC3
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:15752405
:File
C:\Windows\$NtUninstallKB41687$
:Commands
[PURITY]
[EMPTYTEMP] 
[EMPTYFLASH]
[REBOOT]

• Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
• If the fix needed a reboot please do it.
• Click the OK button (upon reboot).
• When OTL is finished, Notepad will open. Close Notepad.
• A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (See: How to attach)

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the log from OTL
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Yes probably because you are way behind on updates. Also when a particular update installs, it can also trigger additional updates to be necessary. So don't be surprised if someday you see 1 or 2 updates to install and then after you install them, you see more.

Then we will leave it as is.

If you are happy with AVG and its performance, then reinstall it. Personally I don't like it. Have not like it since version 7.5 which is a long time ago. Also I don't like any type of PC-Tune up program. They are basically junk and unnecessary and in many cases can cause more harm then good. Especially if you start allowing them to make changes in the registry. Many times these kinds of tweaks are the reasons why things like Windows Update stops working or other strange unexplained problems start occurring.

Uninstall Microsoft Security Essentials before installing any other antivirus or antispyware protection programs.

Since your logs are clean, we will move on to final steps.



If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

You're welcome.

It will not delete any file you need. However it you don't want your cookies deleted that save login and other info, then configure it to save cookies you want to keep. DO NOT USE the registry cleaning option. We don't recommend this with any program. Even though mostly safe, it is almost never necessary and can cause problems when care is not taken.

One of the reason I stopped using AVG, but adding any security program does impact startup and general performance.

So I checked the start-up programs in the control panel and it asked me to turn Windows Defender on. Is it normal that Windows Defender is off? As far as I know, it was running and I didn't turn it off.[/QUOTE] The malware you had may have disabled the service. You can see if you can enable the service using services.msc

However if you have AVG installed, it already includes antispyware and thus you really don't need Windows Defender.

 

You're welcome and thanks for the praise.

Surf safely!