Hi, Need Help

Discussion in 'Malware Help (A Specialist Will Reply)' started by Thornbreaker, Nov 28, 2011.

  1. Thornbreaker

    Thornbreaker Private E-2

    Hey,

    My sister has a Win XP 32 bit OS. The internet has been disabled by whatever bug/infection is causing the problem.

    I've done the best I could so far with getting the logs. I used a USB drive to install SAS, Malwarebytes, Combo fix, and MGTools. They were the most recent versions I could find, but even Malwarebytes was 88 days out of date.

    I had some trouble running Combofix even though I had turned AVG off. So I uninstalled AVG, and Combofix ran fine. It said there was a "Zeroaccess" bug, and to rerun it if I noticed any further issues. So I have 2 logs of Combofix.

    This has not fixed the internet issue. I am still unable to connect to the internet via her computer.

    Thanks for your help, when you get a minute to take a look.
     

    Attached Files:

  2. Thornbreaker

    Thornbreaker Private E-2

    The other logs I have.
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Thornbreaker!



    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • AVG 2012
    • Java(TM) 6 Update 14
    You were supposed to uninstall this as per the Read and Run Me instructions. You can reinstall it if you'd like after we are done with malware removal.

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach that file to your next message. (How to attach)

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    Driver::
    AVGIDSAgent
    avgwd
    AVGIDSDriver
    AVGIDSEH
    AVGIDSFilter
    AVGIDSShim
    Avgldx86
    Avgmfx86
    Avgrkx86
    Avgtdix
    FCopy::
    C:\WINDOWS\system32\dllcache\ipsec.sys | C:\WINDOWS\system32\drivers\ipsec.sys
    File::
    C:\Documents and Settings\Erin Wallace\Local Settings\Application Data\ie_runner_app.exe
    C:\Documents and Settings\Erin Wallace\Desktop\downloadable_install_wizard(2).exe
    C:\Documents and Settings\Erin Wallace\ymjmsi.log
    C:\Documents and Settings\Erin Wallace\Desktop\soezeyibaj.tmp
    C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk
    C:\WINDOWS\system32\571136691
    C:\WINDOWS\system32\drivers\AVGIDSShim.sys
    C:\WINDOWS\system32\drivers\avgldx86.sys
    C:\WINDOWS\system32\drivers\avgrkx86.sys
    FileLook::
    C:\Documents and Settings\Erin Wallace\Desktop\RadiosSetup.exe
    C:\Documents and Settings\Erin Wallace\Desktop\MapsSetup.exe
    Folder::
    c:\documents and settings\Erin Wallace\Application Data\GiiibDD3pn
    c:\documents and settings\Erin Wallace\Application Data\vkIIVVzONtx0uS2
    C:\Documents and Settings\Erin Wallace\Local Settings\Application Data\Viewpoint
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Viewpoint
    C:\Documents and Settings\Erin Wallace\Application Data\AVG2012
    C:\Documents and Settings\All Users\Application Data\AVG2012
    C:\Documents and Settings\All Users\Start Menu\Programs\AVG 2012
    C:\Program Files\AVG Secure Search
    C:\Program Files\Common Files\AVG Secure Search
    C:\$AVG
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "57806:TCP"=-
    "57806:UDP"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{73F40849-36C5-40EB-B641-CE8789CF38B2}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
    "Type"=dword:00000001
    "Start"=dword:00000001
    "ErrorControl"=dword:00000001
    "Tag"=dword:00000004
    "ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
      52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
      00,73,00,79,00,73,00,00,00
    "DisplayName"="IPSEC driver"
    "Group"="PNP_TDI"
    "Description"="IPSEC driver"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Security]
    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
      00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Enum]
    "0"="Root\\LEGACY_IPSEC\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator ).

    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
    Last edited by a moderator: Nov 28, 2011
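Added example for the IPSEC driver part of the CFScript in the post above. This is not code from the thread, from ComboFix or from the consultant; it is a small Python checker that decodes the Regedit-style values the script writes (dword:, "string", and the hex(2): REG_EXPAND_SZ ImagePath), compares an exported IPSec service key against that baseline, and compares the live ipsec.sys with the dllcache copy the FCopy:: line restores from. The sample key text is constructed from the script's own lines; the C:\WINDOWS paths are the XP defaults and are assumptions.

```python
"""Added example, not from the thread: check the IPSEC driver service that the
CFScript above restores. A ZeroAccess-patched ipsec.sys will differ from the
protected dllcache copy, and a disabled/redirected service key will differ
from the baseline values below."""
import hashlib
import os
import re

# Baseline values copied from the Registry:: section of the CFScript above.
EXPECTED_IPSEC_SERVICE = {
    "Type": 1,           # SERVICE_KERNEL_DRIVER
    "Start": 1,          # SERVICE_SYSTEM_START (loaded early at boot)
    "ErrorControl": 1,   # SERVICE_ERROR_NORMAL
    "Tag": 4,
    "ImagePath": r"system32\DRIVERS\ipsec.sys",
    "Group": "PNP_TDI",
}

# Constructed sample: the IPSec key exactly as the CFScript writes it.
SAMPLE_KEY = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000004
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="IPSEC driver"
"Group"="PNP_TDI"
"Description"="IPSEC driver"
'''


def decode_reg_hex2(value: str) -> str:
    """Decode a Regedit 'hex(2):73,00,79,00,...' value (REG_EXPAND_SZ):
    comma-separated hex bytes, UTF-16LE, NUL terminated. Continuation
    backslashes and whitespace are stripped first."""
    body = value.split(":", 1)[1]
    body = re.sub(r"[\\\s]", "", body)
    raw = bytes(int(b, 16) for b in body.split(",") if b)
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_reg_values(text: str) -> dict:
    """Parse the '"Name"=...' lines of a .reg key body into Python values.
    Handles dword:, "string" and hex(2): forms; other forms are skipped.
    Lines ending in ',\\' are joined with the following line first."""
    joined = re.sub(r",\\\s*\n\s*", ",", text)
    values = {}
    for m in re.finditer(r'^\s*"([^"]+)"=(.+)$', joined, re.M):
        name, val = m.group(1), m.group(2).strip()
        if val.startswith("dword:"):
            values[name] = int(val[6:], 16)
        elif val.startswith("hex(2):"):
            values[name] = decode_reg_hex2(val)
        elif val.startswith('"') and val.endswith('"'):
            values[name] = val[1:-1]
    return values


def check_ipsec_service(values: dict) -> list:
    """Return the names of baseline values that are missing or differ."""
    return [k for k, v in EXPECTED_IPSEC_SERVICE.items() if values.get(k) != v]


def driver_matches_dllcache(live: bytes, cache: bytes) -> bool:
    """True when the live driver is byte-identical to the dllcache copy."""
    return hashlib.sha256(live).digest() == hashlib.sha256(cache).digest()


def live_driver_matches_dllcache(system_root: str = r"C:\WINDOWS") -> bool:
    """Same comparison against the real files on an XP box (assumed paths).
    Note: the dllcache copy is only as trustworthy as the box; verify its
    version against a known-good SP3 install if in doubt."""
    live = os.path.join(system_root, "system32", "drivers", "ipsec.sys")
    cache = os.path.join(system_root, "system32", "dllcache", "ipsec.sys")
    with open(live, "rb") as f, open(cache, "rb") as g:
        return driver_matches_dllcache(f.read(), g.read())


if __name__ == "__main__":
    print("baseline key, differences:",
          check_ipsec_service(parse_reg_values(SAMPLE_KEY)))
    # Constructed tamper case: service set to Start=4 (disabled).
    tampered = SAMPLE_KEY.replace('"Start"=dword:00000001',
                                  '"Start"=dword:00000004')
    print("disabled service, differences:",
          check_ipsec_service(parse_reg_values(tampered)))
```

On the infected machine you would export HKLM\SYSTEM\CurrentControlSet\Services\IPSec with regedit, feed the exported text to parse_reg_values, and run live_driver_matches_dllcache; anything reported by check_ipsec_service or a hash mismatch is what the FCopy:: and Registry:: sections of the script are there to undo.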
  4. Thornbreaker

    Thornbreaker Private E-2

    Requested Logs. Still not able to connect to internet.
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Re-run TDSSKiller and this time if it detects:
    Allow TDSSKiller to delete.


    ========WARNING========
    The below is specifically for Thornbreaker's computer
    Do NOT run the below if you are not Thornbreaker
    Doing so may damage your PC!
    ========WARNING========

    Attached is ipsec.zip

    Inside is:
    • ipsec_xp_sp3.reg
    • fixme+restart.bat

    Extract both files to the infected computer's desktop.

    First double-click ipsec_xp_sp3.reg and allow it to merge into the registry. You should receive a successful message.

    Now reboot your PC.

    Once you have rebooted...

    Test your internet, If it still is not working, run the fixme+restart.bat file by double-clicking it.
    Your PC will reboot again. Once you are back in Windows, test your internet again.

    If it still does not work, attach the fixme_results.txt file the .bat file created.
     

    Attached Files:

  6. Thornbreaker

    Thornbreaker Private E-2

    No luck with internet so far.
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    I would like you to try the below.

    Click Start, and then click Run.
    In the Open box, type regedit, and then click OK.
    In Registry Editor, locate the following keys, right-click each key, and then click Delete:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
    When you are prompted to confirm the deletion, click Yes.
    Close the Registry Editor.

    Locate the Nettcpip.inf file in C:\WINDOWS\inf and then open the file in Notepad.
    Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xA0 entry by replacing 0xA0 with 0x80. Save the file. Exit Notepad.
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned, this is the one we want! Do not choose Microsoft TCP/IP v6!

    Note This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
    Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
    You will be asked to reboot your PC for the changes to take effect, go ahead and do this now.

    Once you have rebooted...
    In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
    On the General tab, click Install, select Protocol, and then click Add.
    In the Select Network Protocols window, click Have Disk.
    In the Copy Manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
    Select Internet Protocol (TCP/IP), and then click OK.
    Restart your computer.
    Test your Internet connectivity.
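Added example for the Nettcpip.inf step in the post above; it is not code from the thread, from the consultant or from Microsoft. The Characteristics value in [MS_TCPIP.PrimaryInstall] is a bitmask of NCF_* flags: 0xA0 is NCF_HAS_UI (0x80) together with NCF_NOT_USER_REMOVABLE (0x20), and clearing the 0x20 bit is what makes the Uninstall button for TCP/IP usable. The Python below works on that bit rather than replacing the literal text 0xA0, so it goes slightly beyond the post: it also copes with an INF whose value is not exactly 0xA0 and can put the bit back after TCP/IP has been reinstalled. The INF text in the block is constructed; the real file is C:\WINDOWS\inf\Nettcpip.inf.

```python
"""Added example, not from the thread: flip the NCF_NOT_USER_REMOVABLE bit on
the TCP/IP install section of Nettcpip.inf, and restore it afterwards."""
import re

NCF_NOT_USER_REMOVABLE = 0x20   # set -> no Uninstall button in the UI
NCF_HAS_UI = 0x80
TCPIP_SECTION = "MS_TCPIP.PrimaryInstall"

_SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
_CHAR_RE = re.compile(
    r"^(\s*Characteristics\s*=\s*)(0x[0-9A-Fa-f]+|\d+)(.*)$", re.I)


def _to_int(s: str) -> int:
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def _locate(inf_text: str, section: str):
    """Return (line index, regex match) of the Characteristics line inside
    the given INF section; section names compare case-insensitively."""
    current = None
    for i, line in enumerate(inf_text.splitlines(keepends=True)):
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        if current == section.lower():
            m = _CHAR_RE.match(line.rstrip("\r\n"))
            if m:
                return i, m
    raise ValueError(f"Characteristics not found in [{section}]")


def read_characteristics(inf_text: str, section: str = TCPIP_SECTION) -> int:
    _, m = _locate(inf_text, section)
    return _to_int(m.group(2))


def set_characteristics(inf_text: str, clear: int = 0, set_: int = 0,
                        section: str = TCPIP_SECTION):
    """Return (new_text, old_value, new_value). Only the one line changes;
    trailing comments and the file's line endings are kept as they were."""
    lines = inf_text.splitlines(keepends=True)
    i, m = _locate(inf_text, section)
    old = _to_int(m.group(2))
    new = (old & ~clear) | set_
    eol = lines[i][len(lines[i].rstrip("\r\n")):]
    lines[i] = f"{m.group(1)}0x{new:X}{m.group(3)}{eol}"
    return "".join(lines), old, new


def make_tcpip_removable(inf_text: str):
    """The edit from the post: clear NCF_NOT_USER_REMOVABLE (0xA0 -> 0x80)."""
    return set_characteristics(inf_text, clear=NCF_NOT_USER_REMOVABLE)


def restore_tcpip_protection(inf_text: str):
    """Put the bit back once TCP/IP has been reinstalled (0x80 -> 0xA0)."""
    return set_characteristics(inf_text, set_=NCF_NOT_USER_REMOVABLE)


# Constructed stand-in for the relevant part of Nettcpip.inf (CRLF, as on XP).
SAMPLE_INF = (
    "[Version]\r\n"
    "Signature=\"$Windows NT$\"\r\n"
    "Class=NetTrans\r\n"
    "\r\n"
    "[MS_TCPIP.PrimaryInstall]\r\n"
    "AddReg=MS_TCPIP.PrimaryInstall.Reg\r\n"
    "Characteristics = 0xA0 ; NCF_HAS_UI | NCF_NOT_USER_REMOVABLE\r\n"
)

if __name__ == "__main__":
    patched, old, new = make_tcpip_removable(SAMPLE_INF)
    print(f"Characteristics 0x{old:X} -> 0x{new:X}")
    print(patched)
```

On the real machine, read C:\WINDOWS\inf\Nettcpip.inf, keep a copy, write back the text from make_tcpip_removable, and do the Uninstall/Install dance from the post; the edit is idempotent, so running it on an already-patched file changes nothing.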
     
  8. Thornbreaker

    Thornbreaker Private E-2

    Internet is working now.
     
  9. Thornbreaker

    Thornbreaker Private E-2

    Updated and ran Malwarebytes and SAS. Let me know if anything else needs to be done.

    Thank you.
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    Good job :cool

    ComboFix mentioned the below:
    Can you test Windows Update?

    If you find out that you are not able to update successfully, download Complete Internet Repair

    Extract all the files into a folder on your desktop called "cip" or something similar so you know it's for complete internet repair.

    • Run CIntRep.exe by double-clicking it.
    • Complete Internet Repair launches.
    • Put a checkmark in the following:
      • Repair Windows / Automatic Updates
      • Repair SSL / HTTPS / Cryptography
    • Leave everything else unchecked and click the Go! button.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
