Russian hacker problems...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by samuk1000, Mar 15, 2010.

  1. samuk1000

    samuk1000 Private E-2

    A hacker attacked my PC last week. All my website HTML files had malicious code entered. I performed the cleaning process. I thought I was clean, so I disabled/re-enabled System Restore. I'm now getting hang-ups on startup, with programs like StarTEAK using 99% CPU. Nasty viruses/trojans/rootkits. Will try to attach all .txt files.
     

    Attached Files:

  2. samuk1000

    samuk1000 Private E-2

    additional attachments.
    I ended up doing two scans of SAS/MBAM in the end hence two attached.
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to Major Geeks!
    I can however see what else needs to be done in the way of cleaning any malware that does remain on the machine itself. I'll look over your logs and get back with a response shortly. :)
     
  4. samuk1000

    samuk1000 Private E-2

    Thank you. I have since uninstalled many programs that could be malicious or illegitimate and done another Malwarebytes scan. I note also that ComboFix created a "My Computer" icon and copies of various folders, but that seems to have gone now. It is very difficult for me to get online; Firefox and SeaMonkey are both crashing. I have just managed to get on with SeaMonkey.

    I am quite scared about identity theft and the maliciousness of the attacks, especially to my websites, which were re-inputting the malicious code seemingly in real time and preventing the launch of a product I was releasing.

    Finally, I also enclose the RootRepeal log (yesterday) and a HijackThis log (at time of writing). I could not get online to upload the RootRepeal log, and it also got caught in the endless loop (there is a thread about someone else running RootRepeal for 15 hours).

    I believe the hackers/virus distributors are Russian because I remember a very strange and bizarre Russian "strange news" site popping up literally out of nowhere in Internet Explorer about a week ago, and I followed a few links which led pretty much nowhere, wondering where the sites had popped up from.

    Thanks in advance for your help.
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thanks for attaching the RootRepeal log. But do not run anything or attach anything else unless I request it. :) I did not ask for a HJT log.

    Let's get started:

    1. Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode, if you haven't done so already.

    2. Please download http://noahdfear.net/downloads/HelpAsst_mebroot_fix.exe by noahdfear and save it to your Desktop.

    • Double click HelpAsst_mebroot_fix.exe to run the tool.
    • When the tool completes it will inform you HelpAssistant was successfully removed, or it may require a reboot. DO NOT reboot at this point if it tells you this. Do the below first.
    • With Windows Explorer, navigate to the C:\MGtools folder and double click on mbrfix.bat ( If not sure how to use Windows Explorer, you can optionally click Start > Run and enter C:\MGtools\mbrfix.bat into the run box and click OK. ) This will run quickly flashing a black screen in front of you too fast to read.
    • NOW REBOOT!

    After reboot continue with the below:

    3. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    msconfig should not be running at start up so please fix this as well.
    After clicking Fix exit HJT.


    4. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    Driver::
    nprdnpm
    
    DirLook::
    C:\Baskets
    C:\{ed902d57-ac1b-405a-9026-b6f25799d38e}
    
    File::
    C:\WINDOWS\system32\msirbt32.exe
    C:\Documents and Settings\Sam\My Documents\~WRL1201.tmp
    C:\Documents and Settings\Sam\My Documents\~WRL1522.tmp
    C:\WINDOWS\TEMP\$$$dq3e
    C:\WINDWS\TEMP\$67we.$
    C:\WINDOWS\TEMP\77.tmp
    C:\Documents and Settings\Sam\Local Settings\temp\NPJs.dll 
    C:\Documents and Settings\Sam\Local Settings\temp\Cab78.tmp
    C:\Documents and Settings\Sam\Local Settings\temp\Tar79.tmp
    C:\Documents and Settings\Sam\Local Settings\temp\TLHg2zLi.htm.part
    C:\Documents and Settings\Sam\Local Settings\temp\REV8.tmp
    C:\Documents and Settings\Sam\Local Settings\temp\CFG10.tmp
    C:\Documents and Settings\Sam\Local Settings\temp\cfg18.tmp    
    C:\Documents and Settings\Sam\Local Settings\temp\cfg1a.tmp     
    C:\Documents and Settings\Sam\Local Settings\temp\cfg1f.tmp     
    C:\Documents and Settings\Sam\Local Settings\temp\cfg21.tmp     
    C:\Documents and Settings\Sam\Local Settings\temp\cfge.tmp      
    C:\Documents and Settings\Sam\Local Settings\temp\csj54.tmp 
    c:\windows\system32\drivers\laxgne.sys
    
    Folder::
    C:\Documents and Settings\Sam\Local Settings\temp\is-0QI7V.tmp
    C:\Documents and Settings\Sam\Local Settings\temp\IS-1H6OL.TMP             
    C:\Documents and Settings\Sam\Local Settings\temp\IS-8RG4S.TMP                
    C:\Documents and Settings\Sam\Local Settings\temp\IS-E7H54.TMP                
    C:\Documents and Settings\Sam\Local Settings\temp\IS-FMKII.TMP               
    C:\Documents and Settings\Sam\Local Settings\temp\IS-S2KF2.TMP                
    C:\Documents and Settings\Sam\Local Settings\temp\ISP2B.TMP                  
    C:\Documents and Settings\Sam\Local Settings\temp\ISS11F.TMP
    C:\Documents and Settings\Sam\Local Settings\temp\Rar$DR01.453
    C:\Documents and Settings\HelpAssistant
    
    Registry::
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{145B29F4-A56B-4b90-BBAC-45784EBEBBB7}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    5. Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).
    6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    7. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
    Last edited: Mar 16, 2010
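The CFScript in the post above is a plain-text format: a directive line ending in "::" followed by the entries it applies to. Before dragging such a script onto ComboFix.exe it is worth parsing it and checking that every File::/Folder:: entry at least points into a directory that exists, because a mistyped path silently matches nothing and the item it was meant to remove survives. The following Python script is an added example, not part of the thread and not a ComboFix component. The directive names are the ones used in this thread, the sample script is a shortened, constructed copy of the one above with one directory deliberately misspelled (C:\WINDWS) so the check has something to find, and the check runs against a temporary directory tree standing in for C:\ so it works on any OS.

```python
"""Parse a ComboFix CFScript and sanity-check its File::/Folder:: paths.

Added example for this thread; not a ComboFix component and not from the
post above.  It changes nothing on disk: it only reports entries whose
parent directory does not exist, the kind of typo that would otherwise
make a File:: line silently match nothing.
"""
import re
import tempfile
from pathlib import Path

# Directives seen in this thread.  Only the path-bearing ones are checked
# against the disk; Driver::, Registry:: and NetSvc:: name other things.
PATH_DIRECTIVES = {"File::", "Folder::", "DirLook::", "FileLook::"}
ALL_DIRECTIVES = PATH_DIRECTIVES | {"KILLALL::", "Driver::", "Registry::", "NetSvc::"}


def parse_cfscript(text):
    """Return {directive: [entries]}.

    A directive is a line ending in '::'; following lines belong to it
    until the next directive.  Blank lines are skipped and surrounding
    whitespace stripped (pasted scripts often carry trailing spaces).
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            if line not in ALL_DIRECTIVES:
                raise ValueError("unknown directive: " + line)
            current = line
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any directive: " + line)
        else:
            sections[current].append(line)
    return sections


def to_local(win_path, root):
    """Map 'C:\\a\\b' onto root/a/b, matching components case-insensitively
    the way NTFS does, so 'c:\\windows' and 'C:\\WINDOWS' resolve alike."""
    _drive, _, rest = win_path.partition(":")
    cur = root
    for part in (p for p in re.split(r"[\\/]+", rest) if p):
        match = None
        if cur.is_dir():
            for child in cur.iterdir():
                if child.name.lower() == part.lower():
                    match = child
                    break
        cur = match if match is not None else cur / part
    return cur


def check_paths(sections, root):
    """Return [(directive, entry, reason)] for entries that look wrong."""
    problems = []
    for directive, entries in sections.items():
        if directive not in PATH_DIRECTIVES:
            continue
        for entry in entries:
            local = to_local(entry, root)
            if not local.parent.is_dir():
                problems.append((directive, entry, "parent directory missing"))
            elif directive == "Folder::" and local.is_file():
                problems.append((directive, entry, "Folder:: entry is a file"))
    return problems


# Constructed sample: entries taken from the first CFScript in this thread,
# shortened, with one directory deliberately misspelled (C:\WINDWS).
SAMPLE_SCRIPT = r"""
KILLALL::

Driver::
nprdnpm

File::
C:\WINDOWS\system32\msirbt32.exe
C:\WINDWS\TEMP\$67we.$
c:\windows\system32\drivers\laxgne.sys

Folder::
C:\Documents and Settings\HelpAssistant

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{145B29F4-A56B-4b90-BBAC-45784EBEBBB7}]
"""


def demo(root=None):
    """Build a stand-in C:\\ tree in a temp dir and check the sample."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    for d in ("WINDOWS/system32/drivers", "WINDOWS/TEMP",
              "Documents and Settings/HelpAssistant"):
        (root / d).mkdir(parents=True, exist_ok=True)
    return check_paths(parse_cfscript(SAMPLE_SCRIPT), root)


if __name__ == "__main__":
    for directive, entry, reason in demo():
        print(directive, entry, "->", reason)
```

Run as-is it reports exactly the misspelled C:\WINDWS\TEMP entry; pointing demo() at a real drive root (or a mounted image of one) gives the same check for a real script. The case-insensitive resolution matters because helpers mix "c:\windows" and "C:\WINDOWS" in the same script, and a naive path join would flag those as missing on a case-sensitive filesystem.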
  6. samuk1000

    samuk1000 Private E-2

    Unable to run the first instruction (HelpAsst...). Some strange characters came up in the shell window and then a Windows error:

    Rest of actions carried out. Logs attached.

    In C:\Documents and Settings\Sam\Local Settings\TEMP and C:\WINDOWS\Temp there were three files that could not be deleted, including yesterday's (dated yesterday). That was the only other issue.

    Things seem to be running better since I uninstalled a lot of unnecessary software. Internet browsers continue to regularly crash (e.g. Firefox, SeaMonkey). I deleted FileZilla (FTP software) because it was crashing and giving strange requests.

    Another strange thing was that I was using PC tools firewall and it detected a network which it doesn't normally do.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Damn! Do you happen to have your XP CD? Let me know, and in the meantime I am going to seek advice regarding this.
     
  8. samuk1000

    samuk1000 Private E-2

    Hi I don't have it as I bought this machine off a friend.
    I do have a Chinese version of Windows XP CD for another machine.
    This was one of the worst hacks I've experienced ever.
    I believe it came from two Russian popups with "Barnum and Bailey"/"weird news" pics which got my curiosity.
    I had no idea going on an odd site could allow trojans and so forth.
    After I got infected I left my machine on all day, so basically my whole hard drive could have been explored, including passport pics etc. DOH!
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let's try this:

    GMER's MBR.exe

    • Double click on the MBR.exe file to run it.
    • A log will be produced & saved to the desktop, called MBR.log.
    • Rename this log. Attach this log to your next message.


    Then run the below instructions.
    Click Start > Run and copy & paste the following text in the code box into the Run box and then click OK. You must copy and paste or type in this exactly. The quotes must be exactly as shown and there is a space before the -f
    Code:
    
         "%userprofile%\desktop\mbr.exe" -f
    
    Now double click on the mbr.exe file and attach the new mbr.log

    Now we need to use ComboFix again
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Folder::
    C:\Documents and Settings\HelpAssistant
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this, and also attach the log from ComboFix and the other logs that I asked for.
     
  10. samuk1000

    samuk1000 Private E-2

    I'm not sure how long it takes to get infected from a site which has the malicious script. Do you know?

    Here are the attachments. Amazingly fast response times, thank you.
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Could be instantaneous... our main concern now is removing the infection.

    We have work to do, and although it might be frustrating, rest assured, my aim is to get your machine clean, I may have to seek advice at times too, but I won't abandon you.

    Complete as many of the steps as you can, if something doesn't work, just note it down to later tell me and continue on with the rest of the fix.


    1. We need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    NetSvc::
    {281D9357-D0A6-490B-AA6A84090F8993DF} 
    
    FileLook::
    c:\windows\system32\dllcache\tcpip.sys
    c:\windows\system32\drivers\tcpip.sys
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    2. Please go to Jotti's malware scan

    (If more than one file needs to be scanned, they must be done separately and logs posted for each one)
    • Copy the file path in the below Code box:
      Code:
      c:\windows\system32\dllcache\tcpip.sys
    • At the upload site, click once inside the window next to Browse.
    • Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    • Next click Submit file
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    Then do the same for the below file and also let me know the results:

    Code:
    c:\windows\system32\drivers\tcpip.sys

    Now let's try this again:

    3. Please download http://noahdfear.net/downloads/HelpAsst/HelpAsst_mebroot_fix.exe and save it to your desktop.
    Close out all other open programs and windows.
    Double click the file to run it and follow any prompts.
    If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
    Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command in the quote box, then hit Enter.



    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.

    *In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.



    Now, please do the Start>Run>mbr -f command a second time.
    Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
    Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.



    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.

    4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this, and also attach the log from ComboFix, the other logs that I asked for, and the results from Jotti.

    5. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  12. samuk1000

    samuk1000 Private E-2

    The main problem encountered was Combofix failing to continue running after it restarted, but on a second run was fine.

    In addition, StarTEAK.exe is a CPU hog, taking the CPU to 100%. Killing the process stops it, but in my experience this tends not to happen in the first place without virus activity.

    tcpip.sys at both locations brought ZERO/20 malware reports back.

    helpasst logs 1 and 2 attached.

    MGtools attached.

    Thanks again.
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's finally nailed it. :) Your logs look good!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  14. samuk1000

    samuk1000 Private E-2

    Many thanks Kestrel, do you have a buy beer link? Or should I donate to the site if I want to?
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're most welcome! :)

    LOL @ buy beer. I gotta go pour it tonight at work!

    We do not take donations per se, however you can if you wish purchase yourself some geekwear (see red bolded link below) :major

    J!NX
     
  16. samuk1000

    samuk1000 Private E-2

    Reopened thread...

    Unfortunately, I got another malware attack, seemingly in the same vein as the previous one, hence reopening the thread. This time it got to the point where I could not open a single program, not even "right click, properties", without the app failing to start and getting a dwwin.exe error.

    Finally I managed to run cmd.exe through the taskbar on startup and run ComboFix from the shell. It ran process 49 only, and I got back enough functionality to run RemoveIT Pro v8. The computer seems "cleaner" but is by no means clean, I think.

    For example, running SUPERAntiSpyware or ComboFix causes the computer to shut down to a blue error screen asking for a restart and stating Windows has closed to prevent further harm being done to the computer.

    I attach what files I can to this post, but I cannot run a lot of the anti-malware tools as stated, e.g. Malwarebytes, SAS, ComboFix, RootRepeal.

    So I attach the RemoveIT Ultra log, the ComboFix log (which did work), and the HijackThis log.
     
  17. samuk1000

    samuk1000 Private E-2

    Sorry: MBAM, HijackThis, RemoveIT Ultra 8.
     

    Attached Files:

  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Oh my :( What happened since the last time I declared you all clean? Ideally you should have started a new thread anyway, but we will continue on now.

    This report is a false positive anyway:
    Pev.exe is safe, and it's part of combofix.

    Now, without seeing at least logs from MGTools I am not going to be able to help you. I also want to try and get a combofix log.

    Rename Combofix.exe to Kestrel.com and rename MGTool.exe to 123.com and see how you get along with that. If you cannot manage this in normal mode, then do try safe mode.
     
  19. samuk1000

    samuk1000 Private E-2

    Combofix crashed system again (as Kestrel.com)
    As follows (blue screen).

    fasttx2k_2.sys

    PAGE_FAULT_IN_NONPAGED_AREA

    Technical details
    STOP 0x00000050
    (0xA709CS75, 00000001, B09D0899, 00000000)

    ***fasttx2k_2.sys
    base at B0924000
    Datestamp 3f306b36

    MGtools attached.

    What happened was I was online and running a couple of programs when suddenly a popup appeared as a blank window saying "personal settings"; everything slowed, and then nothing worked anymore, everything giving a dwwin.exe error. I managed to access a shell by running Task Manager (Ctrl+Alt+Del) before all the startup items loaded and ran ComboFix, but this only carried out the number 49 scan. SAS and MBAM crash as soon as they find trojans/viruses. ComboFix crashes Windows as it is preparing to scan.

    Noticed a couple of processes which seem to crop up when malware is running on the machine, *.pif and CATCHME.tmp; I don't know what these are.

    Safe mode crashes to the blue screen before getting in to windows.
     

    Attached Files:

  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Not a problem. And ...

    Catchme is not a problem, it is just part of gmer/combofix and other tools.

    Going through your logs now
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Why are you using this computer without running anti-virus?? I believe you were using Avast at one stage. In my final steps was a link to how to protect yourself from malware, and that included a reference to a list of recommended ones.

    Before I give you final steps this time, you should install some AV and a third party firewall. Because if you come seeking malware removal assistance again, you could be refused help if not protected.

    2. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    3. I had asked you to rename combofix to kestrel.com not Kestrel.com.exe. Please rename it exactly as I suggested.

    4. What exactly is this file on your desktop?

    5. What do you know about this small file? Do the properties of it reveal anything?

    6. Please go to Jotti's malware scan

    (If more than one file needs to be scanned, they must be done separately and logs posted for each one)
    • Copy the file path in the below Code box:
      Code:
      C:\WINDOWS\system32\admparsed.exe
    • At the upload site, click once inside the window next to Browse.
    • Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    • Next click Submit file
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    Then do the same for the below file and also let me know the results:

    Code:
    C:\WINDOWS\system32\bfvf.bxo

    7. Could you please get this: admparsed.exe into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:

    log retrievable @ C:\collect.zip

    8. Now download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    9. Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    10. Now try and run kestrel.com (combofix) again, if not in normal mode then try again in safe mode.

    11. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from avenger and hopefully you were successful with CF this time. Also let me know the jotti results and attach the collect.zip.

    12. Let me know how things are running, please.
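Two of the files asked about in the post above, admparsed.exe and bfvf.bxo, sit in system32, which is exactly where malware likes to hide among hundreds of legitimate files. The usual first-pass triage is three questions: is the name in a baseline for this OS build, is it one or two characters away from a real system binary (a lookalike), and does the content match the extension (a PE image with a .bxo name is a DLL pretending not to be one). The following Python script is an added example, not part of the thread or of MGTools. The baseline list is a small constructed sample rather than a real inventory, the files it scans are constructed stubs carrying only an MZ header (not the real samples from this machine), and wuaucldt.exe is a constructed lookalike of wuauclt.exe used to exercise the edit-distance check.

```python
"""First-pass triage of files in a system directory.

Added example for this thread; not part of MGTools, HijackThis or any other
tool named here.  Three checks: name not in a baseline of legitimate
binaries, name one or two edits away from a legitimate binary (a lookalike),
and file content that starts with the PE 'MZ' header but carries an
extension Windows would not normally execute.
"""
import tempfile
from pathlib import Path

# Constructed baseline: a handful of real Windows XP system32 names.
# Assumption: a real check would use the full inventory for the exact build
# (and verify hashes or signatures, which this example does not).
BASELINE = {
    "cmd.exe", "tcpip.sys", "wuauclt.exe", "svchost.exe", "lsass.exe",
    "userinit.exe", "winlogon.exe", "msiexec.exe", "ntoskrnl.exe",
}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}


def edit_distance(a, b):
    """Levenshtein distance: minimum insert/delete/substitute edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_pe(path):
    """True if the file begins with the 'MZ' DOS stub every PE image has."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def triage_file(path):
    """Return the list of reasons this file deserves a look (empty = none)."""
    path = Path(path)
    name = path.name.lower()
    ext = path.suffix.lower()
    if name in BASELINE:
        return []                        # known name; content not verified here
    reasons = []
    for known in sorted(BASELINE):
        if 0 < edit_distance(name, known) <= 2:
            reasons.append("lookalike of " + known)
    pe = is_pe(path)
    if pe and ext not in PE_EXTENSIONS:
        reasons.append("PE image with non-executable extension " + repr(ext))
    if pe or ext in PE_EXTENSIONS:
        reasons.append("executable not in baseline")
    return reasons


def triage_dir(directory):
    """Map file name -> reasons, for every flagged file in the directory."""
    flagged = {}
    for p in sorted(Path(directory).iterdir()):
        if p.is_file():
            reasons = triage_file(p)
            if reasons:
                flagged[p.name] = reasons
    return flagged


def demo():
    """Constructed stand-in for system32 using names from this thread."""
    d = Path(tempfile.mkdtemp())
    stub = b"MZ" + b"\x00" * 62              # constructed MZ stub, not a real PE
    (d / "tcpip.sys").write_bytes(stub)      # baseline name: not flagged
    (d / "cmd.exe").write_bytes(stub)        # baseline name: not flagged
    (d / "admparsed.exe").write_bytes(stub)  # unknown executable name
    (d / "bfvf.bxo").write_bytes(stub)       # PE content behind a .bxo name
    (d / "wuaucldt.exe").write_bytes(stub)   # constructed lookalike of wuauclt.exe
    (d / "readme.txt").write_bytes(b"text")  # not a PE: ignored
    return triage_dir(d)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

The name checks are cheap and catch the two tricks seen on this machine (a random-looking name, and a PE file under a non-executable extension); the lookalike check is what catches a Run entry pointing at a near-miss of a Windows binary. A name that is in the baseline is deliberately not cleared by this script, since cmd.exe or tcpip.sys can be replaced in place; for those, hash or signature verification is the next step.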
     
  22. samuk1000

    samuk1000 Private E-2

    I am using RemoveIT Ultra v8 for AV.
    I will reinstall PC Tools Firewall Plus; I uninstalled it because it was crashing the system when I had the previous malware.

    Check

    Check

    I did this already. Still crashed the system.

    4. What exactly is this file on your desktop?

    MGTools renamed.

    When I opened C:\{ed902d57-ac1b-405a-9026-b6f25799d38e} in Notepad, it says the following:

    "Gootkit lock file. dont remove, please"
     
    Last edited by a moderator: Mar 26, 2010
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thanks for answering all my questions. But I cannot assist you until you attach the requested logs and jotti results.

    and please delete the renamed MGTools program from your Desktop. You don't need it anymore and it does not belong on your Desktop anyway.
     
    Last edited by a moderator: Mar 26, 2010
  24. samuk1000

    samuk1000 Private E-2

    Sorry Kestrel, I did not mean to post the above until I had finished. Phew. Kestrel.com worked a treat. It detected rootkit activity and shut down to the error screen, but worked on reboot and the log is attached.

    This thing was not allowing me access to jotti and many other sites such as google and basically causing a bunch of stress. I ordered a new computer this week anyway as this is getting old. But I won't let those f**kers win. At least not with your kind help.

    I am using RemoveIT Ultra v8 for AV.
    I will reinstall PC Tools Firewall Plus; I uninstalled it because it was crashing the system when I had the previous malware.

    Check

    Check

    I did this already. Still crashed the system.

    4. What exactly is this file on your desktop?

    MGTools renamed.

    When I opened C:\{ed902d57-ac1b-405a-9026-b6f25799d38e} in Notepad, it says the following:

    "Gootkit lock file. dont remove, please"



    Then do the same for the below file and also let me know the results:

    Code:
    C:\WINDOWS\system32\bfvf.bxo

    RESULTS:

    C:\WINDOWS\system32\admparsed.exe - nasty
    File size: 44032 bytes
    Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5: 017308b7027ebfe8e4f2206434086bc4
    SHA1: e4c3fd2a9eb9329ea8d14478417c014e2e3687d2

    [ArcaVir]
    2010-03-26 Found nothing
    [F-Secure Anti-Virus]
    2010-03-26 Trojan-Spy:W32/Zbot.PLI
    [A-Squared]
    2010-03-26 Found nothing
    [G DATA]
    2010-03-26 Found nothing
    [Avast! antivirus]
    2010-03-26 Found nothing
    [Ikarus]
    2010-03-26 Found nothing
    [Grisoft AVG Anti-Virus]
    2010-03-26 SHeur3.MNT
    [Kaspersky Anti-Virus]
    2010-03-26 Found nothing
    [Avira AntiVir]
    2010-03-26 Found nothing
    [ESET NOD32]
    2010-03-26 Win32/Kryptik.DFO
    [Softwin BitDefender]
    2010-03-26 Found nothing
    [Panda Antivirus]
    2010-03-26 Found nothing
    [ClamAV]
    2010-03-26 Found nothing
    [Quick Heal]
    2010-03-26 Found nothing
    [CPsecure]
    2010-03-26 Found nothing
    [Sophos]
    2010-03-26 Mal/FakeAV-BT
    [Dr.Web]
    2010-03-26 Found nothing
    [VirusBlokAda VBA32]
    2010-03-24 Found nothing
    [Frisk F-Prot Antivirus]
    2010-03-26 Found nothing
    [VirusBuster]
    2010-03-26 Found nothing


    C:\WINDOWS\system32\bfvf.bxo - also nasty
    File size: 28160 bytes
    Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
    MD5: 37a421521b3818fbe6c5d8282bc9e2bc
    SHA1: 7577da27ae73682bb407a4efa1c099e8fb8d0136


    [ArcaVir]
    2010-03-26 Found nothing
    [F-Secure Anti-Virus]
    2010-03-26 Trojan.Win32.Agent.douf
    [A-Squared]
    2010-03-26 Trojan.Win32.Agent!IK
    [G DATA]
    2010-03-26 Found nothing
    [Avast! antivirus]
    2010-03-26 Found nothing
    [Ikarus]
    2010-03-26 Trojan.Win32.Agent
    [Grisoft AVG Anti-Virus]
    2010-03-26 Agent2.AMUV
    [Kaspersky Anti-Virus]
    2010-03-26 Trojan.Win32.Agent.douf
    [Avira AntiVir]
    2010-03-26 Found nothing
    [ESET NOD32]
    2010-03-26 Win32/Oficla.EZ
    [Softwin BitDefender]
    2010-03-26 Found nothing
    [Panda Antivirus]
    2010-03-26 Trj/Downloader.MDW
    [ClamAV]
    2010-03-26 Found nothing
    [Quick Heal]
    2010-03-26 Found nothing
    [CPsecure]
    Scanning, please wait...
    [Sophos]
    2010-03-26 Mal/Oficla-A
    [Dr.Web]
    2010-03-26 Trojan.Oficla.32
    [VirusBlokAda VBA32]
    2010-03-24 Found nothing
    [Frisk F-Prot Antivirus]
    2010-03-26 Found nothing
    [VirusBuster]
    2010-03-26 Found nothing

    collect.zip attached.

    avenger.txt attached

    Check


    See above done - YES. This is a powerful tool.

    .zips attached

    Smooth so far. Browser functionality seems back. Overall feel smoother.



    RemoveIT Pro Ultra 8 (is this OK as AV?)

    Will reinstall PC Tools Firewall Plus. Last time I accepted malware processes and got screwed, though.

    ***I think Avenger ran OK, but because RemoveIT found "cleanup.exe" set to run on startup, I disallowed it, then realised it was probably Avenger and ran it again, by which time it had deleted the files anyway.
     

    Attached Files:
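The results pasted in the post above are the useful kind of evidence: two independent hashes per file, and a per-engine verdict from twenty-odd engines, where several engines naming a specific family (Zbot, Oficla, FakeAV) counts for more than the raw ratio, and 0/20 on tcpip.sys earlier in the thread was a clean bill. The script below is an added example, not part of the thread or of Jotti's service. It parses a constructed, shortened copy of the report above (same [Engine] / date verdict layout, including the CPsecure "Scanning, please wait..." state), computes the detection ratio over the engines that actually finished, reads the hashes the report states, and hashes a local file against an IOC table seeded with the MD5/SHA1 values from the post. The file it hashes is a constructed stand-in, so it is expected not to match the posted hashes; demo() also exercises the match path by adding the stand-in's own hashes to a local table, which is what you would do after confirming a sample.

```python
"""Parse a multi-engine scan report and match local files against its hashes.

Added example for this thread; not part of Jotti's service or of any tool
used here.  SAMPLE_REPORT is a constructed, shortened copy of the results
pasted above, in the same '[Engine]' / 'date verdict' layout; IOC_HASHES
holds the MD5/SHA1 values from that post.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# MD5 and SHA1 of the two flagged files, keyed by hash, as posted.
IOC_HASHES = {
    "017308b7027ebfe8e4f2206434086bc4": "admparsed.exe",
    "e4c3fd2a9eb9329ea8d14478417c014e2e3687d2": "admparsed.exe",
    "37a421521b3818fbe6c5d8282bc9e2bc": "bfvf.bxo",
    "7577da27ae73682bb407a4efa1c099e8fb8d0136": "bfvf.bxo",
}

_ENGINE = re.compile(r"^\[(?P<engine>[^\]]+)\]$")
_RESULT = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<verdict>.+)$")
_HASH = re.compile(r"^(?P<algo>MD5|SHA1):\s*(?P<hex>[0-9a-fA-F]+)$")

# Constructed sample (shortened from the post; CPsecure left mid-scan).
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\admparsed.exe
File size: 44032 bytes
MD5: 017308b7027ebfe8e4f2206434086bc4
SHA1: e4c3fd2a9eb9329ea8d14478417c014e2e3687d2

[ArcaVir]
2010-03-26 Found nothing
[F-Secure Anti-Virus]
2010-03-26 Trojan-Spy:W32/Zbot.PLI
[Grisoft AVG Anti-Virus]
2010-03-26 SHeur3.MNT
[ESET NOD32]
2010-03-26 Win32/Kryptik.DFO
[CPsecure]
Scanning, please wait...
[Sophos]
2010-03-26 Mal/FakeAV-BT
"""


def parse_report(text):
    """{engine: verdict}; None = clean, 'pending' = engine never finished."""
    results, engine = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _ENGINE.match(line)
        if m:
            engine = m.group("engine")
            results[engine] = "pending"      # overwritten by its result line
            continue
        m = _RESULT.match(line)
        if m and engine is not None:
            verdict = m.group("verdict").strip()
            results[engine] = None if verdict.lower() == "found nothing" else verdict
    return results


def reported_hashes(text):
    """Hashes the report itself states, e.g. {'md5': ..., 'sha1': ...}."""
    found = (_HASH.match(raw.strip()) for raw in text.splitlines())
    return {m.group("algo").lower(): m.group("hex").lower() for m in found if m}


def detection_ratio(results):
    """(engines that flagged, engines that finished); pending ones excluded."""
    finished = [v for v in results.values() if v != "pending"]
    return sum(1 for v in finished if v), len(finished)


def file_hashes(path):
    """MD5 and SHA1 of a file, streamed so large files are fine."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def match_iocs(path, iocs):
    """{'md5'|'sha1': label} for each of the file's hashes present in iocs."""
    return {algo: iocs[h] for algo, h in file_hashes(path).items() if h in iocs}


def demo():
    """Run everything on the sample report and a constructed stand-in file."""
    stand_in = Path(tempfile.mkdtemp()) / "admparsed.exe"
    stand_in.write_bytes(b"MZ" + b"\x00" * 62)   # constructed, not the real sample
    results = parse_report(SAMPLE_REPORT)
    local = dict(IOC_HASHES)                      # table you keep after confirming a file
    local.update({h: "stand-in" for h in file_hashes(stand_in).values()})
    return {
        "ratio": detection_ratio(results),                  # (4, 5) here
        "pending": [e for e, v in results.items() if v == "pending"],
        "reported": reported_hashes(SAMPLE_REPORT),
        "match_posted": match_iocs(stand_in, IOC_HASHES),   # {}: stand-in is not the sample
        "match_local": match_iocs(stand_in, local),         # hit on the stand-in's own hashes
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The ratio deliberately ignores engines still scanning, so a half-finished page is not read as a low detection count; and comparing reported_hashes() against file_hashes() of the copy you actually have is how you confirm the file on disk is the one the engines judged, rather than a different file that merely shares the name.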

  25. samuk1000

    samuk1000 Private E-2

    admparsed.zip

    admparsed.zip included in collect.zip


    After I examined the properties of the C:\{letters} small file, RemoveIT Pro found a Win32.Unknown.Random.X virus on object c:\windows\system32\cmd.exe.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NOTE: I recommend you uninstall this immediately. I don't recommend any InCode Solutions software as they are notorious for false detections and constantly indict valid programs as malware. They frequently even declare valid Microsoft files to be problems. This software is not properly tested.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: admparsed.zip

    See what I mean! This is the Windows Command Prompt program.
     
  28. samuk1000

    samuk1000 Private E-2

    Thanks done. Will go back to avast + PCtools firewall +
     
  29. samuk1000

    samuk1000 Private E-2

    Am going with sygate not PCT.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sygate was discontinued years ago and really does not provide adequate firewall features these days since it has not been updated in many years.
     
  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ok here's a fix. Please in future be very cautious about how you surf and where you surf to. I would also like to point out that the "stumble upon" toolbar and features can also land you in trouble as you do not know where the heck you are going to.

    1. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe

    After clicking Fix exit HJT.

    2. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Fcopy::
    C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
    
    FireFox::
    FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?&o=13795&l=dis&q=
    
    File::
    C:\WINDOWS\system32\admparsed.exe 
    C:\WINDOWS\system32\bfvf.bxo
    c:\windows\system32\wuaucldt.exe
    C:\{ed902d57-ac1b-405a-9026-b6f25799d38e}  
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "syncman"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    3. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
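    After the fix above, it is worth confirming that each item the CFScript targets is actually gone and has not been recreated on reboot. The script below is an added verification aid, not one of MajorGeeks' tools or anything posted in this thread; it assumes the same paths and registry value as the CFScript, and Get-FileHash requires PowerShell 4 or later.

```powershell
# Added verification script (not part of the thread or MajorGeeks' tools).
# Re-checks the items the CFScript above removes or restores. Run elevated.

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$badValue = 'syncman'
$badFiles = @(
    "$env:windir\system32\admparsed.exe",
    "$env:windir\system32\bfvf.bxo",
    "$env:windir\system32\wuaucldt.exe",
    'C:\{ed902d57-ac1b-405a-9026-b6f25799d38e}'
)
$driver    = "$env:windir\system32\drivers\atapi.sys"
# Clean copy named in the Fcopy:: line (Windows Update download cache).
$cleanCopy = "$env:windir\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys"

$problems = @()

# 1. The autorun value fixed in HijackThis must not have come back.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $badValue)) {
    $problems += "Run value '$badValue' still present: $($run.$badValue)"
}

# 2. Every file listed under File:: should be absent. -LiteralPath is
#    needed because the GUID-named file contains braces.
foreach ($f in $badFiles) {
    if (Test-Path -LiteralPath $f) { $problems += "Still on disk: $f" }
}

# 3. The live atapi.sys should be byte-identical to the copy the Fcopy
#    restored it from; a mismatch means it was changed again.
if ((Test-Path -LiteralPath $driver) -and (Test-Path -LiteralPath $cleanCopy)) {
    $liveHash  = (Get-FileHash -Algorithm SHA256 -LiteralPath $driver).Hash
    $cleanHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $cleanCopy).Hash
    if ($liveHash -ne $cleanHash) { $problems += 'atapi.sys differs from the clean copy' }
}

# 4. The FireFox:: line resets keyword.URL; any prefs.js still setting it
#    (the default is not written to prefs.js) deserves a look.
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Filter prefs.js -Recurse -ErrorAction SilentlyContinue |
    Select-String -Pattern 'keyword\.URL' |
    ForEach-Object { $problems += "prefs.js still sets keyword.URL: $($_.Line.Trim())" }

if ($problems.Count -eq 0) { 'All CFScript targets verified clean.' }
else { $problems | ForEach-Object { "WARN: $_" } }
```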
     
  32. samuk1000

    samuk1000 Private E-2

    Re: Russian hacker problems...latest logs

    Hi Kestrel,

    Here are my latest logs.

    Sam
     

    Attached Files:

  33. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Those logs look good now Sam. Please rename kestrel.com back to combofix.exe otherwise final steps will not go smoothly.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  34. samuk1000

    samuk1000 Private E-2

    Thanks. About 30 files came up as containing security risks/viruses on the Avast scan I ran today. Some of them were ComboFix quarantined files, but others were files sitting in folders on the computer. Do you know how to extract a log to Notepad from Avast free edition?
     
  35. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    avast.jpg

    Open up avast by double clicking its bubble in the system tray, choose the type of scan you want > click on more details > at the bottom of "more details", when that expands, click on "settings", which will bring up the scan settings dialogue box. Click on "report file" and select generate report file. Enter a file name, and choose the file type: Plain Text (ANSI).

    Ok that, start your scan, and at the end of it, it should give you the option to view the report. :)
     
