Desktop.ini and ComboFix

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by INeedHelp., Jun 9, 2012.

  1. INeedHelp.

    INeedHelp. Private E-2

    Hello, a few days ago Trend Micro detected a virus located in C:\windows\assembly\GAC_32\Desktop.ini
    I have tried so many things, but I can not remove it in any way, it redirects my web pages and causes my computer to freeze.
    I tried reading other threads about this problem and I read about ComboFix, but I am not an expert and I don't want to do more damage by running it, can someone please help me?
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
• Double click MBRCheck.exe to run it (on Vista and Win 7, right-click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.


    Now do not stop, please continue on with the below instructions too! :)

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. INeedHelp.

    INeedHelp. Private E-2

    Here are the report and the log.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you miss this???
     
  5. INeedHelp.

    INeedHelp. Private E-2

    No, but it took me ages to follow all the steps because my computer keeps freezing. I did everything, but ComboFix only does the extraction and does not run and RootRepeal says "Error - RootRepeal does not support 64-bit OSs!"
    Also Trend Micro stopped working, it says "starting your protection", but it doesn't start even if I wait for a long time.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Please click Start, Run, enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt, each followed by the Enter key. The command comes first on each line; the text after <-- is merely informational.

• cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
• nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
• GRK64 <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
• SN64 <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.


    Download OTL to your desktop.

• Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
• (Vista and Windows 7 users: right-click OTL and choose Run as Administrator.)
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  7. INeedHelp.

    INeedHelp. Private E-2

    nwktst it said "the ordinal 1108 could not be located in the dynamic link library WSOCK32.dll"

    I didn't get any error messages when i entered the other commands.

OTL only gave me OTL.Txt, I'm attaching it here.
     

    Attached Files:

• OTL.Txt (84.5 KB, 6 views)
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So did it produce a new MGlogs.zip?

    Please uninstall anything relating to Searchqu Toolbar, Paretologic and Bandoo Media if they show.

    Please try renaming combofix.exe to b7ytDF.com and boot into safe mode to see if it will run at all.


    We need to run an OTL Fix

• Right-click OTL.exe and select "Run as administrator" to run it. If Windows UAC prompts you, please allow it.
• Copy and paste the following code into the textbox. Do not include the word Code
Code:
    :otl
    IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=164&systemid=406&sr=0&q={searchTerms}
    IE - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
    C:\windows\assembly\GAC_32\Desktop.ini
    IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=164&systemid=406&sr=0&q={searchTerms}
    O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll ()
    O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll ()
    C:\PROGRA~2\WI3C8A~1\Datamngr
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll) - C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll (Bandoo Media, inc)
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll) - C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll (Bandoo Media, inc)
    O20 - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\datamngr.dll) - C:\PROGRA~2\WI3C8A~1\Datamngr\datamngr.dll (Bandoo Media, inc)
    O20 - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\IEBHO.dll) - C:\PROGRA~2\WI3C8A~1\Datamngr\IEBHO.dll (Bandoo Media, inc)
    [2012/06/07 18:00:00 | 000,000,424 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
    [2012/06/04 23:01:48 | 000,000,448 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Anti-Virus PLUS.job
    [2012/06/11 16:05:36 | 000,076,800 | ---- | C] () -- C:\Windows\Installer\{13851150-6554-632f-43c3-3e704e0e6a72}
    @Alternate Data Stream - 135 bytes -> C:\ProgramData\Temp:4CF61E54
    @Alternate Data Stream - 133 bytes -> C:\ProgramData\Temp:05EE1EEF
    @Alternate Data Stream - 132 bytes -> C:\ProgramData\Temp:2F370DA6
    @Alternate Data Stream - 126 bytes -> C:\ProgramData\Temp:115CEE00
    @Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:A724744F
    @Alternate Data Stream - 121 bytes -> C:\ProgramData\Temp:AB689DEA
    
    :commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
• Then click the Run Fix button at the top.
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. ATTACH that report in your next reply.


For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
• Note: Replace the letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)

    Now run OTL again like you did in my post # 6. Attach the log.

    Also now see if you can run MGTools.exe again and see if it will produce a complete MGlogs.zip.

    Let me know about Combofix too please.
     
  9. INeedHelp.

    INeedHelp. Private E-2

    No, it did not produce a new MGlogs.zip.

I renamed combofix, but it did only the extraction, even in safe mode.

Here are the OTL report, the FRST log, the OTL log and the MGlogs.zip. MGtools showed me an error message "the ordinal 1108 could not be located in the dynamic link library WSOCK32.dll", but it finished the scan.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'll try to keep you moving along while Kestrel13! is not around. ;)

    Download this >> View attachment fixlist.txt


    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

Now boot into normal Windows and continue with the below.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below logs:
    • Fixlog.txt from FRST
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  11. INeedHelp.

    INeedHelp. Private E-2

    Here are the files, it's not working properly, trend micro disappeared (?), my desktop is messed up and sometimes it says I can't access my profile when i boot.
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Hopefully you will be able to get through the below. The issues you are having are no doubt due to the damage the malware has caused.


    Uninstall the below if you can.

• Java(TM) 6 Update 22
• Java(TM) 6 Update 26





    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6


    Now Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Run FRST again like you did in my post #8. Attach the log from doing so.

    Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
    Last edited: Jun 13, 2012
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Note that none of the below are problems and do not need to be fixed. INeedHelp. has this software installed.
In fact, after a more detailed look, nothing in this last fix other than the Java update and the below needs to be performed.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421;<local>
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    @Chas. Sorry. I was under the impression that searchautocomplete.com was a dodgy website, and also that datamngr.dll related to searchqu stuff as I swore I saw that in one of the logs.

    I would love to see the new log from FRST when the user attaches it after running again. There is still malware here. Possibly.
     
    Last edited: Jun 13, 2012
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please explain what you mean.

    It was not installed when you posted your first logs. You will have to install it if you use it.
     
  16. thisisu

    thisisu Malware Consultant

    Just FYI that proxy is part of the Akamai software that is installed. ;)
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I'm just going to check new FRST log and new MGlogs.zip if that's okay with everyone. :)
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yep. :-D
     
  19. INeedHelp.

    INeedHelp. Private E-2

    Chaslang i'll try to install trend micro again, but I do get an icon saying "starting your protection" and the control panel shows that it's installed...

    Kestrel13! I attached the logs.

It looks like it's working ok now. It does not freeze and I don't have any problems accessing my profile when I boot.

Silly question (probably) ^^' "The 'Java(TM) Plug-In SSV Helper' add-on from 'Sun Microsystems, Inc.' is ready for use." Should I enable it?
     

    Attached Files:

  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there.

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click; use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only). Select the following lines but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:



    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix exit HJT.


Please note, the O20 line relates to imesh, which is not installed on your computer right now. Was it something you once had installed knowingly?


    Please download Combofix as per the instructions in the Read and Run Me First procedures, to your desktop.

    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\progra~2\wi3c8a~1\datamngr\datamngr.dll
    Folder::
    c:\progra~2\wi3c8a~1
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Please note, the use of keygens, torrents, and "cracks" is an open doorway for malware to come straight through...
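
The OTL fix in post #8 and the CFScript above both target the same three persistence points: the AppInit_DLLs value (a DLL listed there is loaded into every process that loads user32.dll, which is how datamngr.dll and IEBHO.dll were reaching the browser), the IE SearchScopes entries that redirected searches to dts.search-results.com, and the alternate data streams OTL reported on C:\ProgramData\Temp. The script below is an added read-only check, not part of the thread and not from OTL, ComboFix or any MajorGeeks tool, for confirming after a fix that those locations are clean. The indicator strings (datamngr, iebho, searchqu, search-results.com) and the paths are taken from the logs quoted in this thread; anything else it flags is only a prompt to look closer, not a verdict. It needs an elevated 64-bit PowerShell, and the ADS section needs PowerShell 3.0 or later for the -Stream parameter.

```powershell
# Added post-cleanup audit (example code, not the thread's or any tool's own).
# Reads the persistence points the OTL fix / CFScript removed and reports
# anything that still references the adware seen in this thread's logs.
# Indicator list and paths are assumptions taken from the quoted logs.

$indicators = @('datamngr', 'iebho', 'searchqu', 'search-results.com')

function Test-Indicator {
    param([string]$Text)
    if (-not $Text) { return $false }
    $lower = $Text.ToLower()
    foreach ($i in $indicators) {
        if ($lower.Contains($i)) { return $true }
    }
    return $false
}

# 1. AppInit_DLLs in both the native (64-bit) and the WOW6432Node (32-bit)
#    view of the hive; the OTL log showed entries in both.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($k in $appInitKeys) {
    if (-not (Test-Path $k)) { continue }
    $p = Get-ItemProperty -Path $k
    Write-Host "[$k]"
    Write-Host ("  LoadAppInit_DLLs = {0}" -f $p.LoadAppInit_DLLs)
    Write-Host ("  AppInit_DLLs     = '{0}'" -f $p.AppInit_DLLs)
    if ($p.AppInit_DLLs -and $p.AppInit_DLLs.Trim() -ne '') {
        if (Test-Indicator $p.AppInit_DLLs) {
            Write-Warning "  AppInit_DLLs still references a Datamngr/Searchqu DLL"
        } else {
            Write-Warning "  AppInit_DLLs is non-empty; verify every entry is expected"
        }
    }
}

# 2. IE search scopes: DefaultScope plus the URL of every scope GUID,
#    in HKLM (both views) and HKCU, which is where the CFScript deleted keys.
$scopeRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
)
foreach ($root in $scopeRoots) {
    if (-not (Test-Path $root)) { continue }
    $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultScope
    Write-Host "[$root] DefaultScope = $default"
    Get-ChildItem -Path $root | ForEach-Object {
        $url  = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).URL
        $flag = if (Test-Indicator $url) { '  <-- hijacked scope' } else { '' }
        Write-Host ("  {0} : {1}{2}" -f $_.PSChildName, $url, $flag)
    }
}

# 3. Alternate data streams on the folder OTL flagged. ':$DATA' is the
#    ordinary unnamed stream; anything else is a named ADS worth a look.
foreach ($path in @('C:\ProgramData\Temp')) {
    if (-not (Test-Path $path)) { continue }
    $streams = Get-Item -Path $path -Force -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }
    if (-not $streams) { Write-Host "$path : no named alternate data streams" }
    foreach ($s in $streams) {
        Write-Warning ("ADS on {0}: {1} ({2} bytes)" -f $path, $s.Stream, $s.Length)
    }
}

# 4. The file Trend Micro originally detected.
$ini = 'C:\Windows\assembly\GAC_32\Desktop.ini'
if (Test-Path $ini) {
    $f = Get-Item -Path $ini -Force
    Write-Warning ("{0} still present ({1} bytes, modified {2})" -f $ini, $f.Length, $f.LastWriteTime)
} else {
    Write-Host "$ini not present"
}
```

Running it before and after a fix gives a before/after record that is easier to compare than two full OTL logs. Note that this reads the registry from a booted Windows, so a rootkit that filters registry or file reads (the reason the thread ran TDSSKiller, MBRCheck and FRST from the recovery environment first) could hide entries from it; treat a clean result here as confirmation of the fix, not as a substitute for the offline scans.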
     
  21. INeedHelp.

    INeedHelp. Private E-2

    No, I never installed imesh knowingly.
    Combofix finally worked!
     

    Attached Files:

  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I didn't think you had. Right, that's looking loads better. Only two registry keys remain which I want dead.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Reboot.

    Are you okay in the registry? Can you now try and see if those keys still exist or not? Let me know. :)
     
  23. INeedHelp.

    INeedHelp. Private E-2

    I got a success message =)
    And the keys are not there anymore.
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's wonderful news!! :)

    Ready for final steps -

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
  • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  25. INeedHelp.

    INeedHelp. Private E-2

    Noooooooo! I ran the MGclean.bat and my computer is very slow Now and my internet connection disappeared (i'm using a phone now)
    What happened?? :(
     
  26. INeedHelp.

    INeedHelp. Private E-2

    I managed to get my connection back, but it's still slow.
     
  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Slow running computers are not usually my area unless malware is at play... however, if you need to post in the software forum about this then you should provide this information:

    Please explain what operations are slow! For example answer the below:


    • Is boot up slow?
    • Is shutdown slow?
    • Is browsing/surfing slow?
    • Is downloading slow?
• Is running any application slow?
• Is it also slow in safe boot mode?
• Also, are any processes showing in Task Manager to be using a lot of CPU time?
    • Anything else slow?
     
  28. INeedHelp.

    INeedHelp. Private E-2

    Thank you very much for your help!!
    It is working fine now :-D
     
  29. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Glad to hear it. :-D
     
