Trojan.Gen.2 will not go away

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TriBeCa99, Aug 9, 2012.

  1. TriBeCa99

    TriBeCa99 Private E-2

    Hi there,

    My Symantec Endpoint Protection finds Trojan.Gen.2 in a .tmp file (most recently DWHCC2C.tmp) on a more or less daily basis. I'm having this issue on both a Win 7 desktop and a Win 7 laptop, but let's just deal with the desktop for now. The problem started approximately 6 months ago, and I've been ignoring it because it was not causing any noticeable performance degradation and I haven't been able to afford any downtime for serious removal efforts.

    The original infection came through a USB drive at some point, and likely was reinfected several times before autorun was disabled on these machines. All USB drives *should* be clean at this point, unless malware can survive a quick format.

    At any rate, I ran your READ & RUN ME FIRST on the PC yesterday. Logs are attached--I apologize I did not save the HitmanPro log as it came up with no hits at all. I am happy to run it again, however your instructions also indicated not to repeat any steps unless specifically instructed to do so, so I haven't re-run HitmanPro at this point.

    At any rate, after completing the R&RM steps I began a full data backup to an external 1TB drive. Autorun was off on the PC and the only visible file on the TB drive was a hidden System Volume Information folder (it had been quick-formatted by a clean Win XP laptop immediately prior). This morning when I arrived at work SEP auto-protect had logged Trojan.Gen.2 in the .tmp file I mentioned above--something I see basically every morning, as I said.

    Many thanks in advance for any help you can provide,
    ~TBC
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.


    Then immediately reboot your PC.

    After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.

    How are things working now?
     
  3. TriBeCa99

    TriBeCa99 Private E-2

    Deleted the indicated registry entries, rescanned and attached log as indicated. It wasn't until after the first couple of tries that I realized which entries you were referring to, as the naming in RogueKiller wasn't obvious to me at first.

    I'll keep my eye out for any further AV hits and will post back if they occur. Unless I get one before I leave work today it will most likely not be until Monday--but hopefully it'll be all clean.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks good now.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  5. TriBeCa99

    TriBeCa99 Private E-2

    Unfortunately the infection is not gone.

    When I arrived at work today I had the same Trojan.Gen.2 notification from SAV. I reran RogueKiller just now (redownloaded it via the link on MajorGeeks because it alerted me to a new version). The same Adobe Speed Launcher entries I deleted previously were back, so I marked them for deletion.

    I am attaching logs from both before and after deletion of those entries.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are the below still showing up on new scans?
    C:\Users\Jared\AppData\Roaming\service1043.exe) -> FOUND
    [SUSP PATH] HKUS\S-1-5-21-1277685125-4187367947-72843683-1000[...]\Run : Adobe Reader Speed Launcher (C:\Users\Jared\AppData\Roaming\service1043.exe)

    If yes, please do the below.

    Please do the below so that we can boot to System Recovery Options to run a scan.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
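The two RogueKiller lines quoted above are the pattern the rest of this thread chases: a Run value with a vendor-sounding name ("Adobe Reader Speed Launcher") whose target is an executable sitting in the user's AppData\Roaming folder. The script below is an added example, not RogueKiller's code and not anything from the original page: it parses a `reg export` of a Run key and applies the same two heuristics (target in a user-writable location; value name that claims a vendor but points outside that vendor's directory). The sample export is constructed for illustration; the SID and user name are the ones that appear in this thread, the "Sidebar" and "ccApp" entries are made up as benign controls.

```python
import re

# Constructed sample export, in the exact text format `reg export` writes.
# Only the first value is meant to be flagged; the other two are benign controls.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1277685125-4187367947-72843683-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\\Users\\Jared\\AppData\\Roaming\\service1043.exe"
"Sidebar"="C:\\Program Files\\Windows Sidebar\\Sidebar.exe /autoRun"
"ccApp"="\"C:\\Program Files (x86)\\Common Files\\Symantec Shared\\ccApp.exe\""
'''

# A .reg string value line: "name"="data", with \\ and \" escapes inside both parts.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# The executable at the front of a Run value: optionally quoted, arguments may follow.
_EXE_TARGET = re.compile(r'^"?([^"]*?\.exe)', re.IGNORECASE)

# Locations a low-privilege user (or anything running as that user) can write to.
# Legitimate auto-start entries almost always live under Program Files or Windows.
USER_WRITABLE = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " (generally, backslash + char -> char)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))


def target_path(data):
    """Pull the executable out of a Run value, whether quoted or bare, with or without args."""
    m = _EXE_TARGET.match(data)
    return m.group(1) if m else data


def suspicious_run_entries(reg_text):
    """Return [(value_name, exe_path, [reasons])] for Run entries matching the heuristics."""
    findings = []
    for key, name, data in parse_run_values(reg_text):
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        exe = target_path(data)
        # Normalise the two env-var spellings a dropper commonly uses so the markers still match.
        low = (exe.lower()
               .replace("%appdata%\\", "\\appdata\\roaming\\")
               .replace("%temp%\\", "\\appdata\\local\\temp\\"))
        reasons = []
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("SUSP PATH: target lives in a user-writable location")
        if "adobe" in name.lower() and "\\adobe\\" not in low:
            reasons.append("NAME MISMATCH: value name claims Adobe but target is not in an Adobe directory")
        if reasons:
            findings.append((name, exe, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"{name!r} -> {exe}")
        for reason in reasons:
            print("    ", reason)
```

To run it against a live machine, export the key first (`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` from an elevated prompt, then feed the file's text to `suspicious_run_entries`). The path heuristic is exactly the kind of generic check that produces the "[SUSP PATH]" tag in the thread, and it has the same caveat: some legitimate per-user installers do put their binaries under AppData\Local, so a hit is a lead to investigate (does the file exist, who signed it, when was it created), not a verdict.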
     
  7. TriBeCa99

    TriBeCa99 Private E-2

    Yes, those two entries are still appearing on new scans--see the RK log attached.

    Followed your instructions, see attached FRST log.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download this >> View attachment fixlist.txt


    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • Fixlog.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. TriBeCa99

    TriBeCa99 Private E-2

    Requested logs are attached. As always, I will have to wait to see if SEP reports anything over the next couple of days before I know whether I'm clean or not. I will report back on Monday.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean again. If the infection comes back again, you are going to have to figure out what you are running or which website you are accessing that is bringing it back, as it has been removed twice now.
     
  11. TriBeCa99

    TriBeCa99 Private E-2

    Hi again,


    Thanks so much for your help with this so far. I appreciate your concern that my logs have come back clean twice now, and yet the infection keeps returning.

    However, the very last thing I did before leaving work on Friday was to run the Farbar fix and MGTools scan and post them here. I then left the computer on over the weekend, and when I returned what I saw is shown in the attached screen shot.

    I visited literally no websites at all, and did nothing at all, with the computer between posting those logs and getting the AV result you see in the screen shot. The computer is in a locked office, so unless someone in housekeeping or engineering or one of my colleagues is manually reinfecting it (enormously unlikely), I'm either being reinfected over the network or the infection was not removed in the first place.

    Please don't give up on me here....
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay. Sometimes computers can be infected just by being connected to the internet even with no one using it; however, I don't think that is the case with these infections you had. What about someone plugging in a USB drive? Are any folders shared over a network?


    Not really helpful as we need to see the details of exactly what and where. Infection names are rarely of much use because AV companies invent their own names and they do not mean anything most of the time. That is just a generic detection name which provides us with zero info and many times these are false detections. So if you can select the items and click the Details button to provide more information, I may be able to comment more.

    Are you currently having any malware problems?
     
  13. TriBeCa99

    TriBeCa99 Private E-2

    The only USB drive was the one used to run FRST, I did leave it in over the weekend and it's still in there now. There are two network drives normally mounted, both from the same server which is an Ubuntu box I maintain. However, I've been replacing the RAID array in that box with larger drives, and the server was off the entire weekend so nothing could have spread over those drives.

    See attached for the details screen of the trojan.gen.2 auto-protect result that was waiting for me this morning.

    And no, I'm not experiencing any malware problems, but that doesn't mean there's not something here.... This rig is running a quad core CPU at 4.7 GHZ and has 16 GB of RAM, so it's unlikely I would experience a noticeable slowdown.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just a temp file and most likely just related to some program being used.

    Based on your logs, you are clean.

    You should complete the final instructions I gave in message # 4.
     
  15. TriBeCa99

    TriBeCa99 Private E-2

    Are you sure I'm clean? The logs may have looked that way immediately after cleaning, but see the attached RK log I ran just now.... This is hardly my specialty but it seems to me I'm being reinfected somehow.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well your other logs were coming up clean. Let's try a few things including a few more scans to dig deeper.

    Re-run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.


    Then immediately reboot your PC.


    Now goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller later where requested
    Now also run another new scan with RogueKiller and save a log as in original instructions and attach the new log.

    And we will add one more new scan to help us determine if anything else is hiding.


    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the [​IMG] text-field.
      Code:
      activex
      netsvcs
      
    • Now click the [​IMG] button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the TDSSKiller log
    • the new RogueKiller log
    • OTL.txt log
    • C:\MGlogs.zip
     
  17. TriBeCa99

    TriBeCa99 Private E-2

    All requested logs are attached.

    My apologies for the delay, please do not mistake it for disinterest or any lack of appreciation for your help. I had some serious issues with my RAID array after your last post that had to be dealt with, and required multiple (very time consuming) rebuilds and back-up of several terabytes of data, so I was unable to reboot the machine for quite some time. By the time I had all that done there was also a substantial backlog of (also time-consuming) analyses that had to be carried out, again preventing a reboot.

    Thanks so much again, hopefully we can nail it this time!
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    No problem. I have not been able to be here too much either due to real work of late.

    Okay this last RogueKiller log was clean. I just see some minor tweaks to finish off.



    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the [​IMG] text-field.
    Code:
    :OTL
    [2011/05/25 17:54:13 | 000,000,120 | ---- | C] () -- C:\Users\Jared\AppData\Local\Ugiburaranaw.dat
    [2011/05/25 17:54:13 | 000,000,000 | ---- | C] () -- C:\Users\Jared\AppData\Local\Vxiweduvakadevip.bin
    [2012/08/25 13:56:34 | 000,000,000 | ---D | M](C:\Windows\SysNative\???????????????????????????????) -- C:\Windows\SysNative\巯﹛矷孿￝￯翿﹛ﵿ뤿￝폕��￟痿翟￟翟罿翟￝ퟓ
    [2012/08/25 13:56:34 | 000,000,000 | ---D | C](C:\Windows\SysNative\???????????????????????????????) -- C:\Windows\SysNative\巯﹛矷孿￝￯翿﹛ﵿ뤿￝폕��￟痿翟￟翟罿翟￝ퟓ
    [2012/08/25 10:16:33 | 000,000,000 | ---- | M] ()(C:\Windows\SysWow64\??????????????)?????????????????????????????????????????????????????????????????????????) -- C:\Windows\SysWow64\ﵿﵿﵿ矍뤿翷뽷痝뭽꿿ᶿ�)繿﷿뭽꿿ᶿ■■ᶿ緿뭽꿿ᶿᶿ뽷ﵾ痿�■ᶿﵾ痿ᶿᶿᶿᶿᶿ뽷■痿ﵾ痿폕�睽�■睽睽�痿罿睽ᶿᶿᶿᶿ폕痿ᶿ�痿￟■
    [2012/08/25 10:16:33 | 000,000,000 | ---- | C] ()(C:\Windows\SysWow64\??????????????)?????????????????????????????????????????????????????????????????????????) -- C:\Windows\SysWow64\ﵿﵿﵿ矍뤿翷뽷痝뭽꿿ᶿ�)繿﷿뭽꿿ᶿ■■ᶿ緿뭽꿿ᶿᶿ뽷ﵾ痿�■ᶿﵾ痿ᶿᶿᶿᶿᶿ뽷■痿ﵾ痿폕�睽�■睽睽�痿罿睽ᶿᶿᶿᶿ폕痿ᶿ�痿￟■
    @Alternate Data Stream - 168 bytes -> C:\Users\Jared\Desktop\jared notes.jpeg:3or4kl4x13tuuug3Byamue2s4
    :Files
    C:\Users\Jared\AppData\Local\Ugiburaranaw.dat
    C:\Users\Jared\AppData\Local\Vxiweduvakadevip.bin
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    
    [REBOOT]
    • Now click the [​IMG] button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run one more RogueKiller scan to make sure it still comes up clean.


    Then attach the below logs:
    • the log from OTL
    • the new RogueKiller log
    Make sure you tell me how things are working now!
     
  19. TriBeCa99

    TriBeCa99 Private E-2

    I had two trojan.gen.2 warnings from my AV when I came in, so I reran RogueKiller before following these instructions to remove the two service1043.exe hits we've been seeing every time. Then I followed the rest of your instructions, and logs are attached.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay but this log does not show it. Are you saying it comes back again after the next reboot?
     
  21. TriBeCa99

    TriBeCa99 Private E-2

    No reboot necessary, it just comes back. I generally only reboot the system when windows releases patches, and even then sometimes I'm forced to wait another week or two before I get a chance to take it offline.

    It's entirely possible, if not likely, that that's what SEP is picking up on--the reinfection.

    So for example, my computer has not been rebooted since the last set of logs I uploaded, and yet see the attached RK log.

    Is it possible the smb share I have mounted from my linux machine with ~2.4TB of data on it is reinfecting it? Or from somewhere else over my work network?
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Back in message #13 you stated
    Can you please disconnect this PC from network and then have RogueKiller fix those same entries and immediately reboot. After reboot see if they are really fixed. If they are, still remain disconnected from the network and periodically check to see if they come back.
     
  23. TriBeCa99

    TriBeCa99 Private E-2

    I kept the rig offline (cable disconnected) for about 18 hours overnight yesterday and it was clean when I came in this morning. The most recent log is attached.

    Unfortunately I have to have it online, so it's plugged in again. I'll let you know if /when it gets infected again.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well then perhaps we have learned that another piece of equipment on your network is the source of the reinfection. Each time I have said you were clean, you were clean until some length of time later with the PC connected to the network. With it disconnected, it seems to remain clean.

    Now it is always possible that something on this PC is dialing out and redownloading the infection, but that seems less likely since nothing shows in the logs and your Symantec Endpoint firewall should be protecting you from this happening.... well hopefully it does unless someone has given the process permissions thru the firewall.
     
  25. TriBeCa99

    TriBeCa99 Private E-2

    Just ran a scan before leaving work here, and sure enough it was infected again. I've removed the offending files, but of course they'll be back.

    How should I proceed? I didn't notice any exceptions I don't recognize in the firewall rules. Is it more likely to be coming from my Ubuntu server that I am mounting two shares from, or is it equally likely to be coming from any random device on my work's local network?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't remove them next time. First look to see if the file actually exists. If it does, put a copy of it into a ZIP file and attach it here. Then after you have the ZIP file attached fix the problem with RogueKiller. And then immediately do the below

    Navigate to the below folder:
    C:\Users\Jared\AppData\Roaming

    Create a folder ( not a file ) with the below name:
    service1043.exe

    Change the permissions of this new folder to be Read-Only, Hidden

    While scans may still detect this strangely named folder, let's see if it blocks the ability of the infection from creating the file.

    It could be coming from anywhere. Including removable drives.
     
  27. TriBeCa99

    TriBeCa99 Private E-2

    Unfortunately the service1043.exe file does not seem to exist... at least not in that location
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! I wonder if it is hidden or it comes and goes? Try creating the below FOLDER name:

    C:\Users\Jared\AppData\Roaming\service1043.exe

    If you cannot create the folder, it would mean there is a file there already using that name.


    The next time you see that the registry entries have appeared, do not fix them. Try running the below online scan and attach the ESET log.

    Using ESET's Online Scanner
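The placeholder-directory trick from messages #26 and #28, written out as an added example (this is not code from the thread or from MajorGeeks). The idea is that a directory already holding the name `service1043.exe` makes any attempt to create a file of that name fail, and that a later "is it still a directory?" check tells you whether anything ever managed to write there. The script is Python rather than the GUI tools used in the thread so it runs anywhere; the scratch directory, file names and the `run_demo` helper are assumptions for illustration. On Windows it sets the Read-only and Hidden attributes through the Win32 `SetFileAttributesW` call, elsewhere it only creates the directory.

```python
import ctypes
import os
import pathlib
import tempfile

# Win32 file attribute bits (winnt.h).
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02


def plant_placeholder(path):
    """Occupy `path` with a directory so a dropper cannot create a file of that name.

    Returns "file-present" if a real file already sits there (keep it for
    analysis instead of clobbering it, as the thread asks), else "planted".
    """
    p = pathlib.Path(path)
    if p.exists() and not p.is_dir():
        return "file-present"
    p.mkdir(parents=True, exist_ok=True)
    if os.name == "nt":
        # Same attributes the thread recommends: Read-only + Hidden.
        ctypes.windll.kernel32.SetFileAttributesW(
            str(p), FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN)
    return "planted"


def dropper_would_succeed(path):
    """Do what a dropper does: try to create/overwrite a file at `path`.

    Note the side effect: if the name is free this really creates an empty file,
    so only point it at a scratch location.
    """
    try:
        with open(path, "wb"):
            pass
    except OSError:          # PermissionError on Windows, IsADirectoryError on POSIX
        return False
    return True


def placeholder_intact(path):
    """The later check from the thread: still a directory means no file of that name landed."""
    return pathlib.Path(path).is_dir()


def run_demo():
    """Exercise the technique in a throwaway directory and return what was observed."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "service1043.exe")   # the name the Run value points at
        real = os.path.join(tmp, "other.exe")            # an unclaimed name, for contrast
        results = (
            plant_placeholder(target),        # "planted"
            plant_placeholder(target),        # "planted" again: safe to repeat
            dropper_would_succeed(target),    # False: a directory already owns the name
            placeholder_intact(target),       # True
            dropper_would_succeed(real),      # True: nothing protects an unclaimed name
            plant_placeholder(real),          # "file-present": refuse to replace a real file
        )
    return results


if __name__ == "__main__":
    print(run_demo())
```

For the real location you would call `plant_placeholder(r"C:\Users\Jared\AppData\Roaming\service1043.exe")` from the affected account. The one thing this does not do is stop the registry value from being written, which is why the thread still sees the Run entry in later RogueKiller scans even though the folder was created without any trouble: a Run value pointing at a path that cannot be a file is inert, and the useful signal becomes whether the value keeps reappearing while the directory stays in place.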
     
  29. TriBeCa99

    TriBeCa99 Private E-2

    Okay sooooo.... things did not go exactly as planned.

    First off, I was able to create the service1043.exe directory no problem, even when roguekiller reported the threat as present.

    Next, I tried running ESET. It was a looooooooong scan and I ended up having to leave before it was done. While it was working, it reported Win32/PrcView as a threat, in addition to Win32/Dorkbot.D worm.

    I left work with it still running, and when I came in the next day my computer had BSOD'd. So I was unable to acquire a log.

    I reran it yesterday before leaving and it was done when I came in. There were no threats and I couldn't find any way to get a log out of it (given that there were no threats). There was a link file in some backed up data that it had quarantined, so I instructed it to delete that.

    Since I didn't have an ESET log for you, I ran RK and attached that log instead. As you can see service1043 was still there. I deleted it, so we'll see if it comes back tomorrow....
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When this problem appears, is Symantec actually detecting it? If so perhaps it is already removing something we need to see that is not showing up in scans.

    However, that being said, I still have to go back to the fact that this does not show up when you are not connected to your network, so I have to wonder if the problem is coming from some other PC on your network.

    Do you have any files/folders shared on this PC?
     
  31. TriBeCa99

    TriBeCa99 Private E-2

    Symantec detects it at some point, but based on the results of past RK logs it does not detect it at the moment the computer gets reinfected, but at some time later. Also, Symantec only ever identifies a problematic temp file, and is basically never able to do anything other than log it.

    Yes, I too wonder if the problem is from some other PC on the network.... I'm not sharing any folders, but I do have two samba shares mounted from an Ubuntu box.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does this folder still exist? If so, there is never any real infection of a file named service1043.exe running, since it can't exist with that folder in place.

    Just a false detection of process.exe used by MGtools and many other programs. It is just a simple command line task manager.

    Would need a log showing where this is found to determine if it is real or not. Nothing related to this showed in other logs, but those logs would not detect all aspects of this infection if it did exist. I would however expect that your Symantec Antivirus program would detect it.



    Please download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Remove Policies Set By Infections
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.
    Now run RogueKiller and attach a new log. If those lines exist, do not fix them. Just run the below:

    Download SystemLook_x64 from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      service1043.exe
      :filefind
      service1043.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes awhile for this to scan thru your whole system look for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.
     
  33. TriBeCa99

    TriBeCa99 Private E-2

    Yes, the folder still exists.

    Sadly the PC BSOD'd before the log was created. I can try a full system scan with SEP.... Like I say it does report "Trojan.Gen.2" on a regular basis, but not Dorkbot.D.




    All done, logs attached. Finds the registry entries but no files....
     

    Attached Files:

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay. Hopefully you still have not tried to fix these. I want to run the below ComboFix scan but only while these still exist.


    Now download and save a copy of combofix.exe and save it directly onto your Desktop folder.
    Then right click on it and select Run As Administrator. Do not disturb it by clicking in the window that opens or it may stall.
    After it finishes, it may reboot your PC. Attach the C:\combofix.txt log that it creates.
    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
     
  35. TriBeCa99

    TriBeCa99 Private E-2

    Okay, here's the log. And no, I didn't fix them prior to running this scan.
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the only thing Combofix showed was the below folder I had you create
    Code:
    2012-09-20 15:41 . 2012-09-20 15:41 -------- d-----w- c:\users\Jared\AppData\Roaming\service1043.exe
    
    Is it possible that you can uninstall ALL of the Adobe software you have on this PC just to make sure it is really not somehow related to Adobe?

    Also let's do the below with ComboFix where I'm going to remove those registry keys and replace them with a dummy entry.



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
     
  37. TriBeCa99

    TriBeCa99 Private E-2

    Unfortunately I've been too busy working on this machine to follow the instructions in your last post.

    However, I also happen to have noticed that I have seen no sign of the virus (no alerts from SEP) in over a week of continuous uptime. That hasn't happened since the infection appeared.

    In short, it looks to me like something we did in the last little while finally cleaned the infection permanently.

    What do you think?
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Were any other PCs on the network removed from the network or shutdown during this time? Or did any other PCs recently go thru a malware cleaning/scanning process .... even if automatic via an antivirus program?

    I would not think so since you still had the problem after previous fixes and you did not run the most recent one.
     
  39. TriBeCa99

    TriBeCa99 Private E-2

    My work network has probably roughly 1,000 PCs on it, so I can't really answer your first question.

    Couldn't Windows Repair or ESET have fixed it? Unfortunately I don't remember exactly but I think the last time I saw SEP report an infection was around the time I ran those.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I cannot really say for sure without having seen a log, but we were not able to get one. Is it possible.... yes.




    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Press and hold the Windows key [​IMG] and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
