IP address problem after running combofix

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Wharf_Rat, Dec 14, 2011.

  1. Wharf_Rat

    Wharf_Rat Private E-2

    Hello--

    I had the Google redirect virus, which ComboFix completely eliminated.

    However, since I ran ComboFix, I have been having an issue connecting to a VPN using Cisco. After much research, it appears that ComboFix may have eliminated/reset the IP address, default gateway, and server address in the registry.

    When I try to connect through Cisco, I get the message "The vpn client was unable to setup IP filtering. vpn connection will not be established"

    Unfortunately, I did not save ComboFix.exe to my desktop, so I will not be able to run the uninstall option and trigger the system restore in ComboFix.

    I'm assuming that the system restore (using the time/date I started running ComboFix) will reset and fix the IP address/gateway/server issues in the registry? Should I manually run System Restore going back to the date/time in the ComboFix log?

    Any help would be appreciated.

    View attachment ComboFix.txt
     
  2. thisisu

    thisisu Malware Consultant

    Hi :)
    I'm glad that the google redirects have stopped for you, but according to this CF log, your PC is still heavily infected.

    I would recommend starting with this thread: READ & RUN ME FIRST Malware Removal Guide
     
  3. Wharf_Rat

    Wharf_Rat Private E-2

    Yikes. That is not good news. The computer seems to be absolutely running fine, and superfast. No more popups or re-directs. I have run TDSSKiller, rfkiller, MBAM, SUPERAntiSpyware, CCleaner, VundoFix, etc.

    I had the Microsoft Security Windows virus with the pop-ups, the Google re-direct virus, and I'm sure numerous other trojan viruses.

    If there are any recommendations, I can run any of the various programs and post my logs if someone advises me on which programs to run. Thank you.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    As previously stated:
    READ & RUN ME FIRST. Malware Removal Guide
     
  5. Wharf_Rat

    Wharf_Rat Private E-2

    Ok. Will do. Will run it later this evening and update you.
     
  6. Wharf_Rat

    Wharf_Rat Private E-2

    OK. Followed all the steps in "READ & RUN ME". Attached are 4 logs from scans today. Didn't run RootRepeal as I have a 64-bit system.

    Also I noticed upon reboot, I keep getting a window popping up on the desktop asking me whether or not I want to "open file": C:\user\profile\sdsetup rewire207.exe
    Publisher: PCTools
    Type: Application


    Also, I think my comp is still infected with the pup.bitminer virus

    Combofix only took 10 mins this time. A few days ago it took 3 hrs.

    Thanks for the help.
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We didn't ask for a HJT log. Please attach the log from running MGTools.exe --- C:\MGLogs.zip.
     
  8. Wharf_Rat

    Wharf_Rat Private E-2

    Sorry about that. MGlog attached
     


  9. thisisu

    thisisu Malware Consultant

    Please download RogueKiller by Tigzy to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the number "1" and press ENTER.
    When it is finished -- Notepad will open with the report and the log is saved to your desktop.
    Attach RKreport[1].txt to your next message. (How to attach)
    You can now type the number "0" and press ENTER to exit RogueKiller.

    From Programs and Features (via Control Panel), please uninstall the below:
    • Ask Toolbar
    • BitTorrentBar Toolbar
    • Conduit Engine
    • Java(TM) 6 Update 29

    Code:
    AV: Microsoft Security Essentials *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
    AV: Norton Internet Security *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    Choose one AV to keep and uninstall the other. It is not recommended to run more than one Antivirus as described in step #2 here.

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach this file to your next message. (How to attach)

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    AtJob::
    ClearJavaCache::
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:52485
    DirLook::
    C:\13d7a3772f3112a85922220f
    Driver::
    AFS
    ccody
    ingkoct
    File::
    c:\windows\SysWow64\drivers\ccody.sys
    C:\cleanup.bat
    c:\windows\SysWow64\drivers\ingkoct.sys
    C:\Users\randy\AppData\Local\cupibp5b3wqn8vij3aox8y410e1b
    C:\Users\randy\AppData\Roaming\Microsoft\Windows\Templates\cupibp5b3wqn8vij3aox8y410e1b
    C:\ProgramData\cupibp5b3wqn8vij3aox8y410e1b
    C:\Users\randy\AppData\Roaming\Microsoft\Windows\Templates\6q83hsi6ew60bbv8472ui63bvg538g83tujr726w
    C:\ProgramData\24iLM21D1.dat
    C:\Windows\wygcgqkl.txt
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Windows\assembly\temp\lsflt7.ver
    C:\Windows\assembly\temp\keywords
    C:\Windows\assembly\temp\cfg.ini
    C:\Windows\assembly\temp\bckfg.tmp
    C:\Windows\assembly\temp\@
    C:\Windows\system32\zefhegc.txt
    C:\Windows\SysWOW64\zefhegc.txt
    FileLook::
    c:\windows\SysWow64\srrstr.dll
    C:\Windows\system32\srrstr.dll
    c:\windows\system32\win32k.sys
    Folder::
    C:\Windows\assembly\temp\U
    C:\ProgramData\PC Tools
    c:\program files (x86)\BitTorrentBar
    C:\Program Files (x86)\Ask.com
    C:\Users\randy\AppData\Local\{0353BF79-D789-4183-9BD3-478718D3EE3E}
    C:\Users\randy\AppData\Local\{0B521A4B-2089-4F0D-B5D3-4DD4243D2967}
    C:\Users\randy\AppData\Local\{109CE95C-E00F-45C9-8DAD-F536A7B80C44}
    C:\Users\randy\AppData\Local\{17581093-46A2-4E2C-9D8B-47ED56AFA6E6}
    C:\Users\randy\AppData\Local\{193EC269-B39C-4FA4-87CD-19DF7F90D10F}
    C:\Users\randy\AppData\Local\{199D72E6-009E-4594-8CF0-01755F142A4C}
    C:\Users\randy\AppData\Local\{1CFF6066-E19A-4C49-BCAD-80342DF8BE2F}
    C:\Users\randy\AppData\Local\{20EC3E08-2D98-42E7-905C-C967D72E7B5F}
    C:\Users\randy\AppData\Local\{22878440-57C4-4153-86DC-EAEF136A2829}
    C:\Users\randy\AppData\Local\{2D477066-8375-4196-9819-25970E7E6C72}
    C:\Users\randy\AppData\Local\{2D6C3CBD-7D19-4DE8-A2A3-2E72D60CDB74}
    C:\Users\randy\AppData\Local\{2FC3C761-D34C-4E31-A1C5-6EDE6172376D}
    C:\Users\randy\AppData\Local\{317AD893-E686-416A-A7C5-0F229333BBEB}
    C:\Users\randy\AppData\Local\{32109D26-10EA-4985-B085-667E574BF7DE}
    C:\Users\randy\AppData\Local\{36C3DAC3-0F6F-4A45-A831-8BF6C4A5290D}
    C:\Users\randy\AppData\Local\{411F6083-DF7B-4421-BB8E-024CC5246E1D}
    C:\Users\randy\AppData\Local\{41F8BD11-B617-4AD8-BB5F-0D9A6E1467C5}
    C:\Users\randy\AppData\Local\{59137C00-D27E-4B4A-8921-D52D05B3C2ED}
    C:\Users\randy\AppData\Local\{5A8198A0-D074-4172-8DB0-DB8E0DC63722}
    C:\Users\randy\AppData\Local\{5B3CECC4-3497-4003-BAF4-0DFCBBED60A3}
    C:\Users\randy\AppData\Local\{5BB9BC14-F97E-4B81-8FCC-D7C0E84B5580}
    C:\Users\randy\AppData\Local\{63FB5219-55D8-4D9F-B8A9-3F2627C7B7F6}
    C:\Users\randy\AppData\Local\{692AFEC1-7A00-462F-A162-55804F844A23}
    C:\Users\randy\AppData\Local\{7E0B1F27-229A-4F45-8220-53804959A66D}
    C:\Users\randy\AppData\Local\{80E2FD1A-BB6D-4F71-B723-40FAA5DC8D55}
    C:\Users\randy\AppData\Local\{83B6A531-DFA9-4BEA-A537-A6E8FF781A48}
    C:\Users\randy\AppData\Local\{84A2F971-7783-4DB1-98AA-ACAA33322393}
    C:\Users\randy\AppData\Local\{8B24EAE0-EBFC-4994-A367-F023F08CE913}
    C:\Users\randy\AppData\Local\{8DC15BF3-34DF-4767-B9EE-8E7CDC4E0C5D}
    C:\Users\randy\AppData\Local\{8FED1898-FBDA-4C23-8F89-507D4BEF8A1E}
    C:\Users\randy\AppData\Local\{90C74288-518C-4EA3-9B38-7E969760531E}
    C:\Users\randy\AppData\Local\{9182B7ED-BD4F-4321-B87A-6792AABE7DF3}
    C:\Users\randy\AppData\Local\{991E8291-CC25-45F1-9445-A146C9146BEE}
    C:\Users\randy\AppData\Local\{A06FF02B-537F-45ED-AB09-23F9E5F299E7}
    C:\Users\randy\AppData\Local\{A286E2C2-B8D3-45C7-8D93-7DB3A606A170}
    C:\Users\randy\AppData\Local\{A3400EAD-3019-4D91-8407-4C746E49AFE9}
    C:\Users\randy\AppData\Local\{A83E4C7E-B79E-4EE3-B746-BE10ACD449C3}
    C:\Users\randy\AppData\Local\{A8F40F2D-C5CB-4D70-B1DE-093D5E91A338}
    C:\Users\randy\AppData\Local\{AECEFB9B-4488-42DF-B21B-AE1417626DEA}
    C:\Users\randy\AppData\Local\{AF42121E-050E-4D68-9F5B-C1E52E89C46D}
    C:\Users\randy\AppData\Local\{B27D9424-BEBC-4904-8148-6164AF04A1DD}
    C:\Users\randy\AppData\Local\{B41FBC74-2EAE-4898-8079-C96A5C3F215A}
    C:\Users\randy\AppData\Local\{B49CB506-3522-4996-9F9B-460F29ACA3CE}
    C:\Users\randy\AppData\Local\{B7B88EB0-62B2-4FE0-998F-F646AFB0CB3A}
    C:\Users\randy\AppData\Local\{B9BF6538-9D90-467F-9EC2-F0648E0341D2}
    C:\Users\randy\AppData\Local\{BE9C93E5-BB62-4C5F-89F2-1ACB429A0CD1}
    C:\Users\randy\AppData\Local\{BEBCEC33-B527-4608-97CE-5A6889D07FDF}
    C:\Users\randy\AppData\Local\{C57E861D-560C-4B69-AAAF-B351CE9E6812}
    C:\Users\randy\AppData\Local\{CCC277D8-0841-4343-99CE-058DCB152D81}
    C:\Users\randy\AppData\Local\{CD4968F2-CC39-40E6-AC17-111D6DAEDF86}
    C:\Users\randy\AppData\Local\{D38A0798-EF5F-4D36-801B-69CC70A9837E}
    C:\Users\randy\AppData\Local\{D9242510-3990-45DD-B5B3-05179360E303}
    C:\Users\randy\AppData\Local\{DA645CE8-FEFD-495F-BC9D-0AA02E3FF9CF}
    C:\Users\randy\AppData\Local\{DB806BB4-6B3B-4DF7-B904-150BA4D6BED4}
    C:\Users\randy\AppData\Local\{DE698BB2-EC72-490D-ACAD-D9ED7C328A19}
    C:\Users\randy\AppData\Local\{E32E9C76-8E44-4819-A0D1-7C3C6777C522}
    C:\Users\randy\AppData\Local\{E3677DE2-534A-4A17-AF51-EE3D85C15C69}
    C:\Users\randy\AppData\Local\{E51D15A9-E3F4-4D66-8087-500E8D713C77}
    C:\Users\randy\AppData\Local\{F1C7D5C0-5C3F-4CCD-B637-F457F4B1FBDD}
    C:\Users\randy\AppData\Local\{F2EA59E3-BEA8-409B-8048-3DADF4C348A0}
    C:\Users\randy\AppData\Local\{F634D99F-09C0-43A7-BC25-7203A3CD1D9E}
    C:\Users\randy\AppData\Local\{FD4DBE1A-FEE4-4A42-B4D1-4E8BE90FBD71}
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8,
       7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=hex:51,66,7a,6c,4c,1d,38,12,11,7f,11,
       d0,78,5b,08,05,de,bb,01,03,dd,4c,30,54
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=hex:51,66,7a,6c,4c,1d,38,12,5c,be,8a,
       eb,c9,8f,bc,54,f6,39,43,d0,22,43,0b,9c
    "{D7E97865-918F-41E4-9CD0-25AB1C574CE8}"=hex:51,66,7a,6c,4c,1d,38,12,0b,7b,fa,
       d3,bd,df,8a,04,e3,c6,66,eb,19,09,08,fc
    "{4B3803EA-5230-4DC3-A7FC-33638F3D3542}"=hex:51,66,7a,6c,4c,1d,38,12,84,00,2b,
       4f,02,1c,ad,08,d8,ea,70,23,8a,63,71,56
    "{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"=hex:51,66,7a,6c,4c,1d,38,12,c4,f1,d4,
       8c,0d,b7,42,06,f0,18,f4,98,5c,39,e1,33
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"=hex:51,66,7a,6c,4c,1d,38,12,7b,ba,ea,
       34,67,f9,48,0d,fd,1d,4b,bb,a3,e3,60,89
    "{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
       89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
       27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
    "{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
       06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
    "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
       1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
    "{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}"=hex:51,66,7a,6c,4c,1d,38,12,9e,08,a1,
       18,9c,f5,c9,05,ec,e2,27,75,fa,63,40,05
    "{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39,
       64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c
    "{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,
       69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18
    "{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
       76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
       94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
    "{9FDDE16B-836F-4806-AB1F-1455CBEFF289}"=hex:51,66,7a,6c,4c,1d,38,12,05,e2,ce,
       9b,5d,cd,68,0d,d4,09,57,15,ce,b1,b6,9d
    "{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
       ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
    "{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
       b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
    "{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
       d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
    "{D3D233D5-9F6D-436C-B6C7-E63F77503B30}"=hex:51,66,7a,6c,4c,1d,38,12,bb,30,c1,
       d7,5f,d1,02,06,c9,d1,a5,7f,72,0e,7f,24
    "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
       df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
    "{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}"=hex:51,66,7a,6c,4c,1d,38,12,cf,4e,be,
       f9,90,2f,b6,0a,e3,01,c5,b7,a9,7a,14,95
    .
    [HKEY_USERS\S-1-5-21-2540303654-3729224824-1869506403-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.Email.1"
    .
    [HKEY_USERS\S-1-5-21-2540303654-3729224824-1869506403-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.VCard.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    Registry::
    [-HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
    [-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    [-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
    [-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    "{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"=-
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [-HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
    [-HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Spyware Doctor"=-
    "uTorrent"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{DAB20352-610E-4FAB-AC86-9C7018B0F3ED}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{DAB20352-610E-4FAB-AC86-9C7018B0F3ED}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]
    Rootkit::
    C:\Windows\system32\ST0735yO.com.b
    C:\Windows\SysWOW64\ST0735yO.com.b
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now install the current version of Sun Java from: jre-7u2-windows-x64.exe

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Do you notice any missing start menu/quick launch/desktop shortcuts?
    Also let me know how the PC is running after completing the above steps.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Neither of these are installed. Nor are they running. You cannot use those lines from ComboFix to decide what is running or installed.
     
  11. Wharf_Rat

    Wharf_Rat Private E-2

    Thanks so much. I really appreciate all this help! Attached are all the logs requested in the above post.

    No missing start menu/quick launch/desktop shortcuts.

    PC seems to be running smooth and quick.

    I still get the "The vpn client was unable to setup IP filtering. vpn connection will not be established" message when trying to connect to a VPN using Cisco. When I click on the Cisco VPN adapter settings, the IP address, subnet mask and default gateway fields are all blank.

    Also on my desktop, there are grayed out icons with the names "desktop.ini" and "dywaqygfnc.tmp". What should I do with those?
     


    Last edited: Dec 17, 2011
  12. Wharf_Rat

    Wharf_Rat Private E-2

    Attached are the logs requested in the above post
     


  13. thisisu

    thisisu Malware Consultant

    You're welcome. We are making progress but we are not completely finished yet. Hopefully this one finishes them off. ;)

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    Driver::
    hlsfswtk
    xceuca
    File::
    c:\windows\system32\drivers\ingkoct.sys
    c:\windows\system32\drivers\ccody.sys
    C:\Windows\system32\ST0735yO.com.b
    C:\Windows\SysWOW64\ST0735yO.com.b
    C:\Users\randy\Desktop\dywaqygfnc.tmp
    FileLook::
    c:\windows\system32\EncDec.dll
    c:\windows\SysWow64\EncDec.dll
    Registry::
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}]
    SecCenter::
    AV: Microsoft Security Essentials *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
    AV: Norton Internet Security *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    SP: Microsoft Security Essentials *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
    SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Code:
          Size  Device Name          MBR Status
      --------------------------------------------
        698 GB  \\.\PhysicalDrive0   RE: Unknown MBR code
                SHA1: 901F6F830448146C2BC780BCF6FE4627A5752BC1
    
    
    Found non-standard or infected MBR.
    
    System Manufacturer	Hewlett-Packard	
    System Model	HP Pavilion P6000 Series
    Most likely this is not a problem since you say things are running smoothly and because of this PC brand.

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  14. Wharf_Rat

    Wharf_Rat Private E-2

    Also, still when I try to connect through Cisco, I get the message "The vpn client was unable to setup IP filtering. vpn connection will not be established"

    The IP address/subnet mask/default gateway fields are blank in the Cisco client adapter in Network Connections.

    Also, there are 2 grayed out desktop icons named "desktop.ini" and "dywaqygfnc.tmp". What should I do with these?
     


  15. thisisu

    thisisu Malware Consultant

    Desktop.ini in this location is not a problem. The above fix will remove dywaqygfnc.tmp which is a malware trace.

    Complete my above fix first and then we will address any remaining issues including your VPN client.
     
  16. Wharf_Rat

    Wharf_Rat Private E-2

    Logs are attached. Thanks
     


  17. thisisu

    thisisu Malware Consultant

    Good news, your logs are now clean. Are you still having trouble with VPN?
     
  18. thisisu

    thisisu Malware Consultant

    What happens when you open an elevated Command Prompt window and type in the following command and press ENTER?
    • net start vpnva
     
  19. Wharf_Rat

    Wharf_Rat Private E-2

    Thanks!! You guys are the best.

    Unfortunately the VPN still doesn't work though.

    When I type in the above command prompt it says "system error 1058 occured" and "The service could not be started because it is disabled or has no enabled devices associated with it"

    I then tried to enable the Cisco driver through Network Connections, and then typed in the above command, and it said "the requested service has already been started"
     
  20. thisisu

    thisisu Malware Consultant

    Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:

    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List IP configuration
    • List Winsock Entries
    • List Devices -> All
    • List last 10 Event Viewer log
    Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.
     
  21. Wharf_Rat

    Wharf_Rat Private E-2

    Minitoolbox log attached.
     


  22. thisisu

    thisisu Malware Consultant

    From Network Connections (via Control Panel), locate:
    • Wireless LAN adapter Wireless Network Connection 2
    Right-mouse click it once -> Repair
     
  23. Wharf_Rat

    Wharf_Rat Private E-2

    When I right click on the Wireless Network Connection 2 in Network and Internet > Network Connections, it only gives me the options of: disable, rename, or properties. I do not see a repair feature anywhere.
     
  24. thisisu

    thisisu Malware Consultant

    Can you screenshot this?
    You can press the Print Screen key on your keyboard to copy your screen to the clipboard. Then open MS Paint and paste -> Save then upload the attachment here.
     
  25. Wharf_Rat

    Wharf_Rat Private E-2

    OK. Screenshot attached.
     


  26. thisisu

    thisisu Malware Consultant

    My fault, for some reason I thought you were on Windows XP.

    Have you already tried uninstalling and reinstalling Cisco AnyConnect VPN Client?

    The errors appear to be related to the actual software, not the driver.

    Source: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/user/messages/ac25-vpn-user-msgs.html
     
    Last edited: Dec 17, 2011
  27. Wharf_Rat

    Wharf_Rat Private E-2

    Yes, I just tried uninstalling and reinstalling Cisco. I'm still getting the same error message as in the post below.

    However, when I go network connections, there is still the red "X" on the wireless network connection 2 icon.

    Before I came to this forum, i was in the network connections area, and somewhere along the way, there is a "repair" option for the drivers, as you stated in your previous post, but I have no idea where I found it, or what area of network connections I was in when i came across it.

    Also, when I double click on the Wireless Network Connection 2 icon, it brings me to the "properties" area of the driver. Then there are options to click on numerous fields, such as TCP/IPv4 or TCP/IPv6, and when I double click on the TCP/IPv4 option, there is no IP address/server listed (screenshot "2" attached).

    Also, when I double click on the cisco vpn driver icon, both options say "no network access" (screenshot "3" attached).

    Could it be a setting in the registry for the drivers that possibly got changed by the malware/virus or deleted/erased/changed by ComboFix?

    Thanks
     


  28. Wharf_Rat

    Wharf_Rat Private E-2

    Also, does the report from MiniToolBox pull the IP address info from the registry?

    I'm only asking because after I ran ComboFix (before I came to this forum), I was trying to fix the IP address settings in the registry, as Cisco never connected properly after running ComboFix for the first time, and I am wondering if I put the wrong IP address in by mistake or possibly put it into the wrong registry setting?

    Is there any way to run some type of report that will pull my "true" IP address, default gateway info, and subnet mask info and then go into the registry settings and fix it if need be?
     
  29. thisisu

    thisisu Malware Consultant

    For Windows 7 I believe this is renamed to "Diagnose", which, according to your screenshot, is grayed out. That makes me believe it is a driver problem with "Wireless LAN adapter Wireless Network Connection 2".

    The driver for this is "Microsoft Virtual WiFi Miniport Adapter".

    First check Device Manager ( Start -> run -> devmgmt.msc )

    Let me know if you have Microsoft Virtual WiFi Miniport Adapter listed in the "Network adapters" section. Also check for missing/disabled/corrupt drivers; they will have a red X or yellow ? symbol near them.

    Code:
    Wireless LAN adapter Wireless Network Connection 2:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Could be, and ComboFix will typically back up your TCP/IP settings before it scans.
    It is in your logs here: C:\QooBox\Quarantine\Registry_backups\tcpip.reg

    In theory you can double-click this and merge it into your registry, and it should restore your previous TCP/IP settings from BEFORE you ran ComboFix. I honestly have never done this and would recommend that you make another backup of your registry beforehand if you want to try this.

    Backup Your Registry with ERUNT

    • Please download ERUNT
    • Run the setup program to install ERUNT on your computer
    • Click Erunt.exe to back up your registry to the folder of your choice.

    Note: to restore your registry, go to the folder and start ERDNT.exe

    Then you can try that if you'd like.
     
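    An added example, not from this thread and not part of ComboFix or ERUNT: a small Python script that diffs the tcpip.reg backup ComboFix leaves in C:\QooBox\Quarantine\Registry_backups against a fresh `reg export` of the current Tcpip\Parameters key, so you can see exactly which values (DHCP flag, address, gateway) would change before you merge the backup. The two sample exports and the interface GUID in them are constructed.

```python
# Diff two .reg exports of HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
# In practice: backup = ComboFix's tcpip.reg, current = output of
#   reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters current.reg
TCPIP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
# Constructed interface GUID (real ones are per-adapter, e.g. the Virtual WiFi Miniport).
IFACE = TCPIP_KEY + r"\Interfaces\{00000000-EXAMPLE-GUID-000000000000}"

# Constructed sample exports (not real files). The REG_MULTI_SZ gateway is
# exported as hex(7) and wrapped with a trailing backslash, as regedit does.
BACKUP_REG = f"""Windows Registry Editor Version 5.00

[{IFACE}]
"EnableDHCP"=dword:00000001
"DhcpIPAddress"="192.168.1.23"
"DhcpSubnetMask"="255.255.255.0"
"DhcpDefaultGateway"=hex(7):31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,\\
  31,00,2e,00,31,00,00,00,00,00
"""
CURRENT_REG = f"""Windows Registry Editor Version 5.00

[{IFACE}]
"EnableDHCP"=dword:00000000
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="255.255.255.0"
"""

def parse_reg(text):
    """Return {key: {value_name: raw_data}} from a .reg export, joining '\\'-continued lines."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # hex data wrapped onto the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            keys[current][name] = data
    return keys

def diff_tcpip(backup_text, current_text):
    """Values under the Tcpip\\Parameters key that differ: (key, name, backup, current); None = absent."""
    old, new = parse_reg(backup_text), parse_reg(current_text)
    diffs = []
    for key in sorted(k for k in set(old) | set(new) if k.startswith(TCPIP_KEY)):
        for name in sorted(set(old.get(key, {})) | set(new.get(key, {}))):
            before, after = old.get(key, {}).get(name), new.get(key, {}).get(name)
            if before != after:
                diffs.append((key, name, before, after))
    return diffs

if __name__ == "__main__":
    for key, name, before, after in diff_tcpip(BACKUP_REG, CURRENT_REG):
        print(f"{name}: backup={before!r} current={after!r}")
```

    Review the reported differences before merging: the backup only helps if the values it restores are the ones the adapter actually had while the VPN worked.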
  30. Wharf_Rat

    Wharf_Rat Private E-2

    Yes, Microsoft Virtual WiFi Miniport Adapter is listed in the "Network adapters" section. There are no red X's or yellow ? symbols indicating missing/disabled/corrupt drivers.

    I ran ERUNT and backed up my registry.

    I would like to try to merge the initial TCP/IP settings from before ComboFix ran, as long as there is no chance of it restoring the malware.

    How do I merge them?
     
  31. Wharf_Rat

    Wharf_Rat Private E-2

    Yes, there is actually a red "X" next to the wireless network connection 2 driver icon in network settings.

    When I opened up the file from the ComboFix folder, it automatically merged into the registry; I rebooted, and it still seems to be having the same issue.

    Although, which ComboFix backup would that be from? Is there any way you can look at the ComboFix log attached to my first post in this thread and help me find the backup on my computer so I can merge that with the registry? I'm assuming the ComboFix backup I merged with the registry is from the most recent time I ran ComboFix, which still would have been when the VPN was not working correctly.
     
    Last edited: Dec 18, 2011
  32. thisisu

    thisisu Malware Consultant

    Good to know
    We can try.

    Download SystemLook from one of the links below and save it to your desktop.
    Download Mirror #1
    Download Mirror #2

    If you have a 64-bit system, please download the 64 bit version from here:
    SystemLook (64-bit)

    • Double-click SystemLook.exe to run it.
    • Copy and Paste the content of the following code box into the main text-field:
    Code:
    :dir
    C:\WINDOWS\ERDNT /s
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
    • Attach that file to your next message. (How to attach)
     
  33. Wharf_Rat

    Wharf_Rat Private E-2

    Attached is a copy of the quarantined folder. Would restoring any of these files be helpful to change the registry settings back? I originally ran ComboFix on 12/11; the most recent backup is from 12/17, which is when the VPN was still not working correctly.
     

    Attached Files:

  34. Wharf_Rat

    Wharf_Rat Private E-2

    SystemLook report attached.
     

    Attached Files:

  35. thisisu

    thisisu Malware Consultant

    I am running short on ideas here. Pretty much my last suggestion would be to try to restore the registry from the 11th of December.

    To do this you would need to navigate to this folder:

    C:\WINDOWS\ERDNT\Hiv-backup
    • from here launch ERDNT.EXE
    • Leave the checkmarks defaulted and press OK to begin.
    • You will have to reboot afterwards.

    If the VPN was working on the 11th of December before you ran ComboFix, this once again, in theory, should work IF IT IS A REGISTRY PROBLEM.

    Otherwise, I think you would be better off seeking additional help in the Software or Networking forums.
     
  36. Wharf_Rat

    Wharf_Rat Private E-2

    Ok. I will try that. Thanks for all the help. If I try your final idea and it doesn't work, can you move this thread into the networking forum, so all the info is there and I do not have to start a new thread?

    I will let you know the outcome. Thanks again!
     
  37. Wharf_Rat

    Wharf_Rat Private E-2

    Ok, unfortunately that didn't work. It looks like the most recent backup is from 12/17/11, not 12/11/11. I did run ComboFix again on 12/17/11, to remove the malware, as recommended in this thread. It must have deleted the original backup from 12/11 and recreated the 12/17/11 backup, which appears to now be the only backup.

    Upon rebooting (after restoring from the 12/17/11 registry backup), my network connection did not work at all; I got an error message saying there was not a valid IP address, and the troubleshooter fixed wireless network connection 1, but there is now a red "X" next to wireless connection 2, and in network/connections it says there is no connection for wireless network connection 2.

    I did back up again using ERUNT after the reboot and automatic troubleshooting fix, in order to save those settings.

    If you could move this thread to the networking forum, I would appreciate it. Thanks again for all your help!
     
  38. thisisu

    thisisu Malware Consultant

