Windows 7 Int Sec 2012

Running Win7 x64

Pretty sure this popped when I went to run

Carried on through the Run Me's and Read Me's and I think I may be in the clear mostly.

I'm having issues with certain services - some that I'm trying to install, other's that were removed and can't be restored, etc.

One - BFE, Base Filtering Service.
Two - ESET, can kind of push this out of the list via the registry, but it's being a bear.

Windows Explorer crashes regularly on each boot. Just once, just the first time. I haven't tried simply logging off and on yet, it doesn't seem relevant yet.

Ran ComboFix, MBAM, SuperAntiSpyware finished a quick scan but the complete halted. Various related logs are attached per request. Adding one more for MBRCheck as well. MBAM was run twice, so there are two logs.

I don't have my ComboFix log anymore unfortunately. I didn't think I'd be having any residual issues, didn't think I'd even have to consult anyone, so I've already gone and uninstalled ComboFix. If you need me to, I'll gladly run it again so I can attach it.

Thanks,
B

 

Alright!

Ran TDSSKiller, no issues to note there (per the app at least) Log's attached.

As for the four files you questioned. I don't recognize them, and I don't have any particular affections for them. So, with someone's blessing, I'll gladly kill them.

As for the MBR issues, I don't think that my rollout is anything terribly unique. The one that notes "MBR Code Faked" is pretty generic. How can I get a little more in-depth info on this issue?
The drive's root contents are:
1) $RECYCLE.BIN
2) Movies
3) System Volume Information (Hidden directory that's non-navigable)

B

 

Things seem alright now, I guess.

I'm still missing the Base Filtering service, but we'll see if I can do a repair or an in-place upgrade to rectify that.

Things feel better now, though. I've attached the logs so ya'll can give me your take. I would say that I'm a little confused as to why MSE and Comodo still prompt when I ran ComboFix and appear in the report. They're both removed and MSE was purged, I though, using a MS FixIt utility. That's no issue, though. I do wonder if ESET is going to spaz when I go to install it if those registry entries are still present.

 

Deleted the four files. I do have my boot CD. Does it present an issue if SP1 has been installed but my boot disc doesn't have it?

B

 

And here comes the latest batch of logs.

For the MBR issues, should I check things like Disk Management or gpartd or anything like that for signs of false partitions?

B

 

Curiosity -

Do we have any guesses at this point what file may have had the rootkit with it at this point? Any of the logs show something like that?

 

Hello bigongst,

I will help you with your remaining malware problems as chaslang has been very busy.

I've checked, there isn't one that needs to be deleted according to your logs.


From Programs and Features (via Control Panel), please uninstall the below:

• HijackThis 1.99.1
• Java(TM) 6 Update 27 (64-bit)
• Java(TM) 7

Fixing items using ComboFix
Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
If it is not on your desktop, the below will not work.
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

[COLOR=darkred]KillAll::[/COLOR]
[COLOR=darkred]ClearJavaCache::[/COLOR]
[COLOR=darkred]DirLook::[/COLOR]
C:\Users\Benji\AppData\Local\SKIDROW
[COLOR=darkred]Driver::[/COLOR]
aqngtfbe
[COLOR=darkred]File::[/COLOR]
c:\windows\system32\drivers\aqngtfbe.sys
[COLOR=darkred][/COLOR] 
[COLOR=darkred]Folder::[/COLOR]
C:\Users\Benji\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[COLOR=darkred]RegLock::[/COLOR]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\09\05\10\17\16\11?"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
[COLOR=darkred]RegLockDel::[/COLOR]
[HKEY_USERS\S-1-5-21-3821064674-1206271528-59661261-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*ŽJj2C^*€=.]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3821064674-1206271528-59661261-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*ŽJj2C^*€=.\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"

Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.

This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach this log to your next message. (How to attach)

Code:

    465 GB  \\.\PhysicalDrive5   MBR Code Faked!
            SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
 
Drive    O:    
Description    Local Fixed Disk    
Compressed    No    
File System    NTFS    
Size    465.76 GB (500,105,216,000 bytes)    
Free Space    49.27 GB (52,898,246,656 bytes)    
Volume Name    Benji_Ext2    
Volume Serial Number    B8790690

Are you having problems with the PC when the above external drive is NOT connected to your PC?

Now install the current version of Sun Java from: jre-7u2-windows-x64.exe


Now download the latest MGtools.exe to the root of your c: drive.

• Replace your existing MGtools.exe with this one.
• Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
• When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

 

Sounds good.
Done and attached.
I used to. At boot the drive would refuse to spin up and if I didn't pull the USB cord, boot just hanged. This is well before the virus and all and I kind of just chalked it up to mediocre product. I'm going to spend the rest of tonight with the drive unmounted and see if I have any grief.

Also done.
Attached! I did get the

Code:

SteelWerX WhoAmI application has stopped working

error message. Followed the instructions, didn't hit cancel - waited for Close Program.

Remaining issues may be present in the logs. In addition to any evidence found there, I've read a lot about others having issues with their Security Center services or BFE or any of a few others and I'm not sure that I've seen any perfect resolutions yet. BFE is still not present in my service listings, though bfe.dll appears to be present everywhere it should be. IPsec Policy Agent & IKE and AuthIP IPSec Keyring Modules also appear to have issues.

Thanks again to you and chaslang for all of your help so far.

B

 

Retry attaching the logs. They are not in your message.

 

Sorry, friend.

B

 

No big deal

Backup Your Registry with ERUNT

• Please download Erunt
• Run the setup program to install ERUNT on your computer

Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Download Windows Repair by Tweaking.com

• Go to Start Repairs tab.
• Choose "Custom Mode" and press "Start".
• Create a System Restore point if prompted.
• In the Custom Mode window, select the following repair options:
  • Reset Registry Permissions
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• If asked to reboot the computer for the changes to take affect, make sure other tasks in the program still are not running before accepting to restart.

Please download MiniRegTool.zip and unzip it.

• Run the tool.
• Copy and paste the following into the edit box:
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSDRV\0000
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpsdrv
  

• Check List Permissions radio button.
• Press Go button and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.

 

Here go. Windows Repair was a little tough to keep up with, but I feel like I saw it spit out an error or two. Nothing fatal, clearly.

Attached is my MiniReg log.

Thanks,
B

 

Good job.

According to this log we are ready to patch the registry and hopefully the Firewall will be on whenever you reboot.

Now open the following folder: C:\MGtools
Locate FixWFW.bat and right-mouse click it once, and then choose "Run as Administrator" from the side menu that appears.
It won't take long to run. Give it about 10 seconds and then reboot your PC. Let me know if the Windows Firewall is now on when you are back in Windows.

 

My oh my, that worked perfectly. Looks like all three of my issue services are running just fine now. Windows Firewall is up and running as is PeerBlock which was the one that actually alerted me to the missing services.

So, a little background really quick. I kind of ran into this virus because I had a small gap in protection because after removing MS Sec Essentials + Comodo Firewall I tried to install ESET Smart Security 5+ and the install failed everytime.

I /think/ that was because MSE and Comodo still had entries in the registry, but... Do you have any resources that could help me find those registry entries again in the future if I have trouble? Or do any of the *.bat files in MGTools help purge things from the Security Center?

Outside of that, what's up next?

Thanks,
B

 

Rerun c:\MGtools\GetLogs.bat and attach the latest MGlogs.zip for review.

If you are wanting to purge the security center WMI traces of previously installed Antivirus software; complete the below:

Download Windows Repair by Tweaking.com

• Go to Start Repairs tab.
• Choose "Custom Mode" and press "Start".
• Create a System Restore point if prompted.
• In the Custom Mode window, select the following repair options:
  • Repair WMI
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• If asked to reboot the computer for the changes to take affect, make sure other tasks in the program still are not running before accepting to restart.

 

Here go. And thanks for the instructions. Is that safe to use in conjunction with a force-able uninstall tool if the manufacturer provides one if/when I have a PC that has a AV uninstall take a dump and not purge itself completely?

Thanks.

 

Repair WMI basically clears and rebuilds the cache of previous Security Programs that were detected in the Windows Security Center.

It won't remove drivers, services, files, or folders of the security programs. That is what their custom "Removal / Uninstall Tool" is supposed to do. But even some of those do not do the job very well when it comes to certain security programs.

Code:

    465 GB  \\.\PhysicalDrive5   [B][COLOR="Red"]MBR Code Faked![/COLOR][/B]
            SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

22:38:20.0191 5600	Boot (0x1200)   (5903ad2cda5b061a2d8b979428fa0ee4) \Device\Harddisk5\DR5\Partition0
22:38:20.0191 5600	\Device\Harddisk5\DR5\Partition0 - [B][COLOR="DarkGreen"]ok[/COLOR][/B]

Answer the following questions

• How is the PC running without this drive attached?
• How does the PC run with this drive attached?

The rest of your logs are clean.

 

This is an external USB hdd. PC won't post if the drive is present. If you remove it, after a few seconds it'll post and then follow boot. Once you hit the desktop, if you plug it back in, it takes maybe 8 minutes for the drive to become available. As far as what life is like with the drive present, I can't honestly say I really notice anything when I'm in Windows and the same goes for when the drive isn't present.

B

 

I would experiment with how the PC runs with and without the external drive over the next few days. We may end up needing to put a clean MBR on it but if you are not experiencing any problems, wait for a bit as recommended and then you can complete the following steps:

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!