Desktop.ini and ComboFix

[INeedHelp.]

Hello, a few days ago Trend Micro detected a virus located in C:\windows\assembly\GAC_32\Desktop.ini
I have tried so many things, but I can not remove it in any way, it redirects my web pages and causes my computer to freeze.
I tried reading other threads about this problem and I read about ComboFix, but I am not an expert and I don't want to do more damage by running it, can someone please help me?

[Kestrel13!]

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run


Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

Now do not stop, please continue on with the below instructions too!
v
V
V
V
READ & RUN ME FIRST. Malware Removal Guide

[INeedHelp.]

Here are the report and the log.

[Kestrel13!]

Did you miss this???

Quote:

Now do not stop, please continue on with the below instructions too!

[INeedHelp.]

No, but it took me ages to follow all the steps because my computer keeps freezing. I did everything, but ComboFix only does the extraction and does not run and RootRepeal says "Error - RootRepeal does not support 64-bit OSs!"
Also Trend Micro stopped working, it says "starting your protection", but it doesn't start even if I wait for a long time.

[Kestrel13!]

Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

• cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
• nwktst<-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
• GRK64 <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
• SN64 <-- this will try to run all another scan from MGtools. Tell me what error messages, if any, you see.

Download OTL to your desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Attach both of these logs into your next reply.

[INeedHelp.]

nwktst it said "the ordinal 1108 could not be located in the dynamic link library WSOCK32.dll"

I didn't get any error messages when i entered the other commands.

OTL only gave me OTL.Txt, I'm attachihng it here.

[Kestrel13!]

Quote:

nwktst it said "the ordinal 1108 could not be located in the dynamic link library WSOCK32.dll" I didn't get any error messages when i entered the other commands.

So did it produce a new MGlogs.zip?

Please uninstall anything relating to Searchqu Toolbar, Paretologic and Bandoo Media if they show.

Please try renaming combofix.exe to b7ytDF.com and boot into safe mode to see if it will run at all.


We need to run an OTL Fix

• Right-click OTL.exe And select " Run as administrator " to run it. If Windows UAC prompts you, please allow it.
• Copy and Paste the following code into the textbox. Do not include the word Code

Code:

Code:

:otl
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=164&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
C:\windows\assembly\GAC_32\Desktop.ini
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=164&systemid=406&sr=0&q={searchTerms}
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll ()
C:\PROGRA~2\WI3C8A~1\Datamngr
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll) - C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll (Bandoo Media, inc)
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll) - C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\datamngr.dll) - C:\PROGRA~2\WI3C8A~1\Datamngr\datamngr.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~2\WI3C8A~1\Datamngr\IEBHO.dll) - C:\PROGRA~2\WI3C8A~1\Datamngr\IEBHO.dll (Bandoo Media, inc)
[2012/06/07 18:00:00 | 000,000,424 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
[2012/06/04 23:01:48 | 000,000,448 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Anti-Virus PLUS.job
[2012/06/11 16:05:36 | 000,076,800 | ---- | C] () -- C:\Windows\Installer\{13851150-6554-632f-43c3-3e704e0e6a72}
@Alternate Data Stream - 135 bytes -> C:\ProgramData\Temp:4CF61E54
@Alternate Data Stream - 133 bytes -> C:\ProgramData\Temp:05EE1EEF
@Alternate Data Stream - 132 bytes -> C:\ProgramData\Temp:2F370DA6
@Alternate Data Stream - 126 bytes -> C:\ProgramData\Temp:115CEE00
@Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:A724744F
@Alternate Data Stream - 121 bytes -> C:\ProgramData\Temp:AB689DEA

:commands
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]

• Then click the Run Fix button at the top.
• Click Image.
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. ATTACH that report in your next reply.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

Quote:

• Startup Repair
• System Restore
• Windows Complete PC Restore
• Windows Memory Diagnostic Tool
• Command Prompt

• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
• Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)

Now run OTL again like you did in my post # 6. Attach the log.

Also now see if you can run MGTools.exe again and see if it will produce a complete MGlogs.zip.

Let me know about Combofix too please.

[INeedHelp.]

No, it did not produce a new MGlogs.zip.

I renamend combofix, but it did only the extraction, even in safe mode.

Here are the OLT report, the FRST log, the OLT log and the MGlogs.zip, MGtools showed me an error message "the ordinal 1108 could not be located in the dynamic link library WSOCK32.dll", but it finished the scan.

[chaslang]

I'll try to keep you moving along while Kestrel13! is not around.

Download this >> fixlist.txt


Save fixlist.txt to your flash drive.

• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows can continue with the below.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

• Fixlog.txt from FRST
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[INeedHelp.]

Here are the files, it's not working properly, trend micro disappeared (?), my desktop is messed up and sometimes it says I can't access my profile when i boot.

[Kestrel13!]

Hopefully you will be able to get through the below. The issues you are having is due to the damage the malware has caused no doubt.


Uninstall the below if you can.

• Java(TM) 6 Update 22
• Java(TM) 6 Update 26

Reboot your machine and install the most current and up to date version of Java available here at the below link:

Java Runtime 6


Now Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

Run FRST again like you did in my post #8. Attach the log from doing so.

Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!

[chaslang]

Note that none of the below are problems and do not need to be fix. INeedHelp. has this software installed.

Quote:

Originally Posted by Kestrel13!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.autocompletepro.com/?si=10203&bi=400
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.autocompletepro.com/?si=10203&bi=400
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.autocompletepro.com/?si=10203&bi=400
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://search.autocompletepro.com/?si=10203&bi=400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421;<local>
O20 - AppInit_DLLs: c:\progra~2\wi3c8a~1\datamngr\datamngr.dll

In fact after a more detailed look... nothing in this last fix other than the Java update and the below needs to be performed.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421;<local>
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

[Kestrel13!]

@Chas. Sorry. I was under the impression that searchautocomplete.com was a dodgy website, and also that datamngr.dll related to searchqu stuff as I swore I saw that in one of the logs.

Quote:

In fact after a more detailed look... nothing in this last fix other than the Java update and the below needs to be performed.

I would love to see the new log from FRST when the user attaches it after running again. There is still malware here. Possibly.

[chaslang]

Quote:

Originally Posted by INeedHelp.

Here are the files, it's not working properly,

Please explain what you mean.

Quote:

Originally Posted by INeedHelp.

trend micro disappeared (?)

It was not installed when you posted your first logs. You will have to install it if you use it.

[thisisu]

Just FYI that proxy is part of the Akamai software that is installed.

[Kestrel13!]

I'm just going to check new FRST log and new MGlogs.zip if that's okay with everyone.

[chaslang]

Quote:

Originally Posted by Kestrel13!

I'm just going to check new FRST log and new MGlogs.zip if that's okay with everyone.

Yep.

[INeedHelp.]

Chaslang i'll try to install trend micro again, but I do get an icon saying "starting your protection" and the control panel shows that it's installed...

Kestrel13! I attached the logs.

It looks like it's working ok now. It does not freeze and I don't have any problems accessing my pprofile when I boot.

Silly question (probably) ^^' "The 'Java8tm) Plug-In SSV Helper' add-on from 'Sun Microsystems, Inc.' is ready for use." Should I enable it?

[Kestrel13!]

Hi there.

Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode


Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

• R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.autocompletepro.com/?si=10203&bi=400
• R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.autocompletepro.com/?si=10203&bi=400
• R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.autocompletepro.com/?si=10203&bi=400
• R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://search.autocompletepro.com/?si=10203&bi=400
• O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
• O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
• O20 - AppInit_DLLs: c:\progra~2\wi3c8a~1\datamngr\datamngr.dll

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix exit HJT.


Please note, the 020 line relates to imesh, which is not installed on your computer right now. Was it something you once had installed knowingly?


Please download Combofix as per the instructions in the Read and Run Me First procedures, to your desktop.

Now we need to use ComboFix by sUBs

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

File::
c:\progra~2\wi3c8a~1\datamngr\datamngr.dll
Folder::
c:\progra~2\wi3c8a~1
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Please note, the use of keygens, torrents, and "cracks" is an open doorway for malware to come straight through...