Locked out of universities network, still have some bad malware problems, please help

Re: Locked out of universities network, still have some bad malware problems, please

Hi there and welcome.

We have a file we need to restore afterwards and some remnants of symantec to remove but first we have more pressing matters:

Please try not to reboot the machine or turn it off whilst we work through the below:

1. Please go to add/remove programs and uninstall the following software which is out of date and rather useless.

• Ad-Aware 2007

2. Tidy up!
C:\Documents and Settings\Administrator\Desktop

I strongly advise you to cleanup your Desktop. Remove eveything but links to run programs. Do not download and save programs here and defintely do not use it for long term storage.

You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.


3. Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

File::
C:\WINDOWS\Temp\$$$dq3e
C:\WINDOWS\Temp\$67we.$
C:\Documents and Settings\Administrator\Desktop\livlvhjhvkjckjvboobooo.html
C:\Documents and Settings\Administrator\Local Settings\temp\STS7.tmp
C:\Documents and Settings\Administrator\Local Settings\temp\MAR5.tmp
c:\windows\system32\musowewo.dll
c:\windows\system32\pefuwiwi.dll
c:\windows\system32\diwikewo.dll

Folder::
C:\WINDOWS\Temp\xsw2
C:\WINDOWS\Temp\PDFC
c:\documents and settings\All Users\Application Data\Viewpoint

DirLook::
c:\program files\oiidri
c:\program files\jcsrly

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"00b2bd65"=-
pagasadasa"=-
"CPM03818ef9"=-

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

4. Delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

5. Now run Radix:

Using Radix To Detect Rootkits

6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix and the log.txt from Radix.

7. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Thanks
Kes13!

 

Re: Locked out of universities network, still have some bad malware problems, please

Explain. What windows popped up?

Your MGlogs.zip is incomplete so I can see you had some trouble, please refer to this section for any error messages. I cannot verify that the files are wanted dead are indeed desd without seeing complete logs from you.

Using MGTools (scroll down to error messages)

So combofix warned you that you have a rootkit? Let's do this and see how your PC behaves:

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

Fcopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"00b2bd65"=-
pagasadasa"=-
"CPM03818ef9"=- 

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now let's get rid of Norton completely because having this floating around still whilst you have MCAfee could be causing you even more instability!

Please give the Norton Removal Tool (SymNRT) a run > reboot your machine and then run it again for good measure.

Now, after having referred to the error messages section I linked you to above, I would like for you to do the below and hopefully get us some complete MGlogs.zip.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Re: Locked out of universities network, still have some bad malware problems, please

Are you still with me? You have an MBR infection that we need to fix.

 

Re: Locked out of universities network, still have some bad malware problems, please

We will have you download the combofix beta tomorrow where I will explain more about that and also come up with a fresh fix for you

 

Re: Locked out of universities network, still have some bad malware problems, please

Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

You can read the below to help you do this:

http://support.microsoft.com/kb/307654


After running the fixmbr command and boot back to normal mode, continue with the below.

Now go to this link Using MGTools and download the new version of MGtools.exe using the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

Run the new MGTools.exe and attach the C:\Mglogs.zip that it generates as well as the log from combofix.

 

Re: Locked out of universities network, still have some bad malware problems, please

Hello again.

I need to find out exactly how you are trying to boot to the Recovery Console. Sounds like you are trying to boot Windows. Are you using an original CD? Is it actually booting the CD and how far do you get?

Are you using an installed version of the Recovery Console like from ComboFix? Another method?

Does this only happen when trying to use the Recovery Console?
Thanks
Kes13!

 

Re: Locked out of universities network, still have some bad malware problems, please

Good morning. Take a look at this thread here:
Web browsers/ internet work intermittently
and try what was done in it. The user used the UBCD4win CD.

 

Re: Locked out of universities network, still have some bad malware problems, please

No you haven't...the MBR infection is still there sadly.

 

Re: Locked out of universities network, still have some bad malware problems, please

You need to fix your MBR as we have already pointed out, and because you are having trouble getting into the recovery console I linked you to some other things to try:
Web browsers/ internet work intermittently


and try what was done in it. The user used the UBCD4win CD.

Have you tried any of this yet?

 

Re: Locked out of universities network, still have some bad malware problems, please

Did you notice the 3rd item listed?

 

Re: Locked out of universities network, still have some bad malware problems, please

Then I suggest that you look into making the UBCD4win by borrowing a Windows XP CD from some one and making this CD to see if it will work. If none of these are working then you may have other non-malware issues and may need to reinstall but will have to delete and recreate hard disk partitions to since just doing a format and reinstall will not fix the master boot record.


You will know when you get the infection fixed by looking for the below files. If they are gone, you have gotten the infection removed. These files will keep returning after a reboot until the MBR infection has been fixed.

Code:

"C:\WINDOWS\Temp\"
$$$dq3e       Dec 14 2009        6789  "$$$dq3e"
$67we.$       Dec 14 2009       14419  "$67we.$"
xsw2          Dec 21 2009           4  "xsw2"

 

Re: Locked out of universities network, still have some bad malware problems, please

Quite simply because it cannot. Sorry! That's just the way it is. A better question would be why can't your protection software fix it. They obviously cannot either. In fact the majority of them do not even detect the infection.

PrevX also had at one time stated they could detect and fix the newer forms of these MBR infections ( see: http://www.prevx.com/blog/120/MBR-rootkit-changes-itself-and-strikes-again.html ) Whether they still can remains to be seen since the infection is constantly changing. But you could look into trying PrevX to see if it helps. You could try their tool: Prevx 3.0 Additional MBR infection info from PrevX was published here:http://www.prevx.com/blog/131/MBR-Rootkit-reloaded.html

 

Re: Locked out of universities network, still have some bad malware problems, please

I suggest that you reboot your PC and attach a new log from MGtools. (download and run the new version). So we can be sure they are gone. Make sure that you do the reboot since this is what would normal trigger their return.


Also are you still having any problems? If so, what are they?

 

Re: Locked out of universities network, still have some bad malware problems, please

Uninstall McAfee and then run the below if possible (not sure if it works on Enterprise version) then reboot no matter what. After reboot, reinstall McAfee and see if it works.

McAfee Consumer Product Removal Tool


Your logs are clean but you should uninstall the below:
NOD32 FiX v2.1 << illegal hack
Prevx << we are finished with it now and you don't need this service to always be running.


Also I strongly advise you to cleanup your Desktop. Remove eveything but links to run programs. Do not download and save programs here and defintely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.



If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!