Infection - Reinfection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by PaperBullets, Dec 10, 2011.

  1. PaperBullets

    PaperBullets Private E-2

    The story goes: I received some sort of malware/Trojan. MalwareBytes found an infection and could not remove it (pup.bitminer / ping.exe). Through information from this website I ran a number of other programs (SuperAntiSpyware, TDSSkiller, etc). They also found the infection and seemed to remove it. Today, a week later, the infection seems to be back. I've rerun the same programs, which have found and removed similar trojans/malware. However, I thought it would be best this time for some experts to examine my logs. Thank you all in advance for your hard work and any help.

    I should note that I have a 64-bit Windows 7 system. I could not run Rootrepeal.
     

    Attached Files:

  2. PaperBullets

    PaperBullets Private E-2

    The remaining log.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please move ComboFix directly onto your desktop, not where you have it:
    Running from: g:\securitytemp\ComboFix.exe.

    Please do the following in normal mode!!

    Now download The Avenger by Swandog46 to your Desktop.

    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    Extract avenger.exe from the Zip file and save it to your desktop.


    1. Run avenger.exe by double-clicking on it.
    2. Click OK at the warning to continue to use The Avenger
    3. Do not change any of the check box options!
    4. Shut down your protection software now to avoid possible conflicts.
    5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    6. Now click the Execute button.
    7. Click Yes to the prompt to confirm you want to execute.
    8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    9. Your PC should reboot, if not, reboot it yourself.
    10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky

    Be sure to attach your log from TDSSKiller

    Please also download MBRCheck to your desktop.

    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. PaperBullets

    PaperBullets Private E-2

    Tim, thank you kindly for responding!

    I've run the 4 programs as asked as well as moved Combofix to the desktop.
    Avenger failed to delete the files as well as did not generate a report upon rebooting. The other two programs did generate reports.

    The computer seems to be running the same as it was after I ran SuperAntiSpyware before my initial post.

    I'm working on trying to find the log for MGTools. It seems to be hiding this time around! Will have it shortly.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your log should be at:
    C:\MGLogs.zip
     
  6. PaperBullets

    PaperBullets Private E-2

    Found it. Thank you Tim.
     

    Attached Files:

  7. PaperBullets

    PaperBullets Private E-2

    Looks like I forgot to post the other two logs that generated. Here they are, sorry.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    File::
    C:\Users\Ave\AppData\Local\5m24ru2g53l507
    C:\Users\Ave\AppData\Local\ajhxsn5g6bvn5sog4ypw6h057m6l
    C:\Users\Ave\AppData\Roaming\Microsoft\Windows\Templates\5m24ru2g53l507
    C:\Users\Ave\AppData\Roaming\Microsoft\Windows\Templates\ajhxsn5g6bvn5sog4ypw6h057m6l
    C:\ProgramData\5m24ru2g53l507
    C:\ProgramData\ajhxsn5g6bvn5sog4ypw6h057m6l
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini 
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running ComboFix you discover none of your programs will open and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  9. PaperBullets

    PaperBullets Private E-2

    The files that are supposed to be deleted remain on my desktop although greyed out. I did test and they can be manually deleted, would that be enough?
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What files and why are they on your desktop? If you can delete them, do so.

    Things are looking much better, but let's do this:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    Driver::
    nenjwvff
    lwkxhith
    
    File::
    c:\windows\SysWow64\drivers\nenjwvff.sys
    c:\windows\SysWow64\drivers\lwkxhith.sys
    C:\Windows\System32\drivers\lwkxhith.sys
    C:\Windows\System32\drivers\nenjwvff.sys
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running ComboFix you discover none of your programs will open and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  11. PaperBullets

    PaperBullets Private E-2

    The semi-transparent files that didn't delete before were the Desktop.ini files. I have now deleted them. Everything else seems to have been deleted (as you've probably seen in the logs).

    Since last night the computer's performance does seem to have picked up.

    Here are the requested logs from your last instructions.
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The desktop files were hidden system files and shouldn't have been removed.

    Let's just clean up a few more things:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    Driver::
    ssuflysw
    yguwi
    dbstsi
    File::
    c:\windows\SysWow64\drivers\dbstsi.sys
    c:\windows\system32\drivers\lwkxhith.sys 
    c:\windows\system32\drivers\nenjwvff.sys
    C:\Program Files (x86)\frcbugc.txt
    C:\Program Files (x86)\ojcxw.txt
     
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running ComboFix you discover none of your programs will open and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited by a moderator: Dec 12, 2011
  13. PaperBullets

    PaperBullets Private E-2

    Downloaded and used the new MGtools. I noticed today that the trojan also seems to have disabled the Windows Firewall and Defender programs. After reading another person's thread with the same issues, rather than repair the Windows Firewall, do you have any recommendations for firewall programs?

    Thank you again Tim for taking your time to help.

    Logs attached.
     

    Attached Files:

  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Two more things to deal with and then you should be good to go. You can post in the software forum for advice about firewalls, but I would recommend Comodo.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    Driver::
    ajjdwri
    File::
    c:\windows\system32\drivers\dbstsi.sys
    C:\Windows\majeezmi.txt
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running ComboFix you discover none of your programs will open and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  15. PaperBullets

    PaperBullets Private E-2

    Thank you for the recommendation and of course your help.

    As requested the logs.
     

    Attached Files:

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good. :)

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:


     
  17. PaperBullets

    PaperBullets Private E-2

    Thank you so much! You guys are the best! :)
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No Tim! This is due to the infection and only people here in the Malware Forum would understand this and the logs. You can see from our logs why this is not working:
    Code:
    =====================================================================================  
    Checking Base Filtering Engine Service State and Dependencies 
       Base Filtering Service is NOT running  
            C:\Windows\system32\bfe.dll is missing   
       Remote Procedure Call {RPC}- Service is running  
       DCOM Server Process Launcher Service is running  
    =====================================================================================  
    Checking Windows Firewall Service -MpsSvc- State 
    .
       Windows Firewall Service is NOT running  
    =====================================================================================  
    But note that bfe.dll is not missing. This is an older version of MGtools that was run.
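    The MGtools log excerpt above walks a fixed dependency chain: the Windows Firewall service (MpsSvc) cannot run unless the Base Filtering Engine (BFE) and the mpsdrv driver run, and BFE in turn needs RPC (RpcSs) and DCOM (DcomLaunch). The following PowerShell script is an added example, not part of the thread, of MGtools or of MiniRegTool, that reproduces that check read-only: for each service in the chain it reports whether the service is registered at all, its status and start type, what it depends on, and whether the binary its registry key points at (for BFE, the bfe.dll the log says is missing) actually exists on disk. The service names and bfe.dll come from the log; the helper names and report layout are assumptions of mine.

```powershell
# Added example, not part of the thread or of MGtools: a read-only check of the
# service chain the MGtools log reports on (RPC and DCOM, the mpsdrv driver,
# the Base Filtering Engine, and the Windows Firewall service).
# Run from an elevated 64-bit PowerShell: a 32-bit process has System32
# redirected to SysWOW64, which is one way a tool can misreport a DLL as missing.

$FirewallChain = 'RpcSs', 'DcomLaunch', 'mpsdrv', 'BFE', 'MpsSvc'
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Resolve-ServiceBinary {
    # Returns the on-disk path of the service's executable or, for svchost-hosted
    # services such as BFE and MpsSvc, of the DLL named in Parameters\ServiceDll.
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $dll = (Get-ItemProperty "$key\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    $raw = if ($dll) { $dll } else { (Get-ItemProperty $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath }
    if (-not $raw) { return $null }
    # Expand %SystemRoot%, drop quotes and svchost arguments (-k ...), normalise kernel-style prefixes.
    $raw = [Environment]::ExpandEnvironmentVariables($raw) -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.(exe|sys|dll)).*$', '$1'
    $raw = $raw -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [IO.Path]::IsPathRooted($raw)) { $raw = Join-Path $env:SystemRoot $raw }   # e.g. system32\drivers\mpsdrv.sys
    return $raw
}

function Get-FirewallChainState {
    foreach ($name in $FirewallChain) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $status = 'Missing'
        $deps = ''
        try {
            # ServiceController opens the name through the SCM directly, so it also
            # works for kernel drivers such as mpsdrv; it throws if the service is not installed.
            $sc = New-Object System.ServiceProcess.ServiceController $name
            $status = $sc.Status.ToString()
            $deps = ($sc.ServicesDependedOn | ForEach-Object Name) -join ','
        } catch { }
        $start = (Get-ItemProperty $key -Name Start -ErrorAction SilentlyContinue).Start
        $binary = Resolve-ServiceBinary $name
        [pscustomobject]@{
            Service      = $name
            Status       = $status                       # Running / Stopped / Missing
            StartType    = if ($null -ne $start) { $StartTypes[[int]$start] } else { 'NoRegistryKey' }
            DependsOn    = $deps                         # MpsSvc should list BFE and mpsdrv
            Binary       = $binary
            BinaryExists = if ($binary) { Test-Path $binary } else { $false }
        }
    }
}

Get-FirewallChainState | Format-Table -AutoSize
```

A row that reads Status "Missing" together with StartType "NoRegistryKey" means the service definition itself is gone, not merely stopped or disabled, and no amount of restarting will bring it back; the Services\<name> key has to be re-created. A row with BinaryExists "False" is the case the old MGtools log claimed for bfe.dll, and is worth re-checking from a 64-bit process before believing it.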
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    @PaperBullets:

    Chas noticed some things I overlooked. Please go to start / run / and type:
    services.msc
    When that panel opens, scroll down to both the Base Filtering Service (- bfe.dll) and the Windows Firewall Service (-MpsSvc). Right click them and tell me what the properties say. Are they disabled? Set to manual? Missing?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    @TimW

    The BFE and MpsSvc registry keys have been deleted. You need to restore them.
     
  22. PaperBullets

    PaperBullets Private E-2

    As Chas said, both the BFE and Mps have been deleted by the virus (not in services.msc). Having made the connection from another poor soul's Firewall thread here in the forums, his solution was to reinstall Windows. I'm assuming that is my only choice aside from downloading a free firewall program.
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try this:



    Please download MiniRegTool.zip and unzip it.


    • Run the tool.
    • Copy and paste the following into the edit box:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSDRV\0000
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc



    • Check List Permissions radio button.
    • Press Go button and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.


    Reboot.


    Now open the following folder: C:\MGtools
    Locate FixWFW.bat and right-mouse click it once, and then choose "Run as Administrator" from the side menu that appears.
    It won't take long to run. Give it about 10 seconds and then reboot your PC. Let me know if the Windows Firewall is now on when you are back in Windows.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  24. PaperBullets

    PaperBullets Private E-2

    Done as asked and no change in the firewall ( still not working; Error: Windows firewall can not change some settings, Error Code 0x80070424 ).
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now press the Windows key and the R key at the same time to bring up the Run box. Type in regedit and hit OK.
    • Then in the Registry Editor click File, Import.
    • Navigate your way to the C:\MGtools folder and locate the fixW7BFE.reg key and select it.
    • Then click the Open button and allow this to be added into your registry
    Tell me what happened exactly. Like do you get any error messages or do you get a success message?

    If you received a success message then repeat the above import but with the below two files from the MGtools folder.
    • fixW7FW.reg
    • FixW7FWdrv.reg
    Then so that we can see what effect this had, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below log:
    • C:\MGlogs.zip
     
  26. PaperBullets

    PaperBullets Private E-2

    I get an error stating: "Cannot import C:\MGtools\FixW7BFE.reg: Error accessing the registry." :cry
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download SubInACL.msi from Microsoft.
    • Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
    • Now download the below file and save it to your Desktop:
    • Now right click on resetperm.cmd and select Run As Administrator to run this script. Be patient as this may take a while to run. Also it is imperative that you Run As Administrator. This is not the same thing as your user account having administrator privileges.
    Once it finishes, reboot your PC.

    Then retry the manual import of those three registry patches with Regedit.

    Whether the imports work or not, now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  28. PaperBullets

    PaperBullets Private E-2

    Still same errors trying to import the files.
     
  29. PaperBullets

    PaperBullets Private E-2

    MGtool logs.
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you ran the resetperm-x64.cmd script, did you notice the command prompt window open? And did it take 10 or more minutes to run?


    Run the Windows Registry Editor again as Administrator

    Navigate to the below registry path
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

    Then right click on it and select Permissions

    What names do you see in the section under Group or user names:

    Also select SYSTEM from the names area and then look in the bottom box under Permissions for SYSTEM and tell me which check boxes are checked.


    Also note that you are incorrect about the importing of the registry keys. You should not have just said they failed. At least two of them partially worked. I can see from your new logs that the registry entries for BFE and MpsSVC are now in your registry. So they only partially failed and should have given an error message indicating something like that.
     
    Last edited: Dec 18, 2011
  31. PaperBullets

    PaperBullets Private E-2

    Resetperm did run for 10 mins or so. I watched while it did its work and there were a number of changes as well as a number of failures.

    Here is what's under the root permissions ( Name : Boxes checked )
    (Groups and Users)
    Everyone: Allow Read
    Owner Rights: Allow Special Permissions
    System: Allow Full control, Read

    Sorry for the misinformation on the imports. It's true I did not read closely for the other two imports (only noticing that they did receive some sort of error message.) I'll be more careful. Thankfully one of us knows what they're doing! :-o
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if it allows you to change the permissions for Everyone to have Full control.
     
  33. PaperBullets

    PaperBullets Private E-2

    Tried and it did not allow me to give full control to the Everyone user group.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's see if we can change this.
    • With that Permissions for Root form open, click on the Advanced button down towards the bottom right.
    • On the next Advanced Security Settings for Root form, click the Owner tab and tell me which names appear in the below two boxes
      • Current owner:
      • Change owner to:
     
  35. PaperBullets

    PaperBullets Private E-2

    Current Owner:
    *Administrators (Faust\Administrators)

    Change Owner to:
    * Administrators (Faust\Administrators)
    * Ave (Faust\Ave)
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's modify the Owner by adding Everyone to the list.
    • On this Advanced... form, click the Other users or groups... button
    • On the next form, in the Enter the object name to select box, type in Everyone and then click Check Names, which will then verify that Everyone exists and will underline the text to show it was found
    • Then click OK
    • Then back on the Advanced Security Settings for Root form select Everyone and then click the Apply button. And then OK out of this form.
    • Now you should be back at the Permissions for Root form.
    • Select Everyone and see if you can now give Full Control by checking the box and clicking Apply.
    If the above works, do the same thing for each of the below subkeys of Root

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MpsSvc

    It may even already have Everyone set to full control if we are lucky.

    If all of this works, then try importing the fixW7BFE.reg and fixW7WFW.reg files again.

    Tell me what happens.
     
    Last edited: Dec 20, 2011
  37. PaperBullets

    PaperBullets Private E-2

    Ok, I have done as explained and the permissions have changed and I did manage to import the two MGtool reg files.

    However, for whatever reason two of the prior mentioned roots do not appear in my roots folder list:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MpsSvc

    So I couldn't change their permissions; but like I said, importing the MGtools regs worked anyway.
     
  38. PaperBullets

    PaperBullets Private E-2

    The logs in case you need them.
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you running Regedit as administrator? If not please do so and repeat the imports. And are you importing via the File menu within Regedit? I don't want you to just double click the patch files.

    Also please try powering down your PC for a couple of minutes and then reboot. See if the BFE service and Windows Firewall start. If they do not, please run the below commands from a command prompt window and tell me what you get for an output

    net start mpsdrv
    net start mpssvc
    net start bfe
     
    Last edited: Dec 21, 2011
  40. PaperBullets

    PaperBullets Private E-2

    The window for the run before I open Regedit states that it will run with administrator privileges, so I am assuming Regedit is run with said privileges.

    I did import the files via the File > Import tab a top the Regedit menu. I did not double click the files in the MGtools folder.

    I did not reboot my computer before running the Getlogs.bat (not sure if that's helpful information but maybe.)

    After booting my machine this morning the firewall still receives an error when trying to turn it on.

    The messages for running the commands: (run with admin privs)

    net start mpsdrv: the requested service has already been started.

    net start mpssvc: System error 1068 has occurred. the dependency service or group has failed to start.

    net start bfe: The base filtering engine service could not be started. A system error has occurred. A system error 5 has occurred. Access is denied.
     

    Attached Files:

  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay there still is some kind of permissions issue with various registry keys that is stopping some data from being imported and allowing the services to run.

    Please run the Registry Editor again as Administrator and do the following.
    • First navigate to the below registry key and have it selected
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
    • Then right click on this key and select Permissions
    • Then on the Permissions for BFE form click the Add button
    • In the Enter the object names to select box type Everyone and click the Check Names button, which should cause the Everyone text to be approved and underlined
    • Then click the OK button which returns you to the Permissions for BFE form
    • Make sure you select Everyone from the upper list, and then in the Permissions form Everyone box, select Full Control and see if it allows you to click the Apply button.
      • If you could Apply this then repeat the above for the below key
        • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc
      • If you could not Apply this then continue with the below for the BFE key
    • Click the Advanced button
    • On this Advanced... form, select the Owner tab.
    • On the Owner tab, do the next steps to add Everyone to owners and make Everyone the current owner
    • Click the Other users or groups... button
    • On the next form, in the Enter the object name to select box, type in Everyone and then click Check Names, which will then verify that Everyone exists and will underline the text to show it was found
    • Then click OK
    • Then back on the Advanced Security Settings for BFE form select Everyone and then click the Apply button. And then OK out of this form.
    • Now you should be back at the Permissions for Root form.
    • Select Everyone and see if you can now give Full Control by checking the box and clicking Apply.
    If the above works to get Full Control enabled for Everyone on the BFE key, do the same thing for each of the below keys:
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpsdrv
    If all of this works, then try importing the FixW7BFE.reg, FixW7WFW.reg and the FixW7FWdrv.reg files again. Tell me what happens ( exactly ) for each entry.

    Then no matter what happens above, continue with the below.

    Reboot your PC and after reboot continue.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\MGlogs.zip
     
  42. PaperBullets

    PaperBullets Private E-2



      • This step worked. The Everyone user group was able to have Full Access applied. All 3 imports, FixW7BFE.reg, FixW7FW.reg, FixW7FWdrv.reg resulted in the following message with their respective names changed/ included:
        "The keys and values contained in C:\MGtools\FixW7BFE.reg have been successfully added to the registry."

        After that I rebooted the machine, downloaded the new MGtools.exe and placed it inside the root folder, removed the previous .exe which happened to be on the desktop, right clicked > Run as admin the new .exe file, and let it do its thing. The resulting log is attached.
     

    Attached Files:

  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good job. According to your logs, all the services we were having a problem with are running now.

    Are you having any remaining issues?
     
  44. PaperBullets

    PaperBullets Private E-2

    Ha! I didn't even check my firewall after all that. I was just quietly waiting further instructions. lol.

    Nope, I have no further issues with my computer. You guys have an amazingly helpful website here and I've already recommended it to other people. Thank you both so much for taking the time to help me fix this.

    I do have a question: are there any more steps I should take now? Like changing permissions back or uninstalling something?
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    You can rerun the resetperm-x64.cmd file to reset permissions back to defaults. This will again take a good 10 minutes to run.



    Then if you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
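The repair in post 41 grants Everyone Full Control on the BFE, MpsSvc and mpsdrv service keys so the .reg files can import and the firewall services can start, and post 45 says to run resetperm-x64.cmd afterwards to put the permissions back to defaults. The script below is an added example, not something posted in this thread or shipped with MGtools: it reads the state of those three services and the ACL on each of their registry keys, so you can confirm before and after each step that the services are running, that MpsSvc's dependency on BFE (the cause of the "error 1068" in post 40) is satisfied, and that the temporary Everyone entry is gone once the reset has been done. The service and key names are the ones used in the thread; the "expected state" logic is this example's own assumption. Run it from a PowerShell prompt started with Run as Administrator.

```powershell
# Added example (not from the thread or MGtools): audit the firewall service keys
# that the thread repairs. Service short names come from the thread; the
# expected-state checks below are this example's own assumption.

$services = @('BFE', 'MpsSvc', 'mpsdrv')

foreach ($name in $services) {
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    Write-Host "=== $name ==="

    # 1. Service status and what it depends on. MpsSvc depends on BFE, which is
    #    why a BFE "access denied" shows up as error 1068 on MpsSvc.
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Host "  Service not found (service or its registry key may be missing)"
    } else {
        Write-Host ("  Status: {0}" -f $svc.Status)
        $deps = ($svc.ServicesDependedOn |
                 ForEach-Object { "{0}={1}" -f $_.Name, $_.Status }) -join ', '
        if ($deps) { Write-Host "  Depends on: $deps" }
    }

    # 2. Registry ACL: who owns the key, and whether Everyone has an explicit
    #    entry (the thread adds one as a temporary fix).
    if (-not (Test-Path $keyPath)) {
        Write-Host "  Registry key missing: $keyPath"
        continue
    }
    $acl = Get-Acl -Path $keyPath
    Write-Host ("  Owner: {0}" -f $acl.Owner)

    $everyoneAces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }
    if ($everyoneAces) {
        foreach ($ace in $everyoneAces) {
            Write-Host ("  Everyone: {0} {1}" -f $ace.AccessControlType, $ace.RegistryRights)
        }
        Write-Host "  NOTE: Everyone still has an explicit entry; once the services are confirmed working, run resetperm-x64.cmd to restore default permissions"
    } else {
        Write-Host "  Everyone: no explicit entry (default state)"
    }
}
```

After the .reg imports and reboot, all three services should report Running and MpsSvc should list BFE=Running under "Depends on"; after resetperm-x64.cmd the Everyone lines should disappear while the services keep running. If a key comes back with Everyone granted FullControl long after cleanup, that is the leftover from this repair rather than a new problem, and the reset step in post 45 is the fix.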
