bandwith stealing malware...

help, malware stealing my bandwith+other malware stuff.

This information may help: A toolkit gave me malware (not 100% sure)

And also rootrepeal failed, i have crash logs on next post.

 

crash logs of rootrepeal...

 

also, combofix doesntwork, it just loads up, even got an update but doesnt launch as it should be doing so.

 

And combofix failed as well. it wont work.

 

after another full scan with malwarebytes i got 1 more threat reported on my system.

Anyone know why combofix doesn't work?

 

Hi, louis cardinal

Possibly rootkit activity. First run the below scans.

http://img684.imageshack.us/img684/3557/tdsskiller.gif I want you to read and follow these instructions: TDSSKiller - How to run


http://img707.imageshack.us/img707/6703/generalxpicon.gif Please download MBRCheck by clicking here and save it to your desktop.

• Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
• A window will open on your desktop.
• If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
• If nothing unusual is found just press Enter.
• A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
• Attach this file to your next message. (How to attach)

 

Yeah... it did nothing...?

i want to kill the guy stealing my bandwidth!!!:cry

 

http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:

• avast! Free Antivirus <--- you can reinstall after malware removal if you'd like
• DAEMON Tools Lite <--- you can reinstall after malware removal if you'd like
• Java(TM) 6 Update 29

Reboot,

Then download and run Avast Uninstaller then reboot again afterwards.

http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

• Save it to your desktop.
• Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  netsvcs
  /md5start
  afd.sys
  atapi.sys
  csrss.exe
  explorer.exe
  lsass.exe
  regedit.exe
  services.exe
  shell32.dll
  svchost.exe
  userinit.exe
  winlogon.exe
  /md5stop
  %systemdrive%\*.*
  %systemdrive%\MGtools\*.*
  %systemroot%\*. /mp /s
  %systemroot%\system32\*.sys /90
  %systemroot%\system32\*.exe /lockedfiles
  %systemroot%\system32\drivers\*.sys /lockedfiles
  %allusersprofile%\application data\*.exe
  hklm\software\microsoft\windows\currentversion\run
  hklm\software\microsoft\windows\currentversion\runonce
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• Two reports will be created:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
• Attach both OTL.txt and Extras.txt to your next message. (How to attach)

 

here are the two files. Also the malware file kmsemulator.exe keeps coming back after my malwarebytes quarantines it.

 

http://img805.imageshack.us/img805/9659/rktigzy.gif Please download RogueKiller by Tigzy to your desktop.

Rename RogueKiller.exe to winlogon.exe
Double-click winlogon.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the number "1" and press ENTER.
When it is finished -- Notepad will open with the report and the log is saved to your desktop.
Attach RKreport[1].txt to your next message. (How to attach)
You can now type the number "0" and press ENTER to exit RogueKiller.

I've noticed. I'm removing part of MBAM in the below fix so don't try to run anything other than what is requested. We'll be able to see if it returns or not without MBAM from the new logs you attach.

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:processes[/COLOR]
killallprocesses
[COLOR="DarkRed"]:otl[/COLOR]
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (VGPU)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (tsusbhub)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (Synth3dVsc)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (sptd)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (rootrepeal)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (MBAMSwissArmy)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (GENERICDRV)
O33 - MountPoints2\{05e9b8c0-6294-11e0-bbba-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{05e9b8c0-6294-11e0-bbba-806e6f6e6963}\Shell\AutoRun\command - "" = F:\Autorun.exe
O33 - MountPoints2\{5c4ef9c0-9712-11e0-a2b1-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{5c4ef9c0-9712-11e0-a2b1-806e6f6e6963}\Shell\AutoRun\command - "" = D:\setup.exe
[2011/12/17 00:55:17 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2011/12/17 00:53:47 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/12/16 07:14:00 | 004,340,701 | R--- | C] (Swearware) -- C:\Users\Louis\Desktop\ComboFix.exe
[2011/11/27 19:33:20 | 000,000,000 | ---D | C] -- C:\Users\Louis\AppData\Local\{CB0B3CBF-7B7D-41FD-BBC0-E424423B7DFC}
[2011/11/27 19:32:06 | 000,000,000 | ---D | C] -- C:\Users\Louis\AppData\Local\{D0B00041-17CC-4ECA-8D1F-E7D71D8B4EB8}
[7 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[COLOR="DarkRed"]:commands[/COLOR]
[emptyjava]
[emptyflash]
[resethosts]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

http://img194.imageshack.us/img194/4930/combofix.gif Now download a new ComboFix.exe to your desktop.
Now try to run by right-mouse clicking it one time and choosing "Run as Administrator".

Regardless if ComboFix was successful this time or not, do the following after at least attempting ComboFix.


http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

i attached the RK report but theres a problem with the OTL task you set me. it failed, you can see the image i put below for details. After it gives me that error message i let it flow for 30 minutes, nothing happens, OTL stopped working!?

So what now?

 

http://img805.imageshack.us/img805/9659/rktigzy.gif First, run winlogon.exe again and this time choose mode "5 - DNS Fix" and then press ENTER.
Attach RKreport[2].txt to your next message.
Exit out of RogueKiller.

http://img205.imageshack.us/img205/1894/otl.gif I have edited the OTL Fix. Refresh your browser to see the changes and then copy/paste the new information into OTL.

See if it will run now.

 

heres the RK report 2, Also the new fix entry failed again, see the image i attached for the error. so far your help has been amazing!

 

Just double-check that you are running OTL as Administrator and then use the updated fix (I have updated it again).

Let me know if that still does not work. We may need to resort to another tool to finish up.

Also, what happens if you press OK to that error you receive?

 

Heres the OTL log. It worked but what do i do now? do i proceed with this?

 

Yes, continue onto ComboFix.

 

After i finished running combo fix, a log came up and i accidentally closed it :cry

I went into my disk :C and there was a combofix.txt, i hope this is the same thing!?

one thing happened after i ran combofix.

In my networks and sharing center i can see a new, never seen before network 3.

and it is impossible to delete it from there. Is this be the network setup from the malware?

i also did the next step of running the .bat file for the MGlog

thanks!

 

Code:

c:\windows\Tasks\AutoKMS.job
c:\windows\Tasks\AutoKMSDaily.job
c:\windows\KMSEmulator.exe
c:\windows\AutoKMS.exe

All these are part of a HackTool for MS Office.

http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_programs/what-is-autokmsexe/40e0a42e-316c-41ac-b4c5-38e4a3de4a09?msgId=35d2d631-3592-428c-8af3-afb36de3fbde

How is your PC running?

 

The link you sent me said it was a false positive!??? however i still have a 'network 3' on my list of network and sharing center, and my internet is still not at it's fastest as it should be. Someone is still stealing some of my internet bandwidth. I can tell because the LED on my etheranet port used to be green.

 

It is a false-positive. It's still a hacktool and is not recommended. Read: Warning about Porn, Keygens, Cracks, and other Illegal Software

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:otl[/COLOR]
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 0.0.0.0
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1DD20947-DB6E-442F-84A3-5D7AC6898356}: DhcpNameServer = 0.0.0.0
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B2E6AD84-EDCB-4394-A0A0-2B5D541628BE}: NameServer = 219.76.98.66 218.102.32.208
[COLOR="DarkRed"]:files[/COLOR]
c:\windows\Tasks\AutoKMS.job
c:\windows\Tasks\AutoKMSDaily.job
c:\windows\KMSEmulator.exe
c:\windows\AutoKMS.exe
ipconfig /flushdns /c
[COLOR="DarkRed"]:commands[/COLOR]
[purity]
[emptytemp]
[resethosts]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

 

heres the log, thanks man. LED still orange (slow) are we getting closer to the finish? :confused

 

I'm not seeing any actual malware in your logs.

You can run this scan below while I double-check with my colleagues to make sure I am not missing something.

Download Virus Removal Tool from Here to your desktop

Run the program you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

• Click the cog in the upper right
  http://i1224.photobucket.com/albums/ee362/Essexboy3/AVPfront.gif
  
  
  
• Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan
  
  
  http://i1224.photobucket.com/albums/ee362/Essexboy3/avpsettings.gif
  
• Allow Virus Removal Tool to delete all infections found
• Once it has finished select report tab (last tab)
• Select Detected threads report from the left and press Save button
• Save it to your desktop and attach to your next post. (How to attach)

 

Over the stages of malware removal my internet connection has gotten better and returned closer to normal by the way. its just not as it used to be.

 

And the verdict is... your logs are clean

Not sure why it is slower than before but it's not due to malware.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!

Take care and be safe!