first post.. need major help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by missmymac, Jan 22, 2012.

  1. missmymac

    missmymac Private E-2

    I have visited here many times for research and tips on previous infections. I've finally run across one I can't remove. I've followed all steps in the Read & Run Me First. All logs will be posted.

    Previous attempts at removal included an AVG Scan which reported a file as whitelisted which brought me to seek your assistance. Browser redirects only on Google search results. AVG intercepts regular trojans. Seems to be some abnormal use of System Resources as well.. CPU and RAM

    Full SAS and Quick MBAM found nothing.

    Combofix detected rootkit.zeroaccess in tcpip stack "difficult infection", as it predicted my internet connection was useless after scan. I rebooted as recommended, no change. Ran Combofix a second time as recommended it still detected the infection and there was no change in internet connection. I am attaching both logs (Combofixlog & Combofixlog2)

    RR detected one locked and hidden file

    These and any future logs will have to be manually transferred to another PC in order to upload due to failed internet connection.

    Thanks in advance for your help!
     

    Attached Files:

    Last edited: Jan 22, 2012
  2. missmymac

    missmymac Private E-2

    continued log uploads
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    
    File::
    C:\Documents and Settings\Susie\Application Data\fd24e3ce
    C:\Documents and Settings\Susie\Local Settings\Application Data\3e200cd1
    C:\Documents and Settings\Susie\Local Settings\Application Data\7k43oq2r56w704
    C:\Documents and Settings\Susie\Local Settings\Application Data\e20261758mejle7rm252
    C:\Documents and Settings\Susie\Local Settings\Application Data\tdpbyo7e2ulx1pis8axc7l410r6x
    C:\Documents and Settings\All Users\Application Data\7k43oq2r56w704
    C:\Documents and Settings\All Users\Application Data\tdpbyo7e2ulx1pis8axc7l410r6x
    C:\Documents and Settings\Susie\Templates\7k43oq2r56w704
    C:\Documents and Settings\Susie\Templates\tdpbyo7e2ulx1pis8axc7l410r6x
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. missmymac

    missmymac Private E-2

    After following those steps I opened 2 programs, they seemed fine. After a reboot Internet Connection is the same as before.. No Internet Connection, Network Connection is fine.

    I did run one Combofix scan between my post and your response in a feeble, desperate attempt to get the internet working. It seemed to run exactly the same as previous runs.

    This attempt at Combofix performed as all others with same detections and number of reboots.

    As far as programs not opening, the Dell Print Monitor has been crashing during startup since the initial steps in Run & Readme. This isn't a huge issue with this machine other than the annoyance of the errors.
     

    Attached Files:

  5. missmymac

    missmymac Private E-2

    I did type the code rather than copy/paste for CFScript... Seemed just as easy as transferring a txt to the infected machine, and a bit quicker. I'm confident it was transcribed without error, but might be something to keep an eye out for.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use windows explorer to find and delete:
    C:\Documents and Settings\Susie\Templates\c6c7a0be

    I am not finding any other malware in your logs. All of your internet services are running, but it also reports that the media is disconnected. This is something you may need to address in the networking forum. But let's try this first:

    Please download MiniToolBox and save it to your desktop and run it by right clicking and selecting Run As Administrator.


    Checkmark following checkboxes:

    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List IP configuration
    • List Winsock Entries
    • List Devices -> All
    • List last 10 Event Viewer log

    Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run from.




    Now download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Repair Windows Firewall
      • Repair Internet Explorer
      • Repair Hosts File
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Windows Updates

    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.

    Reboot after running Windows Repair.

    Tell me if you can now connect.
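
    The checks and repairs above (flush DNS, report and reset the IE proxy, list the Winsock catalog, repair the hosts file and remove infection-set policies) can also be done by hand, which helps when the machine is offline and the GUI tools cannot be transferred to it. The batch file below is an added example, not part of this thread and not MiniToolBox or Windows Repair; it assumes it is run from an elevated cmd.exe on XP SP2 or later, and the file names netfix.cmd, netfix_report.txt and tcpip_reset.log are made up for the example. "report" mode only writes a text report to attach to the thread; "repair" mode runs the supported Winsock and TCP/IP resets (the usual fix for the "socket operation on non-socket" ipconfig error, which is a corrupted Winsock catalog) instead of deleting the Winsock registry keys by hand.

```batch
@echo off
REM netfix.cmd - added example, not the thread's tools. Run from an elevated
REM cmd.exe on Windows XP SP2 or later (file names are assumptions).
REM   netfix.cmd report  -> write netfix_report.txt, change nothing
REM   netfix.cmd repair  -> reset Winsock, TCP/IP, IE proxy, DNS cache; then reboot
setlocal
set REPORT=%~dp0netfix_report.txt
set HOSTS=%SystemRoot%\system32\drivers\etc\hosts
set IESET=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

if /i "%~1"=="repair" goto repair

:report
echo === IP configuration (DNS servers should be the router's or a known resolver) === > "%REPORT%"
ipconfig /all >> "%REPORT%"
echo. >> "%REPORT%"
echo === Winsock catalog (unknown LSP DLLs or a missing TCP/IP provider break all sockets) === >> "%REPORT%"
netsh winsock show catalog >> "%REPORT%"
echo. >> "%REPORT%"
echo === IE proxy settings (ProxyEnable=0x1 plus an unexpected ProxyServer/AutoConfigURL = hijack) === >> "%REPORT%"
reg query "%IESET%" /v ProxyEnable >> "%REPORT%" 2>&1
reg query "%IESET%" /v ProxyServer >> "%REPORT%" 2>&1
reg query "%IESET%" /v AutoConfigURL >> "%REPORT%" 2>&1
echo. >> "%REPORT%"
echo === hosts file without comments/blank lines (expect only 127.0.0.1 localhost) === >> "%REPORT%"
findstr /v /r /c:"^[ ]*#" /c:"^[ ]*$" "%HOSTS%" >> "%REPORT%"
echo. >> "%REPORT%"
echo === Internet Explorer policy keys (infections add restrictions here) === >> "%REPORT%"
reg query "HKCU\Software\Policies\Microsoft\Internet Explorer" /s >> "%REPORT%" 2>&1
reg query "HKLM\Software\Policies\Microsoft\Internet Explorer" /s >> "%REPORT%" 2>&1
echo Report written to "%REPORT%" - attach it to the thread.
goto :eof

:repair
echo Resetting Winsock catalog, TCP/IP stack, IE proxy settings and DNS cache...
REM Supported replacement for deleting HKLM\...\Winsock and Winsock2 by hand.
netsh winsock reset
REM XP requires the log file argument; later versions accept it too.
netsh int ip reset "%~dp0tcpip_reset.log"
ipconfig /flushdns
REM Turn off any proxy an infection pointed the browser at.
reg add "%IESET%" /v ProxyEnable /t REG_DWORD /d 0 /f
reg delete "%IESET%" /v ProxyServer /f 2>nul
reg delete "%IESET%" /v AutoConfigURL /f 2>nul
echo Done. Reboot now; the Winsock and TCP/IP resets only take effect after a restart.
goto :eof
```

    Run "netfix.cmd report" first and read the Winsock catalog and proxy sections before running "repair": a third-party LSP DLL that no longer exists on disk, or a ProxyServer entry pointing at an address you did not set, is the usual reason browsers fail while the network icon reports a good connection. Note that "netsh winsock reset" also removes legitimate LSPs (some firewall and parental-control products install one), so those may need reinstalling afterwards.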
     
  7. missmymac

    missmymac Private E-2

    Result.txt attached. Ran both programs as instructed. Good news is, near the end of the WindowsRepair Run the internet connection went live... Bad News.. after it finished it prompted me for reboot, made sure program was done and rebooted... no internet connection. I do seem to remember seeing something regarding an infection dealing with Winsock.. so that may be where the problem lies. This machine has shown an error as the bios is loading regarding "Media is Disconnected" for a long time, but the system always performed fine to my knowledge and limited experience with it. Assuming that all Malware is removed I'm left with a quirky issue with the internet and a runtime error on dldmon Dells Print Monitor (not an issue as far as I'm concerned)

    Thank you so much for all your help!!
     

    Attached Files:

  8. missmymac

    missmymac Private E-2

    this may be more appropriate in another section but I have tried to release and renew IP through IP config. Renew failed the first time due to the disconnected media you referred to. That error was coming from the LAC because CAT5 wasn't connected.. this machine has only ever connected wirelessly. I disabled that connection and tried ipconfig again. This time I got an error to the effect of something was socketed that wasn't a socket.. (that's probably way off... I've slept since I got that error lol) after a quick google I came across a Microsoft article on the issue.. recommending manual deletion of WinSock and WinSock2 registry entries from HKEY Local Machine. And then a reinstall of TCP/IP via C:\Windows\inf... still no internet. Also when I previously said the connection went live while running WindowsRepair.. the connection error clears from the taskbar icon.. but even with the error cleared and seemingly good connection browsers would still not connect to anything. I saw references to DNS entries being modified by Malware leading to the error, changed my DNS to Google's Public DNS.. still no change. The internet connection worked fine before running through the initial cleaning steps.. so something about the cleaning process has caused the issue. Whether it's related to the programs or to the removal of the various infections I don't know. I had also seen a thread on another site walking someone through removal of Rootkit.ZeroAccess recommending modifying (to the best of my recollection HKEY_Local Machine_System_Current Control Set_TCP/IP) the dword value from 3 to 5. This made no change, and I changed it back to its original value. This was done after initial cleaning steps, between my initial post and your first response.
     
    Last edited: Jan 25, 2012
  9. missmymac

    missmymac Private E-2

    tried to edit previous post again but time limit expired.. The only other thing I can think of is I cleaned this machine about a month ago from an infection of the MBR.. this is not my machine so I don't have much exposure to it, and no control over download practices that have a high danger of infection. This could be related to a partial clean of the initial infection, or a new issue. Unfortunately I remember next to nothing regarding the previous infection. The only thing I can decipher is that after researching this and other sites, part of the cleaning process was to run aswMBR.exe from Avast, so there should be a log I could post if needed.
     
  10. missmymac

    missmymac Private E-2

    I believe the problem is resolved!!! Gonna wait a few days before I'm confident in that statement though lol I ran sfc /scannow a quick reboot that led to a chkdsk run and internet is working perfectly!!! Thanks for all your help Tim! Keep up the awesome work y'all do here. I was at my wits end with this one.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to hear you are up and running. Let me know if you have any other issues.

    In the meantime, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip
     
  12. missmymac

    missmymac Private E-2

    So nice to post a log without having to transfer to another machine!!! :D

    Just out of sheer curiosity, what are you looking for in the MGLog?

    Also I like what I see with the WindowsRepair.. I've never heard of it before. Is there any use, and are there any dangers running it as a kind of housekeeping on other machines? I'm a bit OCD when it comes to having to wait on a slow computer :p

    Thanks again for your time.. So many people are quick to either format or restore instead of dealing with the problem. I really respect and appreciate you and all the other people on this and other forums that donate their time to help everyone with actual troubleshooting, cleaning, and maintenance. You guys ROCK!!
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just double checking that nothing remains. :)
    I would only run it if you are having issues. It isn't a cure all. :)
    You are most welcome.

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
