Lost Internet/Network connections after MBAM

Discussion in 'Malware Help (A Specialist Will Reply)' started by Bluznvice, Sep 20, 2008.

  1. Bluznvice

    Bluznvice Private E-2

    Working to remove a slew of nasty virii from my son's laptop. He has no idea how he got them, and said it's been "a while" since he got them. Since then, he powered it down and left it. I guess it's been at least 6 months or so.

    The laptop is a Gateway, 1.5 GHz Celeron with 448 MB RAM, running XP Home edition SP2.

    Basic symptoms were a red screen desktop saying that the computer was under spyware "atack" and click here to fix. He probably did...several times. There were a bunch of different spyware programs installed and running. Internet home address was hijacked, disk was constantly being accessed, and a pesky popup "Application error - SCANREGW.EXE" failed to initialize.

    Long story short, going through the README First process:

    I had to download all the programs onto my laptop and copy them to his laptop. It seems that whatever was running didn't like me going to MajorGeeks website. I installed all the programs as per instructions.

    Ran CCleaner with no problems. It deleted about 150 MB worth of stuff.

    Had some problems trying to run SAS. First time, it ran all the way through, fairly quickly and found over 500 issues. When I clicked on fix the problems, SAS crashed and the computer re-booted. I tried running it again, this time it took a little longer, but same results, so I moved on.

    More issues running Spybot. It would run about halfway through then seemingly hang while scanning "Virtumonde" and crash out. It also kept saying that it needed to reboot to continue. I did that the first time, and before it bombed out, it allowed me to delete some of the errors it found. But it still never completed.

    The computer seemed to run a little bit faster after this, so I decided to run SAS again. It took over 7 hours to run, but in the end, it finished and allowed me to delete all the problems it found. I've attached the first and third SAS logs to the post.

    I ran Spybot again, and it finished normally so I next ran MBAM. It seemed to finish normally and told me to re-boot, which I did. However, it went into a boot-loop and as long as I tried a normal boot, it would constantly re-boot itself. It had an error just before re-booting: "Error - Rundll - error loading C:\windows\system32\njalvqkx.dll".

    I then rebooted it with last known good configuration. This seemed to be ok, but I noticed there was no wireless icon in the system tray. Tried re-booting in Safe mode with networking - same results. After re-booting and completely shutting down a couple of times, I'm now able to boot in normal mode, but not sure why.

    Anyway, there are no network connections, and I've lost the wireless icon/monitor and can't connect to the internet. I've elected not to continue with running ComboFix until I get some feedback/help on the network problem. Computer seems to be running pretty good with that one exception, but I'm sure I need to complete the process and get it properly protected.

    Thanks for all you do!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Yes you are correct in your assessment that this PC was (and may still be) very badly infected. Here is what I would like you to do. We will skip ComboFix for now but I may ask you to run it at a later time.

    First boot into safe mode and see if you can run a full scan with SAS. If you can then attach the new log. If you cannot run it in safe mode then run it again in normal boot mode and attach that log.

    Now move on to the instructions in the READ & RUN ME for MGtools and run it and attach the C:\MGlogs.zip file.
     
  3. Bluznvice

    Bluznvice Private E-2

    Thanks for the reply Chaslang!

    So far, so good. SAS ran ok in Safe Mode, no errors. MGtools ran as well in Normal Mode. Both logs are attached.

    I did notice that in Safe Mode, I got the option to boot as User "Administrator" or "Owner". Don't ever get that option in Normal Mode. When I check the User accounts in Normal Mode, there is no "Administrator" displayed. Same thing when I boot as "Owner" in Safe Mode. But they both show up when I boot as Administrator. I suspect that the infection set up the Administrator user because when it was infected, various functions were blocked by Administrator.

    I ran SAS in Safe Mode twice, once as "Owner" and once as "Administrator". The only one attached is from the "Owner" boot.

    Not sure if I completely trust the system yet, but it seems clean. The only obvious problem now is no Network Connections (completely blank), and no Internet or wireless connectivity. Device Manager shows an "Unknown" device which appears to be what should be Network Adapters, which is missing. Hopefully, there's an easy fix for this!

    Thanks again!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No this is not part of the infection. The Administrator account is a normal account created by Windows and it only appears in Safe Boot mode unless you configure the PC to always show it. You read a little about this while doing step 1 of the READ & RUN ME while running the CCleaner part.

    Speaking of step 1 of the READ & RUN ME, you did not uninstall the below. Uninstall them now:
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player

    Also your McAfee program has been totally compromised and should be uninstalled for now since it can no longer be trusted. It and several other programs have been infected by a form of Virtumonde. We are going to need to use ComboFix so make sure that you have saved it to the Desktop now. The below instructions will require this.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
    O4 - HKCU\..\Run: [Hktwfsx] "C:\Program Files\Common Files\?ecurity\??rvices.exe"
    O4 - HKCU\..\RunOnce: [3P_UDEC] "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\T44FL9S1\CleanerInstall[1].exe" 0;B;aid=rbrnm_sa_rid_3_300x250_onclick_dscl6&lid=3_300x250_onclick&affid=nm_151077_4B3D3AACCCB811DCA885151077DDFFFF_E42ECCB1633C49848F700F04C66317F3
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O20 - AppInit_DLLs: hbqgrm.dll
    O20 - Winlogon Notify: xxyvtus - xxyvtus.dll (file missing)

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it:
    Code:
    KILLALL::
     
    RenV::                                                                      
    ----a-w            32,768 2008-03-13 05:42:13  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
    ----a-w            68,856 2008-02-05 23:39:50  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    ----a-w            49,152 2008-03-13 05:42:41  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
    ----a-w           267,048 2008-03-13 05:42:47  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w           136,600 2008-09-19 21:05:31  C:\Program Files\Java\jre6\bin\jusched .exe
    ----a-w           110,592 2008-06-04 03:15:20  C:\Program Files\McAfee\SpamKiller\MS47CC~1 .EXE
    ----a-w           110,592 2008-06-10 00:41:56  C:\Program Files\McAfee\SpamKiller\MSKAGE~2 .EXE
    ----a-w         1,121,792 2008-03-13 05:42:37  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
    ----a-w           303,104 2008-03-13 05:42:28  C:\Program Files\McAfee.com\Agent\mcagent .exe
    ----a-w           212,992 2008-03-13 05:42:03  C:\Program Files\McAfee.com\Agent\mcupdate .exe
    ----a-w           999,424 2008-03-13 05:42:37  C:\Program Files\McAfee.com\Personal Firewall\MpfTray .exe
    ----a-w           131,072 2008-09-18 14:30:05  C:\Program Files\McAfee.com\Shared\mcappins .exe
    ----a-w         1,694,208 2008-02-03 19:14:39  C:\Program Files\Messenger\msmsgs .exe
    ----a-w           227,914 2008-03-13 05:42:51  C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper .exe
    ----a-w         1,576,176 2008-09-19 21:05:40  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
    ----a-w           737,370 2008-03-13 05:42:17  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
    ----a-w            15,360 2008-09-19 17:37:22  C:\WINDOWS\system32\ctfmon .exe
    ----a-w        16,863,864 2008-06-10 00:42:14  C:\WINDOWS\system32\MRT .exe
     
    Driver::
    avszhqpk
     
    File::
    C:\wzoubv.txt
    C:\WINDOWS\mainms.vpi
    C:\WINDOWS\megavid.cdt
    C:\WINDOWS\muotr.so
    C:\WINDOWS\system32\fdnrrskn.ini
    C:\WINDOWS\system32\ijkmp.ini
    C:\WINDOWS\system32\ijkmp.ini2
    C:\WINDOWS\system32\klhkdoge.ini
    C:\WINDOWS\system32\lrrgyanr.ini
    C:\WINDOWS\system32\pondloak.ini
    C:\WINDOWS\system32\drivers\avszhqpk.sys
    C:\WINDOWS\system32\hbqgrm.dll
     
    Folder::
    C:\Program Files\QdrModule
     
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "QdrModule12"=-
    "Hktwfsx"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "3P_UDEC"=-
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Owner\Local Settings\Temp

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Sep 25, 2008
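An added example, not code from the thread or from the MajorGeeks tools: a small Python parser for HijackThis lines of the kind quoted in the post above. It pulls each O4 autostart entry apart (hive, key, value name, executable), flags orphaned references ("(file missing)" / "(no file)") and the O20 AppInit_DLLs / Winlogon Notify lines, and generates the ComboFix `Registry::` section in the format of the CFScript above, so a helper can check that the script they are about to run deletes every Run/RunOnce value listed. The sample lines and the expected `Registry::` block are copied from this post; the regexes and the orphan/high-risk flags are the example's own assumptions.

```python
import re
from collections import OrderedDict

# Sample input for this example: HijackThis lines quoted in the post above
# (the long RunOnce command line is shortened to its first argument).
HJT_SAMPLE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - HKCU\..\Run: [Hktwfsx] "C:\Program Files\Common Files\?ecurity\??rvices.exe"
O4 - HKCU\..\RunOnce: [3P_UDEC] "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\T44FL9S1\CleanerInstall[1].exe" 0;B
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - AppInit_DLLs: hbqgrm.dll
O20 - Winlogon Notify: xxyvtus - xxyvtus.dll (file missing)
"""

# The Registry:: section of the CFScript from the post above (sample, used for the coverage check).
CFSCRIPT_SAMPLE = r"""
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"QdrModule12"=-
"Hktwfsx"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"3P_UDEC"=-
"""

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion"

# O4 - HKCU\..\Run: [ValueName] "C:\path\prog.exe" args   (assumed HJT layout)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def command_exe(cmd):
    """Extract the executable path from a Run value ('"C:\\x y.exe" 0;B' -> 'C:\\x y.exe')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_hjt(text):
    """Turn HijackThis lines into records; O4 entries get hive/key/name/cmd/exe fields."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        rec = {
            "type": kind,
            "raw": line,
            # registry reference whose target file is already gone: leftover to clean up
            "orphan": "(file missing)" in line or "(no file)" in line,
            # AppInit_DLLs / Winlogon Notify DLLs load into many processes: highest priority
            "high_risk": kind == "O20",
        }
        m = O4_RE.match(line)
        if m:
            rec.update(m.groupdict())
            rec["exe"] = command_exe(m.group("cmd"))
        records.append(rec)
    return records


def registry_section(records):
    """Build the ComboFix Registry:: section that removes every parsed O4 value."""
    groups = OrderedDict()
    for r in records:
        if r["type"] != "O4" or "name" not in r:
            continue
        key = "[%s\\%s\\%s]" % (HIVES.get(r["hive"], r["hive"]), RUN_KEY, r["key"])
        groups.setdefault(key, []).append('"%s"=-' % r["name"])
    lines = ["Registry::"]
    for key, values in groups.items():
        lines.append(key)
        lines.extend(values)
    return "\n".join(lines)


def values_not_in_script(cfscript, records):
    """Names of O4 values the CFScript does not delete (catches an incompletely pasted script)."""
    deleted = set(re.findall(r'^"([^"]+)"=-$', cfscript, re.M))
    return [r["name"] for r in records
            if r["type"] == "O4" and "name" in r and r["name"] not in deleted]


if __name__ == "__main__":
    recs = parse_hjt(HJT_SAMPLE)
    for r in recs:
        flags = [f for f in ("orphan", "high_risk") if r[f]]
        print(r["type"], r.get("name", ""), r.get("exe", ""), flags)
    print(registry_section(recs))
    print("O4 values not covered by script:", values_not_in_script(CFSCRIPT_SAMPLE, recs))
```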
  5. Bluznvice

    Bluznvice Private E-2

    Making progress, thanks again Chaslang!

    Ok, I had actually uninstalled Viewpoint between posts, but forgot to tell you. I double-checked and it's gone. Add/Remove programs wasn't working for many things until the first fixes went in.

    McAfee would not uninstall from Add/Remove Programs. It seems the uninstall program was gone. There were two folders, "McAfee" and "McAfee.com". "McAfee" only had Spamkiller in it, and I was able to delete the folder. The "McAfee.com" folder would not delete. So, I went to Services and disabled 4 processes: McAfee Firewall, McAfee Security Center, McAfee Task Scheduler, and McAfee WSC Integration. I rebooted and then was able to delete the McAfee.com folder and emptied the Recycle bin. I also used Ccleaner to delete HSKDetectorExe from the Startup. Hope this was all ok, but it was the only way I knew to get rid of the McAfee stuff.

    According to your instructions, I deleted Windows Messenger

    Next ran MGTools\analyze.exe. After the scan, there were two entries you listed that were not there:

    Next ran ComboFix and it completed normally.

    Added fixme.reg to the registry and received a success message.

    Ccleaner and MGtools\Getlogs ran normally.

    Requested logs are attached.

    Note: I'm still copying the files and logs between computers because I still don't have any network connections/internet connectivity on the infected machine. However, everything else appears to be functioning normally.
     
  6. Bluznvice

    Bluznvice Private E-2

    Oops...forgot to attach logs...
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below is what you needed to run and still do. Please run it now.

    McAfee Consumer Product Removal Tool


    Do you know what the below file is for?
    Code:
    "C:\WINDOWS\"
    sysopt.exe    Jun 30 2008       20996  "sysopt.exe"
    
    For some reason, ComboFix did not fix some of the Vundo issues that were listed under the RenV:: heading. Let's try one more time and also there are a couple other things to fix.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
    O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    Code:
    KILLALL::
    
    RenV::
    ----a-w            32,768 2008-03-13 05:42:13  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
    ----a-w            49,152 2008-03-13 05:42:41  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
    ----a-w           267,048 2008-03-13 05:42:47  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w           136,600 2008-09-19 21:05:31  C:\Program Files\Java\jre6\bin\jusched .exe
    ----a-w         1,694,208 2008-02-03 19:14:39  C:\Program Files\Messenger\msmsgs .exe
    ----a-w           227,914 2008-03-13 05:42:51  C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper .exe
    ----a-w         1,576,176 2008-09-19 21:05:40  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
    ----a-w           737,370 2008-03-13 05:42:17  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
    ----a-w            15,360 2008-09-19 17:37:22  C:\WINDOWS\system32\ctfmon .exe
    ----a-w        16,863,864 2008-06-10 00:42:14  C:\WINDOWS\system32\MRT .exe
    Driver::
    mff
    FileLookL::
    C:\WINDOWS\sysopt.exe
     
    File::
    C:\WINDOWS\system32\drivers\mff.sys
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now double click the fixme.reg patch saved to your desktop last time and allow it to be added to your registry.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  8. Bluznvice

    Bluznvice Private E-2

    Everything appears to be working normally, but still no network connections. Actually, I was able to download the Broadcom network adapter drivers, which gave me a Local Area Connection via Ethernet adapter, but no Wireless adapter despite attempting to install the drivers. I've also uninstalled most programs, so without being able to surf, it's difficult to determine if there's any glitches.

    I'm really trying not to fiddle with it between posts, but thought reinstalling the drivers might be worth a shot. Hope it didn't mess anything up. I definitely appreciate your help.

    Ran the McAfee removal tool, and it looked like it found some additional things to remove.

    Not sure about the "sysopt.exe" file, and the date is really unusual since we don't think it was ever powered on at that time. I did find some interesting things about it though...

    Checked support.gateway.com and only one hit on "sysopt":

    Not much luck googling "obolochka" - lots of hits in Russian.

    Googled "MYBHOHelpInstallUtility" and found the following on the Online Armor website:

    Continued and ran HJT, but didn't see any of the three items you listed. Assumed the McAfee removal tool did its job, so exited.

    Ran ComboFix with the instructions you provided. Note: I received a notice when starting CF that CF is expired and will run in Reduced Functionality Mode, but it appeared to run the same way as last time.

    Ran fixme.reg and CCleaner. Attached the requested logs.

    Thanks again!
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete the C:\WINDOWS\sysopt.exe file

    ComboFix is still not running the fix. Please attach the CFScript.txt file that you created.


    Your network connections issues may have to be addressed in another forum (possibly Networking or Hardware) however first run SUPERAntiSpyware and click Preferences. Then goto the Repairs tab and select the Repair broken Network Connect (WinSock LSP Chain) item and then click Perform Repair...
     
  10. Bluznvice

    Bluznvice Private E-2

    Figured I'd be deleting that file ;)

    Attached is the CFscript I last ran. Hopefully, nothing's getting messed up copying back and forth between computers.

    I ran SAS as you suggested to repair the network connections, but no luck.

    I considered posting in the Network forum, but thought I might get bumped back here since my connections only disappeared after running MBAM in the READ and RUN ME procedure. Up till then all the connections, including wireless, were available and working.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but based on the logs provided, I don't see anything but hundreds of malware issues being removed. I did not see anything obvious that could be related to your network drivers. I suggest that you reinstall the drivers for your network interfaces (wired and wireless).

    Let's try to finish off your malware cleanup with another program.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    Code:
    Drivers to delete:
    mff
    Files to delete:
    C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
    C:\Program Files\iTunes\iTunesHelper .exe
    C:\Program Files\Java\jre6\bin\jusched .exe
    C:\Program Files\Messenger\msmsgs .exe
    C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper .exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\MRT .exe
    C:\WINDOWS\system32\drivers\mff.sys
    
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  12. Bluznvice

    Bluznvice Private E-2

    Yeah...me too. Looked through the logs and didn't see anything obvious that would make them disappear. I'm working on getting the drivers re-loaded. So far, no luck.

    Anyway...back to the malware problems...

    Avenger didn't go too smoothly. Everything seemed to run ok until the reboot. Then it went into a reboot loop. Wouldn't boot in Normal or Safe mode. Just kept coming back to the failed startup and choice of boot modes. The ONLY option that worked was "Last known good configuration". At least it booted up then.

    Probably because of the reboot problem, there isn't any Avenger log. I looked everywhere, and it doesn't exist. Tried running it again, and same results. However, the MGtools log is attached.

    Checked for the files listed below in the Avenger script. All but mff.sys were still there, so I deleted them manually. Ran CCleaner ok.

    Interesting about the boot issue because there doesn't appear to be anything that would cause that!
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm??? I'm not sure why these problems with Avenger and ComboFix are occurring.

    Back in message # 4 we deleted C:\WINDOWS\system32\drivers\avszhqpk.sys; well, it has returned with a new file name. Let's use ComboFix again but this time we will do it in safe boot mode. Follow along with the below.

    First let me ask what your plans are for reinstalling McAfee. Are you still planning on using it?




    Now we need to use ComboFix but we will first save the script file in normal boot mode and then we will boot into Safe mode to actually run the script. After ComboFix runs, reboot into normal mode to finish the steps after ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • NOW REBOOT INTO SAFE BOOT MODE TO DO THE BELOW WITH COMBOFIX. Print these instructions if you need them for safe mode.
    • After booting in safe mode make sure you do not run anything but these instructions! DO NOT OPEN any browsers.
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    You should now be back in normal boot mode.

    Now double click the fixme.reg patch saved to your desktop in a previous fix and allow it to be added to the registry.

    Now run this Running GMER to detect rootkits I will ask for the log down below.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\ComboFix.txt
    • GMER log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  14. Bluznvice

    Bluznvice Private E-2

    Ok...I'm going to feel really stupid if this is the problem...but, do you think there might be malware migrating from the D: recovery drive? Probably should have mentioned that up front. I didn't even think about it until today when I was trying to re-install the network drivers and the Gateway website said I could try to recover from the D: drive.

    I realize my post is going to bump because I haven't run your scripts yet, but wanted to mention this up front.

    I'll get started on your latest post.

    Thanks!
     
  15. Bluznvice

    Bluznvice Private E-2

    I don't have plans on keeping McAfee, so we can delete anything you feel. I'll keep running Avast, SAS (paid), and Online Armor, although I might switch to a different firewall due to various glitches on other machines running this combo.

    The only thing weird in running your instructions this time was that initially I couldn't boot into SAFE mode. It just didn't give me the option until I powered down and back up. Then it worked.

    Ran everything else without error. Attached are the logs.

    Enjoy your vacation!
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it is possible. Exactly what is the D drive? Is this an internal hard disk or an external hard disk? Also, are the files that are on it simply copied there via a file copy or do you use some kind of backup program or imaging software?

    The malware renamed itself again to the below
    Code:
    2008-09-27 00:32 . 2008-09-27 00:32 61,440 --a------ C:\WINDOWS\system32\drivers\jkwh.sys
    
    We also still seem to be having a problem removing the mff.sys driver. I'm not sure why ComboFix is having a problem with this since I have removed it in the past without a problem here: http://forums.majorgeeks.com/showthread.php?p=1101296

    It is possible that Online Armor and/or other protection software could get in the way even in safe boot mode. If you have not installed Online Armor yet, please do not install it until we are finished. If you have installed it already, it would be best to uninstall it now.


    Copy the bold text below to notepad. Save it as fixMFF.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Now please go to this link: http://live.sysinternals.com/
    • find the psexec.exe file listed in the list and click on it and download and save it to your Desktop. Doing this properly is critical for other steps below.
    • Now click Start, Run, and enter cmd and click OK. This will open a command prompt window with a prompt that shows the current folder you are in.
    • For you the prompt should show C:\Documents and Settings\owner>
    • Now type cd Desktop and hit the enter key. There is a space after the cd. If you do this properly, your prompt will change to C:\Documents and Settings\owner\Desktop>
    • Type the below bold text and hit the enter key. This will open the Window Registry Editor. You will have to agree to the SysInternals License Agreement first that pops up.
      • psexec -s -i regedit
    • In the Registry Editor click File, Import and then navigate to the fixMFF.reg file on your Desktop from the previous fix and double click on it to import it into your registry. If it works properly you should get a success message.
    • If you get a success message continue on with the below, otherwise stop and explain to me any problems you had.


    Now we need to use ComboFix but we will first save the script file in normal boot mode and then we will boot into Safe mode to actually run the script. After ComboFix runs, reboot into normal mode to finish the steps after ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • NOW REBOOT INTO SAFE BOOT MODE TO DO THE BELOW WITH COMBOFIX. Print these instructions if you need them for safe mode.
    • After booting in safe mode make sure you do not run anything but these instructions! DO NOT OPEN any browsers.
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    You should now be back in normal boot mode.

    Now double click the fixme.reg patch saved to your desktop in a previous fix and allow it to be added to the registry.


    Now download Registry Search(see the link titled RegSearch Download Link)
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter mff in the top area of the form and then click "OK".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).





    Then attach the below logs:
    • C:\ComboFix.txt
    • RegSearch.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Oct 1, 2008
  17. Bluznvice

    Bluznvice Private E-2

    Welcome back Chaslang!

    The D: drive is a partition on the internal hard drive. Near as I can tell, it's a recovery partition set up by Gateway to recover all the factory installed programs and system files. It's accessed by hitting F11 during startup.

    I don't have Online Armor installed on that computer yet, and only the programs installed via the READ and RUN ME and what we've done here. It's pretty clean.

    I was able to run the fixMFF.reg from the desktop as you instructed and it merged with the registry successfully. However, when I worked through the psexec procedure, I received the following error:

    While attempting to navigate to the fixMFF.reg file on the desktop I get a popup that says:

    "Import Registry File (Big Red "X") - C:\Documents and Setting\LocalService\Desktop refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the Internet on your network, and then try again. If it still cannot be located, the information might have been moved to a different location."
    <OK>

    I've tried all different ways to look at the desktop and I get this every time, and it doesn't see the fixMFF.reg file.

    Stopping here as you instructed.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you first opened the command prompt window, the prompt is supposed to be C:\Documents and Settings\owner>. If this is not the prompt you are getting, then you are logged into the wrong user account or something else is incorrect in your Windows OS. When you saved the fixMFF.reg file it was saved to C:\Documents and Settings\owner\Desktop>, which is where you will need to navigate to within Regedit's browse feature to find the file and import it into the registry editor.
     
  19. Bluznvice

    Bluznvice Private E-2

    I double and triple checked, and everything appears normal.

    There's only one user account - "Owner", which I'm logged into.

    At the Command prompt, I have C:\Documents and Settings\Owner>

    Did the Change Directory (cd desktop), and I get C:\Documents and Settings\Owner\Desktop>

    Then try to do the import file for psexec, and it's weird that the message says it's looking in C:\Documents and Setting\LocalService\Desktop

    I tried booting in Safe Mode to see if it would make any difference, but psexec wouldn't run in Safe Mode, which I'm sure you already knew...

    Not sure where to go from here!
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After selecting Import from the Registry Editor menu, DO NOT click on the Desktop icon to get to the Desktop. Click on the My Computer icon and navigate your way to your Desktop (the Owner desktop) and then select the fixMFF.reg file and click Open.

    Did that work?
     
  21. Bluznvice

    Bluznvice Private E-2

    Ok...I think that worked.

    Actually selected the My Computer icon, navigated to Local Disk (C:), then Documents and Settings, then Owner, then Desktop. There I found fixMFF, selected and opened it, and got a success message for entering into the registry.

    Closed psexec and exited from cmd.

    Rebooted into Safe mode after saving CFscript to the desktop. Dragged the script to Combofix and it ran normally, but after displaying the log, didn't reboot into normal mode. It just hung up on the safe mode "black screen". Hit Ctrl+Alt+Del to restart.

    Back in normal mode, ran fixme.reg and it added to the registry successfully.

    Ran regsearch...whew. Remember when registries only had a *few* entries? Looking through the log, that's a pretty slick search engine!

    Ran CCleaner and Getlogs. All logs attached.

    Fingers crossed...
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u is required.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  23. Bluznvice

    Bluznvice Private E-2

    Well, worked my way through your instructions below deleting files, etc. After completing this, I received a "windows update" message which I allowed to run. It was the XP SP3 update. Must have been waiting the whole time since I still don't have any internet connectivity (network drivers broken).

    In the process of installing Avast!, during the initial scan after reboot, I received several error messages for infected files. Too many to copy here, so I just copied the log and attached here.

    Seems like way too many to be false positives, and hard to believe that everything we've done missed all of these! All I can think is that the windows update was somehow infected.

    Please let me know what you think...
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If your internet connection is broken, how are you getting Windows Update messages to download updates? Have you reinstalled all the drivers for your hardware?

    Looks like you have somehow gotten reinfected. Has anything else been done with the PC? Like installing any software, running anything from CDs or flash drives, even inserting a CD or flash drive? Even copying files from anywhere else to this PC by any method???

    If you run Avast again does it still find anything? If yes, please download the new version of MGtools.exe and run it. Then attach a new log.
     
  25. Bluznvice

    Bluznvice Private E-2

    I believe the Windows update was there the whole time we were working through the cleaning process waiting to be run. There's no way it could have downloaded unless it did it before the initial run of Malwarebytes which is when my Network Connections all disappeared. Up to that point, I had Network Connections and internet.

    I've downloaded (on another laptop) and reinstalled the network and wireless drivers, but the system is unable to load them. The Device Manager just shows "Unknown" in the place where the Network Adapters should be, along with the two drivers with yellow exclamation points.

    After deinstalling and deleting all the files and programs you listed, I did the following:

    1. Got a pop-up message saying Windows update needed to run. I allowed it to run and it installed the XP SP3 update.

    2. Tried to perform a "Restore" from the D:\Restore drive in an attempt to locate the original network adapters and drivers. The process required a restore CD in the first step, which I don't have, so I exited the process and rebooted.

    3. Installed Avast!, which is where I got the new errors.

    As I mentioned earlier in the process, I have to download all programs on another laptop that has internet connectivity and put them on a DVD for transfer to the infected laptop. The same thing with logs created on the infected PC; I have to copy them to the DVD and upload them from the other machine. I've used the same physical appendable DVD throughout the entire process, and the same "other laptop".

    The "other laptop" is fully protected and I've periodically run SAS and Avast scans during this cleaning process. I ran a SAS scan on the DVD at some point and it was clean, but I'm performing a full scan on the other machine using READ and RUN ME FIRST before doing anything else.

    I've already deinstalled all the tools on the infected machine so I need to reinstall them after making sure the other machine is clean.


    <If you run Avast again does it still find anything?>

    I did run Avast again, and it found more viruses in Win32, but won't be able to attach logs until I'm done with the other machine. I'll post all the requested logs as soon as I'm done with that.

    I have a sneaking suspicion that there may have been something hiding on the D:\Restore drive, which is a restore partition, or buried in the DVD that I was transferring files with. That would possibly explain why the infections kept coming back each time as I copied the scripts and logs from one machine to the other.

    As of now, I've rescanned the "other computer" and the DVD used for transferring files. Both are clean.

    Will continue with your instructions and post the logs asap.

    Thanks!
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I recommend that you try working out this problem in the Hardware or Networking forum. It may be necessary to delete the hardware from Device Manager and then reboot and then reinstall all the proper drivers. But this is better discussed elsewhere. Nothing in any of your logs showed drivers for your hardware being removed.

    Once you post this new MGlogs.zip file we can continue the hunt for malware. Also let me know if Avast is finding more infections.
     
  27. Bluznvice

    Bluznvice Private E-2

    Already tried that between malware sessions, to no avail. But I'll start another thread in one of the other forums to see if I can get it fixed.

    No more infections showing up from Avast. Some went to the virus chest, and some were deleted directly, but I've since had it delete everything and emptied the virus chest.

    Attached is the new MGlogs.zip

    Thanks again for all your help.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you specify you have a Gateway PC and give the model number and any info related to the actual ethernet hardware you can. Your current HijackThis log shows the below lines for Broadcom:

    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    These were not in the very first MGlogs.zip file you provided so they were missing well before you ran MGtools the first time. Does this PC also have a wired interface that you can try to use?


    Still clean!
     
  29. Bluznvice

    Bluznvice Private E-2

    Thanks Chaslang, looks like the malware problems are resolved at least!

    You're right, they disappeared immediately after I ran Malwarebytes Anti-Malware the first time I was going through READ & RUN ME. That's where I stopped and posted this thread before anything else went weird.

    Since then, I've had issues with Malwarebytes on my other computer making unwanted changes, but I just did a restore to eliminate the changes it made. Wish I would have thought of that before I deleted all the restore points on the infected computer!

    Yes, it has a 1394 network plug, and I tried plugging in directly to my DSL modem, but no luck. Think about this...when I go to my Network Connections from the Control Panel, it's completely blank. So, there's nothing to recognize that it's connected!
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The only items I saw in your MBAM log that were possibly unwanted fixes were the below:
    Code:
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Secondary_Page_URL (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Secondary Start Pages (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
    It is making an invalid assumption that those settings were bad since they may well have been set up by you. Everything else it changed appears to be malware related and nothing removed was related to the Broadcom processes.


    Yes because it is either not recognizing the hardware or the drivers that are loaded are not the correct drivers.
     
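The two log reviews chaslang does by eye in posts 28 and 30 (reading the HijackThis O4/O23 lines for the Broadcom entries, then going through the MBAM "Registry Data Items Infected" lines to separate fixes that merely reset a user-configurable browser setting from the rest, and confirming nothing MBAM rewrote referenced the Broadcom executables) can be scripted. The following is an added example, not code from chaslang, MajorGeeks, MBAM or HijackThis; the sample log text is constructed in the same shape as the lines quoted in the thread (with the BBCode [URL] tags removed), and the "needs review" rule (any Hijack.* detection where MBAM substituted a default value rather than deleting something) is this example's own heuristic, not MBAM's.

```python
"""Parse MBAM 'Registry Data Items Infected' lines and HijackThis O4/O23
lines, flag MBAM fixes that reset user-configurable settings, and check
whether any rewritten value referenced a HijackThis-listed executable."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples in the shape of the log lines quoted in the thread;
# not a real log from the affected PC.
MBAM_SAMPLE = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Secondary Start Pages (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html  ) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (file://c:/windows/homepage.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
"""
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""


@dataclass
class MbamItem:
    key: str         # registry key, hive included
    value_name: str  # registry value MBAM rewrote
    detection: str   # MBAM detection name, e.g. Hijack.Homepage
    bad: str         # value MBAM found
    good: str        # value MBAM wrote in its place
    action: str      # what MBAM reports it did


@dataclass
class HjtEntry:
    section: str  # O4 (run key) or O23 (service)
    name: str     # run-key entry name or service short name
    path: str     # executable the entry launches


MBAM_ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>.*?)\s*\) Good: \((?P<good>.*?)\s*\) -> "
    r"(?P<action>.+?)\.?$"
)
HJT_O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
HJT_O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+)$"
)


def parse_mbam_item(line: str) -> Optional[MbamItem]:
    """Parse one 'Registry Data Items Infected' line; None for headers/blanks."""
    m = MBAM_ITEM_RE.match(line.strip())
    if not m:
        return None
    key, _, value = m.group("target").rpartition("\\")
    return MbamItem(key, value, m.group("detection"), m.group("bad"),
                    m.group("good"), m.group("action"))


def parse_mbam_log(text: str) -> List[MbamItem]:
    return [it for it in map(parse_mbam_item, text.splitlines()) if it]


def parse_hjt_entry(line: str) -> Optional[HjtEntry]:
    """Parse an O4 or O23 HijackThis line; other sections are ignored here."""
    line = line.strip()
    m = HJT_O4_RE.match(line)
    if m:
        return HjtEntry("O4", m.group("name"), m.group("path"))
    m = HJT_O23_RE.match(line)
    if m:
        return HjtEntry("O23", m.group("name"), m.group("path"))
    return None


def parse_hjt_log(text: str) -> List[HjtEntry]:
    return [e for e in map(parse_hjt_entry, text.splitlines()) if e]


def needs_user_review(item: MbamItem) -> bool:
    """Heuristic (this example's, not MBAM's): a Hijack.* detection where MBAM
    substituted a default value may have overwritten the user's own setting,
    so confirm it with the user instead of trusting the 'Bad' label."""
    return item.detection.startswith("Hijack.") and item.good != ""


def cross_reference(items: List[MbamItem], entries: List[HjtEntry]) -> List[HjtEntry]:
    """HijackThis entries whose executable name appears in any value MBAM
    rewrote; an empty list means the MBAM fixes did not touch them."""
    hits = []
    for e in entries:
        exe = e.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if any(exe in it.bad.lower() for it in items):
            hits.append(e)
    return hits


if __name__ == "__main__":
    found = parse_mbam_log(MBAM_SAMPLE)
    for it in found:
        tag = "VERIFY WITH USER" if needs_user_review(it) else "malware-related"
        print(f"{tag}: {it.key}\\{it.value_name}: {it.bad!r} -> {it.good!r}")
    print("HJT entries touched by MBAM:", cross_reference(found, parse_hjt_log(HJT_SAMPLE)))
```

Run it against a real MBAM log by passing the log's text to parse_mbam_log and the HijackThis log text to parse_hjt_log; the trailing spaces MBAM leaves inside the "Bad:" parentheses (visible in the second quoted line) are stripped by the regex so values compare cleanly.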
  31. Bluznvice

    Bluznvice Private E-2

    Yeah...I doubt there's an easy fix for this.

    I don't suppose you help out in the Network forum? ;)
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You will not know until you post in the other forum. ;)

    Way too busy here to spend much time in the other forums. And since we are so busy with malware specific problems, we have to send some problems elsewhere when we feel it is not malware. :)
     
