Malware hijacked computers/router

Discussion in 'Malware Help (A Specialist Will Reply)' started by Tunaboy79, Nov 13, 2014.

  1. Tunaboy79

    Tunaboy79 Private E-2

    Hello! I have come to you folks knowing you have been fixing computers online through this forum for a long time. I am going to give a donation! I just need to make sure I am able to do it securely as all of the computers behind this router are infected. Also, the router itself, when I log into it and block certain IP addresses and ports, still allows tons of traffic through, and I know because both the internet light on the cable modem and the bandwidth light on the router are moving excessively.

    This WinXP computer is infected, and I know XP is unsecure, but it is the only computer able to use the printer we have. If you don't want to work on it, that is understandable. I will just throw it out and not have a printer.

    I also have a question about my router's log. One certain log regarding busybox sticks out.

    Dec 31 17:00:07 syslogd started: BusyBox v1.17.4

    The date was actually sometime in October, but it says Dec 31 every time it performs what I think is a command for whomever is in control of it. If you want to check out the router logs, I would be ok sending it privately to one of you just to look at.

    Thank you!

    Tuna
     

    Attached Files:

  2. Tunaboy79

    Tunaboy79 Private E-2

    Here is the hitman log, as it was too big, and had to be cut in two.
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Regarding BusyBox:

    It's a UNIX application commonly used with DSL routers. ;)

    Reviewing the logs now...
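    The "Dec 31 17:00:07" stamp asked about above, as an added example that is not part of the original thread: a small Python checker that separates router syslog lines written before the clock was set from lines that carry a real time. It assumes the router sits in a UTC-7 zone, where Unix time zero (1970-01-01 00:00:00 UTC) displays as Dec 31 17:00:00; the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the BusyBox syslogd format seen in the router log:
# "Mon DD HH:MM:SS message", with no year and no time zone on the line.
SAMPLE_LOG = """Dec 31 17:00:07 syslogd started: BusyBox v1.17.4
Dec 31 17:00:09 kernel: eth0: link up
Oct 14 09:12:41 ntpclient: time synced
Oct 14 09:13:02 dropbear[1234]: Child connection from 192.0.2.10:51022
"""

LINE_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (.*)$")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def classify(line, utc_offset_hours=-7, window_seconds=3600):
    """'epoch-clock': the wall-clock reading falls within window_seconds after
    what Unix time zero displays as in the given zone. A router with no
    battery-backed clock boots at time zero and only learns the real time once
    NTP syncs, so such stamps are a boot artifact, not an event time.
    'timed': any other well-formed line. 'unparsed': not syslog format.
    utc_offset_hours is an assumption; the line itself carries no zone."""
    m = LINE_RE.match(line)
    if not m:
        return "unparsed"
    mon, day, hh, mm, ss, _msg = m.groups()
    tz = timezone(timedelta(hours=utc_offset_hours))
    epoch_local = datetime.fromtimestamp(0, tz)  # 1969-12-31 17:00:00 at UTC-7
    try:
        stamp = datetime(epoch_local.year, MONTHS[mon], int(day),
                         int(hh), int(mm), int(ss), tzinfo=tz)
    except (KeyError, ValueError):
        return "unparsed"
    delta = (stamp - epoch_local).total_seconds()
    return "epoch-clock" if 0 <= delta < window_seconds else "timed"


def audit(log_text, utc_offset_hours=-7):
    """Group lines by label so boot-time noise can be reviewed apart from
    lines that carry a real time."""
    groups = {"epoch-clock": [], "timed": [], "unparsed": []}
    for line in log_text.splitlines():
        if line.strip():
            groups[classify(line, utc_offset_hours)].append(line)
    return groups
```

    Lines tagged epoch-clock say only that the router rebooted before it had the time; what matters for the question in the thread is who caused those reboots, which this check cannot tell.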
     
  4. Tunaboy79

    Tunaboy79 Private E-2

    Thank you for looking at the logs. I'm going to go donate. Anyone willing to help me deserves money!
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I think that's wonderful that you wish to donate to our website. :)


    1. Uninstall the below, they are outdated and Ad-Aware SE is rather ineffective.
    • Ad-Aware SE Personal
    • Java 2 Runtime Environment, SE v1.4.2_03
    • Java 7 Update 45

    2. Do you know what the below is? (Do not click on it)

    • C:\Documents and Settings\All Users\lxdd



    3. RogueKiller

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [PUP] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} -> Found
    • [PUP] HKEY_CLASSES_ROOT\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} -> Found
    • [PUM.HomePage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.mysearchdial.com -> Found
    • [PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1 -> Found
    • [PUM.SecurityCenter] HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | UpdatesDisableNotify : 1 -> Found
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.




    4. OTM

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :Files
    C:\Documents and Settings\Manley\Local Settings\Application Data\Mobogenie
    
    :reg
    [-HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}]
    [-HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}]
    [-HKLM\SOFTWARE\Classes\TypeLib\{C292AD0A-C11F-479B-B8DB-743E72D283B0}]
    [-HKU\S-1-5-21-2358040571-4238371197-1667056720-1005\Software\Microsoft\Internet Explorer\SearchScopes\{96bd48dd-741b-41ae-ac4a-aff96ba00f7e}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.






    5. We are going to be uninstalling your old version of Firefox and installing the new version. (Use Revo Uninstaller to remove it http://majorgeeks.com/Revo_Uninstaller_d5706.html) So do the below to save bookmarks:

    • Run Firefox and click Bookmarks.
    • Then select Organize Bookmarks.
    • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.

    Now download and save the installer for the current version of Firefox but DO NOT install it yet. Get it here: Mozilla Firefox

    You will need to exit Firefox now and use Internet Explorer to continue with the below until we reinstall Firefox.

    Start by uninstalling Firefox and then reboot. Do not skip the reboot.
    After reboot, delete the below folders:
    • C:\Program Files\Mozilla Firefox
    • C:\documents and settings\UserAccount\Application Data\Mozilla

    where UserAccount is the actual user account name being used.

    Now reinstall Firefox from the file previously downloaded.
    Import your bookmarks file (similar process to exporting).




    6. Re-run Malwarebytes please and attach log.



    7. Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    8. Please download AdwCleaner by Xplode and save to your Desktop.

    • Double click on AdwCleaner.exe to run the tool.
    • Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Attach the logfile to your next reply.
    • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.



    9. Install the most current and up to date version of Java available here at the below link:

    Java Runtime 8

    10. Re-run Hitman Pro and attach log.
    11. Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    12. Let me know of any problems you may have encountered with the above instructions and also let me know how things are running!
     
  6. Tunaboy79

    Tunaboy79 Private E-2

    Thank you!

    1. Done.
    2. I have no clue. However there is an lxdd.log in the root. I can attach it or copy and paste.
    3. These two entries were not on the scan the second time around.

    - [PUP] HKEY_CLASSES_ROOT\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} -> Found
    - [PUM.HomePage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.mysearchdial.com -> Found

    4. Done.
    5. Done. Also thank you for showing me Revo Uninstaller. It's amazing!
    6. Done.
    7. Done.
    8. Done.
     

    Attached Files:
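    An added example, not from the original posts and not RogueKiller's own code: a Python parser for the registry detection lines quoted in step 3 above. It ranks entries that switched off a defense (DisableSR, UpdatesDisableNotify) above a hijacked start page and plain PUP leftovers, and compares two scans to show which entries cleared and which persist across a reboot, as in the re-scan reported in this reply. The first scan uses the thread's own detection lines; the second scan is constructed from them by dropping the two entries reported gone.

```python
import re

# Constructed sample: the RogueKiller registry detections quoted in the thread
# (first scan), and a re-scan with the two entries reported missing removed.
SCAN_1 = r"""
[PUP] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} -> Found
[PUM.HomePage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.mysearchdial.com -> Found
[PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1 -> Found
[PUM.SecurityCenter] HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | UpdatesDisableNotify : 1 -> Found
"""
SCAN_2 = "\n".join(l for l in SCAN_1.splitlines()
                   if "D824F0DE" not in l and "Start Page" not in l)

DETECTION_RE = re.compile(r"^\[([^\]]+)\] (.+?)(?: \| (.+?) : (.+?))? -> (\w+)$")

# Values whose presence means something turned a defense off, not merely adware.
DEFENSE_TAMPERING = [
    ("\\systemrestore", "disablesr", "1", "System Restore disabled"),
    ("\\security center", "updatesdisablenotify", "1",
     "Security Center update alerts silenced"),
]

def parse_scan(text):
    """Parse '[Category] Key | Value : Data -> Status' lines into dicts."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            cat, key, value, data, status = m.groups()
            found.append({"category": cat, "key": key, "value": value,
                          "data": data, "status": status})
    return found

def assess(det):
    """Rank one detection: defense tampering, then hijack, then PUP leftovers."""
    key = det["key"].lower()
    value, data = (det["value"] or "").lower(), det["data"] or ""
    for suffix, vname, vdata, meaning in DEFENSE_TAMPERING:
        if key.endswith(suffix) and value == vname and data == vdata:
            return "defense-tampering: " + meaning
    if det["category"] == "PUM.HomePage":
        return "browser hijack: start page set to " + data
    if det["category"].startswith("PUP"):
        return "pup component"
    return "review"

def diff_scans(first, second):
    """Entries that cleared, that persist (never removed or re-created), or are new."""
    def ident(d):
        return (d["category"], d["key"], d["value"], d["data"])
    a = {ident(d) for d in parse_scan(first)}
    b = {ident(d) for d in parse_scan(second)}
    return {"cleared": sorted(a - b, key=repr), "persisting": sorted(a & b, key=repr),
            "new": sorted(b - a, key=repr)}
```

    Entries that persist after a delete-and-reboot cycle point at something re-creating them, which is why the helper's advice to collect logs rather than delete on sight matters.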

  7. Tunaboy79

    Tunaboy79 Private E-2

    9. Done
    10. Done
    11. Done
    12. The boot speed from power on until Windows logon is the same. That's ok. The speed at which it loads start up items and services is 10x faster. It's amazing! Thank you so much!! Also, the user names are listed again with the processes in task manager, which is cool. And the hard drive has stopped running constantly, which is excellent.

    I don't know if it is too late for this info, but before getting on majorgeeks, I downloaded Kaspersky and ran that and it found and quarantined updatetask.exe and rlls.dll. It calls them adware.win32.dealply.x and monitor.win32.rk.ey respectively.

    I really need to thank you for your rules regarding just making logs and not deleting what you see after scanning. When things pop up on scanners, I've always just wanted to delete them to death, but I see now there is a way to remove these things, but you need to find the root of the problem, and not just what appears to be symptoms. Props to whomever had the patience to figure that one out, lol. :-D
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I thought it might be something to do with Lexmark. Ahhh it is. ;) Don't worry about it.

    Re-run Malwarebytes once more and attach log.

    Go ahead and let Adwcleaner remove what it finds.

    I don't know why Hitman is still showing signs of garbage in Firefox settings considering you uninstalled and reinstalled....

    Try this Reset Mozilla Firefox to defaults

    Then re-run Hitman again and attach log.
     
  9. Tunaboy79

    Tunaboy79 Private E-2

    lol. That's why we don't run to the delete button. I saw 2 lxdd services and was going to 'sc delete' them! :-D

    Just an update.... The names of the users in task manager have left again.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you follow all of my instructions? :confused
     
  11. Tunaboy79

    Tunaboy79 Private E-2

    Seems like we are playing tug of war with something every time I reboot. Here are the logs. Lost user names on task manager again.
     

    Attached Files:

  12. Tunaboy79

    Tunaboy79 Private E-2

    Hey Kestrel13!, I really appreciate your help but I have problems that need to be fixed before I try and fix my computers.

    The router I was discussing earlier, an Asus open source compatible router, was attacked, and the culprit gained access to it, and used BusyBox to change the firmware, amongst other things.

    I was just logged on to the router as admin, and it told me that an Android was connected via LAN wire to the router. I went to the router, and the physical LAN slots were empty.

    Another thing is that I changed the password for wireless connection, and didn't update the password on my computer and a few tablets and phones around here, and they still connect using the old password.

    Whomever did this completely removed security from the router.

    I will come back to majorgeeks when I have a hardware firewall and another router so I can be secure again.

    Thanks for helping me.
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, no problem.
     
