Multiple Trojan infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by Ben1976, Oct 26, 2010.

  1. Ben1976

    Ben1976 Private E-2

    Hi, while on holiday my netbook has become infected with the following trojans;
    win32/Kryptik.HNQ.
    win32/Kryptik.HPR.
    win32/Olmarik.AGD.

    OS is XP with SP3 and using Eset NOD32 4.0.

    My partner was on the internet using the motel wifi; she went to open a picture from a Google search and NOD32 real-time protection came up with alerts etc. (log file attached). When we got home I updated the virus definitions and scanned, and 3 files were quarantined (log file attached).

    Since the initial attack the netbook has the following symptoms;
    Error message on startup (not every time) - Generic Host Process for Win32 Services.
    Sound device not working.
    WLAN & LAN only work now and then (requires rebooting).
    Can't update Windows - sometimes get an error message on startup - updater client.
    Changes the taskbar to classic view.
    Default browser (Mozilla Firefox) & IE can't access the internet - just loads an untitled page (Mozilla) or displays an error message (IE).
    Also there has been a noticeable increase in the time to start Windows.

    I have followed the read & run me first instructions for Malware removal and will post all log files as requested. I had some problems getting through the list of instructions;

    I had to run SAS from alternate start.
    I couldn't get MBAM to run at first, then renamed the .exe in the installed directory to MB.exe and it ran ok (didn't find anything).
    Combofix would not run.

    Sorry for such a long post, just wanted to give as much info as possible; any help is greatly appreciated.
     


  2. Ben1976

    Ben1976 Private E-2

    Remaining log files......
     


  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Currently reviewing your logs and will get back to you with a set of instructions as soon as possible.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Your thread got temporarily lost to me, I apologise, reviewing your logs right now. :)
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Rename Combofix.exe to kestrel13.com and try running it again. If normal mode proves problematic then reboot into safe mode and try again.

    Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.

    If you do not use Windows Messenger Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Also delete all files in the below bold folder except ones from the current date (Windows will not let you delete the files from the current day).

    C:\Documents and Settings\User\Local Settings\TEMP

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    How are things running now? Is your antivirus flagging anything?
     
  6. Ben1976

    Ben1976 Private E-2

    Thanks Kestrel13, no worries re: being lost.......:)

    Having problems with ComboFix: renamed it as suggested and ran it, then after some time a small dialog box appeared with "error" and an OK button. I hit "OK", then the netbook shut down and a system "beep" came from the MB (not the speakers), then it rebooted and continued to the point of creating the system restore point and reported that my machine did not have the Recovery Console installed. I clicked No because the netbook was not connected to the internet, then closed ComboFix without letting it continue.

    Then, following the instructions for manually installing the Recovery Console, ComboFix comes up with a CFScript name error - the name CFScript appears to be incorrectly spelt "OK". When I click OK it stops (this happens in both normal and safe mode).

    Is it important to have a system restore point?

    Windows Messenger removed, files in the temp directory deleted, SAS uninstalled and about to install the new version and update; will try running ComboFix again without the step for manual installation of the Recovery Console and see if ComboFix can download and install it. If all goes smoothly I will then run the SAS scan and MGtools and post the log files as requested.

    Thanks again for helping
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Make sure hidden files and folders are set to show, then return to your desktop and check that combofix.exe is correctly renamed as kestrel13.com and not with some kind of double extension. Let me know how you get on, and if that works go ahead and run the rest of the instructions and attach the log(s) I requested.
     
  8. Ben1976

    Ben1976 Private E-2

    OK so some luck in getting combofix to run (took some time.....).
    All other instructions were followed with no issues.

    I have attached the log files as requested; SAS found nothing, don't know what ComboFix did?

    Have rebooted the laptop a couple of times now and keep getting the Generic Host Process for Win32 Services error message appear on startup - I have attached the technical information from the error report (don't know if this is of any use).

    Also now getting an error message from NOD32 - error communicating with kernel on bootup. Not long after Windows boots the desktop flashes a few times really quickly (like hitting the F5 key to refresh), then the taskbar resets to classic view.

    While waiting for a reply this morning I updated NOD32 definitions and ran an in-depth scan and found nothing (this was before instructions were given), yet the netbook still seems to be showing signs of infection or damage from the trojan attack.

    One last thing I should've probably said earlier: the infected netbook is only 1 week old, and everything was running fine before the initial trojan attack.
     


  9. Ben1976

    Ben1976 Private E-2

    Another update: have rebooted / shut down and restarted a few times now and am getting the kernel error message from ESET and the Generic Host Process for Win32 Services error every time the netbook starts up... :(
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I have seen a few cases of this lately. Let me have a think about it. I may have to send you to the software forum though regarding this.

    You could try attaching the above files for us to take a look at. Or delete the whole C:\DOCUME~1\User\LOCALS~1\Temp\WERa369.dir00 folder.

    C:\Documents and Settings\All Users\Application Data\obmlf5 <--- delete this file.

    I am seeing signs of a DNS Hijacker. If you have a router hooked up then you need to follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push-button type switch that needs to be held down for some number of seconds to do this. After resetting your router to factory defaults, you will need to reconfigure the router for your network if you have made any changes to the default network setup. After doing this, continue on with the below.

    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • now please ATTACH that report to this thread

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
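    MBRCheck, requested above, dumps the master boot record so a helper can compare it with what Windows normally writes there. As an added example (this is not MBRCheck's or TDSSKiller's code), the following Python performs the same kind of check on a 512-byte sector-0 image: boot signature present, SHA-256 of the 446 bytes of boot code against a baseline hash, and partition-table sanity (exactly one active entry, no malformed or overlapping entries). The MBR images and the baseline hash below are constructed for the example; on a real machine you would read sector 0 with the `read_mbr` helper (administrator rights are needed) and take the baseline from a known-clean machine of the same OS build.

```python
r"""Sanity-check a 512-byte MBR image after an MBR-rootkit scare.

Added example for this thread, not MBRCheck or TDSSKiller code: boot signature,
boot-code hash against a clean baseline, and partition-table consistency.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 446  # bytes 0..445: boot code; then 4 x 16-byte entries; then 0x55AA


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def empty(self) -> bool:
        return self.type_id == 0 and self.sectors == 0


def parse_partitions(mbr: bytes) -> list:
    parts = []
    for i in range(4):
        flag, ptype, lba, size = struct.unpack_from("<B3xB3xII", mbr, BOOT_CODE_LEN + 16 * i)
        parts.append(Partition(i, flag == 0x80, ptype, lba, size))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> list:
    """Return a list of problems; an empty list means the MBR looks as expected."""
    if len(mbr) != SECTOR:
        return [f"image is {len(mbr)} bytes, expected {SECTOR}"]
    problems = []
    if mbr[510:512] != b"\x55\xaa":
        problems.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        problems.append("boot code differs from baseline (possible bootkit)")
    parts = [p for p in parse_partitions(mbr) if not p.empty]
    active = [p for p in parts if p.bootable]
    if len(active) != 1:
        problems.append(f"{len(active)} active partitions, expected 1")
    for p in parts:
        if p.type_id == 0 or p.sectors == 0:
            problems.append(f"partition {p.index}: malformed entry")
    spans = sorted((p.lba_start, p.lba_start + p.sectors, p.index) for p in parts)
    for (_, end_a, a), (start_b, _, b) in zip(spans, spans[1:]):
        if start_b < end_a:
            problems.append(f"partitions {a} and {b} overlap")
    return problems


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a test MBR; entries are (bootable, type_id, lba_start, sectors)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if boot else 0, b"\0\0\0", ptype, b"\0\0\0", lba, n)
        for boot, ptype, lba, n in entries
    ).ljust(64, b"\x00")
    return code + table + b"\x55\xaa"


# Constructed samples, not real disk images: a clean MBR whose hash becomes the
# baseline, a copy with patched boot code, and one with an extra overlapping
# "hidden" entry (type 0x17) marked active.
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c",
                      [(True, 0x07, 2048, 204800)])
BASELINE_HASH = boot_code_hash(CLEAN_MBR)  # assumption: taken from a known-clean machine
TAMPERED_MBR = b"\xeb\xfe" + CLEAN_MBR[2:]  # first instruction replaced
HIDDEN_MBR = build_mbr(CLEAN_MBR[:BOOT_CODE_LEN],
                       [(True, 0x07, 2048, 204800), (True, 0x17, 100000, 50000)])


def read_mbr(device_path: str) -> bytes:
    r"""Read sector 0 of a disk, e.g. '\\.\PhysicalDrive0' (Windows, needs admin) or '/dev/sda'."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR)


if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("hidden", HIDDEN_MBR)):
        print(name, check_mbr(img, BASELINE_HASH) or "OK")
```

    A hash match only proves the boot code is the one you baselined; it says nothing about a bootkit that hides sector 0 by filtering disk reads from inside the running OS, which is why tools like TDSSKiller and a boot from clean media are still the authoritative check.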
     
  11. Ben1976

    Ben1976 Private E-2

    Followed all steps apart from resetting my router, as the infected laptop is not permanently connected to any network. Have two desktop PCs connected, and when I need internet for the laptop I enable the WLAN on the router (I have this permanently disabled). Both desktop PCs have been scanned with ESET using the latest definitions and with Windows Defender - both running fine with no signs of infection, and both PCs are not networked - so I didn't see the point in resetting the router to factory defaults as I don't have the settings for my ISP handy...

    Deleted the file "C:\Documents and Settings\All Users\Application Data\obmlf5" as requested. What was this file for?

    ESET seems to be working again on the laptop - no kernel warning - performing another in-depth scan - will update when this is complete.

    Still getting the error message for Generic Host Process for Win32 Services; tried to find the temp dir but it was not there. Seems this temp dir gets deleted when I click on "don't send error report". I managed to copy the files while the dialog box was open, have zipped and attached.

    Also windows firewall has been disabled on the last couple boots, when trying to start get a message that windows cannot start the ICS service.

    Other reports as requested are also attached.

    I appreciate you looking into this for me.:)
     


  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Okay bear with me for a little while. You have a DNS infection and before I attempt a fix I want to be absolutely sure about the right way to go about it! :) Thanks for your patience.
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try this whilst I am seeking further advice.

    Open a command prompt.
    Within the prompt, type ipconfig /flushdns

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  14. Ben1976

    Ben1976 Private E-2

    Thanks heaps for your help.

    The in-depth scan found the win32/Kryptik.HPR trojan in c:\system volume information\_restore...... and has quarantined four files. Should I leave them or delete them?

    will attach log as requested...
     
    Last edited: Oct 28, 2010
  15. Ben1976

    Ben1976 Private E-2

    Flushed DNS via the instructions below and ran MGtools; MGlogs.zip attached as requested.

    Cheers
     


  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like you to have followed step 6 of the Read and Run Me First - Disabling disk emulation software.

    Download DeFogger by jpshortstuff and save it to your desktop.

    • Double click DeFogger.exe to run the tool.
    • The application window will appear.
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue.
    • A 'Finished!' message will appear.
    • Click OK.
    • DeFogger will now ask to reboot the machine...click OK.

    IMPORTANT!
    If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Now double click the TDSSKiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather right click and select Run As Administrator).
    • Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
    • Click Start scan
    • It will run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Registry::
    [HKEY_LOCAL_MACHINE\system\controlset002\services\tcpip\parameters]
    "DhcpNameServer"="203.8.183.1 192.189.54.33"
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Tell me how things are running for you now.
     
  17. Ben1976

    Ben1976 Private E-2

    Things looking better (fingers crossed) ;)

    Ran all processes as instructed and log files attached as requested.

    Only error was during ComboFix - Mbr.cfxxe error, Windows wanted to send an error report; once I clicked on don't send, ComboFix continued. I also noticed it didn't take as long this time.

    TDSSkiller found Suspicious file and cured it (details are in the log file)

    I have shut down the laptop and powered up, and performed restart and no longer getting error message for generic host process for win 32 services and I can now enable / disable wifi using fn + F3 :)
     


    Last edited: Oct 29, 2010
  18. Ben1976

    Ben1976 Private E-2

    All the symptoms I explained in my posts have disappeared. I have updated Windows & Mozilla, updated NOD32, SAS & Malwarebytes definitions and run scans. Almost finished NOD32 but so far nothing has been found. Only the earlier scan found 4 infected files in System Restore, and they are in quarantine (not deleted).

    Can't thank you enough for curing my laptop of infection, will await your further instructions for clean up.
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's great. Hang in there a bit longer as I discuss something regarding your thread. I think we will be wrapping up very soon though. :)
     
  20. Ben1976

    Ben1976 Private E-2

    No worries....

    Big thumbs up :-D :-D

    You guys here are the best!!
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well, that registry fix seems to have removed the wareout addresses successfully! (Thanks to Chaslang for advice.)

    Let's do this now:

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    RegLock::
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\NdisWanIp]
    @DACL=(02 0000)
    "LLInterface"="WANARP"
    "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{DC40A2DC-7CCC-4083-BEEA-E9EFDA9AEDB2}\00Tcpip\\Parameters\\Interfaces\\{C18AEA48-112C-4620-A968-3AAF0B875C92}\00\00"
    "NumInterfaces"=dword:00000002
    "IpInterfaces"=hex:dc,a2,40,dc,cc,7c,83,40,be,ea,e9,ef,da,9a,ed,b2,48,ea,8a,c1,
       2c,11,20,46,a9,68,3a,af,0b,87,5c,92
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{7C8850D8-A000-43AC-8006-820F990A7B59}]
    @DACL=(02 0000)
    "LLInterface"=""
    "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{7C8850D8-A000-43AC-8006-820F990A7B59}\00\00"
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{7F58601A-03B7-43EA-A4FC-BEF6F79273D3}]
    @DACL=(02 0000)
    "LLInterface"=""
    "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{7F58601A-03B7-43EA-A4FC-BEF6F79273D3}\00\00"
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{C20CCD17-4D71-46B1-81E1-364BC01DA2E9}]
    @DACL=(02 0000)
    "LLInterface"=""
    "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{C20CCD17-4D71-46B1-81E1-364BC01DA2E9}\00\00"
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{25E58767-B21E-49DC-ABD4-AA1288BED90C}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4B6239CB-7398-49BE-9589-8B09916A9DD6}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{592B2E9B-AF7B-42D4-9657-5D01B1300575}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6BB86C91-8938-4651-9DC8-4F745501DFDA}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7F58601A-03B7-43EA-A4FC-BEF6F79273D3}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDeadGWDetect"=dword:00000001
    "EnableDHCP"=dword:00000001
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "DefaultGatewayMetric"=multi:"\00"
    "NameServer"=""
    "Domain"=""
    "RegistrationEnabled"=dword:00000001
    "RegisterAdapterName"=dword:00000000
    "TCPAllowedPorts"=multi:"0\00\00"
    "UDPAllowedPorts"=multi:"0\00\00"
    "RawIPAllowedProtocols"=multi:"0\00\00"
    "NTEContextList"=multi:"0x00000004\00\00"
    "DhcpClassIdBin"=hex:
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{84F9B94D-6F92-4198-BB65-24ABBD85BDC0}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C18AEA48-112C-4620-A968-3AAF0B875C92}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{DAB523CA-EC03-4762-81A1-C9F484E8297F}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{DC40A2DC-7CCC-4083-BEEA-E9EFDA9AEDB2}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  22. Ben1976

    Ben1976 Private E-2

    Thanks for the reply, I won't have time to get to this until tomorrow night as I have work in the morning :(

    Will post log files as requested when completed.

    Cheers :)
     
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No worries, we'll be here waiting.
     
  24. Ben1976

    Ben1976 Private E-2

    I followed your instructions,

    Had 2 small hiccups: ComboFix (which I have renamed Kestrel13.com as advised earlier) came up with an error saying it was expired? Click No to exit or Yes to run in a different mode (or something like that), so I downloaded it again, copied combofix.exe to the desktop and it ran fine. (This means I now have two ComboFix exe files on the desktop - just one has been renamed as above.)

    That ran fine... then when running the GetLogs batch file the laptop didn't get far and rebooted. When I ran it a second time it finished without any issues.

    Have attached the MGlogs.zip file from the second attempt as the first one is a lot smaller in file size and has only one .txt file in it.

    Thanks again, and will await further instructions.
     


  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    RegLock::
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{10E69142-8BE2-4A1B-91BD-9989987F08E0}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{AFBD9755-E4FF-4976-AD2E-18DA686BEA27}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F7B8CE1F-AD3A-4BAD-864D-FC3C555E7BD5}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  26. Ben1976

    Ben1976 Private E-2

    OK all good, everything ran without any problems and MGlogs.zip attached.
     


  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let's try again, there are some registry keys that should not be locked.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    RegLock::
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\NdisWanIp]
    @DACL=(02 0000)
    "LLInterface"="WANARP"
    "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{DC40A2DC-7CCC-4083-BEEA-E9EFDA9AEDB2}\00Tcpip\\Parameters\\Interfaces\\{C18AEA48-112C-4620-A968-3AAF0B875C92}\00\00"
    "NumInterfaces"=dword:00000002
    "IpInterfaces"=hex:dc,a2,40,dc,cc,7c,83,40,be,ea,e9,ef,da,9a,ed,b2,48,ea,8a,c1,
       2c,11,20,46,a9,68,3a,af,0b,87,5c,92
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{7C8850D8-A000-43AC-8006-820F990A7B59}]
    @DACL=(02 0000)
    "LLInterface"=""
    "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{7C8850D8-A000-43AC-8006-820F990A7B59}\00\00"
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{7F58601A-03B7-43EA-A4FC-BEF6F79273D3}]
    @DACL=(02 0000)
    "LLInterface"=""
    "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{7F58601A-03B7-43EA-A4FC-BEF6F79273D3}\00\00"
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{C20CCD17-4D71-46B1-81E1-364BC01DA2E9}]
    @DACL=(02 0000)
    "LLInterface"=""
    "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{C20CCD17-4D71-46B1-81E1-364BC01DA2E9}\00\00"
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{25E58767-B21E-49DC-ABD4-AA1288BED90C}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4B6239CB-7398-49BE-9589-8B09916A9DD6}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{592B2E9B-AF7B-42D4-9657-5D01B1300575}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6BB86C91-8938-4651-9DC8-4F745501DFDA}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7F58601A-03B7-43EA-A4FC-BEF6F79273D3}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDeadGWDetect"=dword:00000001
    "EnableDHCP"=dword:00000001
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "DefaultGatewayMetric"=multi:"\00"
    "NameServer"=""
    "Domain"=""
    "RegistrationEnabled"=dword:00000001
    "RegisterAdapterName"=dword:00000000
    "TCPAllowedPorts"=multi:"0\00\00"
    "UDPAllowedPorts"=multi:"0\00\00"
    "RawIPAllowedProtocols"=multi:"0\00\00"
    "NTEContextList"=multi:"0x00000004\00\00"
    "DhcpClassIdBin"=hex:
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{84F9B94D-6F92-4198-BB65-24ABBD85BDC0}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C18AEA48-112C-4620-A968-3AAF0B875C92}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{DAB523CA-EC03-4762-81A1-C9F484E8297F}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{DC40A2DC-7CCC-4083-BEEA-E9EFDA9AEDB2}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
    Last edited: Nov 4, 2010
  28. Ben1976

    Ben1976 Private E-2

    New log file attached as requested
     

    Attached Files:

  29. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    And again. If this does not work then we will find another way to deal with them.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    RegLock::
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6C85E7C6-F77B-4FF9-B2B3-95810C598458}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{78524E51-2433-4273-9489-3DBAEB855E77}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{92010AF1-86A2-44DE-8B53-07ACE5F41B71}]
    @DACL=(02 0000)
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=multi:"0.0.0.0\00\00"
    "SubnetMask"=multi:"0.0.0.0\00\00"
    "DefaultGateway"=multi:"\00"
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  30. Ben1976

    Ben1976 Private E-2

    OK, with any luck it has worked this time....

    ComboFix completed the scan etc. first time round; the laptop rebooted with a Windows error but no log file was created, so I ran ComboFix again using the CFScript and it completed the scan and created the log file.

    MGTools crashed on first attempt, 2nd time ran ok.

    Log files attached.

    I will await further instructions, again I appreciate the time you have been putting into looking at this for me.
     

    Attached Files:

  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome. I have to seek out advice on this so I'll get back to you as soon as possible. :)
     
  32. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  33. Ben1976

    Ben1976 Private E-2

    Instructions followed and log file attached as requested.
     

    Attached Files:

  34. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That looks like it has done it! :)

    I know it's been a long drawn out process and you are eager to wrap up but one more sweep through the logs now.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  35. Ben1976

    Ben1976 Private E-2

    No worries, just grateful you guys donate your time and effort to help with malware removal:)

    MGlogs.zip attached as requested.

    Cheers
     

    Attached Files:

  36. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Dammit, I still see signs of the infection.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters]
    "DhcpNameServer"="203.8.183.1 192.189.54.33"
    [HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters]
    "DhcpNameServer"="203.8.183.1 192.189.54.33"
    [HKEY_LOCAL_MACHINE\system\controlset002\services\tcpip\parameters]
    "DhcpNameServer"="203.8.183.1 192.189.54.33"
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    There is a little button on the bottom ( on most models ) to reset it to factory settings. Do that. You may then need to go back into it to set any special setting that you may have set up originally. But do that first.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
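    The script above rewrites DhcpNameServer so the machine goes back to asking the two ISP resolvers instead of whatever the infection left in the registry. As an added example (not part of this thread and not ComboFix code), the Python below parses the same .reg-style `[key]` / `"name"=value` syntax the CFScript uses and reports every NameServer or DhcpNameServer entry under Tcpip\Parameters, global or per interface, that is not on an expected list. The expected-resolver list, the sample export, the placeholder interface GUIDs and the RFC 5737 documentation address 192.0.2.53 standing in for a rogue resolver are all constructed for the example.

```python
"""Audit DNS resolver settings in a Windows registry export.

Added example, not part of the thread and not ComboFix code. It parses the
.reg-style "[key]" / "name"=value syntax and reports resolver entries under
Tcpip\Parameters that are not on an expected list.
"""
import re
from typing import Dict, List, Tuple

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
DNS_VALUE_NAMES = {"nameserver", "dhcpnameserver"}

# Assumption for the example: the two addresses the CFScript writes are the
# ISP resolvers this machine should be using.
EXPECTED_DNS = ["203.8.183.1", "192.189.54.33"]

# Constructed sample export. Interface GUIDs are placeholders; 192.0.2.53 is an
# RFC 5737 documentation address standing in for an attacker-controlled resolver.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters]
"DhcpNameServer"="203.8.183.1 192.189.54.33"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{11111111-1111-1111-1111-111111111111}]
@DACL=(02 0000)
"EnableDHCP"=dword:00000001
"IPAddress"=multi:"0.0.0.0\00\00"
"NameServer"=""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{22222222-2222-2222-2222-222222222222}]
"EnableDHCP"=dword:00000000
"NameServer"="192.0.2.53,203.8.183.1"
"""


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: value}}. Quoted REG_SZ values are
    unquoted; dword:/multi:/hex: payloads are kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            # "[-HKEY...]" is the .reg deletion form; there is nothing to read.
            current = None if path.startswith("-") else path
            if current is not None:
                keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, value = val.group(1), val.group(2)
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
            keys[current][name] = value
    return keys


def dns_servers(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(key, value_name, server) for each resolver configured under any
    Tcpip\Parameters key. NameServer may be comma- or space-separated."""
    found = []
    for path, values in keys.items():
        if r"\tcpip\parameters" not in path.lower():
            continue
        for name, value in values.items():
            if name.lower() in DNS_VALUE_NAMES:
                for server in re.split(r"[ ,]+", value.strip()):
                    if server:
                        found.append((path, name, server))
    return found


def unexpected_dns(keys: Dict[str, Dict[str, str]], expected=EXPECTED_DNS):
    """Resolver entries whose address is not on the expected list."""
    allowed = {ip.lower() for ip in expected}
    return [hit for hit in dns_servers(keys) if hit[2].lower() not in allowed]


def audit(text: str, expected=EXPECTED_DNS) -> List[str]:
    """Human-readable findings for one registry export."""
    return [f"{name} under {path} points at {server}"
            for path, name, server in unexpected_dns(parse_reg(text), expected)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

    Run against a real export (regedit's File > Export of the Tcpip\Parameters key, for each ControlSet) it lists any resolver the infection planted; an entry on a DHCP-disabled interface that is not one of your ISP's addresses is the thing to look at first.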
     
  37. Ben1976

    Ben1976 Private E-2

    Attached Files:

  38. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    My apologies, I was referring to your router, not the laptop. From what the logs reveal, all seems to be okay again now, though! The last fix took care of it.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  39. Ben1976

    Ben1976 Private E-2

    Followed all steps, and as an extra I ran all scans, which came back negative.

    Can't thank you enough for all your help :-D

    Would definitely recommend you guys!
     
  40. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're most welcome. :) Safe surfing.
     
