Need Help with Nasty Rootkit - SKYNET/Trojan.Download.38278

I would like to see the logs regardless of the results

As mentioned I would still like to see these logs so if you could attach them into your next reply that would be great. Also most importantly of all I need to see logs from running the following:

• Combofix ---> C:\combofix.txt
• MGTools ----> C:\Mglogs.zip

Thanks
Kes

 

No, let me look over your logs which I will do as soon as I get a chance, and then I can get back to you with a set of instructions.

But you can do this:

Important Notice: A new version of SUPERAntiSpyware is out.

• Please uninstall your current version (this is necessary).
• Then download this SUPERAntiSpyware
• Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
• After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
• Now run a new full scan of your system. And attach this log later.

 

FYI: If things seem slow this is why:

You need a memory upgrade.


1. Please go to Add/remove Programs and uninstall the following old version of Java:

• Java(TM) 6 Update 2

Also FYI: Ad-Aware SE Professional is not as effective as SAS or MBAM which you installed during the R&R.

Please also uninstall Spyware Doctor 6.0 if it is just a free trial.

2. Did you knowingly install the below toolbar for internet explorer?

If you didn't, then please also include this to our uninstall list.

3. Can you tell me what this is?

4. Now we need to use ComboFix.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

DirLook::
C:\Documents and Settings\Misa\LocalLow

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

5. Now reboot your machine and install the most current and up to date version of Java available here at the below link:

Java Runtime 6

6. Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix

7. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.

 

Keep everything where it is until we have finished. Qoobox folder is paticularly important to keep because it's a backup folder...and if something is wrongly removed we can make restorations!

 

1. Now we need to use ComboFix to remove a bunch of malware file(s)/folder(s)...

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
c:\windows\system32\driver.dat

Folder::
c:\program files\sys 

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


2. From your logs I see that proquota.exe is missing from the system32 directory, we will need to replace this, and to do so, please look at the below:

Running SFC Scannow


3. You really need to install yourself some anti virus at this point as surfing without any is leaving you wide open to attack. You can choose from our list of reccommended in the below link:

(scroll down to section 2)

How to Protect yourself from malware!


4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

5. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Thanks
Kes13!

 

Yes restore it indeed

Yes it won't be a problem to still include it. So go ahead and run my script.

Thanks
kes

 

Please restore everything that Spyware Doctor removed.
Did Spyware Doctor remove anything else prior to your running the MGLogs in message #8 on 6/25 which was slightly after the time you ran SD?

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator)

Then attach the below logs:

* C:\MGlogs.zip

 

You need to answer Kestrel13!'s question in msg # 14 and you need to attach the new log from MGtools before your thread can be continued.

Nircmd is not a problem. It is a valid tool used by ComboFix and is just another one of the many false positives reported by Spyware Doctor.

Please do not run Spyware Doctor again until after have been given final instructions and have completed them. Those instructions will be given to you when your PC is deemed to be clean.

 

You need to put your PC into Normal Startup mode with MSconfig as requested in step 1 of the READ & RUN ME and you need to remain in this mode.

Then to aid in future steps it would be best to get the current version of MGtools installed and get a new log. So please do the below after getting in normal startup mode.


Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• C:\MGlogs.zip

 

good afternoon. Whilst I go over the logs could you please disable spybot search and destroy's "Teatimer" function. See below for how to do this:

How to disable Spybot's TeaTimer

Thanks
Kes

 

thanks because it often interferes with the fix

Kes

 

1. Could you please get this: proquota.exe into a zipped file and attach it for me in your next post? To do this, see the below:

Please go to start > Run and paste in the following from the quote box below:

2. Please go to Add/remove Programs and uninstall the following software as requested in the R&R -

• Viewpoint Media Player

3. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix exit HJT.

4. Now we need to use ComboFix.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

DirLook::
C:\209270577 

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

5. Attach the zipped file I requested to look at, and also the log from ComboFix.

Thanks
Kes

 

I only wanted to take a look at it for now.

No need yet.

yes it is, but it's also a dead entry now.

Will check your logs and get back to you ASAP.

Kes

 

Hi there

Let's do this:


1. Now we need to use ComboFix to kill a couple malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
C:\WINDOWS\system32\wbem\proquota.exe

Folder::
C:\209270577

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

2. Now go to this link Using MGTools and download the new version of MGtools.exe using the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

3. Run the new MGTools.exe and attach the C:\mglogs.zip that it generates.

4. Also please attach the log from running ComboFix ---> C:\combofix.txt

5. Do let us know how things are running now!

Thanks
Kes

 

Hi

proquota.exe is missing, to replace it please refer to the below and read it carefully.

Running SFC Scannow

Then you must ensure that you do the below afterwards:

Now go to this link Using MGTools and download the new version of MGtools.exe using the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

Run the new MGTools.exe and attach the C:\mglogs.zip that it generates into your next response here.

Thanks
kes13!

 

Hi

1. Now we need to use ComboFix to get a file back where it should be.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

FCopy::
C:\WINDOWS\system32\dllcache\proquota.exe|C:\WINDOWS\system32\proquota.exe 

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

2. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

Thanks
Kes13!

 

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /u
     • Notes: The space between the combofix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Hi there

C:\209270577 <--- you can delete this file

cmldr is required for the Recovery Console.

boot.bak is a backup of the boot.ini file which is saved while installing the Recovery Console.

settings.dat is just a left over from RootRepeal which can be deleted.

You can safely delete the collect.zip.

 

You're very welcome

If you're asking me what I would do, I would ditch Spyware Doctor and keep MBAM, yes. I use both MBAM and SAS on my machines.

safe surfing :wave Take care