Network threats

Discussion in 'Malware Help (A Specialist Will Reply)' started by futurerush, May 9, 2013.

  1. futurerush

    futurerush Private E-2

    Hi. I was looking at an email I would normally just delete without looking at it, but something possibly related to it going on in my life made me investigate. There was a link for shipping information that didn't work the way it was supposed to and it was trying to download something that wouldn't open. I recognized that this is unusual behavior, so I tried to get rid of everything related to it. The email, the half-assed download to the temp folder, etc. I thought maybe I beat a possible infection. But about five minutes later I started getting avast pop-ups about a threat blocked by the network shield. So I stopped what I was doing and started going through the MajorGeeks Read & Run Me First guide. Logs are attached.

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:


    • [RUN][SUSP PATH] HKCU\[...]\Run : fehepufd ("C:\Users\FutureRush\AppData\Local\cndfingu.exe") [-] -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-1514481727-151634734-2981664973-1001[...]\Run : fehepufd ("C:\Users\FutureRush\AppData\Local\cndfingu.exe") [-] -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    Now click on the DNS tab and have it fix these items:
    [DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{990B4666-C7F9-4E79-9BCA-114ED682BDE0} : NameServer (0.0.0.0) -> FOUND
    [DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{990B4666-C7F9-4E79-9BCA-114ED682BDE0} : NameServer (0.0.0.0) -> FOUND

    Now open Hitman and have it delete what it found.

    Reboot and rescan with both RogueKiller and Hitman and attach those logs as well.

    Be sure to tell me how things are running now.
     
  3. futurerush

    futurerush Private E-2

    Hi Tim,
    I do not see those detections in the registry. I took a screenshot of what I have and attached and also created another report with a slight change to the file name for the txt, also attached. I notice I have two RK logs on my desktop from when I went through the guide, but I don't specifically remember making two. I have not done any deleting yet.

    Last edited: May 11, 2013
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Once more:

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:


    • [RUN][SUSP PATH] HKLM\[...]\Run : peaun ("C:\Windows\System32\rundll32.exe" "C:\Users\FutureRush\AppData\Roaming\peaun.dll",ReferenceError) [7] -> FOUND
    • [RUN][SUSP PATH] HKLM\[...]\Run : detwi ("C:\Windows\System32\rundll32.exe" "C:\Users\FutureRush\AppData\Roaming\detwi.dll",FillContiguousStrides) [7] -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    Now click on the DNS tab and fix these:
    [DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{990B4666-C7F9-4E79-9BCA-114ED682BDE0} : NameServer (0.0.0.0) -> FOUND
    [DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{990B4666-C7F9-4E79-9BCA-114ED682BDE0} : NameServer (0.0.0.0) -> FOUND

    Reboot and rescan with RogueKiller and attach that log as well.

    Tell me how things are running.
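    An added example, written for this thread and not part of RogueKiller, MajorGeeks or the original posts: a read-only PowerShell audit that lists the same two kinds of artifacts the instructions in posts 2 and 4 have RogueKiller remove, so a reader can check whether a machine shows the same pattern before deleting anything. It assumes Windows PowerShell 5.1 or later and an elevated prompt (HKLM keys need it); the Run-key and per-interface TCP/IP paths are the standard registry locations (the full interface path is Tcpip\Parameters\Interfaces, which the log above abbreviates with [...]). The "suspicious" heuristics are this example's own, modelled on the detections quoted above: a logon entry pointing into AppData, or rundll32.exe loading a DLL from a profile folder, plus any static NameServer value, with 0.0.0.0 called out.

```powershell
# Added example (not from the thread or from RogueKiller). Read-only audit of the
# two persistence locations cleaned above: logon Run keys and per-interface DNS.
# Assumes PowerShell 5.1+ and an elevated prompt. Nothing here deletes anything.

function Get-SuspiciousRunEntries {
    # Run keys load a program at every logon for the current user (HKCU) or all users (HKLM).
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    # Heuristics mirroring the two detections in the thread (this example's own, not RogueKiller's):
    # an executable under AppData, or rundll32.exe loading a DLL from a profile folder.
    $appDataPattern = '(?i)\\AppData\\(Local|LocalLow|Roaming)\\'
    $rundllPattern  = '(?i)rundll32.*\.dll'
    $providerProps  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }   # provider metadata, not a Run value
            $cmd   = [string]$p.Value
            $flags = @()
            if ($cmd -match $appDataPattern) { $flags += 'SUSP PATH' }
            if ($cmd -match $rundllPattern)  { $flags += 'RUNDLL32 DLL' }
            if ($flags.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $cmd
                    Flags   = ($flags -join ', ')
                }
            }
        }
    }
}

function Get-InterfaceNameServers {
    # Each control set (ControlSet001, ControlSet002, ...) keeps its own copy of the
    # per-interface TCP/IP settings, which is why the log above lists the key twice.
    # A non-empty NameServer value is a static resolver that overrides the DHCP-supplied one.
    Get-ChildItem 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |   # skip the CurrentControlSet alias
        ForEach-Object {
            $ifRoot = "Registry::$($_.Name)\Services\Tcpip\Parameters\Interfaces"
            if (-not (Test-Path $ifRoot)) { return }
            Get-ChildItem $ifRoot | ForEach-Object {
                $ns = (Get-ItemProperty -Path $_.PSPath -Name NameServer -ErrorAction SilentlyContinue).NameServer
                if ([string]::IsNullOrWhiteSpace($ns)) { return }   # empty = DNS from DHCP, nothing to report
                [pscustomobject]@{
                    Key        = $_.Name
                    NameServer = $ns
                    Note       = $(if ($ns -eq '0.0.0.0') { 'invalid resolver (as in the log above)' }
                                   else { 'static resolver set; confirm it is one you configured' })
                }
            }
        }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
Get-InterfaceNameServers | Format-Table -AutoSize
```

    Run it from an elevated PowerShell window; an empty table from both functions means neither pattern is present. A hit is a starting point for the kind of checking done in this thread, not a verdict: a legitimate updater can also live under AppData, and a static NameServer may simply be one the owner set.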
     
  5. futurerush

    futurerush Private E-2

    Hi Tim,
    Attached is the RK log. Some time after my first post avast popped up a window saying that no evidence was found to categorize a specific file as malware and gave me an option to continue execution. I think the other option was close. This is confusing wording for avast to use since there are executable applications that run programs, and execute also means to get rid of. So I don't know if it was really asking to run an app, or terminate it. I hit the more obvious button to continue execution. Since then I have not received any more avast popups about the network shield blockings, or any other kind of avast pop ups (I was getting a couple of others too before). What has happened upon booting or rebooting is a Comcast Desktop Software window would try to come up, but I would get an error window instead. That Comcast window shouldn't come up at all. Maybe CCleaner made that happen out of defaulting settings. There would also be a run error for one of the dll files RK took care of. Since deleting through RK just now, that error did not come up this time, but the Comcast window still did. Attached is a screenshot of both together before the last reboot.

    Note: I did not run Hitman after this.

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Attach the new C:\MGLogs.zip
     
  7. futurerush

    futurerush Private E-2

    New MG logs attached.

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Let me know how things are running now.
     
  9. futurerush

    futurerush Private E-2

    Successful merge with the registry. I rebooted afterwards and even booted once more after that. Everything is great.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work through the below link


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  11. futurerush

    futurerush Private E-2

    As soon as I booted my computer today I got another malware notice. I pulled up the pop up again and took a screenshot. Attached. Firefox hadn't remembered my email password.

  12. futurerush

    futurerush Private E-2

    Also, I checked my email on my phone since I didn't feel comfortable doing it on my computer, and apparently it was hacked again and a bot spammed the contacts, like the last thread (before this one).

    I didn't get another pop up while using firefox, but when I closed firefox and later launched it again, the pop up for the network shield blocking a site came up again. Google is the homepage though, not exactly threatening.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you need to run through the procedures again?
     
  14. futurerush

    futurerush Private E-2

    I am not sure. The threat only occurs when I boot Firefox. I've been using Chrome since then without a problem. Maybe I should just uninstall Mozilla Firefox(?)
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Frequently Firefox users run into problems with redirects, popups, unwanted tabs opening, etc. One of the easiest fixes is to Reset Firefox to defaults. See the below link:

    http://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems

    Maybe this will cure your problems. But do note that it will cause you to lose any Extensions, Open websites, and some Preferences.
     
  16. futurerush

    futurerush Private E-2

    I guess resetting Firefox worked. I'm not getting Avast! threat detected alerts anymore when I open it.
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. Safe surfing. :)
     