
Solved Infected - Any ideas?

Discussion in 'Malware and Virus Removal Archive' started by omrsafetyo, 2011/10/03.

  1. 2011/10/04
    omrsafetyo

    omrsafetyo Inactive Thread Starter

    Joined:
    2011/10/03
    Messages:
    23
    Likes Received:
    0
    I am getting ready to try the /nombr switch as I am still having the application hang up on me with /killall

    What will be your next suggestion if this still refuses to run?
     
  2. 2011/10/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Oh, we have other options, so just let me know...
     


  4. 2011/10/04
    omrsafetyo

    Looks like that will not be necessary - with the /nombr switch I have made it much further than usual, it has gone beyond the scan step and is now running through the stages (currently on stage 4).

    Thank you broni! I will re-post when this is complete.
     
  5. 2011/10/04
    broni

    Cool beans :)
     
  6. 2011/10/04
    omrsafetyo

    Combofix log:
     
  7. 2011/10/04
    omrsafetyo

    Of the other deletions:
    c:\documents and settings\nathan.kulas\GoToAssistDownloadHelper.exe
    c:\documents and settings\nathan.kulas\Start Menu\Internet Explorer.lnk
    c:\documents and settings\NetworkService\Application Data\PriceGong
    C:\install.exe
    C:\Thumbs.db
    c:\windows\962772537
    c:\windows\system32\d3d9caps.dat
    c:\windows\system32\drivers\etc\lmhosts
    c:\windows\system32\libeay32.dll.orig

    I know what the GoToAssist file is; I created C:\windows\962... as part of my troubleshooting during this thread; and libeay32.dll.orig is also a file I created (or renamed) which is installed by Crystal Reports Business Objects, but frequently interferes with other applications.
     
  8. 2011/10/04
    broni

    Looks good.

    Update me on your computer behavior.

    See if you can update and run MBAM in normal mode.

    See if you can run DDS now.
     
  9. 2011/10/04
    broni

    We posted at the same time, so I'm not sure if you saw my latest reply.
     
  10. 2011/10/04
    omrsafetyo

    I had, thank you.

    MBAM:
    DDS still does not run all the way. It looks like it is running normally, but it does not terminate execution at the end of 3 minutes as it says it should. It continues to run and requires a reboot.

    My google search is no longer affected, I can click links from the google search results and they go where they are intended to go.
    System restore still gives access denied when I try to start the service (which I think is also slowing my start-up, as it is trying/failing to start the service at startup), which is not a huge issue, but just something to note.
     
  11. 2011/10/04
    broni

    Some good news :)

    That particular type of rootkit you had messes with many aspects of Windows, so our next step will be to check all permissions.

    Let's run the following tool. This will help determine which files need permissions restored.

    Please download and save Junction.zip

    Unzip it and place Junction.exe in the Windows directory (C:\Windows).
    Go to Start>Run (Vista and Windows 7 users use "Start search" box).
    Copy and paste the following command in the Run box and click OK (Vista and Windows 7 users press "Enter"):

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system.
    Wait until a log file opens.
    Copy and paste the log in your next reply.

    It may be a lengthy log, so you may need to split it between some replies.
     
  12. 2011/10/04
    omrsafetyo

    Here is the Junction output:
     
  13. 2011/10/04
    broni

    Is that it, or is more coming?
     
  14. 2011/10/04
    omrsafetyo

    That's it.
     
  15. 2011/10/04
    broni

    OK.

    Please download GrantPerms.zip and save it to your desktop.
    Unzip the file and depending on the system run GrantPerms.exe (32-bit system) or GrantPerms64.exe (64-bit system)
    Copy and paste the following in the edit box:

    Code:
    C:\\Documents and Settings\nathan.kulas\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db
    C:\\Documents and Settings\nathan.kulas\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow
    C:\\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\\Program Files\SUPERAntiSpyware\f98af0b4-e6fc-4c0d-9354-7c216c7796f6.com
    
    Click Unlock. When it is done click "OK".
    Click List Permissions and post the result of Perms.txt file that pops up.
    A copy of Perms.txt will be saved in the same directory the tool is run.

    When done...

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
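    A read-only PowerShell survey of what the two tool steps above look for (reparse points, as reported by the Junction scan, and Deny permissions on files of the kind GrantPerms lists). This is an added example, not part of the thread and not code from either tool; the $Root and $Report paths and the Windows PowerShell 5.1 requirement are assumptions.

```powershell
# Added example (not from the thread, Junction or GrantPerms): a read-only
# survey of a directory tree for reparse points (junctions/symlinks) and for
# explicit Deny ACEs that lock out SYSTEM or Administrators, which is what a
# permissions-tampering rootkit leaves behind. Assumes Windows PowerShell 5.1+
# (for the LinkType/Target properties) and an elevated prompt. Nothing is changed.
param(
    [string]$Root   = 'C:\',                                     # assumed start
    [string]$Report = "$env:USERPROFILE\Desktop\perm-survey.txt"  # assumed output
)

$privileged = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$findings   = New-Object System.Collections.Generic.List[string]

# -Force includes hidden/system items; unreadable paths are skipped here but
# collected in $walkErrors so they can be reported instead of silently lost.
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force `
            -ErrorAction SilentlyContinue -ErrorVariable walkErrors

foreach ($item in $items) {
    # 1. Reparse points: record link type and where the link points.
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        $target = ($item.Target | Select-Object -First 1)
        $findings.Add("REPARSE  $($item.LinkType)  $($item.FullName) -> $target")
    }

    # 2. Explicit Deny entries aimed at SYSTEM or Administrators.
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        # Not being able to read the ACL at all is itself a finding.
        $findings.Add("NOACL    $($item.FullName)  ($($_.Exception.Message))")
        continue
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $privileged -contains $ace.IdentityReference.Value) {
            $findings.Add("DENY     $($item.FullName)  $($ace.IdentityReference) : $($ace.FileSystemRights)")
        }
    }
}

# Directories that could not even be enumerated deserve a look as well.
foreach ($e in $walkErrors) {
    $findings.Add("WALKERR  $($e.TargetObject)  ($($e.Exception.Message))")
}

$findings | Sort-Object | Set-Content -LiteralPath $Report -Encoding UTF8
Write-Host "$($findings.Count) findings written to $Report"
```

    A full walk of C:\ takes a while on a large drive, the same as the junction -s c:\ scan; start with a narrower $Root such as C:\Windows to test.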
     
  16. 2011/10/04
    omrsafetyo

    Grant Perms final output:
    OTL.txt (Part 1):
     
  17. 2011/10/04
    omrsafetyo

    Part 2:
    Extras.txt:
     
  18. 2011/10/04
    broni

    This will be my last reply for tonight (bed time).
    You can reinstall your AV program at any time now.

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - File not found [On_Demand | Stopped] -- -- (McComponentHostService)
      O15 - HKCU\..Trusted Domains: army.mil ([owa.usar] https in Local intranet)
      O15 - HKCU\..Trusted Domains: army.mil ([webmail.us] https in Trusted sites)
      O15 - HKCU\..Trusted Domains: eagle_one ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: hvfal-ssrs-vm1 ([]http in Trusted sites)
      O15 - HKCU\..Trusted Domains: localhost ([]http in Trusted sites)
      O15 - HKCU\..Trusted Domains: microsoft.com ([sftus.one] https in Trusted sites)
      O15 - HKCU\..Trusted Domains: munis.com ([support] http in Trusted sites)
      O15 - HKCU\..Trusted Domains: netflix.com ([movies] http in Trusted sites)
      O15 - HKCU\..Trusted Domains: onyx_test ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: onyx-cognos ([]http in Trusted sites)
      O15 - HKCU\..Trusted Domains: onyx-cognos-dr ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: onyx-dr ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: onyx-kbea ([]http in Trusted sites)
      O15 - HKCU\..Trusted Domains: onyx-oep1 ([]http in Trusted sites)
      O15 - HKCU\..Trusted Domains: onyx-oep2 ([]http in Trusted sites)
      O15 - HKCU\..Trusted Domains: program%20files ([]file in Trusted sites)
      O15 - HKCU\..Trusted Domains: tyleronyx ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: tyleronyx ([]http in Trusted sites)
      O15 - HKCU\..Trusted Domains: tylertech.com ([edelivery] https in Trusted sites)
      O15 - HKCU\..Trusted Ranges: Range1 ([http] in Trusted sites)
      O15 - HKCU\..Trusted Ranges: Range10 ([http] in Trusted sites)
      O15 - HKCU\..Trusted Ranges: Range11 ([http] in Trusted sites)
      O15 - HKCU\..Trusted Ranges: Range12 ([http] in Trusted sites)
      O15 - HKCU\..Trusted Ranges: Range2 ([http] in Trusted sites)
      O15 - HKCU\..Trusted Ranges: Range3 ([http] in Trusted sites)
      O15 - HKCU\..Trusted Ranges: Range4 ([http] in Trusted sites)
      O15 - HKCU\..Trusted Ranges: Range5 ([http] in Trusted sites)
      O15 - HKCU\..Trusted Ranges: Range6 ([http] in Trusted sites)
      O15 - HKCU\..Trusted Ranges: Range7 ([http] in Trusted sites)
      O15 - HKCU\..Trusted Ranges: Range8 ([http] in Trusted sites)
      O15 - HKCU\..Trusted Ranges: Range9 ([http] in Trusted sites)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O16 - DPF: OEPHelper http://192.168.197.11/oep_windows/OEPHelper.CAB (Reg Error: Key error.)
      O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found
      [8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [2011/10/04 21:52:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
      [2011/10/03 00:28:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
      @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
      
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ==============================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  19. 2011/10/05
    omrsafetyo

    OTL
    Security Checkup:
    ESET
     
  20. 2011/10/05
    broni

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions (if present).
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader (3.5 MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

    ===========================================================

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.
     
  21. 2011/10/05
    omrsafetyo

    Adobe has been upgraded.
    I also re-installed ESET NOD32 4 and updated my virus definitions, and have the real-time protection enabled.
    Upgraded to IE8 from IE7

    1. OTL
    3. Windows Update has been run; I have installed all available updates.

    4. PWs changed (handy, my windows password was going to change 2 days from now)

    5. I'm going to skip this for now. I do not typically visit sites I don't trust on this laptop.

    6. Malwarebytes run scheduled to run weekly, and update virus definitions daily. Also have ESET NOD32 4 set to run on a schedule for both items as well.

    7. OK

    8. Done.

    9. Pass.

    10. I do this anyway - I use Defraggler.

    11. OK. I typically do this anyway. Great tip.

    12...

    13. Everything seems to be mostly fine.
    Cons:
    System restore service will still not start (Access Denied)
    Silverlight sites were not working properly (such as Netflix, etc.) if I had visited them previously. Needed to open the Silverlight control panel, go to Application Storage and select "Delete All" and check "enable application storage". This cleared the cache and made it so the same items could be re-downloaded properly - this is better now.
    Still many hidden files
    The Programs menu under Start Menu for All Users is missing all .lnk files - recreating these manually as I go.
    I do have to re-save a lot of trusted sites, etc. - but it's certainly better to have this clean than corrupted.

    Pros:
    Computer is much faster, even at startup than it was previously.
    Many cached items that caused issues previously are no longer a problem

    Will post results to #2 - running that next.
     
