
MagnusEdv

Members
  • Posts

    17
  • Joined

  • Last visited

Reputation

0 Neutral


  1. Hi, I'm back. Thanks for the patience. I applied the registry fixes to remove the entries of the registry, disabled all startup services and programs that were not Microsoft's and rebooted, but the suffix came back again.
  2. Yes, I'm still here. I'm currently making a virtual machine with an image of the infected system, so I can easily test the solutions there when I'm not at home. Please, be patient with me, as it might take a little while.
  3. Hi, unfortunately, the problem persists. I tried doing as you said, and also tried running both fixes before rebooting, but it always comes back. What's even worse, it comes back even before rebooting if I take more than a few seconds to reboot. This makes me think that there's a process running that puts the registry entries back in place, so modifying the registry won't solve the issue if we can't kill that process first.
  4. I'm attaching the reports. Thanks! RogueKillerReport.txt TDSSKiller.txt
  5. Now that lit a bulb! Reading the description of SSDPSRV I noticed that at the same time that I started having network connection speed problems and overall laggy behaviour in my computer (which led me to the initial ipconfig that made me discover utopia.net), my mapped network drives were not automatically reconnecting when starting the computer and I had to do it by hand. This leads me to believe that either this malware infected or replaced one or more dll files related to the Discovery Protocol Service. Now... I don't know how to fix this other than replacing these dlls from a clean operating system, or reinstalling the whole system from scratch. I'm not really confident about replacing the dlls, as whatever infected them might still be (and probably is) in the system, and the replacement won't fix anything for more than five seconds. To be honest, I thought of that solution (format and clean install) on day three, but I think that if we find a way to actually fix this infection, we might be able to help lots of other people that are infected, and solve a problem that's been around since 2011. I'm going to investigate further down this path and keep you updated. So far, only disabling the service, running the fixme and rebooting didn't fix it.
  6. Well, I found out two things related to this:
     1. When I stop SSDPSRV, the network traffic to and from utopia.net stops.
     2. When I stop dnscache, after two or three minutes it restarts and svchost writes the previous registry values under PID 1304.
     Besides that, I couldn't arrive at many conclusions, since I started getting network connections to utopia under other PIDs I didn't have before. I'll try to make more controlled and methodical tests tomorrow.
  7. Ok, playing a bit more with the process monitor, I found out that a service with PID 1304 is the one writing to the registry, and PID 1312 keeps sending and requesting network packages from utopia.net: I don't know if there's much we can do with this information, but I thought it could be useful. Also, I want to point out that PID 1312 is trying to communicate with utopia.net despite the suffix not being there, as there are requests before and after running the fixme.reg
  8. Hi, I added the registry values as you indicated, and sure enough, the suffix was gone, but as soon as I rebooted, it was back. Using Microsoft's Process Monitor, I found out that there's some service running that's requesting the modification of the values back: What's even more interesting is that this service keeps requesting the writing of utopia.net values into the registry periodically, every ten minutes or so, which means it's not something that just runs at startup, but a resident service that's continuously running. These are just a few examples; the filter output is filled with these entries. I can make a text output if you wish to inspect it further. Also, I've been inspecting which services svchost is running, but although there are several network-related ones, I haven't seen any particularly suspicious one. I await further instructions.
  9. Hi, I ran the fixme.reg, rebooted and ran Farbar with the parameters you told me, and this is the result: Needless to say, the redirection is still there. I've been going back and forth through all the services and processes and I can't figure out which one it is that's rewriting the registry. I ran the following script: And got this output: I don't know why I keep getting different outputs than from FRST, but well... there they are.
  10. Well, I'm a fool. It wasn't until I went to check my regedit version that I realised I wasn't copying the first line of the script, as I thought it was but a title. So, I finally ran the script and rebooted the computer and, guess what? utopia.net is still there.
  11. Sorry for the delay, I had a hectic week. I tried the script, but it says this: I tried doing as the error states, and importing from within regedit, but it says: I also tried running the script from a command prompt with administrator privileges, but I got the first error. The same three things were tried in safe mode with no luck. I think there might be a typo somewhere in the script, but I can't find it.
  12. Well, it seems we have a stubborn one here. It's still there. I ran FRST again and found these matches: Fixlog.txt
  13. I'm attaching the results from the script scan. The results regarding the firewall are the rules I made to block the IPs I found were associated with utopia.net. output.txt
  14. Hi Nasdaq, the search has given the following result: however, a manual search in the registry found keys under other folders, such as:
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{F34C2D7F-6779-41D9-9E36-CFC08F197867}\Connection
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Parameters\Isatap\{F34C2D7F-6779-41D9-9E36-CFC08F197867}
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters <--- This one worries me in particular
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{F075BC00-F85F-4F3A-A1ED-9AC7D1209B75}
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\iphlpsvc\Parameters\Isatap\{F34C2D7F-6779-41D9-9E36-CFC08F197867}
      And others... I'm currently writing a bat script to export all results to a txt file. Don't worry about the router credentials, I have them.
  15. I'm attaching the fixlog. After rebooting I ran an ipconfig and saw the DNS suffix is still there, so I manually ran the command netsh int ip reset to see if there was any error being thrown there, but everything came out OK: but as I said, the DNS suffix remains. What baffles me is that under the network connection's settings, the suffix is not there: I await further instructions. Fixlog.txt
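The registry locations enumerated by hand in post 14 and the svchost PIDs noted in posts 6 to 8 can be gathered in one pass. The script below is an added example written for this page; it is not code from the thread, from the poster, or from the helper. It assumes PowerShell 3.0 or later in an elevated session, takes the suffix under investigation as `$Suffix` (defaulting to `utopia.net`, the one discussed above), and writes to a report path chosen here as an assumption. The function names (`Get-DnsRegistryKeys`, `Find-SuffixInRegistry`, `Get-SvchostServiceMap`, `Get-AdapterDnsConfig`) are my own.

```powershell
<#
  Added triage example for a DNS suffix that keeps reappearing; not code from
  the forum thread. Assumes PowerShell 3.0+ in an elevated session.
#>
param(
    [string]$Suffix  = 'utopia.net',   # suffix under investigation
    [string]$OutFile = "$env:USERPROFILE\Desktop\dns-suffix-triage.txt"   # assumed report path
)

function Get-DnsRegistryKeys {
    # Walk every ControlSet00x, not just CurrentControlSet: post 14 found copies
    # under ControlSet001 and ControlSet002, and a stale set is what "Last Known
    # Good" boots from. Policy keys are included because a GPO-delivered
    # SearchList is re-applied on every policy refresh and behaves exactly like
    # a value that "comes back" after you delete it.
    $keys = @()
    $sets = Get-ChildItem 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^ControlSet\d+$' }
    foreach ($cs in $sets) {
        $name = $cs.PSChildName
        $keys += "HKLM:\SYSTEM\$name\Services\Tcpip\Parameters"      # Domain, SearchList, Interfaces\*
        $keys += "HKLM:\SYSTEM\$name\Services\Dnscache\Parameters"
        $keys += "HKLM:\SYSTEM\$name\Services\iphlpsvc\Parameters"   # Isatap\* keys seen in post 14
        $keys += "HKLM:\SYSTEM\$name\Control\Network"
    }
    $keys += 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $keys += 'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    return $keys
}

function Find-SuffixInRegistry {
    param([string[]]$Keys, [string]$Pattern)
    $rx = [regex]::Escape($Pattern)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        # The key itself plus every subkey (per-interface settings live one level down)
        $items = @(Get-Item $key) + @(Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($valueName in $item.GetValueNames()) {
                # REG_MULTI_SZ comes back as string[]; "$(...)" joins it for matching
                $data = "$($item.GetValue($valueName))"
                if ($data -match $rx) {
                    [pscustomobject]@{ Key = $item.Name; ValueName = $valueName; Data = $data }
                }
            }
        }
    }
}

function Get-SvchostServiceMap {
    # Map each svchost.exe PID to the services hosted in it, so a PID seen in
    # Process Monitor writing to Tcpip\Parameters can be named instead of guessed.
    $services = Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 }
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $procId = $_.Id
        $hosted = $services | Where-Object { $_.ProcessId -eq $procId } |
            Select-Object -ExpandProperty Name
        [pscustomobject]@{ PID = $procId; Services = ($hosted -join ', ') }
    }
}

function Get-AdapterDnsConfig {
    # What the TCP/IP stack actually uses, and where it came from. A suffix that
    # arrives via DHCP (option 15, e.g. from a home router) is re-applied on every
    # lease renewal, which is a non-malware way for a value to persist.
    Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled } |
        Select-Object Description, DHCPEnabled, DHCPServer, DNSDomain,
            @{ n = 'SearchOrder'; e = { $_.DNSDomainSuffixSearchOrder -join ',' } }
}

$lines  = @()
$lines += "== Registry values matching '$Suffix' =="
$lines += Find-SuffixInRegistry -Keys (Get-DnsRegistryKeys) -Pattern $Suffix |
    Format-Table -AutoSize | Out-String -Width 300
$lines += "== svchost.exe PID -> hosted services =="
$lines += Get-SvchostServiceMap | Format-Table -AutoSize | Out-String -Width 300
$lines += "== Adapter DNS configuration (WMI) =="
$lines += Get-AdapterDnsConfig | Format-List | Out-String
$lines | Set-Content -Path $OutFile
Write-Host "Report written to $OutFile"
```

Save it as a `.ps1` and run it from an elevated prompt before and a few minutes after removing the value; diffing the two reports shows which key was rewritten and which svchost instance hosts the service that did it. The adapter and policy sections are there because a suffix supplied by DHCP or by a DNSClient policy is re-applied legitimately on every renewal or refresh, so those sources are worth ruling out before concluding that a resident process is responsible.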