HELP! Virus or Malware Added Group Policy and cannot find it

[jstatham]

Still gives the error.

[jstatham]

Nothing in Group Policy Editor

[CatByte]

will it run in safe mode?

please run the following:

Please download Rkill from one of the following links and save to your Desktop:

One, Two,Three or Four

• Double click on Rkill.
  
• A command window will open then disappear upon completion, this is normal.
  
• Please post the log
  

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

[jstatham]

It will run in safe mode. Here is the log.

Rkill2.txt

[CatByte]

Please do the following:

• Close all programs so that you are at your desktop.
  
• Open the Control Panel switch to classic view, then click Folder Options.
  
• After the new window appears select the View tab.
  
• Put a checkmark in the checkbox labeled Display the contents of system folders.
  
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
  
• Press the Apply button and then the OK button and exit My Computer.
  
• Now your computer is configured to show all hidden files.
  

NEXT

submit a file to virustotal for analysis

• Use the browse button on that page to navigate to the location of the file to be scanned.
  
• In the right hand panel,
  
• click on the file C:\Users\justin\AppData\Local\ntr\inquiero.exe
  
• then click the open button.
  
• The file will now be displayed in the submit box.
  
• Scroll down a bit and click "send file", wait for the results
  
• If you get a message saying File has already been analyzed: click Reanalyze file now
  
• Once scanned, copy and paste the link to the results page in your next reply.
  

[jstatham]

I will but the inquiero.exe is a remote control app we use for remote adminsitration that I have been running for years.

[CatByte]

yes, I'm sure it's probably fine, but I found a couple of instances where that particular file had been infected, so i just wanted to make sure as we are not having much luck finding the source of this issue

try running this MBAM rookit beta tool

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

• Be sure to print out and follow the instructions provided on that same page for performing a scan.
  
• Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  
• When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  
• If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  
• Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  
• Copy and paste the contents of these two log files in your next reply.

Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.

[jstatham]

SHA256: ba01b5c7dd7937ff6cec89f47a6213b1328a0bea4683ef66bf0d47be15cc038b SHA1: cd514a9a366f32c18275e85747bd634d9da210b7 MD5: 5f56064d4f9334fa619f7ba9df2a57d0 File size: 577.9 KB ( 591760 bytes ) File name: 3A4F502390EDB5B3077D09CAAA9BDA00EC0AD3CA.exe File type: Win32 EXE Tags: signed Detection ratio: 3 / 41 Analysis date: 2011-05-23 02:51:11 UTC ( 1 year, 6 months ago )

0

0

More details

• Analysis
  
• Comments
  
• Votes
  
• Additional information
  

Antivirus Result Update AhnLab-V3 - 20110522 AntiVir - 20110523 Antiy-AVL - 20110523 Avast - 20110522 Avast5 - 20110522 AVG Win32/Heur 20110522 BitDefender - 20110523 CAT-QuickHeal (Suspicious) - DNAScan 20110522 ClamAV - 20110523 Commtouch - 20110522 Comodo - 20110523 DrWeb - 20110523 eSafe - 20110522 eTrust-Vet - 20110520 F-Prot - 20110522 Fortinet - 20110522 GData - 20110523 Ikarus - 20110523 Jiangmin - 20110522 K7AntiVirus - 20110520 Kaspersky - 20110523 McAfee - 20110523 McAfee-GW-Edition - 20110522 Microsoft - 20110522 NOD32 - 20110523 Norman - 20110522 nProtect - 20110522 Panda - 20110522 PCTools - 20110519 Prevx - 20110523 Rising Suspicious 20110522 Sophos - 20110523 SUPERAntiSpyware - 20110523 Symantec - 20110523 TheHacker - 20110520 TrendMicro - 20110522 TrendMicro-HouseCall - 20110523 VBA32 - 20110520 VIPRE - 20110523 ViRobot - 20110523 VirusBuster -

[jstatham]

Looks like nothing was found. This is crazy.

mbar-log-2012-11-21 (19-29-57).txt

system-log.txt

[CatByte]

I have asked my expert colleagues to have a look, this is quite unusual that nothing seems to be showing up at all,

hopefully someone will be able to see what I am missing

please bear with me till I hear back

[CatByte]

one of the experts suggested the following:

Since the user does not seem to have these issues in Safe Mode, I would be interested in seeing if the problem persists if you have them go into Safe Mode and disable all startups and Services (excluding Microsoft services) via MSconfig. Then reboot into Normal Mode to see if problem still occurs.

let me know what happens

[jstatham]

I disabled all startup items and disabled all services. When I rebooted into windows I still get the same error. I was wondering what would happen if I booted in safe mode and disabled the group policy client what would happen. Here is the event viewer log when i click on the Malewarebytes icon. I guess the big question is how do we find the rule? It looks like there is a policy on the path and not the exe. If I rename the Malwarebytes folder it works. Strange,

Access to C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe has been restricted by your Administrator by location with policy rule {3036cfcf-7c01-4800-a2ca-e6a7873107d2} placed on path C:\Program Files (x86)\Malwarebytes' Anti-Malware.

[CatByte]

let's try looking for that string in the registry

Please download SystemLook from one of the links below and save it to your Desktop.

Link 1

Link 2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  
  :regfind
  C:\Program Files (x86)\Malwarebytes' Anti-Malware
  {3036cfcf-7c01-4800-a2ca-e6a7873107d2}
  

  
  

• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

[CatByte]

never mind that

I think I have found it

Please run the following:

Click WinKey + R to open a run box > type notepad into the open run box > OK > this will open Notepad

Click Format and make certain that Word Wrap is NOT checked.

Copy/Paste the text inside of the code box into the open Notepad

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{3036CFCF-7C01-4800-A2CA-E6A7873107D2}]

Now go to File > and click Save As,

From the drop down menu at the top of the box choose Desktop as the location to save this file.

Go down to the File Name box and type in fixme.reg as the file name, then choose All Files as the save as file type.

Then click the save button.

Once you have clicked the save button, close Notepad.

You should now see a file on your desktop that looks like this:

Locate the fixme.reg icon on your desktop and double click it, an information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Once the file has run, the information will have merged with your registry so you can delete fixme.reg from your desktop as you won't be needing it any more.

If this reg fix doesn't fix it, then continue on with SystemLook

[jstatham]

The registry script would not run it I get an error. But I manually removed it and I found a bunch more that I think need removed. I exported them out into the attached regfile. It looks like to me all the paths need removed.

regfix.txt

codeitentifiers.txt

[CatByte]

yes

removing the "0" sub key should remove all the keys beneath it

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0]

are you comfortable doing that manually, if not i can give you a reg fix (the previous one wasn't saved to the desktop)

I don't have any of those subkeys on my machine, so I don't believe any of them are legitimate

let me know

[jstatham]

I manually deleted the 0 key and it finally works. Now my big question is how in the world did those get added in. Thanks again for all your help.

[CatByte]

well, they were definitely added by malware

please post the content of qoobox

Press the WinKey + R to open a run box, copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply.

are there any other outstanding issues?

both Adobe and Java need updating:

Visit ADOBE and download the latest version of Acrobat Reader (version XI)

Having the latest updates ensures there are no security vulnerabilities in your system.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

• Go to this site and click on "Do I have Java"
  
• It will check your current version and then offer to update to the latest version
  
• Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.
  

Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if there are - remove them.

[jstatham]

Here is the report. I think all the malware is going but sometime IE is showing page cannot be displayed.

2012-11-18 16:09:59 . 2012-11-18 16:09:59 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt

2012-11-17 03:11:58 . 2012-11-17 03:11:58 766 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Octoshape add-in for Adobe Flash Player.reg.dat

2012-11-17 03:11:58 . 2012-11-17 03:11:58 652 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Adobe Connect Add-in.reg.dat

2012-11-17 03:11:58 . 2012-11-17 03:11:58 1,342 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Adobe Connect 9 Add-in.reg.dat

2012-11-17 03:07:26 . 2012-11-18 16:18:26 17,707 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2012-11-17 02:58:35 . 2012-11-18 16:08:45 102 ----a-w- C:\Qoobox\Quarantine\catchme.log

[CatByte]

try resetting IE back to default

• Open Internet Explorer.
  
• Click Tools from the Command Bar and select Internet Options.
  
• Select the Advanced tab.
  
• Go to the Reset Internet Explorer settings section and click the Reset button.
  
• You will then see a window that outlines the impact of resetting IE. A basic reset will disable toolbars and add-ons, and reset default web browser settings, advanced options, tabbed browsing settings, privacy settings, pop-up settings and security settings.
  
• If you check the Delete personal settings checkbox, it will reset the home page(s), search providers and Accelerators to their default values. It will also delete the temp internet files, history, cookies, passwords and InPrivate Blocking data.
  
• When you have it set to reset the desired information, click the Reset button.
  
• Restart Internet Explorer.
  

[Maurice Naggar]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!