Infected With Virus - Registry Editor, Folder Options & System Restore Disabled.


Wow, looks like it worked. Thanks a lot.

I'm able to edit the registry, system restore and also folder options. But it looks like some of the viruses and spyware still exist.

I'm uploading the log files of the Malwarebytes scan, HijackThis and the exeHelper log.

Please let me know what i need to do to remove them completely.

Thanks,

Vinod.

Log_Files.zip


Attaching the log files with this post.

Below is the outline from the HijackThis and Rkill files.

Rkill

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Ran as Administrator on 07/20/2010 at 1:46:20.

Processes terminated by Rkill or while it was running:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp1dc16c39.exe

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2KKM3SYQ\rkill[1].exe

Rkill completed on 07/20/2010 at 1:46:57.

Malwarebytes

exehelperlog.txt

mbam_log_2010_07_18__23_36_14_.txt


Please do this:

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable. More info HERE
    They may interfere with the running of ComboFix.
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please let me know.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

5. Give it at least 20-30 minutes to finish if needed.

MrC


Try it this way:

Delete your copy of ComboFix and download a fresh one.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click combo-fix's window while it's running. That may cause it to stall**

MrC


For the wifi, look at the link below:

http://www.intel.com/support/wireless/wlan/sb/cs-025780.htm

--------------------------------

Do you recognize this folder?

c:\documents and settings\Administrator\Application Data\Quuvoc

You may have to enable hidden files to see it:

http://www.bleepingcomputer.com/tutorials/...al62.html#winxp

---------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::

c:\documents and settings\Administrator\Local Settings\Application Data\pojseupck

c:\documents and settings\Administrator\Local Settings\Application Data\brxlupopd

c:\documents and settings\NetworkService\Local Settings\Application Data\kcxgpxpdq

c:\documents and settings\Administrator\Local Settings\Application Data\fqbatuckd

c:\documents and settings\Administrator\Local Settings\Application Data\qubxoxiek

c:\documents and settings\Administrator\Local Settings\Application Data\wcyxvkloa

c:\documents and settings\Administrator\Application Data\Quuvoc

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot (in case it asks to reboot), it shall produce a log for you at C:\ComboFix.txt; please post it in your reply.

MrC


We want to delete these folders:

c:\documents and settings\Administrator\Local Settings\Application Data\pojseupck

c:\documents and settings\Administrator\Local Settings\Application Data\brxlupopd

c:\documents and settings\NetworkService\Local Settings\Application Data\kcxgpxpdq

c:\documents and settings\Administrator\Local Settings\Application Data\fqbatuckd

c:\documents and settings\Administrator\Local Settings\Application Data\qubxoxiek

c:\documents and settings\Administrator\Local Settings\Application Data\wcyxvkloa

As mentioned before, you may have to enable hidden files to see them.

If you can manually delete them, please do.

Also you didn't answer the question about this folder:

c:\documents and settings\Administrator\Application Data\Quuvoc

------------------------------------

Is your wireless adapter plugged into a USB port?

If so, please unplug it and plug another device (like a USB flash drive) into it and see if it is recognized and works.

MrC


Yeah, I have uninstalled and re-installed the wi-fi software and it is working fine now.

Also, I'm able to look into the folder 'C:\Documents and Settings\Administrator\Application Data\Quuvoc' and it is empty; there are no files or folders inside it.

I cannot see the files you have mentioned. I will copy them into the script as mentioned by you and run the script tonight.

Thanks,

Vinod.


OK, that's good news.

Please don't use ComboFix to run that script; use Avenger instead:

1. Please download The Avenger by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the Avenger folder to your desktop
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Folders to delete:
c:\documents and settings\Administrator\Local Settings\Application Data\pojseupck
c:\documents and settings\Administrator\Local Settings\Application Data\brxlupopd
c:\documents and settings\NetworkService\Local Settings\Application Data\kcxgpxpdq
c:\documents and settings\Administrator\Local Settings\Application Data\fqbatuckd
c:\documents and settings\Administrator\Local Settings\Application Data\qubxoxiek
c:\documents and settings\Administrator\Local Settings\Application Data\wcyxvkloa
c:\documents and settings\Administrator\Application Data\Quuvoc

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger.


Hello,

I have executed avenger.exe and the following is the content of the log file C:\avenger.txt

Note: Initially, I didn't include the command 'Folders to delete'; later on I included that and ran the script.

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)

Mon Jul 26 22:56:36 2010

22:56:36: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Folder "c:\documents and settings\Administrator\Local Settings\Application Data\pojseupck" deleted successfully.

Folder "c:\documents and settings\Administrator\Local Settings\Application Data\brxlupopd" deleted successfully.

Folder "c:\documents and settings\NetworkService\Local Settings\Application Data\kcxgpxpdq" deleted successfully.

Folder "c:\documents and settings\Administrator\Local Settings\Application Data\fqbatuckd" deleted successfully.

Folder "c:\documents and settings\Administrator\Local Settings\Application Data\qubxoxiek" deleted successfully.

Folder "c:\documents and settings\Administrator\Local Settings\Application Data\wcyxvkloa" deleted successfully.

Folder "c:\documents and settings\Administrator\Application Data\Quuvoc" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Thanks,

Vinod.

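The two posts above depend on the Avenger script format, and the log shows what happens when the directive line is left out. The checker below is an added example, not code from the forum or from The Avenger: it enforces the rule the pre-processor reported (the script must open with a command directive), knows only the two directives the thread names, and reports the double restart MrC warns about for "Drivers to Delete"; the sample scripts are constructed from paths already in the thread.

```python
# Added example, not from the forum or from The Avenger itself: a checker for
# the Avenger script format used in the posts above. It mirrors only the rule
# visible in the log (a script must open with a directive) and knows just the
# two directives the thread names; Avenger's full directive set is not modelled.

# Compared case-insensitively because the post writes "Drivers to Delete".
KNOWN_DIRECTIVES = {"folders to delete:", "drivers to delete:"}
# Same wording the Avenger pre-processor printed in the log above.
INVALID_SCRIPT = "Invalid script. A valid script must begin with a command directive."

def parse_avenger_script(text):
    """Return {directive: [entries]} or raise ValueError(INVALID_SCRIPT)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines are harmless
        key = line.lower()
        if key in KNOWN_DIRECTIVES:
            current = key
            sections.setdefault(current, [])
        elif current is None:
            # A path before any directive: exactly the failure in the log.
            raise ValueError(INVALID_SCRIPT)
        else:
            sections[current].append(line)
    if not sections:
        raise ValueError(INVALID_SCRIPT)  # an empty script is invalid too
    return sections

def expected_reboots(sections):
    """Per the post: a 'Drivers to Delete' block makes Avenger restart twice."""
    return 2 if sections.get("drivers to delete:") else 1

# Constructed sample scripts using paths already named in the thread.
SCRIPT_OK = """Folders to delete:
c:\\documents and settings\\Administrator\\Local Settings\\Application Data\\pojseupck
c:\\documents and settings\\Administrator\\Application Data\\Quuvoc
"""
# The first attempt from the log: the folder list with no directive in front.
SCRIPT_MISSING_DIRECTIVE = "c:\\documents and settings\\Administrator\\Application Data\\Quuvoc\n"

if __name__ == "__main__":
    ok = parse_avenger_script(SCRIPT_OK)
    print(ok, "reboots:", expected_reboots(ok))
    try:
        parse_avenger_script(SCRIPT_MISSING_DIRECTIVE)
    except ValueError as err:
        print("pre-processor would abort:", err)
```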

OK Great :)

To Uninstall ComboFix:

Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC
