
Security Shield Virus Blocks All Attempts To Root It Out


murrysdad


My wife's Dell laptop has the Security Shield Virus. Everything I've tried to kill it is thwarted. E.g. it lets MBAM install, update and run... the program runs for 30 or so seconds then shuts itself down. This also happens with RKILL. It also won't let me get into Safe w/ Networking, only Safe, so I can't restore. If you try to go into Safe w/ Networking it gives me a blue screen that says I have a virus, cheeky, eh... The operating system is Windows XP Pro.

Please help

Steve


Hi Georgi

I must have misread; I thought I had to wait 48 hours TO reply. My bad.

I sure do need help NOTHING is working. Below and attached are the requested logs.

I followed the instructions you referred me to. One thing that was not clear to me is whether I should be in regular or "safe" mode, so I tried both. In both cases the virus was able to impact or shut down the programs you had me run. The logs are below and attached.

Malwarebytes was terminated by the virus within 30 seconds. It lasted less in full Windows than in Safe Mode. DeFogger ran but never asked for the machine to be rebooted; is that from the virus? I rebooted.

DDS ran but felt truncated. GMER Rootkit Scanner ran for about a minute then abruptly terminated. I tried the instructions multiple times; the worst was when the machine gave me a screen that it was shutting itself down because it detected a virus.

Here is the part of the instructions you sent that has me confused and you may want to change:

NOTE: Please DO NOT post back to your post within the first 48 hours. Replying to your own posts changes the post count and will often cause helpers to think that you're already being helped and thus they won't open and look at your post. If no one has replied within 48 hours then please go ahead and either reply to your post or send a private message to a Moderator and let them know that you're still needing assistance.

Before I paste in the logs I want to personally thank you for what you all do. My wife has cancer and her laptop is her link to her doctors, friends, and family.

I will be out of town next week and won't be able to work with her machine until Friday - how do we handle that?

Thank you.

Steve

-----------------------

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 16:03 on 22/09/2011 (Administrator)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

----------------------------

.

DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL

Internet Explorer: 7.0.5730.13

Run by Administrator at 16:09:41 on 2011-09-22

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1775 [GMT -7:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\948985147:3298979783.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\Explorer.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Bar =

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070607

uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)

dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

dPolicies-system: DisableTaskMgr = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\scansoft\pdf professional 4.0\cnvres_eng.dll /100

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{AD6A90B9-6AED-4734-976A-27E93FC37186} : DhcpNameServer = 209.18.47.61 209.18.47.62

Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks enterprise solutions 8.0\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: igfxcui - igfxdev.dll

.

============= SERVICES / DRIVERS ===============

.

S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 151216]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]

S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2010-12-10 29262680]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys --> c:\windows\system32\drivers\rcvpn.sys [?]

S3 vvftav211;vvftav211;c:\windows\system32\drivers\vvftav211.sys [2010-8-14 480128]

S3 ZSMC30x;USB PC Camera Service ZSMC30x;c:\windows\system32\drivers\ZS211.sys [2010-8-14 1537280]

.

=============== Created Last 30 ================

.

2011-09-19 20:52:16 -------- d--h--w- c:\windows\PIF

2011-09-19 18:26:28 360448 ----a-w- c:\documents and settings\administrator\local settings\application data\kexnrpom.exe

2011-09-19 18:24:57 -------- d-----w- c:\documents and settings\administrator\application data\OpenCloud Security

2011-09-08 23:53:21 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7cd158e1-1faa-4299-a3f3-d0585783fa5e}\mpengine.dll

2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll

.

==================== Find3M ====================

.

2011-09-20 16:10:48 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: SAMSUNG_HM080HI rev.AB100-12 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A689790]<<

_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }

1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A8091F0]

3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8A782F08]

\Driver\00000691[0x8A782030] -> IRP_MJ_CREATE -> 0x8A689790

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x8A71F31B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 16:11:17.32 ===============

All of the above logs and the attachment were made in SAFE mode.

attach2.zip

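The DDS and GMER output above carries several indicators a responder would want to pull out automatically. The following is an added example, not part of the thread and not code from DDS, GMER or any other tool mentioned here: a small Python triage script that flags a process image living in an NTFS alternate data stream, the DisableTaskMgr policy, a freshly created executable under Application Data, and GMER's disk-driver hook and rootkit verdict. The sample log is constructed from lines posted above; the regexes and category names are my own.

```python
"""Triage a DDS / GMER log excerpt for the indicators seen in this thread.

Added example: this is not part of the forum post, nor code from DDS, GMER or
any other tool mentioned above. The regexes and category names are my own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log: a handful of lines copied from the DDS/GMER output
# posted above, trimmed to the parts the checks below care about.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\948985147:3298979783.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\Explorer.EXE
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
=============== Created Last 30 ================
2011-09-19 18:26:28 360448 ----a-w- c:\documents and settings\administrator\local settings\application data\kexnrpom.exe
2011-09-19 18:24:57 -------- d-----w- c:\documents and settings\administrator\application data\OpenCloud Security
=================== ROOTKIT ====================
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A71F31B
Warning: possible TDL3 rootkit infection !
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # indicator category (names chosen here, not DDS/GMER terms)
    evidence: str  # the log line that triggered it


# DDS section banners look like "====== Running Processes ======".
SECTION = re.compile(r"^=+\s*(.+?)\s*=+$")
# A second colon after the drive letter means the process image lives in an
# NTFS alternate data stream, as with C:\WINDOWS\948985147:3298979783.exe above.
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:\r\n]*:[^\\:\r\n]+$")
# Policies that lock the operator out of their own tools (DisableTaskMgr = 1 in the log).
LOCKOUT_POLICY = re.compile(r"^dPolicies-system: (DisableTaskMgr|DisableRegistryTools) = 1\b")
# "Created Last 30" entry for an .exe dropped under a profile's Application Data.
DROPPED_EXE = re.compile(
    r"^\d{4}-\d{2}-\d{2} [\d:]+ \d+ [-a-z]+ (.*\\application data\\.*\.exe)$", re.I)
# GMER's reported hook on a disk driver's StartIo routine, and its verdict line.
DRIVER_HOOK = re.compile(r"^\\Driver\\\S+ DriverStartIo -> 0x[0-9A-Fa-f]+$")
ROOTKIT_WARNING = re.compile(r"^Warning: possible .* rootkit infection", re.I)


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, tracking the current DDS section, and collect findings."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":       # DDS pads sections with lone dots
            continue
        banner = SECTION.match(line)
        if banner:
            section = banner.group(1).lower()
            continue
        if section == "running processes" and ADS_PATH.match(line):
            findings.append(Finding("ads-process", line))
        elif LOCKOUT_POLICY.match(line):
            findings.append(Finding("tool-lockout-policy", line))
        elif section == "created last 30" and DROPPED_EXE.match(line):
            findings.append(Finding("dropped-exe", line))
        elif section == "rootkit" and DRIVER_HOOK.match(line):
            findings.append(Finding("driver-hook", line))
        elif section == "rootkit" and ROOTKIT_WARNING.match(line):
            findings.append(Finding("rootkit-warning", line))
    return findings


def kernel_tampering(findings: list[Finding]) -> bool:
    """True when the log shows the disk stack or a process image has been hijacked.

    That is the situation the reply in this thread treats as grounds to keep the
    machine offline, change passwords from a clean host and consider a rebuild.
    """
    serious = {"ads-process", "driver-hook", "rootkit-warning"}
    return any(f.kind in serious for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<20} {f.evidence}")
    print("kernel-level tampering:", kernel_tampering(triage(SAMPLE_LOG)))
```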

Before I paste in the logs I want to personally thank you for what you all do. My wife has cancer and her laptop is her link to her doctors, friends, and family.

I will be out of town next week and won't be able to work with her machine until Friday - how do we handle that?

Hi Steve,

I am truly sorry to hear that. I can only imagine her stress level at the moment.

I hope your wife will recover quickly and everything will be fine as soon as possible.

Real life is the most important thing, everything else can wait.

And don't worry, the topic will remain open as long as needed.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

IMPORTANT NOTE: One or more of the identified infections is related to the rootkit ZeroAccess. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:

Please download ComboFix from the link below:

Combofix

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
  • Double click it & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

Regards,

Georgi


Hi Georgi,

Thank you for your kind thoughts and consideration. This month marks the 1 year anniversary of my wife's stem cell transplant. In two weeks she will have a biopsy to confirm she is in remission. I pray a lot but I believe she is ok.

Digging out this virus is quite a chore; the folks that wrote it seem to be one step ahead of you good guys.

Today I followed your last set of instructions. The virus wouldn't let me get to the Microsoft Security control panel to shut it off. I hope I didn't do anything wrong, but I installed a new copy of Microsoft Security and didn't run it, hence it let me get to the control panel where I shut off everything.

I rebooted the system and the virus went nuts telling me to turn on the security. Instead I ran Combofix from a thumb-drive. It ran. It did tell me I don't have Microsoft Windows Recovery Console, which I am 99% sure I have as System Restore shows up in my Start menu, and I couldn't log on to the internet to download (the internet is now working).

I kept running Combofix past that warning and past other warnings that showed up. Combofix has run all the way through except:

It rebooted the machine but now won't shut itself off; instead I get a "dumphive.3xe Application error". I don't know if it is virus related so I haven't clicked on OK to "terminate" or Cancel to "debug".

The Combofix log was not at c: but a Combofix fix folder was. Inside was the Combofix.txt file which is attached.

There is now an icon on my desktop for "catchme.log". I don't remember if it's from another program we ran or from the virus, so I'm staying away from it.

Please advise what to do next. The internet is currently running so I can download the Windows Recovery Console if need be.

Thank you and all my best.

Steve


Hi Steve,

I am glad to hear there is some improvement with your wife and the computer. :)

I wish the best of luck to you and your wife.

The combofix log is cut off. Can you please repost it?

Is this a laptop PC? If so, could you please tell me the exact model of your laptop?

We need to download and reinstall the programs that were deleted by Combofix (since they were infected by the rootkit):

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Please navigate to C:\Qoobox and attach the "Add-Remove programs.txt" in your next reply.

Next:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application.
    image000q.png
  • Click the Start Scan button.
    19695967.jpg
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:
    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Virustotal

When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\csrss.smk

Note: if VT says these files have already been analysed, make sure you click "Reanalyse file now".

Please post back the results of the scan in your next post.

If Virustotal is busy, try the same at Virscan: http://virscan.org/

Regards,

Georgi


Hi Georgi

The combofix log is cut off. Can you please repost it?

Combofix didn't finish creating the log when I got a "dumphive.3xe Application error". I don't know if it is virus related so I didn't click on OK to "terminate" or Cancel to "debug".

Do you want me to re-run combofix?

Is this a laptop PC? If so, could you please tell me the exact model of your laptop?

It's a laptop, Dell Latitude D0830.

We need to download and reinstall the programs that were deleted by Combofix.

Qoobox is attached

I'm holding off on the next steps you sent until I hear from you.

Thank you.

Steve

Add-Remove Programs.txt


Hi Steve, :)

Combofix didn't finish creating the log when I got a "dumphive.3xe Application error". I don't know if it is virus related so I didn't click on OK to "terminate" or Cancel to "debug".

Do you want me to re-run combofix?

Not now. We'll run a CFScript to clean some remnants a bit later.

It's a laptop Dell Latitude D0830

That information is enough. Thanks !

Please visit the DELL website and download and install the following drivers and applications:

Intel® PRO/Wireless 3945ABG Network Connection

SIGMATEL STAC 92XX C-Major HD Audio

Java 6 Update 27

I can't find a valid download link for those two programs:

QuickBooks Enterprise Solutions: Contractor Edition 8.0

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

and

Microsoft SQL Server 2005

Microsoft SQL Server 2005 Express Edition (ACT7)

Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)

Microsoft SQL Server Native Client

Microsoft SQL Server Setup Support Files (English)

Microsoft SQL Server VSS Writer

C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

If you have their installers please re-install them.

Next please proceed with TDSSkiller, junction and Virustotal as described in my previous post.

Thanks !

Regards,

Georgi


Hi Steve,

STEP 1

Please download GrantPerms.zip and save it to your desktop.

Unzip the file and run GrantPerms.exe

Copy and paste the following in the edit box:

c:\Documents and Settings\Administrator\Desktop\rkill.exe

c:\Documents and Settings\Administrator\Desktop\sm021hnn.exe

c:\Documents and Settings\Administrator\Desktop\uSeRiNiT.exe

c:\Documents and Settings\Administrator\Desktop\malewear\it7k0n8m.exe

c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\CacheManager\MpScanCache-1.bin

c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware(2)\Scans(2)\History(2)\CacheManager(2)\MpScanCache-0.bin

c:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine

c:\Program Files\Malwarebytes' Anti-Malware\explorer.exe

c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

c:\Program Files\Malwarebytes' Anti-Malware\stuff.exe

c:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

c:\TEMP\hsperfdata_scottk\5908

c:\WINDOWS\system32\MRT.exe

Click Unlock. When it is done click "OK".

Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

STEP 2

Delete your copy of Combofix and download a fresh one from here.

Save it to your desktop but do not run it yet! <--- important!!!

We need to execute a CFScript to clean some remnants.

Please do this:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

2. Open notepad => navigate to format and make sure that wordwrap is unchecked. <--- important !!!

3. Copy/paste the text in the codebox below into it:


http://forums.malwarebytes.org/index.php?showtopic=95788

KILLALL::
Collect::
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\csrss.smk
C:\WINDOWS\pss\csrss.smkStartup
DirLook::
C:\WINDOWS\pss
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000000
"TermService"=dword:00000000
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001

4. Save this as CFScript.txt, in the same location as ComboFix.exe

3734364_B.gif

5. Close any open browsers.

6. Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Also reply back to let me know how things are going.

Regards,

Georgi


Hi Steve,

The link to the image was expired. I fixed it.

Please refresh the page.

Sorry for the inconvenience.

I forgot to mention the following:

6. When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.

  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue screen will appear, auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Successful".

**NOTE**

  • IF for some reason Combofix fails to upload anything you will see this message:
  • Please double-click this file: C:\CF-Submit.htm and follow the instructions there to upload that zipped file.

CF_UploadFailed.gif

Regards,

Georgi


Hi Steve,

We need to uninstall MSE temporarily because it will conflict with our tools.

You can reinstall it at the end of the cleaning process.

Click "start" on the taskbar and then click on the "Control Panel" icon.

Please doubleclick the "Add or Remove Programs" icon

A list of programs installed will be "populated"; this may take a bit of time.

If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Microsoft Security Essentials

Additional instructions can be found here if needed.

Please leave it uninstalled until the computer is clean as we may have more work to do.

Just make sure you only connect to the net while running combofix or to download tools I request or you could get reinfected.

Regards,

Georgi


Hi Steve, :)

STEP 1

Run a scan with Malwarebytes - you should be able to do this after the permissions have been restored.

I see you have Malwarebytes' Anti-Malware installed on your computer.

Please start the application by double-clicking on its icon.

Once the program has loaded go to the UPDATE tab and check for updates.

When the update is complete, select the Scanner tab

Select Perform quick scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad.

Please save it to a convenient location and post the results in your next reply.

STEP 2

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the RUN ESET ONLINE SCANNER button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    7. Now click on Advanced Settings and select the following:

        • Scan for potentially unwanted applications
        • Scan for potentially unsafe applications
        • Enable Anti-Stealth Technology

  4. Push the Start button.
  5. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  6. When the scan completes, push esetListThreats.png
  7. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  8. Push the esetBack.png button.
  9. Push esetFinish.png

STEP 3

We need to run an OTL Custom Scan

  1. Please download OTL from the link below:
  2. Save it to your desktop.
  3. Double click on the OTL.exe icon on your desktop.
  4. OTL should now start. Change the following settings:

    - Click on the Scan All Users checkbox given at the top.
      46625204.png
    - Under File Scans, change File age to 90
    - On the upper right be sure Use Company-Name WhiteList, Skip Microsoft Files and Use No-Company-Name-Whitelist are checked
    - Check the boxes beside LOP Check and Purity Check

  5. Copy and Paste the following code into the customFix.png textbox.

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\Application Data\*.*
    %USERPROFILE%\Local Settings\Application Data\*.*
    %AllUsersProfile%\*.*
    %AllUsersProfile%\Application Data\*.*
    %USERPROFILE%\My Documents\*.*
    %CommonProgramFiles%\*.*
    %PROGRAMFILES%\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s

  6. Push the run scan button.
  7. Two reports will open, copy and paste them in a reply here:

    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Regards,

Georgi


Hi Steve,

STEP 1

Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Open Erunt.exe. Follow the prompts leaving the values at default.

STEP 2

We need to run an OTL Fix

  1. Please reopen otlDesktopIcon.png on your desktop.
  2. Copy and Paste the following code into the customFix.png textbox. Do not include the word "Code"

    :OTL
    PRC - [2009/05/29 12:19:52 | 000,126,976 | ---- | M] (CrypKey (Canada) Ltd.) -- C:\WINDOWS\system32\Crypserv.exe
    SRV - [2009/05/29 12:19:52 | 000,126,976 | ---- | M] (CrypKey (Canada) Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Crypserv.exe -- (Crypkey License)
    DRV - [2009/06/12 17:07:44 | 000,020,742 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\ckldrv.sys -- (NetworkX)
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
    O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
    MsConfig - StartUpFolder: C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^csrss.smk - - File not found
    [2010/06/18 10:34:51 | 000,000,004 | ---- | C] () -- C:\WINDOWS\vx86036.dat
    [2010/06/18 10:34:32 | 000,000,035 | ---- | C] () -- C:\WINDOWS\Crypkey.ini
    [2010/06/18 10:34:28 | 000,027,648 | R--- | C] () -- C:\WINDOWS\Setup_ck.exe
    [2010/06/18 10:34:28 | 000,020,742 | ---- | C] () -- C:\WINDOWS\System32\Ckldrv.sys
    [2010/06/18 10:34:28 | 000,018,432 | ---- | C] () -- C:\WINDOWS\Setup_ck.dll
    [2010/06/18 10:34:28 | 000,011,776 | ---- | C] () -- C:\WINDOWS\Ckrfresh.exe
    :files
    C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\2\429aa6c2-40093ff3
    C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\57\22c9cd39-27e9b495
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\SeaMonkey\Profiles\d2gb0vlf.default\Cache(2)\6DAD41B2d01
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\SeaMonkey\Profiles\d2gb0vlf.default\Cache(2)\FE456542d01
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CPM9R3HS\warning[1].gif
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KO00H427\warning[1].gif
    C:\WINDOWS\system32\Crypserv.exe
    dir /s /a "c:\WINDOWS\$NtUninstallKB21658$" /c
    netsh winsock reset catalog /c
    ipconfig /flushdns /c
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall"=dword:00000001
    :commands
    [emptyflash]
    [emptytemp]


  3. Push the Run Fix button.
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK.
  6. A report will open. Copy and Paste that report in your next reply.

STEP 3

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

-- If you encounter any problems, try running GMER in safe mode.

-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

STEP 4

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

You need to reinstall CrypKey. The program was infected/patched and I deleted it.

Did you reinstall those programs?

Intel® PRO/Wireless 3945ABG Network Connection

SIGMATEL STAC 92XX C-Major HD Audio

Java 6 Update 27

You have some leftovers of Norton. Run the Norton Removal Tool 2012.0.0.19 to remove them all.

Regards,

Georgi

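The OTL fix above is built from report lines in OTL's own `[date | size | attrs | M/C] (publisher) -- path` format. As an added example (not from this thread, OTL or Malwarebytes), the following Python parses lines in that format and flags what a helper typically looks at first: files with no publisher/version info, files created on or after a cutoff date, and startup entries that point at files which no longer exist. The sample lines are constructed in that format.

```python
import re
from datetime import date

# Constructed sample lines in the OTL report format used in the fix above
# (modelled on those entries, not copied from the user's actual logs).
SAMPLE_OTL = r"""
PRC - [2009/05/29 12:19:52 | 000,126,976 | ---- | M] (CrypKey (Canada) Ltd.) -- C:\WINDOWS\system32\Crypserv.exe
[2010/06/18 10:34:51 | 000,000,004 | ---- | C] () -- C:\WINDOWS\vx86036.dat
[2010/06/18 10:34:28 | 000,027,648 | R--- | C] () -- C:\WINDOWS\Setup_ck.exe
MsConfig - StartUpFolder: C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^csrss.smk - - File not found
"""

# [PRC - ][yyyy/mm/dd hh:mm:ss | size | attrs | M|C] (publisher) [state] -- path [-- (name)]
ENTRY = re.compile(
    r"^(?:(?P<kind>[A-Z]{3}) - )?"
    r"\[(?P<date>\d{4}/\d{2}/\d{2}) \d{2}:\d{2}:\d{2} \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<flag>[MC])\] \((?P<company>.*?)\)(?: \[[^\]]*\])?"
    r" -- (?P<path>.+?)(?: -- \(.*\))?$"
)
# Startup-folder entries whose target file is gone (OTL writes '^' for '\').
MISSING_STARTUP = re.compile(
    r"^MsConfig - StartUpFolder: (?P<path>.+?) - - File not found$", re.M)

def _ymd(s):
    """Turn OTL's yyyy/mm/dd into a date."""
    return date(*map(int, s.split("/")))

def parse_entries(text):
    """Yield one dict per line that matches the OTL entry format."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            e = m.groupdict()
            e["date"] = _ymd(e["date"])  # C = created, M = modified timestamp
            yield e

def triage(text, cutoff):
    """Return {path: [reasons]} for entries worth a closer look; cutoff is yyyy/mm/dd."""
    findings = {}
    for e in parse_entries(text):
        reasons = []
        if not e["company"]:  # OTL prints () when the file carries no version info
            reasons.append("no publisher/version info")
        if e["flag"] == "C" and e["date"] >= _ymd(cutoff):
            reasons.append("created on/after %s" % cutoff)
        if reasons:
            findings[e["path"]] = reasons
    for m in MISSING_STARTUP.finditer(text):
        path = m.group("path").replace("^", "\\")
        findings[path] = ["startup entry points to a missing file"]
    return findings
```

Run `triage(SAMPLE_OTL, "2010/06/01")` to get the two unsigned, freshly created files under C:\WINDOWS and the orphaned csrss.smk startup entry, while the signed CrypKey process is left alone.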

Hi Steve and Aundrea, :)

Logs are attached. Security Check did not produce a log. It also did not report finding anything.

This is odd. I asked the developer about that.

Maybe it's related with the WMI Repository.

I have not reinstalled any of the missing files. Is that critical to proceed?

No...you can reinstall them at the end of the cleaning process.

I would suggest you to reinstall the following drivers:

Intel® PRO/Wireless 3945ABG Network Connection

SIGMATEL STAC 92XX C-Major HD Audio

Those depend on your choice - if you use them, reinstall them (it's your call).

QuickBooks Enterprise Solutions: Contractor Edition 8.0

Microsoft SQL Server 2005

CrypKey

Those programs are critical to your security and need to be updated:

Upgrading Java:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME.

Upgrading Java :

  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 27.
  • Click the JDK 6 Update 27 JRE "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u27-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel > Programs, click on Uninstall a program and remove all older versions of Java.
    Java 6 Update 20
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u27-windows-i586.exe and select "Run as an Administrator.")

Your Adobe Reader is out of date.

Older versions may have vulnerabilities that malware can use to infect your system.

Please download Adobe Reader X to your PC's desktop.

* Uninstall Adobe Reader 8.1.2 via Start => Control Panel > Add/Remove Programs

* Install the new downloaded updated software.

Note: The McAfee Security Scan and Google Chrome are prechecked. You may wish to uncheck them before downloading.

Note: Adobe Reader X is a large program and if you prefer a smaller program you can get Foxit Reader 5x instead.

Foxit Reader 5x offers 5 levels of security. Click Me for more information.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Registry Editor / Cleaner Warning !!

The following is referring to CCleaner.

Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:

  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.

This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.

If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.

For more information about why you should avoid using such programs, please take a look here => Registry Cleaners and System Tweaking Tools

Delete your copy of Combofix and download a fresh one from here.

Save it to your desktop but do not run it yet! <--- important !!!

We need to execute a CFScript to clean some remnants.

Please do this:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

2. Open Notepad => navigate to Format and make sure that Word Wrap is unchecked. <--- important !!!

3. Copy/paste the text in the codebox below into it:


KILLALL::
Folder::
c:\WINDOWS\$NtUninstallKB21658$

4. Save this as CFScript.txt, in the same location as ComboFix.exe

[screenshot: dragging CFScript.txt onto ComboFix.exe]

5. Close any open browsers.

6. Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Also reply back to let me know how things are going.

Regards,

Georgi


Hi Georgi,

Java removed and updated, but not without incident: the installer gave me a "wrapper.createfile error 5".

Adobe Reader removed and updated

CCleaner is history! :)

ComboFix was not without incidents: it still tells me that Microsoft Security is running (it's been removed), and I get a couple of Dumphive.exe errors, which I ignore. The full log is attached.

We can't believe you are doing all this - but we sure are thankful...

Steve and Aundrea

ComboFix 11-10-02.03.txt
