
Katusha.A, BackDoor.Generic14.ANAA and Rootkit.0Access


cmlion


AVG said yesterday I'm dealing with Trojan horse BackDoor.Generic14.ANAA and "Virus identified Win32/Katusha.A".

MBAM said Files Infected:"c:\WINDOWS\system32\drivers\cdrom.sys (Rootkit.0Access) -> Quarantined and deleted successfully."

My MBAM could not reinstall, AVG has problems with Identity Protection.

The worst part was when, for a couple of hours (8 hours), I could not type with my laptop keyboard! Incredible!

Then, in safe mode, I used AVG (only with the mouse) and a removal tool from Kaspersky, setup_11.0.0.1245.x01_2011_10_22_23_42.exe,

returned to Windows normal mode, MBAM ran and seemed to get rid of Katusha.

No threats with MBAM, AVG or Spybot.

But after 4 online hours, terror again:

AVG says again:

Trojan Horse Generic25.AKAG

Backdoor.Generic14.AVBQ

and again Katusha and BackDoor.Generic14.ANAA

ESET Online says what you can see in the attached ESET_23.10.2011.txt.

Rootkit Unhooker LE says: RKU_23.10.2011.txt

MBRCheck says: MBRCheck_10.23.11_17.32.08.txt and, as I saw in another topic, mbrdump.dat.txt (because mbrdump.dat alone doesn't work at upload time).

Please help

I forgot this:

ESET_23.10.2011.txt

RKU_23.10.2011.txt

MBRCheck_10.23.11_17.32.08.txt

mbrdump.dat.txt

ComboFix.txt


  • Root Admin

STEP 01

Uninstall all versions of Java

STEP 02

For now please temporarily fully uninstall your AVG Anti-Virus and reboot.

STEP 03

Download and install this Free 30-Day Trial of Kaspersky Anti-Virus 2012

Update it and do a Full Scan with it and send me back the log

STEP 04

Disable both Skype and Yahoo messenger from loading on startup for now.

STEP 05

Click on START - RUN and type in MSCONFIG and select NORMAL and click OK and immediately restart the computer.

STEP 06

Please download the following tool, unzip it, run the program and post back the results (you'll need to provide a screenshot).

DHCP Rogue Checker


I'm here again. I tried this for the update process:

http://support.kaspersky.com/kav2012/settings/update?qid=208284619

And I tried to do a manual update.

You can see the attachments and:

"License number:11A4-00572-1380A98D

Status Invalid

License type:trial for 1 computer for 30 days

License problem detected.

Expiration date:30.11.2011

Update is anavailable. Reinstall the aplication"


  • Root Admin

Did not expect that and have not run into that issue before myself, but there's no sense in dragging you into some licensing issue with Kaspersky.

Please go ahead and uninstall it. Then run the following online scan and send back the results.


Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic


Are you still having any issues or indications of an infection?

Before you kindly pointed me here, I ran AVG and the result was:

;"C:\WINDOWS\system32\drivers\netbt.sys";"Trojan horse BackDoor.Generic14.BGEY";"Object is white-listed (critical/system file that should not be removed)"

I removed netbt.sys and then I downloaded a new version of netbt.sys. It seems there is no more backdoor.

MBAM also ran without threats. But I'm very afraid I'm in a situation with no threats but very vulnerable.

Please download a new fresh version of Combofix and run it as before and send me back the new log.

Regarding ComboFix, I downloaded a new version from the ComboFix servers and ran it. You have the attachment.

After that I uninstalled ComboFix.

log_combofix.txt


  • Root Admin

What to do with Java, Skype, mes? Why should I uninstall Java?

Because these plugins are very often targeted for old compromised code that makes it easy to infect your computer. Once all is back working normally you can install the latest versions.

Notice this error.

Cryptography Services Error !!

I'm concerned that you're either still infected, or at the least your Cryptography service for one reason or another is not functioning correctly.

Please uninstall all of the Anti-Virus products for now.

Is this computer on a work network?

It now shows another DHCP server once again providing information to the computer.

IP address: 213.154.124.1

Host name: dns1.rcs-rds.ro

213.154.124.1 is from Romania(RO) in region Eastern Europe

Please do a Factory Reset on your Router. Then ensure you also provide the router with a strong password on the Admin account.

If you have access to another clean computer that can burn a CD then I recommend you download and run the following offline scanning tool from Kaspersky.

Kaspersky RescueDisk

If you need a FREE utility to properly burn the ISO image: ImgBurn

How to write an image file to a disc with ImgBurn


Because these plugins are very often targeted for old compromised code that makes it easy to infect your computer. Once all is back working normally you can install the latest versions.

ok

Notice this error.

Cryptography Services Error !!

I'm concerned that you're either still infected, or at the least your Cryptography service for one reason or another is not functioning correctly.

Where is this error?

Please uninstall all of the Anti-Virus products for now.

Now I uninstall ESET. It is the only one. I also have MBAM.

Is this computer on a work network?

No, it is my personal laptop. Because the TCP/IP stack is compromised (see all the topics in forums; nobody can reinstall this stack) I gave it a static IP, and the internet can work

(the DHCP service could not be started, nor could TCP/IP).

It now shows another DHCP server once again providing information to the computer.

IP address: 213.154.124.1

Host name: dns1.rcs-rds.ro

213.154.124.1 is from Romania(RO) in region Eastern Europe

Please do a Factory Reset on your Router. Then ensure you also provide the router with a strong password on the Admin account.

OK, I'll do that tonight.

If you have access to another clean computer that can burn a CD then I recommend you download and run the following offline scanning tool from Kaspersky.

Kaspersky RescueDisk

If you need a FREE utility to properly burn the ISO image: ImgBurn

How to write an image file to a disc with ImgBurn

OK, I will do that!

Thanks a lot


I tried to make that KAV CD, but it seems that, as in the case with KAV that I told you about some days ago, the database is obsolete. I could not run the task, as you see in the attachments.

Something is corrupting the databases. Maybe I still have the virus and for that reason I could not run everything that is from Kaspersky.

I'm thinking to remove directory C:\Kaspersky Rescue Disk 10.0 and try again.

On the other hand, last night when I shut down the computer I received the message asking whether I'm sure what I'm doing because another person is logged on to my computer. Is this a false alarm or is it true?


A.

Try creating a new KAV Rescue Disk 10 from a CLEAN computer.

I created a new one from a new computer, but the behaviour is the same. In fact, what I observed:

1) Booting from the DVD results in a menu with KAV in graphic mode, text mode, etc.

2) I picked the first one, graphic mode, and waited half an hour with a black screen (the same behaviour as yesterday).

3) Then I reset and chose text mode, which resulted in a screen something like Norton Commander, and typed an "X" to exit to graphic mode.

4) This time the screen with KAV RD in graphic mode appeared, but when I clicked on scan, the message that the database is altered appeared again.

The issue is not what you said, regarding whether the update passed or not; the issue is the fact that the existing, not updated database is altered and I cannot scan.

Then just scan with it, don't tell it to update. It should be able to run without an update.

As I told you before, I didn't tell it to update, and it was not able to run.

B.

You said:

"It now shows another DHCP server once again providing information to the computer.

IP address: 213.154.124.1

Host name: dns1.rcs-rds.ro

213.154.124.1 is from Romania(RO) in region Eastern Europe"

You said another. Which was the one in the past and which is the DHCP in the present??


  • Root Admin

Right here in your last Combofix log it has it listed.

TCP: DhcpNameServer = 213.154.124.1 192.168.0.1

If you check that IP address you see it is not valid unless perhaps you live there in Romania.

Trying the KAV Rescue Disk was just an idea. We can try other tools.

STEP 01

Please try doing a FACTORY RESET on your router. Typically most home routers have a small pin hole that you can insert a paper clip and hold for a few seconds to reset it. You can also logon to the router and do a factory reset from within the router web pages. Check the support site for your router if needed.

STEP 02

Download and run this Unhide tool

STEP 03

Please use TFC to clear temporary files:

Run TFC by OldTimer to clear temporary files:

  • Please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

STEP 04


Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

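The check the Root Admin does by eye above (spotting a DHCP-supplied name server outside the home network in the ComboFix log) can be scripted. This is an added example, not part of the thread or of ComboFix: it parses constructed log lines in the same `TCP: DhcpNameServer = ...` format and flags any resolver that is neither a private address nor on an allow-list of the ISP's known resolvers, which is the caveat the thread raises for a user who really does live in Romania.

```python
import ipaddress
import re

# Constructed sample lines in the style of a ComboFix log; not the poster's actual log.
SAMPLE_LOG = """\
TCP: DhcpNameServer = 213.154.124.1 192.168.0.1
TCP: Interfaces\\{PLACEHOLDER-GUID}: NameServer = 192.168.0.1
DNS: DhcpNameServer = 8.8.8.8
"""


def parse_name_servers(log_text):
    """Return {log_line: [ip_address, ...]} for every '... NameServer = ...' line."""
    found = {}
    for line in log_text.splitlines():
        match = re.search(r'NameServer\s*=\s*(.+)$', line)
        if not match:
            continue
        ips = []
        for token in match.group(1).split():
            try:
                ips.append(ipaddress.ip_address(token))
            except ValueError:
                continue  # ignore anything that is not an IP literal
        found[line.strip()] = ips
    return found


def flag_unexpected(servers, allowed_public=()):
    """Flag resolvers that are neither private (RFC 1918, loopback, link-local)
    nor in the caller's allow-list of known ISP resolvers.

    allowed_public: iterable of IP strings the user has confirmed belong to
    their ISP (hypothetical input; the thread's 213.154.124.1 would go here)."""
    allowed = {ipaddress.ip_address(a) for a in allowed_public}
    flagged = []
    for line, ips in servers.items():
        for ip in ips:
            if not ip.is_private and ip not in allowed:
                flagged.append((line, str(ip)))
    return flagged


if __name__ == "__main__":
    servers = parse_name_servers(SAMPLE_LOG)
    for line, ip in flag_unexpected(servers, allowed_public=("213.154.124.1",)):
        print(f"unexpected resolver {ip} in: {line}")
```

A hit only means the resolver was not one the user recognises; confirming it against the ISP's published resolvers is the step that separates a rogue DHCP server from a normal one.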

OK, I'll do that at home.

At the router I have 2 passwords, let's say:

1. the admin one, which you said to change;

2. another one for encryption reasons (the encryption key). Do I have to change that too?

You're right about Romania, I live there. So does the issue remain in those conditions?

I have TCP: DhcpNameServer = 213.154.124.1 192.168.0.1 but you said, if I understand correctly, that the IP address of the DHCP name server is changeable.

I think there is only one (213.154.124.1). Or it is possible for my ISP to change it. We have 2 addresses: that one set in the router and maybe another one given to me by the ISP.

I'm sorry, KAV is not working; I tried 3 DVDs.

Thanks


Download and run this Unhide tool

Why Unhide, for TFC or for ESET??

STEP 03

Please use TFC to clear temporary files:

I did it. No more temps to delete because I ran CCleaner previously.

Next, please run a free online scan with the ESET Online Scanner

I used Mozilla

No threats!!!
