
Katusha.A, BackDoor.Generic14.ANAA and Rootkit.0Access


cmlion


No, I don't want to follow my own directions.

I did what you wanted me to do regarding Unhide, TFC and ESET. Now I did a scan from IE and not from Mozilla as I did before. Sorry!

I asked you why to unhide? For ESET reasons?

Now I'm writing to you from my desktop computer, which is also linked to my home wireless router.

I will reset the router now because I want to have, until now, a connection with you with no surprise.

Of course I want you to tell me what to do next because I don't want to live with a virus. Or maybe formatting the C partition will be the only solution, one I do not want to apply.

Again thank you very much for your kindness and professionalism

logeset.txt


  • Root Admin

I wanted you to run Unhide as a safety precaution before running TFC.EXE because there are some infections that will move your files to the temporary file location and TFC would then delete them.

Okay, I don't think you are infected at this time.

I'm guessing that the only time you're getting an IP block is when Skype is running.

What might normally be a bad IP address for many users around the World could possibly be okay because you do live in Romania.

Please locate the MBAM Protection Logs located here and post back the 3 newest/latest versions.

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

If you don't have Skype running do you still get any IP blocks at this time?


Do you want me to reset the router again, or is it enough just to change the router password and key passphrase?

On the other hand, I do not know what you mean by IP Block? When Skype is running!!!

You said before to disable Skype and YM but they are not disabled in startup programs (??!)

Where do I have to look to see where these IP blocks are???

I will send you the next post the MBAM logs.

But more important thing is:

what about cryptographic issues in combofix logs? How to fix them?

What do I have to do to start DHCP service, TCP, etc. They don't want to start.

As I told you before, I do not use right now an IP given by DHCP but a static one set by me in the wireless TCP/IP properties.

Thanks, and I like very much your approaches


  • Root Admin

Okay let's start over a bit as I think we're out of sync here. For now don't touch the router.

Please do the following.

STEP 01

Please download a new fresh copy of Combofix and run it as before and post back the new log when done and let's see what it says now.

I think the Cryptography issue was already fixed, but just to make sure.

Combofix download

STEP 02

Download the attached GetNetworkInfo2.zip file to your desktop.

STEP 03

Set your Network connection to DHCP and then reboot. If you need directions how please let me know.

STEP 04

Now open the GetNetworkInfo2.zip file and double-click the QueryServices2.bat file and post back the NetworkDetails2.txt file it will create in the root of your drive on your next reply.

Hopefully it will help us to figure out what might be causing DHCP to not work.

GetNetworkInfo2.zip


I was liable (owed) with the MBAM logs. Unfortunately I do not have the directory Logs there. But I have one in

C:\Documents and Settings\m\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

I send you the newest 3, but I have 10 logs from Oct 2011, 10 logs from 2011 and 4 logs from 2010.

I send you the 6 ones you asked me for, but I'm not so sure they are more relevant.

mbam-log-2011-10-29 (14-22-37).txt

mbam-log-2011-10-31 (21-47-02).txt

mbam-log-2011-10-27 (21-09-46).txt

mbam-log-2010-06-16 (23-29-52).txt

mbam-log-2010-07-12 (19-47-24).txt

mbam-log-2010-09-18 (13-01-23).txt


STEP 01

Please download a new fresh copy of Combofix and run it as before and post back the new log when done and let's see what it says now.

I think the Cryptography issue was already fixed, but just to make sure.

You have it in the attachment.

STEP 02

Download the attached GetNetworkInfo2.zip file to your desktop.

You didn't give me any link to this!!!!! But I have one on my computer and gave it a try. You have the attachment.

STEP 03

Set your Network connection to DHCP and then reboot. If you need directions how please let me know.

I set it to obtain an IP address automatically,

but at "Use the following DNS server addresses:" I left the former IP address (208.67.222.222).

I lost internet connectivity and ran QueryServices2.bat.

I set the IP to a static one and now I'm on the internet.

ComboFix.txt

NetworkDetails2.txt


  • Root Admin

This Combofix log no longer shows the Cryptography error as it was fixed in a previous run.

Please download the attached GetNetworkInfo2.zip file above (I forgot to attach it before).

Save it to your desktop. Then change your network settings to DHCP and reboot. You will not have Internet access but that's okay.

I need you to run the batch file again while DHCP is enabled.

Then when done you can reset it to manual to gain Internet access again.


  • Root Admin

I've removed the post from Joejitsu

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :reg
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


  • Root Admin

That's okay.

Please review the following site and run the System File Checker

Basically something has removed all the settings for the NetBT entry. This procedure may not actually correct it but it should find and install or replace invalid system files for you.

If it does not correct the DHCP issue then you will probably need to download the complete network card driver software from the MFG website.


1) What is the MFG website?

2) scannow /sfc is asking for the Windows XP SP3 CD, but as I told you I have just Windows XP SP2.

3) Ok, I ran scannow /sfc with my CD and things seem to run all right,

but the DHCP service still could not be started and we got the error:

"Error 1075 The dependency service does not exist or has been marked for deletion"
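Error 1075 is what the Service Control Manager returns when a service's DependOnService list names a service whose registry entry no longer exists or can no longer be started. As an added diagnostic (not one of the tools posted in this thread and not from either participant), the PowerShell script below walks the dependency chain of the DHCP Client service and reports any dependency whose entry under HKLM\SYSTEM\CurrentControlSet\Services is missing or lacks an ImagePath/Start value. The service name Dhcp and the standard Services registry layout are assumptions about a default Windows install.

```powershell
# Added diagnostic for "Error 1075" (not from the thread): find which dependency
# of the DHCP Client service has a missing or incomplete Services registry entry.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'   # standard SCM location (assumed)

function Test-ServiceDependencyChain {
    param([string]$ServiceName = 'Dhcp')   # DHCP Client's short name on a default install

    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($ServiceName)

    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if ($seen.ContainsKey($name)) { continue }   # dependency graphs can share nodes
        $seen[$name] = $true

        $key = Join-Path $ServicesKey $name
        if (-not (Test-Path $key)) {
            # No key at all: the SCM cannot resolve this dependency -> Error 1075.
            Write-Output ("MISSING  {0}: no entry under Services" -f $name)
            continue
        }

        $props = Get-ItemProperty -Path $key
        # Without ImagePath or Start the SCM has nothing to load, so the key is effectively empty.
        $missing = @()
        foreach ($v in 'ImagePath', 'Start') {
            if ($null -eq $props.$v) { $missing += $v }
        }
        if ($missing.Count -gt 0) {
            Write-Output ("BROKEN   {0}: missing value(s) {1}" -f $name, ($missing -join ', '))
        } else {
            # Kernel drivers such as NetBT are not listed by Get-Service; Status is blank for them.
            $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
            Write-Output ("OK       {0}: Start={1} Status={2}" -f $name, $props.Start, $svc.Status)
        }

        # DependOnService is a REG_MULTI_SZ of the services this one needs; walk each of them.
        foreach ($dep in @($props.DependOnService)) {
            if ($dep) { $queue.Enqueue($dep) }
        }
    }
}

Test-ServiceDependencyChain -ServiceName 'Dhcp'
```

Run it from an elevated PowerShell prompt; a MISSING or BROKEN line names the entry that SFC or a driver reinstall needs to restore before the DHCP Client can start.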


  • Root Admin

MFG is Manufacturer in your case I assume Dell. If you can please post your Service Tag I can go look for the proper link for you.

Please run the following and post back both of the logs.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Let's respond sequentially.

1) "You can visit this site as well which has more information on the Service Pack 3 issue you describe.

http://www.bleepingc...topic43051.html " No, that page didn't help me. I used a WSP2 CD. For example, my case is:

In the event that the system asks you for the CD, you must visit Windows Update immediately after the scan is completed (Please note that there won't be any confirmation dialog - the program will just exit without telling you anything).

I didn't know I have to visit Windows Update, for what???!!

........

If you run Windows XP SFC and it asks for your "Service Pack 3 Disk", you can extract the service pack 3 files as follows:

Download the standalone Windows XP SP3 package from here: http://www.microsoft.com/downloads/details...;displaylang=en and save it to your desktop.

SFC didn't ask me about the SP3 disk.

2) What is a service tag? I have a Dell Vostro 1015.

3) For some days (maybe a week) I haven't had any antivirus on the laptop. Do you think it is good to install AVG? The only one I do have is MBAM. How do I disable the script blocker?


  • Root Admin

STEP 01

This is the download link to obtain drivers for your system from Dell. Just set the selection to XP

Vostro Notebook 1015

Under network it will list 8 different drivers for XP

Please download and install the Dell Wireless WLAN 1501 Half Mini-Card driver which is 117MB in size.

Then reset the Network connection back to DHCP and see if it now works or not after rebooting.

STEP 02

Please visit this site for instructions on disabling the Nero scout indexer which is failing.

STEP 03

You may have an issue with your hard drive according to this entry in the Event Logs. It's difficult to tell for sure as there are many potential causes for this type of error, including Nero, which I've asked you to stop indexing above.

error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /R | SHUTDOWN /R /T 30

STEP 04

Please click on START - RUN and copy/paste the following into the run line and click OK

CMD /C Driverquery.exe /v > C:\MYDRIVERS.TXT

Then attach the C:\MYDRIVERS.TXT file on your next reply please.

STEP 05

After running the above and rebooting please run a NEW DDS scan and post back the new logs.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Ok, I'll do what you asked for after 8 hours.

But now I want you to respond to me, please:

1) Why must attach.txt be zipped before sending it to you? All these logs I send to you may indeed help the person who made the backdoor to control my PC.

2) I want to reinstall AVG. Is it ok?

3) What do you mean by "I'm guessing that the only time you're getting an IP block is when Skype is running. What might normally be a bad IP address for many users around the World could possibly be okay because you do live in ...."

4) In case I want to connect to the net by UTP (wire), do I have to install in addition the Realtek RTL811DL Ethernet controller? Or will that be installed only in case I format C and reinstall XP?

Please again respond to me punctually

thanks a lot

This topic is now closed to further replies.