Need some information on what to do


  • This topic is locked
23 replies to this topic

#1 ElectroContractor

Posted 15 March 2013 - 11:03 PM

Hi all

I'm new to the site and need some help removing a virus and getting my network back together.

I don't know what type of virus I got, or if it's still present on my computer, so I hope this site has a really good protection plan. Sorry!

From what I can see, my AV failed to keep the darn thing from spreading throughout my system; even my DC is out.

OK, I ran DDS and have attached the files. Since I first noticed, or was informed of, the infection back in November of 2013, I have been running MS Network Monitor and have noticed requests for microsoft.com at address 107.14.47.35. I don't think that's right; checking whois tells me otherwise.

I'm presuming a redirector.

Another thing I noticed, looking through win\sys32\drivers: I find some of my DLLs have creation dates listed as today and modification dates listed around the install date (I'm presuming), i.e. creation date = 3/15/2013 and modification date = 10/15/2009.

I ran MS System Essentials, Autoruns and Process Explorer. I tried to remove some of the unknown users, but after restarting they were back.

Anyway, the computer I'm currently working on is a Sony Vaio with Win 7 Ultimate; as far as antivirus, it's Symantec Endpoint Protection.

If anyone can help, let me know what else I can do.

Electro

Attached Files
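The creation-date/modification-date observation in the post above can be checked systematically rather than by eye. The following is an added example, not code from the thread or from any tool named in it: it reads the CSV that PowerShell's `Get-ChildItem C:\Windows\System32\drivers -File | Select-Object Name,CreationTime,LastWriteTime | Export-Csv drivers.csv -NoTypeInformation` writes (the rows embedded here are constructed, not real), flags files whose CreationTime is newer than LastWriteTime, and separates the common benign pattern (many files sharing one creation second, which is what Windows servicing or a plain file copy produces, because a copy keeps LastWriteTime and stamps a fresh CreationTime) from a lone recently created file that merits hashing and a lookup. The flag names and the one-day window are assumptions for illustration.

```python
# Added example, not from the thread. Flags driver files whose CreationTime is
# newer than LastWriteTime and singles out lone new files.
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the shape Export-Csv -NoTypeInformation produces on an
# en-US system. These are NOT real rows from the poster's machine.
SAMPLE_CSV = """\
"Name","CreationTime","LastWriteTime"
"acpi.sys","7/13/2009 9:19:34 PM","7/13/2009 9:19:34 PM"
"ndis.sys","3/15/2013 8:02:11 AM","10/15/2009 3:13:05 AM"
"tcpip.sys","3/15/2013 8:02:11 AM","11/20/2010 12:03:00 PM"
"suspect.sys","3/15/2013 8:05:40 AM","3/15/2013 8:05:40 AM"
"""

DATE_FMT = "%m/%d/%Y %I:%M:%S %p"   # en-US Export-Csv date format


def parse_export_csv(text):
    """Return a list of {name, created, modified} dicts from Export-Csv output."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "name": row["Name"],
            "created": datetime.strptime(row["CreationTime"], DATE_FMT),
            "modified": datetime.strptime(row["LastWriteTime"], DATE_FMT),
        })
    return rows


def classify(rows, recent=timedelta(days=1), now=None):
    """Map file name -> list of flags; files with no flags are omitted.

    created-after-modified : creation newer than last write (copy/servicing artefact)
    batch-copied           : shares its exact creation second with other files
    new-file               : both timestamps fall inside the recent window
    """
    if now is None:
        now = max(r["created"] for r in rows)      # newest creation seen
    creation_counts = Counter(r["created"] for r in rows)
    findings = {}
    for r in rows:
        flags = []
        if r["created"] > r["modified"]:
            flags.append("created-after-modified")
        if creation_counts[r["created"]] > 1:
            flags.append("batch-copied")
        if now - r["created"] <= recent and now - r["modified"] <= recent:
            flags.append("new-file")
        if flags:
            findings[r["name"]] = flags
    return findings


def lone_new_files(findings):
    """Names flagged new-file that are not part of a batch: hash these and look them up."""
    return sorted(n for n, f in findings.items()
                  if "new-file" in f and "batch-copied" not in f)


if __name__ == "__main__":
    result = classify(parse_export_csv(SAMPLE_CSV))
    for name, flags in sorted(result.items()):
        print(f"{name:14s} {', '.join(flags)}")
    print("lone new files:", lone_new_files(result))
```

On the sample, ndis.sys and tcpip.sys come out as a batch (same creation second, older last-write), which is what an update pass looks like, while suspect.sys is the only lone new file. A created-after-modified timestamp on its own is therefore weak evidence; the lone, freshly written file is the one worth checking against the vendor's signed copy.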




#2 nasdaq (Malware Response Team)

Posted 17 March 2013 - 09:22 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
IMPORTANT!!! Save ComboFix.exe to your Desktop
 
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.
 
How to : Disable Anti-virus and Firewall...
 
Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.

  • Please post the C:\ComboFix.txt

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 
Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
 
Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===
 
Third-party programs, if not up to date, can be the cause of infiltration and infection.
 
Please run this security check for my review.
 
Download Security Check by screen317 from here.
  • Save it to your Desktop.

  • Double-click SecurityCheck.exe and follow the onscreen instructions inside of the black box.

  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

===
 
Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.
 
Please download AdwCleaner by Xplode onto your Desktop.

  • Close all open programs and internet browsers.

  • Double click on AdwCleaner.exe to run the tool.

  • Click on the Delete tab and follow the prompts.

  • A log file will automatically open after the scan has finished.

  • Please post the content of that log file with your next answer.

  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

 
Please post the logs for my review. Let me know what problem persists.


#3 ElectroContractor

Posted 19 March 2013 - 10:35 AM

Hello Nasdaq

OK, that didn't work. First, I couldn't save the file (ComboFix) to the desktop. Second, while downloading, security warnings popped up from Windows telling me my current settings do not allow me to download files. Third, ever since I tried to download the file, all file associations point to Internet Explorer opening up a window to view and track your downloads, and the window is left blank.

Electro



#4 ElectroContractor

Posted 19 March 2013 - 10:39 AM

On another note, my AV cannot be shut off, even through the Services section. I have also noticed that while running Disk Management under Computer Management I have a new disk called System Reserved, about 100 MB. How long that's been on there I'm not sure.

Electro



#5 nasdaq (Malware Response Team)

Posted 19 March 2013 - 01:04 PM

Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop.

Link 1 Bleepingcomputer
Link 2 RogueKiller (par Tigzy)

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7, right-click on the program, select Run as Administrator to start, and when prompted, allow it to run.

Click Scan to scan the system.
When the scan completes, close the program. Don't fix anything!

Don't run any other options; they're not all bad!!!!!!!

Post back the report which should be located on your desktop.
====

#6 ElectroContractor

Posted 19 March 2013 - 08:27 PM

Hi Nasdaq

Well, it doesn't seem to want to run. Yes, I downloaded it to my desktop, stopped all running processes (ones that I could), and tried to run it.

All it does is open an Explorer window; a pop-up comes up telling me my security settings don't allow this file to be downloaded.

I tried left-clicking the icon to run as an administrator, but that feature is not on the list.

Now what?

Electro



#7 nasdaq (Malware Response Team)

Posted 20 March 2013 - 08:16 AM


You should try to restore this computer to a date prior to the beginning of your problems.

If that does not work, try Startup Repair.

Follow the instructions on this page.

http://windows.microsoft.com/en-IN/windows7/What-are-the-system-recovery-options-in-Windows-7

If at any time you need direction before proceeding please ask.

Keep me posted.

#8 ElectroContractor

Posted 20 March 2013 - 07:26 PM

OK, now I did a restore, but the earliest date I got was from 3/5/2013. Yeah, I know now; that was the earliest date on the list.

I was able to upload RogueKiller and run it. There are two errors under the registry scan. Since I'm using another computer to get on the web, I can't do a cut and paste for you, so it looks like some typing work.

Found under Status: 2 errors. Both key types are HJ Desk. They are both Global HKLM. The key for both is

Software\Microsoft\Windows\currentVersion\Explorer\HideDesktopIcons\NewStartPanel

The value on one is {59031a47-3f72-44a7-89c5-5595fe6b30ee}

the other is {20D04FE0-3AEA-1069-A2D8-08002B30309D}

Both of these keys have a data of 1.

Other than that there are no processes, no hosts, no proxy, no DNS, no drivers, no files, no shortcuts.

Under the MBR I have

++++++++PhysicalDrive0: ST9500325AS++++++++++

[MBR] 49c4dc43aa6b42d37c121956aad77

[BSP] 72d866b0e68554097d66b8e40ff76e0a: Windows 7/8 MBR Code

Partition table:

0- [XXXXXX] ACER (0x27) [VISIBLE] Offset (Sectors):2048 | Size 10572 Mo

1- [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21655552 | Size 100 Mo

2- [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 466265 Mo

User= LL1......Ok

User =LL2......Ok

OK, now that was it. I'm not going to run the Fix, but would you like for me to try and run ComboFix?

Electro



#9 ElectroContractor

Posted 20 March 2013 - 08:48 PM

OK, I was able to get online with one of the problem computers, and I am able to upload the file.

Here it is.

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : JWannerR [Admin rights]
Mode : Scan -- Date : 03/20/2013 17:36:30
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

 

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] 49c4dc43aa6b4db42d37c121956aad77
[BSP] 72d866b0e68554097d66b8e40ff76e0a : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10572 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21655552 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 21860352 | Size: 466265 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_03202013_02d1736.txt >>
RKreport[1]_S_03202013_02d1736.txt
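The report above (and the hand-typed version in post #8) can be read mechanically. What follows is an added example, not code from the thread and not RogueKiller's own: a small parser for this report format that decodes the two [HJ DESK] hits against the well-known desktop-icon CLSIDs (under HideDesktopIcons\NewStartPanel a data of 1 hides that icon; {20D04FE0-...} is the Computer icon and {59031A47-...} is the user's files folder, both of which a user can also hide legitimately through Desktop Icon Settings), and summarises the MBR partition table so that the 100 MB active NTFS partition, the "System Reserved" disk noticed in post #4, is recognised as the boot partition Windows 7 setup creates, and any unexplained gap between partitions stands out. REPORT is excerpted from the post above; the tag names, the size threshold and the 1 MiB alignment tolerance are assumptions.

```python
# Added example, not from the thread and not RogueKiller's own code: parse a
# RogueKiller scan report, decode [HJ DESK] hits, and summarise the MBR table.
import re

# Excerpt of the report posted above (raw string: the key contains backslashes).
REPORT = r"""
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Mode : Scan -- Date : 03/20/2013 17:36:30

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST9500325AS +++++
[MBR] 49c4dc43aa6b4db42d37c121956aad77
[BSP] 72d866b0e68554097d66b8e40ff76e0a : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10572 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21655552 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 21860352 | Size: 466265 Mo
User = LL1 ... OK!
User = LL2 ... OK!
"""

# Shell-folder CLSIDs that HideDesktopIcons\NewStartPanel controls (data 1 = hidden).
KNOWN_CLSIDS = {
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}": "Computer",
    "{59031A47-3F72-44A7-89C5-5595FE6B30EE}": "User's Files",
    "{645FF040-5081-101B-9F08-00AA002F954E}": "Recycle Bin",
    "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}": "Network",
}

REG_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\] (?P<key>\S+) : (?P<value>\{[0-9A-Fa-f-]+\}) "
    r"\((?P<data>\d+)\) -> (?P<status>\w+)$")
PART_RE = re.compile(
    r"^(?P<idx>\d+) - \[(?P<flag>\w+)\] (?P<fs>\S+) \((?P<type>0x[0-9A-Fa-f]+)\) "
    r"\[(?P<vis>\w+)\] Offset \(sectors\): (?P<offset>\d+) \| Size: (?P<size>\d+) Mo$")

SECTORS_PER_MIB = 2048   # 512-byte sectors; the report's "Mo" sizes are MiB
ALIGN_SLACK = 2048       # assumed: a 1 MiB alignment gap between partitions is normal


def parse_registry_entries(report):
    """Registry hits as dicts: kind, key, value, data (int), status."""
    entries = []
    for line in report.splitlines():
        m = REG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["data"] = int(d["data"])
            entries.append(d)
    return entries


def decode_hj_desk(entries):
    """[(icon name, 'hidden'|'shown')] for every [HJ DESK] hit, in report order."""
    out = []
    for e in entries:
        if e["kind"] == "HJ DESK":
            name = KNOWN_CLSIDS.get(e["value"].upper(), "unknown CLSID " + e["value"])
            out.append((name, "hidden" if e["data"] == 1 else "shown"))
    return out


def parse_partitions(report):
    """Partition rows as dicts with idx/offset/size as ints and type as an int."""
    parts = []
    for line in report.splitlines():
        m = PART_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["idx"], d["offset"], d["size"] = int(d["idx"]), int(d["offset"]), int(d["size"])
            d["type"] = int(d["type"], 16)
            parts.append(d)
    return parts


def partition_gaps(parts):
    """(prev_idx, next_idx, gap_sectors) between consecutive partitions by offset."""
    ordered = sorted(parts, key=lambda p: p["offset"])
    gaps = []
    for a, b in zip(ordered, ordered[1:]):
        end = a["offset"] + a["size"] * SECTORS_PER_MIB
        gaps.append((a["idx"], b["idx"], b["offset"] - end))
    return gaps


def describe(parts):
    """[(idx, size_mib, [tags])]; tags name what each partition most likely is."""
    out = []
    for p in parts:
        tags = []
        if p["flag"] == "ACTIVE":
            tags.append("active (boot)")
        if p["type"] == 0x27:
            tags.append("OEM recovery (type 0x27)")
        # Windows 7 setup creates a 100 MiB active NTFS boot partition ("System Reserved").
        if p["type"] == 0x07 and p["flag"] == "ACTIVE" and p["size"] <= 350:
            tags.append("Windows System Reserved")
        out.append((p["idx"], p["size"], tags))
    return out


if __name__ == "__main__":
    for name, state in decode_hj_desk(parse_registry_entries(REPORT)):
        print(f"desktop icon {name!r}: {state}")
    parts = parse_partitions(REPORT)
    for idx, size, tags in describe(parts):
        print(f"partition {idx}: {size} MiB {tags}")
    for a, b, gap in partition_gaps(parts):
        print(f"gap {a}->{b}: {gap} sectors" + ("  <-- unexplained" if gap > ALIGN_SLACK else ""))
```

On this report the only registry hits are two hidden desktop icons (Computer and User's Files), the partition table has one 1 MiB alignment gap and no unexplained space, and the boot sector code is identified as stock Windows 7/8 MBR code, so the MBR side of the scan gives nothing to chase; the hidden-icon entries are a nuisance setting to reset, not evidence of a bootkit.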



#10 nasdaq (Malware Response Team)

Posted 21 March 2013 - 08:05 AM

Download and run the 3 tools suggested in post #2.

If you cannot get a log from one of the tools run the others and post what you can.

#11 ElectroContractor

Posted 21 March 2013 - 09:08 PM

OK, I was able to run all three tools. I am attaching the reports:

Combofix

ADWCleaner

SecurityCheck

Hopefully these should help.



I'll look them over as well.

Now where's that post button?

Attached Files



#12 nasdaq (Malware Response Team)

Posted 22 March 2013 - 09:51 AM

Remove the adware and PUPs (Potentially Unwanted Programs) installed on your computer.

#13 ElectroContractor

Posted 24 March 2013 - 08:19 PM

Hi there Nasdaq

Well, I found out the other day, by running HijackThis on my domain computer, that it had been hijacked; that explains the problems. At least that's what the HijackThis program tells me. Frustrated after at least three years of problems with the domain and lack of help from my domain name provider, I canceled my domain name. I'm not sure if that was a good idea or the right thing to do, but I did it anyway. I would like to get my domain back up again, but unfortunately I think they did some serious damage to the server. Before, when I shut down the domain server, the network light on the switch went out. Now when I turn off the domain server it stays on. I noticed something funny back in January: when I came to the office, the domain server had been rebooted. At that time I thought it was from an update and really didn't pay too much attention to it until recently.

Can you give me an idea of where to start?

Electro



#14 nasdaq (Malware Response Team)

Posted 25 March 2013 - 08:27 AM

Who is your Internet provider?

Can you not get another domain with a different name and rebuild your site?

#15 ElectroContractor

Posted 25 March 2013 - 11:43 AM

Attached File: AdwCleanerS1.txt (3.98KB)

OK, first of all I started up AdwCleaner as an administrator and selected Delete instead of Scan. The report follows.

Second, my IP, or the company I pay for IP service, is Time Warner. My domain name provider was Register.com.

As stated, I canceled my subscription with them. I checked through Network Solutions and found out that my domain name is available.

I have been thinking about changing the name to avert the problems that plagued me in the first place.
