Many viruses, hku s-1-5, tasks, possible winsock dmg?


  • This topic is locked
26 replies to this topic

#1 AbelsGambit (Members)

Posted 26 March 2016 - 10:26 PM

Hey BP guys. I love using this site as a reference to fix any machines my friends and family ask me to fix, and have done so for years now. Until today I haven't come across one I couldn't troubleshoot myself!

I dunno why this one is so stubborn..

The biggest problem was an occurrence (like an interrupt) that made your window inactive and attempted to bring something else to the front; whatever it was, it never ran, it just interrupted you from your active window.

It started with an active internet connection, and after letting AdwCleaner run and do a restart, the internet stopped working, even in Safe Mode with Networking (which BSODed until a Windows repair solved it). Tried the typical command-line winsock resets and IP flushes etc., but no good. The connection looks fine, you connect to the router (pinging the router works), but browsers and anything that connects to the network (Steam, Skype, etc.) won't even start, or pop up but instantly "stop responding"/crash.

Things to note:

IPv4 was set to a manual static IP, and DNS 8.8.8.8. My router assigns automatically, but changing it to auto didn't help. I've had my laptop and even my desktop over at his house and know their router assigns automatically, but he said it wouldn't connect unless it was set to those settings. I also found a Teredo tunneller in Network Adapters; it had the yellow exclamation, and uninstalling it did nothing. Some pseudo errors and file-not-found errors stopped happening with the ipconfig and netsh commands, but they still didn't work after uninstalling that Teredo tunneller.

MBAM only runs after a fresh install, and only installs 50% of the time, after AdwCleaner, JWT and Rkill have all been used. The other half of the time a runtime error "could not call proc." stops the install (and even the uninstall). MBAM doesn't find anything anyway... **Rkill (iexplore.exe/com not needed) alone DOES NOT allow MBAM to run/install**

Internet Explorer doesn't even open; it simply never starts, or pops up but crashes before it loads the homepage. Speaking of which, I checked LAN settings in the Internet Options, and the proxy box isn't checked, but the auto-detect settings box is. Mozilla is dead just like Chrome, btw.

There were like 12 scheduled tasks that were clearly viruses: runTask and scheduleTask; the others were jumbles of letters/names. I cleared all registry keys with their names because they kept coming back if you just deleted them from the Task Scheduler; this seemed to cut down on a lot of the "interrupt" problems and they no longer appear on the scheduled tasks list.

Under HKEY_USERS, new S-1-5-xxxxxxxxxxxx subfolders keep getting created; sometimes it's a few, sometimes a dozen, but one of the logs has one of these S-1-5 folders in it, probably related?

Msconfig looks clean; the Services and Startup tabs look fine.

Thanks for taking the time to read my post. I hope my detailed explanation helps lead to the answer quicker than normal. Oh, and these should help too:

Logs of the scans I have done so far... 😉

Attached Files


Edited by AbelsGambit, 26 March 2016 - 10:57 PM.



#2 Struppigel (Karsten Hahn, G DATA Malware Analyst; Malware Response Team)

Posted 30 March 2016 - 01:55 AM

Hello AbelsGambit

 

I am Marie Curie and will gladly help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.
 

  • Read my instructions thoroughly, carry out each step in the given order.
  • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
  • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
  • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
  • Back up important files before we start.

--------------------------------------------------------------

 

 

STEP 1
CKScanner

  • Please download CKScanner and save the file to your Desktop.
  • Right-click CKScanner.exe and select Run as administrator to run the programme.
  • Click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Please run this programme only once.
  • A log (CKFiles.txt) will be created on your Desktop. Attach the log in your next reply.
     

STEP 2
MGADiag


  • Please download MGADiag and save the file to your Desktop.
  • Right-click MGADiag.exe and select Run as administrator to run the programme.
  • Click Continue.
  • Click Copy.
  • Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.
  • Click Edit followed by Paste in Notepad.
  • Attach the log in your next reply.
     

======================================================

STEP 3
Logs
In your next reply please include the following logs.

  • CKFiles.txt
  • MGADiag log

 

 



#3 AbelsGambit (Topic Starter)

Posted 31 March 2016 - 10:07 PM

Here are the requested files.

Attached Files



#4 Struppigel (Karsten Hahn, G DATA Malware Analyst; Malware Response Team)

Posted 02 April 2016 - 02:31 AM

Hello AbelsGambit.

 

Did you have any troubles while running the tools? It seems you ran CKScanner twice.

 

Did you ever encounter problems on bootup with a message saying that Windows is not genuine?

 

To ascertain the state of your computer, I would like to take a look at the Addition.txt that is created by FRST. Whilst you are scanning, you may also attach the newly created FRST.txt log. Your computer is in a bad shape, so let me know if you have any troubles while following the steps below.

 

STEP 1
Farbar Recovery Scan Tool (FRST) Scan

  • Double-Click FRST64.exe to run the programme.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Attach the logs in your next reply.

 

 

STEP 2
aswMBR

  • Please download aswMBR and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-click aswMBR.exe and select Run as administrator to run the programme.
  • Click Yes when prompted to download avast! virus definitions. Wait until AVAST engine defs: ### appears.
  • If you are prompted to enable the use of "Virtualization Technology", click Yes.
  • Click the AV Scan: drop down box and click C:\.
  • Click Scan.
  • Upon completion, you will see Scan finished successfully. Click Save log. Save the log to your Desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.

Note: Do NOT click Fix or FixMBR.
Note: A file (MBR.dat) will be created on your Desktop. Do NOT click or delete it.

 

 

======================================================
 
STEP 3
Logs
In your next reply please include the following logs.

  • FRST.txt
  • Addition.txt
  • aswMBR log

 



#5 AbelsGambit (Topic Starter)

Posted 02 April 2016 - 04:38 PM

Not a problem; I just forgot to run CK as admin and I think it crashed, then reran it as admin.

I'm away from the machine right now but I can give you some details on the Windows genuine.

Windows Genuine pop-ups were rampant; like 3 or 4 would pop up as soon as Explorer started (desktop loaded). This didn't seem like normal Windows activity, as the splashmark in the bottom right corner wasn't there, and the copy was purchased with a student discount from university. I checked the slui.exe file in the Windows directory and it was a few MBs larger than the ones in my laptop and desktop directories, so I tried deleting it, and had to change all the permissions to do so. The pop-ups no longer appear on boot, but pop up every time Notepad opens; it seems like just Notepad, not Skype or games or anything else.

Can't re-enter the product key without the internet connection restored. A system restore does restore the internet connection, but probably also restores the virus as well, and putting the key over an infected machine probably means it'll be all over the internet in minutes.

#6 AbelsGambit (Topic Starter)

Posted 02 April 2016 - 10:28 PM

Logs

 

EDIT: (since you wanted the contents pasted :S) 

 

aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software

Run date: 2016-04-02 23:10:29
-----------------------------
23:10:29.195    OS Version: Windows x64 6.1.7601 Service Pack 1
23:10:29.195    Number of processors: 4 586 0x3A09
23:10:29.195    ComputerName: ZACH-PC  UserName: Zach
23:10:29.375    Initialize success
23:10:29.385    VM: initialized successfully
23:10:29.385    VM: Intel CPU BiosDisabled 
23:11:11.924    AVAST engine defs: 16033102
23:12:07.138    Disk 0  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
23:12:07.138    Disk 0 Vendor: Samsung_SSD_840_PRO_Series DXM05B0Q Size: 244198MB BusType: 11
23:12:07.138    Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-3
23:12:07.138    Disk 1 Vendor: TOSHIBA_MK8034GSX AH301D Size: 76319MB BusType: 11
23:12:07.148    Disk 1 MBR read successfully
23:12:07.148    Disk 1 MBR scan
23:12:07.148    Disk 1 Windows 7 default MBR code
23:12:07.148    Disk 1 Partition 1 80 (A) 07    HPFS/NTFS NTFS        75508 MB offset 63
23:12:07.158    Disk 1 default boot code
23:12:07.158    Disk 1 scanning E:\Windows\system32\drivers
23:12:09.142    Service scanning
23:12:14.664    Modules scanning
23:12:14.664    Disk 1 trace - called modules:
23:12:14.664    ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys 
23:12:14.674    1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa80072b4060]
23:12:14.674    3 CLASSPNP.SYS[fffff880018e943f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-3[0xfffffa80070cb060]
23:12:14.884    AVAST engine scan E:\
23:14:41.758    File: E:\Program Files (x86)\OBS\OBS.exe  **INFECTED** Win32:MalOb-CA [Cryp]
23:16:06.702    File: E:\TDSSKiller_Quarantine\21.03.2016_17.46.19\tdlfs0000\tsk0003.dta  **INFECTED** Win64:Alureon-G [Rtk]
23:16:06.712    File: E:\TDSSKiller_Quarantine\21.03.2016_17.46.19\tdlfs0000\tsk0005.dta  **INFECTED** Win32:Alureon-BAN [Rtk]
23:16:06.722    File: E:\TDSSKiller_Quarantine\21.03.2016_17.46.19\tdlfs0000\tsk0006.dta  **INFECTED** Win64:Alureon-B@mbr [Rtk]
23:16:06.732    File: E:\TDSSKiller_Quarantine\21.03.2016_17.46.19\tdlfs0000\tsk0007.dta  **INFECTED** Win32:Malware-gen
23:16:06.742    File: E:\TDSSKiller_Quarantine\21.03.2016_17.46.19\tdlfs0000\tsk0009.dta  **INFECTED** Win32:Agent-ANVR [Trj]
23:16:19.252    File: E:\Users\Zach\AppData\Local\Temp\nspDF66.tmp\NSISHelper.dll  **INFECTED** Win32:Adware-gen [Adw]
23:16:19.292    File: E:\Users\Zach\AppData\Local\Temp\nspE30F.tmp\HhnuAbifk.dll  **INFECTED** Win32:Adware-gen [Adw]
23:16:19.302    File: E:\Users\Zach\AppData\Local\Temp\nspE30F.tmp\KitBiu.dll  **INFECTED** Win32:Adware-gen [Adw]
23:25:57.775    Disk 1 statistics 33378470/0/0 @ 51.14 MB/s
23:25:57.785    Scan finished successfully
23:26:16.746    Disk 1 MBR has been saved successfully to "E:\Users\Zach\Desktop\MBR.dat"
23:26:16.746    The log file has been saved successfully to "E:\Users\Zach\Desktop\aswMBR.txt"

Attached Files


Edited by AbelsGambit, 02 April 2016 - 10:30 PM.
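The aswMBR log above mixes three kinds of hit that call for different handling: the five files under E:\TDSSKiller_Quarantine are copies TDSSKiller already pulled out of the hidden TDL file system, the three DLLs under AppData\Local\Temp are installer leftovers that the EmptyTemp: directive later in the thread clears, and OBS.exe in Program Files is the only live program flagged, by Win32:MalOb-CA [Cryp], a name that (on my reading of avast's naming, not something the thread states) is a generic packer/obfuscation heuristic rather than a specific family. A practitioner would want a second opinion on that one file before deleting it, and the fix scripts later in the thread do not touch it. The script below is an added example, not code from the thread or from aswMBR: it parses the detection lines and sorts them into those three buckets. The sample lines are copied from the log above plus one non-detection line; the location and heuristic rules are my own assumptions.

```python
"""Sort aswMBR detection lines by where the file lives and how specific the
signature is. Added example for this thread; not code from the page or from
aswMBR/avast. The sample is constructed from lines in the posted log."""
import re
from dataclasses import dataclass

# Constructed sample: four detection lines from the post plus one status line
# to show that non-detection output is skipped.
SAMPLE_LOG = r"""
23:12:09.142    Service scanning
23:14:41.758    File: E:\Program Files (x86)\OBS\OBS.exe  **INFECTED** Win32:MalOb-CA [Cryp]
23:16:06.702    File: E:\TDSSKiller_Quarantine\21.03.2016_17.46.19\tdlfs0000\tsk0003.dta  **INFECTED** Win64:Alureon-G [Rtk]
23:16:06.732    File: E:\TDSSKiller_Quarantine\21.03.2016_17.46.19\tdlfs0000\tsk0007.dta  **INFECTED** Win32:Malware-gen
23:16:19.252    File: E:\Users\Zach\AppData\Local\Temp\nspDF66.tmp\NSISHelper.dll  **INFECTED** Win32:Adware-gen [Adw]
"""

# time  File: <path>  **INFECTED** <name> [<tag>]   (the bracket tag is optional)
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+File:\s+(?P<path>.+?)\s+\*\*INFECTED\*\*\s+"
    r"(?P<name>\S+)(?:\s+\[(?P<cat>[A-Za-z]+)\])?\s*$"
)


@dataclass
class Detection:
    time: str
    path: str
    name: str
    category: str    # avast bracket tag (Rtk, Adw, Trj, Cryp, ...) or '' when absent
    location: str    # 'quarantine', 'temp' or 'live'
    heuristic: bool  # generic (-gen) or packer/cryptor ([Cryp]) signature (assumption)


def classify_location(path: str) -> str:
    p = path.lower()
    if "quarantine" in p:      # already neutralised by another tool
        return "quarantine"
    if "\\temp\\" in p:        # dropper/installer leftovers
        return "temp"
    return "live"


def is_heuristic(name: str, cat: str) -> bool:
    # Assumption: '-gen' names and the [Cryp] tag are generic/packer heuristics.
    return name.lower().endswith("-gen") or cat == "Cryp"


def parse(log_text: str) -> list[Detection]:
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cat = m.group("cat") or ""
        found.append(Detection(m.group("time"), m.group("path"), m.group("name"), cat,
                               classify_location(m.group("path")),
                               is_heuristic(m.group("name"), cat)))
    return found


def triage(dets: list[Detection]) -> dict[str, list[Detection]]:
    """Bucket detections by the action they call for."""
    buckets = {"already_contained": [], "remove": [], "second_opinion": []}
    for d in dets:
        if d.location == "quarantine":
            buckets["already_contained"].append(d)
        elif d.location == "temp" or not d.heuristic:
            buckets["remove"].append(d)
        else:                  # live file, generic/packer signature only
            buckets["second_opinion"].append(d)
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(parse(SAMPLE_LOG)).items():
        print(bucket)
        for d in items:
            print(f"  {d.name:<22} {d.path}")
```

Run against the full log, OBS.exe is the only entry that lands in second_opinion; everything else is either already contained or sits in a temp folder that the later fix empties anyway.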


#7 Struppigel (Karsten Hahn, G DATA Malware Analyst; Malware Response Team)

Posted 04 April 2016 - 06:20 AM

Please read the following warning before you proceed.

 

Backdoor Warning
 
------------------------------
 
One or more of the identified malware is known to use a backdoor that allows attackers to remotely control your computer, download/execute files and steal system, financial & personal information.
 
If your computer has been used for online banking, has credit card information or other sensitive data, using a non-compromised computer/device you should immediately change all account information (including those used for Email, eBay, Paypal, online forums, etc).
 
Banking and credit card institutions should be notified of the possible security breach. Please read the following article for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
 
Whilst the identified malware can be removed, there is no way to guarantee the trustworthiness of your computer unless you reformat your hard drive and reinstall your Operating System. This is due to the nature of the malware, which allows a remote attacker to make any kind of modification. Many experts in the security community believe that once compromised with this type of malware, the best course of action is to reformat/reinstall. Please read the following articles for more information.

You now have the choice between cleaning the malware present or reformatting your computer. Ultimately, the decision is yours, and what you're most comfortable with. Once you've read the articles linked above, let me know if you have any questions, and how you wish to proceed.

 
STEP 1
Farbar Recovery Scan Tool (FRST) Script
  • Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    CreateRestorePoint:
    S2 Fukijo; "E:\Users\Zach\AppData\Roaming\BarhamShpi\Pufpi.exe" -cms [X]
    E:\Users\Zach\AppData\Roaming\BarhamShpi
    S2 Tampstring; E:\ProgramData\\Tampstring\\Tampstring.exe shuz -f "E:\ProgramData\\Tampstring\\Tampstring.dat" -l -a
    E:\ProgramData\\Tampstring
    
    2016-03-21 15:27 - 2016-03-21 15:27 - 00003138 _____ E:\Windows\System32\Tasks\updateTask
    Task: {89DFFB1F-AE28-4E6A-BDF0-BA2480CEE767} - System32\Tasks\updateTask => c:\task.vbs [2016-03-21] ()
    2016-03-21 15:27 - 2016-03-21 15:27 - 00003234 _____ E:\Windows\System32\Tasks\runTask
    Task: {19715460-2AB3-464C-B889-F0CB652A1FF5} - System32\Tasks\runTask => E:\Users\Zach\AppData\Local\Temp/Updater.exe
    
    FF user.js: detected! => E:\Users\Zach\AppData\Roaming\Mozilla\Firefox\Profiles\08ipem8d.default\user.js [2016-03-21]
    
    2016-03-21 14:35 - 2016-03-21 14:35 - 00041710 _____ E:\Windows\madge.exe
    2016-03-21 14:35 - 2016-03-21 14:35 - 00014336 _____ (quietude) E:\Windows\bourke.exe
    2016-03-21 14:35 - 2016-03-21 14:35 - 00009216 _____ (looky) E:\Windows\shapers.exe
    2016-03-21 14:35 - 2016-03-21 14:35 - 00000019 _____ E:\Windows\SysWOW64\46877913.bat
    2016-03-18 01:00 - 2016-03-18 01:00 - 00000000 _____ E:\Users\Zach\AppData\Local\ok223.txt
    2016-03-13 21:29 - 2016-03-13 21:29 - 00000418 _____ E:\Windows\Disable task manager .bat
    2016-03-12 22:26 - 2016-03-12 22:26 - 00000201 _____ E:\Windows\call.vbs
    
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-2730457261-690507736-3919490537-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    Filter: application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll No File
    Filter: application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll No File
    Filter: application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll No File
    
    2016-03-21 15:18 - 2016-03-21 15:18 - 00000000 ____D E:\Users\Zach\AppData\Local\Tempfolder
    
    Task: {0C905D4A-85C7-4A75-84FE-1F6F1D23F318} - \{C590CB19-4629-4FEF-AAA2-4BF9F876306D} -> No File <==== ATTENTION
    Task: {0FEE05D8-D236-4E8F-AEED-ED00E6747349} - \Adobe Flash Player Updater -> No File <==== ATTENTION
    Task: {115116C5-A50E-4F34-BD7E-44EAC96ED7F0} - \Admin Defrag -> No File <==== ATTENTION
    Task: {2ACFA262-E853-42F8-A563-D7061B6D45A3} - \{4314C2E7-74BC-452A-AB2B-C59AFE2DBAA1} -> No File <==== ATTENTION
    Task: {321841E8-ACE5-43E2-B583-72330C11F36B} - \{790D7847-0E7A-0F05-7D11-0F790D7A1108} -> No File <==== ATTENTION
    Task: {4EE50A3C-0290-48FE-85ED-530EF6B15EBB} - \{91875D32-60CB-4784-B663-1EFAB952794A} -> No File <==== ATTENTION
    Task: {8FD08282-38CC-4E41-A63B-587E2E8A9938} - \{F09DFF5A-7E22-460B-BB60-F307715903BB} -> No File <==== ATTENTION
    Task: {962EA35B-10F1-4A95-A306-4A476788EEC4} - \{32B69275-721A-4C0B-BCA9-F9FABAAEA8C0} -> No File <==== ATTENTION
    Task: {97A1C016-155E-40C3-A70E-F19BEB797FF1} - \{1645772C-9795-4AEC-AF64-5E304CCEBDEB} -> No File <==== ATTENTION
    Task: {A8729405-1380-45B1-8137-995AFDDC65C2} - \{607231E3-DE7F-4D64-852E-517B6E40D6BB} -> No File <==== ATTENTION
    Task: {AFD545E1-0396-4D3C-A55A-C8D11608E5D4} - \Adobe Acrobat Update Task -> No File <==== ATTENTION
    Task: {B19D699F-AE46-454C-8494-7430E98F0A81} - \{E54BF89A-AD70-4445-9EB2-9ADD58AC6342} -> No File <==== ATTENTION
    Task: {B8A527A7-D5F6-4366-BC7B-FE62ABE6751A} - \{736F6A50-A757-41F4-84E7-B79CF7B9D6D7} -> No File <==== ATTENTION
    Task: {CB86BB1A-1C8A-444F-A6AF-24EC0147C5BA} - \{81CC1AAC-AA61-4F9E-B152-3F0118CDFC5D} -> No File <==== ATTENTION
    Task: {D15D5624-E9D4-472F-B327-3B0D3E21C802} - \{F0BE0743-1C6A-4576-B493-0489534C018D} -> No File <==== ATTENTION
    Task: {BA940EEC-BEC1-4D9F-BA29-B2319FFDF9FF} - \Gamma Task Menager Worker -> No File <==== ATTENTION
    Task: {E6DED054-2332-459E-9076-9A504913B416} - \AdobeAAMUpdater-1.0-Zach-PC-Zach -> No File <==== ATTENTION
    Task: {EA5C52CF-5763-4674-BACC-709F8C08A5ED} - \Jadeeph -> No File <==== ATTENTION
    Task: {F8D62297-C92A-4CD4-B27F-98C1AA1BD1C3} - \{7D3F84C5-7737-43B6-BDED-26D08B38E1A7} -> No File <==== ATTENTION
    
    Task: {00BF8B50-7586-43EC-8F3D-0A3C682AA57B} - System32\Tasks\{A519E655-169C-4EFD-9000-126B669F2FC4} => Chrome.exe
    Task: {08AEFF6D-4854-4CBB-8FDB-BC02407ED28C} - System32\Tasks\{3E17E1DE-9ABE-4898-A535-6CA5A4AA9DDD} => Chrome.exe
    Task: {206CB968-1139-4CCE-9E5B-C17BFDA5E433} - System32\Tasks\{53527860-D111-4AED-8ACA-D6D93A6D1BF2} => Chrome.exe
    Task: {633AF4AF-7DDD-488D-8338-D60CB6E81C3F} - System32\Tasks\{70E17274-3BA0-4CC2-B421-D774D08728C3} => Chrome.exe
    Task: {9FC69ED8-65BF-42E3-9172-C1C3DE013ED3} - System32\Tasks\{B99D1665-E896-4701-908A-6F69F3047A31} => Chrome.exe
    Task: {AD22A3CD-8911-46A9-A33B-45D1B031C54D} - System32\Tasks\{734AC68F-FC43-4549-83DE-95D2B62779F1} => Chrome.exe
    Task: {B9778B51-D16C-486D-93D7-6254EF46BB68} - System32\Tasks\{E87B0D1E-2234-4CEA-83E5-958A9A8704AD} => Chrome.exe
    Task: {BD81F78D-6BE9-4765-95E6-DB844C6FD97C} - System32\Tasks\{9CFF35E2-0BA8-4AA3-9D09-AEFE356516A8} => Chrome.exe
    Task: {D5780010-C682-4A0C-BB4F-E0572D37EA66} - System32\Tasks\{1D974D85-4639-42A7-8EFA-181E24B2E778} => Chrome.exe
    
    Folder: E:\Windows\system32\vam
    File: E:\Users\Zach\AppData\Local\80488381.txt
    File: E:\Users\Zach\AppData\Local\dotinstall.txt
    File: E:\Users\Zach\AppData\Roaming\agent.dat
    File: E:\Users\Zach\AppData\Roaming\Y-flex.tst
    File: E:\Users\Zach\AppData\Roaming\Installer.dat
    File: E:\Users\Zach\AppData\Roaming\Geofax.tst
    File: E:\Users\Zach\AppData\Roaming\Main.dat
    
    CMD: ipconfig /release
    CMD: ipconfig /renew
    CMD: ipconfig /flushdns
    CMD: nbtstat -R
    CMD: nbtstat -RR
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    EmptyTemp:
    end
  • Click File, Save As and type fixlist.txt as the File Name
  • Important: The file must be saved in the same location as FRST64.exe. 
NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
  • Right-click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Attach the log to your next reply.
STEP 2
ComboFix
  • Note: Please read through these instructions before running ComboFix. 
  • Please download ComboFix and save the file to your Desktop. << Important!
  • Temporarily disable your Anti-Virus software. For instructions, please refer to the following link.
  • Right-click ComboFix.exe and select Run as administrator to run the programme.
  • Follow the prompts. 

  • Allow ComboFix to complete its removal routine (please refer to Important Notes:).
  • Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Attach the log to your next reply.
  • Re-enable your Anti-Virus software.

Important Notes:
  • Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
  • Do NOT use your computer whilst ComboFix is running.
  • Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.

  • If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
  • ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If you are unable to access the Internet after running ComboFix, please reboot your computer.
======================================================

STEP 3
Logs
In your next reply please include the following logs.
  • Fixlog.txt
  • Combofix log

Edited by Curie, 04 April 2016 - 09:09 AM.
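The Task: lines in that fix script are the generalisable part of the thread. The OP found that deleting tasks in Task Scheduler alone was not enough; a scheduled task is registered twice, as an XML file under %SystemRoot%\System32\Tasks and under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache, so both have to go, which is what the Task: directive in an FRST fixlist is for. The script below is an added example, not code from the thread or from FRST: it parses Task: lines in FRST's format and flags the patterns visible in the fix above (orphaned registrations, GUID-named tasks, a script at a drive root, a binary run from a temp folder, and GUID-named tasks that launch a bare Chrome.exe). The sample is constructed from lines in the post plus one hypothetical benign Windows task as a control; the rules are my own heuristics, and the assumed GUID on the control line is not from the log.

```python
"""Triage of FRST 'Task:' lines. Added example for this thread; not code from
the page or from FRST. Sample lines are copied from the fix script above plus
one constructed benign task (hypothetical GUID) as a control."""
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# Task: {id} - <name> => <target>      or      Task: {id} - <name> -> No File <==== ATTENTION
TASK_RE = re.compile(rf"^Task:\s+(?P<id>{GUID})\s+-\s+(?P<name>.+?)\s+(?:=>|->)\s+(?P<rest>.+)$")
GUID_RE = re.compile(rf"^{GUID}$")
SCRIPT_EXT = (".vbs", ".bat", ".cmd", ".js", ".ps1", ".hta")
BROWSERS = ("chrome.exe", "iexplore.exe", "firefox.exe")

SAMPLE = r"""
Task: {89DFFB1F-AE28-4E6A-BDF0-BA2480CEE767} - System32\Tasks\updateTask => c:\task.vbs [2016-03-21] ()
Task: {19715460-2AB3-464C-B889-F0CB652A1FF5} - System32\Tasks\runTask => E:\Users\Zach\AppData\Local\Temp/Updater.exe
Task: {0C905D4A-85C7-4A75-84FE-1F6F1D23F318} - \{C590CB19-4629-4FEF-AAA2-4BF9F876306D} -> No File <==== ATTENTION
Task: {0FEE05D8-D236-4E8F-AEED-ED00E6747349} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {00BF8B50-7586-43EC-8F3D-0A3C682AA57B} - System32\Tasks\{A519E655-169C-4EFD-9000-126B669F2FC4} => Chrome.exe
Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag => %windir%\system32\defrag.exe
"""


def parse_task(line: str):
    """Return {'id', 'name', 'target'} for an FRST Task: line, else None.
    target is None when FRST reported 'No File'."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    rest = re.sub(r"\s*<=+\s*ATTENTION\s*$", "", m.group("rest"))        # drop FRST marker
    rest = re.sub(r"\s*\[\d{4}-\d\d-\d\d\]\s*(?:\([^)]*\))?\s*$", "", rest).strip()  # drop [date] (company)
    name = m.group("name").split("\\")[-1]                                # last path component
    target = None if rest.lower() == "no file" else rest
    return {"id": m.group("id"), "name": name, "target": target}


def assess(task: dict) -> list[str]:
    """Reasons a task deserves a closer look; an empty list means nothing odd."""
    reasons = []
    name, target = task["name"], task["target"]
    if target is None:
        reasons.append("orphaned: registration points to a file that no longer exists")
    if GUID_RE.match(name):
        reasons.append("GUID-named task")
    if target is not None:
        t = target.replace("/", "\\")
        low = t.lower()
        if "\\" not in t:
            reasons.append("bare program name with no path")
        if re.match(r"^[a-z]:\\[^\\]+$", low):
            reasons.append("file sits at the drive root")
        if "\\temp\\" in low:
            reasons.append("runs from a temp folder")
        if low.endswith(SCRIPT_EXT):
            reasons.append("launches a script instead of an executable")
        if GUID_RE.match(name) and low.rsplit("\\", 1)[-1] in BROWSERS:
            reasons.append("GUID-named task launching a browser: typical of ad-injecting adware")
    return reasons


def triage(log_text: str) -> dict[str, list[str]]:
    """Map task name -> reasons for every Task: line in the text."""
    findings = {}
    for line in log_text.splitlines():
        task = parse_task(line)
        if task:
            findings[task["name"]] = assess(task)
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(name, "->", "; ".join(reasons) or "nothing odd")
```

The control task (a hypothetical Defrag entry) produces no findings; every line taken from the fix above produces at least one, which is the behaviour you want when pasting a whole FRST.txt through it.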


#8 AbelsGambit (Topic Starter)

Posted 04 April 2016 - 06:14 PM

Any chance of the virus spreading through my network? Could any machine connected to my network have been compromised? No way it gets through Kaspersky, right?

 

This install has to last until around September, but obviously I'll pass along not to use it for anything with sensitive information.

 

EDIT: Not that I would want to recommend anyone using Windows 10 yet, but do you know if Windows 10 can do a complete reformat if it was upgraded?

 

Files.

Attached Files


Edited by AbelsGambit, 04 April 2016 - 06:24 PM.


#9 Struppigel (Karsten Hahn, G DATA Malware Analyst; Malware Response Team)

Posted 05 April 2016 - 05:09 AM

Hi AbelsGambit.
 

Any chance of the virus spreading through my network? Could any machine connected to my network have been compromised? No way it gets through Kaspersky, right?

 


I did not find any hint of malware that spreads on its own, so it is unlikely that it does. However, the system is infected with a rootkit whose purpose is to hide any malicious entries. More malware might become visible after removing the rootkit.

 

EDIT: Not that I would want to recommend anyone using Windows 10 yet, but do you know if Windows 10 can do a complete reformat if it was upgraded?

 

 

A reformat, i.e. formatting the HDD and reinstalling the operating system, will certainly help to get rid of the malware.

Upgrading the system without reformat is not recommended, because the malicious files will stay on the system. Please let me know if you decide to reformat the system instead of cleaning it.

 

This malware is stubborn and we will need to perform more fixes before it is gone.

Please tell me in your next reply if you have a USB device and access to a clean computer.



#10 AbelsGambit (Topic Starter)

Posted 05 April 2016 - 10:41 AM

Yeah, let's try and clean it.

 

I have access to a clean machine and a thumb drive.



#11 Struppigel (Karsten Hahn, G DATA Malware Analyst; Malware Response Team)

Posted 06 April 2016 - 02:32 AM

STEP 1
FRST Recovery Environment Scan


Note: You require access to a clean computer and USB drive.
Note: Please print off these instructions, or ensure you have access to them using a different device.

  • Insert your USB drive into a clean computer.
  • Please download Farbar Recovery Scan Tool (x64) using your clean computer, and save the file to your USB drive.
  • Insert the USB drive into the affected computer.
  • Enter the Recovery Environment by choosing one of the options below.
     

Option #1: Enter Recovery Environment (Windows 7/Vista)


  • Restart the affected computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select your keyboard language settings, and then click Next.
  • Select the operating system you wish to repair, and then click Next.
  • Select your user account, and then click Next.
     

Option #2: Enter Recovery Environment (Windows Installation Disc)


  • Insert your Windows installation disc into your affected computer.
  • Restart your computer.
  • Configure your computer to boot from CD/DVD. Instructions on how to do this can be found here.
  • If prompted, press any key to start Windows from the installation disc.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the Operating System you want to repair, and then click Next.
  • Select your user account, and then click Next.
     

Advanced Boot Options Menu


  • Select Command Prompt.
  • In the command window type notepad and press Enter on your keyboard.
  • Notepad will open. Click File followed by Open.
  • Click Computer, write down your USB drive letter on a piece of paper and close Notepad.
  • Type: x:\frst64.exe in the command window.
    • Note: Replace letter x with the drive letter of your USB drive you wrote down earlier.
  • Press Enter on your keyboard. The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Click Scan.
  • A log (FRST.txt) will be saved to your USB drive. Please attach the log in your next reply.
     

======================================================
 
STEP 2
Logs
In your next reply please include the following logs.

  • FRST.txt

Edited by Curie, 06 April 2016 - 02:32 AM.


#12 AbelsGambit (Topic Starter)

Posted 06 April 2016 - 06:46 PM

Okay, ran FRST from recovery and the log is attached.

Attached Files

  • Attached File  FRST.txt   57.05KB   2 downloads


#13 Struppigel (Karsten Hahn, G DATA Malware Analyst; Malware Response Team)

Posted 07 April 2016 - 02:51 AM

It looks like TDSSKiller took care of the rootkit. You can run the following steps after a normal startup.

 

STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    CreateRestorePoint:
    Reg: reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment"
    
    File: E:\Windows\Disable  task manager .bat
    E:\Windows\Disable  task manager .bat
    
    2016-03-21 11:18 - 2016-03-21 11:18 - 06493696 _____ C:\Users\Zach\AppData\Roaming\agent.dat
    2016-03-21 11:18 - 2016-03-21 11:18 - 01622132 _____ C:\Users\Zach\AppData\Roaming\Y-flex.tst
    2016-03-21 11:18 - 2016-03-21 11:18 - 00127488 _____ C:\Users\Zach\AppData\Roaming\Installer.dat
    2016-03-21 11:18 - 2016-03-21 11:18 - 00072707 _____ C:\Users\Zach\AppData\Roaming\Geofax.tst
    2016-03-21 11:18 - 2016-03-21 11:18 - 00018432 _____ C:\Users\Zach\AppData\Roaming\Main.dat
    
    Folder: E:\Windows\system32\vam\ori
    File: E:\Windows\system32\netsh.exe
    File: C:\Windows\system32\netsh.exe
    EmptyTemp:
    end
  • Click File, Save As and type fixlist.txt as the File Name.
  • Important: The file must be saved in the same location as FRST64.exe.

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.


  • Double-Click FRST64.exe to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Attach the log in your next reply

 

Please tell me how your computer is doing at the moment. I suppose the internet is still not working?

 



#14 AbelsGambit (Topic Starter)

Posted 07 April 2016 - 03:43 AM

Internet is working fine. That BSOD error in safe mode forced me to restore to a previous date (**I did not restore during the repair/removal process**; all the scans and logs since the beginning were after the last restore); it also returned access to the internet. Right now, the computer forces windowed programs to "hang" ("Not Responding" appears after their name) for a split second and deselects the current window (so if your cursor was in Microsoft Word in the middle of a sentence and the virus caused it to "hang", the cursor would vanish and the desktop would become active; it doesn't minimize the window, it's just like clicking outside the window). This happens with varying frequency, anywhere between every half second and every 3 seconds. Task Scheduler is also filled with pretty obvious malware, probably linked to the above problem.

 

EDIT: Might as well add another description of the issues for Google searchers: if I alt-tab out of a fullscreen program I cannot return to it via the desktop (like clicking the icon on the bottom). I have to open Task Manager and use the "Switch To" option in the Applications tab to return to it.

 

The internet dying was linked to running AdwCleaner. Whatever it removed killed access to the internet. Running the fix now...


Edited by AbelsGambit, 07 April 2016 - 03:57 AM.


#15 AbelsGambit (Topic Starter)

Posted 07 April 2016 - 03:50 AM

Log after fix list 2 attached.

Attached Files





