
Registry: http://kb-ribaki.org keeps getting back


  • This topic is locked
6 replies to this topic

#1 phustje

phustje

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:02 PM

Posted 20 March 2017 - 09:52 AM

My registry keeps getting updated by something after each reboot. The following items is added at boot: "explorer.exe http://kb-ribaki.org"

I've manually removed from the registry entry but it keeps coming back.

Attached Files





#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:02 PM

Posted 20 March 2017 - 08:27 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download the attached file fixlist.txt and save it to the Desktop.

Copy FRST64.exe to your Desktop as well!

NOTE. It's important that both files, FRST64.exe and fixlist.txt are in the same location or the fix will not work.

 

Run FRST64.exe and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please restart your computer in Normal Mode and post back the log file in your next reply.

This script was written specifically for you, for use on that particular machine.

 

Let me know how are things after the fix above.

 

 

Regards,

Georgi




#3 phustje

phustje
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:02 PM

Posted 21 March 2017 - 02:53 AM

Hi Georgi,

 

Thanks for your help. Unfortunately the fix did not help. I did all the steps mentioned in your post.

 

Edit: I've added the new FRST and addition files from after the fix.

 

Attached Files


Edited by phustje, 21 March 2017 - 03:00 AM.


#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:02 PM

Posted 21 March 2017 - 03:55 AM

Hi,

 

Do you recognize the following IP's?

 

Tcpip\Parameters: [DhcpNameServer] 145.4.228.3 145.4.228.4

 

At least the scheduled task didn't recreate.

 

Task: {83BE0ACA-D77F-43E5-816A-B1FCA8AA2B52} - System32\Tasks\patrick => /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v patrick /t REG_SZ /d "explorer.exe hxxp://kb-ribaki.org" <==== ATTENTION

 

 

Regards,

Georgi


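An added example, written for this page and not part of the thread or of FRST's own logic. The task Georgi quotes is the typical shape of this persistence chain: a scheduled task whose only job is to run reg.exe and re-create the Run value on each boot, which is why deleting the value by hand never sticks. The PowerShell below (Windows 8 and later, ScheduledTasks module, elevated prompt) lists every task action that writes to a Run/RunOnce key and every Run/RunOnce value that launches explorer.exe with a URL. The two regexes and the commented-out removal lines are my assumptions about what to flag, not anything the fixlist did.

```powershell
# Added example (not from the thread, not FRST's logic). On Windows 8 and later, list the two halves of
# the persistence chain seen above: scheduled-task actions that re-create a Run/RunOnce value with
# reg.exe, and Run/RunOnce values that launch explorer.exe with a URL. Run from an elevated prompt so
# every task folder is readable. The patterns are my assumptions about what to flag.

# A task action whose command line writes under ...\CurrentVersion\Run or \RunOnce via reg.exe.
$RunKeyWriter = 'REG(\.EXE)?\s+ADD\s+.*\\CurrentVersion\\(Run|RunOnce)\b'
# A Run value that uses explorer.exe as a URL launcher (what the value "patrick" looked like).
$UrlLauncher  = '^\s*"?explorer(\.exe)?"?\s+https?://'

function Find-RunKeyWriterTasks {
    # Hidden tasks are returned too; the "hidden" flag only affects the Task Scheduler UI.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = ("$($a.Execute) $($a.Arguments)").Trim()
            if ($cmd -match $RunKeyWriter) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    State    = $task.State
                    Command  = $cmd
                }
            }
        }
    }
}

function Find-UrlLauncherRunValues {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # PSPath, PSParentPath, ... are provider noise
            if ("$($p.Value)" -match $UrlLauncher) {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

$tasks  = @(Find-RunKeyWriterTasks)
$values = @(Find-UrlLauncherRunValues)
"Tasks that re-create a Run value: $($tasks.Count)";  $tasks  | Format-Table -AutoSize
"Run values launching a URL:       $($values.Count)"; $values | Format-Table -AutoSize

# Removal, once the output has been reviewed. Remove the task first: deleting only the value
# means the task writes it back on the next boot, which is exactly the symptom in this thread.
# $tasks  | ForEach-Object { Unregister-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName -Confirm:$false }
# $values | ForEach-Object { Remove-ItemProperty -Path $_.Key -Name $_.Name }
```

If the task list comes back empty but the value still returns after a reboot, something other than a scheduled task is writing it (a service, a startup program, a WMI subscription, or Group Policy), and the boot-time Process Monitor capture in the later post is the right next step.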


#5 phustje

phustje
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:02 PM

Posted 23 March 2017 - 02:46 AM

Quoting B-boy/StyLe/ (post #4):

    Do you recognize the following IP's?

    Tcpip\Parameters: [DhcpNameServer] 145.4.228.3 145.4.228.4

    At least the scheduled task didn't recreate.

    Task: {83BE0ACA-D77F-43E5-816A-B1FCA8AA2B52} - System32\Tasks\patrick => /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v patrick /t REG_SZ /d "explorer.exe hxxp://kb-ribaki.org" <==== ATTENTION

About the IP's: I'm not exactly sure if they're IP's from work or not.

But it seems there's no way to get this damn registry issue sorted without deleting it every time by hand?



#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:02 PM

Posted 23 March 2017 - 11:38 AM

Hi,

 

 

It shouldn't be that hard. I checked a few similar topics and the problem there was resolved by deleting the scheduled task and the registry entry. I am not sure why it didn't work for you, but I have some ideas to try. It is possible that your router settings are hijacked and need to be restored to default (if you have a router), that a program you are using is setting it on start, or that your DNS is hijacked (the IP's I asked about above are located in the Netherlands, but your regional settings are for the United States).

 

Platform: Windows 8.1 Pro (Update) (X64) Language: English (United States)

Tcpip\Parameters: [DhcpNameServer] 145.4.228.3 145.4.228.4 =>  Netherlands

 

Let's try this way:

 

 

STEP 1

 

 

Please download Process Monitor and save it to your desktop. Extract the archive to your desktop and run the file procmon.exe

 

Process Monitor will begin logging from the moment it starts running. To stop this, click the "Capture" icon.

Clear all the events that Process Monitor recorded by clicking the "Clear" icon.

Now go into the Options menu and select Enable Boot Logging.

You will be presented with a dialog. Ensure that profiling events are generated every second and click OK.

 

 

 

STEP 2

 

 

Please download the attached file fixlist.txt and save it to the Desktop.

Copy FRST64.exe to your Desktop as well!

NOTE. It's important that both files, FRST64.exe and fixlist.txt are in the same location or the fix will not work.

 

Run FRST64.exe and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Restart your computer if asked to do so and post back the log file in your next reply.

This script was written specifically for you, for use on that particular machine.

 

 

STEP 3

 

 

Wait for the computer to boot in Normal Mode.

 

Allow the system to fully load windows and any associated startup programs (and see if the registry entry is back again).

 

Next double-click on the Procmon.exe file to run Process Monitor again.

 

Upon opening Procmon.exe, you will be presented with a dialog asking whether to save the collected data.

 

Click Yes to save the collected data. Insert in the “File name” field the desired name for the output and select the "Save" button.

 

Close Process Monitor.

 

Compress and archive (zip) the PML file and upload it here then post the link to the file in your next reply.

 

 

STEP 4

 

 

Also please set the Google DNS servers.

 

Right click the Network icon in the task bar notification area, and then click Open Network and Sharing Center.

Click Change adapter settings.

 

Right click your network adapter and select Properties.

Highlight Internet Protocol Version 4 (TCP/IPv4) and click the Properties button.

Now change the option Obtain DNS server address automatically to Use the following DNS server addresses.

Set Google's public DNS server as your alternate DNS server.

Preferred DNS server should be: 8.8.8.8

Alternate DNS server should be: 8.8.4.4

When you’re finished click OK.

 

 

Let me know how are things after the steps above.

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 23 March 2017 - 11:54 AM.
typo.

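An added example for STEP 1 to STEP 3 above; it is mine, not Georgi's and not part of the thread. Once the boot log has been saved, the question that matters is "which process set the Run value, and who started that process". Process Monitor can export the log as CSV (File > Save..., "Comma-Separated Values", default columns), and this PowerShell reads that export, finds every write to a Run/RunOnce value, and walks the Process Create events back to reconstruct the chain of ancestors. The rows in $SampleCsv are constructed to show the column layout; they are not the poster's real log, and the PIDs and svchost.exe parent are invented.

```powershell
# Added example (not from the thread). Triage a Process Monitor boot log exported as CSV
# (File > Save..., "Comma-Separated Values", default columns): find every write to a Run/RunOnce
# value and reconstruct the chain of processes that led to it from the Process Create events.
# $SampleCsv is constructed here to show the column layout; it is not the poster's real log.

$SampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:01:02.1234567 AM","svchost.exe","884","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 3120, Command line: cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v patrick /t REG_SZ /d ""explorer.exe http://kb-ribaki.org"""
"7:01:02.2345678 AM","cmd.exe","3120","Process Create","C:\Windows\System32\reg.exe","SUCCESS","PID: 3144, Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v patrick /t REG_SZ /d ""explorer.exe http://kb-ribaki.org"""
"7:01:02.3456789 AM","reg.exe","3144","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\patrick","SUCCESS","Type: REG_SZ, Length: 68, Data: explorer.exe http://kb-ribaki.org"
"7:01:05.0000000 AM","explorer.exe","3300","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\patrick","SUCCESS","Type: REG_SZ, Length: 68, Data: explorer.exe http://kb-ribaki.org"
'@

function Find-RunValueWriters {
    # $Events: rows from Import-Csv / ConvertFrom-Csv of a Procmon export.
    param([Parameter(Mandatory)][object[]]$Events)

    # Index Process Create events by the PID they created, so ancestor lookups are direct.
    $createdBy = @{}
    foreach ($e in $Events) {
        if ($e.Operation -eq 'Process Create' -and $e.Detail -match '^PID:\s*(\d+)') {
            $createdBy[[int]$Matches[1]] = $e
        }
    }

    $writes = $Events | Where-Object {
        $_.Operation -eq 'RegSetValue' -and $_.Path -match '\\CurrentVersion\\(Run|RunOnce)\\'
    }
    foreach ($w in $writes) {
        # Walk back: writer -> creator -> creator's creator ... (bounded, in case of PID reuse loops)
        $chain  = @()
        $procId = [int]$w.PID
        $name   = $w.'Process Name'
        for ($depth = 0; $depth -lt 10; $depth++) {
            $chain += "$name [$procId]"
            if (-not $createdBy.ContainsKey($procId)) { break }
            $creator = $createdBy[$procId]
            $procId  = [int]$creator.PID
            $name    = $creator.'Process Name'
        }
        # Command line of the writer itself, if its own Process Create event was captured.
        $writerPid = [int]$w.PID
        $command   = ''
        if ($createdBy.ContainsKey($writerPid)) {
            $command = $createdBy[$writerPid].Detail -replace '^.*?Command line:\s*', ''
        }
        [pscustomobject]@{
            Time    = $w.'Time of Day'
            Value   = $w.Path
            Data    = ($w.Detail -replace '^.*?Data:\s*', '')
            Chain   = ($chain -join ' <- ')
            Command = $command
        }
    }
}

# Run against the constructed sample; for a real export use: Find-RunValueWriters (Import-Csv .\Logfile.CSV)
Find-RunValueWriters (ConvertFrom-Csv $SampleCsv) | Format-List
```

For the sample this prints a chain of reg.exe <- cmd.exe <- svchost.exe, which is what a scheduled task looks like from the log's point of view; a different top of the chain (a service binary, a browser, an installer) points at a different persistence mechanism. A boot log is large, so filter the CSV to RegSetValue and Process Create rows before exporting if Process Monitor is struggling with it.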

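An added example for STEP 4 and for the DhcpNameServer question raised earlier; it is mine, not Georgi's and not FRST's own logic. It audits, per connected adapter, the DHCP-supplied resolvers (the per-interface copy of the DhcpNameServer value FRST summarises), any static NameServer override, and what the resolver is actually using right now, then provides the pin-to-8.8.8.8/8.8.4.4 and revert steps from STEP 4 as functions. The private-range check is my addition: corporate DHCP normally hands out RFC 1918 resolver addresses, which is one quick way to judge the "is it from work?" question. Needs the NetAdapter and DnsClient modules (Windows 8 and later); the Set-* and Reset-* functions need an elevated prompt.

```powershell
# Added example (not from the thread, not FRST's logic): audit the resolver configuration that FRST
# summarises as "Tcpip\Parameters: [DhcpNameServer]", then pin or unpin public DNS per adapter.
# Needs the NetAdapter / DnsClient modules (Windows 8 and later); Set-PublicDns and Reset-DhcpDns
# need an elevated prompt. 8.8.8.8 / 8.8.4.4 are the servers from STEP 4 above.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Test-PrivateIPv4 {
    # RFC 1918 ranges (10/8, 172.16/12, 192.168/16). A corporate DHCP server usually hands out
    # resolvers in these ranges; an ISP's are public, so "public" alone does not mean hijacked.
    param([string]$Address)
    return ($Address -match '^10\.' -or
            $Address -match '^172\.(1[6-9]|2\d|3[01])\.' -or
            $Address -match '^192\.168\.')
}

function Get-GlobalDhcpNameServer {
    # The value FRST prints as "Tcpip\Parameters: [DhcpNameServer]".
    (Get-ItemProperty -Path $TcpipParams -ErrorAction SilentlyContinue).DhcpNameServer
}

function Get-DnsAudit {
    # One row per connected adapter: DHCP-supplied servers (per-interface copy of DhcpNameServer),
    # any static override (NameServer), and what the resolver is actually using right now.
    foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
        $key    = "$TcpipParams\Interfaces\$($nic.InterfaceGuid)"
        $reg    = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        $dhcp   = if ($reg -and $reg.DhcpNameServer) { @($reg.DhcpNameServer -split '\s+') }  else { @() }
        $static = if ($reg -and $reg.NameServer)     { @($reg.NameServer -split '[,\s]+') }    else { @() }
        $active = @((Get-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -AddressFamily IPv4).ServerAddresses)
        $source = 'DHCP'
        if ($static.Count -gt 0) { $source = 'static' }
        $public = @($active | Where-Object { -not (Test-PrivateIPv4 $_) })
        [pscustomobject]@{
            Adapter        = $nic.Name
            DhcpNameServer = ($dhcp -join ' ')
            NameServer     = ($static -join ' ')
            Active         = ($active -join ' ')
            Source         = $source
            PublicServers  = ($public -join ' ')   # worth a whois if you did not expect any
        }
    }
}

function Set-PublicDns {
    # Pin every connected adapter to the given resolvers (default: the STEP 4 servers).
    param([string[]]$Servers = @('8.8.8.8', '8.8.4.4'))
    foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
        Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ServerAddresses $Servers
    }
    Clear-DnsClientCache
}

function Reset-DhcpDns {
    # Undo Set-PublicDns: back to the DHCP-supplied resolvers.
    foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
        Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ResetServerAddresses
    }
    Clear-DnsClientCache
}

"Global DhcpNameServer: $(Get-GlobalDhcpNameServer)"
Get-DnsAudit | Format-Table -AutoSize
# Set-PublicDns    # elevated; pins every connected adapter to 8.8.8.8 / 8.8.4.4
# Reset-DhcpDns    # elevated; back to DHCP-supplied resolvers
```

Pinning the client's resolver sidesteps a hijacked router or rogue DHCP server but does not fix it; the router still needs its settings checked and restored. On a work network the DHCP-supplied resolvers are normally the employer's, and replacing them breaks resolution of internal-only names, so run the audit and confirm with whoever owns the network before pinning.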

#7 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:02 PM

Posted 28 March 2017 - 04:50 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





