Topic: [Resolved] Redirected searches, unexpected shutdowns, and Internet locked


Offline E310

  • Bronze Member
  • Posts: 75
Dang! I should have looked here before I went to my niece's! I was feeling bad for messing us up.

OK ... well here's the one RK log that I could get. I'll go back tomorrow and run CF as explorer.exe and see what I can get. But I'll check here FIRST before I do to make sure I don't miss anything.


RogueKiller V7.0.4 [02/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User: ashley 2 [Admin rights]
Mode: Scan -- Date : 02/13/2012 22:23:57

Bad processes: 0

Registry Entries: 8
[ROGUE ST] HKCU\[...]\Run : 1726765432 (C:\Users\ASHLEY~1\AppData\Local\Temp\tmph7047515151046104399.tmp) -> FOUND
[ROGUE ST] HKUS\S-1-5-21-440622061-367233804-2337667113-1001[...]\Run : 1726765432 (C:\Users\ASHLEY~1\AppData\Local\Temp\tmph7047515151046104399.tmp) -> FOUND
[SUSP PATH] BearShareNAG.job : C:\Users\Adriana\AppData\Local\Temp\BearShare_setup.exe -> FOUND
[SUSP PATH] winupd.job : \\?\globalroot\Device\HarddiskVolume2\Users\ASHLEY~1\AppData\Local\Temp:winupd.exe -> FOUND
[SUSP PATH] ZooskMessenger.lnk : C:\Users\ashley 2\AppData\Local\Temp\ZooskMessenger.exe -> FOUND
[PROXY FF] tyclpdf5.default\ 127.0.0.1:53535 -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver: [LOADED]

Infection : 

HOSTS File:
127.0.0.1       localhost
::1             localhost


MBR Check:

Finished : << RKreport[1].txt >>
RKreport[1].txt


Eddie

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2677
Hi Eddie

It appears that there are a few different types of infections on Ashley's machine.  One annoying infection specifically blocks the use of malware removal tools, so we have to work around that.  Although there are a lot of really smart people writing malware, there are also a lot of really smart people removing it.
Before you do anything else, let's try this.

1.  Run RogueKiller again. 

2.  On the Registry tab, UNCHECK the following entries:

FOUND [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee}
FOUND [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D}

3.  Click the Delete button and click OK if necessary.

4.  Once that is complete click the ProxyFix button and click OK if necessary.

5.  Now click the Scan button and when that finishes, click on the report button to open RKreport.txt.

6.  Now open the RKQuarantine folder and right click on PhysicalDrive0_User.  Select send to compressed (zipped) folder.  Attach the zip file to your next post.

7.  Copy the code in the code box below.  Then click Start/Run and paste it into the input box.  Click OK.

Code:

cmd /k netsh winsock reset


Now reboot.


Remember to be sure Word Wrap is NOT turned on in any Notepad files you post and to be sure and check that all the data you entered was posted. 

Now please post the following to me as a reply to this post:
RKreport.txt
PhysicalDrive zip file
Let me know how your computer and browser are operating
If you have any other questions or problems, let me know that as well




Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline E310

  • Bronze Member
  • Posts: 75
Thanks, Bear. Do I not run ComboFix then? Also, in RK, do I leave the MBR box checked?

Eddie

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2677
Hi Eddie
Yes go ahead and run CF after you run the last set of instructions.  Also yes, leave the MBR checked. 

Offline E310

  • Bronze Member
  • Posts: 75
Hello Bear ... having a difficult time. Nothing wants to work according to your instructions. For example, I can't reboot. The computer gets stuck on shutting down. Overnight. Never shut down.

Another attempt, running RK with MBR checked. Ran all night. Still "Reading MBR ..."

Ran it with MBR unchecked, was able to delete the registry keys you indicated, cleared proxy, but when I went to the quarantine folder, there wasn't a "PhysicalDrive0_User" file to click on.

Ran ComboFix at the end of it all and nothing happened. The program seemed to run, but then I wasn't prompted to do anything. It opened, it did something, and it closed.

All I have to show is this "4th" report ... which is what I got on your step 5, but with MBR unchecked:

RogueKiller V7.0.4 [02/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User: ashley 2 [Admin rights]
Mode: Scan -- Date : 02/18/2012 17:33:58

Bad processes: 0

Registry Entries: 0

Particular Files / Folders:

Driver: [LOADED]

Infection : 

HOSTS File:
127.0.0.1       localhost
::1             localhost


MBR Check:

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

------------------------------------------------
Eddie


Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2677
Hi Eddie
The folder wasn't in the Quarantine file because by unchecking MBR you never created it.  Try running RK with MBR checked now that you have deleted the registry items.  I will also post additional instructions.

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2677
Hi Eddie
Did you rename CF to explorer.exe before you ran it?

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2677
Hi Eddie

Let's see if we can restore some of Ashley's PC functionality.

1.  Please download Junction.zip and save it to your flash drive.  Then copy it onto the desktop of Ashley's PC.
Unzip it and extract junction.exe to your C:\ drive so you have C:\Junction.exe.

2.  Now open Notepad and copy the code in the code box below and paste it into Notepad.

Code:
@ECHO OFF
REM List every NTFS junction under C:\ (recursively) and write the result to log.txt
cd c:\
junction -s c:\ >log.txt
start log.txt
REM Delete this batch file once it has run
del %0


Save it to your desktop as File name: junc.bat
Save as type: All Files

3.  Double click junc.bat to run it. A log will be presented. Copy and paste or attach the content of the log in your next reply. Make sure you get the full log.

4.  Now try and run the renamed ComboFix again.

5.  Copy aswMBR to Ashley's desktop.  Double click the aswMBR.exe.  It will open a command window and run.

6.  Click Scan.  When finished click save log.  Save it to your desktop as aswMBR.txt.

As always please check to be sure Word Wrap is NOT turned on in any Notepad files you post and please be sure to check that all the data you entered was posted.  If not, use multiple posts.

Now please post the following to me as a reply to this post:
Junction log
aswMBR.txt
Let me know how Ashley's computer and browser are operating
If you have any other questions or problems, let me know that as well



Offline E310

  • Bronze Member
  • Posts: 75
Bear ... when i went to post my reply this morning, I was blocked by this site with an error, because there was a virus detected on this, *my* family PC. MSE didn't find anything, so I downloaded Malwarebytes, ran it, and it *did* find the culprit.

I'll try to post my response now, if this is successful, with the scan logs from Ashley's computer.

Eddie

Offline E310

  • Bronze Member
  • Posts: 75
Hello again ... went to post my reply, but I got booted by your site again. I'm going to try to first post my report, then one scan log, and then the last to see how that goes.

Eddie

--------------------------------

Good morning Bear,

The first three steps did not work, until I ran junc.bat as administrator. I'll post the log below.

I renamed ComboFix to explorer, it did not run and the virus (I guess) renamed it back to ComboFix. I renamed it as winlogon. That didn't work, and it was renamed back to ComboFix again. So I tried renaming it as Notepad ... and that worked! But the same thing happened ... when ComboFix went to restart the computer, it was stuck on shutting down. I reran CF as Notepad in Safe Mode, and this time CF was able to reboot the computer and start cleaning ... but then it blue screened ... and it continues to blue screen and reboot at random.

You didn't provide a link for aswMBR, so I found one in another string, downloaded it, ran it, and was able to get a log.

I don't have the computer connected to the internet, so I can't test that. I'm afraid to, frankly.

Eddie

Offline E310

  • Bronze Member
  • Posts: 75
aswMBR version 0.9.9.1618 Copyright(c) 2011 AVAST Software
Run date: 2012-02-19 10:43:20
-----------------------------
10:43:20.070    OS Version: Windows 6.1.7600
10:43:20.070    Number of processors: 4 586 0x1707
10:43:20.070    ComputerName: ADRIANA-PC  UserName: ashley 2
10:43:20.709    Initialize success
10:44:03.320    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
10:44:03.320    Disk 0 Vendor: ST3250310AS 4.ADA Size: 238418MB BusType: 11
10:44:03.320    Disk 0 MBR read successfully
10:44:03.320    Disk 0 MBR scan
10:44:03.336    Disk 0 TDL4@MBR code has been found
10:44:03.336    Disk 0 Windows 7 default MBR code found via API
10:44:03.336    Disk 0 MBR hidden
10:44:03.336    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       39 MB offset 63
10:44:03.351    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       238377 MB offset 81920
10:44:03.351    Disk 0 MBR [TDL4]  **ROOTKIT**
10:44:03.351    Disk 0 trace - called modules:
10:44:03.367    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x862b449f]<<
10:44:03.367    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85f39560]
10:44:03.367    3 CLASSPNP.SYS[8918a59e] -> nt!IofCallDriver -> [0x85dc5b80]
10:44:03.383    5 ACPI.sys[836343b2] -> nt!IofCallDriver -> \IdeDeviceP2T0L0-4[0x85d8c030]
10:44:03.398    \Driver\atapi[0x861d6770] -> IRP_MJ_CREATE -> 0x862b449f
10:44:03.398    Scan finished successfully
10:44:49.496    Disk 0 MBR has been saved successfully to "C:\Users\ashley 2\Desktop\MBR.dat"
10:44:49.512    The log file has been saved successfully to "C:\Users\ashley 2\Desktop\aswMBR.txt"
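As an added example, not from this thread or from the RogueKiller or aswMBR authors: a Python triage script that applies the same reading Bear gives the two reports. It takes the tagged FOUND lines from the RogueKiller report earlier in the thread and the timestamped lines from the aswMBR log just posted, classifies each indicator (autorun entries and scheduled tasks launching from Temp, a task launching an NTFS alternate data stream, a Firefox proxy on a loopback port, and the TDL4 MBR signature, hidden MBR and unknown module in the disk I/O trace), and counts findings by severity. The sample inputs are constructed from lines copied out of the thread; the indicator names and severity labels are this example's own choices, not output of either tool.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str    # which report the line came from
    kind: str      # indicator class (this example's own labels)
    severity: str  # "high" or "medium"
    detail: str    # the report line, trimmed


# RogueKiller prints one tagged line per hit: "[TAG] name : target -> FOUND"
RK_LINE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s*(?P<body>.+?)\s*->\s*FOUND$")
# Anything launched from a user's Temp folder deserves a second look
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "...\Temp:winupd.exe" is an NTFS alternate data stream attached to the Temp folder itself
ADS_PATH = re.compile(r"\\Temp:[^\\\s]+$", re.IGNORECASE)
# A browser proxy pointing at a loopback port is what redirected the searches in this thread
LOOPBACK_PROXY = re.compile(r"\b127\.0\.0\.1:\d+")

# aswMBR prints "HH:MM:SS.mmm    message"; these substrings mark its rootkit findings
ASW_LINE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+(?P<msg>.+)$")
ASW_SIGNALS = [
    ("TDL4@MBR code has been found", "bootkit signature in MBR"),
    ("MBR hidden", "real MBR hidden from the OS"),
    (">>UNKNOWN [", "unknown module in the disk I/O path"),
    ("IRP_MJ_", "driver dispatch routine hooked"),
    ("**ROOTKIT**", "tool verdict: rootkit"),
]


def triage_roguekiller(report: str) -> list[Finding]:
    """Classify every FOUND line of a RogueKiller report; other lines are skipped."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        m = RK_LINE.match(raw.strip())
        if not m:
            continue
        tag, body = m["tag"], m["body"]
        if tag == "ROGUE ST":
            kind, sev = "rogue autorun entry", "high"
        elif tag == "SUSP PATH" and ADS_PATH.search(body):
            kind, sev = "task launching an alternate data stream", "high"
        elif tag == "SUSP PATH" and TEMP_PATH.search(body):
            kind, sev = "task or shortcut launching from Temp", "medium"
        elif tag == "PROXY FF" and LOOPBACK_PROXY.search(body):
            kind, sev = "browser proxy on loopback port (search redirection)", "high"
        elif tag == "HJ":
            kind, sev = "hijacked shell setting", "medium"
        else:
            kind, sev = f"other ({tag})", "medium"
        findings.append(Finding("roguekiller", kind, sev, raw.strip()))
    return findings


def triage_aswmbr(report: str) -> list[Finding]:
    """Pick the rootkit indicators out of an aswMBR log (first matching signal per line)."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        m = ASW_LINE.match(raw.strip())
        if not m:
            continue
        for needle, kind in ASW_SIGNALS:
            if needle in m["msg"]:
                findings.append(Finding("aswmbr", kind, "high", m["msg"]))
                break
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed samples: lines copied from the two reports posted in this thread
RK_SAMPLE = r"""
[ROGUE ST] HKCU\[...]\Run : 1726765432 (C:\Users\ASHLEY~1\AppData\Local\Temp\tmph7047515151046104399.tmp) -> FOUND
[ROGUE ST] HKUS\S-1-5-21-440622061-367233804-2337667113-1001[...]\Run : 1726765432 (C:\Users\ASHLEY~1\AppData\Local\Temp\tmph7047515151046104399.tmp) -> FOUND
[SUSP PATH] BearShareNAG.job : C:\Users\Adriana\AppData\Local\Temp\BearShare_setup.exe -> FOUND
[SUSP PATH] winupd.job : \\?\globalroot\Device\HarddiskVolume2\Users\ASHLEY~1\AppData\Local\Temp:winupd.exe -> FOUND
[SUSP PATH] ZooskMessenger.lnk : C:\Users\ashley 2\AppData\Local\Temp\ZooskMessenger.exe -> FOUND
[PROXY FF] tyclpdf5.default\ 127.0.0.1:53535 -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
"""

ASW_SAMPLE = r"""
10:44:03.320    Disk 0 MBR read successfully
10:44:03.336    Disk 0 TDL4@MBR code has been found
10:44:03.336    Disk 0 MBR hidden
10:44:03.351    Disk 0 MBR [TDL4]  **ROOTKIT**
10:44:03.367    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x862b449f]<<
10:44:03.398    \Driver\atapi[0x861d6770] -> IRP_MJ_CREATE -> 0x862b449f
10:44:03.398    Scan finished successfully
"""

if __name__ == "__main__":
    for f in triage_roguekiller(RK_SAMPLE) + triage_aswmbr(ASW_SAMPLE):
        print(f"[{f.severity:6}] {f.source}: {f.kind} :: {f.detail}")
```

Run against the samples it reports four high and four medium findings for the RogueKiller lines and five high findings for the aswMBR lines; the loopback proxy accounts for the redirected searches and the hidden, TDL4-signed MBR plus the unknown module in the atapi dispatch path is the rootkit Bear goes after next.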

Offline E310

  • Bronze Member
  • Posts: 75
Seems to be the junction log, Bear. I get this:

HTTP Error 403 Forbidden

You don't have permission to access

/simplemachinesforum/index.php?action=post2;start=15;board=10 on this server.

Your computer may be infected with a virus or a trojan. The Firewall has determined that you: Request Entity Attack: [percent symbol, the number 2, and a lower-case f followed by an exclamation mark]

If you get this message in error, please contact the ADM1N and provide the date and time of this message.

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2677
Hi Eddie

Sorry about the website problem.  We get thousands of attacks on the website, so the admins have installed some heavy duty software to prevent that.  Occasionally it will bite someone (I've been bit before).  The work around, if it happens again, is to zip the response and attach it.  That should work, but if there are still probs, just PM me.

I gave you a link to aswMBR in a prior post.  I thought you had downloaded it to your flash USB drive.

Good news we found the critter.  Now to get rid of it.  Be back with instructions.

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2677
Hi Eddie

OK, let's go get this sucker!

1.  Re-run aswMBR.exe.  Click [Scan].  On completion of the scan click [Fix].

2.  On completion of the scan click [Save log], save it to your desktop and post in your next reply.

3.  Reboot your PC.

4.  You should already have TDSSKiller.exe on your USB flash drive.  If not download it using previous instructions.

5.  Doubleclick on TDSSKiller.exe to run the application. Now click Start Scan.

6.  Click on Change parameters and place a checkmark next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

7.  If an infected file is detected, the default action will be Cure, click on Continue.  If a suspicious file is detected, the default action will be Skip, click on Continue.

Click on Reboot Now if you are asked to reboot the computer.

8.  If reboot is NOT required, click on Report.   Please copy that file.  If a reboot IS required, the report can also be found in your root directory (usually C:\ folder).   Its file name will take the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy that file.

As always please check to be sure Word Wrap is NOT turned on in any Notepad files you post and please be sure to check that all the data you entered was posted.  If not, use multiple posts.

Now please post the following to me as a reply to this post:
aswMBR.txt
TDSSKiller log
Let me know how Ashley's computer and browser are operating
If you have any other questions or problems, let me know that as well

PS  If MBAM found something on your personal PC, you might want to have a look at that as well.  If you wish, you can post me the mbam-log-(date) and I'll look at it.




Offline E310

  • Bronze Member
  • Posts: 75
Hey Bear ... FYI ... I only got as far as Step 2 and the machine rebooted. But it won't start up on its own now. I am running "startup repair." Is that OK?

Eddie