Recommended Posts

hi

 

making a new thread related to my internet connection and also suspecious files

 

2 weeks ago MBAM Anti-rookit detected

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\Image File Execution Options\CMD.exe
i quarantined the file but today for no reason after rebooting a CMD.exe opened and closed
is HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\Image File Execution Options safe?

 

 

Share this post


Link to post
Share on other sites

Download AdwCleaner and save it on your desktop.

  • Close all open programs and Internet browsers (you may want to print our or write down these instructions first).
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Confirm each time with OK.
  • You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  • Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
  • If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.
Download Junkware Removal Tool and save it on your desktop.
  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.
SearchScopes: HKLM - DefaultScope value is missing.
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -  No File
S4 CiSvc; No ImagePath
S1 7273529drv; No ImagePath
U3 Partizan; No ImagePath
S3 taphss; No ImagePath
U3 TlntSvr;
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLEREGISTRYTOOLS" /f
C:\Program Files\idoo\Video Editor\Repair.txt
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:07BF512B
Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system to restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Share this post


Link to post
Share on other sites

Image File Execution Options are necessary. However, it is often manipulated by malware.

Download ComboFix from Link

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

!!! IMPORTANT !!! Save ComboFix to your Desktop

NOTE: ComboFix is an advanced utility, and is not like traditional automated tools. It will delete anything that it knows is bad without asking for confirmation, it will save backup copies in it's quarantine automatically, it will restart your computer, and it will produce a log that allows me to analyze and determine if there is anything left over. This log will not contain any personal information, or information about any of your documents, pictures, music, videos, etc. It only compiles information on which applications/drivers/etc were installed within the last 30 days, any applications that have certain properties that could be used for malicious purposes, and most of the load points on your system that can be abused by malicious software. If there is a false positive, and something gets deleted that should not, then I can write a script for ComboFix that will tell it to restore specific items that it deleted.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    See HERE for help

  • Double click on Combo-Fix & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**NOTE: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

NOTE:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

3. If you get a message that states "illegal operation attempted on a registry key that has been marked for deletion" restart your computer.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Share this post


Link to post
Share on other sites

ComboFix looks OK.

Read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.

    tdss1.png

  • Click Change parameters

    settings20121003115955.png

  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK

    tdss3.png

  • Click on the Start Scan button to begin the scan and wait for it to finish.

    NOTE: Do not use the computer during the scan!

  • During the scan it will look similar to the image below:

    tdss4.jpg

  • When it finishes, you will either see a report that no threats were found like below:

    tdss5.jpg

    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop which you can just close since the report file is already saved.

  • If any infection or suspected items are found, you will see a window similar to below:

    tdss7.jpg

    • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
    • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. A window like the below will appear:

    tdss6.jpg

    Reboot immediately if TDSSKiller states that one is needed.

  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  • Attach this log to your next reply.

Share this post


Link to post
Share on other sites

Everything is looking good. Let's keep digging.

Download Runscanner to your desktop and run it.

  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file
  • Call the .run file runscanner.run and save it to your desktop. You will see the .run file on your desktop. Zip runscanner.run and attach it to your next reply.

    To create a Zip file in Windows:

    • Right-click on runscanner.run.
    • Select "Send To", and then click "Compressed (zipped) Folder". A new compressed file name runscanner.zip will be created.

Share this post


Link to post
Share on other sites

Download and save runscanner.zip to your Desktop: http://downloads.malwareteks.com/runscanner.zip

  • Save it to your desktop, extract the contents, then double click the runscanner icon this will run the program.
  • You will notice several entries in red and in blue.
  • Click the button at the top called Item Fixer
  • Accept the warning(s) and repeat until they are all gone.
  • Reboot your PC

Share this post


Link to post
Share on other sites

Let's try a different tool.

Download RogueKiller from one of the following links and save it to your desktop:

  • Link 1
  • Link 2
    • Close all programs and disconnect any USB or external drives before running the tool.
    • Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator).
    • Once the Prescan has finished, click Scan.
    • Once the Status box shows "Scan Finished", just close the program. <--Don't fix anything!
    • Copy and paste the report that opens into your next reply.
      • The log can also be found on your desktop labeled (RKreport[X]_S_xxdatexx_xtimex)
      • The highest number of [X], is the most recent Scan

Share this post


Link to post
Share on other sites

Run RogueKiller and run a scan. After it finishes the scan, select the

Driver tab and then select any of the below that exist and then click

the Delete button.

Inline] SSDT[199] : NtRequestPort @ 0x805E6B17 -> HOOKED (Unknown @ 0xBA7F0480)
[Inline] SSDT[200] : NtRequestWaitReplyPort @ 0x8057D153 -> HOOKED (Unknown @ 0xBA7F0520)
[Address] EAT @firefox.exe (FREEBL_GetVector) : Normaliz.dll -> HOOKED (C:\Program Files\Mozilla Firefox\freebl3.dll @ 0x088A1000)
Restart your PC.

Run a new scan with RogueKiller and save a log as in original

instructions and attach the new log.

Share this post


Link to post
Share on other sites

i selected the files deleted them and restarted

did another scan and [Address] EAT @firefox.exe (FREEBL_GetVector) : Normaliz.dll -> HOOKED (C:\Program Files\Mozilla Firefox\freebl3.dll @ 0x088A1000)

was still being detected tryed to delete it and restarted my computer scan now it detect the two other malwares [Inline] SSDT[199] & [Inline] SSDT[200]

Share this post


Link to post
Share on other sites

Run TDSSKIller again. This time enable all options in "Objects to scan" and reboot is required. Once the system restarts and TDSSKiller loads select all options under "Additional options", click scan. Cure whatever TDSSKIller automatically selects for fixing and attach the TDSSKiller log to your reply.

Share this post


Link to post
Share on other sites

for some reason roguekiller still detect those two entry i cannot delete them

[inline] SSDT[199] : NtRequestPort @ 0x805E6B17 -> HOOKED (Unknown @ 0xBA72D480)
[inline] SSDT[200] : NtRequestWaitReplyPort @ 0x8057D153 -> HOOKED (Unknown @ 0xBA72D520)

Share this post


Link to post
Share on other sites

for some reason roguekiller still detect those two entry i cannot delete them

[inline] SSDT[199] : NtRequestPort @ 0x805E6B17 -> HOOKED (Unknown @ 0xBA72D480)

[inline] SSDT[200] : NtRequestWaitReplyPort @ 0x8057D153 -> HOOKED (Unknown @ 0xBA72D520)

I'm working on that, not sure what is actually hooked.

Download avz4.zip from here

  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: AVZupdate.jpg
  • Click Start to begin the update

    Note: If you receive an error message, chose a different source, then click Start again

  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Analysis
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.

Share this post


Link to post
Share on other sites

Looks like the Kernal Module dump_WMILIB.SYS driver is responsible for the ntoskernal hook.

How are things running?

Share this post


Link to post
Share on other sites

things are running great thank you again kevin

 

any idea how to fix my internet icon not showing in the task bar problem (i also can't see the internet status page)

Share this post


Link to post
Share on other sites

like i said in our private message i already tryed this method

its like my Network Connection is corrupted (i delete all the Network Connections with regedit in my registry but it didn't help)

even when i activate/deactivate the connection i have to right click -> refresh to see if the icon if activated or deactivated

Share this post


Link to post
Share on other sites

Thread Closed

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.