RBlackhall

Please help with Trojan.crypt!E2


Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


I downloaded combofix.exe as combo-fix.exe, disabled AVG, shut all windows, and executed combo-fix.exe. It said AVG anti-spyware was still active.

I went into AVG and disabled everything I could find. Every option showed inactive.

I told combo-fix to go ahead

It opened a dos-box and

Created a recovery point

Said it was scanning for infected files.

A few minutes later, the computer rebooted

After reboot, I could not find C:\Combofix.txt or C:\Combo-fix.txt, so I can't attach it.

There is a FOLDER called C:\Combo-fix but it is empty

I waited a few minutes, re-enabled AVG and connected to the internet.

About 5 minutes later, the computer displayed another AVG message and abruptly rebooted, which it never did before.

After the reboot, I haven't seen any messages for over 30 minutes or seen any problems, which is better than it has been. I was getting an AVG notice every 15 minutes.


We're going to need that ComboFix log (I can analyze it to see if there are any signs of an infection that were not removed), so go ahead and uninstall any AVG software, restart your computer, and then run the utility at this link (restarting your computer when asked) to make sure that nothing was left behind. You can reinstall AVG once I've been able to make sure that your computer is clean.

After uninstalling AVG, go ahead and run ComboFix again, and get me a copy of the log. ;)


I must apologize. There may have been a combofix.txt file before. The c:\combo-fix is not empty, but refuses to show the files under Explorer. However, under a DOS window, I am able to view and copy those files. I have worked with various Windows versions over the years but I don't understand why I can't view the files under the c:\combo-fix folder. According to properties/security on C: I have complete access to every file on the C: drive. Anyway, here is the combofix.txt from the last run.

The combo-fix.exe ran through Stage_5, then rebooted.


Please follow the instructions at this link to run TDSSKiller, and allow it to either Cure or Delete anything bad it detects.


Hello, Arthur.

I ran TDSSKILLER. It found two things, VIRUS.WIN32.ZACCESS.K and ROOTKIT.BOOT.PIHAR.B

After it rebooted I was not able to properly log on. I got a sparse desktop and a balloon that said "failed to connect to a window service" or similar. It went away before I could capture it all. Something about the USER PROFILE SERVICE not working. I went to SERVICES, and USER PROFILE SERVICE was started, so I logged off and was able to then log back on to the ADAM userid successfully.

Now, TDSSKILLER shows VIRUS.WIN32.ZACCESS.C and I have lost internet connection on that computer.

Awaiting the next round of instructions.


ZeroAccess? This is a very nasty rootkit. I was talking to someone the other day who has extensive experience removing the ZeroAccess rootkit, and it is possible that we will have to use a boot disk to get rid of it.

Before we go to that extreme, please try ComboFix one more time, and attach the log to a reply. Make sure to download the latest ComboFix from one of the links below:

Link 1

Link 2


I believe I have some good news.

I downloaded combofix to a USB drive and copied it to the problem system (no internet access).

I ran Combofix and it reported "You are infected with Rootkit.zeroaccess! ...."

It rebooted.

Tried to logon 'ADAM' user, and it said "User PROFILE SERVICE FAILED THE LOGON", etc with an OK box, which I clicked.

Then it logged on and I got a blue combo-fix box --

Combofix is preparing to run

Then it ran stage_1 through stage_50 and listed out a ton of files.

Then it said it was rebooting and "Tried to write to a nonexistent pipe".

After the reboot, got a ComboFix box saying "do not run any programs until Combofix has finished".

while it was running, the Windows Installer ran and installed something.

Also, a windows box popped up labeled "STATUS" saying "The feature you are trying to use is on a network resource that is unavailable." Click OK to try again or enter an alternate path to a folder containing the installation package "status.msi" in the box below.

filename box user source: C:\Users\Adam\AppData\Local\Temp\7Zs%DB4 .... can read rest.

That box is still on the screen --- I haven't clicked OK or Cancel yet.

The Combofix seemed to end. It said "Combo Fixes' Log shall be located at C:\combofix.txt" and the file popped up in Notepad.

The Internet works again through my wireless device, and I'm replying on the infected machine. I'm attaching the combofix.txt to this reply.


ZeroAccess? That is a pretty nasty rootkit, and I hadn't heard anything about ComboFix being able to clean up the latest variants of it, so let's get some more information to make sure that it did really get removed.

Please get me a log from TDSSKiller by following the instructions below:

  1. Download TDSSKiller from this link and save it on your desktop.
  2. Run the TDSSKiller download that you saved.
  3. Click on Change parameters as it shows in the following screenshot:
    tdsskiller_report_001.png
  4. Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK:
    tdsskiller_report_002.png
  5. Click the Start scan button as in the following screenshot:
    tdsskiller_report_003.png
  6. You will see the following as the scan runs:
    tdsskiller_report_004.png
  7. If there are any threats or malicious items detected, then make sure the option to the right of each item is set to Skip, as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!). Note that you can click on the selected action to open a list and change it if it is not set to Skip automatically. When everything is set to Skip, click Continue at the bottom:
    tdsskiller_report_005.png
  8. Click on Report in the upper-right corner, as in the following screenshot:
    tdsskiller_report_006.png
  9. You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report.
    tdsskiller_report_007.png
  10. Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report.
    tdsskiller_report_008.png
  11. Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list.
  12. Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot:
    tdsskiller_report_009.png
  13. Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot. Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
    tdsskiller_report_010.png


Ok, Arthur, I have done as you asked. The report is attached. (still have the hanging INSTALL box open from yesterday asking me where to find status.msi -- maybe that is holding up the virus for a bit)


OK, according to that log ComboFix did not completely remove the ZeroAccess infection, and one of your system files is still infected. Fortunately, the ComboFix log shows a backup copy of the infected system file that appears to be clean. That backup copy can be used to replace the infected file. Before we do this, however, I will need some more information to ensure that we are not missing anything when we do this fix.

Please run OTL again (you can download it from here if you need to), before clicking Run Scan make sure to type or copy and paste NETSVCS into the Custom Scans/Fixes box, and then click on the Run Scan button to start the scan. Please save the OTL log on your desktop when done, and attach it to a reply.


OK, that log didn't show me what I thought it was going to show me. Let's go ahead and replace that file with the backup copy that ComboFix found, and then see if ComboFix will run normally after that.

Please restart your computer (you may want to print out these instructions first), and immediately after the manufacturer's logo disappears (the one that you see every time you turn on your computer) start gently tapping the F8 key on your keyboard until you see a black screen with a list of options that looks like the screenshot below (you may need to click on the screenshot to see a larger version of it):

Make sure that the Repair Your Computer option is highlighted (use the arrow keys on your keyboard to change which option is highlighted) and then press the Enter key on your keyboard to start the recovery environment.

After Windows loads the recovery environment, you should be presented with a System Recovery Options screen that allows you to select your keyboard layout. If you don't know which one to select, then just click the Next> button.

You will now be asked for the username and password to log in with. Please log in to an account that has administrative rights. If you only have one user account set up on your computer, then go ahead and use it. Windows should have automatically filled in the username for you, and if you don't use a password then just leave the box empty and click OK.

Windows will present you with a list of recovery options. Please click the option for Command Prompt.

In case you are not familiar with the Command Prompt in Windows, it is a program that will allow you to execute commands that you type out. You need to press Enter on your keyboard after you type in a command. Please go ahead and type in C: and then press Enter (this will tell the command prompt to switch to your C: drive).

Now we need to delete the infected system file and replace it with the backup copy. Type in the following command to delete the infected file (making sure to press Enter afterwards):

DEL c:\windows\System32\drivers\tdx.sys

Assuming that there are no errors when attempting to delete that file, please type in the following command to replace it with the backup (making sure to press Enter afterwards):

COPY c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys c:\windows\System32\drivers\tdx.sys

After that, you can close the command prompt by clicking the X button in the upper-right corner, and then restart your computer by clicking the Restart button.

Once your computer is running normally, please download a new version of ComboFix from one of the links below, save it on your desktop, turn off any anti-virus and anti-spyware software that you have installed, and then run ComboFix and get me a new log.


I did as you asked -- booted into recovery console, deleted and copied the file you requested.

After reboot, I no longer have internet access again.

I downloaded Combofix on another computer and loaded it onto the desktop via a USB drive.

I am still getting the popup to install STATUS. I attached a screen print of that. If I click CANCEL it pops up again. Over and over.

I ran Combofix again. It detected zeroaccess and asked to reboot. After reboot, it ran a while and produced a log, which I've attached, as well.


Please download Crysis Aversion Tool from this link (you can run it from your USB flash drive), run it on the computer that is unable to access the Internet, and select the following fixes:

  • Flush DNS Resolver Cache
  • Repair Internet Explorer
  • Reset All Networking Interfaces

After selecting those three fixes, click the Apply Checked Fixes button, and it will tell you the progress in the lower-left corner. When it says that it is complete, you can close Crysis Aversion Tool, and restart your computer. Let me know if that repairs your Internet connection.


Thank you, I have internet access on that system again.

I still have the STATUS.MSI install popup boxes.

There was also a popup box TMController.exe System Error "The program can't start because Hookdll.dll is missing from your computer" I forgot to mention this last time.

I also have something new -- WINDOWS SECURITY ALERT - Windows Firewall has blocked some features of this program ... Akamai Netsession Client

What's the next step?


Please download GMER from this link. Note that the file will have a random name, so make note of the file's name and save it to the root of your C: drive.

  1. Disconnect from the Internet and close all running programs.
  2. Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  3. Click on this link to see a list of programs that should be disabled while running GMER (please try to avoid the advertisements on that page).
  4. Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  5. Allow the driver to load if asked.
  6. You may be prompted to scan immediately if it detects rootkit activity.
  7. If you are prompted to scan your system click "No", save the log and post back the results.
  8. If not prompted, click the "Rootkit/Malware" tab.
  9. On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  10. Select all drives that are connected to your system to be scanned.
  11. Click the Scan button to begin. (Please be patient as it can take some time to complete)
  12. When the scan is finished, click Save to save the scan results to your Desktop.
  13. Save the file as Results.log and please attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply (you may need to ZIP the log by right-clicking on it, going to Send to, and clicking on Compressed (zipped) folder before you can attach it).
  14. Exit the program and re-enable all active protection when done.


That log looks OK. Go ahead and get me a fresh OTL log, and we'll go from there.


There's still some strange services in that log. Please download Farbar Service Scanner, save it on your desktop, and follow the instructions below to get me a log.

  1. Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  2. Press "Scan".
  3. It will create a log (FSS.txt) in the same directory the tool is run from.
  4. Please attach the log to a reply by clicking on the More Reply Options button to the lower-right of where you type your reply.


OK, we should be able to use ComboFix to get rid of some of those broken services. I have written a script that will tell ComboFix how to delete some broken services from your logs. Here are instructions on what to do with the script:

  1. Download an updated version of ComboFix from one of the following links:
    • BleepingComputer
    • InfoSpyware
  2. Turn off your Anti-Virus software.
  3. Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.
  4. Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste):

http://support.emsisoft.com/topic/7520-please-help-with-trojancrypte2/

KillAll::

Driver::
zppinger
zpjava
zpaction
zdeviceservice
ZDCNDIS5
zBackupAssistService
z800obex
yediex
yats32
XilinxPC4Driver
XFX_program
XDva004
xaudioservice
wzcsvc
Wuser32
WUSB54GPV4SRV
WUSB54GCSVC
WPFFontCache_v0400
wpdusb
wmp54gv4svc
WmFilter
WmBEnum
WLAN_USB
wkscfgsrv
WISTechVIDCAP
winvnc4
winpowerrmi
winpower
windowblinds
winachcf
WimFltr
WGX
websenselogserver
websensecommunicationagent
webrootenterpriseclientservice
w810obex
w800obex
w550bus
w39n51
w300bus
vzupsvc
vzfw
vtserver
vserial
vsapint
vrfwsvc
VRcore
VrAcFil
vpn5000service
vncdrv
vmparport
vmodem
vmnetuserif
vmkbd2
vmauthdservice
videX32
Video3D
viaudio
vet-rec
vetmsgnt
vetmonnt
vetfddnt
VCIDRV
VCAM
VAIOMediaPlatform-PhotoServer-HTTP
VAIOMediaPlatform-MusicServer-HTTP
vaiomediaplatform-integratedserver-upnp
USBModem
usbio
USBCamera
usb_rndisx
USB_NDIS_51
UCTblHid
U81xmdfl
U81xbus
U2SP
tvtpktfilter
TUWinStylerThemeSvc
tunnelguardservice
trufos
truecrypt
trioservice
trayman
traprcvr
transarcafsdaemon
tosrfcom
tosporte
tomcatcws3
tng-dtmg
tnbrlds
tmesrv3
tifm
TIEHDUSB
thpsrv
teefer
tdsmapi
tdimsys
TClass2k
tbhsd
syslogd
sysenforce
symsecureport
symlcbrd
SymIMMP
symids
symevent
symc8xx
symappcore
symantecantibotagent
sym_u3
swwd
SWUMX51
SWUMX20
SWNC8U20
SWNC5E00
SWMX00
svv
svcwrsssdk
suservice
surveyor
stylexphelper
stunnel
StkAMini
stirusb
sthda
steamdvr
statusagent
StarOpen
ssscsisv
sr
SQLBrowser
spsslm
sprtsvc_smartagent
spmd
sparrow
sonypvu1
softfax
SNP2STD
snmptrapdservice
SndTDriverV32
snac
SMTPSVC
SMNDIS5
SMCB000
SlWdmSup
slservice
slapd-data52
sisnic
siskp
siside
SiSGbeXP
SiS7018
SIODRV
si3114r
Shockprf
sglfb
SGHIDI
sfusvc) Zd1211u(zydas
sfsync04
sfng32
sfman
sfhlp01
SerTVOutCtlr
ser2plms
SECYPUSB
SeaPort
se59mdfl
se58obex
se58mgmt
se58bus
se44mdm
SE2Emgmt
SE2Emdfl
se2Cunic
SE2Cbus
SE2Bmdm
SE26mdfl
sdhelper
sddmi2
sdcoreservice
screadspool
scdemu
sbservice
SaiU040B
SaiMini
sagefserver
S7oppilx
s616obex
s616mdfl
s125mgmt
s117nd5
s116nd5
rxmssync
RTLE8023xp
RTL8023xp
rtl8023
rt2500usb
rt2500
rsvp
RSAFAL
RR2Ctrl
rpcapd
rollbackclientservice
ROB_V
RMSvc
rmedia
rksample
rkhdrv31
risdptsk
rimsptsk
remotelyanywhere
regsrvc
Rawwan
RAPIProtocol
rapapp
QV2KUX
qserver
ql1240
qconsvc
pxfhbus
pwisvc
PTDCMdm
psdistributionagent
psadd
prtg4service
prodrv06
procexp90
prevxdriver
prevxagent
PQNTDrv
pmsveh
pmj151la
pinetmgr
PhilCam8116
pgsql-8.0
pepifilter
pensup
penrendezvous
pdlnepkt
pdlnebas
pdlndldl
pdiddcci
pcx1unic
pctoolsfirewallplus
PCTINDIS5
pclepci
pca
pav_service
passthru
papyjoy
papycpu2
Packet
p2pgasvc
P16X
ossrv
OsaFsLoc
oraclesnmppeermasteragent
oracleservicelocalora
oracleorahomepagingserver
oracleorahomedatagatherer
oraclemtsrecoveryservice
oracleformsserver-forms60server-oraform
oracledbconsoleorcl
openvpnservice
ooclevercacheagent
olapserver
odysseyIM4
odysseyIM3
NWSNS
NWFILTER
NWDNS
NVXBAR
NVTCP
nvstor64
nvport
nvnetbus
nvgts
nvatabus
nvata
nv4
nuvaud2
ntuneservice
ntlmssp
nscservice
NPPTNT
npkcusb
npkcsvc
npfmntor
npapimon
nod32krn
nmwcdcj
nmap
nidomainservice
NICSer_WPC300N
ni_nic
nhcDriverDevice
ngserver
ngdbserv
netw4x32
NETw3x32
netsvc
neokdss
NCPro
navapel
navap
mysqlinventime
MxlW2k
MTsensor
mssql$microsoftsmlbiz
MSSQL$AUTODESKVAULT
mskservice
msi_wlan_service
msgsrvservice
MSFWDrv
MSCamSvc
mrobeservice
MRESP50a64
MRESP50
mraid35x
mqdmmdm
MQAC
mps9
MpFilter
mmc_2K
mhn
mgabg
mdmxsdk
mdm
mcvsrte
mcusrmgr
mcproxy
mcontrol
mcmscsvc
mclogmanagerservice
maxbackserviceint
MaVctrl
MaRdPnp
mail2ec
MagicTune
mafwboot
macformatservice
MA8032U
MA8032M
lxdm_device
lxcz_device
lxcg_device
lxcf_device
lxcc_device
lxby_device
lxbx_device
lvsrvlauncher
lvpr2mon
lvmvdrv
lvckap
LVBulk
lpx
lp6nds35
logmein
lockmgr
LMS
LMouKE
LMouFilt
LMIRfsDriver
lmimaint
lktimesync
LHidFilt
lcs
lbrtfdc
L1e
Ktp
KS0108
KMW_KBD
kmixer
KLOGNT
kbfiltr
k750obex
jsdaemon
JiaoIO
JiaoCap
jaguar
iwebcal
IWCA
ithsgt
iteatapi
itchfltr
issvc
issm
iSMBIOS
isapisearch
ipssvc
ipsraidn
IPSECSHM
IPFilter
ipcsvc
iPassPeriodicUpdateService
iPassPeriodicUpdateApp
ip6fw
Invoker
IntelC52
inport
ino_flpy
infrastructure
incdsrv
incdrm
incdpass
imap4d32
iksyssec
IJPLMSVC
igateway
iftpsvc
IFP700
idisw2km
icollectservice
ibmcicstransactiongateway
IASJet
iap
iam
iAimTV6
iAimTV5
iaimtv1
iAimFP7
i81x
i2omp
hwpsgt
hwdatacard
hsxhwazl
HPFECP20
hpci
houdinilicenseserver
hidgame
hf30service
hcwPVRP2
hap17v2k
GVCplDrv
gotomypc
GoToAssist
GoogleDesktopManager-010708-104812
GoBack2K
giveio
ghaio
gdrv
GBDevice
FVXSCSI
ftpds
FreeTdi
freepops
freebsd
forcewarewebinterface
fix
FirePM
firelm01
fips
filterservice
filemon701
filechecker
FETNDIS
fa_scheduler
Exportit
EU3_USB
epoxusdm
eloggersvc6
elockservice
elnkupdateservice
eamon
eabfiltr
DynDNS_Updater_Service
dvpapi
dsproct
dsbrokerservice
drvnddm
drvmcdb
dntus26
dnsexit
dmio
d-link_st3402
DLH5X
dlbu_device
dlaudfam
digictrl
DeviceScanner
Defrag32b
deckzpsx
dcstor32
dcpflics
DCamUSBMke2
DCamUSBGrandTek
DCamUSBDXGTech
dbmang
db2jds
CXAVXBAR
cwafreportscheduler
cusrvc
ctxcpuusync
ctprxy2k
CTEXFIFX.DLL
CTEDSPSY.DLL
ctdvda2k
ctaud2k
cpqnicmgmt
cpqfcalm
cportclm
COMMONFX.DLL
com0com
cmdagent
clr_optimization_v2.0.50215_32
citrixxteserver
cicsclient
centennialclientagent
CDRPDACC
cdr4_xp
cdr4_2k
cdmservice
c-dillasrv
CdaD10BA
CdaC15BA
ccsetmgr
ccalib8
cavasm
ca-messagequeuing
CAMCHALA
CAMCAUD
Cam5603C
caisafe
cachemgr
caccprovsp
CA561
bwsvc
bwmservice
btwrchid
btwmodem
btnhnd
btnetfilter
bt3cser
BsHelpCS
BRCMDECO
botcbs
blueservice
blueletaudio
bh611
bgsvcgen
beatjamupnpmusicserver
bdselfpr
bdfdll
bcftdi
bantext
backupexecrpcservice
backupexecagentaccelerator
axsnmsvc
avp
avgtdi
avgfwsrv
avgclean
avg7updsvc
AVerBDA
ATSWPDRV
atmeltpm
atkkeyboardservice
atkdisplf
ativraxx
atinrvxx
atikmdag
ATIBTCAP
ati
atfsd
atdisk
AtcL002
atchksrv
asuskeyboardservice
aslm75
artourservice
arp1394
Appn
APLMp50
antivirservice
amon
AmdLLD
ALYac_PZSrv
Alpham1
AlKernel
aliadwdm
alcxsens
alcan5wn
akshhl
aic78u2
agpcpq
agnwifi
agentsrv
AFGSp50
aexnsclienttransport
aec
aeaudio
ADSMService
adobeversioncue
adobeactivefilemonitor5.0
acsvc
ac97intc
abp480n5
a8djavs
A88xEnc
a016obex
a016mdfl
{a7447300-8075-4b0d-83f1-3d75c8ebc623}
{85ccb53b-23d8-4e73-b1b7-9ddb71827d9b}

NetSvc::
zppinger
zpjava
zpaction
zdeviceservice
ZDCNDIS5
zBackupAssistService
z800obex
yediex
yats32
XilinxPC4Driver
XFX_program
XDva004
xaudioservice
wzcsvc
Wuser32
WUSB54GPV4SRV
WUSB54GCSVC
WPFFontCache_v0400
wpdusb
wmp54gv4svc
WmFilter
WmBEnum
WLAN_USB
wkscfgsrv
WISTechVIDCAP
winvnc4
winpowerrmi
winpower
windowblinds
winachcf
WimFltr
WGX
websenselogserver
websensecommunicationagent
webrootenterpriseclientservice
w810obex
w800obex
w550bus
w39n51
w300bus
vzupsvc
vzfw
vtserver
vserial
vsapint
vrfwsvc
VRcore
VrAcFil
vpn5000service
vncdrv
vmparport
vmodem
vmnetuserif
vmkbd2
vmauthdservice
videX32
Video3D
viaudio
vet-rec
vetmsgnt
vetmonnt
vetfddnt
VCIDRV
VCAM
VAIOMediaPlatform-PhotoServer-HTTP
VAIOMediaPlatform-MusicServer-HTTP
vaiomediaplatform-integratedserver-upnp
USBModem
usbio
USBCamera
usb_rndisx
USB_NDIS_51
UCTblHid
U81xmdfl
U81xbus
U2SP
tvtpktfilter
TUWinStylerThemeSvc
tunnelguardservice
trufos
truecrypt
trioservice
trayman
traprcvr
transarcafsdaemon
tosrfcom
tosporte
tomcatcws3
tng-dtmg
tnbrlds
tmesrv3
tifm
TIEHDUSB
thpsrv
teefer
tdsmapi
tdimsys
TClass2k
tbhsd
syslogd
sysenforce
symsecureport
symlcbrd
SymIMMP
symids
symevent
symc8xx
symappcore
symantecantibotagent
sym_u3
swwd
SWUMX51
SWUMX20
SWNC8U20
SWNC5E00
SWMX00
svv
svcwrsssdk
suservice
surveyor
stylexphelper
stunnel
StkAMini
stirusb
sthda
steamdvr
statusagent
StarOpen
ssscsisv
sr
SQLBrowser
spsslm
sprtsvc_smartagent
spmd
sparrow
sonypvu1
softfax
SNP2STD
snmptrapdservice
SndTDriverV32
snac
SMTPSVC
SMNDIS5
SMCB000
SlWdmSup
slservice
slapd-data52
sisnic
siskp
siside
SiSGbeXP
SiS7018
SIODRV
si3114r
Shockprf
sglfb
SGHIDI
sfusvc) Zd1211u(zydas
sfsync04
sfng32
sfman
sfhlp01
SerTVOutCtlr
ser2plms
SECYPUSB
SeaPort
se59mdfl
se58obex
se58mgmt
se58bus
se44mdm
SE2Emgmt
SE2Emdfl
se2Cunic
SE2Cbus
SE2Bmdm
SE26mdfl
sdhelper
sddmi2
sdcoreservice
screadspool
scdemu
sbservice
SaiU040B
SaiMini
sagefserver
S7oppilx
s616obex
s616mdfl
s125mgmt
s117nd5
s116nd5
rxmssync
RTLE8023xp
RTL8023xp
rtl8023
rt2500usb
rt2500
rsvp
RSAFAL
RR2Ctrl
rpcapd
rollbackclientservice
ROB_V
RMSvc
rmedia
rksample
rkhdrv31
risdptsk
rimsptsk
remotelyanywhere
regsrvc
Rawwan
RAPIProtocol
rapapp
QV2KUX
qserver
ql1240
qconsvc
pxfhbus
pwisvc
PTDCMdm
psdistributionagent
psadd
prtg4service
prodrv06
procexp90
prevxdriver
prevxagent
PQNTDrv
pmsveh
pmj151la
pinetmgr
PhilCam8116
pgsql-8.0
pepifilter
pensup
penrendezvous
pdlnepkt
pdlnebas
pdlndldl
pdiddcci
pcx1unic
pctoolsfirewallplus
PCTINDIS5
pclepci
pca
pav_service
passthru
papyjoy
papycpu2
Packet
p2pgasvc
P16X
ossrv
OsaFsLoc
oraclesnmppeermasteragent
oracleservicelocalora
oracleorahomepagingserver
oracleorahomedatagatherer
oraclemtsrecoveryservice
oracleformsserver-forms60server-oraform
oracledbconsoleorcl
openvpnservice
ooclevercacheagent
olapserver
odysseyIM4
odysseyIM3
NWSNS
NWFILTER
NWDNS
NVXBAR
NVTCP
nvstor64
nvport
nvnetbus
nvgts
nvatabus
nvata
nv4
nuvaud2
ntuneservice
ntlmssp
nscservice
NPPTNT
npkcusb
npkcsvc
npfmntor
npapimon
nod32krn
nmwcdcj
nmap
nidomainservice
NICSer_WPC300N
ni_nic
nhcDriverDevice
ngserver
ngdbserv
netw4x32
NETw3x32
netsvc
neokdss
NCPro
navapel
navap
mysqlinventime
MxlW2k
MTsensor
mssql$microsoftsmlbiz
MSSQL$AUTODESKVAULT
mskservice
msi_wlan_service
msgsrvservice
MSFWDrv
MSCamSvc
mrobeservice
MRESP50a64
MRESP50
mraid35x
mqdmmdm
MQAC
mps9
MpFilter
mmc_2K
mhn
mgabg
mdmxsdk
mdm
mcvsrte
mcusrmgr
mcproxy
mcontrol
mcmscsvc
mclogmanagerservice
maxbackserviceint
MaVctrl
MaRdPnp
mail2ec
MagicTune
mafwboot
macformatservice
MA8032U
MA8032M
lxdm_device
lxcz_device
lxcg_device
lxcf_device
lxcc_device
lxby_device
lxbx_device
lvsrvlauncher
lvpr2mon
lvmvdrv
lvckap
LVBulk
lpx
lp6nds35
logmein
lockmgr
LMS
LMouKE
LMouFilt
LMIRfsDriver
lmimaint
lktimesync
LHidFilt
lcs
lbrtfdc
L1e
Ktp
KS0108
KMW_KBD
kmixer
KLOGNT
kbfiltr
k750obex
jsdaemon
JiaoIO
JiaoCap
jaguar
iwebcal
IWCA
ithsgt
iteatapi
itchfltr
issvc
issm
iSMBIOS
isapisearch
ipssvc
ipsraidn
IPSECSHM
IPFilter
ipcsvc
iPassPeriodicUpdateService
iPassPeriodicUpdateApp
ip6fw
Invoker
IntelC52
inport
ino_flpy
infrastructure
incdsrv
incdrm
incdpass
imap4d32
iksyssec
IJPLMSVC
igateway
iftpsvc
IFP700
idisw2km
icollectservice
ibmcicstransactiongateway
IASJet
iap
iam
iAimTV6
iAimTV5
iaimtv1
iAimFP7
i81x
i2omp
hwpsgt
hwdatacard
hsxhwazl
HPFECP20
hpci
houdinilicenseserver
hidgame
hf30service
hcwPVRP2
hap17v2k
GVCplDrv
gotomypc
GoToAssist
GoogleDesktopManager-010708-104812
GoBack2K
giveio
ghaio
gdrv
GBDevice
FVXSCSI
ftpds
FreeTdi
freepops
freebsd
forcewarewebinterface
fix
FirePM
firelm01
fips
filterservice
filemon701
filechecker
FETNDIS
fa_scheduler
Exportit
EU3_USB
epoxusdm
eloggersvc6
elockservice
elnkupdateservice
eamon
eabfiltr
DynDNS_Updater_Service
dvpapi
dsproct
dsbrokerservice
drvnddm
drvmcdb
dntus26
dnsexit
dmio
d-link_st3402
DLH5X
dlbu_device
dlaudfam
digictrl
DeviceScanner
Defrag32b
deckzpsx
dcstor32
dcpflics
DCamUSBMke2
DCamUSBGrandTek
DCamUSBDXGTech
dbmang
db2jds
CXAVXBAR
cwafreportscheduler
cusrvc
ctxcpuusync
ctprxy2k
CTEXFIFX.DLL
CTEDSPSY.DLL
ctdvda2k
ctaud2k
cpqnicmgmt
cpqfcalm
cportclm
COMMONFX.DLL
com0com
cmdagent
clr_optimization_v2.0.50215_32
citrixxteserver
cicsclient
centennialclientagent
CDRPDACC
cdr4_xp
cdr4_2k
cdmservice
c-dillasrv
CdaD10BA
CdaC15BA
ccsetmgr
ccalib8
cavasm
ca-messagequeuing
CAMCHALA
CAMCAUD
Cam5603C
caisafe
cachemgr
caccprovsp
CA561
bwsvc
bwmservice
btwrchid
btwmodem
btnhnd
btnetfilter
bt3cser
BsHelpCS
BRCMDECO
botcbs
blueservice
blueletaudio
bh611
bgsvcgen
beatjamupnpmusicserver
bdselfpr
bdfdll
bcftdi
bantext
backupexecrpcservice
backupexecagentaccelerator
axsnmsvc
avp
avgtdi
avgfwsrv
avgclean
avg7updsvc
AVerBDA
ATSWPDRV
atmeltpm
atkkeyboardservice
atkdisplf
ativraxx
atinrvxx
atikmdag
ATIBTCAP
ati
atfsd
atdisk
AtcL002
atchksrv
asuskeyboardservice
aslm75
artourservice
arp1394
Appn
APLMp50
antivirservice
amon
AmdLLD
ALYac_PZSrv
Alpham1
AlKernel
aliadwdm
alcxsens
alcan5wn
akshhl
aic78u2
agpcpq
agnwifi
agentsrv
AFGSp50
aexnsclienttransport
aec
aeaudio
ADSMService
adobeversioncue
adobeactivefilemonitor5.0
acsvc
ac97intc
abp480n5
a8djavs
A88xEnc
a016obex
a016mdfl
{a7447300-8075-4b0d-83f1-3d75c8ebc623}
{85ccb53b-23d8-4e73-b1b7-9ddb71827d9b}

  5. Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).
  6. Close Notepad and verify that the CFScript file is saved on your desktop.
  7. Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then, holding the mouse button down, drag the CFScript icon onto the ComboFix icon and drop it (let go of the mouse button) on top of the ComboFix icon:

CFScriptB-4.gif

When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.


OK, it looks like we still need to fix some services, so here is another script, with instructions on what to do with it:

  1. Download an updated version of ComboFix from one of the following links:
    • BleepingComputer
    • InfoSpyware
  2. Turn off your Anti-Virus software.
  3. Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.
  4. Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste):


KillAll::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):36,74,6f,34,00,41,70,70,4d,67,6d,74,00,41,75,64,69,6f,53,72,\
 76,00,42,72,6f,77,73,65,72,00,43,72,79,70,74,53,76,63,00,44,4d,53,65,72,76,\
 65,72,00,44,48,43,50,00,45,52,53,76,63,00,45,76,65,6e,74,53,79,73,74,65,6d,\
 00,46,61,73,74,55,73,65,72,53,77,69,74,63,68,69,6e,67,43,6f,6d,70,61,74,69,\
 62,69,6c,69,74,79,00,48,69,64,53,65,72,76,00,49,61,73,00,49,70,72,69,70,00,\
 49,72,6d,6f,6e,00,4c,61,6e,6d,61,6e,53,65,72,76,65,72,00,4c,61,6e,6d,61,6e,\
 57,6f,72,6b,73,74,61,74,69,6f,6e,00,4d,65,73,73,65,6e,67,65,72,00,4e,65,74,\
 6d,61,6e,00,4e,6c,61,00,4e,74,6d,73,73,76,63,00,4e,57,43,57,6f,72,6b,73,74,\
 61,74,69,6f,6e,00,4e,77,73,61,70,61,67,65,6e,74,00,52,61,73,61,75,74,6f,00,\
 52,61,73,6d,61,6e,00,52,65,6d,6f,74,65,61,63,63,65,73,73,00,53,63,68,65,64,\
 75,6c,65,00,53,65,63,6c,6f,67,6f,6e,00,53,45,4e,53,00,53,68,61,72,65,64,61,\
 63,63,65,73,73,00,53,52,53,65,72,76,69,63,65,00,54,61,70,69,73,72,76,00,54,\
 68,65,6d,65,73,00,54,72,6b,57,6b,73,00,57,33,32,54,69,6d,65,00,57,5a,43,53,\
 56,43,00,57,6d,69,00,57,6d,64,6d,50,6d,53,70,00,77,69,6e,6d,67,6d,74,00,77,\
 73,63,73,76,63,00,78,6d,6c,70,72,6f,76,00,6e,61,70,61,67,65,6e,74,00,68,6b,\
 6d,73,76,63,00,42,49,54,53,00,77,75,61,75,73,65,72,76,00,53,68,65,6c,6c,48,\
 57,44,65,74,65,63,74,69,6f,6e,00,68,65,6c,70,73,76,63,00,57,6d,64,6d,50,6d,\
 53,4e,00,00

  • Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).

  • Close Notepad and verify that the CFScript file is saved on your desktop.

  • Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:

CFScriptB-4.gif

When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.


Lost Desktop, Lost internet access and have Hookdll.dll missing popup. Attaching Combofix.txt and picture of "desktop" via USB drive on another machine.

Just caught window in bottom right saying Failed to Connect to Group Policy Client service.


I'm sorry, that's my fault. I exported the NetSvcs from Windows XP, and you're using Windows 7. Here's the proper script and instructions for Windows 7:

  • Download an updated version of ComboFix from one of the following links:
    • BleepingComputer
    • InfoSpyware

  • Turn off your Anti-Virus software.

  • Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.

  • Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste):

http://support.emsisoft.com/topic/7520-please-help-with-trojancrypte2/

KillAll::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):41,65,4c,6f,6f,6b,75,70,53,76,63,00,43,65,72,74,50,72,6f,70,\
 53,76,63,00,53,43,50,6f,6c,69,63,79,53,76,63,00,6c,61,6e,6d,61,6e,73,65,72,\
 76,65,72,00,67,70,73,76,63,00,49,4b,45,45,58,54,00,41,75,64,69,6f,53,72,76,\
 00,46,61,73,74,55,73,65,72,53,77,69,74,63,68,69,6e,67,43,6f,6d,70,61,74,69,\
 62,69,6c,69,74,79,00,49,61,73,00,49,72,6d,6f,6e,00,4e,6c,61,00,4e,74,6d,73,\
 73,76,63,00,4e,57,43,57,6f,72,6b,73,74,61,74,69,6f,6e,00,4e,77,73,61,70,61,\
 67,65,6e,74,00,52,61,73,61,75,74,6f,00,52,61,73,6d,61,6e,00,52,65,6d,6f,74,\
 65,61,63,63,65,73,73,00,53,45,4e,53,00,53,68,61,72,65,64,61,63,63,65,73,73,\
 00,53,52,53,65,72,76,69,63,65,00,54,61,70,69,73,72,76,00,57,6d,69,00,57,6d,\
 64,6d,50,6d,53,70,00,54,65,72,6d,53,65,72,76,69,63,65,00,77,75,61,75,73,65,\
 72,76,00,42,49,54,53,00,53,68,65,6c,6c,48,57,44,65,74,65,63,74,69,6f,6e,00,\
 4c,6f,67,6f,6e,48,6f,75,72,73,00,50,43,41,75,64,69,74,00,68,65,6c,70,73,76,\
 63,00,75,70,6c,6f,61,64,6d,67,72,00,69,70,68,6c,70,73,76,63,00,73,65,63,6c,\
 6f,67,6f,6e,00,41,70,70,49,6e,66,6f,00,6d,73,69,73,63,73,69,00,4d,4d,43,53,\
 53,00,77,65,72,63,70,6c,73,75,70,70,6f,72,74,00,45,61,70,48,6f,73,74,00,50,\
 72,6f,66,53,76,63,00,73,63,68,65,64,75,6c,65,00,68,6b,6d,73,76,63,00,53,65,\
 73,73,69,6f,6e,45,6e,76,00,77,69,6e,6d,67,6d,74,00,62,72,6f,77,73,65,72,00,\
 54,68,65,6d,65,73,00,42,44,45,53,56,43,00,41,70,70,4d,67,6d,74,00,00

  • Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).

  • Close Notepad and verify that the CFScript file is saved on your desktop.

  • Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:

CFScriptB-4.gif

When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.
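Before dropping a script like the two above onto ComboFix, it is worth decoding what the "netsvcs" value will actually be set to. The following Python is an added example (not from the thread, and not ComboFix's own code) that decodes a hex(7) REG_MULTI_SZ value, with its .reg-style line continuations, and lists which services one export lacks compared with another; the two samples are constructed from only the first entries of the XP and Windows 7 values quoted above.

```python
import re

# Constructed sample: the first three entries of the Windows XP netsvcs
# value quoted in the thread, in the same .reg/CFScript layout.
XP_SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):36,74,6f,34,00,41,70,70,4d,67,6d,74,00,41,75,64,69,6f,53,72,\
 76,00,00
'''
# Constructed sample: the first entries of the Windows 7 value, incl. gpsvc.
WIN7_SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):41,65,4c,6f,6f,6b,75,70,53,76,63,00,43,65,72,74,50,72,6f,70,\
 53,76,63,00,53,43,50,6f,6c,69,63,79,53,76,63,00,67,70,73,76,63,00,00
'''


def decode_hex7(reg_text, value_name="netsvcs"):
    """Return the strings of a REG_MULTI_SZ (hex(7)) value; the thread's values
    are one byte per character, a regedit export is UTF-16LE (handled too)."""
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)   # glue continued lines
    pattern = r'"%s"=hex\(7\):([0-9a-fA-F,]+)' % re.escape(value_name)
    m = re.search(pattern, joined)
    if m is None:
        raise ValueError("value %r not found" % value_name)
    raw = bytes(int(h, 16) for h in m.group(1).split(",") if h)
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le")      # every second byte 00: UTF-16LE
    else:
        text = raw.decode("latin-1")        # one byte per character, as above
    names = []
    for name in text.split("\x00"):
        if name == "":   # the empty string (double NUL) ends the list
            break
        names.append(name)
    return names


def missing_services(old_list, new_list):
    """Names in new_list absent from old_list (service names are case-insensitive)."""
    have = {n.lower() for n in old_list}
    return [n for n in new_list if n.lower() not in have]


if __name__ == "__main__":
    xp, win7 = decode_hex7(XP_SAMPLE), decode_hex7(WIN7_SAMPLE)
    # gpsvc (Group Policy Client) is absent from the XP export, which matches
    # the "Failed to Connect to Group Policy Client service" message above.
    print("XP:", xp, "\nWin7:", win7, "\nmissing:", missing_services(xp, win7))
```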


OK, that log is looking much better. ;)

Let me know if your computer is still showing any signs of an infection, and if you are still seeing that weird installer thing on startup then get me a fresh OTL log.


Hello, Arthur.

Things appear to be ok. I reinstalled AVG and ran a full scan. It found one file it didn't like (C:\Windows\winsxs\x86_...\afd.sys, which it said was a "Trojan horse PSW.Agent.ASTO") and it quarantined it. I rebooted and reran the full scan a few hours later and nothing shows up. I'm hoping this means everything is clean.

I deleted all the recent backups and took a couple full-system backups. All seems well.

To fix the unable to find "Status.msi" problem, I reinstalled the HP Printer software. That problem has cleared up.

To fix the missing "hookdll.dll" problem, I uninstalled TMMonitor. I will finish fixing this later.

Repeated boots seem clean now.

I believe the computer was infected some time ago. The system had anti-virus (McAfee) at the time, but it was silently quarantining the viruses. I found 80,000+ McAfee quarantined entries when I was cleaning up files this week.

I gave the user of the computer a rather stern and lengthy lecture about NOT EVER disabling anti-virus, even if it is taking a lot of the processor. This is where things probably went bad -- during the times the user had shut anti-virus off. Having to do without the computer a few days reinforced my argument to the user that disabling anti-virus leads to severe consequences.

When we recently switched to AVG, I believe it was already too late.

Arthur, I appreciate your assistance in getting rid of all the problems. Thank you!


You're quite welcome. ;)

Here's some final instructions for you:

1. Make Sure Java is Updated:

  1. Click on the Start button.

  2. Click on Control Panel.

  3. Click Uninstall a program.

  4. Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed.

  5. Click on this link and download and install the latest Java (the Windows Online download will be faster).

2. Make Sure Adobe Flash is Updated:

  1. Click on this link and download the latest version of Adobe Flash Player for your web browser.

  2. You will need to close your web browser when installing Flash.

3. Make Sure Adobe Acrobat Reader is Updated:

  1. Click on the Start button.

  2. Click on Control Panel.

  3. Click Uninstall a program.

  4. Look for any versions of Adobe Reader or Adobe Acrobat Reader in the list (should be alphabetical), and uninstall all of them (if you have Adobe Acrobat, which is the premium software from Adobe, then you do not need to uninstall it).

  5. Click on this link to go to the Adobe Reader download page, make sure to unselect any offers for toolbars or other free software, and download and install the latest version of Adobe Reader.

(please note that some people do prefer to use third-party PDF viewers such as PDF X-Change Viewer and Foxit Reader which are not as commonly exploited as Adobe Reader, so if you would prefer to use one of those then you do not need to download and install Adobe Reader)

4. Make Sure Your Computer Has The Latest Windows Updates:

  1. Click on the Start button.

  2. Go to All Programs.

  3. Click on Windows Update.

  4. Click Check for updates in the menu on the left (should be near the top).

  5. Once it is done checking for updates, click the Install updates button on the right.

  6. Make sure that if your computer wants to restart after the updates are done, that you allow it to do so.

5. Web Of Trust Extension:

While this is not a requirement, I highly recommend that you click this link and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc. as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database.

6. Empty The System Restore:

  1. Click on the Start button.

  2. Right-click on Computer.

  3. Select Properties from the list.

  4. In the window that pops up, click on the System protection link in the menu on the left.

  5. The buttons may not be clickable for a few moments, but once you can click on them select the drive in the list near the bottom that shows protection is on (this will usually be your C: drive) and click the Configure... button.

  6. Click the button near the bottom-right that says Delete to clear all System Restore data.

  7. Once finished, click OK to close that window.

  8. Now you will want to make sure that the correct drive is selected again (usually your C: drive) and click on the Create button to create a new restore point.

  9. Fill in a name for the restore point, and click the Create button.

  10. Once it is done, you can close the windows that were opened to get to the System Restore settings.


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.

This topic is now closed to further replies.
