PhilliePhan 171 Central Scrutinizer Team Colleague

Apparently "Firefox can't find the server at www.malwarebytes.org." Same result with IE and Opera.

I get the same error on my laptop.

That's a bit worrisome - you may have some malware on the lappy, too.....

See if you can access it via Majorgeeks:
http://majorgeeks.com/Malwarebytes_Anti-Malware_Database_d6025.html

PP :)

EDIT:
Maybe a run of MBAM on laptop is warranted?

PhilliePhan 171 Central Scrutinizer Team Colleague

I did figure it was sport-related, though I didn't know it was baseball :icon_razz:.

I can't update MBAM, it just gives me an error (code 732 (0,0)). I tried to download a new db from the link provided, but it gives me a 404 error. I'm stuck with version 2775. Should I run it anyway?

Download http://www.malwarebytes.org/mbam/database/mbam-rules.exe

Run mbam-rules.exe - I'm not sure what database it will be, but definitely more recent than 2775.
Then try MBAM and let's see what it removes.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey again. Apologies it took me so long to get back to you; been busy as hell yesterday evening and this morning.

No worries - we all have "real lives" to contend with. :)
I am going to be pretty busy with typical fall chores this weekend + watching sports (don't know if PhilliePhan would give that away across the pond....)

Let's try MBAM
-- Run your MBAM and click the Update tab.
You should at least have Database Version 3027
--Then, run the Full Scan and post me the log. Be sure to have it fix what it finds and go ahead and Reboot when it finishes.

Let's see where that leaves us. Hang in there - I think we are almost to the finish line....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, downloaded it to the infected computer and ran it again. I have full access to everything but wanna be sure that the virus is gone. Here is the second log you asked for.

There are still a lot of baddies showing that combofix will normally remove.
It appears you did not install the recovery console or disable Anti-virus as directed in the "how to run combofix" link.

This is a particularly nasty malware - you really need to do everything exactly and precisely. And, even then, it is sometimes not enough.

Keep the ill computer offline until I can work up the next step - busy weekend ahead of me, but will try to have it posted sometime this evening.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Combo-fix finally ran. Here is the log; let me know if I'm OK, or if there is still a problem. I am posting this from the infected comp, lol, so I have made some progress.

Running from: K:\Combo-Fix.exe


There is still a lot to be done - You made some good progress, though.

-- Looks like you ran combofix from the flash drive. That's fine, but now we need to download a fresh copy to the Desktop of ill machine. I'm just going to copy&paste my standard instructions:

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Post me that log and we'll go from there.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

So it wont start up at all. I don't know what to do at this point

-- Does it power up at all?
-- Are you able to burn a couple CDs on another computer?
We can use them to "get in and look around," assuming the machine powers up.
-- Do you have a lot of important data on the ill machine that you need to get back?
-- Do you have your Windows Disk?

Let me know and we'll go from there.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

No, I didn't touch it, it just hasn't moved. Same situation, 8 hours later.

Bloody hell.

I suppose it would be too much to ask for something to go right just once to make things easy on us...... Somebody is laughing at us.

I guess we'll have to power off and reboot. Then try the last step again complete with a fresh download of combofix.
--Rename combofix again at download as you did before to combo-fix, just to cover that base.

Let me know how that shakes out. I won't have another break for a few hours. Will check back then.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

It's a fairly new unit; bought it a year ago with XP on it. I'm not sure how it did it. It won't let me access any QuickBooks files or any valuable info. It eliminated my lower taskbar so I cannot access My Computer or Control Panel. Seems like any exe files will not run???


See if you can do this really quickly:

Download FindWPP.zip and RightClick on FindWPP.zip and Extract the FindWPP folder to your Desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

It went through all its usual motions, started the scan, then... just stopped. I've been sitting at "Complete Stage_2" for the best part of half an hour, with no sign of life from the box itself, and I'm not sure what to do.

If you didn't touch it or do anything to cause it to stall, then just let it keep running. Overnight if you have to....
If it still hasn't completed, then we'll address that. Sometimes this will happen with some tougher malware, though given the previous runs there may indeed be a stall.
Let's just be patient and see what happens.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm thinking I'll probably reformat once the computer is safe enough for me to lift my files off anyway. I've never done it before though, it should be interesting :-P.

OK - Let me know if you are definitely going to do that.
Otherwise there are a ton of other things we would need to do: your outdated Java and others, security programs, that error on boot (BIOS not found - probably your Promise hard drive controller), etc...

A reformat would render all that moot. Let me know & I can help you with that if you need it. Be sure you can find that Windows disk.
Also, you can use imgburn to burn an ISO of SP3 . . .. Guess you'll cross that bridge when you get to it.

OK - back to the problem at hand:

-- c:\program files\Mail.Ru -- You installed and use this? Just checking.


-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.

And . . . We'll go from there :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Here is the entire log from the Win32Diag. Don't laugh, lol.

Not laughing - that is actually good.

Delete your copy of combofix and download a fresh one and see if it runs. Maybe the last DL really was corrupted?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I came across this on one of the laptops that I have to support, and after multiple scans with different software, and about a half day's worth of work, my only option was to back up the user's data, and recreate the system from an image that we have archived.

Lucky for me there was very little user data, which was scanned before installing on the new image.

Yup - that is usually the best option.
Unfortunately, it is unavailable to many because they fail to regularly back up important data and/or have no copy of Windows for re-install.
The big manufacturers not including Windows Disks with their machines ticks me off!
How many users actually burn recovery disks? I can tell you: too few!

/End Rant :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok, that worked! Posting from the ill machine now.
Here's my new combofix log:

Great!

There is still some malware showing that we need to address - I will post something for you as soon as I can - probably won't be for a few hours as I am tied up at the moment.

A few things while I work that up:
-- Keep the ill machine offline

-- Disable SpyBotSD Tea Timer
http://russelltexas.com/malware/teatimer.htm

-- Remove ALL P2P stuff, at least until we are finished. I generally don't lecture about this - If you want more info on the ever increasing danger of P2P, I'll be happy to provide it. I will say that 90% of the machines I see infected with WPP or a variant have multiple P2P apps.....
Uninstall or, at the very least, disable:

Program Files\LimeWire
Program Files\BitTorrent
Program Files\DNA
Program Files\KCeasy

I'll post the next fix as soon as I can.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

You ever get that feeling like that somewhere someone is laughing at you? :/

All the time :)

Let's do this:
At the command prompt type: netsh int ip reset c:\resetlog.txt ENTER

Then type: netsh winsock reset ENTER

Then, Reboot and see if that works. If so, try combofix and recovery console again.

-- I can't remember if you said you have Windows Disk, but you can install recovery console from that, too.....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Have to go pick up the ole lady from work. I'll be back in a while.

No worries - heading out for a bit myself.

-- The win32kdiag log will say "Finished!" at the bottom if it completed.
If not, run it again - let it run while you are away. Should be plenty of time.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Win32kDiag ran, but didn't list anything; it just said "warning: could not get backup privileges", and dragging and dropping onto Inherit did nothing at all.

It takes a while to run - Try it again.

Let it run until it says "Finished. Press any key . . . ."
The log will be on the desktop.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok, this is my MBAM log, post-reboot. I can't get back online on my tower, though.

OK - MBAM did not remove much of what was showing in last combofix log.

See if you can restore internet with the steps at bottom of the Combofix linky:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix#manual_recovery

There is also info on manually installing recovery console - try that if still no internet.

Let me know if you run into trouble.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, I'll try that. lol, told ya this was bad.

I've seen a lot of this baddie - It comes in different flavors and different degrees of difficulty.
Most of the compys I see this on have a lot of P2P apps.....

PhilliePhan 171 Central Scrutinizer Team Colleague

Nope, I get a message saying registry editing has been disabled by the administrator. This is making me feel dumb.

This is the worst malware I've seen in 6+ years of volunteering in forums . . . and I've seen some doozies!

-- Were you able to extract the FindWPP folder from the ZIP?
If so:
Click START > Run > type command.com to open the command prompt and then type:

cd %userprofile%\desktop\FindWPP ENTER
then type
RunThis.bat ENTER


If that doesn't work:
Click START > Run > type command.com to open the command prompt and then type:

cd %userprofile%\desktop ENTER
then type
Win32kDiag.exe ENTER

If that runs, allow it to run until it finishes (it will say "finished")
Post the log.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

If no joy with any of the above, move Inherit.exe from your flash drive to the Desktop.
Then, drag and drop Win32kDiag.exe onto Inherit.exe on the desktop. After a few seconds, a dialog box should pop up saying "OK".
If that works, try to run Win32kDiag.exe again.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Now it says the installation files for combofix are corrupted. I cannot get it to install at all.

OK - let's try something else for the time being:
RightClick on FindWPP.ZIP and Extract the FindWPP folder from the ZIP to the desktop.
In the FindWPP folder you'll find RunThis.bat
Run it and post me the log.

With any luck, that will work ok...

PhilliePhan 171 Central Scrutinizer Team Colleague

Says combo-fix.exe is not a recognizable command.

Is combo-fix.exe on the desktop? You did rename it and it is not combofix (w/out dash)?

Click START > Run > type command.com to open the command prompt and then type:

cd %userprofile%\desktop ENTER
then type
combo-fix.exe /KillAll ENTER (or combofix.exe if not renamed)

It should run - let me know.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Just tried to get it started in safe mode , but I got the blue screen.

This is a different wrinkle.

Power it off and let it sit for 5 min and then see if it will boot normally.

PhilliePhan 171 Central Scrutinizer Team Colleague

With both I get a message saying registry edit is disabled by administrator.

Open a command prompt and type %userprofile%\desktop\combo-fix.exe /KillAll ENTER
Note there is a space here --> .exe<space>/KillAll

EDIT: Try using command.com to open prompt if that fails.

PhilliePhan 171 Central Scrutinizer Team Colleague

Combo-fix seems to be running. My only concern is how to get the log from one comp to the other. All the other comps in my house are Macs, will this be a problem?

That's a good question - last time I used a Mac was fifteen years ago.... :)
-- I know there used to be issues with .txt conversion.
Perhaps save the log as .doc or .rtf if it has issues with .txt?

After combofix runs you'll likely be able to get the ill compy back online and that would simplify things a bit....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I can't download MBAM at the moment. I think their server is down :x.

Try here:
http://majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, they are there.

With the three tools now on the Desktop, try this:

-- See if combofix will run. If not, try RightClick on it and Run As Administrator.

If it runs, let it finish and post the log.

If no combofix, then Extract the FindWPP folder from the FindWPP.ZIP
In the folder you'll find RunThis.bat
Run it and post me the log.

Let me know how you fare.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

A long paragraph came up about wanting to change to the parent directory. It goes through how to switch to what drives. Do you need me to retype all of this or do you know what we are looking for?

No - just checking that prompt was working properly.
Often I have to use command.com (the DOS shell) because this malware blocks cmd.exe (the native shell).

Do this at the prompt:

Type cd %userprofile%\desktop ENTER

Then Type combo-fix.exe /KillAll ENTER

If combofix runs, post the log.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

After typing that all in and hitting enter i got back

'C:\Documents' is not recognized as an internal or external command, operable program or batch file.

Hit START > Run > type cmd > OK
At the prompt, type cd /? and hit enter.

What happens?

PhilliePhan 171 Central Scrutinizer Team Colleague

yes to both questions

Allrightythen!

You'll need to put these tools on your flash drive:

http://ad13.geekstogo.com/Win32kDiag.exe
http://swandog46.geekstogo.com/avenger.zip
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
With combofix, what I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to working compy and put it on the flash drive.
FindWPP.zip
DDS by sUBs
http://download.sysinternals.com/Files/Junction.zip
http://www.raktor.net/exeHelper/exeHelper.com
http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe
SysProt Anti-Rootkit


Then, see if you are able to copy these to the desktop:
-- FindWPP.zip
-- Win32kDiag.exe
-- Combo-fix.exe

Let me know how you fare.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

When I type CMD in, a screen pops up and I type this after C:\Documents and Settings\User>

Right - that is your command prompt. Just type in the command carefully - make sure all spaces and quotes are included - and hit ENTER.
If you get error messages, let me know.

I also forgot to answer your question about the flash drive. I do not have one but will get one if need be.

If we are unable to get your existing combofix to run, you'll need a flash drive to transfer other tools onto the ill machine.

Let me know if combofix runs. Make sure it is still on desktop and that the name matches the command (combofix.exe or combo-fix.exe)

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

-- Do you have a flash drive to transfer tools and scanlogs between computers?

-- Can you get a command prompt on ill machine?
START > RUN > type cmd > OK
or
START > RUN > type command.com > OK

Let me know.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I haven't done anything yet, haven't restarted. I could download MBAM on this laptop and transfer it via flash drive, I guess, but I'll just leave the tower ticking over for now.

That's a good idea. Do that for MBA-M and run it.
Be sure to have it remove all it finds.

Then, Reboot.

Then see if you can access internet and DL a fresh combofix on ill compy and install recovery console and run combofix.
If no joy, then we'll install recovery console manually. No worries.


How are you holding up? Not too frustrated, I hope....

I will say this - If you have your Windows disk, I would still recommend a reformat after we clean the machine and you are able to pull your important data off somewhat safely. We can probably get it back and running in pretty good shape, but infestations such as this one can leave a system a bit unstable and you can never really trust that the machine is secure.
I do enjoy the challenge posed by a particularly nasty piece of malware, but if it were my machine, that is what I'd do........


Post me that MBAM log and let me know how you fare with the rest.

I'll be home in about 4 hours to check back in.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I am not posting from the ill computer. I tried to run the combo fix and it is asking for the program I would like to open it with. So I tried to go online and dl the findwpp.zip but it will no longer connect to the internet.

-- Do you have a flash drive?

-- Can you get a command prompt on ill machine?
START > RUN > type cmd > OK
or
START > RUN > type command.com > OK

-- Can you RightClick on combofix and Run As administrator?

If not, and you can get a command prompt, type this at the prompt:
%userprofile%\desktop\combo-fix.exe /KillAll ENTER

If you followed my last set of instructions regarding downloading a fresh combofix and did not rename it that time, then remove the dash in combofix for the command.

Please post me the log, if it runs.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

One ComboFix log:

:)

The machine still doesn't seem right, though :/.

That's not surprising - we are nowhere near finished.... :)

But - you are starting to make good progress!


-- Let's restart eventlog.
Command prompt: type sc config "eventlog" start= auto ENTER
Don't reboot - just leave it for now.


-- Are you able to now download programs to the ill compy?
If so, please do this:

--- Download and run MBAM as per Step #8 in the linky below:
http://www.daniweb.com/forums/thread134865.html
Make sure to remove all it finds and post me the log.

THEN:

--- DELETE your current copy of combofix.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You should not need to rename it this time and it should be able to install Recovery Console.

Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Post me that log as well and we'll see where that leaves us.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

ComboFix is currently running atm, it's just made me reboot because it found the rootkit, which can only be good!

Having said that.... apparently I don't have Microsoft's system restore kit or something installed, so it says it won't attempt the fix of "some serious infections". Hopefully that won't be a problem.

That's the least of your worries . . LOL!

Actually, the Trinity Rescue Kit and Avira Tool operate much in the same way as the Recovery Console except TRK is Linux.

-- I realized why FindWPP didn't work properly - LOL - command.com prompt. I had a minor "brain cramp."

Let me know how combofix shakes out - keeping my fingers crossed it completes properly..... :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

The command prompt certainly is useful. I gotta learn a bit more about how to play with it, I think.

Oh yeah - very useful to learn the various commands available to you!

That said, this is odd - that log looks as though my batch only partially ran properly - odd.

At least it was able to change this:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\pump.exe \"%1\" %*"

Back to what it is supposed to be:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


The rest is odd...

---- Try running Win32kDiag.exe again and see if same error.
If it won't run, try combofix below.
If it does run, post me the log.

ComboFix is on my desktop, too.

See if you can Run Combofix now - let me know.
type %userprofile%\desktop\combo-fix.exe /KillAll ENTER
You may not be able to update it - no worries.

PP :)
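The registry value quoted above is the hallmark of this infection: every .exe launch is routed through pump.exe before the real program gets "%1". An added PowerShell check, not from the thread or any of the tools it mentions, that audits the exefile association in all three places it can live, optionally restores the stock value, and also looks for the DisableRegistryTools policy behind the "registry editing has been disabled by the administrator" message the poster hit. It assumes an elevated PowerShell prompt on the affected machine; the function names and the -Restore switch are my own.

```powershell
# Added example (not from the thread): audit the .exe file association and the
# "registry editing disabled" policy. Run from an elevated PowerShell prompt.

$ExpectedOpenCommand = '"%1" %*'

# HKCR is a merged view of the HKLM and HKCU Classes keys; checking all three
# shows whether a hijack is machine-wide or only for the current user.
$ExefileKeys = @(
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
)

function Test-ExefileAssociation {
    param([switch]$Restore)   # assumed switch name: rewrite hijacked values
    foreach ($key in $ExefileKeys) {
        if (-not (Test-Path -Path $key)) { continue }   # the HKCU override normally does not exist
        $current = (Get-ItemProperty -Path $key).'(default)'
        if ($current -eq $ExpectedOpenCommand) {
            "OK        $key"
        }
        else {
            # e.g. C:\WINDOWS\system32\pump.exe "%1" %*  -- a loader inserted in front of every program
            "HIJACKED  $key -> $current"
            if ($Restore) {
                Set-ItemProperty -Path $key -Name '(default)' -Value $ExpectedOpenCommand
                "RESTORED  $key -> $ExpectedOpenCommand"
            }
        }
    }
}

function Test-RegistryToolsPolicy {
    # DisableRegistryTools = 1 is what makes regedit refuse with
    # "Registry editing has been disabled by your administrator".
    foreach ($hive in 'HKCU', 'HKLM') {
        $key   = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $value = (Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
        if ($value) { "POLICY    $key\DisableRegistryTools = $value (regedit blocked)" }
        else        { "OK        $key\DisableRegistryTools not set" }
    }
}

Test-ExefileAssociation          # report only; add -Restore to put '"%1" %*' back
Test-RegistryToolsPolicy
```

Run the report first and only add -Restore once the loader itself has been removed; putting the association back while pump.exe is still resident just invites it to be rewritten at the next login, which is why the helper has the batch and ComboFix do the cleanup before anything else.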

PhilliePhan 171 Central Scrutinizer Team Colleague

It won't run. It doesn't give me an error message or anything, it just doesn't do anything after I double click it :/.

-- What about command prompt:
type %userprofile%\desktop\FindWPP\RunThis.bat ENTER

-- See if you are now able to copy combofix to the desktop. Do that, if possible.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Yep, it let me extract FindWPP.

OK - Run RunThis.bat in the FindWPP folder and see if it runs. If the log pops up, save it to the desktop. Put it on the re-writable disc to transfer it, if possible.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I managed to get the files off the flash drive with no apparent problems, but it won't let me run Win32kDiag. Same error, not the required permissions. I haven't touched FindWPP, though.

-- Can you RightClick on it and Run as Administrator?

-- Did you try command prompt?
type %userprofile%\desktop\win32kdiag.exe ENTER

-- Can you RightClick and extract the FindWPP folder from the ZIP to the desktop?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

After that reboot, I tried to copy from the CD using the script, and it just says "Incorrect function."

Well . . . crap. It's not making things easy, is it?
-- You did change the source directory to the correct letter (probably D or E:\), right? (sorry - gotta check)

Try to copy them from the flash drive.

If that does not work, let's go ahead and try to run combofix from the flash drive. You'll not be able to update it, but run it anyway - If it runs, post the log.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

There are a lot of things starting up when you log in. Follow http://netsquirrel.com/msconfig/index.html and disable things that are not needed.

msconfig is a diagnostic utility and not a startup manager :)

It should not be used as such - there are better ways to deal with these, but probably best to wait until machine is clean before addressing this.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

The third: "[SC] ChangeServiceConfig SUCCESS".

Good - that's what I thought. It can't be stopped, but it can be disabled.

At the prompt, type sc query "eventlog" and tell me what the State is.
If it is still running, we'll need to reboot and then repeat the query to make sure it is not running.
('course, I am assuming this is a replaced file - usually it is, but there have been others)

Then, let's try to copy FindWPP and Win32kDiag.exe to the desktop again. If you can't copy and paste, try the copy command.

Assuming external drive is, say, G:\ the command would be:
copy G:\Win32kDiag.exe "%userprofile%\desktop"
copy G:\FindWPP.zip "%userprofile%\desktop"

Obviously, if not G:\ , you'll need to change accordingly.

Let's see how that works.

Sorry about the delay - doing 10 things at once here :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Oh and it does not let me start in safe mode either. Is my comp basically toast?

Not quite yet . . . We really didn't get to finish up from before and a lot can happen in 4 days.

-- Are you able to run your existing combofix? Try that. Post the log if you can run it.

-- Are you posting from the ill computer?

Let me know.


If combofix won't run:

Please download FindWPP.zip and RightClick on FindWPP.zip and Extract the FindWPP folder to your Desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'll try whatever you think will work.

We should probably try burning the tools onto a non-rewritable disk (not the ISOs, just the disk of tools). That way, we can use command line to copy them to desktop. Let me know if that is workable.

I am a little reluctant to try the flash drive just yet - I am fairly certain the malware has replaced the legit eventlog.dll and once we deal with that, we can make some headway with tools on the desktop. We just need to get them on there.


What happens when you type the following command at the prompt:

dir /s %windir%\eventlog.dll

Note it is dir <space> /s <space>%windir%\eventlog.dll

If error there, try:
sc stop "eventlog" ENTER

What happens?

If error there, try:
sc config "eventlog" start= disabled ENTER

What happens?


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

How should I proceed from here?

DELETE your current copy of Combofix.
Download a fresh Combofix and run it as you did before and post that log for me as well. You do not need to rename it this time.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I had no joy with "cmd", but "command.com" does bring up the DOS prompt, which is encouraging.

That should come in handy.

-- Do this: Open a command prompt and type exactly as I have here in red:
dir /s %windir%\eventlog.dll > "%userprofile%\desktop\logit.txt" & hit ENTER

Logit.txt will be on the desktop - I need to see that, however possible.
I just need the various paths to eventlog.dll and the exact size in bytes for each. You'll not need to copy everything.

-- One of the options I was keeping in reserve in the event that nothing else works (nothing could be transferred to the Desktop of ill compy and then run) is to run Combofix directly from the flash drive.

Perhaps we should go ahead and try that? What do you think?
You won't be able to update it, but it should run and make some progress. Let me know if you want to jump ahead and try that.

But before that, give me the eventlog.dll info.

PP :)
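The helper's `dir /s %windir%\eventlog.dll > logit.txt` is a quick way to see whether the Event Log service DLL has been swapped: on a clean machine the copies under system32 and dllcache are the same build, so a copy with a different size stands out. An added PowerShell version of that check, not from the thread, that writes the same logit.txt but adds a SHA-256 per copy and the service state the earlier `sc query "eventlog"` step asked about. It assumes an elevated prompt and PowerShell 4 or later (for Get-FileHash); it reads only and changes nothing.

```powershell
# Added example (not from the thread): list every eventlog.dll under %windir%
# with size, timestamp and SHA-256, plus the Event Log service state.

function Get-EventLogDllReport {
    $service = Get-Service -Name EventLog
    $mode    = (Get-CimInstance -ClassName Win32_Service -Filter "Name='EventLog'").StartMode
    "Event Log service: Status=$($service.Status) StartMode=$mode"

    $copies = Get-ChildItem -Path $env:windir -Filter eventlog.dll -Recurse -Force -File -ErrorAction SilentlyContinue
    if (-not $copies) { "no eventlog.dll found under $env:windir"; return }

    $rows = foreach ($file in $copies) {
        [pscustomobject]@{
            Path     = $file.FullName
            Bytes    = $file.Length
            Modified = $file.LastWriteTime
            SHA256   = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        }
    }
    $rows | Format-Table -AutoSize | Out-String -Width 200

    # system32, dllcache and the servicing folders normally hold the same binary;
    # a copy that differs in size or hash is the one to examine.
    $distinct = @($rows.SHA256 | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        "WARNING: $($distinct.Count) different eventlog.dll binaries found"
        $rows | Group-Object -Property SHA256 | ForEach-Object {
            "  $($_.Name.Substring(0, 12))...  x$($_.Count)  $($_.Group.Path -join '; ')"
        }
    }
    elseif (@($rows).Count -eq 1) {
        "NOTE: only one copy present; nothing local to compare against, check the hash against a known-good build"
    }
}

# Same destination the helper asked for, so the file can be carried off on the flash drive.
$out = "$env:USERPROFILE\Desktop\logit.txt"
Get-EventLogDllReport | Out-File -FilePath $out -Encoding ascii
Get-Content -Path $out
```

A mismatched copy in system32 is exactly the case the helper describes further up the thread: the service cannot be stopped while the replaced DLL is loaded, but `sc config "eventlog" start= disabled` followed by a reboot keeps it from loading, after which the tools copied to the Desktop have a chance to run.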

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for all you've done!
AND YES. It's gone! WOOO!

Glad we could help :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok, well, everything is downloaded, burnt, and I'm ready to go. I believe Trinity is on a re-writable CD/DVD, too.

Great! - Trinity offers 4 AV scanners, but only Clam is onboard. It needs to update and download and rewrite itself. This is a legit option that uses freeware as opposed to pirated software.
(I wish they would add an option for MBAM or combofix to be downloaded and run...)

I do have one slight possible problem, though. I note that both Avira and Trinity say that I might have to go into the BIOS and change the boot order to allow me to boot from the CD. .....Will that be an issue?

I doubt it - that message is not referring to your "system BIOS" - probably looking for a drive controller. Not a big worry at this time.
-- With any luck your compy will detect the CD on startup and offer the option to boot from it. We'll cross that bridge when we come to it.
Those CDs are strictly a last option in the event that nothing else works - Hopefully we'll not have to use them. (they are good to have around, though - hold onto them)

Let's start with the CD with all the tools on it.
-- See if you are able to transfer FindWPP to the ill computer.
RightClick on FindWPP.zip and Extract the FindWPP folder to your Desktop. Hopefully you won't be …

PhilliePhan 171 Central Scrutinizer Team Colleague

Well . . . things don't look too bad outside of all the P2P stuff. You are playing with serious fire there. A lot of forums won't help you unless those are removed.....

-- What is this folder?: C:\System32

-- Some forum volunteers would likely wipe this registry key:
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

I'll leave that up to you - My feeling is that "people are going to do what they are going to do" . . .LOL.

I will say that you dodged a very big bullet - malware purveyors are really starting to take advantage of P2P stuff. I've seen a lot of borked machines.
Well. . . That's the extent of my lecture.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Have done this myself, but stress to the user NOT to reboot . . . .

Yup - but you have to stress that really hard and still people will reboot when prompted to "reboot so changes take effect" or whatever the dialog box says....

PP :)