Hi vantran012,
You would probably have better luck getting a helpful answer if you posted your question in the Hardware section of Daniweb.
Try here:
http://www.daniweb.com/forums/forum121.html
Best Luck :)
PP
Thanks to the people who responded to my problem.
Happy to see you got it sorted out! :)
Malwarebytes' Anti-Malware has successfully blocked access to malicious IP: 212.117.169.16
This belongs to a server that you are trying to contact:
inetnum: 212.117.160.0 - 212.117.175.255
netname: SERVER-LU
descr: root eSolutions
country: LU
admin-c: AB99-RIPE
tech-c: RE655-RIPE
status: ASSIGNED PA
mnt-by: ROOT-MNT
source: RIPE # Filtered
role: root eSolutions
address: 35, rue John F. Kennedy
address: L-7327 Steinsel
address: Luxembourg
phone: +352 20.500
fax-no: +352 20.500.500
e-mail: info@root.lu
HERE are some of the sites they host. Torrents, warez and pron. No wonder MBA-M blocks access.....
PP:)
Files Infected:
C:\Program Files\Microsoft Works\cpitv11.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Works\pibase11.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\MATLAB71\toolbox\compiler\mcr\matlab\verctrl\verctrl.mexw32 (Malware.Packer) -> Quarantined and deleted successfully.
C:\Program Files\MATLAB71\toolbox\datafeed\datafeed\bbdatafeed.mexw32 (Malware.Packer) -> Quarantined and deleted successfully.
C:\Program Files\MATLAB71\toolbox\matlab\verctrl\verctrl.mexw32 (Malware.Packer) -> Quarantined and deleted successfully.
These look a lot like legitimate items to me. Very likely a bunch of False Positives.
You should probably hold off on any further action until Judy can have a closer look.
PP :)
More importantly, at about 2:30 last night, after I had been using my computer for 3 or 4 days with no problems, Windows Police Pro popped up again. I was able to immediately end the processes, but still.......
This is odd . . . Your machine was as clean as we could get it in a forum setting without a format.
I'm wondering if we missed something that didn't show in logs and it phoned home for backup, or it got reinstalled "drive-by" style.
I've been seeing a lot of infected machines with multiple P2P clients and figured that was the source.
But then, I've also had the "you are infected" message pop up on my compy while I've been surfing. It is a Flash screen that purports to be "scanning" my compy, but really it is flash video.
I was awfully tempted to click the link and install it just to play around with it, but I allowed good sense to prevail...LOL
I was on Philly.com at the time and I've also seen where this has popped up on the NYTimes website......
PP:)
I wonder if SAS has those keys set for removal on reboot?
Plus, I don't see the HKCR key that it flagged on the scan....
Odd.
Plus, this doesn't seem a big deal to me - looks like an orphaned key that should be easy to remove.
PP:)
I've been following this thread cause I have had issues like this before but took a different method to solve the problem...I am not saying that it is the best way to go about doing it but it sure is fast and so far has been effective.
Basically what I do is back up all important files and install a fresh copy of Windows and boot record - this ensures that the virus(es) will be destroyed and your PC will perform faster (a fresh install is always faster).
No - It is the best and easiest and most effective way to address this (and most) malware. Especially this or any other malware with rootkit accompaniment......
There are only a couple things you need to take into consideration:
1) Backing up files from a rootkitted computer is a dicey proposition.
2) A lot of users do not have a copy of their OS. You cannot re-install what you do not have.... So, they are left with two undesirable options - Buy a new copy of Windows or try to clean the mess as best you can.
Personally, I enjoy the challenge of trying to clean the machine.
But, if it were my machine and considering that I have clean backups of 90% of my data . . . . I'd go the route you did.
Cheers :)
PP
Still same thing. I gave full control to myself and Administrator but still nothing.
What error message do you get when you try to delete this?
-- I am not sure any of the easy tools I have will work w/ Vista 64
Download Bill James’ RegSrch
Extract it to your Desktop and DoubleClick regsrch.vbs
-- if your AV has script blocking, you’ll need to allow this to run
When the dialog box opens, type or Copy&Paste {6DEEE498-08CC-43F0-BCA0-DBB5A25C9501} and Click OK.
-- You’ll need to save the log that pops up in Wordpad and then submit it for me.
I'll be back Monday night.
PP :)
Sorry but I had to work late (I work with beer and football season just started). I will be back on tomorrow. I will get on after work...which should be around 4pm central time. I will try what you posted last night then. Sorry
No worries!
"Real life" always takes precedence over computer stuff . . .LOL!
Plus, it's not as though you're using this machine and getting re-infected....
Mondays are typically busy for me, so I doubt I'll be on until after 8PM EST.
PP :)
Hmz... when I try to delete {6DEEE498-08CC-43F0-BCA0-DBB5A25C9501} it gives me an error access denied.
You probably need to change permissions.
RightClick it and select Permissions and make sure the box for Full Control is checked for your user group (probably Administrators) then delete it.
PP :)
Ok, I agree all of them are out of date and many of the links in them no longer work.
Frustration I guess on my part for three weeks of wasted effort on my part.
I will now bow out.
Hey - we've all been there, right? Most security forums would have locked that thread after 3 days of inactivity.....
With any luck we'll be able to address some of the Read Me issues.
PP :)
I would have given up long ago and formatted and reloaded the machine.
In all honesty, that is the best and most effective course of action. Especially with this type of baddie . . . . But where's the fun in that? :)
WHO did tell you to boot to safe mode?
Why did you use the 2nd method of Safe Booting from the "Read Me: PC Cleaning Procedures & Detection Tools" when the 1st method noted is to use the F8 key?
The first method probably did not work.
With all due respect, Judy, that sticky post needs to be removed or edited. Stickies are there to be read and followed.
I do agree, though, that there was absolutely no follow-through in a timely manner by the OP and that probably could have avoided this mess....
@emmasyah - Do you have your Windows Disk?
If not, you'll need to download this Recovery Console ISO and burn it to CD.
Let us know.
PP:)
Please help... Thanks
I am sorry to say that you have been given bad advice . . . I hope it wasn't in this forum.
It is not recommended to force Safe Mode via msconfig as you have here. Some malware wipes the safeboot key in the registry. Then, when you use msconfig to boot to Safe Mode, it modifies boot.ini so that you get caught in a reboot loop, as you are now.
If you have your Windows disc, you can use recovery console to repair boot.ini.
Or, you could try a "non-destructive" recovery via recovery partition if that is available to you.
I suggest that you ask whoever told you to boot to safe mode via msconfig to help you fix the mess they got you into....
Best Luck :)
PP
Ya it removes them, tells me then to restart to have it completely removed. After restart I do a scan and it's there again...
I am pretty sure REGEDIT4 is supported in Vista 64, but you might want to open regedit and manually remove the key. That way you know for sure it is gone.
Then, if it comes back, you know for sure something is restoring it....
But only hack the registry if you are familiar or comfortable doing that. Could really bork a machine.
I'll be back Sunday night, if you guys are still having trouble with this.
Cheers :)
PP
First try Start>AllPrograms>Accessories>SystemTools>SystemRestore
then restore it to earlier state.
If still No good....
That is not an option with this malware (though we did try that nonetheless). Thanks anyway :)
I realize that 66 previous posts is a lot to read, but you should really read them before posting that at this juncture...
PP :)
I have work in the morning so I'm going to have to get off of here for the night. I will be back on tomorrow. Thanks for the help.
Ok - I'm about done, too.
See if you can RightClick the MBA-M installation file and Run As Administrator. If it installs, then you may have to Run as Administrator to get it to run. I am not sure this will have any effect.
If that doesn't work, do the steps in Post #60 and submit that log and we'll go from there.
--- You might also try this suggestion from MalwareBytes. See if that will do the trick....
I'll probably be back Sunday evening.
G'Night :)
PP
Sweet . . . We are making progress, finally!
Let's try this:
Do this bit again with The Avenger
-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:
Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll
-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.
Just do this once and post the log. If there are error messages, just ignore them and go ahead and continue with MBA-M below. I'm just double checking and there will probably be a "file not found" type of error...
Then, install the fresh MBA-M you downloaded (can't remember what we called it this time).
When it is installed, you probably ought to then go into the ProgramFiles\MBA-M folder and Rename mbam.exe to zappa.exe (hey . . I like Frank, what can I say...)
Run the Quick Scan and have it fix what it finds and …
Also, the title on the window that's open is C:\ Find3M
I think it got stopped again.
See if there is a C:\combofix.txt
If so, post it.
If not, extract junction.exe from the Junction.zip you downloaded and place junction.exe in your C:\Windows directory.
Start a command prompt and type:
junction -s > C:\Logit.txt ENTER
Let the tool run and then post the C:\Logit.txt for me.
PP :)
Can you explain to poster how this should be done? I am NEVER comfortable with registry fixes...as you well know!
Just save the text below in NOTEPAD:
REGEDIT4
[-HKEY_CLASSES_ROOT\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}]
-- Save it to the Desktop as type "all files" and name it Fixit.reg
-- DoubleClick on Fixit.reg and allow it to merge into the registry.
That ought to do it. If it returns, something is re-creating it.
PP :)
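As an added example (not code from the thread or from its author), here is how the same key removal and the "does it come back?" check can be done from an elevated PowerShell prompt instead of a .reg merge. The GUID is the one named in the thread; the function names are my own.

```powershell
# Added example, not part of the original thread.
# Path of the orphaned Interface key discussed in the thread, via the Registry provider.
$KeyPath = 'Registry::HKEY_CLASSES_ROOT\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}'

function Test-OrphanedKey {
    # Reports whether the key exists and, if so, who owns it and who has what rights.
    # Run this once before removal and again after the next reboot: if it is back,
    # something on the machine is re-creating it.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Host "Key not present: $Path"
        return $false
    }
    $acl = Get-Acl -LiteralPath $Path
    Write-Host "Key present. Owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        Write-Host ("  {0,-40} {1,-6} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.RegistryRights)
    }
    return $true
}

function Remove-OrphanedKey {
    # Grants BUILTIN\Administrators Full Control (the manual "Permissions" step from the
    # thread), then deletes the key. Fails with Access Denied if the current owner does
    # not let Administrators change the ACL; in that case take ownership first.
    param([string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    Remove-Item -LiteralPath $Path -Recurse -Force
    Write-Host "Removed: $Path"
}

# Usage: inspect, remove, and re-check. Re-run Test-OrphanedKey after rebooting.
if (Test-OrphanedKey -Path $KeyPath) {
    Remove-OrphanedKey -Path $KeyPath
    Test-OrphanedKey -Path $KeyPath | Out-Null
}
```

Test-OrphanedKey returning $true after a reboot is the signal the thread is looking for: the key was deleted but is being restored by something that still runs.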
Great! Now let's run combofix.
If you still have combofix on your machine, DELETE it.
Then, move that renamed combofix - I think we went with Zappafix - to the Desktop and run it and hopefully we'll get a log this time....
Let me know how this shakes out.
PP :)
Ok I just ran the 2nd scan and it finished and I pressed the space bar to finish it...but where did the log save?
Should be on the desktop...
Dang! Did it remove them?
Just pull that key out manually, Judy.
PP:)
Great! - I'm going to need to see this one, too:
Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r
If that doesn't run, use a command prompt.
Make sure you post the new log rather than the previous one.
PP:)
Knock on wood, but this might make things easier.... :)
You should have this handy:
http://swandog46.geekstogo.com/avenger.zip
-- Extract Avenger.exe from the ZIP to your Desktop
You'll probably have to copy the below to notepad and put it on the Desktop and then C&P it:
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:
Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll
-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.
NEXT:
Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r
If you type that, remember the quotes and the spaces.
That should produce a log, as well. Please post it for me.
Let me know if you ran into any difficulties along the way with these instructions and we'll go from there.
PP :)
Ok Win32kDiag.exe is running.
Good - how did you get it to run? Cmd prompt?
PP :)
I just double clicked on DDS scan and it popped up the cmd prompt box for less than 1 sec then it went away???
I already deleted the old malwarebytes. I will download the new things now.
Ok - Let's do this first:
Transfer Win32kDiag.exe to the desktop.
-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
If doubleclicking doesn't work, open a command prompt and then copy and paste "%userprofile%\desktop\win32kdiag.exe" ENTER
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.
If it doesn't run, delete it and then rename it on laptop to Win32kDiag.com and transfer it to the Desktop and try to run it. Command prompt would be "%userprofile%\desktop\win32kdiag.com"
Let me know what happens.
PP :)
I am going in there to try the scan now.
Great!
I have to grabs something to eat - be back in a bit.
Here are two more tools we are going to need:
http://download.sysinternals.com/Files/Junction.zip
http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe
-- Are you able to uninstall the copy of MBA-M currently on the machine? If so, do that.
Let me know.
PP :)
"-- If your AV has a script blocker, please disable it"
Just see if DDS will run and we'll try something else.
BTW - How are you set up for reading/posting logs?
If you are posting via flash drive on another computer, we do risk infecting both the flash drive and the other compy . . . But, that's a risk we might have to take...
Sorry I couldn't get on last night due to having to work longer than expected. I will start on the stuff you posted right now. Thanks.
No worries!
This is possibly the nastiest POS I have ever seen and I've been volunteering in various forums long enough to remember some really nasty ones . . . LOL!
-- What I want to find out is just what has been accomplished , if anything, by the first run of combofix.
This baddie will let it run once, but then blocks it.
I do have a few tricks up my sleeve to try to get around that.
PP :)
When I went to Start > Run I pasted "%userprofile%\desktop\win32kdiag.exe" -f -r
on the "open" thing where I typed cmd the last time, and an error msg came up saying they can't find the file or something like that.
Download a new copy and make sure it is on the Desktop and try that again:
http://ad13.geekstogo.com/Win32kDiag.exe
Post me the log.
If that doesn't work, open a command prompt START > RUN > cmd and then copy and paste "%userprofile%\desktop\win32kdiag.exe" -f -r and hit ENTER. That should work.
PP :)
No worries on the error message - just follow the steps below carefully and let me know how it shakes out.
Ok - Great . . . . Now the tricky part:
Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip
-- Extract Avenger.exe from the ZIP to your Desktop - You have to extract this tool - do not run from the zip!
If you need a tool to Extract Avenger from the ZIP, try 7Zip
Once Avenger has been extracted to the Desktop:
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:
Files to move:
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll | C:\WINDOWS\SYSTEM32\eventlog.dll
-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.
NEXT:
Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r
That should produce a log, as well. Please post it for me.
Let me know …
You know, going back through this thread, reading the logs, not finding anything...one thing I did notice is that nobody replying on this thread, unless I missed it, had you attempt one logical thing; Put your cursor on the taskbar, Right Click, choose Toolbars and see if that Search bar is in there and if it is, is there a check mark there? If there is then remove the check mark.
Or, you could probably disable this in Vista settings.
Thanks for all your help! It definitely looks like you fixed it.
You're welcome - Happy to help!
You can go ahead and mark this one as solved.
Be careful with the P2P/Torrents - I think most people are being infected with this baddie that way.
Cheers :)
PP
I did the Run > Enter.
A black window popped up...
C:\WINDOWS\system32\cmd.exe
Ok - Try this:
Be sure that Win32kDiag.exe is on your Desktop
Get a command prompt like before by clicking Start > Run > type cmd OK
Then type or Copy&Paste "%userprofile%\desktop\win32kdiag.exe" and hit Enter. It should say "searching windows..."
Let it run until it finishes.
If it runs please post the log (Win32kDiag.txt) - you'll find this on the Desktop.
PP :)
Ok Thank You
Happy to help . . . . But I don't have any good news for you:
I do not see anything in those logs.
Are you sure this wasn't installed with another program? Perhaps the recent install of Quicktime on 9/3?
It could be a legit toolbar that was re-directed, but I'd expect to see evidence of that in the logs.
You could try a System Restore to a point before you noticed this.
Or, you could probably disable this in Vista settings.
And, there is always the possibility I might have missed it in the logs, though I doubt it.
Sorry we couldn't be more help.
PP :)
Any suggestions would be greatly appreciated. Thank you.
You can either delete your current Firefox profile and then create a new one, or completely remove Firefox and reinstall it.
-- Uninstall Firefox
-- Delete the following folders:
Program Files\Mozilla
C:\Users\%username%\AppData\Local\Mozilla
C:\Users\%username%\AppData\Mozilla
and/or
C:\Users\%username%\AppData\Roaming\Mozilla
Then, reinstall the latest Firefox. (you'll need to completely re-configure all your previous settings/preferences add-ons etc...)
Maybe somebody else will have a better solution?
Cheers :)
PP
If you get a chance before I check back tonight, try this:
-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool
* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).
I would like to see that DDS.txt - At this point I am not sure what combofix was able to accomplish.
Also, if you can, download new copies of combofix and MBA-M.
Rename them BOTH before you download them:
Zappafix.exe and BAMM.exe
We'll likely be using The Avenger and others as well, so have them handy.
Back tonight.
PP :)
Here you go.
Well . . . Combofix did not run as it should have - looks like the CFScript was not saved to the desktop properly.
No worries!
We'll do it this way:
1) You'll need to enable the viewing of hidden files and then navigate to the following files and DELETE them:
c:\windows\system32\pavogare.exe
c:\windows\DUMP7743.tmp
c:\windows\system32\REN1EE.tmp
c:\windows\system32\REN1ED.tmp
2) Once that is done, do this:
• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK
This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.
Let me know if you run into any problems. If not, I think you're good to go.....
Cheers :)
PP
Ok, I'll see you tomorrow. Thanks.
We can attack this in a different manner tomorrow . .. .
Hopefully we'll have better luck!
G'Night :)
It did not start scanning or anything like that again.
Let's try a command prompt and type:
%systemroot%\system32\restore\rstrui.exe
See if there are any viable restore points.
If not, we'll try something with Avenger, but it may be risky.
I am about to close it down for the night - got about 10 more minutes of computer time. We might have to pick this up tomorrow....
PP :)
It ran through the whole test, I guess it just won't let it restart. Should I just close it out and restart it?
Yes - do that and see if it completes.
PP:)
Do you have a known working link for Malwarebytes like your other links? I tried to reinstall it again and it said the same thing, so I probably need to redownload it altogether.
Let's wait on that and try my previous post first.
PP :)
"-- First, try a command prompt and type rstrui.exe and see if there are any viable restore points...."
It is not recognized as an internal or external command. That was what popped up when I tried it.
My fault - doing ten things at once here :)
I should've had you type this:
%systemroot%\system32\restore\rstrui.exe
But, let's wait and do this first:
Reboot.
If combofix doesn't start, run it again and let's see how that shakes out....
PP :)
I don't see this: C:\ComboFix.txt
I went into the C drive and didn't see it. I also went into Program Files and didn't see it.
This is quite a doozy!
-- What about in C:\Qoobox\ComboFix.txt ?
-- How did you transfer MBA-M to the compy?
You might need to reinstall MBA-M.
-- Maybe we can try running combofix again.
-- First, try a command prompt and type rstrui.exe and see if there are any viable restore points....
PP :)
This is what it told me to write down:
Those are components of the rootkit that is causing this hassle.
-- Is there a log at C:\ComboFix.txt ?
PP :)
Ok, it scanned then told me to write down some things on paper... after I wrote it all down I clicked OK and the computer restarted. Now it just has the desktop pulled up (no scans are running or anything).
What did it tell you to write?
Are things functioning better? Can you run MBA-M?
PP :)
Yeah, that did not work either... I get the same error msg... just with the win32diag at the end of it...
Try renaming it to Win32kDiag.com and see if it will run.
Are you able to get a command prompt?
START > RUN > type cmd ENTER
or
START > RUN > type command.com ENTER
Let me know.
PP :)
I tried it again with just copy I: and it worked...the scan is running now.
Great!
Keep me posted :)
PP
Ok, I did that, then this popped up...
Let's try this:
Please Download Win32kDiag from a linky below and save it to your Desktop.
• http://ad13.geekstogo.com/Win32kDiag.exe
• http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe
-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.
PP :)