PhilliePhan 171 Central Scrutinizer Team Colleague

this popped up, some black screen with words on it... called...

You need to Extract the FindIt folder from the ZIP to your desktop or it won't work properly.

RightClick on FindIt.zip and select Extract All and extract it to the desktop.

Let me know if you run into problems.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I did not try the internet in safe mode networking. I will try that when I get back.

I think XCOPY might have borked it. I should have added switches.

Try this:

XCOPY F:\bunnyfix.exe "%userprofile%\desktop" /v /s /h

Let me know:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Should I just download it again from the link in this thread or try something else?

Yes - let's try that again. Getting combofix to run is the best and easiest way to proceed.
This time, try COPY instead of XCOPY and see if that changes anything.

BTW - It is very possible that your Flash drive is infected . . . The best procedure is to burn the tools onto a CD (something non-re-writable)

Let me know how it shakes out :)

-- Did you try Safe Mode With Networking AFTER running WinsockFix?

PP

EDIT: - Let me doublecheck - may need to use a switch with the copy commands....

PhilliePhan 171 Central Scrutinizer Team Colleague

Happy to help :)

-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log along with a fresh MBA-M scanlog (didn't get to see that one...) and we'll see if we can wrap this up.


P :)

PhilliePhan 171 Central Scrutinizer Team Colleague

the desote.exe blocks me opening any anti virus =/

For the life of me, I do not know why people don't read the threads before they reply.... :)

Please do this first:
Download FindIt.zip and Extract the FindIt folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run. (10-20 seconds)
A log should pop up - please post that for me. And, we'll go from there...

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK - A couple more steps:

-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log and we'll see if we can wrap this up.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

See you on in a few hours. Thanks again.

Happy to try to help :)

What is the path to your external drive? If I were to assume F:\ then we would do this:

Open a command prompt and type:
XCOPY F:\bunnyfix.exe "%userprofile%\desktop" ENTER

See if that works to put combofix on the desktop. If the path is different, you'll need to type the correct path. Note to leave a space after XCOPY and after .exe & don't forget the quotes...


Let me know if this works.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Can you get a command prompt?
Either Start > Run > Cmd
or
Start > Run > Command.com


-- I have to run - be back in a few hours.

Also - I should've suggested this before - see if you can run winsock.fix to try to re-establish internet connection - if it will run.

http://majorgeeks.com/WinSock_XP_Fix_d4372.html

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I have them all except for #5 on your list.

Drat! - I should've posted a few mirrors.

If you get a chance, try this link:
http://ad13.geekstogo.com/RootRepeal.exe

I'll be back tonight when I have more time, but the first thing we need to try is this:

Transfer Combofix to the desktop and try to get it to run as bunnyfix.exe.

If it runs . . . post me the log :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks once again for helping me with this.

Happy to help :)

Let's do this next:

1) DELETE your current Win32kDiag and download a fresh copy to the Desktop.
http://ad13.geekstogo.com/Win32kDiag.exe
-- Click START > RUN and then Copy&Paste all of the following text in Red into the command field:
"%userprofile%\desktop\win32kdiag.exe" -f -r
-- Please post that log for me


2) Download and run MBA-M as per the linky below and have it Remove what it finds. It should get some of what Combofix missed.
http://www.daniweb.com/forums/thread134865.html

3) Reboot.

4) DELETE your current copy of Combofix.
Download a fresh Combofix and run it as you did before and post that log for me as well.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks a lot. This this is really starting to ......

I'm sorry - I should have written that more clearly.
I need you to copy and paste the main DDS.txt for me. That's the one I really want to see.
If you didn't save that log, just run DDS again.

As for the toolbar, I have a feeling that it might be one of those "quasi-legit" items that comes bundled in the installation package with another program you might have installed.
I know you said it "just appeared," but maybe she didn't notice it before? Do you remember installing any new software around the time the nuisance bar appeared?

Let's see what we find in the DDS.txt - Just copy and paste that one.

I'll be back tonight.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for any time you have! Here's the find it results:

Happy to try to help :)

Let's try this:

If you already have combofix on your machine, DELETE it.

Then follow the instructions in the link below to DL a fresh Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Zappafix.exe and then download it to your desktop as that and follow the instructions in the linky very carefully to run Combofix and then post the Combofix log for me.

Let me know if you have trouble with that. I'll be back tonight.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK . . . . That looks good! Not totally clean, but a hell of a lot better than where you were.....

Interestingly enough, every infected computer I have seen with this baddie also has some sort of Torrent client..... Food for thought.
I'd like you to disable yours until we are done cleaning your machine. Hate to get re-infected.....


Since I won't be back until Thursday night, I'd like you to go ahead and do this:

1) Run a Full Scan with MBA-M and have it fix what it finds and post that log for me.

2) Reboot.

3) Delete your current Combofix.
Download a fresh Combofix and run it again the same way you did before and post that log for me. Be sure it is the new log.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I tried to connect in safe mode with networking last night and I didn't have any luck. I tried it again now to make sure and it still wouldn't connect.

Ok - That's going to make things a bit more difficult.

I'd like you to download all of these tools and put them on cd/flash drive and have them ready for use Thursday evening EST, if possible......

1) http://ad13.geekstogo.com/Win32kDiag.exe

2) http://swandog46.geekstogo.com/avenger.zip

3) http://download.bleepingcomputer.com/sUBs/ComboFix.exe
When you download Combofix and it asks you to "Save File As," rename combofix to Bunnyfix.exe and then save it to the desktop or wherever as bunnyfix.exe before you transfer it to cd/flash drive

4) FindIt.zip

5) http://rootrepeal.googlepages.com/RootRepeal.zip

6) Keep your MBA-M handy, too

I'll probably be back Thursday evening/night and will try to guide you through a fix then. Post back when you have those six tools.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

If anyone has any info on fixing this I would appreciate it.

See if you can boot the ill machine to Safe Mode with Networking and access the forum that way. Let us know.

I'll probably be gone until Thursday night, but another volunteer ought to be able to help you.

Best Luck
PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

PP, With the flaming thing, I only meant that more than half of the posts up to that time were attacking or defending and not actually contributing to the solution. I just had to weed through that to find the helpful information that I was looking for.

No worries! :)
This guy comes out of nowhere and gives me grief for asking someone to start their own thread, as per forum policy.... In no other security forum would that be tolerated - we dedicated volunteers are hard to come by....

But I'm sure that there are also others that might see some of the things that I tried and help themselves. I'll be glad to provide more specific info to anyone that asks for it.

To be honest with you (and I mean absolutely no disrespect) - I would prefer that posters not try to follow any advice in other threads. YOU know what you are doing, but I have learned from many years in different forums that most posters are novices and we really need to walk them through things....

BTW - As far as this baddie, I am seeing a lot of the same rootkit (TDSS / seneka /UAC Rootkit) + it is often replacing a valid system file with a baddie. Usually eventlog.dll.....


Hey - If you are up for volunteering, I'm sure Daniweb could use the help!:)

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Any further info would be appreciated. And sorry if I've forgotten anything, I was tired long before this happened.

Hi Xiados,

Please download FindIt.zip and Extract the FindIt folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run. (10-20 seconds)
A log should pop up - please post that for me.


I will check back as time permits.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Now attempting to use Malware.
Malwares is still not opening.

OK - Let's do this first.

DELETE all copies of combofix currently on your machine!


Once that is done, follow the instructions in the link below to DL a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Bunnyfix.exe and then download it to your desktop as that and follow the instructions in the linky very carefully to run Combofix and then post the Combofix log for me.

I will check back as time permits.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for looking at this, here is the log you asked for:

Great!

Let's do this next:

Please Download Win32kDiag from a linky below and save it to your Desktop. Leave it there for now.
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox , using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

NEXT:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

-- That should produce a log, as well. Please post it for me.


LASTLY:

If you already have combofix on your machine, DELETE it.

Then follow the instructions in the link below to DL a …

PhilliePhan 171 Central Scrutinizer Team Colleague

OK so I ran blacklight.

Log is fine.

Disable and then re-enable System Restore to flush Restore Points and re-install your AV and let us know how things are working.....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

That came up. For the record it took around 40-60 seconds, if that matters.

Not really - I just based that on what it took on my compy :)

OK - We need to do this:

Please Download Win32kDiag and save it to your Desktop. Leave it for now.
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox , using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.


NEXT:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

That should produce a log, as well. Please post it for me.

Let me know if you ran into any difficulties along the way …

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm not really sure how to do all of that stuff, but I am going to try it. I'm having the same problem and this is very annoying since I don't know that much about all the stuff you said lol

And . . . . this is why "hit and run" posts of incomplete fixes are a pain in the ass in "open" forums such as daniweb.

You can call it flaming or whatever you want to call it, but the bottom line is this: I know an effective way to attack and try to clean all aspects of this infection (to the extent that a rootkit-infected computer can be cleaned) and I am willing to spend some of my free time sticking with a poster's problem and talking them through the cleaning process until it has been resolved.

@tinyart49 - Please start your own thread and a volunteer will be happy to help you.


Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

So looks like I'm stuck with this search bar for another while.

We really need a more thorough look at what is going on before we can say that :)
HijackThis is often insufficient when it comes to today's malware - Let's try this:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).
Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

Judy, I, or one of the other volunteers will have a look as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

The same type of thing happens when I try to do anything like extract files, open up Control Panel, user accounts, anything. Please help me! It's been this way for about 4 days and I've been searching but I still can't find a way to fix it.

Please start a new thread for your problem and I or one of the other volunteers will be happy to help you.


When you do that, please do this:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs.
Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I am currently running SpyBot in Safe Mode and have a few other tools to run after that, just to be sure. However, since this post was still only a week old I thought that I would share my experience in the hopes that it will help someone else out with this nasty problem.

Don't forget that this just addresses the obvious symptoms of the infection.
In just about all of the infections that I have seen, there is a rootkit component that you will need to remove as well. This is the real security risk to your machine!

If you'd like some assistance with that, please start a fresh thread as per forum policy and somebody will be happy to help you.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

NOpe still doesn't work in safe mode...

While Judy is away, let's have a look at something:

Please download FindIt.zip and Extract the FindIt folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run. (10-20 seconds)
A log should pop up - please post that for me.


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I really don't know what to do and would appreciate anyone who can help me fix my friends computer.
Thanks in advance.

I'd like to try this first:

Please download FindIt.zip and Extract the FindIt folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run. (10-20 seconds)
A log should pop up - please post that for me.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

This is the trojan:
winjgf32.dll

The original post is from almost 3 years ago. :)

Plus, a ton of different malware could cause these symptoms.
That looks like old Vundo - definitely not something that would cause the issues that jp2code described.....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I answered your PM :)

PhilliePhan 171 Central Scrutinizer Team Colleague

No, this is on my work PC. Company managed Windows licenses and Trend Micro antivirus.
I would bring it to the daniweb admin's attention, but I don't know what to tell them to look for.

That is indeed odd - I and many others hit this site and forum a lot and no problems....

However, I am not going to dismiss your post because I have seen many legitimate sites get hacked, resulting in code insertions and the like. Plus, I have seen a lot of infected advertising from 3rd parties on legit sites as well.

I am sorry you got infected - too bad we couldn't see any info to try to pinpoint the problem.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

THANKS again!

You are welcome! Glad you got it sorted out!

I would suggest that you tell your computer guy that there very likely was a Rootkit(s) on the machine.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Let's wait for PP to weigh in on that one, ok?

I say go ahead . . . If it proves clean, then we'll flush the Restore Points again and re-install AV and see how it shakes out.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

It is the only solution to the above problem and I am proud that I am the first to post it. Better than the experts here.

Actually, it is not.

And, by the way, it is incomplete.

If it worked for you, great! :)
Did you clean your infected pen drive[s]?

And, why not save some hassle and just remove the MountPoints2 key altogether? That seems easier to me....

Many of the people posting for help in this Forum are novices and likely not comfortable using a tool such as IceSword. Especially without detailed instruction. But, since this is an open Forum, all are allowed to give advice and the posters are left to sort it out.

If you are willing to stick around and talk posters through your fix and address any complications they encounter along the way, I am sure the Daniweb community would welcome you.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I got this same exact virus, the only one I've had in over 10 years, only after visiting Daniweb's site. Coincidence?

What "virus" might that be? It would probably be a good idea to bring that to the attention of site administration......

BTW - Are you using a cracked/pirated copy of Windows like the original poster?

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

sorry PP for not getting back - work's crazy... thanks, will do that... thanks again, K

No worries!

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Don't forget to delete the malware in addition to fixing with HJT.

I'm not sure any of the scanners will remove those, so you probably need to rip them out manually.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

It removed ComboFix with no problems.
Everything seems to be running normally
Thanks for all your help.

Great!
Happy to help!

Surf safely and beware of P2P stuff such as Torrents/Limewire/etc....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Sometimes, running all the tools that we did can bork things - but I didn't see any evidence of that.

For the time being, I suggest uninstalling your resident AV (don't do any surfing of the web while it is uninstalled) and run MBA-M and ESET as Judy mentioned. Then, if those are clean, we'll run Blacklight.

If all is clean, we'll flush System Restore again and then you re-install your AV and we'll see what happens....

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

At this point we just need to recover lots of data files before we re-format

At this point, without seeing exactly what is infecting you, It is difficult to comment with any accuracy - It sounds like you might have more than one infection.

Also, due to the rootkits involved with the infection you noted, putting those hard drives in another computer for data recovery is a bad idea - you could end up with another compromised machine.

-- Can you get me a HijackThis log?
-- Try running MBA-M in Safe Mode and see if it completes
-- If not, run it until it has found a bunch of baddies - abort the scan manually and then see if you are able to have it clean what it has found and run it again.

-- When MBA-M craps out, what file is it "hanging" on?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Is there any chance that MBA-M won't run because my AV was on?

Wow - bad time for Daniweb to take a "maintenance day," huh?

At this point, I have kind of lost track as to what has been done since you uninstalled Combofix.

Maybe we ought to use System Restore to go back to the point set when combofix was removed and go from there...?

I imagine Judy will have some suggestions, too.

I probably won't be back here until Monday night - Hectic weekend!

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Jon,

That looks better - are things running as they should?


Let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This should remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

Let me know if you run into trouble with this, as you are not running combofix from the proper location.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi PP
Here's the current log file from HJT
O4 - Startup: Accessories

Great!

Run another scan with HJT and check the box for O4 - Startup: Accessories and then click Fix and you should be good to go. That will stop the Accessories folder from opening every time on Startup.

-- To add to what we discussed via PM, whenever you fix anything with HJT, it makes backups so, if you change your mind, you can restore the changes you made. As long as you keep HJT installed on your compy right where you have it now, you'll have access to those backups.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Did you run BlackLight?

At this point, I'd rather wait and deal with the other problems first.

-- Uninstall BOTH MBA-M and Windows Defender.

-- If you want Windows Defender, Download a fresh copy and reinstall it. Let us know how that shakes out.

-- Download Bill James’ RegSrch

Extract it to your Desktop and DoubleClick regsrch.vbs
-- if your AV has script blocking, you’ll need to allow this to run
When the dialog box opens, type Malwarebytes and Click OK.

-- You’ll need to save the log that pops up in Wordpad and then submit it for me.

Not sure when I'll have a chance to look at it - busy weekend ahead.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Jon,

That didn't work real well - Let's try it one more time. You have to do this exactly as written or we'll run into problems:

-- You need to DELETE your current copy of Combofix

-- Download a fresh combofix to your DESKTOP

-- Download that CFScript from Post #13 to your Desktop as well

-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

Post me the fresh log - I just want to remove the last remnants of that baddie......

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Download the attached FixMBAM.zip to desktop - extract the folder and DoubleClick on FixMBAM.bat and see if that works.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

when i ran that this came up

Those look OK to me.

Try crunchie's advice and stand by for his reply.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hello, I am new to Daniweb - apologies if I am wrong to say this, had something similar posted myself a few days ago and it turned out to be my keyboard.

No - You're fine to post that. After all, they linked to your thread, so probably a good idea to post that...

I was going to post something similar, but figured Judy had it covered.

This is most likely malware with the misdirection to strange url and then the multiple IE opening....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

thanks for the assistance much appreciated

Happy to help :)

You need to EXTRACT the FindIt folder from the Zip to your desktop, or it won't work properly.
Rightclick on the ZIP and choose Extract All
Then run it.

-- What happened when you tried System Restore as crunchie advised? Ideally, we would like to restore your compy to a state where MBA-M and other tools can be run.


I am going to get out of crunchie's way - I've got limited time + too many cooks will ruin the broth, as they say...

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Windows Accessories folder when I start (only one though - and I can get out of it)

-- Let me clarify . . . It only does this one time and only upon startup?

Could you please run a fresh HijackThis scan and post the log for me - Sounds like we need to remove a run key so that doesn't open at startup....

PP :)
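Added example, not a tool from this thread or from the HijackThis project: a small Python triage of the O4 (auto-start) lines in a HijackThis log, covering the Startup-folder item that opens the Accessories folder at logon (the case in Jon's log) and the registry Run-key entries a volunteer checks first. The log excerpt, the directory lists and the name-lookalike threshold are constructed for illustration and are assumptions, not HijackThis output from the thread.

```python
# Constructed example: triage the O4 (auto-start) entries of a HijackThis log.
import difflib
import re
from dataclasses import dataclass, field
from typing import List

# Constructed log excerpt; only the 'Accessories' line mirrors the thread's symptom.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\\..\\Run: [SoundMAX] "C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe" /tray
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [updater] C:\\Documents and Settings\\Jon\\Local Settings\\Temp\\svhost.exe
O4 - Startup: Accessories
O4 - Startup: OpenOffice.org 3.0.lnk = C:\\Program Files\\OpenOffice.org 3\\program\\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\reader_sl.exe
"""

# HJT line shapes: "O4 - <location>: [<value name>] <command>" for registry Run
# keys and "O4 - Startup: <shortcut>.lnk = <target>" for Startup-folder items.
O4_RE = re.compile(r"^O4 - (?P<location>[^:]+): (?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")
LNK_RE = re.compile(r"^(?P<name>.+?\.lnk) = (?P<target>.+)$", re.IGNORECASE)
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|scr|com|pif|bat|cmd|vbs|dll))"?(?:\s|$)',
                    re.IGNORECASE)

# Assumed heuristics: where legitimate auto-starts rarely live, and core process names.
SYSTEM_DIRS = ("\\windows\\", "\\winnt\\")
USER_WRITABLE = ("\\local settings\\temp\\", "\\temp\\", "\\application data\\",
                 "\\recycler\\", "\\system volume information\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe", "ctfmon.exe", "smss.exe"}

@dataclass
class O4Entry:
    line: str
    location: str               # e.g. HKLM\..\Run, Startup, Global Startup
    name: str                   # registry value name or shortcut name
    target: str                 # executable path; '' when none could be found
    reasons: List[str] = field(default_factory=list)

def parse_o4(log: str) -> List[O4Entry]:
    """Extract every O4 entry from a HijackThis log."""
    entries = []
    for raw in log.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        location, rest = m.group("location"), m.group("rest")
        if location.lower().endswith("startup"):
            lnk = LNK_RE.match(rest)
            if lnk:
                entry = O4Entry(raw, location, lnk.group("name"), lnk.group("target"))
            else:
                # Not a .lnk shortcut: Explorer opens the item itself at logon,
                # which is the 'Accessories folder pops up' symptom from the thread.
                entry = O4Entry(raw, location, rest, "")
                entry.reasons.append("Startup-folder item is not a shortcut "
                                     "(Explorer opens it as a folder/document at logon)")
        else:
            run = RUN_RE.match(rest)
            name = run.group("name") if run else ""
            command = run.group("command") if run else rest
            exe = EXE_RE.match(command)
            entry = O4Entry(raw, location, name, exe.group("path") if exe else command)
        entries.append(entry)
    return entries

def triage(entries: List[O4Entry]) -> List[O4Entry]:
    """Return the entries that deserve a second look, with the reasons why."""
    for e in entries:
        t = e.target.lower()
        if not t:
            continue
        base = t.rsplit("\\", 1)[-1]
        if any(d in t for d in USER_WRITABLE):
            e.reasons.append("auto-start target lives in a user-writable/temp directory")
        if base in SYSTEM_NAMES and not any(d in t for d in SYSTEM_DIRS):
            e.reasons.append(f"{base} carries a Windows binary name but runs outside Windows")
        for sysname in SYSTEM_NAMES:
            # Heuristic: near-miss spellings of core process names (svhost, lsas, ...)
            if base != sysname and difflib.SequenceMatcher(None, base, sysname).ratio() >= 0.85:
                e.reasons.append(f"{base} looks like a misspelling of {sysname}")
    return [e for e in entries if e.reasons]

if __name__ == "__main__":
    for e in triage(parse_o4(SAMPLE_LOG)):
        print(f"{e.location}: {e.name} -> {e.target or '(no target)'}")
        for r in e.reasons:
            print(f"    - {r}")
```

On the constructed log this lists the Temp-folder "updater" entry (two reasons) and the bare "Accessories" Startup item; the flagged entries are the ones to check by hand before fixing anything with HJT.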

PhilliePhan 171 Central Scrutinizer Team Colleague

Here is the link for F-Secure Blacklight
I know PP mentioned Root Repeal also, not sure if that was the one he actually meant, which is a beta (in testing) program or Rootkit Reveal which is a fully released program. So try the Blacklight program only until we get word from him on the other one.

No - I meant Root Repeal.
But, let's do Blacklight - It is a bit easier to run.

Download it here:
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe

Follow the instructions here:
http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight/help.html

DO NOT FIX anything - Just post the log for me.

BTW - Here is what F-Secure has to say regarding Rootkits (rather, hidden items):

F-Secure BlackLight found hidden items! What should I do?

If your computer has actually been hacked, removing the hidden items might not be sufficient. Even after a careful clean up the hacker might still be able to access your computer after it has been compromised once. The removed malware may have changed the system in a way that is impossible to detect or restore. An added or changed user right is a typical example of such changes. Formatting all hard disks and re-installing the computer is the only foolproof way to eliminate this risk.

First make sure the hidden items are not a part of some harmless application you have installed on your machine. There are some benign applications that use hiding for various reasons. If after …