Bad worm...Refuses to die!

Dear friends, first let me thank you for your support. I am an intermediate-advanced user with Windows 7 Home Premium, using a Linksys E2500 dual band router [which I believe is compromised based on research in the registry].

Hope this doesn’t sound crazy, but I think I have been made a client computer on someone’s administrative account. Here are some of the problems:

Despite the fact that I just reformatted last week and have very few megabytes taking up space, this HP p6710f is running very sluggishly. I did a ‘Leak test’ and Avast firewall failed the Leak test.

I found this in my MMC:

Computer-administrator
WIN-G2BTSRMU4GD [NOT MY COMPUTER!!!]
[a setting changed inside parental controls] [I have never set 'Parental controls']

459 Group Policy errors [didn’t think I was on Group policy]

DHCPv6 router advertising settings have changed?

DHCP client has received network hint

And there are numerous other small details which have caused my brain to fry. I suspect the use of shell scripts in WMI and other places. Have used almost every anti-virus available to no avail. Found settings [unknown area code] in Remote Desktop that I did not do. Have run SFC and Disk Clean to no avail. Could not find Linksys info in registry…but many generic modem settings. Found MSHTA in Winsxs. 193 CAPI2 events…

I am very sorry if I have included irrelevant info, but I am like the blind lady trying to describe the elephant.

I am at my wit's end…a very short walk. I am ready to follow your directions explicitly. Please help. I look forward to your assistance.

Hi there and welcome to the Forum :slight_smile:

Please read and follow These steps and attach the created logs: https://forum.avast.com/index.php?topic=53253.0

Please make sure to save the FRST log as ANSI, otherwise it will look like Chinese :slight_smile:

Please stay in this topic; the other two topics will be removed, this is a forum software bug.

Steven where ya getting OTL from there?

FRST, MBAM and aswMBR logs are what we require.

Gentlemen, thank you for your support. I noticed the details of your mixed instructions. Because I want to do this correctly, please tell me again where to begin.

PS I also wanted to mention that I used AUTORUNS and found no network connections or boot image listed there.

Thanks again!

;D

Run these two initially to locate the problem

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Select Addition at the bottom.
  • Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach both logs generated.

THEN

Download aswMBR.exe (4.5 MB) to your desktop.
Double click the aswMBR.exe to run it.
You may be offered the option of using virtualisation; accept that.
When it offers to download the virus database, allow that as well.
Click the “Scan” button to start the scan.

https://dl.dropboxusercontent.com/u/73555776/AswMBR%20scan.JPG

On completion of the scan click save log, save it to your desktop and post it in your next reply.

Sorry for the confusion!

Follow Essexboy please. He knows what he’s doing better than I!!! Disregard any instructions by Steven or me.

@Michael, I was looking for which one of the logs needs to be saved as ANSI, and in one of the older posts someone wrote that it's the OTL log :slight_smile:

Dear EssexBoy, thank you for your time and expertise. I think I have attached the logs as instructed. I very much do look forward to the results. I know it sounds crazy but I think my router has been hacked. Could be my email? I’m rambling.

Thanks again!

Attach main FRST log please. That is the most important log!

Okay…sorry …Here is the FRST log

Did you previously have Comcast Constant Guard installed?

There is a super administrator built in to all Windows installs, so that may be what you are seeing.
The network hint will be used if you change routers or network ISP.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2062462054-714083117-4280944507-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2062462054-714083117-4280944507-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-2062462054-714083117-4280944507-1001 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL =
SearchScopes: HKU\S-1-5-21-2062462054-714083117-4280944507-1001 -> {d944bb61-2e34-4dbf-a683-47e505c587dc} URL =
SearchScopes: HKU\S-1-5-21-2062462054-714083117-4280944507-1001 -> {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL =
SearchScopes: HKU\S-1-5-21-2062462054-714083117-4280944507-1003 -> DefaultScope {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL =
SearchScopes: HKU\S-1-5-21-2062462054-714083117-4280944507-1003 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL =
SearchScopes: HKU\S-1-5-21-2062462054-714083117-4280944507-1003 -> {d944bb61-2e34-4dbf-a683-47e505c587dc} URL =
SearchScopes: HKU\S-1-5-21-2062462054-714083117-4280944507-1003 -> {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL =
Toolbar: HKU\S-1-5-21-2062462054-714083117-4280944507-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-2062462054-714083117-4280944507-1003 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-2062462054-714083117-4280944507-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
2014-12-03 17:00 - 2014-12-03 17:00 - 00000000 ____D () C:\Users\Mobo 9\Downloads\finddllhijack1
2014-12-03 10:18 - 2014-12-03 10:18 - 00028564 _____ () C:\Users\Mobo 9\Downloads\FIHJ1.zip
2014-12-03 10:16 - 2014-12-03 10:16 - 00028564 _____ () C:\Users\Mobo 9\Downloads\finddllhijack1.zip
2014-12-01 07:02 - 2014-05-13 08:15 - 00010240 _____ () C:\Users\Mobo 9\AppData\Local\Z@!-b500b5e1-6d57-4489-8c79-943fc0e4596e.tmp
2014-12-01 07:02 - 2014-05-13 08:15 - 00009216 _____ () C:\Users\Mobo 9\AppData\Local\Z@S!-a8245a7e-c07e-43ef-88b8-861e4d1cd53a.tmp
2014-11-23 14:51 - 2014-11-30 07:12 - 00000000 ____D () C:\ProgramData\{D13C0989-F3EC-4F44-A33D-B3F83DF90FAF}
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on “Clean”.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
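The fixlist above is one entry per line, and each entry type (IE policy restriction, SearchScopes, Toolbar, dated file/directory entry, EmptyTemp/CMD directive) has a fixed shape that FRST writes. The following Python parser is an added example, not code from the thread or from FRST; it classifies lines in those shapes and records why FRST would have listed each one (empty search URL, CLSID with no file, recent file) so a helper can review a fixlist before pressing Fix. The sample is constructed from entries shown in the thread.

```python
import re
# Constructed sample in the shape of the FRST fixlist quoted in the thread
# (hives, SIDs, CLSIDs and paths are the ones the thread shows).
SAMPLE_FIXLIST = r"""
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2062462054-714083117-4280944507-1003 -> DefaultScope {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL =
Toolbar: HKU\S-1-5-21-2062462054-714083117-4280944507-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
2014-12-03 17:00 - 2014-12-03 17:00 - 00000000 ____D () C:\Users\Mobo 9\Downloads\finddllhijack1
2014-12-01 07:02 - 2014-05-13 08:15 - 00010240 _____ () C:\Users\Mobo 9\AppData\Local\Z@!-b500b5e1-6d57-4489-8c79-943fc0e4596e.tmp
EmptyTemp:
CMD: bitsadmin /reset /allusers
"""
GUID = r"\{[0-9A-Fa-f-]{36}\}"
# One pattern per entry type FRST writes; group names become record fields.
PATTERNS = [
    ("policy", re.compile(r"^(?P<key>HK\w+\\.+?): Policy restriction")),
    ("searchscope", re.compile(r"^SearchScopes: (?P<hive>\S+) -> (?:DefaultScope )?"
                               r"(?P<guid>" + GUID + r") URL =\s*(?P<url>.*)$")),
    ("toolbar", re.compile(r"^Toolbar: (?P<hive>\S+) -> (?P<name>.*?) - "
                           r"(?P<guid>" + GUID + r") - (?P<file>.*)$")),
    ("file", re.compile(r"^(?P<created>\S+ \S+) - (?P<modified>\S+ \S+) - "
                        r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \(\) (?P<path>.+)$")),
    ("directive", re.compile(r"^(?P<name>EmptyTemp|CMD):\s*(?P<arg>.*)$")),
]

def parse_entry(line):
    """Classify one fixlist line and note why FRST would list it.
    Unrecognised lines are kept as 'unknown' rather than dropped silently."""
    for kind, pat in PATTERNS:
        m = pat.match(line)
        if m is None:
            continue
        rec = {"kind": kind, **m.groupdict()}
        if kind == "searchscope":   # blank URL = search provider with no target
            rec["reason"] = "empty URL" if not rec["url"] else "listed provider"
        elif kind == "toolbar":     # CLSID registered but its DLL is gone
            rec["reason"] = "missing file" if rec["file"] == "No File" else "file present"
        elif kind == "file":        # attrs ending in D marks a directory
            rec["size"] = int(rec["size"])
            rec["is_dir"] = rec["attrs"].endswith("D")
            rec["reason"] = "recent directory" if rec["is_dir"] else "recent file"
        else:
            rec["reason"] = "policy restriction" if kind == "policy" else "FRST directive"
        return rec
    return {"kind": "unknown", "raw": line, "reason": "unrecognised format"}

def parse_fixlist(text):
    # The fixlist format is one entry per line; blank lines carry nothing.
    return [parse_entry(l.strip()) for l in text.splitlines() if l.strip()]
```

Running it over a real fixlist shows at a glance how many registry, file and command entries a fix will touch, which is the check worth doing before a fix is applied to a machine it was not written for.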

Dear EssexBoy, WOW, immediately following the FRST 64 FIX , my computer freaked out and stopped me from using any browser at all. Avast kept saying [just like last week] that the pages had security problems and would not open this page or hardly any others. Could not open control panel or windows explorer even though I was still online. So the only way that I could get back to you was to restore back to 12/5. Might have wiped out what we have done. Afraid to run AdwCleaner.exe

Did you previously have Comcast Constant Guard installed? And I have NEVER USED COMCAST. This thing is FOOBAR!
Soo now what?

Seems as though something took umbrage at being removed; bigger hammer time.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now.

Alrighty then…With limited use the computer seems okay, but I did notice that the Welcome screen background was changed [not by me] from the default HP sage green to the Windows 7 Upgrade colors of sky blue with little flowers or birds. I have no idea how that happened. Also I became concerned when glancing through the MMC and found this notation:
Computer-administrator
WIN-G2BTSRMU4GD
[a setting changed inside parental controls???

I am not using parental controls. Also I found some things regarding router advertisement flags being changed and I am worried that my router has been compromised.

Another thing that really freaked me out was that I started finding duplicates of my songs in my library with a long row of letters and numbers as identifiers. Also, I have two external hard drives not attached at this time that contain a rather larger personal music library. So please advise on these topics if possible.

And thank you SO MUCH! PS I forgot to disable Windows Defender…then I looked at it and could not figure out how to turn it off anyway…sorry Sir, I will cheerfully accept my lashes!

I tried to post the entire log, but the page said it was too large. I could not find the C:\ComboFix.txt in that place, so I manually saved it to the Desktop. But despite the fact that I can see it on my Desktop, when I use attach-choose file…IT’S NOT THERE. Let me know what to do about this glitch… thanks!

Upload it to a file sharing site like wikisend or Pastebin and post a DL link for Martin.

Finally managed to attach the ComboFix Log. Although while I’m sure there is a good reason, I don’t understand why I continue to enumerate my concerns and they somehow never are addressed. ???

I woke up this morning to a message that my computer had been successfully restored to 12-5…only thing is I did not initiate a restore. I shut down my computer to install updates. Got the restore message when I booted it up this morning. Seems a little fishy?

Thanks to you all for your ongoing support.

I have answered with reference to the administrator; see the attached screenshot of my users. Notice the built-in administrator account.

Where are you getting this other information from?

Dear EssexBoy, of course I mean no disrespect. Please do not read a bad attitude into my words. It is only that some things are not right with this computer. I have asked about the dangers of connecting external hard drives…and a blue welcome screen that did not come with my Windows installation…a system restore that I did not perform…And I use event viewer in the Management console. I do not have nor have I ever been able to find a column called Local Groups and users. It is not available to add to the MMC. But I did find this event in the Event Viewer which causes me some concern. Below is the entry I saved from that log. I will attach the screen shot of the MMC that I just took. The computer designation, “WIN-G2BTSRMU4GD” does not match any number I have ever seen associated with my PC.

Again…I am grateful for your time and patience.

Log Name: Microsoft-Windows-ParentalControls/Operational
Source: Microsoft-Windows-ParentalControls
Date: 11/23/2014 3:13:36 PM
Event ID: 1
Task Category: SettingChange
Level: Information
Keywords: WPC
User: Mobo9-HP\Administrator
Computer: WIN-G2BTSRMU4GD
Description:
A Setting changed inside of the parental controls settings
Event Xml (tags lost in extraction; values in the order of the event's System and EventData sections):
EventID 1, Version 0, Level 4, Task 1, Opcode 21, Keywords 0x8000000000000010, EventRecordID 14
Channel Microsoft-Windows-ParentalControls/Operational, Computer WIN-G2BTSRMU4GD
EventData: WpcSystemSettings, 9, C:\Program Files\Windows Media Player\Wmpnscfg.exe, 0, C:\Program Files\Windows Media Player\Wmpnscfg.exe

99% of entries in Event Viewer are of no import; they are just bookkeeping entries for Windows to keep track of events that it has called.

I am on Windows 8 and, having just checked my 7 VM, that option, Local Groups and users, is not available.

There was a registry entry to run System Restore:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "*Restore"="c:\windows\system32\rstrui.exe" [2010-11-20 296960]

I know of no malware that will run a system restore for you, as that would defeat the object of the malware.

If your external drives just contain music and data then they are not a threat.

The system admin can be disabled but it cannot be deleted, so at some stage it has been enabled.

I can give instructions on how to disable it if you wish.

Well then I guess you're saying that everything looks okay. I appreciate your time and effort. Thanks :smiley: