Rubbing my eyes
Have you come to save me at last…
Shall I run a "scan" or a "quick scan"?
Sorry about that, I had to do some actual work today
Press run scan and that should reveal anything that combofix missed
It's ok. I'm glad you came back anyway.
I'm running it at the moment, meanwhile I want to let you learn about a few things:
1- I checked "all users", "LOP", "Purity" for this scan I'm running now, just as the very first one I'd run.
2- I saw the black screen of the recovery console on reboot this time.
3- There seems to be a folder called Qoobox in my C:/ drive now, shall I look for any logs there?
4- There's also a copy of "my computer" called "combofix" in C:/ drive
5- This time after the reboot a message came from the tray saying that I was insecure and I had my firewalls turned off, is it dangerous?
I know it's a lot of things, but just wanted to make sure it's ok.
Once done we will hide the recovery console until you need it (hopefully never)
Qoobox is where combofix quarantines the bad boys
We will check the firewall next, is it just the windows one?
yes, I think it's the windows firewall, shall I have any others?
Here I attached the log from the OTL scan of today and you'll find also the one after running the fix yesterday together with that of the quick scan before running combofix.
Looks good, can you confirm that the avast alerts have ceased?
Let's now look at the firewall
Download and run farbar service scanner
http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
Yes, they've ceased since the very first scan run by OTL yesterday, even while going online no alerts or pop-ups since then. (Previously I couldn't get online without those alerts popping every couple of minutes, so I disconnected the cable most of the time.)
Good so it is now repair time
Glad to hear it's good.
But for you, it wouldn't have been so.
here's farbar's log…
I want to tell you that I've been having some difficulty since yesterday, after running the OTL fix, making me unable to download anything, even a few megabytes, without being stopped at exactly the 95% point and getting a message in a window saying that whatever I was downloading couldn't be downloaded because the operation timed out.
Yesterday I tried downloading Combofix about 6 or 7 times and got to the same cut end. The last time I went clicking continuously on the download window at the 95% point and then it completed and I got the file at last.
Today, the same exact story happened with Farbar and was resolved in the same way.
I'm sorry for such a long story, but I want to know if it's something to do with either the infection or the fix.
OK we will need to run combofix one more time, this time it should run smoothly
Run combofix and allow it to update if it asks
The problems may be due to the shared access registry file being deleted by the malware, this time combofix should repair it
It's been running for more than 30 minutes now, but hasn't stopped like before.
It's scanning the machine while "-" is still blinking and the screen seems responsive.
I'm afraid it could freeze the same way as before if left to run too long, any advice?
Ok, here we go back to zero point.
Combofix has made everything freeze like it did yesterday.
It seems that you are offline, anyway I'll wait for a couple of hours in case you replied.
OK reboot again and we will try a different fix
I will just create a registry fix for it
Here we go … The manual method
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Commands
[CREATERESTOREPOINT]
:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000]
"Service"="SharedAccess"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Windows Firewall/Internet Connection Sharing (ICS)"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\Control]
"ActiveService"="SharedAccess"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess]
"DependOnGroup"=hex(7):00,00
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch]
"Epoch"=dword:00000012
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001
:Commands
[resethosts]
[emptytemp]
[Reboot]
Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
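The :Reg section of the fix above is standard .reg syntax: the service's ImagePath, ServiceDll and DependOnService are stored as comma-separated UTF-16LE hex, which is hard to review by eye. As an added example (not part of this thread, and not OTL's or combofix's code), the Python below parses that syntax, decodes the hex values, and reports which SharedAccess values on a parsed system differ from the ones the fix writes; SAMPLE is copied from the fix above and EXPECTED is simply those values decoded, so a defender can read what a fix restores rather than trusting opaque hex.

```python
# Input: the SharedAccess service keys copied from the OTL :Reg fix above (standard .reg syntax).
SAMPLE = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess]
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
  6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
  00"""

SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess"
EXPECTED = {"DependOnService": ["Netman", "WinMgmt"],   # what the fix above writes, decoded
            "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
            "ServiceDll": r"%SystemRoot%\System32\ipnathlp.dll"}

def decode_value(raw):
    """Decode the right-hand side of a .reg line: "string", dword:NNNNNNNN, hex(2): or hex(7): data."""
    if raw.startswith('"'):
        return raw.strip('"').replace("\\\\", "\\")     # .reg escapes backslashes in quoted strings
    tag, _, payload = raw.partition(":")
    if tag == "dword":
        return int(payload, 16)
    text = bytes.fromhex(payload.replace(",", "")).decode("utf-16-le")  # hex(2)/hex(7) are UTF-16LE
    if tag == "hex(7)":            # REG_MULTI_SZ: NUL-separated strings, double-NUL terminated
        return [s for s in text.split("\x00") if s]
    return text.rstrip("\x00")     # hex(2) REG_EXPAND_SZ (or hex(1) REG_SZ): one NUL-terminated string

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: decoded}}, joining backslash-continued lines."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line, pending = pending + line.strip(), ""
        if line.endswith("\\"):                     # long hex values wrap on a trailing backslash
            pending = line[:-1]
        elif line.startswith("["):
            current = line.strip("[]")
            keys[current] = {}
        elif line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = decode_value(raw)
    return keys

def sharedaccess_mismatches(parsed):
    """Names of baseline values that are missing from, or differ in, the parsed SharedAccess keys."""
    found = {**parsed.get(SVC, {}), **parsed.get(SVC + r"\Parameters", {})}
    return sorted(n for n, want in EXPECTED.items() if found.get(n) != want)
```

On a live machine the same check can be run against an export made with `reg export HKLM\SYSTEM\CurrentControlSet\services\SharedAccess`, after converting the file from UTF-16 to text.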
Ok, I'll begin immediately.
I beg you to stay online just for a while till we get through it all together.
Yep the wife has let me have the computer back
here are both logs
I renamed the old OTL log so that it may not be overwritten, so this is the most recent.
OK could you confirm the firewall is now working … Next, how is the computer behaving, what problems still remain?
I will look at the latest log now whilst you let me know
ok, first almost all the toolbars in IE went black before the fix. Now everything is normally back.
As for the firewalls, I can no longer see the red balloon in the tray, so most likely it's working.
I may also mention that till this very moment, IE becomes unbearably sluggish the first time I run it after the reboot. Eventually it becomes "not responding", I'd have to end the process manually and start all over again.
This has been the same for weeks, maybe months, and until now.
As for combofix, I doubt that it'd been corrupted during download because I don't find a reason for the "freeze" it causes whenever run. Shall I redownload it? Is it crucial to use it with my infection? Could the computer ever get 100% clean once more without running it?
finally a big thank you