Author Topic: Please help, got stuck with a Trojan and a rootkit  (Read 28214 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Please help, got stuck with a Trojan and a rootkit
« Reply #30 on: June 26, 2013, 07:19:51 PM »
OK we will need to run combofix one more time, this time it should run smoothly

Run combofix and allow it to update if it asks

The problems may be due to the shared access registry file being deleted by the malware, this time combofix should repair it 

Jackiee

  • Guest
Re: Please help, got stuck with a Trojan and a rootkit
« Reply #31 on: June 26, 2013, 08:34:30 PM »
It's been running for more than 30 minutes now, but hasn't stopped like before.
It's scanning the machine while "-" is still blinking and the screen seems responsive.
I'm afraid it could freeze the same way as before if left to run too long, any advice?

Jackiee

Re: Please help, got stuck with a Trojan and a rootkit
« Reply #32 on: June 26, 2013, 09:09:13 PM »
Ok, here we go back to zero point.
Combofix has made everything freeze like it did yesterday.
It seems that you are offline, anyway I'll wait for a couple of hours in case you replied.

Offline essexboy

Re: Please help, got stuck with a Trojan and a rootkit
« Reply #33 on: June 26, 2013, 09:55:06 PM »
OK reboot again and we will try a different fix

I will just create a registry fix for it


Offline essexboy

Re: Please help, got stuck with a Trojan and a rootkit
« Reply #34 on: June 26, 2013, 10:07:41 PM »
Here we go .. The manual method :)

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000]
"Service"="SharedAccess"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Windows Firewall/Internet Connection Sharing (ICS)"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\Control]
"ActiveService"="SharedAccess"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess]
"DependOnGroup"=hex(7):00,00
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
  6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch]
"Epoch"=dword:00000012

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
  00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001


:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
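The hex(2) and hex(7) values in the script above are UTF-16LE byte lists in Windows .reg export syntax. This added Python example (not from the thread or from OTL) decodes a constructed copy of the SharedAccess values into readable strings and compares them with the known-good settings from the fix, so a responder can tell from a registry export whether the firewall service entry has been removed or altered.

```python
import re
# Constructed sample from the fix above, in .reg export syntax: hex(2) is REG_EXPAND_SZ,
# hex(7) is REG_MULTI_SZ (both UTF-16LE byte lists); a trailing "\" continues a value.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess]
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
  6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000002
'''

def _join_continuations(text):
    # Merge a line ending in "\" with the indented line that follows it.
    out, buf = [], ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        buf += line.rstrip("\\")
        if not line.endswith("\\"):
            out.append(buf)
            buf = ""
    return out

def _decode_hex(kind, payload):
    text = bytes(int(b, 16) for b in payload.split(",") if b).decode("utf-16-le")
    # REG_MULTI_SZ (7): NUL-separated, double-NUL terminated; REG_EXPAND_SZ (2): one NUL
    return [s for s in text.split("\x00") if s] if kind == "7" else text.rstrip("\x00")

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg-style fragment."""
    result, key, value_re = {}, None, re.compile(r'^"([^"]+)"=(.*)$')
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result[key] = {}
        elif key is not None and (m := value_re.match(line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                result[key][name] = int(raw[6:], 16)
            elif raw.startswith("hex(") and "):" in raw:
                kind, payload = raw[4:].split("):", 1)
                result[key][name] = _decode_hex(kind, payload)
            else:  # quoted REG_SZ; .reg files double the backslashes
                result[key][name] = raw.strip('"').replace("\\\\", "\\")
    return result

def check_sharedaccess(parsed):
    # Names of SharedAccess values that differ from the known-good fix above.
    svc = parsed.get(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess", {})
    expected = {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                "DependOnService": ["Netman", "WinMgmt"], "Start": 2}
    return [name for name, value in expected.items() if svc.get(name) != value]
```

On a live system the same check can be run against the output of `reg export HKLM\SYSTEM\CurrentControlSet\services\SharedAccess`, which produces this syntax.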

Jackiee

Re: Please help, got stuck with a Trojan and a rootkit
« Reply #35 on: June 26, 2013, 10:15:29 PM »
Ok, I'll begin immediately.
I beg you to stay online just for a while till we get through it all together.

Offline essexboy

Re: Please help, got stuck with a Trojan and a rootkit
« Reply #36 on: June 26, 2013, 10:18:49 PM »
Yep the wife has let me have the computer back :)

Jackiee

Re: Please help, got stuck with a Trojan and a rootkit
« Reply #37 on: June 26, 2013, 11:04:46 PM »
Here are both logs.
I renamed the old OTL log so that it would not be overwritten, so this is the most recent.

Offline essexboy

Re: Please help, got stuck with a Trojan and a rootkit
« Reply #38 on: June 26, 2013, 11:07:49 PM »
OK, could you confirm the firewall is now working ... Next, how is the computer behaving? What problems still remain?

I will look at the latest log now whilst you let me know

Jackiee

Re: Please help, got stuck with a Trojan and a rootkit
« Reply #39 on: June 26, 2013, 11:20:56 PM »
OK, first, almost all the toolbars in IE went black before the fix. Now everything is back to normal.
As for the firewall, I can no longer see the red balloon in the tray, so most likely it's working.
I may also mention that, to this very moment, IE becomes unbearably sluggish the first time I run it after the reboot. Eventually it becomes "not responding", and I have to end the process manually and start all over again.
This has been the same for weeks, maybe months, and until now.

As for combofix, I doubt that it had been corrupted during download, because I don't find a reason for the "freeze" it causes whenever it is run. Shall I redownload it? Is it crucial to use it with my infection? Could the computer ever get 100% clean once more without running it?

Finally, a big thank you :)

Jackiee

Re: Please help, got stuck with a Trojan and a rootkit
« Reply #40 on: June 26, 2013, 11:25:48 PM »
Oh I forgot to tell you that since yesterday, a new pale icon appeared on the desktop named "Thumb.db"
I've seen it before, a couple of months ago, thought it was just an old unused icon and deleted it.
Is it an important file or just a part of the infection?

Offline essexboy

Re: Please help, got stuck with a Trojan and a rootkit
« Reply #41 on: June 26, 2013, 11:26:42 PM »
Nope, we don't need combofix now :)

Thumbs is a system file and I will rehide them when we are done (it will be recreated after deletion so no problem)

Let's see if we can suss out the net speed next

This will reset the internet connections, I will just need the fix.txt that pops up when it finishes .. No need to run another scan

During this run several black boxes will popup and disappear :)

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:Files
ipconfig /flushdns /c
ipconfig /release /c
ipconfig /renew /c
netsh winsock reset catalog /c

[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Jackiee

Re: Please help, got stuck with a Trojan and a rootkit
« Reply #42 on: June 26, 2013, 11:42:37 PM »
Here's the fix log.
This time the computer didn't reboot and I didn't restart it manually, is this OK?
Also, since first running combofix and until this moment, IE settings have been altered: it's no longer my default browser and it keeps asking about it. This is also fine, right?

By the way, I wanted to tell you that all the previous fix logs weren't saved to the desktop as the scan logs and I had to manually copy and paste them.

Offline essexboy

Re: Please help, got stuck with a Trojan and a rootkit
« Reply #43 on: June 26, 2013, 11:48:26 PM »
Yes accept the default for IE ..

Reboot the computer now and try out the internet, let me know if there is a difference

I will be going offline soon but will be back tomorrow dinnertime :)

Jackiee

Re: Please help, got stuck with a Trojan and a rootkit
« Reply #44 on: June 27, 2013, 12:16:16 AM »
Thank you, Essexboy, for your time and effort. :) I believe I made you stay till late.
As for the internet, it seems fairly better, still slow on the first launch but manageable. I'll try it more tomorrow and I'll let you know about everything.