
Hijack Analysis Report


angel84cecil


Excellent. Thank you.

 

Now, can you do the steps I posted in messages #19, #21 and #22? These would be:

 

1) Make a Notepad file named CFScript.txt containing the following lines (inside the "Code" box):

KillAll::

Driver::
newycb
hsobzr
khweq

NetSvc::
newycb
hsobzr
khweq

File::
c:\cp1624.nls
C:\cp1185.nls
c:\windows\Ckyfea.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

SRPeek::
c:\windows\system32\drivers\ndis.sys

...and then put that file on a network share, then go into your account and grab it, save it to your Desktop, then click on it and keep the left mouse button pressed while you drag it onto ComboFix (Firefox.exe); release the mouse button once CFScript.txt is over the ComboFix icon. This will launch ComboFix for a full run. The log will pop up on screen, so just save it to the network share as ComboFix2.txt.

 

2) Follow the instructions to run TDSSKiller from your account. First, you'll need to download the tool and put it on the share. Don't forget to print the instructions from that web page:

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

 

Save the log it creates on the share.

 

3) If you have your connection back at this point, then launch MBAM and update it, then do a Quick Scan with it. Let it fix all that it finds, then save the log to the share.

 

=====

 

New step for your connection:

 

If you do not have a connection following the ComboFix and TDSSKiller runs, then please try the following:

 

Click on the "Start" button, then on "Run...", then type cmd in the box and click "OK"; in the DOS window that appears, type exactly this next line (in bold):

 

netsh int ip reset resetlog.txt

 

...and press the "Enter" key.

 

**It is possible that you'll be denied running this command from your account. You'll get an error if this happens, so just let me know.

 

If the command is successful, you'll need to restart your computer.

After the restart, check your connection again.

 

Good luck ;-)


Hi again Cecilia,

 

Sorry for posting again so quickly, but I've done more research and had to share this with you:

 

I examined some of the files that were on your computer more closely and have positively identified a network worm... One, maybe two. This is not good news, because it means your company's network may have been infiltrated and other computers could be infected as well. It depends on many things and these are impossible for me to evaluate from a distance. If the other 3 PCs and one laptop have good, updated antivirus programs, then they could be Ok, because these worms are well known and would have been blocked/detected. Your computer doesn't have an antivirus and doesn't have SP3 either, which makes it a perfect target for these types of viruses. Network worms find shares and infect other non protected computers through these shares. They install a backdoor and transmit information from your machine(s), and they also receive commands and are able to execute tasks from infected computers without you knowing. Pretty ugly stuff.

 

Now... if you can carry out those steps I outlined for you, then great. Just know there will be more work, and I would even have you check with the people running those 4 other computers whether they have a working (updated) antivirus. If this were my work machine, I would format it immediately and reinstall Windows. I don't know who's in charge of computers at your company and how involved they are in keeping them in good working condition, but this situation is pretty serious and I honestly don't know if I'll be able to get everything 100% clean. I'm kinda flying blind here, if you know what I mean. It would be so much easier if I had physical access to those computers...

 

Anyway, I'm willing to keep going, if that's what you wish.

 

See you soon :wink:

 

===


Never mind, it's alright. I'll try to run those steps that you mentioned just now. If I am unable to do it successfully, I think I need to find the IT guys (it's very hard to ask them to come over from another block...zzz); that's why I maintain this computer on my own. Thanks once again.


Hi,

 

Do you mean the instructions for MBAM in this post?:

http://www.bleepingcomputer.com/forums/topic291361.html/page__view__findpost__p__1605470

 

If you wish to rename the mbam setup to zztoy.exe, that's fine, but you already have MBAM on that machine, I think. You also need an Internet connection to update the program, which you don't have right now...

 

You really should try ComboFix first (with the CFScript method) and then TDSSKiller. MBAM won't be able to do its thing properly until we get rid of rootkits and part of that worm.

 

I'll be back in about 7 hours from now.

 

Hang in there !

 

===


I needed to restore back due to work. I ran ComboFix twice. The 1st time I ran it I did not get a connection. The 2nd time I ran it again and moved the CFScript.txt onto combofix.exe (firefox.exe), which also didn't help with the connection.

Restore = bring back the virus. ComboFix did clear up the PC; the only problem is the connection.


Hi Cecilia :smile:

 

I understand your situation, needing the computer to "work". I'm sure you'll also understand that you and I won't be able to fix it under these conditions. The sequence of tools I had proposed to you was really important and I absolutely needed to see the logs from those tools (CFScript, TDSSKiller and MBAM) in order to make progress with those infections. Restoring the computer to an earlier date just doesn't work in situations like this one. That's one of the major problems when trying to fix company computers on forums: we need time to run scans and fix things, together. When the computer is needed for work, we can't do this...

 

You will need IT to come in and format the hard drive. IT people are generally not skilled in malware removal and usually prefer to format (or re-image the drive) because it takes less time. A format will fix all the malware problems you're having with the computer. If they ask for details, this is what you can tell them:

 

- Multiple infections including a network worm, a Master Boot Record rootkit, a DNS changer, a fake antivirus program (called "rogue") and more infections that were brought in through a backdoor. One critical network system file is infected (ndis.sys) and no healthy replacement can be found on the machine. This affects the Internet connection. ComboFix could have found a replacement well hidden, but we never got to that part...

 

- Make sure SP3 is installed before they give you the computer back.

 

- Make sure you have a working and updated antivirus program installed.

 

- They should check your D-Link router for possible DNS manipulation. Just check the DNS settings (inside the router) and make sure they are set to be obtained automatically. If Ukraine DNS servers are listed there, this would confirm a router hijack (check the IPs). Also make sure the router does not have the default username and password for access; this means setting a new password and making sure someone at the office knows what it is.

 

- Make sure all other PCs and the laptop have a working and updated antivirus program.

 

======

 

On top of this, someone from management should seriously look into tightening security on the network. There are many things that can be done for this, but I'll let IT handle this if they are asked.

 

======

 

If you have any questions, please don't hesitate to ask.

If IT have questions for me, you can relay them here without a problem and I'll answer as best I can.

 

======

======

 

That's about it :wink:

 

We can resume work on your laptop now lol.

 

 

See you soon,

 

====================================


I still left MBAM to do. The New Step for connection is SUCCESSFUL.

Malwarebytes' Anti-Malware 1.46

http://www.malwarebytes.org

 

Database version: 5041

 

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

 

04/11/2010 5:47:48 PM

mbam-log-2010-11-04 (17-47-48).txt

 

Scan type: Quick scan

Objects scanned: 155393

Time elapsed: 7 minute(s), 33 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

c:\cp1623.nls (Worm.Spambot) -> Delete on reboot.

 

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\KOO9RV9K4Z (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\SMH2B46TDP (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\cp1623.nls (Worm.Spambot) -> Delete on reboot.
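The helper reads logs like the one above by hand. As an added example (not from any post in this thread and not Malwarebytes' own code), the Python script below parses that MBAM 1.x log layout, lists the items that are only removed on the reboot MBAM asks for, and checks that the declared per-category totals match the entries actually listed, which is a quick way to spot a truncated paste. The embedded log is a constructed excerpt in the same format.

```python
import re

# Constructed excerpt in the layout of the MBAM 1.x log posted above (not a real file).
SAMPLE_LOG = """\
Database version: 5041
Scan type: Quick scan

Registry Keys Infected: 2
Files Infected: 1

Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\KOO9RV9K4Z (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\SMH2B46TDP (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\\cp1623.nls (Worm.Spambot) -> Delete on reboot.
"""

COUNT_RE = re.compile(r"^(?P<cat>.+ Infected): (?P<n>\d+)$")      # summary totals
SECTION_RE = re.compile(r"^(?P<cat>.+ Infected):$")                # detail section header
DETECT_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return {'meta': {...}, 'counts': {category: total}, 'detections': [...]}."""
    meta, counts, detections, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := COUNT_RE.match(line):
            counts[m["cat"]] = int(m["n"])
        elif m := SECTION_RE.match(line):
            section = m["cat"]
        elif (m := DETECT_RE.match(line)) and section:
            detections.append({"category": section, "item": m["item"],
                               "family": m["family"], "action": m["action"]})
        elif section is None and ": " in line:          # header lines such as "Scan type: Quick scan"
            key, _, value = line.partition(": ")
            meta[key] = value
    return {"meta": meta, "counts": counts, "detections": detections}

def pending_reboot_items(parsed):
    """Items MBAM could not remove while Windows was running; they are only gone after the reboot."""
    return sorted({d["item"].lower() for d in parsed["detections"]
                   if d["action"].startswith("Delete on reboot")})

def count_mismatches(parsed):
    """Declared totals that differ from the entries listed: {category: (declared, listed)}.
    A non-empty result usually means the pasted log was truncated."""
    listed = {}
    for d in parsed["detections"]:
        listed[d["category"]] = listed.get(d["category"], 0) + 1
    return {cat: (n, listed.get(cat, 0)) for cat, n in parsed["counts"].items()
            if n != listed.get(cat, 0)}
```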


Hello Cecilia,

 

So you haven't called in IT, right? I'm willing to try a few more things with you, but I can't guarantee success simply because you don't have an administrator account. I also know you want to take care of this yourself really badly, but it may not be possible.

 

Now... I need to know if you were able to run ComboFix with that CFScript I gave you. If the answer is yes, then I need to see the report (log), which was saved on the machine at "C:\ComboFix.txt"

If you have that report, please get it on the network share and then copy/paste it here please. If you have your connection active, then no need for the network share.

 

Because you don't have full administrator rights on that computer, you may not be able to install a new antivirus program; I just don't know yet. But before you can try to install a new one, we need to see if we can remove the rest of this worm (virus) with ComboFix. Just don't run ComboFix yourself without my instructions though... I need to see the report first, and then we can try fixing the rest. After this, we can try to install an antivirus.

 

See you soon :-)

 

===


I did run ComboFix with that CFScript before the New Step for connection. When it wanted to prompt me with the log, the machine restarted. I think it was the connection. I will run it again on Monday, as tomorrow is the Deepavali holiday, since my connection recovered after using the New Step for connection.

So far, my Windows Update has recovered.


Thanks for the explanation :wink:

 

Please do not run ComboFix again. I'm sure the log was created, so please look on the C: drive for a file named "ComboFix.txt" (that's the latest log).

To find this file, you can either right-click on the "Start" button and choose "Explore", then find this log directly on "C:", or... open "My Computer" and look on the "C:" drive for the file.

 

I have to see this log before we can run ComboFix again.

 

One last thing; I don't quite understand what you mean when you say "So far, my windows update is recover."

Are you getting updates automatically again ?

 

Thanks..

 

===


Here's the log.

 

ComboFix 10-11-02.05 - Cecilia 04/11/2010 17:07:43.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.46 [GMT 8:00]

Running from: C:\Documents and Settings\Cecilia\Desktop\Firefox.exe.exe

Command switches used :: C:\Documents and Settings\Cecilia\Desktop\CFScript.txt

 

FILE ::

"C:\cp1185.nls"

"c:\cp1624.nls"

"c:\windows\Ckyfea.exe"

.


Hi Cecilia,

 

I'm not surprised you are getting these types of errors, considering how badly infected the machine is.

 

Thank you for the ComboFix log; that is not the complete log, however. I need to see all of it, because it contains information I need to fix the machine. Could you please copy/paste the entire log?

 

If ComboFix did not produce a full log and the one you posted is all you have, just let me know and we'll go from there. Do not run ComboFix again; you can find the log I need at "C:\ComboFix.txt".

 

See you later !

 

===


Wise decision, Cecilia.

 

Now just promise me one thing: you'll have IT look at the machine as soon as humanly possible.

 

I'd also appreciate if you could come back here and let us know when the machine is fixed. Perhaps we can set you up with proper protection :wink:

 

===

 

You could also let me know how your own laptop is doing, in the other topic. I'm very curious...

 

Good luck :-)

 

======


3 weeks later...

Sorry for the late reply,

 

Well, I sent my PC to the IT department for reformatting because, while restoring my computer, it suddenly froze. So I restarted but couldn't get to login due to the loss of this file: system32/ntoskrnl.exe. My guy couldn't save it, so formatting ended up being the last resort.

Luckily, last week I went on holiday; that was the time I could leave it with him for 2 days to clean it up. He gave me COMODO antivirus and updated my XP to Service Pack 3. No more Lorraine spying on me. =) Huge relief.

Home laptop: I think I'm not going to do anything to it 'cos everything seems to be getting smooth.

After the long cleaning run, well, it was good to learn something from you guys.

 

Thanks again.


Good to see you again, Cecilia :smile:

 

That's great news for the office machine. Formatting was the best option.

I just can't believe an IT person would install Comodo antivirus... LOL. You can probably tell I'm not a big fan of Comodo antivirus... Anyway, it's better to have that than a few others that are even worse. Just keep it updated at all times, please. Do the same with Windows Updates.

 

And be careful with the surfing...

 

About your home laptop: I'm glad to hear it's going Ok for you. Just know that if you are still experiencing redirects, then we'd need to fix it. Don't worry, I won't have you format it :mrgreen:

 

If you ever want or need to continue working on the home laptop, you'll find the discussion here:

http://forums.iobit.com/showthread.php?t=8188&page=2

 

Be safe, and don't be shy to ask for help.

 

======
