Trojan Virus affecting my anti-virus
Closed
loukas78
Nov 2, 2011 at 07:37 PM
Anonymous User - Nov 12, 2011 at 10:06 AM
63 responses
Step 1
It's the file for the kernel32
http://speedy.sh/RPFdj/Fant-2.txt
I redid a separate run only for it
Step 2. I think my internet connections were uninstalled. When I go to connect to a network I DON'T SEE MY ADSL INTERNET CONNECTION ICON. MOREOVER THE WIRELESS CONNECTION DOES NOT WORK AND WHEN I CLICK CONNECT ON THE ICON IT DEMANDS THE SECURITY KEY
SHOULD I GO AND INSTALL BOTH THE WIRED AND WIRELESS CONNECTIONS?
Step 3-4
I am not sure I did this right.
THE COMMANDS TEXT FILE WAS PASTED INTO SYSTEMLOOK and then I got this
http://speedy.sh/S6pMb/SL-1.txt
MOREOVER, SHOULD I DO SOMETHING WITH THE REGISTRY FILES? I SAW you typed some registry keys in your last message
Anonymous User
Nov 5, 2011 at 04:51 PM
After doing the above steps
GO to
www.virustotal.com
Click on ''UPLOAD FILE''
Now browse to
C:/windows/system32/kernel32.dll
Upload it
Now wait for some time until the report gets generated. Please post the link address here.
1) Step 1. Done, but I STILL CAN'T browse (I checked the wire, router etc. again JUST IN CASE I AM WRONG BUT each and every one of them works fine)
2) Here is the SystemLook log
http://speedy.sh/k2HMv/SL-2.txt
3) Here is the VirusTotal report
http://www.virustotal.com/file-scan/report.html?id=cb287fcf1263ffbd5159e6a941c8b6c20d176ca05c8c9d5d6a2c7108a4055c24-1320532509
Anonymous User
Nov 5, 2011 at 05:59 PM
Thanks
I'm analyzing your logs
Please download this
http://speedy.sh/QGwwx/CFScript.txt
Save it on your desktop
Now DRAG the CFScript file onto the COMBOFIX icon
That should start ComboFix again. Do not interfere while it runs. Please post the CF log file
Anonymous User
Nov 5, 2011 at 07:24 PM
There was an issue running the script, it seems.
Go to Run and type
notepad and click OK
Now copy this script
KILLALL::
Folder::
c:\windows\PIF
c:\users\MAKIS\AppData\Local\79121545
File::
C:\kgloypod.sys
Then in the text file go to FILE > SAVE AS and in the SAVE AS TYPE dropdown box select ALL FILES
Save the above as CFScript.txt
Drag the CFScript.txt onto ComboFix.exe
Anonymous User
Nov 5, 2011 at 08:34 PM
I want you to run this again
STEP 1:
Download
http://jpshortstuff.247fixes.com/SystemLook.exe
Launch it; you will get a box. Copy and paste this:
:reg
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd /s
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt /s
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip /s
Click on Look and post the contents
STEP 2:
http://download.sysinternals.com/Files/Junction.zip
Extract and save it to the C drive
Now go to Run and type
cmd and click OK, then run these commands.
cd c:\
junction -s c:\>log.txt
start log.txt
A Notepad window should pop up. Please post the contents here
Suundar,
Here is the new ComboFix log file
http://speedy.sh/YfyzR/Sun-2.txt
Here is the SystemLook file
http://speedy.sh/CmQxG/sun3.txt
The last step was done BUT I AM NOT SURE IT WENT WELL.
I MANUALLY EXTRACTED THE FILES TO C SINCE THE PC DID NOT LET ME DO THE TRANSFER FROM USB TO THE HARD DRIVE.
THEN I TYPED THE TWO COMMANDS.
HOWEVER AFTER THE JUNCTION COMMAND I got "access is denied".
THEN I TYPED THE "START" COMMAND AND THIS FILE OPENED UP.
http://speedy.sh/S6u5b/log.txt
I suspect this is a file THAT ALREADY EXISTED ON MY PC (I think it was made on Thursday).
Anonymous User
Nov 6, 2011 at 05:54 AM
Go to Start and type
services.msc and press Enter
Now go to
TCP/IP NetBIOS Helper >>> right click and start it. Make sure it is set to Automatic
Now go to
DHCP Client >> right click >>> start it
Now go to Start and type
devmgmt.msc and press Enter
On top, you should have a VIEW option
Click on it and select ''SHOW HIDDEN DEVICES''.
Now scroll down and expand NON PLUG AND PLAY DRIVERS
Check for
Ancillary Function Driver
NETBT
TCP/IP Protocol Driver
Right click on them and click >> Properties >> Drivers tab
Make sure all are started and are set to System
Run this fixit
https://support.microsoft.com/en-us/help/2970908/how-to-use-microsoft-easy-fix-solutions
Go to Run and type
sfc /scannow and click OK
Let the scan finish
Restart your PC
Please mention the errors you face at each stage.
JUNCTION issue
Open command prompt as administrator and run those commands. The log uploaded is the CF log
I will look at the SystemLook logs soon
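Added example, not from this thread or its helper: a PowerShell audit of the same services and drivers the steps above walk through by hand (afd, netbt, tcpip, DHCP Client, TCP/IP NetBIOS Helper). It also covers the earlier kernel32.dll request by producing a SHA-256 to look up on VirusTotal rather than a file to upload. It assumes an elevated PowerShell 4.0 or later on the affected machine; the service names and registry paths are the standard Windows ones already quoted in the thread, and the extra 'nsi' entry is an assumption based on DHCP Client's usual dependency list.

```powershell
# Added example (not from the thread). Audit the kernel network stack that a
# ZeroAccess-style rootkit tampers with, from an elevated PowerShell (4.0+).
# For each service: registry Start value, resolved ImagePath, whether the file
# exists, its Authenticode status and SHA-256, and any DependOnService entry
# that has no Services key at all. That last condition is what makes the SCM
# return "Error 1075: The dependency service does not exist or has been marked
# for deletion" when DHCP Client is started.

$services = 'afd', 'netbt', 'tcpip', 'Dhcp', 'lmhosts', 'nsi'   # nsi (Network Store Interface) assumed as a Dhcp dependency

function Resolve-ImagePath {
    param([string]$Raw)
    if (-not $Raw) { return $null }
    # Expand %SystemRoot%, strip the \SystemRoot\ and \??\ prefixes, drop svchost arguments
    $path = [Environment]::ExpandEnvironmentVariables($Raw).Trim('"')
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
    if ($path -match '^(.*?\.(?:exe|sys|dll))') { $path = $matches[1] }
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
    return $path
}

function Get-FileReport {
    param([string]$Path)
    # Caveat: many Microsoft drivers are catalog-signed. Older PowerShell builds
    # report those as NotSigned here, so confirm with Sysinternals sigcheck
    # before treating NotSigned as evidence of tampering.
    [pscustomobject]@{
        Path      = $Path
        Signature = (Get-AuthenticodeSignature -FilePath $Path).Status   # expect Valid
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Get-ServiceAudit {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Name = $Name; Present = $false }
    }
    $p      = Get-ItemProperty -Path $key
    $image  = Resolve-ImagePath $p.ImagePath
    $exists = [bool]($image -and (Test-Path -LiteralPath $image))

    # Every DependOnService entry must have its own Services key
    $missing = @()
    foreach ($dep in @($p.DependOnService)) {
        if ($dep -and -not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$dep")) { $missing += $dep }
    }

    $report = if ($exists) { Get-FileReport $image } else { $null }

    [pscustomobject]@{
        Name        = $Name
        Present     = $true
        Start       = $p.Start          # 0=Boot 1=System 2=Automatic 3=Manual 4=Disabled
        ImagePath   = $image
        FileExists  = $exists
        Signature   = if ($report) { $report.Signature } else { $null }
        SHA256      = if ($report) { $report.SHA256 } else { $null }
        MissingDeps = ($missing -join ', ')
    }
}

$services | ForEach-Object { Get-ServiceAudit $_ } | Format-List

# The file the helper asked to have uploaded to VirusTotal: its hash can be
# searched there without sending the binary off the machine.
Get-FileReport "$env:SystemRoot\System32\kernel32.dll" | Format-List
```

Run it once before and once after each repair step and compare the two outputs: a Start value that changed, a driver whose SHA-256 changed without a Windows update, or any name in MissingDeps is the lead to chase. A non-empty MissingDeps on the Dhcp row is the registry-level cause behind the Error 1075 reported later in this thread.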
1. I finished the junction issue. Here is the file
http://speedy.sh/WZYuf/sun-4.txt
2. tcpip: I restarted it. No error mentioned
3. DHCP Client: I got Error 1075: The dependency service does not exist or has been marked for deletion.
3. Ancillary Function Driver
NETBT
TCP/IP Protocol Driver
THIS STEP WAS DONE. The only issue is that the TCP/IP one was on Boot and I set it to System
4. I ran the fix-it. It asked for a reboot and I REBOOTED IT
5. THEN I went to the command prompt, run as administrator, and typed the SCANNOW COMMAND
I GOT THIS:
Verification 100% complete. Windows Resource Protection found corrupt files but was unable to fix some of them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log.
For example C:\Windows\Logs\CBS\CBS.log
The system file repair changes will take effect after the next reboot
6. I restarted the PC. As soon as I restarted the PC I got a message on the blue screen saying "Configuring updates ....bla bla"
Anonymous User
Nov 6, 2011 at 10:19 AM
Please, I need more information. Can you boot into safe mode?
Do you still receive a blue screen in normal mode?
Boot into safe mode with networking; does the internet work?
Now go to Start and type
devmgmt.msc and press Enter
On top, you should have a VIEW option. Click on it and select ''SHOW HIDDEN DEVICES''.
Now scroll down and expand NON PLUG AND PLAY DRIVERS
Change TCP/IP Protocol Driver to Boot again.
Download this
https://authentification.site/file/M3qhV/netbt.sys
Copy it to
C:/windows/system32/drivers
Replace it if asked to; if you receive an access denied error, let me know
1. Reboot in safe mode was done. No major problem except for the black screen that stays 1-1.5 min just before the desktop appearance.
2. Then I rebooted in normal mode. No problems with the "blue welcome screen". However, there's always a delay when the black screen appears
3. Then I rebooted with networking. However, I still can't browse. Do you suggest uninstalling and reinstalling the Internet connection? The router was fine on the other PC. Same for the line and the wire
4. I put the netbt in the drivers folder. I was asked for replacement and did it.
I am still very puzzled. I have no idea what is going on in my PC. I think you know better. Can you please give me a short "input"???
Anyway THANKS A LOT for your help.
Anonymous User
Nov 6, 2011 at 11:33 AM
Here is the short input
This ZeroAccess rootkit infects network drivers. When we remove this rootkit, there comes a change in the network setup and we could lose our connection, which is what you are now facing.
Did you try to reboot and check the internet after replacing netbt.sys?
Go to Services and try to start
DHCP Client now; if you face the same error
Run this again
https://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml
Launch it and click on Repair.
Do you have the network drivers? Can you reinstall them again?
Also launch SystemLook.exe and copy this
:reg
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dhcp /s
Click on Look and post the logs
Let me know
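Added example, not from this thread: the Winsock catalog check a defender would run before (or instead of) a blind WinSockFix repair, since a rootkit that tampers with the network stack can also leave catalog entries pointing at missing or foreign provider DLLs. It parses the output of 'netsh winsock show catalog'; the 'Description:' and 'Provider Path:' field labels are assumed from the netsh output format on Windows Vista through 10, and Get-AuthenticodeSignature is used as a first-pass signature check only.

```powershell
# Added example (not from the thread). Enumerate Winsock providers and flag the
# ones a network-stack rootkit typically leaves behind: a provider DLL that is
# missing, that lives outside %SystemRoot%, or that is not validly signed.
# Assumes the "Description:" / "Provider Path:" labels of netsh's catalog output.

function Get-WinsockProviders {
    $entries = @()
    $current = $null
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^\s*Description:\s*(.+)$') {
            # Each catalog entry starts with a Description line
            $current = [pscustomobject]@{ Description = $matches[1].Trim(); Path = $null }
            $entries += $current
        }
        elseif ($current -and $line -match '^\s*Provider Path:\s*(.+)$') {
            $current.Path = [Environment]::ExpandEnvironmentVariables($matches[1].Trim())
        }
    }
    # Namespace providers legitimately carry no DLL path, so only keep transport providers
    return $entries | Where-Object { $_.Path }
}

function Test-WinsockProvider {
    param($Entry)
    $reasons = @()
    if (-not (Test-Path -LiteralPath $Entry.Path)) {
        $reasons += 'DLL missing'
    }
    else {
        if ($Entry.Path -notlike "$env:SystemRoot\*") { $reasons += 'outside SystemRoot' }
        # Caveat: catalog-signed Microsoft DLLs may show NotSigned on older
        # PowerShell builds; confirm with Sysinternals sigcheck before acting.
        if ((Get-AuthenticodeSignature -FilePath $Entry.Path).Status -ne 'Valid') {
            $reasons += 'signature not Valid'
        }
    }
    [pscustomobject]@{
        Description = $Entry.Description
        Path        = $Entry.Path
        Flags       = ($reasons -join '; ')   # empty means nothing suspicious
    }
}

Get-WinsockProviders | ForEach-Object { Test-WinsockProvider $_ } | Format-Table -AutoSize
```

On a clean system every transport provider resolves to a signed DLL under System32 (mswsock.dll and friends) and the Flags column stays empty. A flagged row tells you which entry a repair tool would be resetting, which is worth knowing before running one that, as the thread shows, may itself fail with a runtime error.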
1) I rebooted and checked the internet after replacing netbt. Still no browsing
2) The DHCP Client still gave me the same error
3) WinSockFix gave "registry report information not found. Run time error "53". File not found."
Then "repair completed, please reboot". I rebooted and same thing... No results
4) I tried to install the network drivers but could not. The system seems not to accept my password. Moreover, I still have the wireless active but I can't browse through it either
5) The SystemLook file
http://speedy.sh/M3FWV/Sun-5.txt
Anonymous User
Nov 6, 2011 at 02:20 PM
Uninstall AVG using this removal tool
http://download.avg.com/filedir/util/avgrem/avg_remover_stf_x86_2012_1796.exe
Step 1:
Download and install your drivers from here
http://h10025.www1.hp.com/ewfrf/wc/softwareCategory?os=2093&lc=en&cc=us&dlc=en&sw_lang=&product=3347732#N491
Step 2:
Download this
https://download.bleepingcomputer.com/farbar/GrantPerms.zip
Extract it and copy this script into the box
c:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
c:\Program Files\AVG\AVG2012\avgtray.exe
c:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe
c:\ProgramData\Trend Micro\Trend Micro\HiJackThis\HiJackThis.exe
c:\Users\All Users\Trend Micro\Trend Micro\HiJackThis\HiJackThis.exe
c:\Users\MAKIS\Documents\All exe files and programs\SOF2.exe
c:\WINDOWS\bthservsdp.dat
c:\WINDOWS\ServiceProfiles\NetworkService\AppData\Local\Temp\csp9C5E.tmp
Click on Unlock
Run ComboFix again, post the log
Step 3:
https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/
Just run a full scan; if you can't update, ignore it. Please post the logs
1. I ran the removal tool for AVG
2. I downloaded the driver from this site
http://h10025.www1.hp.com/ewfrf/wc/softwareDownloadIndex?softwareitem=ob-61975-1&cc=us&dlc=en&lc=en&os=2093&product=3347732&sw_lang=
3. I ran GrantPerms, copied the script etc....
4. Here is the CF log file
http://speedy.sh/GtySg/Sun-6.txt
5. I am running Malwarebytes now. HOWEVER, I CAN'T UPDATE SINCE THE INFECTED LAPTOP DOESN'T BROWSE
(each and every .exe file is downloaded on another laptop and transferred to the infected one through a USB)
Anonymous User
Nov 6, 2011 at 11:04 PM
I do not find any issues with the registry keys.
Did you install your drivers? Did you check your internet?
If you still face the issue, then
Go to Run and paste this
C:\WINDOWS\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c
and click OK
Copy the afd.sys present in that folder to C:/windows/system32/drivers >>> replace when asked to
Similarly, paste this and click OK
C:\WINDOWS\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6002.22662_none_b54f51417cd8f970
Copy the tcpip.sys present in that folder to C:/windows/system32/drivers >>> replace when asked to
Reboot and check
Let me know if you have the OS CD
Anonymous User
Nov 7, 2011 at 12:36 AM
Try this if the previous steps fail
Go to the Start menu and type
regedit and press Enter
Now navigate to this path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT
Right click on NetBT >>> EXPORT >> save it with a .reg extension as a backup
Now download this
http://speedy.sh/YfDVR/netbt.reg
Double click it and click YES to add it into the registry
Restart your PC
Go to the Start menu and type
services.msc and press Enter
Now start the TCP/IP NetBIOS Helper and DHCP Client services
See if you can browse now.
Let me know how it works
1) AFD sys completed successfully
2) tcpip sys wasn't successful (it did not let me, neither in normal nor in safe mode)
3) The netbt step: I downloaded the new netbt and put it on the desktop BUT I AM NOT SURE I ADDED IT TO THE REGISTRY. What I did is I imported it to the services folder but I AM NOT SURE IT WAS DONE RIGHT
4) TCP/IP was restarted successfully BUT THE DHCP Client STILL GIVES ME THE SAME ERROR
As far as the OS CD is concerned, I think my ex-roommate has it somewhere in the USA and I am miles away from him.... I run Vista on the laptop