Solve : For a friend?

1.	Solve : For a friend?
Answer» Not sure these came out the way they should...Long Scans... [recovering space - attachment deleted by admin]New HJT... [recovering space - attachment deleted by admin]Yea, the bdscan results are in html format so I just have to save it to my PC as html and then view the results online.... But the BitDefender online scan is again my favorite now they have upgraded it. I am baffled that you are still stuck in Safe mode. Have you gone into MSCONFIG under BOOT.INI and checked that it is not set to boot in safe mode? Also click check boot paths. HJT looks MUCH better then when we started. There is one entry that needs to be examined. O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - c:\windows\$ntservicepackuninstall$\svchost.exe (file missing) This is running from the system32 folder so "could" be malicious. Try to scan that file path with www.virustotal.com and see what results are given please. Wakeup EF...i have managed to get this beast back into normal mode..... There was a reference in startup called Windows\driver.bat...... Thinking an unknown batch file was conspicious i disabled it. This is because even with hidden files and folders on Search found nothing... In normal mode i'm now getting rid of any unneeded apps and doing a general cleaning. One hangupi'm having though isthere are still some Admin functions that are acting up... Once again THANX a TON and let me know what's next. patio.Nice find!!!! Since we are now booting normal then we should take a look at a new HJT log. Could be some new nasties in the startups.Almost forgot. I ran across this not long ago researching another fix. It won't do anything for the malware but might fix the admin SETTINGS and give you some more control. Download to your Desktop this self-extracting ZIP archive FixPolicies.exe Double-click FixPolicies.exe Click the Install button on the bottom toolbar of the box that will open. The program will create a new Folder called FixPolicies Double-click to Open the new Folder, and then double-click the file named Fix_Policies.cmd A black box will briefly appear and then close. This will enable your Control Panel, Task Manager and stop any Administrative warnings. Delete the FixPolicies files and folders. HereYa Go...ididn't do anything yet with the suspicious entry 023... Thanx [recovering space - attachment deleted by admin]99.9% sure it is an infection from the SDBot trojan. It is showing as a service patch uninstaller so removing it isn't going to hurt anything even if it is legit (which I doubt it is) We will run a good scan that targets this type of trojan also for a good double check. Click Start > Run and type in: services.msc Click OK In the Services window find: .NET Connection Service Select/highlight and right click the entry, and choose: Properties On the General tab, under Service Status click the Stop button Beside: Startup Type, in the drop menu, select: Disabled Click Apply, then OK Now, go to Start > Run, and copy/paste the following into the Open box: sc delete .NET Connection Service Click: OK ---------- I haven't used this guide in a while but it should all still be relevant to the new version of program. Download and install The Cleaner Open The Cleaner Choose Yes to create a Restore Point Click Check For Updates > Yes Choose the Options tab > Heuristics and check Disable Heuristics Now choose Home > Scan System Once The Cleaner is finished click Scan Report Click Select All Click Save Report as HTML Name the report The Cleaner Save it where it can easily be found like the Desktop and click Save Next click Repair Selected and choose Yes to accept the changes. Now in The Cleaners Toolbar cilck File > Report Once the report is generated, in Notepad click File > Save As Name it TCReport and save it to the desktop. This log will be huge and MUST be added as an attachment in the next post Exit The Cleaner. Restart the Computer. . This scan will usually take a while so you might want to grab one of those Guinesses ---------- Let me know how it went along with the log.Also do you have an XP CD on hand? If so.......... 1. Download IEFix.zip and run it. 2. Click the Apply button. 3. You'll be prompted for the Operating System CD or the Service Pack Files location. 4. Once finished Restart Windows. If you're using Windows XP, insert the Operating System CD. For OEM systems, point to the Operating System source path when prompted. If you've applied a Service Pack separately, you need to insert the Slipstreamed Operating System CD (if you have one) or point the installer to the ServicePack source path when prompted (see example below). Mention the path as "C:\Windows\ServicePackFiles\i386" or "C:\Windows\ServicePackFiles" If you don't have the Windows installation CD, and if the installation source files are not present in the hard disk, you may click Cancel when you see a dialog similar to the example below. IEFix will continue with DLL registration part. Can't believe I have never run across this til now. RRT - Remove Restrictions Tool - http://en.sergiwa.com/modules/news/ Never used it but it is hosted on MajorGeeks as well so it is safe.OK...Long story but here's the short version.... After running everything you suggested there were still some Admin features dis-abled... Whatever this nastie was disabled the following: Windows installer ( and any other installer ) Uninstalling ( both in full Admin Mode and Safe Mode ) User account settings could not be changed or enabled. Password changes in Full Admin mode. After 2 sessions of digging around it seems these changes were slipped in thru a vulnerability in Administrator Templates of all things...since they affected the default Admin account ( which should NEVER happen ) it took some real sleuthing to find out where they were.... I promised the short version right ?... Had him run HJT and SAS yesterday and he just shot them to me... As of now the machine is running great; all Admin priveledges from what i can see are operable and installing/uninstalling is back to normal. Once again Huge Kudos and Thanx ! ! patio. [recovering space - attachment deleted by admin]WOW, good job!! I knew your knowledge would be invaluable on this one. Great work. Can you also write a script that smacks him every time he begins to go down this road again Looking at the logs........Pick one AV and loose the other. Besides that it looks fine. I usually say to clear infected restore points but think it may be better to hold off on that for at least a few days to make sure everything is actually OK. Instead run OTMoveIt's cleanup feature which will remove all of the specialized tools. I think I remember that Combofix was installed to a folder somewhere (tisk tisk ) so be sure to delete that. Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it) 1. Double click OTMoveIt2.exe to launch it. Vista users right click and choose Run As Administrator 2. Click on the CleanUp! button. 3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access. 4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?) When finished exit out of OTMoveIt2 . UPDATE!!! UPDATE!!! UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. * Help with Windows updates Learn more about how to protect yourself while on the internet READ this article by Tony Klien: So how did I get infected in the first place? I've been following this THREAD since the very beginning, and....great job, guys

Answer»

Not sure these came out the way they should...Long Scans...

[recovering space - attachment deleted by admin]New HJT...

[recovering space - attachment deleted by admin]Yea, the bdscan results are in html format so I just have to save it to my PC as html and then view the results online.... But the BitDefender online scan is again my favorite now they have upgraded it.

I am baffled that you are still stuck in Safe mode. Have you gone into MSCONFIG under BOOT.INI and checked that it is not set to boot in safe mode? Also click check boot paths.

HJT looks MUCH better then when we started. There is one entry that needs to be examined.

O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - c:\windows\$ntservicepackuninstall$\svchost.exe (file missing)

This is running from the system32 folder so "could" be malicious.

Try to scan that file path with www.virustotal.com and see what results are given please.

Wakeup EF...i have managed to get this beast back into normal mode.....
There was a reference in startup called Windows\driver.bat......
Thinking an unknown batch file was conspicious i disabled it. This is because even with hidden files and folders on Search found nothing...
In normal mode i'm now getting rid of any unneeded apps and doing a general cleaning.
One hangupi'm having though isthere are still some Admin functions that are acting up...
Once again THANX a TON and let me know what's next.

patio.Nice find!!!!

Since we are now booting normal then we should take a look at a new HJT log. Could be some new nasties in the startups.Almost forgot. I ran across this not long ago researching another fix. It won't do anything for the malware but might fix the admin SETTINGS and give you some more control.

Download to your Desktop this self-extracting ZIP archive FixPolicies.exe

Double-click FixPolicies.exe
Click the Install button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies
Double-click to Open the new Folder, and then double-click the file named Fix_Policies.cmd
A black box will briefly appear and then close. This will enable your Control Panel, Task Manager and stop any Administrative warnings.
Delete the FixPolicies files and folders.

HereYa Go...ididn't do anything yet with the suspicious entry 023...
Thanx

[recovering space - attachment deleted by admin]99.9% sure it is an infection from the SDBot trojan. It is showing as a service patch uninstaller so removing it isn't going to hurt anything even if it is legit (which I doubt it is) We will run a good scan that targets this type of trojan also for a good double check.

Click Start > Run and type in: services.msc
Click OK
In the Services window find: .NET Connection Service
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK

Now, go to Start > Run, and copy/paste the following into the Open box:
sc delete .NET Connection Service
Click: OK

----------

I haven't used this guide in a while but it should all still be relevant to the new version of program.

Download and install The Cleaner

Open The Cleaner

Choose Yes to create a Restore Point
Click Check For Updates > Yes
Choose the Options tab > Heuristics and check Disable Heuristics
Now choose Home > Scan System
- Once The Cleaner is finished click Scan Report
- Click Select All
- Click Save Report as HTML
- Name the report The Cleaner
- Save it where it can easily be found like the Desktop and click Save
Next click Repair Selected and choose Yes to accept the changes.
- Now in The Cleaners Toolbar cilck File > Report
- Once the report is generated, in Notepad click File > Save As
- Name it TCReport and save it to the desktop.
This log will be huge and MUST be added as an attachment in the next post
Exit The Cleaner.
Restart the Computer.

.
This scan will usually take a while so you might want to grab one of those Guinesses

----------

Let me know how it went along with the log.Also do you have an XP CD on hand?

If so..........

1. Download IEFix.zip and run it.
2. Click the Apply button.
3. You'll be prompted for the Operating System CD or the Service Pack Files location.
4. Once finished Restart Windows.

If you're using Windows XP, insert the Operating System CD. For OEM systems, point to the Operating System source path when prompted. If you've applied a Service Pack separately, you need to insert the Slipstreamed Operating System CD (if you have one) or point the installer to the ServicePack source path when prompted (see example below). Mention the path as "C:\Windows\ServicePackFiles\i386" or "C:\Windows\ServicePackFiles"

If you don't have the Windows installation CD, and if the installation source files are not present in the hard disk, you may click Cancel when you see a dialog similar to the example below. IEFix will continue with DLL registration part.

Can't believe I have never run across this til now.

RRT - Remove Restrictions Tool - http://en.sergiwa.com/modules/news/

Never used it but it is hosted on MajorGeeks as well so it is safe.OK...Long story but here's the short version....
After running everything you suggested there were still some Admin features dis-abled...
Whatever this nastie was disabled the following:
Windows installer ( and any other installer )
Uninstalling ( both in full Admin Mode and Safe Mode )
User account settings could not be changed or enabled.
Password changes in Full Admin mode.

After 2 sessions of digging around it seems these changes were slipped in thru a vulnerability in Administrator Templates of all things...since they affected the default Admin account ( which should NEVER happen ) it took some real sleuthing to find out where they were....

I promised the short version right ?...

Had him run HJT and SAS yesterday and he just shot them to me...
As of now the machine is running great; all Admin priveledges from what i can see are operable and installing/uninstalling is back to normal.

Once again Huge Kudos and Thanx ! !
patio.

[recovering space - attachment deleted by admin]WOW, good job!!

I knew your knowledge would be invaluable on this one. Great work.

Can you also write a script that smacks him every time he begins to go down this road again

Looking at the logs........Pick one AV and loose the other. Besides that it looks fine.

I usually say to clear infected restore points but think it may be better to hold off on that for at least a few days to make sure everything is actually OK. Instead run OTMoveIt's cleanup feature which will remove all of the specialized tools. I think I remember that Combofix was installed to a folder somewhere (tisk tisk ) so be sure to delete that.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

When finished exit out of OTMoveIt2

.
UPDATE!!! UPDATE!!! UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer.
* Help with Windows updates

Learn more about how to protect yourself while on the internet READ this article by Tony Klien: So how did I get infected in the first place?
I've been following this THREAD since the very beginning, and....great job, guys

Solve : For a friend?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment