Registry Keys Infected

By Manjit
Jan 17, 2009
Topic Status:
Not open for further replies.
  1. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Ok,

    First go to Start -> run -> type cmd -> press enter
    At the prompt -> type ipconfig /all -> click the icon at the top left -> edit -> select all
    Click the icon again -> edit -> copy

    paste the log here

    =======================================

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O20 - Winlogon Notify: fin42u - C:\WINDOWS\
      O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    =================================================

    Go to start -> control panel -> add/remove programs -> uninstall:
    Hijackthis

    =================================================

    Please download the OTMoveIt3 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes
      explorer.exe
      
      :Reg
      [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fin42u]
      [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvVPfeE]
      
      :Files
      C:\Program Files\Trend Micro
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    Paste the log from ipconfig and attach here the OTMoveit log

    Then I want you to redownload a fresh copy of hijackthis now that we deleted the backups and run a fresh scan - attach this new log here as well
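The O20 lines fixed above are Winlogon Notify registrations whose DLL no longer exists: Winlogon loads every DLL named under that key at logon, so an orphaned entry is a leftover of removed malware (and a live entry pointing at an unknown DLL would be the malware itself). As an added example that is not part of the thread or of HijackThis/OTMoveIt, the script below parses a constructed .reg export of the Notify key and reports the same kind of orphaned entries; the registry text and the stand-in list of system32 files are both constructed for the example.

```python
"""Audit Winlogon\\Notify entries from a .reg export (added example, not from the thread).

Each subkey under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify
names a DLL that winlogon.exe loads at logon; HijackThis lists them as O20 lines.
An entry whose DLL cannot be found (HijackThis shows "(no file)" or a bare directory)
is the kind of line the post above ticks for "Fix Checked".
"""
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed .reg export (not a real dump): two legitimate entries and the
# two orphaned names from the thread's HijackThis log.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fin42u]
"DLLName"="fin42u.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvVPfeE]
"DLLName"=""
"""

# Constructed stand-in for a directory listing of C:\WINDOWS\system32 (lower-cased).
KNOWN_SYSTEM32_FILES = {"crypt32.dll", "wlnotify.dll", "sclgntfy.dll"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"\s*$')


def parse_notify_entries(reg_text):
    """Return {subkey_name: {value_name: data}} for every Notify\\* section."""
    entries = {}
    current = None
    prefix = NOTIFY_KEY + "\\"
    for line in reg_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            if key.lower().startswith(prefix.lower()):
                current = key[len(prefix):]
                entries[current] = {}
            else:
                current = None  # some other key; ignore its values
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group("name")] = m.group("data")
    return entries


def orphaned_notify_entries(reg_text, system32_files):
    """Names of Notify subkeys whose DLLName is empty or not present on disk."""
    orphans = []
    for name, values in parse_notify_entries(reg_text).items():
        dll = values.get("DLLName", "").strip().lower()
        # DLLName may be a bare file name (resolved from system32) or a full path.
        if not dll or dll.rsplit("\\", 1)[-1] not in system32_files:
            orphans.append(name)
    return orphans


if __name__ == "__main__":
    for name in orphaned_notify_entries(SAMPLE_REG, KNOWN_SYSTEM32_FILES):
        print(f"O20 - Winlogon Notify: {name} - DLL missing; review and remove")
```

On a real machine you would feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` and a listing of system32; an entry whose DLL does exist but is not a known Windows file deserves the same scrutiny, which this check does not attempt.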
  2. Manjit

    Manjit Newcomer, in training Topic Starter Posts: 82

    Here are the logs requested.
  3. Manjit

    Manjit Newcomer, in training Topic Starter Posts: 82

    Here is a fresh HJT log; it appears that the bad files have been removed. Though I am still getting the DCOM Exploit message from time to time.
  4. jobeard

    jobeard TS Ambassador Posts: 13,025   +221

  5. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,279   +152

    The article also makes an excellent point: the network firewall (i.e. router) may not be enough. ALL host computers should be firewalled to protect you from this exploit (which means configuring all computer software firewalls). One example: "email borne" viruses which can get past your router firewall and then infect your LAN. Let us know if you might need any help in configuring your computer's firewall from this exploit.

    I'd also recommend a look here for a tool to also test your current vulnerability
  6. Manjit

    Manjit Newcomer, in training Topic Starter Posts: 82

    @ LookinAround

    I've used the tool that you recommended, and it stated that port 135 was open. I'm not really sure what my next step is. My firewall keeps blocking DCOM Exploit attacks.
  7. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hi Manjit

    So much in this thread; could you recap what issues are remaining? What do we need to work on?

    Mike
  8. Manjit

    Manjit Newcomer, in training Topic Starter Posts: 82

    Hi Mike,

    Essentially I keep getting the DCOM Exploit message, which my firewall is blocking. So I am assuming we need to work on either obtaining a patch for this problem or somehow fixing this problem? From reading the Microsoft document 'jobeard' posted, I'm a little confused.
  9. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,279   +152

    Manjit

    Suggest the very first thing you do is:
    purchase a basic router (which you then put between your computer and the connection to your Internet Service Provider)

    => Check at whatever local store you go to but any of the basic Broadband/LAN/Ethernet routers should also provide your first line-of-defense network firewall as well.
    => IN ADDITION to that suggest check Microsoft updates as well
    => AND, (IMO and advised by the MS article) configure each personal firewall on each computer on your LAN to filter tcp/135 traffic as well.

    But you should buy the router (which is also your hardware network firewall) asap and add it to your configuration!
  10. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Well, if your FW is doing its job by blocking it then you are safe till you do get a router at least.

    My concern is if you have gotten reinfected.

    Since you can't do anything else till you get the router do the below to be sure.

    Open then Update SuperAntiSpyware

    Then Click Preferences
    then click Repairs

    Then counting down from top do the following entries

    Numbers 6, 8, 11, 12, 13, 15,18, 19, 20, 21, 22, 24, 25, 26 and 27!

    Then do a Quick scan with SAS!

    Update and do a Quick scan in MBAM.

    Post logs!

    Mike
  11. Manjit

    Manjit Newcomer, in training Topic Starter Posts: 82

    Here are the logs requested 'mflynn'

    I should say it's Avast's network shield that is giving me protection from 'Dcom Exploit' at the moment, as my firewall is 'Online Armour' and is only free, thus only offers limited tools.

    @LookinAround

    I've got a wireless router that I used to use to connect my broadband internet modem to another laptop in the house. Would that router work for the purposes of what we are trying to achieve here?

    Thanks for your help guys.
  12. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Oops, run SAS again as it found some Vundo! We need to confirm it clean!

    Then Start-Run
    type
    combofix /u
    Click OK or hit Enter key

    This uninstalls Combofix.

    Now get new and run it.

    Download ComboFix

    NOTE: If you have had ComboFix more than a few days old delete and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
  13. Manjit

    Manjit Newcomer, in training Topic Starter Posts: 82

    Here are the logs requested.

    I did a full scan with SAS with TeaTimer in SpyBot turned off and the realtime protection turned off in Windows Defender. In the full scan it did not show any Vundo.

    Manjit
     
  14. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Wait for LookinAround's opinion also.

    But it seems exactly what he was proposing!

    Your logs are now clean.

    Mike
  15. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,279   +152

    Yes, that router should work just fine. I'm guessing the wireless router also has LAN ports so it can connect both wireless and wired?

    But now I'm curious... if the computer in question is not usually connected to the router you mention BUT you do have a router connected to your modem connected to your ISP, how do you usually connect the computer in question? As, if in fact, your "broadband modem" allows for more than just one LAN cable, my guess is it might be able to function as a router itself!
  16. Manjit

    Manjit Newcomer, in training Topic Starter Posts: 82

    @LookinAround

    It's all getting rather confusing lol.

    The best I can explain is that I have a broadband connection which comes from a separate broadband modem; it only allows for one 'LAN connection' (i.e. ethernet cable). This is what I am currently using to connect to my laptop.

    A while ago I used a wireless router to connect the broadband modem. This enabled my laptop and my brothers computer to share the internet connection.

    So I guess the best thing to do would be to reset the wireless router just for my laptop, re-installing the software and blocking tcp/135.

    Or could I adjust the settings with the broadband modem?

    Once again thank you for your assistance. Your help is greatly appreciated.
  17. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,279   +152


    I just re-read your earlier post and see it should be simple. (I didn't notice before that you had said it in past tense, as in "used to use it", so just my confusion, but now fixed :)

    So it sounds like it will be connected something like this:

    Code:
    Broadband                           wired (or wireless) connection
      Modem <=================>Router <=============================> Laptop1
                                   ^
                                   :
                                   :     wireless connection
                                   :..................................> Laptop2
    And,
    => Unless you're certain as to current router settings (which includes knowing its current settings / open ports)
    => yes, it is best / easiest to simply reset the router to manufacturer defaults and then make only the changes needed to support your two laptops
    => Advise working first on the wired connection to Laptop 1
    => Then wireless connection to Laptop 2

    And give a shout if you need any assist as we're all here and happy to help!
  18. jobeard

    jobeard TS Ambassador Posts: 13,025   +221

    Unless you explicitly port forward from the router to a specific system, no ports will
    be accessible from the internet, which is the intended protection of a router.
    NEVER port forward 135-139 nor 445!
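Two checks follow from the advice in this thread: each host's own firewall should filter tcp/135 (LookinAround's post above), and the router must never forward 135-139 or 445 (jobeard's post). As an added example that is not part of the thread or of any tool it names (DCOMbob, Online Armor, Avast), the script below audits both from text you can gather yourself: a `netstat -an` listing, to see which of those ports the machine is actually listening on beyond loopback, and a router port-forward table in a hypothetical tab-free format. The netstat excerpt and the forward table are constructed for the example.

```python
"""Audit exposure of the RPC/NetBIOS/SMB ports discussed in the thread.

Added example, not from the thread or any tool it names. Two checks:
  1. exposed_listeners(): parse Windows `netstat -an` output and report
     listeners on 135-139 or 445 that are bound to a non-loopback address,
     i.e. the services a host firewall rule for tcp/135 (and friends) must cover;
  2. unsafe_forwards(): reject any router port-forward rule that would expose
     those ports to the Internet, on either the external or the internal side.
"""
import re

# 135 (RPC endpoint mapper), 137-139 (NetBIOS), 445 (SMB); 136 is included only
# because the thread states the range 135-139.
SENSITIVE_PORTS = {135, 136, 137, 138, 139, 445}

# Constructed `netstat -an` excerpt in Windows format (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3521      66.102.7.99:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>[\d.]+):(?P<port>\d+)\s+\S+(?:\s+(?P<state>\S+))?\s*$"
)


def exposed_listeners(netstat_text):
    """(proto, address, port) for listeners on sensitive ports not bound to loopback."""
    found = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header lines, blank lines
        proto, addr, port = m.group("proto"), m.group("addr"), int(m.group("port"))
        # TCP sockets count only when actually listening; UDP has no state column.
        if proto == "TCP" and m.group("state") != "LISTENING":
            continue
        if port in SENSITIVE_PORTS and not addr.startswith("127."):
            found.append((proto, addr, port))
    return found


# Constructed, hypothetical port-forward table such as a home router's admin
# page might show: (external_port, internal_host, internal_port, proto).
SAMPLE_FORWARDS = [
    (8080, "192.168.1.20", 80, "TCP"),   # web server on a second PC: acceptable
    (445, "192.168.1.10", 445, "TCP"),   # exposes SMB to the Internet: reject
    (3389, "192.168.1.10", 139, "TCP"),  # odd external port, but lands on NetBIOS: reject
    (137, "192.168.1.10", 137, "UDP"),   # NetBIOS name service over UDP: reject
]


def unsafe_forwards(rules):
    """Rules that would expose 135-139 or 445 on either side of the NAT."""
    return [
        rule for rule in rules
        if rule[0] in SENSITIVE_PORTS or rule[2] in SENSITIVE_PORTS
    ]


if __name__ == "__main__":
    for proto, addr, port in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:{port} is listening beyond loopback; host firewall must filter it")
    for rule in unsafe_forwards(SAMPLE_FORWARDS):
        print(f"port-forward {rule} exposes a sensitive port; remove it")
```

The listener check deliberately does not treat a LAN address such as 192.168.1.10:139 as safe: the router keeps the Internet out, but (as the thread notes) an email-borne infection on another LAN host can still reach it, which is why the host firewall rule is wanted in addition to the router.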
  19. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,279   +152

    ^^^^ Good advice (jobeard's post above) to remember whenever changing router settings ^^^^
  20. Manjit

    Manjit Newcomer, in training Topic Starter Posts: 82

    I've managed to set up the wireless router and the software. Everything seems to be working fine. Though a little slowly, which is to be expected given my brother is also sharing the connection.

    I've tested the connection with DCOMbob and it says that Port 135 is closed. Which is a lot better than it being open, which it was before. Since having the router Avast has not come up with any DCOM Exploit messages. But I've not adjusted anything in the router settings in the software.
  21. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Should not notice any slowness unless brother is doing Heavy heavy file downloads!

    You did connect directly with cable and not wirelessly right?

    Mike
  22. Manjit

    Manjit Newcomer, in training Topic Starter Posts: 82

    I think he is downloading some stuff, plus because he has not used his laptop for a while he has a lot of Windows Updates to download.

    I did connect directly with cables.

    Some final questions before I close this epic thread down lol.
    -Can I uninstall Super Anti Spyware/ Malwarebytes/ HJT or is it worth keeping them on the laptop to be safe?
    -Also is it worth keeping Spybot and Windows Defender? Do they not do the same job? Should I uninstall one?
    -At the moment I'm using Avast in conjunction with Online Armour; would I be better off with a better firewall? Or should Avast do the job?

    Once again thanks for your assistance.
  23. mflynn

    mflynn Newcomer, in training Posts: 2,793

    My closing covers most of that.

    After doing the closing if you have questions just ask!

    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    Start-Run
    type
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.


    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall. Approve in Windows Defender or other guards or security programs while OTCleanIt is attempting access to the Internet, to allow all.

    If prompted to Reboot click, Yes.
    OTCleanIt will delete itself when finished. If not, delete it yourself.

    -------------------------------------------------------------------------------------
    Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner.
    -------------------------------------------------------------------------------------
    The issues can be, and are likely, found in System Restore, so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    -------------------------------------------------------------------------------------

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner. ATF-Cleaner and KCleaner.
    ----------------------------------------------------------------------------------------
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you about the prompt to help you determine to approve or not you can google it with one click.

    http://www.threatfire.com/Download/
    -------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot occasionally and use the Immunize function.
    http://www.safer-networking.org/en/download/

    I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html

    Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

    Mike