Cheshire Police Malware

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay, cool. How are the Firewall settings now?


Please run the following utility so that I can get a log of your system.
STEP 1: Run a scan with ComboFix
Please read and follow the instructions below very carefully.

Download ComboFix from one of the following locations:

COMBOFIX DOWNLOAD LINK #1 (This link will automatically download ComboFix on your computer)
COMBOFIX DOWNLOAD LINK #2 (This link will automatically download ComboFix on your computer)
----------------------------------------------------------------
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    If there is no Internet connection after running ComboFix, restart your computer to restore your connection.
-----------------------------------------------------------------

How to run the ComboFix scan:
  1. Double click on ComboFix.exe & follow the prompts.
  2. Accept the disclaimer and allow it to update if it asks.
  3. When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Additional notes:
  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programs being marked for deletion, then reboot; that will cure it.


Vitesse

New Member
Thread author
Verified
May 15, 2013
31

Firewall settings: there is a taskbar message at startup that it is not on, but a later check showed it was running.

OK, ran ComboFix.
Turned off AVG but could not find out how to switch off the other recent programs (Hitman and Antimalware); they did not seem to be running, so I assumed that was OK.

Log attached.
 

Attachment: ComboFix.txt (15.4 KB)

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 1: Download and Run Windows Repair (all in one)

Download Windows Repair (all in one)

  • Install the program then run it.
  • Go to step 2 and allow it to run Disc check by clicking Do It
  • Go to step 3 and allow it to run SFC
  • Go to start repairs tab select advanced mode and click start.
  • Check the box next to "Restart/Shutdown system when finished" and ensure the following is checked along with the default checks:
    1. Reset File Permissions
    2. Register System Files
    3. Repair WMI
    4. Remove Policies Set By Infections
    5. Remove Temp Files
  • Then click Start.
 

Vitesse

New Member
Thread author
Verified
May 15, 2013
31
kuttus said:
STEP 1: Download and Run Windows Repair (all in one)

Download Windows Repair (all in one)

OK, followed the link, clicked on download and it went to another screen with another download button, and clicked again.
Long and short of it was that it was a different program which I ran, ReImageRepair, which I was not aware was different.
Didn't see a Do It button so thought it would appear later.
Looked quite impressive and found a lot of problems / issues (probably not all genuine), but of note it did highlight that the hard drive was running at 3 something when the average was 28ish, and there were issues with programs failing / hanging. On reflection that was very correct, as a lot of things stop responding and then it takes ages to close and reopen (get messages saying not responding, do you want to abort program; click ok/yes and nothing happens; ctrl/delete for task manager does the same and doesn't want to appear, and when it does it does not help to close the program...).
Couldn't get a log and it wanted payment to fix, so realised it was not the correct program, so went back to the link above and on the first page downloaded from another option on screen and got the correct program.
Did an AntiMalware scan just in case the above was bad and it showed a clear result.

kuttus said:
  • Install the program then run it.
  • Go to step 2 and allow it to run Disc check by clicking Do It


  • Ran it to this stage; the computer had to restart to run, and after a while it came back to the screen and ran the disc check.
    A couple of hours later it was close to finishing and the screen saver came on (not for the first time), so got the login back and the program had disappeared from the screen. Assumed it had finished and would shortly display again, but waited and waited and eventually had to shut down and go to bed.

    Rebooted tonight and got a pale blue Windows screen saying it had to do a check on one of the drives as it may be (can't remember the word but it began with a c or d and meant it might be unstable). Could abort but decided to let it run; it got a clean result and started up.

    Reopened Repair all in one and it opened up after a while. There was a log which has two lines only, about restarting, so clicked on Do It again.
    It then displayed another screen with a load of options of what was needed, with an option to start the fix, but was unable to do anything as it was preparing to reboot.
    Went through the reboot and got the above mentioned blue screen again. Cancelled the process and eventually got the account login screen and had to put in the password to open. When open, the program was not open ready to run. Waited quite a while and then restarted it. Waited and nothing happened. No sign of this second screen. Waited more before clicking on Do It again and then the second screen displayed again... as it went into reboot mode again.

    I think it has run this check but won't display?

    I am assuming that I go to step 3 now.

    edit: Tried going to step 3 and started SFC but did not get very far as it needed the Windows XP Home Edition CD to be put in CD drive.
    Got out my Dell Windows XP Home Edition CD and inserted but it kept requesting. This is the disc that came with the PC. It is service pack 1a. Microsoft updates have been since done to service pack 3 so I presume it no longer recognises this disc. There is nothing wrong with CD and it is genuine. It was used about 4 years ago when I replaced the hard drive after blue screen of death.
    edit: Put in other CD drive and seems to be working.
 

Vitesse

New Member
Thread author
Verified
May 15, 2013
31
Hi again
Assume it ran OK, although not too sure re comments in the above posts. PC is still very slow, especially in start up. The blue screen re drive consistency has not come up the last couple of start ups (but had done so for about 4 consecutive boot ups).
I assume this is the log generated.
(won't allow me to add as an attachment).

reset SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
old REG_MULTI_SZ =
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{1651FBF2-E9BB-43B7-B914-617B3735EC9C}\NetbiosOptions
reset SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{5C7C40C3-01A3-48DB-B971-BF269A7C6EFD}\NameServerList
old REG_MULTI_SZ =
<empty>

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{5C7C40C3-01A3-48DB-B971-BF269A7C6EFD}\NetbiosOptions
deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableProxy
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22731313-FC79-472F-940F-2E4DF4BCE071}\AddressType
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22731313-FC79-472F-940F-2E4DF4BCE071}\DisableDynamicUpdate
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22731313-FC79-472F-940F-2E4DF4BCE071}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22731313-FC79-472F-940F-2E4DF4BCE071}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22731313-FC79-472F-940F-2E4DF4BCE071}\UdpAllowedPorts
old REG_MULTI_SZ =
0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5C7C40C3-01A3-48DB-B971-BF269A7C6EFD}\NameServer
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8103A190-13D0-41D1-B2D4-2933F1C927B4}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8103A190-13D0-41D1-B2D4-2933F1C927B4}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8103A190-13D0-41D1-B2D4-2933F1C927B4}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8103A190-13D0-41D1-B2D4-2933F1C927B4}\IpAutoconfigurationSeed
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8103A190-13D0-41D1-B2D4-2933F1C927B4}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8103A190-13D0-41D1-B2D4-2933F1C927B4}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8103A190-13D0-41D1-B2D4-2933F1C927B4}\UdpAllowedPorts
old REG_MULTI_SZ =
0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D57B620A-64A8-4ED4-9D01-7D17130F446E}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D57B620A-64A8-4ED4-9D01-7D17130F446E}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D57B620A-64A8-4ED4-9D01-7D17130F446E}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D57B620A-64A8-4ED4-9D01-7D17130F446E}\IpAutoconfigurationSeed
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D57B620A-64A8-4ED4-9D01-7D17130F446E}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D57B620A-64A8-4ED4-9D01-7D17130F446E}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D57B620A-64A8-4ED4-9D01-7D17130F446E}\UdpAllowedPorts
old REG_MULTI_SZ =
0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FCB4F701-CF08-4320-88C6-AC4002BD2E80}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FCB4F701-CF08-4320-88C6-AC4002BD2E80}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FCB4F701-CF08-4320-88C6-AC4002BD2E80}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FCB4F701-CF08-4320-88C6-AC4002BD2E80}\IpAutoconfigurationSeed
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FCB4F701-CF08-4320-88C6-AC4002BD2E80}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FCB4F701-CF08-4320-88C6-AC4002BD2E80}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FCB4F701-CF08-4320-88C6-AC4002BD2E80}\UdpAllowedPorts
old REG_MULTI_SZ =
0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
reset Linkage\UpperBind for USB\VID_0846&PID_6A00\00184D02E3F0. bad value was:
REG_MULTI_SZ =
PSched

reset Linkage\UpperBind for {95C7A0A0-3094-11D7-A202-00508B9D7D5A}\BTWDNDIS\1&30EE4AD&0&1000000020000. bad value was:
REG_MULTI_SZ =
PSched

reset Linkage\UpperBind for PCI\VEN_8086&DEV_1050&SUBSYS_01571028&REV_02\4&1C660DD6&0&40F0. bad value was:
REG_MULTI_SZ =
PSched

reset Linkage\UpperBind for USB\VID_0846&PID_6A00\00184D457DD9. bad value was:
REG_MULTI_SZ =
PSched

reset Linkage\UpperBind for ROOT\MS_NDISWANIP\0000. bad value was:
REG_MULTI_SZ =
PSched

<completed>
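As an added illustration (not code from the thread or from the Windows Repair tool), a small Python parser for the log format pasted above: it turns the reset/added/deleted lines into records, keeps the old REG_MULTI_SZ values, and flags the name-resolution, NetBIOS and port-filter keys a responder would review first after a cleanup. The sample log is a constructed excerpt that mirrors the format above, with placeholder interface GUIDs.

```python
import re
from collections import Counter
# Constructed excerpt mirroring the Windows Repair log format in the thread; GUIDs are placeholders.
SAMPLE_LOG = r"""
reset SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
old REG_MULTI_SZ =
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{GUID-A}\NetbiosOptions
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID-B}\NameServer
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID-B}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset Linkage\UpperBind for ROOT\MS_NDISWANIP\0000. bad value was:
REG_MULTI_SZ =
PSched

<completed>
"""
# One record per action line; a trailing ". bad value was:" is stripped from the key.
ACTION_RE = re.compile(r"^(reset|added|deleted) (.+?)(?:\. bad value was:)?$")
NETWORK_KEYS = ("NameServer", "SearchList", "NetbiosOptions", "TcpAllowedPorts",
                "UdpAllowedPorts", "RawIpAllowedProtocols", "UpperBind")

def parse_repair_log(text):
    """Return [{action, key, old}]; 'old' holds the previous REG_MULTI_SZ entries of a reset key."""
    lines = text.splitlines()
    records, i = [], 0
    while i < len(lines):
        match = ACTION_RE.match(lines[i])
        i += 1
        if not match:
            continue
        rec = {"action": match.group(1), "key": match.group(2), "old": []}
        # A reset line is followed by a REG_MULTI_SZ header and values up to a blank line.
        if i < len(lines) and lines[i].strip().endswith("REG_MULTI_SZ ="):
            i += 1
            while i < len(lines) and lines[i].strip():
                rec["old"].append(lines[i].strip())
                i += 1
            rec["old"] = [v for v in rec["old"] if v != "<empty>"]  # <empty> means no prior value
        records.append(rec)
    return records

def summarize(records):
    """Count actions and flag the keys where DNS/NetBIOS/port-filter tampering shows up."""
    counts = Counter(r["action"] for r in records)
    flagged = [r for r in records if any(k in r["key"] for k in NETWORK_KEYS)]
    return dict(counts), flagged
```

Running `summarize(parse_repair_log(open("repair.log").read()))` on the real log gives the action counts and the short list of network keys worth checking against known-good values.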
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi Vitesse,

Please take a backup of all your important files on the computer. This issue may also be related to some issues with your computer's hard drive.

How is it working in safe mode?
 

Vitesse

New Member
Thread author
Verified
May 15, 2013
31
Hi Kuttus
Sorry but not been able to spend much time on this at present.

Still have most of the back-up from the start of this on USBs but can copy a lot over to the second hard drive.

This got noticeably worse at post 35 when we un-checked items on those two pages, and when I ran the wrong program in the download mentioned just recently, the scan said the hard drive was very slow, gave a figure and stated an expected average which was way higher. I don't really want to run that scan again to get figures.

Is there a solution?

I will check safe mode when I start up next time as I have run out of time today (internet was painfully slow; not sure if PC related or general service at the moment).

Regards
Graham
 

Vitesse

New Member
Thread author
Verified
May 15, 2013
31
OK, started up in safe mode and it was quicker (not fast, but I would say possibly faster than pre-infection).
Started up again as normal and again slow, Firewall warning (clicked on balloon to fix problem and by time it opened the firewall was showing as on). Quite a long period before internet opened and was slow to connect to homepage and very slow to open MalwareTips and go from page to page...but opens up other sites pretty quickly - so seems to be working OK depending on websites.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
What are the antivirus programs installed on the computer? Remove all those and check how it is working.
 

Vitesse

New Member
Thread author
Verified
May 15, 2013
31
The only one I had prior to this is AVG. All others have been installed from this thread. Which are termed as anti-virus?

Can these be disabled rather than removed?
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Remove all antivirus programs installed on the computer.

Let's try this one also.

Please run Autoruns and send me screenshots of the Scheduled Tasks, Winlogon and Internet Explorer tabs.


To take a screenshot of your screen:
  1. Press the PRINT SCREEN (Print Scr) key on your keyboard.
  2. Now open MS Paint.
  3. Open Paint by clicking the Start button, clicking All Programs, clicking Accessories, and then clicking Paint.
  4. In MS Paint click Edit, and then click Paste.
  5. After this, save the file on your computer by clicking File --> Save.
Add this saved file in your next reply.
 
