Homeland Virus User "A/B" issue

fisher_girl

New Member
Thread author
Verified
Jun 1, 2013
36
I saw a post on this site from "Kuttus" about the aftermath of the FBI virus and wondered if that would help with this virus as well. It stated, after going to the blank screen in "user A":

"Now press on Ctrl + Alt + Delete key on Your Keyboard.... Now it will show you one Task manager. In the task manager Click on File -- > New Task. Inside the New Task Window Type c:\WINDOWS\explorer.exe and press on Ok." then...

step 2
"1.Download the WinlogOnFix.reg file to fix the malicious registry changes from This infection.
REGISTRYFIX.REG DOWNLOAD LINK (This link will automatically download the registry fix called WinlogonFix.reg)
2.Double-click on WinlogonFix.reg file to run it. Click “Yes” for Registry Editor prompt window,then click OK"

Thank you for any and all help. I've had my computer for ten years and this is my first really bad "owie". -fisher_girl (catch and release).
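The two steps quoted above (relaunching explorer.exe from Task Manager, then importing a WinlogonFix.reg) both go after the Winlogon registry values that screen-locker infections of this family overwrite so that the locker, rather than explorer.exe, starts at logon. The script below is an added example written for this page; it is not the WinlogonFix.reg from the linked post and not MalwareTips' own tool. It compares the Shell and Userinit values under HKLM and HKCU with a clean baseline and renders a .reg file that deletes any per-user override and restores the machine-wide defaults. Only the .reg-file approach and the one-account-works, one-account-blank symptom come from the thread; the key path, the baseline values (a default C:\Windows install) and the assumption that Windows honours a per-user HKCU Winlogon\Shell ahead of the machine-wide one are the example's own, and are marked as such in the code.

```python
"""Winlogon Shell / Userinit check for the blank-desktop-in-one-account symptom.

Added example, not from the MalwareTips thread.  Assumptions (not stated on the
page): the locker is started through the per-user Winlogon\Shell value, which
Windows honours ahead of the machine-wide one; Windows is installed at C:\Windows.
The script only reads the registry; it prints .reg text for you to review and
import yourself.
"""
import sys

WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULTS = {"Shell": "explorer.exe",
            "Userinit": r"C:\Windows\system32\userinit.exe,"}   # assumed clean baseline


def check_winlogon(values, hive):
    """Compare one hive's Winlogon values with the baseline.

    values: dict of value name -> string as read from the key (missing = absent).
    hive:   "HKLM" or "HKCU".
    Returns a list of (hive, value_name, current_value) that need attention.
    """
    findings = []
    for name in ("Shell", "Userinit"):
        current = values.get(name)
        if hive == "HKCU":
            # A clean profile has no per-user Shell/Userinit at all; anything
            # here replaces explorer.exe for that account only.
            if current is not None:
                findings.append((hive, name, current))
        elif (current or "").strip().lower() != DEFAULTS[name].lower():
            findings.append((hive, name, current))
    return findings


def build_fix_reg(findings):
    """Render .reg text: delete per-user overrides, restore machine-wide defaults."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    per_user = [name for hive, name, _ in findings if hive == "HKCU"]
    machine = [name for hive, name, _ in findings if hive == "HKLM"]
    if per_user:
        lines.append("[HKEY_CURRENT_USER\\" + WINLOGON_SUBKEY + "]")
        lines += ['"%s"=-' % name for name in per_user]        # "=-" deletes the value
        lines.append("")
    if machine:
        lines.append("[HKEY_LOCAL_MACHINE\\" + WINLOGON_SUBKEY + "]")
        lines += ['"%s"="%s"' % (name, DEFAULTS[name].replace("\\", "\\\\"))
                  for name in machine]                         # .reg doubles backslashes
        lines.append("")
    return "\r\n".join(lines)


def read_winlogon(hive):
    """Read the live Shell/Userinit values on Windows; returns {} elsewhere."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg
    root = winreg.HKEY_CURRENT_USER if hive == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    values = {}
    try:
        with winreg.OpenKey(root, WINLOGON_SUBKEY) as key:
            for name in ("Shell", "Userinit"):
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass            # value simply not present
    except OSError:
        pass                        # key missing or access denied: reported as findings
    return values


if __name__ == "__main__":
    # Run this from the affected account so HKCU is that user's hive.
    findings = []
    for hive in ("HKLM", "HKCU"):
        findings += check_winlogon(read_winlogon(hive), hive)
    for hive, name, value in findings:
        print("%s\\%s\\%s = %r" % (hive, WINLOGON_SUBKEY, name, value))
    if findings:
        print(build_fix_reg(findings))
```

Run it while logged on as the affected account (user A), because HKCU is only that user's hive when that user is logged on; from user B you would have to load user A's NTUSER.DAT under HKEY_USERS instead. Read the printed .reg text before importing it: a third-party shell or a custom Userinit will also be reported, and the script never writes to the registry itself.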
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or that you will need to take your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
<hr />

Which Operating system are you using?
 

fisher_girl

New Member
Thread author
Verified
Jun 1, 2013
36
kuttus said:
(quotes the previous post in full)
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Can you please try to run a scan with Farbar Recovery Scan Tool. You will need a USB (Flash) pendrive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.
 

fisher_girl

New Member
Thread author
Verified
Jun 1, 2013
36
I don't have access to a flash drive...any alternatives? If not, how expensive is a flash drive? ALSO

I CAN reboot the computer and get a screen and access "user B" but not "user A" if that helps.. Can I run Farbar Recovery from user B?
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay. Please log in to User B and run the following from User B.

STEP 1: Run a scan with OTL by OldTimer
  1. Download the OTL utility using the below link:
     OTL DOWNLOAD LINK: http://oldtimer.geekstogo.com/OTL.exe (This link will automatically download OTL on your computer)
  2. Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  3. When the window appears, underneath Output at the top change it to Minimal Output.
  4. Check the boxes beside LOP Check and Purity Check.
  5. Click the Run Scan button.
  6. When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
     Please post these 2 logs in your next reply.

Settings you need to select in OTL
  1. Click the Scan All Users checkbox.
  2. Change Standard Registry to All.
  3. Check the boxes beside LOP Check and Purity Check.
Note: If OTL.exe will not run, it may be blocked by malware. Try these alternate versions: OTL.scr (http://www.itxassociates.com/OT-Tools/OTL.scr) or OTL.com (http://oldtimer.geekstogo.com/OTL.com).

<hr />
 

fisher_girl

New Member
Thread author
Verified
Jun 1, 2013
36
I was able to run OTL just fine. I checked the "minimal" box. I don't know if that referred to the OTL and Extras Notepad documents, but they seem quite long. I've attached them.
 

Attachments

  • Extras.Txt (62.8 KB)
  • OTL.Txt (131.2 KB)

fisher_girl

New Member
Thread author
Verified
Jun 1, 2013
36
fisher_girl said:
I was able to run OTL just fine. I checked the "minimal" box. I don't know if that referred to the OTL and Extras Notepad documents, but they seem quite long. I've attached them.

I should note that "od" is user A in the above referenced issue and that I had a typo in the original post. The issue did not happen on 3/30... it happened on 5/30. Thanks again for help.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 1: Run the below OTL fix
  1. Start OTL.exe
  2. Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL.
Code:
:OTL
[2009/01/31 01:24:12 | 000,000,000 | ---D | M] (No name found) -- C:\Users\od\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2013/02/25 03:19:23 | 000,021,487 | ---- | M] () (No name found) -- C:\Users\od\AppData\Roaming\mozilla\firefox\profiles\3n51itv5.default\extensions\plugin@yontoo.com.xpi
[2013/02/10 05:10:55 | 000,020,591 | ---- | M] () (No name found) -- C:\Users\od\AppData\Roaming\mozilla\firefox\profiles\3n51itv5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2011/10/29 00:32:31 | 000,001,945 | ---- | M] () -- C:\Users\od\AppData\Roaming\mozilla\firefox\profiles\3n51itv5.default\searchplugins\bing-zugo.xml
O3 - HKU\S-1-5-21-4064688261-3020506512-3484179790-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-4064688261-3020506512-3484179790-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.113.32.29 24.113.32.30 24.113.0.30
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7CE36365-C172-44CC-B6BF-306BFD008961}: DhcpNameServer = 24.113.32.29 24.113.32.30 24.113.0.30
[2010/12/25 23:11:06 | 000,000,004 | ---- | C] () -- C:\Users\od\AppData\Roaming\2CC495
[2010/12/25 23:11:05 | 000,870,128 | ---- | C] () -- C:\Users\od\AppData\Roaming\mcs.rma
[2010/05/11 23:22:37 | 000,000,972 | ---- | C] () -- C:\Users\od\AppData\Roaming\wklnhst.dat
[2009/04/23 16:59:45 | 000,422,947 | ---- | C] () -- C:\Users\od\OfficeAsst3ExtENTIRE.pdf
[2009/03/25 04:04:31 | 000,002,516 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2009/03/25 04:04:31 | 000,000,088 | RHS- | C] () -- C:\ProgramData\DEE3F54F59.sys
[2008/12/15 13:40:10 | 000,022,528 | ---- | C] () -- C:\Users\od\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/12 15:47:10 | 000,000,680 | ---- | C] () -- C:\Users\od\AppData\Local\d3d9caps.dat
[2013/01/29 05:21:49 | 000,000,000 | ---D | M] -- C:\Users\od\AppData\Roaming\0T1F0D1F2W1G1I1F1T1Q


:commands
[emptytemp]
[reboot]
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  3. Then click the Run Fix button at the top.
  4. Let the program run unhindered; reboot when it is done.
  5. Attach the new log produced by OTL (C:\_OTL).

<hr />
 
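The fix script above is assembled from OTL log entries: timestamped file records of the form `[date time | size | attrs | C/M] (company) -- path` and HijackThis-style O-lines (O3 for toolbars, O17 for DNS servers). Choosing which lines go into a fix is normally done by eye from the full OTL.Txt. The parser below is an added example written for this page, not part of OTL and not Kuttus's method: it parses both record types, pulls the DhcpNameServer addresses out of O17 lines so they can be compared with the ISP's published resolvers, and applies three review heuristics (random-looking names, hidden/system files outside C:\Windows, toolbar entries whose CLSID no longer exists). The sample log is a subset of the script above; the heuristics and their thresholds are the example's own choices and mark items for a human look, not as malware.

```python
"""Parse OTL log entries and apply a few review heuristics.

Added example for this thread; not part of OTL and not the helper's own
procedure.  SAMPLE_LOG is copied from the fix script posted in the thread.
The heuristics are review prompts, not verdicts: hidden .sys files under
ProgramData, for instance, are often licensing artifacts of legitimate software.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "timestamp size attrs kind name path")
OLine = namedtuple("OLine", "section body")

# [date time | size | attrs | C/M] (company) -- path   (attrs = R H S D flags)
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\](?P<name>.*?) -- (?P<path>.+)$"
)
# O<n> - <body>   (O3 toolbars, O17 TCP/IP parameters, ...)
O_RE = re.compile(r"^O(?P<section>\d+) - (?P<body>.+)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

SAMPLE_LOG = r"""
:OTL
[2013/02/25 03:19:23 | 000,021,487 | ---- | M] () (No name found) -- C:\Users\od\AppData\Roaming\mozilla\firefox\profiles\3n51itv5.default\extensions\plugin@yontoo.com.xpi
O3 - HKU\S-1-5-21-4064688261-3020506512-3484179790-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.113.32.29 24.113.32.30 24.113.0.30
[2010/12/25 23:11:06 | 000,000,004 | ---- | C] () -- C:\Users\od\AppData\Roaming\2CC495
[2010/05/11 23:22:37 | 000,000,972 | ---- | C] () -- C:\Users\od\AppData\Roaming\wklnhst.dat
[2009/03/25 04:04:31 | 000,002,516 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2009/03/25 04:04:31 | 000,000,088 | RHS- | C] () -- C:\ProgramData\DEE3F54F59.sys
[2013/01/29 05:21:49 | 000,000,000 | ---D | M] -- C:\Users\od\AppData\Roaming\0T1F0D1F2W1G1I1F1T1Q
:commands
[emptytemp]
[reboot]
"""


def parse_line(line):
    """Return an Entry, an OLine, or None for lines in neither format."""
    m = FILE_RE.match(line)
    if m:
        return Entry(m["ts"], int(m["size"].replace(",", "")), m["attrs"],
                     m["kind"], m["name"].strip(), m["path"])
    m = O_RE.match(line)
    if m:
        return OLine(int(m["section"]), m["body"])
    return None


def parse_log(text):
    return [e for e in (parse_line(l.strip()) for l in text.splitlines()) if e]


def looks_random(path):
    """Heuristic: leaf name of 6+ alphanumerics with at least 30% digits (2CC495)."""
    stem = path.rsplit("\\", 1)[-1].split(".", 1)[0].replace("-", "")
    if len(stem) < 6 or not stem.isalnum():
        return False
    return sum(c.isdigit() for c in stem) / len(stem) >= 0.3


def triage(text):
    """Return (reason, item) pairs that deserve a human look."""
    flags = []
    for item in parse_log(text):
        if isinstance(item, Entry):
            hidden = "H" in item.attrs or "S" in item.attrs
            if hidden and not item.path.lower().startswith("c:\\windows\\"):
                flags.append(("hidden/system file outside Windows directory", item.path))
            if looks_random(item.path):
                flags.append(("random-looking name", item.path))
            if "No name found" in item.name:
                flags.append(("file with no publisher/name", item.path))
        elif item.section == 3 and item.body.endswith("No CLSID value found."):
            flags.append(("orphaned toolbar reference", item.body))
    return flags


def dns_servers(text):
    """DhcpNameServer addresses from O17 lines, for checking against the ISP's resolvers."""
    ips = set()
    for item in parse_log(text):
        if isinstance(item, OLine) and item.section == 17 and "NameServer" in item.body:
            ips.update(IPV4_RE.findall(item.body))
    return ips


if __name__ == "__main__":
    for reason, what in triage(SAMPLE_LOG):
        print("%-45s %s" % (reason, what))
    print("DNS servers to verify:", sorted(dns_servers(SAMPLE_LOG)))
```

Feed it a full OTL.Txt and the flagged subset is what you then look up by hand; the O17 addresses should match what the ISP hands out over DHCP, since a changed resolver is the one entry in this list that affects every account on the machine rather than one profile.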

fisher_girl

New Member
Thread author
Verified
Jun 1, 2013
36
Have copied it and will run the script. I'll cross my fingers that it works and can start up after the reboot. I will send you the log. Am doing it now.
 

fisher_girl

New Member
Thread author
Verified
Jun 1, 2013
36
I ran the script and rebooted. I thought I saved the log in notepad but now cannot find it. It was under OTL/Cleanup. Can I retrieve the log on OTL? Sorry for being so much trouble.
 

fisher_girl

New Member
Thread author
Verified
Jun 1, 2013
36
kuttus said:
Okay...... No issues... I am here only... :)

I tried to log into the user "A" page and am still getting the "c:users/od/documents/5929c3ae (dot) exe is not recognized as an internal or external command, operable program or batch file" message. This is the same file name as a dll that Malwarebytes quarantined but did not remove.

Would it help if you saw the log from when I ran the Malwarebytes program that removed the virus? Should I run the script again? I feel like such an idiot that I didn't check the file path when saving the OTL script I ran.
 

fisher_girl

New Member
Thread author
Verified
Jun 1, 2013
36
It is very late here. I need to leave. Will check back in later today. Thank you again for your help. I'm sorry I lost that log on OTL. I'm attaching the Malwarebytes log in case it will help. - f_g
 

Attachments

  • malware log.txt (2.7 KB)

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Are you able to see the desktop icons of user account A?

If no:

Press Ctrl + Alt + Delete on your keyboard. Task Manager will appear. In Task Manager click File --> New Task. In the New Task window type c:\WINDOWS\explorer.exe and press OK.

If you are able to see the desktop icons of user account A, run OTL from that account once more.
 

fisher_girl

New Member
Thread author
Verified
Jun 1, 2013
36
I was able to find the icons and download OTL from the user "A" page, which I am using currently. I ran it several times and did not find an "Extras" file. I'm attaching the OTL log file. I did not run the script you provided because I was not sure if something in this log file from this user would do damage.
One thing I did not note in previous posts was that I did disconnect my camera once I "contracted" the virus. I don't know if I should reconnect it to make a fix work. And, this probably doesn't matter, but I did notice while OTL was running it went very quickly until it got to "c:\drivers\AVGIDSHX..."; after passing the driver section with AVG it sped up again.
Thanks again for all your help. I'm using the "A" side now hoping the fixes will work better, but not using it for anything more than the fixes.
 

Attachments

  • OTL1.Txt (118.1 KB)

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 1: Run the below OTL fix
  1. Start OTL.exe
  2. Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL.
Code:
:OTL
[2013/05/02 22:56:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\od\AppData\Roaming\mozilla\Firefox\Profiles\3n51itv5.default\extensions\staged
[2013/02/25 03:19:23 | 000,021,487 | ---- | M] () (No name found) -- C:\Users\od\AppData\Roaming\mozilla\firefox\profiles\3n51itv5.default\extensions\plugin@yontoo.com.xpi
[2013/02/10 05:10:55 | 000,020,591 | ---- | M] () (No name found) -- C:\Users\od\AppData\Roaming\mozilla\firefox\profiles\3n51itv5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2011/10/29 00:32:31 | 000,001,945 | ---- | M] () -- C:\Users\od\AppData\Roaming\mozilla\firefox\profiles\3n51itv5.default\searchplugins\bing-zugo.xml
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.


:commands
[emptytemp]
[reboot]
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  3. Then click the Run Fix button at the top.
  4. Let the program run unhindered; reboot when it is done.
  5. Attach the new log produced by OTL (C:\_OTL).

<hr />


Please run Autoruns and send me screenshots of the Scheduled Tasks, Winlogon and Internet Explorer tabs.


To take a screenshot of your screen:
  1. Press the PRINT SCREEN (Print Scr) key on your keyboard.
  2. Open Paint by clicking the Start button, clicking All Programs, clicking Accessories, and then clicking Paint.
  3. In MS Paint click Edit, and then click Paste.
  4. Save the file on your computer by clicking File --> Save.
Add this saved file to your next reply.
 

fisher_girl

New Member
Thread author
Verified
Jun 1, 2013
36
I ran the script in "fix". After the reboot I did need to use the ctrl+alt+del to access task manager.. and open the explorer file. I did manage to save the file that was there. I've attached it.
 

Attachments

  • 06022013_232645fix.txt (4.4 KB)
