Solved LaSuperba or some malware has taken over my computer!

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Let's try this:

  • Press the Windows key + R on your keyboard at the same time. Type regedit and click OK.
  • Navigate to HKEY_LOCAL_MACHINE --> SYSTEM --> CurrentControlSet --> services
  • Now you need to find TCPIP service
  • Right click on it, choose Permissions and select NETWORK SERVICE
  • Check Full Control and confirm with OK.
  • Restart your PC.

Then for both TCPIP and DHCP services do this:

  • Navigate to both services one by one.
  • Right click on it, choose Permissions, then Advanced and then tick Replace all child object permissions with inheritable permissions from this object.
  • Click OK.
  • After doing this for both services, restart your PC.
Then try to start DHCP service.
 

Halls

New Member
Thread author
Verified
Oct 13, 2015
62
Still won't let me start DHCP. I'm not positive I did the permissions correctly...after checking the "replace all child object permissions..." box I hit apply and it prompted me with a do you wish to continue box, I hit Yes and then the check mark disappears...does that for both DHCP and TCPIP.
 

TwinHeadedEagle

Let's try this:


Check Disk
  • Press the Windows key + R on your keyboard at the same time. Type cmd and click OK.
  • Copy/Enter the command below and press Enter:
    Code:
    chkdsk C: /r
  • You should get a message to schedule Check Disk at next system restart. Please type Y and press Enter.
  • All you should do now is to restart your PC and let the Check Disk process finish uninterrupted.
Check Disk report:
  • Press the Windows key + R on your keyboard at the same time. Type eventvwr and click OK.
  • In the left panel, expand Windows Logs and then click on Application.
  • Now, on the right side, click on Filter Current Log.
  • Under Event Sources, check only Wininit and click OK.
  • Now you'll be presented with one or multiple Wininit logs.
  • Click on an entry corresponding to the date and time of the disk check.
  • On the top main menu, click Action > Copy > Copy Details as Text.
  • Paste the contents into your next reply.
 

Halls

No longer getting the "unauthorized Windows" message! But, still not able to connect to my wireless...
 

Halls

Here are both reports.

I'll have to see if I can connect that way, not sure.
 

Attachments

  • FRST.txt
    61.5 KB · Views: 2
  • Addition.txt
    30.8 KB · Views: 1

TwinHeadedEagle

Try and let me know.



Scan with Farbar Service Scanner

Download Farbar Service Scanner by Farbar and save it to your desktop.

  • Right-click on the Farbar Service Scanner icon and select Run as Administrator to start the tool.
  • Make sure all of the options are checked!
  • Press Scan.
  • It will create a log (FSS.txt) in the same directory the tool is run.

Please include that log in your next reply.



Scan with TDSSKiller

Please download TDSSKiller by Kaspersky and save it to your desktop.

  • Right-click on the TDSSKiller icon and select Run as Administrator to start the tool.
  • Click on Change parameters and put a checkmark beside Loaded modules. A reboot will be needed to apply the changes, allow it to do so.
  • Your machine may appear very slow and unusable after that - it's normal.
  • TDSSKiller will run automatically. Click on Change parameters and click OK.
  • Click the Start Scan button and wait patiently.

If anything is found, follow these guidelines:
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    If Cure is not available, please choose Skip instead.
  • Do not choose Delete unless instructed!

A report will be created in your root directory, (usually C:\ drive) in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt. Please include the contents of that file in your next post.
 

Halls

I've never actually tried to connect to a wired connection before but just tried and keep getting error 651; not sure if I'm doing something incorrectly or what.


Attached is the FSS log. The TDSS scan didn't detect anything but it created 3 reports.
 

Attachments

  • FSS.txt
    3 KB · Views: 5
  • TDSSKiller.3.1.0.5_27.10.2015_22.32.37_log.txt
    490 bytes · Views: 0
  • TDSSKiller.3.1.0.5_27.10.2015_22.32.49_log.txt
    4.7 KB · Views: 0
  • TDSSKiller.3.1.0.5_27.10.2015_22.37.03_log.txt
    720.4 KB · Views: 2

TwinHeadedEagle

Let's try this:

subinacl.exe /subkeyreg "HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\dhcp" /grant="Local Service"

subinacl.exe /subkeyreg "HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\tcpip" /grant="Local Service"

subinacl.exe /subkeyreg "HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\dhcp" /grant="Network Service"

subinacl.exe /subkeyreg "HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\dhcp" /grant="Network Service"

Restart your PC.
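
A read-only way to confirm what the regedit and subinacl steps in this thread actually left on the Dhcp and Tcpip service keys, as an added example that is not part of the original posts: it lists every access rule held by LOCAL SERVICE and NETWORK SERVICE on both keys and their subkeys. The function name and report columns are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only audit of the permissions the steps above change.
# Run from an elevated PowerShell 3.0+ prompt; no ACL is modified.
$serviceKeys = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dhcp',
               'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip'
# Well-known SIDs, so the check also works on non-English Windows.
$accounts = @{ 'S-1-5-19' = 'LOCAL SERVICE'; 'S-1-5-20' = 'NETWORK SERVICE' }

# Hypothetical helper: one output row per matching access rule.
function Get-ServiceKeyAclReport {
    param([string[]]$Path, [hashtable]$Account)
    foreach ($root in $Path) {
        # Root key plus all subkeys, because the thread also resets child permissions.
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            try { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop }
            catch {
                # Report keys whose ACL cannot be read instead of skipping them.
                [pscustomobject]@{ Key = $key.Name; Account = '(ACL unreadable)'
                    Rights = $null; Type = $null; Inherited = $null; InheritanceOff = $null }
                continue
            }
            # Ask for rules keyed by SID (explicit and inherited).
            $rules = $acl.GetAccessRules($true, $true,
                         [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                $sid = $rule.IdentityReference.Value
                if ($Account.ContainsKey($sid)) {
                    [pscustomobject]@{
                        Key            = $key.Name
                        Account        = $Account[$sid]
                        Rights         = $rule.RegistryRights
                        Type           = $rule.AccessControlType
                        Inherited      = $rule.IsInherited
                        InheritanceOff = $acl.AreAccessRulesProtected
                    }
                }
            }
        }
    }
}

Get-ServiceKeyAclReport -Path $serviceKeys -Account $accounts |
    Sort-Object Key, Account | Format-Table -AutoSize
```

Rows with Inherited set to False are explicit grants on that key; InheritanceOff set to True marks a subkey that will not pick up permissions pushed down from its parent.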
 

TwinHeadedEagle

Let's try to do something from recovery environment:


Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.
  • Plug the flash drive into the infected PC.
  • Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer
  • Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.
  • In the Choose Recovery Tool menu select Command Prompt.
  • You will see a big black window with a blinking cursor (command prompt).



    Access the notepad and identify your USB drive

    In the Command Prompt please type in:
    Code:
    notepad
    and press Enter.
  • When the notepad opens, go to File menu.
  • Select Open.
  • Go to Computer and search there for your USB drive letter.
  • Note down the letter and close the notepad.



    Scan with Farbar Recovery Scan Tool

    Once back in the command prompt window, please do the following:
  • Type in e:\frst64.exe and press Enter.
    You need to replace e with the letter of your USB drive taken from notepad!
  • FRST will start to run. Give it a minute or so to load itself.
  • Click Yes to Disclaimer.
  • In the main console, please click Scan and wait.
  • When finished it will produce a logfile named FRST.txt in the root of your pendrive and display it. Close that logfile.

    Transfer it to your clean machine and include it in your next reply.
 

TwinHeadedEagle

Okay, let's search from recovery environment too:

FRST search

Once again we shall use FRST for additional checks. Re-run FRST/FRST64:
  • Copy dnsapi.dll into the Search: field in FRST then click the Search Files button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.
 
