
Combofix stalls

Discussion in 'Windows - Virus and spyware problems' started by Paynor, Dec 25, 2013.

  1. Paynor

    2oG -

    Just tried that, running ComboFix from the command line with the /killall switch.
    ComboFix still stalls at the same point, after a burst of HD activity and showing
    "... However, scan times for badly infected machines may easily double"
     
  2. Paynor

    JRT failed to delete a Firefox plugin with the name "avg_igeared.xml". So I opened it in Notepad to take a look; to my newbie eyes it looks like a very long cookie. Is that normal for an AVG plugin?

    <?xml version="1.0"?>
    <SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
      <ShortName>AVG Secure Search</ShortName>
      <Description>AVG Secure Search</Description>
      <InputEncoding>UTF-8</InputEncoding>
      <Image height="16" width="16">data:image/png;base64,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</Image>
      <Url template="http://search.avg.com/route/?d=4bbcd9ad&amp;v=7.005.030.004&amp;i=23&amp;tp=chrome&amp;q={searchTerms}&amp;lng=en-GB&amp;iy=&amp;ychte=ca" method="GET" type="text/html"/>
      <Url template="http://suggestqueries.google.com/complete/search?output=firefox&amp;client=firefox&amp;hl={moz:locale}&amp;q={searchTerms}" method="GET" type="application/x-suggestions+json"/>
      <SearchForm>http://search.avg.com/route/?d=4bbcd9ad&amp;v=7.005.030.004&amp;i=23&amp;tp=chrome&amp;lng=en-GB&amp;iy=&amp;ychte=ca</SearchForm>
    </SearchPlugin>
     
  3. 2oldGeek

    Paynor,
    After looking over the logs and not being able to find the bot that is responsible for this,
    I must advise you to PM Gringo at Malwarebytes and allow him to attempt a cleaning of your computer. He is very good and has more knowledge of the newer tools that will be required to remove this nasty sucker… I could remove a lot of this stuff that is showing in the logs, but it would not remove the hidden part, which is the real problem, and might cause problems for Gringo.


    Your Trusted Zone is being used by the bot to setup your computer as a server…
    They have loaded your Trusted Zone with Digital Certificates from Denmark. I don't think that you are there.
    Trusted certificates are typically used to make secure connections to a server over the Internet. A certificate is required in order to avoid the case that a malicious party which happens to be on the path to the target server pretends to be the target. Such a scenario is commonly referred to as a man-in-the-middle attack. They are probably being used for a different purpose in this instance. I really don’t know.


    192.168.2.1 is your LAN address that’s being used as the server.
    From the OTL Log:
    O15 - HKLM\..Trusted Domains: certifikat.dk ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: certifikat.dk ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: danid.dk ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: danid.dk ([]https in Trusted sites)
    O15 - HKLM\..Trusted Domains: nets-danid.dk ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: nets-danid.dk ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-1118010790-1470065544-1912479761-1000\..Trusted Domains: certifikat.dk ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-1118010790-1470065544-1912479761-1000\..Trusted Domains: certifikat.dk ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-1118010790-1470065544-1912479761-1000\..Trusted Domains: danid.dk ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-1118010790-1470065544-1912479761-1000\..Trusted Domains: danid.dk ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-1118010790-1470065544-1912479761-1000\..Trusted Domains: nets-danid.dk ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-1118010790-1470065544-1912479761-1000\..Trusted Domains: nets-danid.dk ([]https in Trusted sites)
    O15 - HKU\S-1-5-21-1118010790-1470065544-1912479761-1000\..Trusted Domains: virk.dk ([]https in Trusted sites)
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0444CCCA-83EA-439C-A9C9-F2F5D0A3DFAB}: DhcpNameServer = 192.168.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{07D255C3-A699-413A-88A5-9EEF785E4DB3}: DhcpNameServer = 192.168.2.1



    Please let me know how this turns out.
    2oG
     
  4. Paynor

    2oG

    Thanks for your suggestions so far. Yes, in most parts of the world, having trusted domains in Denmark would be unusual on a computer. But in fact, the computer does have a few legitimate digital certificates and trusted sites from Denmark.
    Re. the DHCP server on 192.168.2.1: I had another PC on the network on which I was using a DNS proxy (and DHCP server), and this was the assigned address of the proxy. I probably set it manually on this computer. But I am unsure whether the registry key you quoted indicates that there is a DHCP server installed on the computer in question, or whether it just manually points the computer, on that network interface, to an external LAN address on which a DHCP server is running.

    Will now follow your advice with the PM to reopen the MWB forum topic. All the best.
     
    Last edited: Dec 30, 2013
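    Added example, not written by any poster in this thread: a read-only PowerShell script that lists the same two things the OTL log lines above come from, so each entry can be checked against what the machine's owner actually configured. The O15 lines are the per-domain security-zone assignments stored under `Internet Settings\ZoneMap\Domains` (zone 2 is "Trusted sites"); the O17 lines are the `DhcpNameServer` values under `Tcpip\Parameters` and its per-interface subkeys. Registry paths and zone numbers are standard Windows locations; the function names and the output layout are the example's own choices.

```powershell
# Added example, not from any poster in this thread. Read-only: it lists the
# security-zone domain assignments that OTL reports as O15 lines and the DNS
# server values it reports as O17 lines, for review against the owner's intent.

# Zone numbers stored in the ZoneMap\Domains values ('Trusted sites' is 2).
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapDomains {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    # HKCU is the logged-on user's hive; OTL shows the same data as HKU\<SID>.
    $root = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path -Path $root)) { return }
    # Each domain is a key (subdomains are nested keys); the zone is a DWORD value
    # named after the scheme it applies to: 'http', 'https' or '*'.
    foreach ($key in Get-ChildItem -Path $root -Recurse) {
        $parts = ($key.Name -replace '.*\\Domains\\', '') -split '\\'
        [array]::Reverse($parts)          # Domains\example.com\www -> www.example.com
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            [pscustomobject]@{
                Hive   = $Hive
                Domain = $parts -join '.'
                Scheme = $scheme
                Zone   = if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { "zone $zone" }
            }
        }
    }
}

function Get-TcpipNameServers {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    # The global key plus one key per network-interface GUID.
    $keys = @(Get-Item -Path $base) + @(Get-ChildItem -Path "$base\Interfaces")
    foreach ($key in $keys) {
        [pscustomobject]@{
            Key            = $key.Name -replace '.*\\Tcpip\\', 'Tcpip\'
            # DhcpNameServer: DNS server address(es) received with the DHCP lease.
            DhcpNameServer = $key.GetValue('DhcpNameServer')
            # NameServer: DNS server address(es) configured statically on this PC.
            NameServer     = $key.GetValue('NameServer')
        }
    }
}

# Show only the entries that matter for the review: Trusted-sites assignments
# and interfaces that actually carry a DNS server setting.
'HKLM', 'HKCU' | ForEach-Object { Get-ZoneMapDomains -Hive $_ } |
    Where-Object { $_.Zone -eq 'Trusted sites' } | Format-Table -AutoSize

Get-TcpipNameServers |
    Where-Object { $_.DhcpNameServer -or $_.NameServer } | Format-Table -AutoSize
```

    Run it in an elevated PowerShell on the machine being reviewed. Every row in the first table should correspond to an O15 line, and any domain the owner does not recognise is the one to look at. On the DNS side, `DhcpNameServer` records the DNS server address that the DHCP server on the network handed to this client; it does not indicate that a DHCP server is installed on the PC itself. A value of 192.168.2.1 on an interface therefore means the DHCP server reachable from that interface told the PC to use 192.168.2.1 for DNS, and a static override would show up in `NameServer` instead.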
  5. 2oldGeek

    Not being there and having no prior knowledge of how and what this computer is used for, I could probably screw up its functionality in a heartbeat...


    I do hope everything works out and wish you luck.

    2oG
     
  6. 2oldGeek

    Glad to see that Gringo reopened the thread. I'll be watching in the background to get some tips.

    I'm pulling for you.

    2oG
     
  7. 2oldGeek

    @ddp you around tonight?
     