TrojanDownloader:win32/Unruy.H - Geeks to Go Forums


TrojanDownloader:win32/Unruy.H

#76 RKinner

  • Group: Expert
  • Posts: 10,637
  • Joined: 19-April 05

Posted 14 March 2012 - 10:46 PM

We could make the bat file loop:


cls
:start
net start dhcp
rem print the exit code net start returned (a bare %errorlevel% would be run as a command)
echo %errorlevel%
goto start



Hate to leave it running though. Need to figure out how to detect that dhcp is running. Go ahead and try this one though, just to see if it will work. You can call it "test.bat" and put it on your desktop. To stop it just hit Ctrl + C then Y. When I run it on my Win 7 it tells me the errorlevel is 2. I would think you would get a 0 when it finally works for the first time, then a 2 after that. The question is, do you get a 1 or some other number when it fails to start?
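An added example of the "detect that dhcp is running" idea from the post above (editor's example, not Ron's script): it asks sc.exe for the DHCP Client state, retries net start only while the service is not RUNNING, waits between attempts instead of spinning, and logs the afd driver state on each try. It assumes a Windows 7 cmd.exe with sc.exe, find.exe and timeout.exe available.

```batch
@echo off
rem Editor's example, not from the thread: retry "net start dhcp" until the
rem DHCP Client service reports RUNNING, with a bounded number of attempts.
rem Assumes Windows 7 cmd.exe with sc.exe, find.exe and timeout.exe present.
setlocal
set /a tries=0
set /a maxtries=60

:start
rem "sc query" prints the service state; find sets errorlevel 0 on a match.
sc query dhcp | find "RUNNING" >nul
if %errorlevel%==0 goto running

rem Record what the afd driver is doing at the moment dhcp fails to come up.
echo --- attempt %tries% ---
sc query afd | find "STATE"

net start dhcp
echo net start dhcp returned errorlevel %errorlevel%

set /a tries+=1
if %tries% geq %maxtries% goto giveup
rem Wait 5 seconds between attempts so the loop does not hammer the service.
timeout /t 5 /nobreak >nul
goto start

:running
echo DHCP Client service is running after %tries% retries.
endlocal
exit /b 0

:giveup
echo DHCP Client service did not start after %maxtries% attempts.
endlocal
exit /b 1
```

Run it from a command prompt (rather than double-clicking) so the per-attempt output stays on screen after the script exits.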

#77 Steven Gottlieb

  • Group: Member
  • Posts: 59
  • Joined: 02-March 12

Posted 14 March 2012 - 10:48 PM

Ron,
Where do I put cls :start net start dhcp %errorlevel% goto start??
Steven

#78 RKinner

  • Group: Expert
  • Posts: 10,637
  • Joined: 19-April 05

Posted 14 March 2012 - 10:54 PM

Just like we did the dhcp.bat

Copy

cls
:start
net start dhcp
rem print the exit code net start returned (a bare %errorlevel% would be run as a command)
echo %errorlevel%
goto start


Open Notepad and paste it in (make sure there is an Enter after the last line), and then File, Save As "test.bat".

Then reboot, and when you see the desktop, double click test.bat and it should start running.

Does the internet start working without you having to do anything? Hit Ctrl + C to stop the test.bat or just X it to kill the whole thing.

#79 Steven Gottlieb

  • Group: Member
  • Posts: 59
  • Joined: 02-March 12

Posted 14 March 2012 - 11:11 PM

Ron,
You are certainly getting closer to putting this puzzle together. OK, here goes: clicking on the test.bat file just brings up the command prompt with net start dhcp and nothing else UNLESS you wait the infamous 2 minutes, and then if I click on it, it runs.
Thank you,
Steven

#80 Steven Gottlieb

  • Group: Member
  • Posts: 59
  • Joined: 02-March 12

Posted 19 March 2012 - 07:18 AM

Ron,
It's been a few days since I've heard from you.
Thanks,
Steven

#81 RKinner

  • Group: Expert
  • Posts: 10,637
  • Joined: 19-April 05

Posted 19 March 2012 - 07:19 AM

What errorlevel are you getting when you run the bat command?

I am going on a trip today for four days. Expect delays.

#82 Steven Gottlieb

  • Group: Member
  • Posts: 59
  • Joined: 02-March 12

Posted 19 March 2012 - 07:39 AM

Ron,
Error 2
Steven

#83 RKinner

  • Group: Expert
  • Posts: 10,637
  • Joined: 19-April 05

Posted 26 March 2012 - 12:28 PM

Download Process Monitor http://live.sysinter...com/Procmon.exe

Save it to your desktop. Run Process Monitor.


Click on Options,

check Enable Boot Logging. Click on Generate profiling events (every second). OK. Then close Process Monitor and restart. As soon as the desktop returns, start up Process Monitor again. It should tell you that there was a boot time log and ask if you want to process it. Say yes. Then once it finishes, save the log (call it: boot).

This is going to be huge. Mine is 232 MB. We will need to compress this. WinRAR is the best but you have to buy it or jump through too many hoops, so get 7-zip:
http://downloads.sou...enzip/7z920.msi

Once you install it, right click on boot.pml, hover over 7-Zip and then click on Add to boot.7z. This will take a minute or two. The file will be in the same folder as boot.pml. Send it to me via email as an attachment.

I will send you a PM with my email address in case I haven't done so already.

Ron

#84 RKinner

  • Group: Expert
  • Posts: 10,637
  • Joined: 19-April 05

Posted 29 March 2012 - 06:46 PM

Disable the network then start Process Explorer and enable the network. Once the network icon appears click on File, uncheck Capture Events. Save the file as before, 7zip it and send it to me.

#85 Steven Gottlieb

  • Group: Member
  • Posts: 59
  • Joined: 02-March 12

Posted 29 March 2012 - 07:45 PM

Ron,
I really do not understand these steps. If my computer is online, yes I can disable the internet. I do not know however how to start Process Explorer--unless I restart my computer. Now if I need to restart my computer I don't understand why you ask me to disable my network (network=internet??) since you know that it is off when I start my computer up. So I am assuming that I can run Process Explorer without restarting my computer. I looked at the option on Process Explorer and do not see a way to get it to run. Can you please explain in a different way what it is that you are asking me to do?
Thank you,
Steven

#86 RKinner

  • Group: Expert
  • Posts: 10,637
  • Joined: 19-April 05

Posted 29 March 2012 - 09:27 PM

I meant Process Monitor. Sorry.

First disable the network:

http://compnetworkin...nndisenable.htm

Then start Process Monitor.

Then go back in and enable the network.

When you see the network icon pop up:

File, uncheck Capture Events. Save the file as before, 7zip it and send it to me.

#87 Steven Gottlieb

  • Group: Member
  • Posts: 59
  • Joined: 02-March 12

Posted 29 March 2012 - 10:25 PM

Ron,
I sent the file to your email address.
Thank you

#88 RKinner

  • Group: Expert
  • Posts: 10,637
  • Joined: 19-April 05

Posted 30 March 2012 - 06:56 PM

Do post #83 again but this time wait until after you do
net start dhcp

before starting Process Explorer.

#89 Steven Gottlieb

  • Group: Member
  • Posts: 59
  • Joined: 02-March 12

Posted 30 March 2012 - 09:10 PM

net start dhcp on the command prompt starts automatically. Do you mean to wait until dhcp actually starts???
Steven

#90 RKinner

  • Group: Expert
  • Posts: 10,637
  • Joined: 19-April 05

Posted 30 March 2012 - 10:59 PM

I thought you were having to redo it after afd came up so I want to see everything that happens until it starts working.
