
PUP.CrossFire.SA problem


  • This topic is locked
9 replies to this topic

#1 pavmsk

pavmsk

  • Members
  • 29 posts
  • OFFLINE
  • Local time:09:46 AM

Posted 27 July 2012 - 03:29 PM

I've been following this forum and searching the internet on how to remove viruses and can do it pretty well, but there are these two viruses that only Malwarebytes is able to catch, and they are two PUP.CrossFire registry keys. There is an option to remove them and I check this option, but when I restart and scan again they come back.

Norton
ESET scan
SuperAntiProfessional
TDSS Killer

I've run all of these and they removed most things but don't catch these last two.

Please Help,

Thanks


*Moderator Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Queen-Evie*

Edited by Queen-Evie, 28 July 2012 - 07:31 AM.




#2 ReallyOldDude

ReallyOldDude

  • Members
  • 1 posts
  • OFFLINE
  • Local time:10:46 AM

Posted 29 July 2012 - 02:00 PM

I just removed these with Malwarebytes.

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 61,425 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:46 AM

Posted 29 July 2012 - 04:03 PM

Hello, please post your MBAM log.
The log is automatically saved and can be viewed by clicking the Logs tab.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.

Next run these.


Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



BOOTKIT REMOVER

Download Bootkit Remover to your Desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#4 pavmsk

pavmsk
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:09:46 AM

Posted 31 July 2012 - 07:12 PM

Hey, thanks a lot for helping me.

Here is the Malware Log

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.31.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Programmer :: PETERJR-PC [limited]

Protection: Enabled

7/30/2012 10:12:48 PM
mbam-log-2012-07-30 (22-12-48).txt

Scan type: Full scan (C:\|D:\|E:\|Q:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 325049
Time elapsed: 1 hour(s), 2 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011461139} (PUP.CrossFire.SA) -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011461139} (PUP.CrossFire.SA) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Programmer\Downloads\DllHost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

(end)


Here is the first log
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-31 18:01:30
-----------------------------
18:01:30.176 OS Version: Windows x64 6.1.7601 Service Pack 1
18:01:30.176 Number of processors: 4 586 0x2A07
18:01:30.177 ComputerName: PETERJR-PC UserName: Peter Jr
18:01:35.780 Initialize success
18:01:52.735 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:01:52.740 Disk 0 Vendor: ST500LM0 2AR1 Size: 476940MB BusType: 3
18:01:52.781 Disk 0 MBR read successfully
18:01:52.786 Disk 0 MBR scan
18:01:52.792 Disk 0 unknown MBR code
18:01:52.823 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
18:01:52.853 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 183296 MB offset 206848
18:01:52.861 Disk 0 Partition - 00 0F Extended LBA 273468 MB offset 375597056
18:01:52.893 Disk 0 Partition 3 00 27 Hidden NTFS WinRE NTFS 20075 MB offset 935659520
18:01:52.963 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 273467 MB offset 375599104
18:01:53.053 Disk 0 scanning C:\windows\system32\drivers
18:02:00.819 Service scanning
18:02:42.656 Modules scanning
18:02:42.678 Disk 0 trace - called modules:
18:02:42.713 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
18:02:42.726 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006927060]
18:02:42.740 3 CLASSPNP.SYS[fffff88001a0143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8006628050]
18:02:42.751 Scan finished successfully
18:03:43.797 Disk 0 MBR has been saved successfully to "C:\Users\Peter Jr\Desktop\MBR.dat"
18:03:43.830 The log file has been saved successfully to "C:\Users\Peter Jr\Desktop\Needed1.txt"
18:04:17.794 Disk 0 MBR has been saved successfully to "C:\Users\Programmer\Desktop\MBR.dat"
18:04:17.810 The log file has been saved successfully to "C:\Users\Programmer\Desktop\needed1.txt"

But with the second log it said this


main(): CreateFile() ERROR 5
ERROR: Can't open volume device \\.\C:


Done;
Press any key to quit

#5 pavmsk

pavmsk
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:09:46 AM

Posted 01 August 2012 - 12:12 AM

Bad news, I wondered why that thing from before didn't work, and here's why.
I ran it again and it said MBR status is controlled by a rootkit and that the boot code on some of your physical disks is hidden by a rootkit.

Please respond soon.

Thanks

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 61,425 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:46 AM

Posted 01 August 2012 - 01:58 PM

Sorry about the delay. I had ball game tickets yesterday. Yes, there is a rootkit on here that needs to be dug out.

Disk 0 Partition 3 00 27 Hidden NTFS WinRE NTFS 20075 MB offset 935659520



We need a deeper look. Please go here: Preparation Guide, do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Skip GMER; instead, repost the aswMBR log.

Let me know if that went well.

#7 pavmsk

pavmsk
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:09:46 AM

Posted 02 August 2012 - 11:46 AM

My DDS tool download just won't work, should I just post without it?

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 61,425 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:46 AM

Posted 02 August 2012 - 10:44 PM

If you cannot get DDS to work, please try this instead.

Please download OTL by OldTimer and save it to your Desktop.
  • Close all other applications and windows so that you have nothing open.
  • Double click on the OTL icon on your desktop.

    Vista/Windows 7 users right-click and select Run As Administrator.
    If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • Under Output, ensure that Minimal Output is selected.
  • Click the "Scan All Users" checkbox.
    Leave the remaining selections to the default settings.
  • Click the Run Scan button.
  • Do not use the computer while the scan is in progress.
  • When the scan is complete, two log files will open in Notepad:
    • OTListIt.txt <- (will be maximized)
    • Extras.txt <- (will be minimized in the Task Bar).
  • Both logs are automatically saved to the Desktop.
  • Please copy and paste the contents of OTListIt.txt and Extras.txt in your next reply.
    If the Extras.txt log is too long, you may need to add a second reply to your thread or upload it as an attachment.
  • Click the red X in the upper right corner to exit OTL.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If OTL did not work, then reply back here.

#9 pavmsk

pavmsk
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:09:46 AM

Posted 04 August 2012 - 02:25 PM

I tried it again after rebooting several times and it was able to work.
I already posted a new topic where you told me to. Thanks for the help so far!

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 61,425 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:46 AM

Posted 05 August 2012 - 01:36 PM

You're welcome!

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 1 - 5 days and ALL logs are answered.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.



