There is no doubt. I AM infected


10 replies to this topic

#1 NSF (Members, 8 posts)

Posted 07 March 2009 - 05:07 PM

I've also posted on the MalwareBytes.com forum. I'm here specifically because I'm unable to get ComboFix or MalwareBytes to execute. When I click on the executable file the XP hourglass flashes briefly and that's all that happens.

I watch "task manager" during execution but don't discern any change except for a brief blip that could be a program starting and ending but I can't tell for sure.

Also, I am unable to go to many antivirus web sites. For example I CAN get to www.bleepingcomputers.com. Notice that is plural. I am, however, unable to get to www.bleepingcomputer.com. I see the browser message, "The page cannot be displayed."

I tried using FireFox browser but it only opens a new empty tab.

I've executed successfully the following Antivirus Software:

Microsoft Defender
AVG Free
Ad-Aware
Avira AntiVir Personal

Initially I even had trouble getting the installers for MalwareBytes and HiJackThis to execute. I renamed the installers and was able to get them installed. I renamed HijackThis and got it to execute, but the same trick doesn't work for ComboFix or MalwareBytes.

I'll be checking the other posts and trying anything/everything that appears applicable. I read on another forum to remove JAVA so I've done that and now think I've reduced my ability to access certain other websites, like support.microsoft.com.

Whackin and hackin

NSF
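One check a responder normally runs when a machine reaches most sites but not security vendors' sites is to read the Windows hosts file (on XP, C:\WINDOWS\system32\drivers\etc\hosts) for entries that hijack those names. The following is an added example for this thread, not code from the original post, and the thread itself never identifies what blocked bleepingcomputer.com on this machine; a hosts-file hijack is only one common mechanism. The watched-domain list and the hosts file content below are constructed for the example, and the 203.0.113.9 address is a documentation address, not a real attacker host.

```python
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed watch-list of security-vendor hostnames (assumption for the
# example; a real responder would use their own, much longer list).
WATCHED_DOMAINS = {
    "bleepingcomputer.com",
    "malwarebytes.org",
    "microsoft.com",
    "avira.com",
    "free.avg.com",
}

# Constructed sample hosts file, not a capture from the poster's machine.
# Note the exact-name hijack: the real site is blackholed, while a
# misspelled lookalike such as bleepingcomputers.com is untouched.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.bleepingcomputer.com
127.0.0.1       bleepingcomputer.com
0.0.0.0         support.microsoft.com
203.0.113.9     www.malwarebytes.org   # sent to a non-local address
127.0.0.1       update.example.test
"""

LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass(frozen=True)
class HostsFinding:
    line_no: int
    address: str
    hostname: str
    reason: str


def _watched(hostname: str) -> bool:
    """True if hostname equals, or is a subdomain of, a watched domain."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line_no, address, hostnames) for each effective hosts entry.

    Comments start at '#'; blank and malformed lines are skipped rather
    than treated as errors, because malware-edited files are often messy.
    """
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        yield n, parts[0], parts[1:]


def find_hijacks(text: str) -> List[HostsFinding]:
    """Return every entry that maps a watched security domain anywhere.

    A stock XP hosts file contains only '127.0.0.1 localhost', so any
    mapping of a vendor domain is suspicious: to a local/null address it
    blackholes the site, to anything else it redirects the user.
    """
    findings: List[HostsFinding] = []
    for n, addr, names in parse_hosts(text):
        for name in names:
            if name.lower() == "localhost" or not _watched(name):
                continue
            if addr in LOCAL_ADDRESSES:
                reason = "blackholed (resolves to local/null address)"
            else:
                reason = f"redirected to {addr}"
            findings.append(HostsFinding(n, addr, name, reason))
    return findings


def is_blocked(text: str, hostname: str) -> bool:
    """True if hostname is one of the hijacked names in this hosts file."""
    target = hostname.lower().rstrip(".")
    return any(f.hostname.lower() == target for f in find_hijacks(text))


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.address}: {f.reason}")
```

A clean hosts file does not clear the machine: the same symptom can come from a changed DNS server setting, a browser proxy setting, or a layered service provider or browser helper object filtering by hostname, so this is a first triage step, not a verdict.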


#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 07 March 2009 - 05:27 PM

Hello.

Try renaming it BEFORE saving Malwarebytes anti-malware and installing it. Afterwards try renaming the MBAM executable file itself and see if it will run. Try running GMER as you had posted in the other topic.

We may need to move you to the Malware Removal forum afterwards.

*need to run now.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 NSF (Topic Starter; Members, 8 posts)

Posted 07 March 2009 - 06:58 PM

I renamed MBAM all sorts of ways, even in safe mode. It did no good. When I click on the desktop icons or go directly to the file and double click them I just get the brief hour glass and nothing runs. GMER behaves the same way. It's almost like these applications are attempting to allocate some system resource (memory) and there's not enough or too much is being asked for.

From another thread I ran SuperAntispyware and it actually gave an error report. I can post it here or send a PM message.

#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 07 March 2009 - 07:18 PM

Hello.

I think we should move you to the HJT-Malware Removal forum now as this seems to be a nasty infection.

Preparation Guide: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
HJT-Malware Removal forum: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
What to do when you have no reply for 5 days: http://www.bleepingcomputer.com/forums/t/176012/post-in-this-thread-when-you-havent-received-an-answer-in-five-days/

Let me know if DDS works. Post back telling me and also when you started a topic in that forum so a MOD can close this topic.

If DDS doesn't run try the following tool instead.

Download and Run RSIT
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both: log.txt and info.txt.
The RSIT logs can also be found in the folder, C:\RSIT

Note: Rename them if they don't work, or do it before you EVEN download it.

Good Luck!

With Regards,
Extremeboy

#5 NSF (Topic Starter; Members, 8 posts)

Posted 07 March 2009 - 08:56 PM

This topic was previously posted under the forum "I am infected. What do I do?" I was asked to move it over to this forum when some of the early suggestions failed to resolve the problem. You can see the rest of the story under the topic: "There is no doubt; I am infected" In particular, ComboFix and MalWareBytes and other antivirus tools fail to launch, even in safe mode.

---------------------------------------------------------------

The following is from the original post: [post #1 above, quoted in full; the duplicate is omitted here]

-----------------------------------------------------------------------------------------------------------

I've been attempting to resolve this problem for the last 18 hours. I'll be taking a break right after I send EXTREMEBOY from the previous thread a message that this post/thread has been logged. When I get back to fixing this problem I'll be following the last advice I had from Extremeboy.

#6 NSF (Topic Starter; Members, 8 posts)

Posted 07 March 2009 - 09:00 PM

I've opened a new thread/post as directed above. The topic is: Serious Malware at work HERE, Redirected from another forum on this site.

This topic/post/thread can be closed.

I've been working on this fix for 18 hours and will take a break. When I return, I'll continue the work by completing the latest recommendations.

Many thanks for the inputs.

NSF

#7 extremeboy (Malware Response Team, 12,975 posts)

Posted 07 March 2009 - 09:21 PM

Hello.

You're welcome. I'll let a MOD know and close the topic. Good luck in the HJT-malware removal forum. Please note that it may take a while before you get a response though. We have over 600 logs waiting for response.

Take a rest now. :thumbsup:

EDIT: You did not post a DDS log or Hijackthis log... Please do so now and edit your topic to add those logs in or else you will be moved back to this forum...

With Regards,
Extremeboy

Edited by extremeboy, 07 March 2009 - 09:22 PM.


#8 boopme (Global Moderator, 72,740 posts, NJ USA)

Posted 07 March 2009 - 09:27 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Post in this thread when you haven't received an answer in five days.".

To avoid confusion, I am closing this topic.

#9 Orange Blossom (Moderator, 36,805 posts, Bloomington, IN)

Posted 08 March 2009 - 12:26 AM

Hello NSF,

I have merged the topic you created in the HiJack This forum to your previously existing topic here in the Am I Infected forum, and it now appears as post number 5.

Please create the logs requested in the Preparation Guide Extremeboy linked you to, then create the new topic in the HiJack This forum.

If you are unable to produce the DDS logs, post back in this thread and we will provide further instructions.

Orange Blossom :thumbsup:

#10 NSF (Topic Starter; Members, 8 posts)

Posted 09 March 2009 - 02:39 PM

Hello Orangeblossom,

I think I have fixed the problem. I sort of stumbled into the fix, just as I stumbled into the virus. I did the following things. I was getting ready to do all that other folks had recommended. From the Malwarebytes forum there was also a request to boot the system in the recovery console, and one of the steps recommended here was to load and boot the recovery console.

Here's what happened next:

I already had a "Recovery Console" boot option but it wanted to log on as "Administrator". I was unable to find the correct password, but that led me to discover I had an administrator called STadmin.

I booted normally and logged in as STadmin. With that login I discovered I could run Malwarebytes Anti-Malware (MBAM). However, I was unable to "update" MBAM with that user. I'll have to figure out why STadmin didn't have network functionality. However, MBAM did remove 8 things it found. When that was done I rebooted everything normally and, as my normal user who is also an administrator (the one that was broken and caused this post), I was able to run MBAM again and this time update MBAM. I was still unable to run ComboFix.

Once again, I ran a complete MBAM scan after the update and this time it found two more keys that were corrupt. I let MBAM remove them and now I could run ComboFix.

At this point everything seems to be running normally. At least I can now get to webpages that errored before and my browser "appears" to be normal again. I'll post more if other problems are detected or returned.

Many thanks for the forum. It was nice to discover I'm not the only one getting hit with this &**()*&^ stuff. Thanks also from the "experts" who provide the inputs.

#11 extremeboy (Malware Response Team, 12,975 posts)

Posted 09 March 2009 - 02:59 PM

Hello.

Thanks for letting us know :trumpet:

Glad everything is working now. You should now purge a system restore point. Below are also some prevention tips.

Happy surfing and good luck! :thumbsup:

Create a New System Restore Point (Very Important)

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Vist the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, you will find a nice little article here about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and Good luck :flowers:

With Regards,
Extremeboy

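The Autorun advice above describes the mechanism (a worm drops AUTORUN.INF in the drive root and lets Explorer run it on insertion or on double-click) but not what such a file actually contains. The example below, added here and not part of extremeboy's post, parses an autorun.inf and separates the directives that cause code execution (open, shellexecute, and a shell\<verb>\command made default through shell=<verb>) from the cosmetic ones (icon, label, action). Both sample files are constructed for the example; the RECYCLER path mimics a pattern common in 2008-2009 USB worms but is not taken from this thread. The "double-click target" logic is a simplification of Explorer's behaviour, chosen for the example, not a statement of how every Windows version resolves the default verb.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Keys in [autorun] that make Explorer launch something. "open" and
# "shellexecute" fire on insertion (AutoRun) or, on XP, when the drive icon
# is double-clicked; "shell\<verb>\command" defines a context-menu verb and
# "shell=<verb>" makes that verb the default action for the drive icon.
EXEC_KEYS = {"open", "shellexecute"}
COSMETIC_KEYS = {"icon", "label", "action", "useautoplay"}

# Constructed worm-style autorun.inf (not a real sample): mixed case,
# a junk padding line, both insertion and double-click execution paths,
# and an "action" string that disguises the default verb as a folder view.
WORM_AUTORUN = """\
[AutoRun]
x7}Q@@ padding bytes a worm may insert to trip naive parsers
OPEN=RECYCLER\\S-1-5-21\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\Command=RECYCLER\\S-1-5-21\\setup.exe
shell\\explore\\command=RECYCLER\\S-1-5-21\\setup.exe
shell=open
action=Open folder to view files
"""

# Constructed benign autorun.inf: a vendor icon and a volume label only.
BENIGN_AUTORUN = """\
[autorun]
; cosmetic only
icon=vendor.ico
label=Holiday photos
"""


@dataclass
class AutorunReport:
    exec_commands: Dict[str, str] = field(default_factory=dict)  # key -> target
    verb_commands: Dict[str, str] = field(default_factory=dict)  # verb -> target
    default_verb: Optional[str] = None
    cosmetic: Dict[str, str] = field(default_factory=dict)

    @property
    def executes_code(self) -> bool:
        """True if any directive can launch a program."""
        return bool(self.exec_commands) or bool(self.verb_commands)

    @property
    def double_click_target(self) -> Optional[str]:
        """Approximation of what runs when the drive icon is double-clicked:
        the shell= default verb, else the open verb, else the AutoRun target."""
        if self.default_verb and self.default_verb in self.verb_commands:
            return self.verb_commands[self.default_verb]
        if "open" in self.verb_commands:
            return self.verb_commands["open"]
        return self.exec_commands.get("shellexecute") or self.exec_commands.get("open")


def parse_autorun(text: str) -> AutorunReport:
    """Parse an autorun.inf leniently: keys are case-insensitive, ';' starts
    a comment, only the [autorun] section matters, and lines that are not
    key=value are ignored rather than aborting the parse."""
    report = AutorunReport()
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in EXEC_KEYS:
            report.exec_commands[key] = value
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            report.verb_commands[verb] = value
        elif key == "shell":
            report.default_verb = value.lower()
        elif key in COSMETIC_KEYS:
            report.cosmetic[key] = value
    return report


if __name__ == "__main__":
    for name, sample in (("worm", WORM_AUTORUN), ("benign", BENIGN_AUTORUN)):
        r = parse_autorun(sample)
        print(f"{name}: executes_code={r.executes_code} "
              f"double_click_target={r.double_click_target!r}")
```

The worm sample shows why the note above says disabling Autorun is not enough on its own: even with insertion-time AutoRun off, a shell= default verb still points the drive icon's double-click at the dropped executable. On XP the registry side of this (general knowledge, not from the post) is NoDriveTypeAutoRun set to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, together with the HonorAutorunSetting value introduced by Microsoft's Autorun update, without which older XP builds kept parsing autorun.inf on double-click.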



