Rogue Malware kicking my butt/ Moved



#1 recompute (Members, 10 posts)

Posted 03 April 2009 - 01:40 PM

Hi there,

I am not new to virus scanning and have done this a lot, but am having a heck of a time with my friend's PC. I have a Dell desktop here with the latest updates, and just yesterday (Thursday, April 2nd) Internet Explorer began crashing randomly. I reset IE 7 back to factory defaults (cleared add-ons, etc.); however, it did nothing to keep it from crashing.

I downloaded ComboFix and attempted to run it, but after the ComboFix loading screen loads nothing happens: it does not run, the command prompt does not come up, no warnings, nothing. I should add that I downloaded ComboFix from another PC and transferred it over that way. I did this because on his Dell, if you try to access the BleepingComputer site it redirects you to a search site. It will do this for any helpful site you try to access, such as Malwarebytes, SUPERAntiSpyware, etc.

So, I have downloaded many tools, including Malwarebytes, SUPERAntiSpyware, Spybot and Windows Defender, and ran them all with manual updates on this machine. None find anything wrong with this PC or any infected files. I downloaded and installed eScan, which uses the Kaspersky engine to scan, and it also failed to find anything. I did not see anything in the HijackThis log that jumped out at me, either. I have gone as far as pulling this hard drive, slaving it up to one of my PCs with all anti-virus tools loaded, etc., and scanning it externally, and even that didn't find anything. There has to be something rogue hiding deep in there, but I can't find it for the life of me. I appreciate any help you can offer. Let me know what logs, etc. I can send. Thanks.

#2 Orange Blossom (Moderator, 37,011 posts)

Posted 03 April 2009 - 01:58 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

PLEASE DO NOT NOW POST LOGS unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.


#3 recompute (Topic Starter)

Posted 03 April 2009 - 04:16 PM

OK, thanks for the info. Hope someone comes along soon.

#4 snowdrop (Members, 513 posts)

Posted 03 April 2009 - 04:27 PM

I downloaded ComboFix and attempted to run it, but after the ComboFix loading screen loads nothing happens: it does not run, the command prompt does not come up, no warnings, nothing. I should add that I downloaded ComboFix from another PC and transferred it over that way. I did this because on his Dell, if you try to access the BleepingComputer site it redirects you to a search site. It will do this for any helpful site you try to access, such as Malwarebytes, SUPERAntiSpyware, etc.


May one ask if you are aware that

ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer.


Perhaps as a starting point, if you post the reports from the Malwarebytes and SUPERAntiSpyware programs, someone can check them for you and point you in an appropriate direction?

#5 recompute (Topic Starter)

Posted 03 April 2009 - 04:27 PM

BTW, it's not that I don't know if it's infected, it is. The question is WHAT is infecting it since no scanner is able to pick it up. Driving me crazy.

#6 boopme (Global Moderator, 73,490 posts)

Posted 03 April 2009 - 10:12 PM

Hi let's try this Online scan.
Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


#7 recompute (Topic Starter)

Posted 04 April 2009 - 11:40 AM

Will give that a go and let you know. I will also post the SUPERAntiSpyware and Malwarebytes logs.

#8 recompute (Topic Starter)

Posted 04 April 2009 - 01:56 PM

OK, here are the logs: ActiveScan first, Malwarebytes second, and SUPERAntiSpyware third:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-04-04 12:49:36
PROTECTIONS: 1
MALWARE: 5
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
eScan Anti-Virus (AV) Edition for Windows 10.0.968.374 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\heather2\favorites\health
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Heather2\Cookies\heather2@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Heather2\Cookies\heather2@atdmt[1].txt
00147806 Cookie/7search TrackingCookie No 0 Yes No C:\Documents and Settings\Heather2\Cookies\heather2@7search[2].txt
00269129 spyware/dogpile Spyware No 1 Yes No hkey_current_user\software\infospace
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\MCAF868.tmp\vso\en-us\com\vso.cab[mcvsshld.exe]
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================



MALWAREBYTES:


Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 2

4/4/2009 10:35:05 AM
mbam-log-2009-04-04 (10-34-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 138510
Time elapsed: 54 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProcObsrv (Rogue.NetCom3) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



SUPER ANTI-SPY:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/03/2009 at 07:16 PM

Application Version : 4.26.1000

Core Rules Database Version : 3828
Trace Rules Database Version: 1784

Scan type : Complete Scan
Total Scan Time : 01:02:30

Memory items scanned : 285
Memory threats detected : 0
Registry items scanned : 5232
Registry threats detected : 0
File items scanned : 22014
File threats detected : 0


Hope this helps.
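The Malwarebytes log posted above follows a fixed text layout: a summary block with a count per category, then one section per category listing each item as `location (family) -> action`. As an added example (not code from the thread or from Malwarebytes), the Python below parses that layout, cross-checks the declared counts against the items actually listed, and flags items whose action column reads "No action taken", which is what the ProcObsrv service key shows in the log above: detected, but not removed at the time the log was saved. The sample log embedded in the block is constructed from the structure of the posted log; the extra "Files Infected" entry is made up so that a second section is exercised.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured detections.

Added example, not code from the thread or from Malwarebytes. It follows the
section/summary layout of the MBAM 1.35 log in the thread and flags items
whose action column says "No action taken" (detected but not removed).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: layout copied from the log in the thread, with one
# made-up "Files Infected" entry added so that two sections carry items.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 2

4/4/2009 10:35:05 AM
mbam-log-2009-04-04 (10-34-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 138510
Time elapsed: 54 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProcObsrv (Rogue.NetCom3) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User\example.exe (Rogue.NetCom3) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 1" (summary) or "Registry Keys Infected:" (section header)
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
# "<location> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<location>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
DATE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")


@dataclass
class Detection:
    section: str   # e.g. "Registry Keys Infected"
    location: str  # registry path or file path
    family: str    # detection name, e.g. "Rogue.NetCom3"
    action: str    # what MBAM did, e.g. "No action taken"


@dataclass
class ScanReport:
    header: dict = field(default_factory=dict)
    declared: dict = field(default_factory=dict)  # section -> count from the summary block
    detections: list = field(default_factory=list)


def parse_mbam_log(text):
    report = ScanReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:   # summary line with a count
                report.declared[m.group("name")] = int(m.group("count"))
                section = None
            else:                              # start of an itemised section
                section = m.group("name")
            continue
        if section is not None:
            im = ITEM_RE.match(line)           # "(No malicious items detected)" does not match
            if im:
                report.detections.append(Detection(section, **im.groupdict()))
            continue
        if DATE_RE.match(line):
            report.header["Scan date"] = line
        elif ":" in line:
            key, _, value = line.partition(":")
            report.header[key.strip()] = value.strip()
        else:
            report.header.setdefault("Other", []).append(line)
    return report


def count_mismatches(report):
    """Sections whose summary count disagrees with the items actually listed: {section: (declared, found)}."""
    found = {}
    for d in report.detections:
        found[d.section] = found.get(d.section, 0) + 1
    return {s: (n, found.get(s, 0)) for s, n in report.declared.items() if n != found.get(s, 0)}


def not_removed(report):
    """Detections MBAM reported but did not quarantine or delete."""
    return [d for d in report.detections if d.action.lower().startswith("no action taken")]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    for d in rep.detections:
        print(f"{d.section}: {d.location} [{d.family}] -> {d.action}")
    print("count mismatches:", count_mismatches(rep))
    print("not removed:", [d.location for d in not_removed(rep)])
```

Run against a saved mbam-log-*.txt, anything returned by `not_removed()` is still on the machine, so a log with "No action taken" entries is a detection report, not a cleanup report.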

#9 recompute (Topic Starter)

Posted 04 April 2009 - 04:51 PM

BTW, I attempted to go into regedit and check the key that the active scan was talking about in the results and when you type in regedit.exe into the Run command box on the start menu it crashes windows explorer and then restarts it and regedit never comes up.

#10 boopme (Global Moderator, 73,490 posts)

Posted 04 April 2009 - 09:57 PM

Hello, that NetCom was a rogue application. Please never edit your registry without backing it up first.
Next run SDFix
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#11 recompute (Topic Starter)

Posted 05 April 2009 - 05:18 PM

OK, gave it a go and got as far as running the "runthis.bat". Problem being there that whatever has infected this machine crashes it and Explorer as soon as it tries to start. Basically, it won't run. I have tried a few different ways to get it to run with no luck, including typing it from the Run dialog box, and going directly into C: and running it from the folder, all while in Safe Mode, mind you, as well as trying to start up from the "Safe Mode with Command Prompt" option without luck. And with the last option the command prompt never opens, as whatever bug this is is killing the command prompt, even in Safe Mode. Would there be any way to hook this drive up to a different PC and scan it that way? Obviously it wouldn't be able to get the registry, so that would likely be a problem. I am open to suggestions. Thanks for your time. I should be able to get back to you quicker from here on out.

#12 recompute (Topic Starter)

Posted 06 April 2009 - 03:06 PM

Eh, anyway, I got it all sorted. I wound up being able to port valid definitions for Malwarebytes from a good machine to the infected machine, and it found the critter and removed it. All other scanners then worked fine and the bugs are gone. Thanks anyway.

#13 DaChew (Members, 10,317 posts)

Posted 07 April 2009 - 10:02 AM

Update MBAM thru the program's interface and run a full scan of all drives but CD/DVD