malware issue


13 replies to this topic

#1 mbtrk


Posted 13 July 2009 - 07:20 AM

Good morning,
I have had this ongoing issue since I let my kids use my laptop. It seems that they tried to update the Flash Player from a "not so reputable" site and ended up with a trojan. When I ran AVG Free for the first time it picked up Trojan Horse SHeur2.APUC. It quarantined the files. I have run Malwarebytes software and it has cleaned a bunch of stuff off the system, but there still seems to be a file on board that won't go away (c:\windows\system32\MSIVXcount trojan.agent). Since this issue, Firefox has refused to load and Internet Explorer just shows up blank. I can get online by using AOL, which doesn't seem to be affected by this mess. I'd appreciate any help you might be able to give.
The most recent Malwarebytes log is below. I have also disabled System Restore to wipe out any bad restore points, but have not enabled it again yet. I am running Vista Home.

Thanks for your time!

Malwarebytes' Anti-Malware 1.38
Database version: 2413
Windows 6.0.6001 Service Pack 1

7/13/2009 7:45:17 AM
mbam-log-2009-07-13 (07-45-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 310567
Time elapsed: 1 hour(s), 14 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Delete on reboot.


#2 boopme


Posted 13 July 2009 - 11:40 AM

Hi do a ROOTREPEAL scan and see if it shows this rootkit.

Next Please install RootRepeal
Note: Vista users, right click on the desktop icon and select "Run as Administrator."

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-Zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, then click on Scan. A window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

#3 mbtrk


Posted 13 July 2009 - 12:53 PM

I have tried to run RootRepeal, and it gets part way done and then I get the infamous blue screen. I have tried it in both normal and in safe mode. Both act the same. I could get to the point, however, where I can see that it has found what I think is the problematic .sys file...

Edited by mbtrk, 13 July 2009 - 12:54 PM.


#4 boopme


Posted 13 July 2009 - 01:22 PM

OK let's try to get it anyway then.. use RootRepeal hidden file scan only and locate the .sys file with MSIVX prefix.

Select wipe file and immediately reboot.


Now the next step...

Rerun RootRepeal (hidden file scan only). After the scan completes, go to the Files tab and find these files:


C:\WINDOWS\system32\drivers\MSIV************.sys



Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.



Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates. When done,
click the Scanner tab, select Quick Scan and scan.
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

#5 mbtrk


Posted 13 July 2009 - 02:44 PM

This looks like it might have worked! You guys rock! I tried my Firefox and I'm back up. I'm not sure if there are any residual effects of this crap, but AVG and Malwarebytes both can update normally now! I was starting to think that I was going to have to reformat and start from scratch. My heart rate has gone back to somewhat normal...hahahahahah. What do you think?


Malwarebytes' Anti-Malware 1.38
Database version: 2413
Windows 6.0.6001 Service Pack 1

7/13/2009 3:26:11 PM
mbam-log-2009-07-13 (15-26-11).txt

Scan type: Quick Scan
Objects scanned: 82873
Time elapsed: 8 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\MSIVXvbeksqmflwmksjwroedhjovwgwmivcai.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\MSIVXwqnolwrpivinjxfmcdtmpbxufqeunsmh.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\drivers\MSIVXricpnmtrqpsuippwvrbdtxdiypcptbcw.sys (Trojan.Agent) -> Quarantined and deleted successfully.
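The two Malwarebytes logs in this thread share one fixed layout, and every file the rootkit dropped carries the same MSIVX prefix followed by a run of random lowercase letters. The Python below is an added example, not part of this thread and not Malwarebytes' own tooling: it parses a log in that layout, extracts the per-section counts and the "Files Infected" entries, groups the entries that match the prefix-plus-random-letters naming rule, and reports which detections are still pending ("Delete on reboot") versus already removed, which is what a responder checks before deciding the cleanup is finished. The sample log text is constructed from the format shown above, and the naming rule (prefix plus lowercase letters, optional .dll/.sys extension) is an assumption drawn from the file names in this thread.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample in the Malwarebytes' Anti-Malware 1.38 log layout shown in this thread.
# The last entry is an invented, unrelated detection so the family grouping has something to skip.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.38
Database version: 2413
Windows 6.0.6001 Service Pack 1

7/13/2009 3:26:11 PM
mbam-log-2009-07-13 (15-26-11).txt

Scan type: Quick Scan
Objects scanned: 82873
Time elapsed: 8 minute(s), 36 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Delete on reboot.
c:\Windows\System32\MSIVXvbeksqmflwmksjwroedhjovwgwmivcai.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\drivers\MSIVXricpnmtrqpsuippwvrbdtxdiypcptbcw.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\example\AppData\Local\Temp\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# "<item> (<detection name>) -> <action>." as MBAM writes each detection line
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# Summary lines such as "Files Infected: 4"
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# Section headers such as "Files Infected:" that precede the detail lines
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# Family naming rule (assumption): prefix seen in this thread + random lowercase letters,
# optionally with a .dll or .sys extension.
FAMILY_PREFIX = "MSIVX"
FAMILY_RE = re.compile(rf"^{re.escape(FAMILY_PREFIX)}[a-z]+(\.(dll|sys))?$")


@dataclass
class Detection:
    section: str
    item: str
    detection: str
    action: str

    @property
    def pending(self) -> bool:
        # MBAM marks items it could not remove immediately with "Delete on reboot."
        return not self.action.lower().startswith("quarantined and deleted")


@dataclass
class MbamReport:
    scan_type: str = ""
    counts: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    """Parse the summary counts and the per-section detection lines of an MBAM log."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # blank line ends the current detail section
            continue
        if line.startswith("Scan type:"):
            report.scan_type = line.split(":", 1)[1].strip()
            continue
        m = COUNT_RE.match(line)
        if m:
            report.counts[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section and not line.startswith("(No malicious"):
            m = ENTRY_RE.match(line)
            if m:
                report.detections.append(Detection(section, m["item"], m["detection"], m["action"]))
    return report


def family_files(report: MbamReport) -> list:
    """Detections under 'Files Infected' whose basename follows the family naming rule."""
    return [d for d in report.detections
            if d.section == "Files Infected" and FAMILY_RE.match(ntpath.basename(d.item))]


def summarize(text: str) -> dict:
    """Summary a responder can act on: family members, pending removals, count consistency."""
    report = parse_mbam_log(text)
    parsed_files = [d for d in report.detections if d.section == "Files Infected"]
    return {
        "scan_type": report.scan_type,
        "files_infected": report.counts.get("Files Infected", 0),
        "parsed_files": len(parsed_files),
        "count_consistent": report.counts.get("Files Infected", 0) == len(parsed_files),
        "family_files": [d.item for d in family_files(report)],
        "pending": [d.item for d in report.detections if d.pending],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The "pending" list is the one to watch: an item marked "Delete on reboot" in the first log of this thread is exactly the file that survived, and a follow-up scan after the reboot should show it quarantined or absent. The count check catches truncated or hand-edited logs where the header total and the listed entries disagree.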

#6 boopme


Posted 13 July 2009 - 02:53 PM

WoooHooo!! :thumbsup:
But being criminally insane and a sucker for punishment i would like to see if there is anything left.

Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.

#7 mbtrk


Posted 13 July 2009 - 04:37 PM

HAHAHAHA...not being one to celebrate too soon and being somewhat paranoid of this trojan after a significant number of hours trying to rid the PC of the beast...I am cracking a beer, doing the happy dance....and feeling somewhat relieved. I owe you one. I probably should buy you one! hahahaha Here is the log from SAS...it found one item and eliminated it...am I free...free at last???? :-D

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/13/2009 at 05:26 PM

Application Version : 4.26.1006

Core Rules Database Version : 3952
Trace Rules Database Version: 1894

Scan type : Complete Scan
Total Scan Time : 00:53:01

Memory items scanned : 270
Memory threats detected : 0
Registry items scanned : 7942
Registry threats detected : 1
File items scanned : 32723
File threats detected : 0

Trojan.DNSChanger-Codec
HKU\S-1-5-21-1386276621-1752036697-3618266808-1000\Software\uninstall

#8 boopme


Posted 13 July 2009 - 08:17 PM

This looks really good . Now to be sure DNS changer is dead let's do this...Also MBAM Upgraded the engine just now so we'll update and run it.. Then i can dance too :thumbsup:
Open MBAM in normal mode and click the Update tab, select Check for Updates. Now the DNS changer:
Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don't know the router's default password, you can look it up HERE.

Run Malwarebytes' Anti-Malware on the infected system. Now you can reconnect to the internet and router. Post the new log.

#9 mbtrk


Posted 14 July 2009 - 06:38 AM

Good morning,
I assume we are talking about the wireless router and not the DSL box? And...could any other computers on the wireless network get infected from this mess just by being connected?

#10 boopme


Posted 14 July 2009 - 12:29 PM

Yes and yes it is possible.. Run MBAM 's quick scan on all first.

#11 mbtrk


Posted 14 July 2009 - 01:28 PM

If I have a secure router, and it is WEP protected...do I need to reset it? Why does this need to be done? I am interested in the process. Also the new MBAM scan turned up nothing on any of my attached computers. You have been awesome through this...thanks!

#12 boopme


Posted 14 July 2009 - 03:30 PM

Ok, up to you.. I ask so that the scanner can run and clear any infection and the DNS changer if still present does not det the new address when it resets.

#13 mbtrk


Posted 16 July 2009 - 09:37 AM

Hey Boopme!
After some further research about my router, I am 99% sure that it wasn't compromised...but that 1% makes me a wee bit nervous. I decided to take your advice and I restored the router to its original state, then gave it a new SSID and a password that will make the hackers very old before they can get to it. HA! MBAM still comes up empty. Thank you so much for your help! Have a great day!

Edited by mbtrk, 16 July 2009 - 09:37 AM.


#14 boopme


Posted 16 July 2009 - 11:31 AM

That's always a great choice.. A bit of work but full peace of mind.

You're most welcome, please take a moment to read quietman7's excellent prevention tips in post 17 here
Click>>Tips to protect yourself against malware and reduce the potential for re-infection: