
MAJOR Infection. Multiple Fake AntiVirus Programs, Task Manager Disabled, Unable To Run Scans Or Open Most Programs.


This topic is locked
113 replies to this topic

#1 Goomba
  • Members
  • 123 posts

Posted 17 August 2009 - 03:57 PM

Please read every bit of this, as I try to be as detailed as possible.

This started about three days ago.

First, the fake programs:

  • Windows Antivirus Pro
  • Advanced Virus Remover
  • Some red X in the system tray that displays "Your computer is infected! Windows has detected spyware infection!It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you." (Don't know if this is part of one of the above fake anti-spyware programs or its own).

I've had one or two of them before. (Gotta love the obvious misspellings and grammatical errors).

Secondly, the Task Manager is disabled.

So I go ahead and try some virus programs. None of them can get a few seconds into the scan without terminating such as MBAM and SpyNoMore (from what SpyNoMore showed while scanning, I saw the file that disabled the task manager and "Advanced Virus Remover", so if I could somehow get that to do a complete scan, I'm pretty sure it could work.)

I came across a program that did, however, do a complete scan. It was called A-Squared. When I began to quarantine the files, though, the window where it says there has been a fatal error and Windows must terminate with the countdown from 1:00 occurs. After that, If I boot up my computer again, explorer.exe is gone AND the task manager is disabled. So I had to boot it up in Safe Mode with Command Prompt. I then took Browse function in the "Select program to open this with" window to my advantage by navigating over to my flash drive, running Task Manager Fix, and copying explorer.exe (which was copied from the computer in the living room) to my Windows folder (it was missing, but there was a fake "explorer.scf" that I deleted). I then ran explorer.exe through the Task Manager. However, unfortunately explorer.exe also enables the fake programs, disabling Task Manager again. If I were to run Task Manager Fix with explorer.exe enabled, I would be able to open Task Manager for about half a second and then says "This file is infected! Please activate your antivirus software."

I then tried A-Squared again, this time on "Deep Scan" mode, but ended up with the same unfortunate result as I had to do the Command Prompt thing once more.

And lastly, the next day (today), "Windows Antivirus Pro" joined the ever-growing epitome of annoyance (It wasn't there at the beginning). This fake program had me rendered unable to open almost any application I wish with a pop-up system tray message saying something along the lines of "Opening this file impossible. It is infected. Please run your antivirus software."

And yes, I tried to run DDS.scr. That would not open as well, so I cannot give you a HJT log at the moment.

I have, however, run GMER a couple days ago (I read about it on another site) and have the log for that if you require it. Sorry for the inconvenience.

This infection I give much applause to as it has been the first in all of my years of dealing with them to actually post on a forum for help. Bravo.

Your assistance would be much appreciated.

Thanks,
Goomba.

EDIT: I forgot to add, on startup there's always programs such as "838.exe" and other odd numbers crashing with the "This program has encountered a problem" and the error reporting system. They don't seem to have an effect on anything, though.

EDIT 2: Another thing I forgot to add. I have tried to reinstall Windows XP with the original disc. It however just freezes on the screen where you select if you want to install, repair, or quit.

Edited by Orange Blossom, 17 August 2009 - 10:33 PM.
Moved out of HJTLogs Forum - AA Moved back since it's picked up. ~ OB



#2 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,398 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 17 August 2009 - 05:52 PM

Hi, Goomba :thumbup2:

Welcome.

Please open a command prompt (Start -> Run, type CMD and click OK). At the prompt, copy and paste the following commands and press Enter after each line:

DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\ntelogon.dll >Log.txt
Net Start >> Log.txt & START notepad Log.txt


Post the resulting report.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Goomba (Topic Starter)

Posted 17 August 2009 - 06:56 PM

Thank you for the quick and convenient reply. :thumbup2:



Volume in drive C has no label.
Volume Serial Number is 74FD-6799

Directory of C:\WINDOWS\SoftwareDistribution\Download\fa06e29c141c84f43a95ba02f93d3774\backup

08/04/2004 12:56 AM 180,224 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\fa06e29c141c84f43a95ba02f93d3774\backup

08/04/2004 12:56 AM 407,040 netlogon.dll
2 File(s) 587,264 bytes

Directory of C:\WINDOWS\system32

08/04/2004 12:56 AM 180,224 scecli.dll

Directory of C:\WINDOWS\system32

08/04/2004 12:56 AM 407,040 netlogon.dll
2 File(s) 587,264 bytes

Directory of C:\WINDOWS\system32\dllcache

08/04/2004 12:56 AM 180,224 scecli.dll

Directory of C:\WINDOWS\system32\dllcache

08/04/2004 12:56 AM 407,040 netlogon.dll
2 File(s) 587,264 bytes

Directory of C:\WINDOWS\system32\dllcache\cache

08/04/2004 12:56 AM 180,224 scecli.dll

Directory of C:\WINDOWS\system32\dllcache\cache

08/04/2004 12:56 AM 407,040 netlogon.dll
2 File(s) 587,264 bytes

Total Files Listed:
8 File(s) 2,349,056 bytes
0 Dir(s) 49,841,876,992 bytes free

These Windows services are started:

CryptSvc
DCOM Server Process Launcher
Event Log
Help and Support
Logical Disk Manager
Plug and Play
Remote Procedure Call (RPC)
System Restore Service
Windows Management Instrumentation

The command completed successfully.

Edited by Goomba, 17 August 2009 - 08:56 PM.
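The DIR /a/s command in post #2 lists every copy of scecli.dll and netlogon.dll that Windows keeps (system32, dllcache, and any update backups), and the point of asking for it is to compare those copies with each other: a patched system file normally shows up as one copy whose size or timestamp no longer matches the rest. The script below is an added example, not code from the thread, from BleepingComputer or from any of the tools mentioned; it parses that kind of DIR output and reports a file whose copies disagree, or which has no copy in one of the directories it is expected to live in. The first sample is the listing posted above (trimmed to the system32 and dllcache entries); the second is constructed to show what a mismatch looks like.

```python
import re
from collections import defaultdict

# Listing as posted in the thread, trimmed to the system32 and dllcache entries.
POSTED_LOG = """\
 Volume in drive C has no label.
 Volume Serial Number is 74FD-6799

 Directory of C:\\WINDOWS\\system32

08/04/2004 12:56 AM 180,224 scecli.dll

 Directory of C:\\WINDOWS\\system32

08/04/2004 12:56 AM 407,040 netlogon.dll
 2 File(s) 587,264 bytes

 Directory of C:\\WINDOWS\\system32\\dllcache

08/04/2004 12:56 AM 180,224 scecli.dll

 Directory of C:\\WINDOWS\\system32\\dllcache

08/04/2004 12:56 AM 407,040 netlogon.dll
 2 File(s) 587,264 bytes
"""

# Constructed sample: the system32 copy of netlogon.dll is larger and newer
# than the dllcache copy, which is what a modified system file looks like here.
CONSTRUCTED_LOG = """\
 Directory of C:\\WINDOWS\\system32

08/15/2009 03:12 PM 409,600 netlogon.dll

 Directory of C:\\WINDOWS\\system32\\dllcache

08/04/2004 12:56 AM 407,040 netlogon.dll
"""

DIR_HEADER = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
FILE_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}\s*[AP]M)\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S+)\s*$"
)

def parse_dir_log(text):
    """Turn DIR /a/s output into a list of {dir, name, size, stamp} records."""
    records, current_dir = [], None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current_dir = m.group("dir")
            continue
        m = FILE_LINE.match(line)
        if m and current_dir is not None:
            records.append({
                "dir": current_dir,
                "name": m.group("name").lower(),
                "size": int(m.group("size").replace(",", "")),
                "stamp": m.group("date") + " " + m.group("time"),
            })
    return records

# Directories every listed file is expected to have a copy in (assumption for
# a default Windows XP install; adjust for other layouts).
REQUIRED_DIRS = (r"C:\WINDOWS\system32", r"C:\WINDOWS\system32\dllcache")

def check_copies(records, required_dirs=REQUIRED_DIRS):
    """Compare every copy of each file name and return a list of findings.

    A finding is raised when copies differ in size or timestamp, or when no
    copy exists in one of the required directories. Empty list = all agree.
    """
    by_name = defaultdict(list)
    for r in records:
        by_name[r["name"]].append(r)
    findings = []
    for name, copies in sorted(by_name.items()):
        if len({c["size"] for c in copies}) > 1:
            detail = ", ".join(f"{c['dir']}={c['size']}" for c in copies)
            findings.append(f"{name}: size differs between copies ({detail})")
        if len({c["stamp"] for c in copies}) > 1:
            detail = ", ".join(f"{c['dir']}={c['stamp']}" for c in copies)
            findings.append(f"{name}: timestamp differs between copies ({detail})")
        present = {c["dir"].lower() for c in copies}
        for d in required_dirs:
            if d.lower() not in present:
                findings.append(f"{name}: no copy found in {d}")
    return findings

if __name__ == "__main__":
    for label, log in (("posted", POSTED_LOG), ("constructed", CONSTRUCTED_LOG)):
        findings = check_copies(parse_dir_log(log))
        print(f"[{label}] {len(findings)} finding(s)")
        for f in findings:
            print("  " + f)
```

On the listing posted above every copy agrees (same 08/04/2004 stamp, same size), so the check returns nothing for scecli.dll or netlogon.dll; the constructed listing produces two findings for netlogon.dll. Agreement between copies is only a negative result for this one technique, since a file that is hidden from DIR, as the later RootRepeal posts in this thread show, never appears in the listing at all.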


#4 JSntgRvr

Posted 17 August 2009 - 11:07 PM

Hi, Goomba :thumbup2:

There is only a limited number of services running. Have you done this?

Please read and follow all these instructions very carefully.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#5 Goomba

Posted 18 August 2009 - 02:22 PM

Well, as I expected, ComboFix is unable to run as well. The green loading bar fills up, but then nothing happens at all. The process isn't even in Task Manager.

I, however, actually ran ComboFix the day I got infected and everything seemed fine the rest of the day, which was a mistake on my part.

I do have the log for that Combofix run (which was three days ago). Hopefully this helps.

Attached Files



#6 JSntgRvr

Posted 18 August 2009 - 03:24 PM

Run this command:

DIR /a/s %windir%\beep.sys %windir%\proquota.exe >Log.txt & START notepad Log.txt

Download RootRepeal from one of the following locations and save it to your desktop: Link 1, Link 2, Link 3
  • Double click [image] to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the [image] button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, click the [image] button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on [image] to insert the attachment into your post



#7 Goomba

Posted 18 August 2009 - 05:23 PM

When I put in the command, it said it couldn't be completed and gave me a very short log:

Volume in drive C has no label.
Volume Serial Number is 74FD-6799


But... the RootRepeal scan completed and I have that log for ya:

Attached File  RootRepeal.txt   22.14KB   42 downloads

Edited by Goomba, 18 August 2009 - 06:50 PM.


#8 JSntgRvr

Posted 18 August 2009 - 05:49 PM

Hi, Goomba :thumbup2:

Open RootRepeal and scan as instructed. Once the scan is done:

Click the Drivers tab. Right click and select Wipe File on:

C:\WINDOWS\system32\drivers\kbiwkmevypadta.sys

Click the Files tab. Right click and select Wipe File on:

C:\WINDOWS\system32\kbiwkmclbukhtm.dat
C:\WINDOWS\system32\kbiwkmexmxtitu.dll
C:\WINDOWS\system32\kbiwkmicxftimj.dat
C:\WINDOWS\system32\kbiwkmiurnldeq.dll
C:\WINDOWS\system32\kbiwkmnsmcolre.dat
C:\WINDOWS\system32\kbiwkmpqxtmbft.dat
C:\WINDOWS\system32\kbiwkmqjxvnixv.dll
C:\WINDOWS\system32\kbiwkmqxuschon.dll
C:\WINDOWS\system32\kbiwkmtbplnron.dll
C:\WINDOWS\system32\kbiwkmxexyycyl.dll
C:\WINDOWS\Temp\kbiwkmyuscscoure.tmp
C:\WINDOWS\system32\drivers\kbiwkmevypadta.sys


Click the Hidden Services tab. Right click and select Wipe File on:

kbiwkmhkqkfyqu

Reboot your machine

Attempt to run Combo-fix.



#9 Goomba

Posted 18 August 2009 - 07:49 PM

Alright, I scanned with RootRepeal, and wiped:
  • C:\WINDOWS\system32\kbiwkmclbukhtm.dat
  • C:\WINDOWS\system32\kbiwkmexmxtitu.dll
  • C:\WINDOWS\system32\kbiwkmicxftimj.dat
  • C:\WINDOWS\system32\kbiwkmiurnldeq.dll
  • C:\WINDOWS\system32\kbiwkmnsmcolre.dat
  • C:\WINDOWS\system32\kbiwkmpqxtmbft.dat
  • C:\WINDOWS\system32\kbiwkmqjxvnixv.dll
  • C:\WINDOWS\system32\kbiwkmqxuschon.dll
  • C:\WINDOWS\system32\kbiwkmtbplnron.dll
  • C:\WINDOWS\system32\kbiwkmxexyycyl.dll
  • C:\WINDOWS\Temp\kbiwkmyuscscoure.tmp
  • C:\WINDOWS\system32\drivers\kbiwkmevypadta.sys
under the Files tab.

However, C:\WINDOWS\system32\drivers\kbiwkmevypadta.sys wasn't present under the Drivers tab, and when I selected Wipe File on kbiwkmhkqkfyqu under the Hidden Services tab, it said it was removed successfully, but it remained there.

When I attempted to run ComboFix, it failed yet again (and I realized the loading bar is gray and not green, don't know where I got that from). When I attempt to run ComboFix, I do notice some mysterious processes appearing and then disappearing while ComboFix.exe appeared and then, also, disappeared.

The processes were:
  • swreg.exe (sometimes two or three.)
  • lsm.exe
  • n.pif (constantly disappears and reappears until ComboFix.exe is gone. I was thinking this was to prevent me from terminating it.)
Thanks for your continuing support. :thumbup2:

Edited by Goomba, 18 August 2009 - 07:51 PM.
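Every file JSntgRvr picked out of the RootRepeal report in post #8, and the hidden service from the same post, starts with the same six letters, kbiwkm, followed by an otherwise random name, and they span four file types (.dat, .dll, .sys, .tmp) across system32, drivers and Temp. That shared prefix is what a defender can look for mechanically in a file listing. The script below is an added example, not code from the thread, from BleepingComputer or from RootRepeal: it groups file names by their first six characters, reports prefixes shared by several files of mixed types, and then checks whether any service name carries a flagged prefix, the way the kbiwkmhkqkfyqu service does here. The kbiwkm names are the ones posted; the other file names and the service list are constructed for contrast, and the thresholds are assumptions to tune.

```python
import ntpath          # splits Windows paths correctly on any platform
from collections import defaultdict

PREFIX_LEN = 6         # length of the shared prefix to group on (assumption)
MIN_FILES = 4          # files that must share a prefix before it is reported
MIN_EXTENSIONS = 2     # ...and across how many distinct extensions

# Constructed listing: the kbiwkm* names are those posted in the thread; the
# rest are ordinary Windows XP system32 file names added for contrast.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\kbiwkmclbukhtm.dat",
    r"C:\WINDOWS\system32\kbiwkmexmxtitu.dll",
    r"C:\WINDOWS\system32\kbiwkmicxftimj.dat",
    r"C:\WINDOWS\system32\kbiwkmiurnldeq.dll",
    r"C:\WINDOWS\system32\kbiwkmnsmcolre.dat",
    r"C:\WINDOWS\system32\kbiwkmpqxtmbft.dat",
    r"C:\WINDOWS\system32\kbiwkmqjxvnixv.dll",
    r"C:\WINDOWS\system32\kbiwkmqxuschon.dll",
    r"C:\WINDOWS\system32\kbiwkmtbplnron.dll",
    r"C:\WINDOWS\system32\kbiwkmxexyycyl.dll",
    r"C:\WINDOWS\Temp\kbiwkmyuscscoure.tmp",
    r"C:\WINDOWS\system32\drivers\kbiwkmevypadta.sys",
    r"C:\WINDOWS\system32\msxml3.dll",
    r"C:\WINDOWS\system32\msxml3r.dll",
    r"C:\WINDOWS\system32\msxml6.dll",
    r"C:\WINDOWS\system32\msvcrt.dll",
    r"C:\WINDOWS\system32\msvcp60.dll",
    r"C:\WINDOWS\system32\netlogon.dll",
    r"C:\WINDOWS\system32\scecli.dll",
    r"C:\WINDOWS\system32\drivers\beep.sys",
]

# Constructed service list: the first name is the hidden service from the thread.
SAMPLE_SERVICES = ["kbiwkmhkqkfyqu", "CryptSvc", "Eventlog", "PlugPlay"]

def cluster_by_prefix(paths, prefix_len=PREFIX_LEN):
    """Group paths by the first prefix_len characters of the lower-cased stem."""
    groups = defaultdict(list)
    for p in paths:
        stem, _ext = ntpath.splitext(ntpath.basename(p))
        groups[stem.lower()[:prefix_len]].append(p)
    return groups

def suspicious_prefixes(paths, min_files=MIN_FILES, min_exts=MIN_EXTENSIONS):
    """Return {prefix: [paths]} for prefixes shared by many files of mixed types.

    Legitimate families (msxml3.dll / msxml3r.dll) are small and single-typed,
    so they fall under the thresholds; a random-prefix set like kbiwkm* does not.
    """
    result = {}
    for prefix, members in cluster_by_prefix(paths).items():
        exts = {ntpath.splitext(m)[1].lower() for m in members}
        if len(members) >= min_files and len(exts) >= min_exts:
            result[prefix] = sorted(members)
    return result

def services_with_prefix(services, prefixes):
    """Map each flagged prefix to the service names that start with it."""
    return {p: [s for s in services if s.lower().startswith(p)] for p in prefixes}

if __name__ == "__main__":
    flagged = suspicious_prefixes(SAMPLE_FILES)
    for prefix, members in flagged.items():
        print(f"prefix {prefix!r}: {len(members)} files")
        for m in members:
            print("   " + m)
    for prefix, names in services_with_prefix(SAMPLE_SERVICES, flagged).items():
        print(f"services sharing {prefix!r}: {names}")
```

With these inputs only kbiwkm is reported (12 files, 4 extensions) and the service kbiwkmhkqkfyqu is tied to it, which is exactly the grouping JSntgRvr did by eye in post #8. A real listing would come from a tool that can see hidden files, as the thread's RootRepeal scans do; a plain directory walk misses items the rootkit hides, which is why the service in post #9 could be "removed successfully" and still be there.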


#10 JSntgRvr

Posted 18 August 2009 - 09:24 PM

Please run RootRepeal once again and post its report.

Download Win32kDiag.exe. Run it, it will create a file "Win32kDiag.txt" on the desktop. Post the contents of that report.



#11 Goomba

Posted 18 August 2009 - 10:28 PM

Win32kDiag Log:

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\dumprep.exe


...And the RootRepeal log, as you requested, sir.

Attached File  RootRepeal.txt   20.2KB   33 downloads

Edited by Goomba, 18 August 2009 - 10:28 PM.


#12 JSntgRvr

Posted 19 August 2009 - 12:18 AM

Hi, Goomba :thumbup2:

Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, open the folder and click on the RunMe.bat. The computer will restart.

After the restart, please post a fresh RootRepeal report and attempt to run Combofix.



#13 Goomba

Posted 19 August 2009 - 12:50 PM

Ran Win32Fix successfully.

Scanned with RootRepeal again, it seems that those programs are back along with new ones that are similar.

ComboFix still unfortunately is unable to run.

(By the way, this whole time I've been running in Safe Mode as the virus pop-ups don't happen there, in case you needed to know.)

Attached File  RootRepeal.txt   23.73KB   32 downloads

#14 JSntgRvr

Posted 19 August 2009 - 01:34 PM

Hi, tom fordo :thumbup2:

Please download MBR.EXE by GMER. Save the file in your Root directory, C:\, then bring your computer to a Command prompt.

Go to Start -> Run, type CMD and click OK. At the prompt type the following and press Enter after each command:

cd C:\
MBR.EXE -f


The program will attempt to fix the Master Boot Record and will produce a report. Post the contents of that report in your next reply.

Type Exit at the Command prompt and press Enter to return back to Windows.

Run RootRepeal as instructed earlier, attempt to locate the following file and wipe it:

C:\WINDOWS\system32\drivers\kbiwkmpardlloo.sys

If successful, run Combo-Fix.



#15 Goomba

Posted 19 August 2009 - 02:12 PM

Successfully ran MBR:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !


I then scanned with RootRepeal again, and wiped the file C:\WINDOWS\system32\drivers\kbiwkmpardlloo.sys as advised.

Attempted to run ComboFix again, but to no avail. :thumbup2:
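The MBR.EXE report in post #15 says "user & kernel MBR OK" and then, two lines later, "malicious code @ sector 0x012A14C03 !". The two are not in conflict: the OK line only records that the boot record read from user mode and from the kernel agree, while the later lines report a stored copy of the MBR, malicious code and a PE image in sectors beyond it. Reading only the OK line would give a false clean. The parser below is an added example, not code from GMER or from the thread: it turns such a report into a structured result and derives a verdict that treats any flagged sector as suspicious regardless of the OK line. The first sample is the report as posted; the second is constructed to show what a report with nothing flagged looks like.

```python
import re

# Report as posted in the thread.
POSTED_REPORT = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !
"""

# Constructed report for a disk on which the tool flags nothing.
CONSTRUCTED_CLEAN_REPORT = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

SECTOR = r"(0x[0-9A-Fa-f]+)"
# Line shapes taken from the posted report; each captures the sector number.
PATTERNS = {
    "mbr_copy":  re.compile(r"copy of MBR has been found in sector " + SECTOR),
    "malicious": re.compile(r"malicious code @ sector " + SECTOR),
    "pe_file":   re.compile(r"PE file found in sector at " + SECTOR),
}
STATUS_LINE = re.compile(r"^(device|user|kernel): .*successfully$")

def parse_mbr_report(text):
    """Extract the status line and every sector the tool flagged.

    Returns a dict with the OK flag, a list of sector numbers per finding
    type, and any line the parser did not recognise (kept so that it is
    never silently treated as clean).
    """
    info = {"user_kernel_match": False, "mbr_copy": [], "malicious": [],
            "pe_file": [], "unparsed": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Stealth MBR") or STATUS_LINE.match(line):
            continue
        if line == "user & kernel MBR OK":
            info["user_kernel_match"] = True
            continue
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                info[key].append(int(m.group(1), 16))
                break
        else:
            info["unparsed"].append(line)
    return info

def verdict(info):
    """'clean' only when nothing was flagged; the OK line alone is not enough."""
    if info["malicious"] or info["pe_file"] or info["mbr_copy"]:
        return "suspicious"
    if info["unparsed"] or not info["user_kernel_match"]:
        return "unknown"
    return "clean"

if __name__ == "__main__":
    for label, text in (("posted", POSTED_REPORT), ("constructed", CONSTRUCTED_CLEAN_REPORT)):
        info = parse_mbr_report(text)
        flagged = {k: [hex(s) for s in info[k]] for k in ("mbr_copy", "malicious", "pe_file")}
        print(f"[{label}] verdict={verdict(info)} ok_line={info['user_kernel_match']} {flagged}")
```

For the posted report the verdict is "suspicious" with one sector in each category, even though the OK flag is set; for the constructed report it is "clean". Unrecognised lines yield "unknown" rather than "clean", so a newer tool version with different wording fails towards a manual look instead of a false negative.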



