Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

WinRAR, b.exe/Monopod infection?


  • This topic is locked This topic is locked
8 replies to this topic

#1 JHarper

JHarper

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:06 PM

Posted 01 September 2009 - 05:06 PM

Hello, I am new here and have rarely posted to any public forum. I hope I am following the proper procedures.

I have been trying to help my father with his computer, which seems to be infected. On Saturday, he downloaded and installed a program called WinRAR; shortly after he started using it, his Antivirus Program (ESET NOD32) detected a suspicious file -- possibly named a.exe or b.exe (my dad couldn't remember). I think the AV program attempted to delete it. At this point, my dad got worried and called me. I did a bit of searching and found that corrupted versions of the WinRAR program contained trojans, so I tried to uninstall WinRAR using Windows Add/Remove Programs. Then I ran another virus scan, and it said no infected files found.

I thought everything might be okay, but while the scan had been running, pop-ups appeared (for gaming sites, I think), so I looked at the log of the virus scan and it appeared that almost all the entries were "file access denied". Curious, I tried to run MalwareBytes, which shut down as soon as the scan started and thereafter gave the error message "Windows Cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." This also happened when I tried to run HiJackThis.

I am by no means a computer expert, but I've found that in the past, researching and patient persistence will usually let me solve the problem. I think I am in over my head this time. These are the things I have tried: System Restore (last 2 Restore points) -- could not restore; rebooting in Safe Mode -- same problems with MalwareBuytes and HiJackThis, and Autoruns; using a program called Startup to disable Monopod>b.exe from starting -- repeatedly unsuccessful. I ran CCleaner, which didn't help, and downloaded and ran a program called Avira, which turned out to require purchase (and seemed suspect). I also tried to run some kind of spyware removal scan on the Microsoft website, but it shut down Internet Explorer during the scan, and then denied access to IE. Fortunately, Firefox seems to still work, although I noticed that many of the Google searches I tried were being redirected.

Mostly I have been searching on my own computer, which brought me here. I would be truly grateful for any assistance you can give me.

My father's computer is a Dell Inspiron 530 (about 1 year old), Intel® Pentium® Dual CPU,E2200 @ 2.20GHz, 1.18GHz 1.99 GB of RAM running Windows XP Professional Version 2002, Service Pack 2.

Please let me know if you need further information. Thanks, Julia

BC AdBot (Login to Remove)

 


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:06 PM

Posted 01 September 2009 - 07:05 PM

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check only the Files box: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 JHarper

JHarper
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:06 PM

Posted 01 September 2009 - 08:22 PM

Thank you for your reply.

I followed the instructions you gave me, and after RootRepeal began scanning, the first 2 entries said "Locked to the API!" and then the program shut down. When I tried to run it again, I was denied access. I downloaded and tried to run RootRepeal again, and received the error message: "Could not load driver (0xc0000035)!"

If there was a log generated, I don't know how to find it. Please advise.

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:06 PM

Posted 01 September 2009 - 08:29 PM

If you can, run the scan again but this time do the Drivers scan.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 JHarper

JHarper
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:06 PM

Posted 01 September 2009 - 08:31 PM

Thank you, but it will not allow me to access the program at all.

#6 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:06 PM

Posted 01 September 2009 - 08:33 PM

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#7 JHarper

JHarper
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:06 PM

Posted 02 September 2009 - 08:38 PM

I ran the Sophos Anti-Rootkit Scan as directed. There were no items marked as Removable: Yes (clean up recommended), but I restarted and ran the scan again anyway. This is the log:

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 9/2/2009 at 20:47:13 PM
User "Robert" on computer "DADSINSPIRON"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe
Hidden: file C:\Autoruns\autoruns.exe
Hidden: file C:\Documents and Settings\Robert\My Documents\Downloads\RootRepeal.exe
Hidden: file C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Hidden: file C:\WINDOWS\system32\eventlog.dll
Stopped logging on 9/2/2009 at 20:58:29 PM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 9/2/2009 at 21:08:52 PM
User "Robert" on computer "DADSINSPIRON"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe
Hidden: file C:\Autoruns\autoruns.exe
Hidden: file C:\Documents and Settings\Robert\My Documents\Downloads\RootRepeal.exe
Hidden: file C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Hidden: file C:\WINDOWS\system32\eventlog.dll
Stopped logging on 9/2/2009 at 21:16:28 PM

Thanks for your help. Please let me know what I should do next.

#8 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:06 PM

Posted 02 September 2009 - 10:06 PM

I think it's time to head on over to the HijackThis forum for a closer look.

Preparation Guide for use before posting a HijackThis Log

Go straight to Step 6. If you cannot get DDS or RootRepeal to run just post your Sophos log (with an explaining note).

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#9 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,110 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:06 PM

Posted 03 September 2009 - 09:20 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/254969/winrarbexemonopod-possible-rootkit-infection/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


animinionsmalltext.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users