
Possible Virut infection - lots of tools tried


11 replies to this topic

#1 madasalorry


Posted 30 November 2009 - 03:39 PM

Hi

I got infected about 10 days ago.

I have followed numerous threads on here and other places to try and find a solution, to no avail.

I have a Dell Latitude D630 running XP SP2

I have run AVG which detected initial infections, then got infected itself and stopped detecting. (I have a log)

I have run Ad-Aware and found infections but couldn't remove them.
Ran GMER - found "MODULE (noname)(***hidden***)"
Have run Dr Web Cure.IT

Ran GMER - I have a log below - one thing it found was:
Ran smitfraud
Ran combofix and have the log if you need it.

My machine now flashes up a warning message on start up that the drive may contain an infection.

I am stuck and really don't know what to do - I know it is creating lots of files.

I am on my spare machine (Mac) for this so I can follow responses. I have physically disconnected my infected machine from the net.

I also have a desktop which has the same issue and is disconnected - will post a separate thread for this if the same cure doesn't solve it.

Thanks in advance for the help guys - this seems to be best place to get this fixed from what i have seen.

MAAL

GMER log from 30 Nov 09

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-30 21:50:08
Windows 5.1.2600 Service Pack 2
Running: humbug.exe; Driver: C:\DOCUME~1\Howard\LOCALS~1\Temp\uwtyipow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----

Edited by madasalorry, 30 November 2009 - 05:00 PM.




#2 Orange Blossom


Posted 30 November 2009 - 04:49 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 madasalorry


Posted 01 December 2009 - 12:47 PM

Can ANYONE help with this?

It appears to be a growing issue.

I have since tried more combofix.exe -killall (nothing changed)
Tried mmbr.exe, which showed "copy of MBR in sector 62"
Tried mbr.exe -f and the same showed
Tried FixMeBroot.exe - nothing found

But I still have this sector 62 infection.


Please help
(All logs available on request)

Thanks
HB

#4 extremeboy


Posted 06 December 2009 - 08:45 PM

Hello.

Please don't post the Combofix log.

I want to see a new GMER scan.

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double-click the GMER icon on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

You don't have a MBR r/k infection from that previous log. I'll talk more about this after I see the new GMER log.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to donate.

#5 madasalorry


Posted 07 December 2009 - 02:16 PM

Hi

Thanks for your reply.

Here is my GMER log file (renamed GMER to prevent detection).



GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-07 19:08:53
Windows 5.1.2600 Service Pack 3
Running: gmhber.exe; Driver: C:\DOCUME~1\Howard\LOCALS~1\Temp\uwtyipow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA84CF0B0]

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----


So, it looks like the only thing is the rootkit detected.

I also have an undeletable file in my C:\Recycler folder which keeps renaming itself, despite cleaning with Cyberscrub etc.
It often names itself something like "S-1-5-25-XXXXXXXX" or something similar, which relates to a hive issue that was highlighted during a previous attempt to solve this.


Appreciate your help. This is my third week tackling this problem and looking online. I have found no sensible solutions yet - just people suggesting the same old scans to no avail. I hope this works out differently.

MAAL

#6 extremeboy


Posted 07 December 2009 - 04:18 PM

Hello.

Are you talking about a hidden folder that looks like this:
C:\RECYCLER\S-1-5-21-682003330-839522115-1343024091-1003

> I also have an undeletable file in my C:\Recycler folder which keeps renaming itself, despite cleaning with Cyberscrub etc.
> It often names itself something like "S-1-5-25-XXXXXXXX" or something similar, which relates to a hive issue that was highlighted during previous attempt to solve this

I'm not quite understanding what you mean by this "hive" issue you are referring to. Please let me know so I have a better understanding.

The RECYCLER folder itself is hidden and is normal on XP machines. I have it too; it's basically the Recycling Bin. The folder within the RECYCLER folder ("S-1-5-25-XXXXXXXX") you're referring to is not supposed to be removed and has permissions and protection on it, which is why you can't delete it. I can't delete it either just through Windows Explorer unless certain things are modified. However, what I want to know is why do you want to delete it? Is it causing you problems? Are there files within the "S-1-5-25-XXXXXXXX" folder that are malicious and you can't delete? Please let me know.

---
That GMER log of the disk sector is fine and you don't need to worry about it at all. You don't have a rootkit infection.

With Regards,
Extremeboy
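The point made above about the "sector 62: copy of MBR" entry can be verified offline. This is an added example, not code from the thread or from GMER: it reads a raw disk image (a constructed one here), reports which early sectors are byte-identical to sector 0 (a plain backup of the MBR, which is what GMER flagged), and, as an extra check beyond the thread, also reports sectors that share the partition table but carry different boot code.

```python
SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
PT_OFFSET = 446  # the 4 x 16-byte partition table starts here, followed by 55AA


def read_sector(image: bytes, lba: int) -> bytes:
    """Return one 512-byte sector from a raw disk image (an offline copy of the drive)."""
    start = lba * SECTOR_SIZE
    sector = image[start:start + SECTOR_SIZE]
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"sector {lba} lies outside the image")
    return sector


def classify_early_sectors(image: bytes, last_lba: int = 63) -> dict[int, str]:
    """Compare sectors 1..last_lba with the MBR in sector 0.

    A sector that is byte-identical to sector 0 is a plain backup: this is the
    'copy of MBR' GMER reported for sector 62 in the thread.  A sector that
    shares the partition table and signature but has different bootstrap code
    is not a plain backup and deserves a closer look (added check).
    """
    mbr = read_sector(image, 0)
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("sector 0 carries no 55AA boot signature")
    findings = {}
    for lba in range(1, last_lba + 1):
        sector = read_sector(image, lba)
        if sector == mbr:
            findings[lba] = "copy of MBR"
        elif sector[PT_OFFSET:] == mbr[PT_OFFSET:]:
            findings[lba] = "same partition table, different boot code"
    return findings


def build_sample_image() -> bytes:
    """Constructed 64-sector image: an MBR in sector 0 and a backup of it in sector 62."""
    boot_code = (bytes(range(256)) * 2)[:PT_OFFSET]  # stand-in for real bootstrap code
    # One active NTFS-type entry (type 0x07) starting at LBA 63, 1000 sectors long.
    entry = bytes([0x80, 0, 1, 0, 0x07, 0, 0, 0]) + (63).to_bytes(4, "little") + (1000).to_bytes(4, "little")
    mbr = boot_code + entry + bytes(48) + BOOT_SIGNATURE
    sectors = [bytes(SECTOR_SIZE)] * 64
    sectors[0] = mbr
    sectors[62] = mbr
    return b"".join(sectors)


if __name__ == "__main__":
    for lba, verdict in classify_early_sectors(build_sample_image()).items():
        print(f"sector {lba}: {verdict}")
```

On a real system the image would be a forensic copy of the first few hundred sectors of the drive, taken from an offline boot environment.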

#7 madasalorry


Posted 07 December 2009 - 05:22 PM

>I'm not quite understanding what you mean by this "hive" issue you are referring to. Please let me know to have a better understanding.

OK, when I ran initial scans and had to try a reinstall, I got an error on the setup console with a reference to a corrupted hive at the address given.

After a successful reinstall this issue didn't appear, but I did have a warning at startup that the disc might be infected. I finally have it working and at the state you see it now. But it was weird to see the same address ref'd by this file in C:\Recycler...

thanks for your help dude, once again, appreciated.

#8 extremeboy


Posted 07 December 2009 - 06:20 PM

You're welcome.

Just from those logs I can't confirm that you are clean though. Do you want to run a few scans to see if they detect or find anything?

Glad your original problem is resolved now.

#9 madasalorry


Posted 07 December 2009 - 07:07 PM

I'll run a couple of scans and post tomorrow, just to be sure. Was such a pain to remove.

thanks.

#10 extremeboy


Posted 07 December 2009 - 08:49 PM

Okay. I suggest you run a scan with Malwarebytes and see if it detects anything followed by an online scan. The online scan may take a while.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check "Remove found threats"
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Back button.
  • Push Finish
You can refer to this animation by neomage if needed.

#11 madasalorry


Posted 09 December 2009 - 12:48 PM

Hi

Here is the MBAM log file

Malwarebytes' Anti-Malware 1.42
Database version: 3331
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

09/12/2009 17:48:19
mbam-log-2009-12-09 (17-48-19).txt

Scan type: Quick Scan
Objects scanned: 112271
Time elapsed: 3 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 extremeboy


Posted 09 December 2009 - 04:51 PM

Post the ESET scan upon completion.

Thanks.

~EB



