Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Malware, thoughts or advise?


  • Please log in to reply
8 replies to this topic

#1 steve777

steve777

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 06 December 2009 - 01:43 AM

My PC had been fairly clean until about 4 days ago. At that point Ad-Aware free stopped running, and same with Spybot S&D (well it ran part way and then error-ed out). I have looked for obvious things, and tried a few things with little success:

A clean re-install of Spybot S&D with a rename of the exe, seems to help. At least the program will run completely now, although it does not find anything.

Can't seem to reinstall Ad-aware and get a working version. It complains that it can't find an entry point in Kernel32.dll???

My regular virus checker scans clean.

I am seeing some files corrupted (spybot reports it was changed, and chkdsk finds errors).

I suppose it could be random HW failures, but it seems very suspicious that it is two anti-spyware/malware programs that are effected, repeatedly.

I know this isn't alot to go on, but do these symptoms ring any bells? Any malware that I should investigate? next steps?

TIA

BC AdBot (Login to Remove)

 


#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:04 PM

Posted 06 December 2009 - 10:12 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. The bullet the immediate notification bubble. Then press submit.



Lets take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#3 steve777

steve777
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 07 December 2009 - 05:15 PM

I tried Malwarebytes, scan below. It did find some registry entries, and removed them. However the symptoms did not improve after this sweep.

I also tried Windows update, and found some .NET SP's that I was missing. Oddly enough, or maybe just coincidence, after the .NET updates and a reinstall, all of the symptoms seem to be better. Ad-Aware, Spybot and Malwarebytes all appear to be running normally, and no odd crashes of the system have happened (although it may be too soon to say with certainty just yet). It seems odd that just the .NET update could have fixed things. The Malwarebytes scan did find something, but removing it alone didn't seem to improve things.

Thoughts, suggestions? Is the problem cured? (Malwarebytes log below)

TIA


Malwarebytes' Anti-Malware 1.42
Database version: 3303
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/6/2009 12:14:41 AM
mbam-log-2009-12-06 (00-14-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 191667
Time elapsed: 46 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 azfreetech

azfreetech

  • Members
  • 182 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Mesa, AZ
  • Local time:01:04 PM

Posted 07 December 2009 - 05:19 PM

I run SUPERAntiSpyware in conjunction with MBAM as if will usually find more items after MBAM scans have been completed. Install SUPERAntiSpyware, update and run it. Clear everything it finds as well. Keep in mind that if you have more than one profile, each will need to be scanned individually with SUPERAntiSPyware.
DJ Digital Gem

I gave up on computers and now I just DJ!

#5 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:04 PM

Posted 07 December 2009 - 05:22 PM

Please use these instructions for running SAS, which I would have had you do next:

Please run ATF and SAS:

Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note 2: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Edition

Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.



Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
Computer Pro

#6 steve777

steve777
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 07 December 2009 - 11:17 PM

Thanks.

Ran Atf & Super as requested, log below.

Some new strangeness. For a while the PC appeared to be normal again. However after the first scan with super and a reboot, I have seen two BSOD about memory errors. Odd in that I have not had memory problems prior to this. Also odd in that Super found MSBlaster, yet spybotSD and Ad-aware had not found it in scans which were done just prior to this one.

Anyhow, FWIW the log is below. Any ideas?


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/07/2009 at 05:14 PM

Application Version : 4.31.1000

Core Rules Database Version : 4343
Trace Rules Database Version: 2192

Scan type : Complete Scan
Total Scan Time : 01:27:43

Memory items scanned : 512
Memory threats detected : 0
Registry items scanned : 4964
Registry threats detected : 0
File items scanned : 69477
File threats detected : 1

MSBlast Internet Worm
C:\WINDOWS\SYSTEM32\MSBLAST.EXE

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:04 PM

Posted 07 December 2009 - 11:42 PM

You have the Blaster Worm virus..

This threat exploits the MS03-026 vulnerability. The purpose of the virus is to spread to as many machines as possible. By exploiting an unplugged hole in Windows, the virus is able to execute without requiring any action on the part of the user. The worm also creates a remote access point, allowing an attacker to run system commands at their choosing.

It is imperative that infected systems are patched prior to disinfecting a system. Some systems may be in a “crash loop” where each time the system is restarted, SVCHOST.EXE crashes and the user has 60 seconds before the system restarts. This action can continue to happen even after the virus is removed if the patch is not applied. It may be necessary to install/configure a firewall prior to downloading/installing this patch. Microsoft has outlined the necessary steps to address Windows issues when removing this virus. These actions should be taken prior to removing the virus (see below).

from vil.nai

•What You Should Know About the Blaster Worm

Are all your Windows updates complete?
Apply the Apply the MS03-039 patch
Open Task manager ( CTRL+SHIFT+ESC) click the Processes tab. Terminate msblast.exe if running.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Rerun SUPER also... Post back 2 logs.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 steve777

steve777
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 08 December 2009 - 01:39 AM

Opps. Should have mentioned that when MSBlaster was found before I removed it. And the remove seems to have worked. The infected exe is in the quarantine area, and no further signs of an MSBlaster infection are present (could not find any of the listed files it goes under, nor any of its reg entries, nor is it listed in task manager).

I did check with WindowsUpdates, and the PC is up to date with all security upgrades (and was prior to running SAS).

I did update SAS and MBAM and re-ran them, log below; they did not find anything.

FWIW, when the last BSOD came up it was while I was re-running SAS???

I suppose it is possible that the PC has some memory issues which just developed. Then again, it is suspicious that they only seem to effect spy/malware programs. Any thoughts?

TIA

Here are the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/07/2009 at 10:48 PM

Application Version : 4.31.1000

Core Rules Database Version : 4343
Trace Rules Database Version: 2192

Scan type : Complete Scan
Total Scan Time : 01:29:51

Memory items scanned : 474
Memory threats detected : 0
Registry items scanned : 4963
Registry threats detected : 0
File items scanned : 69557
File threats detected : 0




Malwarebytes' Anti-Malware 1.42
Database version: 3316
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/7/2009 11:24:13 PM
mbam-log-2009-12-07 (23-24-13).txt

Scan type: Quick Scan
Objects scanned: 111350
Time elapsed: 6 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:04 PM

Posted 08 December 2009 - 07:37 AM

Ok, how are things running now?
Computer Pro




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users