Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Not Too bad...C.exe problems and others


  • This topic is locked This topic is locked
16 replies to this topic

#1 eamondonovan

eamondonovan

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:14 AM

Posted 13 December 2009 - 04:39 PM

I don't think I am too bad off, I think I got a bad torrent, and crashed pretty bad. Upon a restart, I couldn't even get back to Windows. Borrowed a Vista boot disk...repaired issues that wouldn't allow me to get to windows. Running in safe mode now and found C.exe in startup issues through Windows Defender. Now, running in normal mode...when in IE if I click a link it redirects me, to an array of different thing...shopping, and others!! Oh, and I tried running RootRepel and as I try to run a scan it stops, goes to a blue screen that says a bunch of things are wrong and counts down a dump and then restarts, (to the screen where I choose in what mode). So, unfortunatly all I have for you right now is the DDS and Attach text files, if there is an alternative to RootRepel I'll run that and pass that along.

Thank You for all that you do!!!
Eamon Donovan

Attached Files



BC AdBot (Login to Remove)

 


#2 eamondonovan

eamondonovan
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:14 AM

Posted 16 December 2009 - 09:07 AM

Update!! For those that have read my post....thank you!....I begining to need more help!!... I saw a message this morning about Vuendo virus. I think my problem is getting worse and could use some help...Thank You!

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:14 AM

Posted 26 December 2009 - 07:37 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
Posted Image
m0le is a proud member of UNITE

#4 eamondonovan

eamondonovan
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:14 AM

Posted 26 December 2009 - 09:02 AM

I'm here.... Thank you so much!! Just another note I noticed the other day.... I cannot get to my task manager and when I was in control panel and tried to get there through another way, it said that task manager was disabled by administrator!??! Again thank you so much!! I look forward to hearing from you!

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:14 AM

Posted 26 December 2009 - 10:18 AM

C,exe is a file from a new strain of rogue antivirus which, as you now now, also often brings along a rootkit which messes around with your settings. We could waste time trying to run a rootkit scanner but as we have an ID on the likely culprit we can go straight in here.


Let's run two programs which should calm down the grip on the PC

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
Next please run Combofix.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Let me know if you have any problems with any step.

Thanks :(
Posted Image
m0le is a proud member of UNITE

#6 eamondonovan

eamondonovan
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:14 AM

Posted 26 December 2009 - 10:37 AM

exeHelper by Raktor
Build 20091220
Run at 10:35:03 on 12/26/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\Windows\system32\critical_warning.html
Deleting file C:\Users\Eamon\Local Settings\Temp\JDStart.exe
Deleting file C:\Users\Eamon\Start Menu\Programs\Startup\scandisk.dll
Deleting file C:\Users\Eamon\Start Menu\Programs\Startup\scandisk.lnk
Deleting file C:\Users\Eamon\Start Menu\Programs\Startup\Windows Updater.lnk
Checking for bad registry entries...
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


I am moving on to Rkill now!

#7 eamondonovan

eamondonovan
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:14 AM

Posted 26 December 2009 - 10:48 AM

ok, just ran Rkill, seemed to be running fine in little black box, then everything starting popping up saying that it has encounered a problem and needs to shut down, and wanted to send information for solutions.( IE, NTI back up, windows defender tray, iTunes helper, Etc. etc. ) After coming back to IE i noticed Windows Defender was doing a scan, so I stopped it and it had already found this. Should I just have Defender Remove it? I'll pause here in your steps and wait for reply. Thanks a lot!!

Trojan:Win32/Agent.FY


Category:
Trojan

Description:
This program is dangerous and exploits the computer on which it is run.

Advice:
Remove this software immediately.

Resources:
file:
C:\$RECYCLE.BIN\S-1-5-21-3914298812-2466529392-314928824-1000\$RSD3VHE.rar->Intuit.QuickBooks.2009.Premier with activator\Setup.exe->(nsis-5-$(ENVVAR)\EULA.exe)->(RarSfx)->svcchst32.exe->(nsis-instdata)

containerfile:
C:\$RECYCLE.BIN\S-1-5-21-3914298812-2466529392-314928824-1000\$RSD3VHE.rar

View more information about this item online

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:14 AM

Posted 26 December 2009 - 11:06 AM

Ignore it at the moment and run Combofix, it should remove Agent that Windows Defender has found. Make sure you disable Windows Defender and any other realtime protector first.
Posted Image
m0le is a proud member of UNITE

#9 eamondonovan

eamondonovan
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:14 AM

Posted 26 December 2009 - 11:53 AM

Here is the ComboFix log.

Attached Files



#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:14 AM

Posted 26 December 2009 - 05:48 PM

Good start there, there's still some Vundo present so we are going to run Combofix again but slightly differently.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\crt.dat

Folder::
c:\programdata\runekemo
c:\programdata\nalizive
c:\programdata\rekiwipe
c:\programdata\rajijuve
c:\programdata\mejowufe
c:\programdata\gadolaye


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

How is the PC running now?
Posted Image
m0le is a proud member of UNITE

#11 eamondonovan

eamondonovan
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:14 AM

Posted 26 December 2009 - 06:21 PM

Here is new log and so far PC is running better, I have not done a reboot, should I?? I noticed prior to second Combofix run that when I would click on links while surfing, I would be redirected elsewhere. If I close IE, re-open then I usually can get where I want to go. Thank you again for everything.

Attached Files



#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:14 AM

Posted 26 December 2009 - 06:56 PM

Please reboot and then run MBAM

Please download Posted Image Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Let me know if the redirects have gone for good. :(
Posted Image
m0le is a proud member of UNITE

#13 eamondonovan

eamondonovan
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:14 AM

Posted 26 December 2009 - 10:14 PM

So far so good with the redirects. here is the log report. I did have a message upon reboot saying Catalyst Control stopped working and needed to shut down, not sure what that goes to, but nothing bad as far as performace to PC.

Malwarebytes' Anti-Malware 1.42
Database version: 3436
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18828

12/26/2009 10:05:46 PM
mbam-log-2009-12-26 (22-05-46).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 240584
Time elapsed: 47 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Videocan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\bvnidya.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\kvkrmea.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\rinl.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\ProgramData\gadolaye\gadolaye.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\ProgramData\mejowufe\mejowufe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\ProgramData\rajijuve\rajijuve.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\ProgramData\rekiwipe\rekiwipe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\ProgramData\runekemo\runekemo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\Eamon\ntload.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\Eamon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\System32\kbdatat4.dll.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\System32\kbupdate.dll.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\System32\notepad.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\System32\zv2i5nu2.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:14 AM

Posted 27 December 2009 - 07:31 AM

MBAM has picked off the last of the FakeAlert and also deleted all the quarantined items in Combofix. Redirections shouldn't be returning now but we still have some things to do.

We need to look for infected files

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Thanks. :(
Posted Image
m0le is a proud member of UNITE

#15 eamondonovan

eamondonovan
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:14 AM

Posted 27 December 2009 - 09:32 AM

here you go!

C:\Qoobox\Quarantine\C\Windows\System32\crt4.dll.vir Win32/Delf.OWG trojan cleaned by deleting - quarantined


yes... that is correct it only found one infected file. :(




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users