
Malware, Spyware, Virus? I don't know


This topic is locked
11 replies to this topic

#1 Chefdon (Members, 46 posts)

Posted 06 March 2010 - 02:07 PM

I am running XP Home with McAfee.


Last week I got the redirect spyware in my comp that was redirecting my searches to Asklots.

I looked it up here, and downloaded ATF and SuperAntiSpyware.

They found 4 infected files and removed them.

Yesterday, I started getting a window popping up saying Generic host process for win32 has performed an illegal function and must close.

Also got a DEP message.

I looked those up, downloaded Malwarebytes and found 2 infected files.

Now McAfee is popping up every 5 minutes with found trojans.

Artemis!45D5D8D52216 (Trojan), Artemis!45D5D8D52216 (Trojan)
Location: C:\WINDOWS\TEMP\khfp.tmp

I've emptied all my cookies and TIFs but it's still happening.


What's next?



#2 Chefdon (Topic Starter, Members, 46 posts)

Posted 06 March 2010 - 02:20 PM

Also, here is a screencap of my temp folder.

[screenshot not reproduced]

#3 Chefdon (Topic Starter, Members, 46 posts)

Posted 07 March 2010 - 08:32 PM

So, I was telling my friend about my PC issues and they told me to turn off System Restore and run ComboFix. Does this sound about right?

Also, now McAfee is detecting:
Detected: Generic.dx!owz (Trojan)
Location: C:\WINDOWS\TEMP\bcoo.tmp\svchost.exe
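
An added example (mine, not part of this thread or of any BleepingComputer tool) that puts the path-level half of that triage into code. Both McAfee detections above sit under C:\WINDOWS\TEMP, and the second one is an svchost.exe inside a randomly named .tmp folder instead of under system32, which is the layout a dropper uses rather than anything Windows installs. The sample alerts, the list of system binary names and the allowed system directories below are all constructed for the example:

```python
import ntpath
import re

# Constructed sample alerts modelled on the McAfee detections quoted in this
# thread, as (detection name, path) pairs. This is not real McAfee log output.
SAMPLE_ALERTS = [
    ("Artemis!45D5D8D52216", r"C:\WINDOWS\TEMP\khfp.tmp"),
    ("Generic.dx!owz", r"C:\WINDOWS\TEMP\bcoo.tmp\svchost.exe"),
    # Constructed control case: the genuine svchost.exe in its normal location.
    ("Generic.dx!owz", r"C:\WINDOWS\system32\svchost.exe"),
]

# Names of core Windows binaries that droppers commonly borrow. Assumption: on
# XP a legitimate copy of each lives under %SystemRoot%\system32 (or the
# servicing stores), never under a temp directory.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe",
                       "winlogon.exe", "services.exe", "smss.exe"}
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64",
                     "c:\\windows\\winsxs")
TEMP_DIR_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".scr", ".com")
# A path component named like a temp file (bcoo.tmp\) used as a folder.
TMP_FOLDER_RE = re.compile(r"\\[^\\]+\.tmp\\[^\\]+$")


def triage_path(path):
    """Return the reasons a detected path looks like malware staging.

    An empty list means nothing about the location itself is unusual; the
    detection name still has to be judged on its own.
    """
    p = path.lower()
    name = ntpath.basename(p)
    parent = ntpath.dirname(p)
    reasons = []
    # Anything dropped under a temp directory is staging, not an install.
    if any(marker in parent + "\\" for marker in TEMP_DIR_MARKERS):
        reasons.append("lives under a temp directory")
    # A system-binary name outside the system directories is impersonation.
    if name in SYSTEM_BINARY_NAMES and not parent.startswith(LEGIT_SYSTEM_DIRS):
        reasons.append(name + " outside a system directory")
    # A .tmp-named folder holding an executable is a typical dropper layout:
    # the folder name is random and looks disposable to a casual glance.
    if name.endswith(EXECUTABLE_EXTS) and TMP_FOLDER_RE.search(p):
        reasons.append("executable inside a .tmp-named folder")
    return reasons


def triage_alerts(alerts):
    """Keep only the alerts whose path raises at least one reason."""
    flagged = []
    for detection, path in alerts:
        reasons = triage_path(path)
        if reasons:
            flagged.append((detection, path, reasons))
    return flagged


if __name__ == "__main__":
    for detection, path, reasons in triage_alerts(SAMPLE_ALERTS):
        print(detection + "  " + path)
        for reason in reasons:
            print("    - " + reason)
```

The control case shows why the check is on the directory, not the name: the same detection name on C:\WINDOWS\system32\svchost.exe raises nothing, and would need the file hash or signature checked instead of being judged by location.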

#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 07 March 2010 - 09:04 PM

Hello there.

Please DO NOT run Combofix. ComboFix is an extremely powerful tool and you should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Further, ComboFix logs are not permitted outside the Malware Removal forum, and then only when requested by a Malware Response Team member.

Additional information here: http://www.bleepingcomputer.com/forums/t/273628/combofix-usage-questions-help-look-here/

---
Let's see what we can do here. ATF Cleaner removes temp files etc., but this won't necessarily remove that file since it's probably active and protected, so additional steps are required.

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link


Download and Run GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double-click the downloaded GMER file on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on the Scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push the Save button and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [link].

#5 Chefdon (Topic Starter, Members, 46 posts)

Posted 07 March 2010 - 09:59 PM

I ran ATF and MBAM the other day.

Malwarebytes' Anti-Malware 1.44
Database version: 3827
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/5/2010 11:00:53 PM
mbam-log-2010-03-05 (23-00-53).txt

Scan type: Quick Scan
Objects scanned: 129923
Time elapsed: 22 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Don\Local Settings\Temporary Internet Files\Content.IE5\QPUQFXWJ\packupdate_build6_258[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.




When I tried to run GMER, it got about halfway through and my PC crashed, twice.

[screenshot not reproduced]
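
An added example (mine, not the thread's or Malwarebytes' code) for reading an MBAM log like the one above rather than skimming it. It parses the summary counts and the per-section items, checks that the counts agree with what was actually listed, and picks out the one finding in this log that matters more than the file itself: both Security Center *DisableNotify values had been set to 1, which is how malware switches off the XP warning that antivirus or the firewall is disabled. The log text is a constructed copy trimmed from the posted one; the parser and the key names it matches are mine:

```python
import re

# Constructed sample, trimmed from the MBAM 1.44 log posted in this thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3827
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 129923
Time elapsed: 22 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Don\Local Settings\Temporary Internet Files\Content.IE5\QPUQFXWJ\packupdate_build6_258[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
""".strip()

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")
SECURITY_CENTER_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\"


def parse_mbam_log(text):
    """Split an MBAM log into its summary counts and per-section item lists."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # a blank line closes the current section
            continue
        m = SUMMARY_RE.match(line)
        if m:                       # "Files Infected: 1" style summary line
            summary[m["section"]] = int(m["count"])
            continue
        if line.endswith(" Infected:"):   # "Files Infected:" section header
            current = line[:-1]
            sections[current] = []
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        item = {"target": m["target"], "detection": m["detection"],
                "action": m["rest"].split(" -> ")[-1]}
        bg = BAD_GOOD_RE.search(m["rest"])   # only registry data items carry this
        if bg:
            item["bad"], item["good"] = bg["bad"], bg["good"]
        sections[current].append(item)
    return {"summary": summary, "sections": sections}


def count_mismatches(parsed):
    """Sections whose header count disagrees with the items actually listed."""
    return [s for s, n in parsed["summary"].items()
            if n != len(parsed["sections"].get(s, []))]


def security_center_tampering(parsed):
    """Security Center *DisableNotify values that were found set to 1.

    A value of 1 suppresses the XP Security Center warning that antivirus or
    the firewall is off, which is why malware sets it.
    """
    hits = []
    for item in parsed["sections"].get("Registry Data Items Infected", []):
        if item["target"].startswith(SECURITY_CENTER_KEY) and item.get("bad") == "1":
            hits.append(item["target"].rsplit("\\", 1)[-1])
    return hits
```

The count cross-check is there because a truncated paste (a log cut off mid-section) is common in forum threads, and a count that no longer matches the listed items is the quickest way to notice it.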

#6 extremeboy (Malware Response Team, 12,975 posts)

Posted 08 March 2010 - 07:57 PM

Hello again.

Can you run RootRepeal for me instead...

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.
  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal.)
  • Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Report tab at the bottom.
  • Now press the Scan button.
  • A box will pop up; check the boxes beside all seven options/scan areas.
  • Now click OK.
  • Another box will open; check the boxes beside all the drives, e.g. C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop.
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.


#7 Chefdon (Topic Starter, Members, 46 posts)

Posted 14 March 2010 - 07:38 AM

Sorry about the delay.

Crazy busy week.

Here is my RootRepeal log.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/03/14 08:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8D0C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\sqlite_4oajd8kqslmrszo
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_7noczmufsb3mfss
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_o15pbbdpiwtoflc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\don\local settings\temp\~df522b.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\don\local settings\temp\~df66ec.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xaa333320

==EOF==
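
An added example (mine, not the thread's and not part of RootRepeal) that reads a RootRepeal report like the one above and separates the expected from the unexpected. The one SSDT hook in this log is NtTerminateProcess hooked by SUPERAntiSpyware's own SASKUTIL.SYS, which is that product doing its job; the allocation-size mismatches are all on scratch files in temp directories that a running program (the McAfee mcmsc_* files) was still writing. The code below parses the sections, lists every SSDT hook, and reports hooks whose driver is not under a constructed allowlist of the security products named in this thread. The log is a constructed copy of the posted one with one extra SSDT entry (example_unknown.sys) added purely to exercise the check; that entry is not from the thread:

```python
import re

# Constructed sample modelled on the RootRepeal log posted in this thread. The
# NtEnumerateValueKey / example_unknown.sys entry is made up for the example.
SAMPLE_LOG = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/03/14 08:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8D0C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\mcmsc_7noczmufsb3mfss
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\don\local settings\temp\~df522b.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xaa333320

#: 66 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\TEMP\example_unknown.sys" at address 0xa9000000

==EOF==
""".strip()

ENTRY_RE = re.compile(r"^#: (?P<index>\d+) Function Name: (?P<func>\w+)$")
HOOK_RE = re.compile(r'Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)')
MISMATCH_RE = re.compile(r"Allocation size mismatch \(API: \d+, Raw: \d+\)")

# Constructed allowlist: directories of the security products named in this
# thread, whose drivers are expected to hook the SSDT. Assumption: any other
# module hooking a service table entry deserves a closer look.
EXPECTED_HOOK_DIRS = ("c:\\program files\\superantispyware\\",
                      "c:\\program files\\mcafee\\",
                      "c:\\program files\\common files\\mcafee\\")
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


def parse_rootrepeal(text):
    """Return {section name: [record dict, ...]} for a RootRepeal report."""
    lines = text.splitlines()
    sections, current, record = {}, None, {}
    for i, raw in enumerate(lines):
        line = raw.strip()
        # A section title is a line immediately followed by a dashed rule.
        if i + 1 < len(lines) and lines[i + 1].startswith("---"):
            current, record = line, {}
            sections[current] = []
            continue
        if line.startswith(("---", "===")) or current is None:
            continue
        if not line:                       # a blank line ends a record
            if record:
                sections[current].append(record)
                record = {}
            continue
        m = ENTRY_RE.match(line)           # "#: 257 Function Name: Nt..."
        if m:
            record["index"], record["function"] = int(m["index"]), m["func"]
        elif ": " in line:                 # "Key: value" lines
            key, value = line.split(": ", 1)
            record[key] = value
    if record and current:
        sections[current].append(record)
    return sections


def ssdt_hooks(sections):
    """Every hooked SSDT entry as {function, module, address}."""
    hooks = []
    for rec in sections.get("SSDT", []):
        m = HOOK_RE.search(rec.get("Status", ""))
        if m:
            hooks.append({"function": rec["function"], "module": m["module"],
                          "address": m["addr"]})
    return hooks


def unexpected_hooks(sections):
    """Hooks whose module is not under one of the expected product directories."""
    return [h for h in ssdt_hooks(sections)
            if not h["module"].lower().startswith(EXPECTED_HOOK_DIRS)]


def mismatches_outside_temp(sections):
    """Allocation-size mismatches on files that are not in a temp directory.

    Triage heuristic, not proof of anything: scratch files a running program is
    still writing commonly show a mismatch, so temp locations are skipped.
    """
    return [rec["Path"] for rec in sections.get("Hidden/Locked Files", [])
            if MISMATCH_RE.search(rec.get("Status", ""))
            and not any(t in rec["Path"].lower() for t in TEMP_MARKERS)]
```

On the real log, unexpected_hooks() would come back empty and mismatches_outside_temp() likewise, which matches the helper's reaction: nothing in this report by itself, so the next step was a different tool rather than a fix.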

#8 extremeboy (Malware Response Team, 12,975 posts)

Posted 15 March 2010 - 08:26 PM

Hello.

Something appears to be missing; I suspect something here.

Please do the following...

Download and Run MBR Rootkit Scan
  • Please download MBR Rootkit Detector and save it on your C:\ directory.
  • Go to Start >> C:\mbr.exe -t
  • Select Run when you receive a Security Warning
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe
  • Copy and paste the contents of mbr.log on your next reply.
Let me know if there were any problems

Edited by extremeboy, 15 March 2010 - 08:26 PM.


#9 Chefdon (Topic Starter, Members, 46 posts)

Posted 17 March 2010 - 04:52 AM

I downloaded the MBR and ran it last night around 8pm. I saw the black box pop up and disappear. I left my PC on all night and I still do not have anything that says MBR.log.

I ran a search and this was all that came up. I suspect it was probably what was in the black window.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82E9ACA1]<<
kernel: MBR read successfully
user & kernel MBR OK
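
An added example (mine, not the thread's and not part of GMER's mbr.exe) for reading that output the way the helper did. The "called modules" line lists the drivers in the disk I/O call path, and, as I read the tool's output format, a ">>UNKNOWN [address]<<" entry marks code in that path that mbr.exe could not attribute to any loaded module; that is the item worth escalating even though the MBR sectors themselves compared OK from user and kernel mode. The code parses the posted output, pulls out the chain and any unattributed addresses, and reduces a run to a short list of findings. The posted text is copied as a constructed sample, and the second, clean sample is made up for comparison:

```python
import re

# Constructed copy of the mbr.exe output quoted in this thread.
SAMPLE_MBR_LOG = """
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82E9ACA1]<<
kernel: MBR read successfully
user & kernel MBR OK
""".strip()

# Constructed clean run (not from the thread), for comparison.
SAMPLE_CLEAN_LOG = """
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK
""".strip()

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")


def parse_mbr_log(text):
    """Pull the disk call chain and the MBR comparison result out of mbr.exe output."""
    result = {"modules": [], "unknown": [], "user_read": False,
              "kernel_read": False, "mbr_match": None, "warnings": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            chain = line.split(":", 1)[1]
            # Addresses the tool could not map to a module are wrapped as
            # >>UNKNOWN [addr]<<; collect those, then split the rest on spaces.
            result["unknown"] = [m["addr"] for m in UNKNOWN_RE.finditer(chain)]
            result["modules"] = UNKNOWN_RE.sub("", chain).split()
        elif line == "user: MBR read successfully":
            result["user_read"] = True
        elif line == "kernel: MBR read successfully":
            result["kernel_read"] = True
        elif line == "user & kernel MBR OK":
            result["mbr_match"] = True
        elif "!" in line:
            # Assumption: mbr.exe flags anything it objects to with an
            # exclamation mark; keep those lines verbatim rather than guess wording.
            result["warnings"].append(line)
    return result


def findings(result):
    """Reduce a parsed run to the short list of things worth escalating."""
    out = []
    if not (result["user_read"] and result["kernel_read"]):
        out.append("MBR could not be read from both user and kernel mode")
    if result["mbr_match"] is not True:
        out.append("user-mode and kernel-mode views of the MBR were not reported as matching")
    for addr in result["unknown"]:
        out.append("unattributed code in the disk I/O call chain at " + addr)
    out.extend(result["warnings"])
    return out


if __name__ == "__main__":
    for label, log in (("posted run", SAMPLE_MBR_LOG), ("clean run", SAMPLE_CLEAN_LOG)):
        print(label + ":", findings(parse_mbr_log(log)) or ["nothing to report"])
```

The point of keeping "modules" and "unknown" separate is that the five named modules are the normal XP disk stack (kernel, CLASSPNP, disk, ACPI, HAL); only the unattributed address is new information, and it is what turned this thread into a Malware Removal forum log.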

#10 extremeboy (Malware Response Team, 12,975 posts)

Posted 17 March 2010 - 02:28 PM

Hello.

Yes, that's what I was looking for.

There is probably more that needs to be done. We are going to deal with this in the Malware Removal forum. Please do the following...

1st Step: Preparation Guide Before Starting a Topic: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ <- You can skip the GMER step.
2nd Step: Starting a Topic in the HJT-Malware Removal forum: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Once you have started a new topic there, please post back here with the link to your new topic so I can continue to help you over there and close this topic.

Thanks.

With Regards,
Extremeboy

#11 Chefdon (Topic Starter, Members, 46 posts)

Posted 17 March 2010 - 08:21 PM

http://www.bleepingcomputer.com/forums/t/303242/possible-rootkittrojan/

#12 Orange Blossom (Bleepin Investigator, Moderator, 36,962 posts, Bloomington, IN)

Posted 17 March 2010 - 10:23 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/303242/possible-rootkittrojan/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



