Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

MBAM won't update, questionable processes


  • Please log in to reply
6 replies to this topic

#1 g.o.b.II

g.o.b.II

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:04:12 PM

Posted 02 April 2010 - 03:57 PM

Ok Malwarebytes won't update, I get this 732 error. I checked the work offline and proxy settings on IE, they seem to be fine.

The Malwarebytes domain is inaccessible and when I google for info on malware and click on a result, I end up getting redirected or 404

On start up a bunch of suspect processes run, and if I can't close most of them on time, I would get a pop up saying something like this:
Explorer.EXE
The instruction at "0x7c902128" referenced memory at "0xf3f15c9c". The memory could not be "read"
Click ok to terminate.

and then a bunch of icons which are IE shortcuts leading to porn sites appear.

Some of the processes include 4387.exe, 3504099.exe, peresvc.exe
w.exe ,opear.exe, VTR2.exe etc...

What should I try next?

BC AdBot (Login to Remove)

 


#2 g.o.b.II

g.o.b.II
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:04:12 PM

Posted 05 April 2010 - 09:27 PM

Ok so I used Superantispyware, deleted a bunch of trojans, most processes disappeared and the icons aren't there anymore on startup.

However SAS also detected oreans32.sys, and I looked it up on the internet and I wasn't sure if I should have removed it as well.

And peresvc.exe still appears on startup and then it disappears. And also on startup, I get thsi error message that a .dll file couldn't be specified or something like that.

here's the SAS log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/05/2010 at 09:47 PM

Application Version : 4.29.1004

Core Rules Database Version : 4772
Trace Rules Database Version: 2584

Scan type : Complete Scan
Total Scan Time : 03:12:59

Memory items scanned : 390
Memory threats detected : 4
Registry items scanned : 6002
Registry threats detected : 60
File items scanned : 81708
File threats detected : 46

Trojan.Agent/Gen-FakeAV
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\WINDOWS SERVER\RCRZSA.DLL
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\WINDOWS SERVER\RCRZSA.DLL
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\APPLICATION DATA\WINDOWS SERVER\RCRZSA.DLL
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\APPLICATION DATA\WINDOWS SERVER\RCRZSA.DLL
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\WINDOWS SERVER\RCRZSA.DLL
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\WINDOWS SERVER\RCRZSA.DLL
C:\DOCUMENTS AND SETTINGS\ASDF\LOCAL SETTINGS\APPLICATION DATA\WINDOWS SERVER\RCRZSA.DLL

Adware.Vundo/Variant-MSE
C:\WINDOWS\SYSTEM32\MSYBLKYA.DLL
C:\WINDOWS\SYSTEM32\MSYBLKYA.DLL
[rmosnq] C:\WINDOWS\SYSTEM32\MSYBLKYA.DLL
C:\WINDOWS\SYSTEM32\MSSAPSMR.DLL

Adware.Vundo Variant
HKLM\System\ControlSet001\Services\BtwSvc
C:\WINDOWS\SYSTEM32\BTWSVC.DLL
HKLM\System\ControlSet001\Enum\Root\LEGACY_BtwSvc
HKLM\System\ControlSet002\Services\BtwSvc
HKLM\System\ControlSet002\Enum\Root\LEGACY_BtwSvc
HKLM\System\CurrentControlSet\Services\BtwSvc
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_BtwSvc

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_oreans32
HKLM\System\ControlSet002\Services\oreans32
HKLM\System\ControlSet002\Enum\Root\LEGACY_oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Driver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Adware.Tracking Cookie
C:\Documents and Settings\asdf\Cookies\asdf@atdmt[2].txt
C:\Documents and Settings\asdf\Local Settings\temp\Cookies\asdf@atdmt[2].txt

Rogue.ProtectionSystem
C:\Program Files\Protection System

Trojan.Agent/Gen-RefPron
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BTWSVC\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc#Type
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc#Start
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc\Parameters#ServiceDll
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc\Security
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc\Enum
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\BtwSvc\Enum#NextInstance

Trojan.Agent/Gen-Clicker
C:\DOCUMENTS AND SETTINGS\ASDF\LOCAL SETTINGS\TEMP\ENXRWCMSOA.TMP
C:\DOCUMENTS AND SETTINGS\ASDF\LOCAL SETTINGS\TEMP\XNWASEORCM.TMP
C:\WINDOWS\SYSTEM32\SRV.NET

Trojan.Agent/Gen
C:\DOCUMENTS AND SETTINGS\ASDF\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\019SEQIG\GMVSJKH[1].HTM
C:\WINDOWS\SYSTEM32\1979181.EXE
C:\WINDOWS\SYSTEM32\299206.EXE
C:\WINDOWS\SYSTEM32\5939447.EXE
C:\WINDOWS\SYSTEM32\7134646.EXE
C:\WINDOWS\TEMP\VRT1.TMP
C:\WINDOWS\TEMP\VRT2.TMP
C:\WINDOWS\TEMP\VRT5.TMP
C:\WINDOWS\TEMP\VRT6.TMP
C:\WINDOWS\TEMP\VRT91.TMP
C:\WINDOWS\Prefetch\VRT6.TMP-0C9D5FAF.pf
C:\WINDOWS\Prefetch\VRT91.TMP-1EED609C.pf

Trojan.Dropper/Gen-PHP
C:\DOCUMENTS AND SETTINGS\ASDF\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\KPC1HA6I\TFLLIJWXGU[1].PHP
C:\DOCUMENTS AND SETTINGS\ASDF\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\KPC1HA6I\TJGCDNNAK[1].PHP

Trojan.Agent/Gen-RogueAV
C:\DOCUMENTS AND SETTINGS\ASDF\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\ZPMQUY1T\TJGCDNNAK[1].HTM

Trojan.Agent/Gen-OnlineGames
C:\WINDOWS\SYSTEM32\1583979.EXE
C:\WINDOWS\SYSTEM32\3472864.EXE
C:\WINDOWS\SYSTEM32\3841211.EXE
C:\WINDOWS\SYSTEM32\4937403.EXE
C:\WINDOWS\SYSTEM32\7687014.EXE
C:\WINDOWS\Prefetch\3472864.EXE-359329CB.pf
C:\WINDOWS\Prefetch\3841211.EXE-29BDCA30.pf
C:\WINDOWS\Prefetch\4937403.EXE-07E991BC.pf
C:\WINDOWS\Prefetch\7687014.EXE-225618B5.pf

Trojan.Agent/Gen-Virut[WinLogo]
C:\WINDOWS\SYSTEM32\GROUPPOLICY\USER\SCRIPTS\LOGON\WINLOGO.EXE
C:\WINDOWS\Prefetch\WINLOGO.EXE-184FCAAF.pf

Trojan.Dropper/Sys-NV
C:\WINDOWS\SYSTEM32\KBDSOCK.DLL
C:\WINDOWS\SYSTEM32\MSHLPS.DLL

Trojan.Agent/Gen-WOW
C:\WINDOWS\TEMP\VRT3.TMP
C:\WINDOWS\TEMP\VRT4.TMP
C:\WINDOWS\TEMP\VRT93.TMP
C:\WINDOWS\Prefetch\VRT93.TMP-09BA112A.pf

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:12 PM

Posted 05 April 2010 - 11:34 PM

Hello, OK leave the Oreans for now remove the rest. and reboot.

This one can be real bad..
Trojan.Agent/Gen-Virut

So we need to run Drweb-cureit this can be very long. But we need to confirm.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 g.o.b.II

g.o.b.II
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:04:12 PM

Posted 06 April 2010 - 06:49 PM

yeah I'm just wondering if this is normal but, yeah dr.webcureit detected around 600 infections and scanned around 6000 files already during the express scan. Now it's scanning .sys files in the system32/drivers folder but it's taking like around 1-3 minutes per file. My computer is actually pretty old, but i never thought it could take this long and I'm not even doing the complete scan yet.

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:12 PM

Posted 06 April 2010 - 07:05 PM

Hi , remember this

So we need to run Drweb-cureit this can be very long.

I suspect with the age and probably a good amount of files the scan may go 6 + hours. But let it go.. Turn the monitor off and go to sleep if needed.
The unfortunate sisde is if we confirm Virut we WILL have to reformat. S o an option is if you would rather just format.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 g.o.b.II

g.o.b.II
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:04:12 PM

Posted 06 April 2010 - 07:39 PM

aye plenty of files infected has the win32.virut.56 status. At least it says dr.webcureit cured a bunch of files...

edit: oh man maybe i'm underestimating this virut thing

Edited by g.o.b.II, 06 April 2010 - 07:49 PM.


#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:12 PM

Posted 06 April 2010 - 08:42 PM

Underestimate it not.. Even if you think you've run enough tools to be rid of it . You can never trust this pC at least as far as sending or keeping Financial info and passwords.

Read on...
Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). The Virux and Win32/Virut.17408 variants are an even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damaged caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files.

AVG Overview of W32/VirutVirut is commonly spread via a flash drive (usb, pen, thumb, jump) infection using RUNDLL32.EXE and other malicious files. It is often contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:Since virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Edited by boopme, 06 April 2010 - 08:42 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users