

Serious Malware Issues!


94 replies to this topic

#1 thezonemontana

thezonemontana

  • Banned Spammer
  • 62 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 PM

Posted 08 April 2010 - 05:26 PM

I'm having some serious Malware issues. It all started with some re-direct on google search. Then went to pop-ups with some fake anti-virus stuff. Now there are a ton of security warnings on my screen as well as a black dos screen. I just did an update with Malwarebytes and ran another scan. It's been scanning for over 7 hours and I think it is almost 1/2 way done. So far it has found 5 infected objects. Also, getting a voice saying "Congratulations, you won" through the speakers. Thanks for any help you can give me.



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:35 AM

Posted 08 April 2010 - 05:32 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Let's run some programs to kill the malicious processes and then try ComboFix.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Finally

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#3 thezonemontana

thezonemontana
  • Topic Starter

  • Banned Spammer
  • 62 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 PM

Posted 08 April 2010 - 05:35 PM

Do you want me to do all of this while MalwareBytes is running? Cancel the scan?

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:35 AM

Posted 08 April 2010 - 07:35 PM

No, post the MBAM log when it's run but then move on to the next part.

#5 thezonemontana

thezonemontana
  • Topic Starter

  • Banned Spammer
  • 62 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 PM

Posted 08 April 2010 - 09:38 PM

Okay, I'm back. I'm totally bummed because the scan was over 1/2 way done and then we had a power outage. I've got to start the scan over. With the speed that it was scanning, I'm assuming I won't be able to post the log until tomorrow. Sorry. Spring weather.

#6 thezonemontana

thezonemontana
  • Topic Starter

  • Banned Spammer
  • 62 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 PM

Posted 08 April 2010 - 09:44 PM

Okay, scratch that last post. Now this stupid thing won't even let me run MBAM. Not sure what to do next. Will await your direction. I got a pop-up that says AntiVirus Suite and it runs a fake scan and tries to tell me I'm infected. I could tell it was not real and did not click on it. It's still on my screen. Also getting several pop-ups that look like Windows security warnings and alerts.

#7 thezonemontana

thezonemontana
  • Topic Starter

  • Banned Spammer
  • 62 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 PM

Posted 09 April 2010 - 08:56 AM

Here is the exehelper log....

exeHelper by Raktor
exeHelper by Raktor
exeHelper by Raktor
Build 20100329
Run at 07:53:26 on 04/09/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

"Note: to get any of this to work, I had to go into safe mode with networking and then run MBAM to get rid of 8 things. I will post that log next."

#8 thezonemontana

thezonemontana
  • Topic Starter

  • Banned Spammer
  • 62 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 PM

Posted 09 April 2010 - 09:00 AM

Nevermind. I know I saved the log to my desktop, but I was in safe mode and now I'm back in regular mode and can't find it. If you need it, I'll log back in under safe mode and try to find it.

#9 thezonemontana

thezonemontana
  • Topic Starter

  • Banned Spammer
  • 62 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 PM

Posted 09 April 2010 - 09:01 AM

Here is the RKill log...

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Real Estate on 04/09/2010 at 8:01:12.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\All Users\Application Data\1DMhp7tq.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msfeedssync.exe
C:\Documents and Settings\Real Estate\Desktop\rkill.pif


Rkill completed on 04/09/2010 at 8:01:22.


#10 thezonemontana

thezonemontana
  • Topic Starter

  • Banned Spammer
  • 62 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 PM

Posted 09 April 2010 - 07:29 PM

MBAM log....

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3972

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/9/2010 6:09:45 PM
mbam-log-2010-04-09 (18-09-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 294047
Time elapsed: 8 hour(s), 35 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bhaehplf (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1275\A0373679.exe (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1275\A0373680.exe (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

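As an added example (not from the thread, and not Malwarebytes' own code), a small Python parser for the MBAM 1.45 log format posted above: it cross-checks the summary counts against the detection lines actually listed, and flags any detection that lived under a CurrentVersion\Run key, the autostart location the AntiVirus Suite rogue used to reload at logon. The embedded log is a constructed excerpt of the one above, shortened and with one file entry dropped so the count check has something to report.

```python
import re

# Constructed excerpt of the Malwarebytes 1.45 log posted above (one file entry
# deliberately omitted so that count_mismatches() reports a discrepancy).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.45

Registry Keys Infected: 2
Registry Values Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bhaehplf (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1275\A0373679.exe (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Split an MBAM log into its summary counts and per-category detection lines."""
    counts, items, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := COUNT_RE.match(line):            # summary block, e.g. "Files Infected: 2"
            counts[m["cat"]] = int(m["n"])
        elif m := SECTION_RE.match(line):        # detail block header, e.g. "Files Infected:"
            current = m["cat"]
            items.setdefault(current, [])
        elif current and (m := ITEM_RE.match(line)):  # one detection: path (family) -> action
            items[current].append(m.groupdict())
    return {"counts": counts, "items": items}


def count_mismatches(parsed):
    """Categories whose summary count differs from the number of lines actually listed."""
    return [(cat, n, len(parsed["items"].get(cat, [])))
            for cat, n in parsed["counts"].items()
            if n != len(parsed["items"].get(cat, []))]


def run_key_hits(parsed):
    """Detections under a Run key, i.e. the malware's logon autostart persistence."""
    return [it for cat in parsed["items"] for it in parsed["items"][cat]
            if "\\currentversion\\run\\" in it["path"].lower()]
```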

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:35 AM

Posted 09 April 2010 - 07:32 PM

Did that run of MBAM deal with any of the symptoms?

#12 thezonemontana

thezonemontana
  • Topic Starter

  • Banned Spammer
  • 62 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 PM

Posted 09 April 2010 - 07:35 PM

Well, the pop-ups are gone. I'm trying IE right now. It won't connect even though I can get online via Firefox. That seems to be the only lasting issue. Also, in Outlook, all of my e-mails won't display the photos in them. Not sure if that is connected or not.

#13 thezonemontana

thezonemontana
  • Topic Starter

  • Banned Spammer
  • 62 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 PM

Posted 09 April 2010 - 07:39 PM

I seem to have fixed IE with a setting change. I think I will stick to Firefox from now on. Seems to be safer. Is there anything else I should do to make sure my computer is clean? Also, I was wondering if you could give some advice on cleaning up my computer so it will run faster. It seems to be pretty slow. Maybe I need a better computer, but if I can make this one work for another year or so, that would be great.

#14 thezonemontana

thezonemontana
  • Topic Starter

  • Banned Spammer
  • 62 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:35 PM

Posted 09 April 2010 - 07:41 PM

Photos are back on Outlook as well. Everything seems to be working. Besides my above questions, do you have any suggestions for preventative measures that I should be taking to keep this junk from happening again? As much as I enjoy your company..... the blue screen of death doesn't give me warm and fuzzy feelings.

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:35 AM

Posted 09 April 2010 - 07:48 PM

Yes, I can give you some advice. First, let's run an online scanner to make sure we're clear.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.

If that's good then we'll wrap things up and I'll give you some useful links.



