Malware removal


  • This topic is locked
11 replies to this topic

#1 uncle bill

uncle bill

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:57 AM

Posted 21 May 2010 - 09:35 AM

I have what I believe is a trojan that prevents me from accessing Windows update and selected sites. I have followed your prep guide to the letter. I have also tried Combofix but it gives me a blue screen each time I run it. I have tried safety.live.com and while watching it scan the kernel, 2 issues were detected. After an exhaustive scan which took overnight, it said it fixed 6 of my problems but didn't. I am not yet ready to rebuild but I want to eliminate this compromise which could be using my machine as a bot.

Attached Files

  • Attached File  DDS.txt   16.43KB   8 downloads
  • Attached File  ark.txt   6.73KB   7 downloads



#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:12:57 PM

Posted 22 May 2010 - 11:01 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



====================================


One or more of the identified infections is a Rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 uncle bill

uncle bill
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:57 AM

Posted 23 May 2010 - 05:09 PM

I would like to continue with your help. I have been impatient and have discovered a Java-based trojan. It was identified as Java/CVE-2009-3867. It's listed as a javafx.class exploit. It was in my Java cache, which I removed. I have been using my laptop for internet access. I disconnected my machine from the internet and did a repair from CD. After many tries and index fixes I got everything back. Windows Update did all of its malware scans and the machine is back to SP3 with all of the updates. I have attached new files with the present state, but I'm still paranoid even though all is working very well. All McAfee updates have been working. I will be starting from scratch with a new hard drive and Windows 7 Pro. Until then, I would like to feel better about the machine's condition. Thanks.

Attached Files



#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:12:57 PM

Posted 24 May 2010 - 10:03 AM

Hi,

Nothing suspicious on your logs.

Are you receiving, or did you receive, help at Major Geeks?



Regards,
~Semp



#5 uncle bill

uncle bill
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:57 AM

Posted 24 May 2010 - 01:26 PM

No, you are the only ones I have contacted. I am not a newbie. I was one of the first CISSPs, who helped write the certification exam. I have some skills but usually relied on an excellent staff to deal with rootkits before I retired from AT&T computer security. Help is always welcomed by me. If you are sure about my logs, I will reconnect my machine to the net. I still consult for non-profits, so it keeps me current with technology. I appreciate your quick response but did not get an email notifying me that you responded. I thought I selected the correct options, but maybe not. You guys are doing a great job helping folks with tough stuff. I have been a security professional since 1989, but each day I learn more and more.

#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:12:57 PM

Posted 25 May 2010 - 11:30 AM

Hi,

TDL Rootkit was present on your previous log, but not in the latest.

QUOTE
2010-05-19 18:44:17 141177 ----a-w- E:\MGlogs.zip
2010-05-19 18:43:57 0 d-----w- E:\MGtools
If I'm not mistaken, Major Geeks use the above files, that's why I've asked.

Would you mind posting the contents of C:\Combofix.txt? I think you already ran it.

Can you please tell me something about the following folders?
E:\f45d12a9868769536b93e94601
E:\7aeb3b92c0557abe8d1386
E:\49c05847d3488703f251



====================


I already sent the following files to Virscan before, but let's send them again. The reason is that in some cases these files are related to malware, sometimes related to valid software, or if you installed some games they can also be a part of them. There are also some cases where Combofix deletes them automatically, but not in your case (if you previously ran Combofix).

They are all created last "2010-05-22" so if you didn't install any legitimate software on that date (Which I think you did and it's related to Eidos Plc or some Games), you can safely delete them.

Please go to http://virscan.org/
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    e:\windows\system32\ssprs.dll
    e:\windows\system32\tmpPrst.tgz
    e:\windows\system32\tmpPrst.dll
    e:\windows\system32\lsprst7.dll
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


Regards,
~Semp



#7 uncle bill

uncle bill
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:57 AM

Posted 25 May 2010 - 02:07 PM

As I said, you are the only ones I have asked for help. I tried many things before asking you, including those tools, but was unsuccessful. Combofix gave me a BSOD each time I used it. I didn't install any software other than tools to remove the malware on 2010-05-22. If something was installed on that date that was not a tool, then I was not aware of the installation. Those folders are empty and were all created within seconds of each other on May 19th. The virscan results are attached. e:\windows\system32\lsprst7.dll has 0 bytes and was created May 22, and e:\windows\system32\tmpPrst.dll is the same. They could not be scanned because they were empty. If you need combofix results I can try again now that changes have been made. Maybe it won't kill.

Attached Files
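The triage step in posts #6 and #7 (upload the four system32 files to a multi-engine scanner; two of them turn out to be zero bytes and cannot be scanned) is the kind of check worth scripting before anything is uploaded. The following is an added example, not code from this thread or from BleepingComputer: it hashes each listed path, flags zero-byte and missing files instead of hashing them, and groups the rest by date so a batch that all appeared on one day, like the "2010-05-22" set, stands out. It runs against a constructed temporary directory with placeholder contents, because the real system32 files, their contents and their creation times are not available here; it uses modification time rather than creation time for portability, and it borrows only the file names from the thread.

```python
"""Pre-upload triage of suspicious files: size, date, SHA-256.

Added example, not from the thread. A scanner cannot say anything useful
about a zero-byte file, so those are flagged instead of hashed, and files
are bucketed by modification date so a batch that appeared together stands out.
"""
import datetime
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large binaries never sit in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(paths):
    """Return one record per path with status 'missing', 'empty' or 'hashed'."""
    records = []
    for path in paths:
        record = {"path": path, "status": None, "size": None, "date": None, "sha256": None}
        if not os.path.isfile(path):
            record["status"] = "missing"
        else:
            st = os.stat(path)
            # Modification time is portable; on the Windows box in the thread you would
            # look at creation time instead (the timestamps in the DDS log lines).
            record["date"] = datetime.date.fromtimestamp(st.st_mtime).isoformat()
            record["size"] = st.st_size
            if st.st_size == 0:
                record["status"] = "empty"      # nothing for a scanner to inspect
            else:
                record["status"] = "hashed"
                record["sha256"] = sha256_of_file(path)
        records.append(record)
    return records


def same_day_clusters(records, min_files=2):
    """Group paths by date; files that all appeared on one day deserve a closer look."""
    by_day = defaultdict(list)
    for r in records:
        if r["date"] is not None:
            by_day[r["date"]].append(r["path"])
    return {day: paths for day, paths in by_day.items() if len(paths) >= min_files}


def build_sample():
    """Constructed sample standing in for e:\\windows\\system32: the four names from
    the thread plus one that does not exist. Contents are placeholders, not real files."""
    folder = tempfile.mkdtemp(prefix="triage_sample_")
    stamp = datetime.datetime(2010, 5, 22, 12, 0).timestamp()
    contents = {
        "ssprs.dll": b"abc",                        # placeholder bytes with a well-known SHA-256
        "tmpPrst.tgz": b"\x1f\x8b" + b"\x00" * 30,  # placeholder gzip-like header
        "tmpPrst.dll": b"",                         # zero bytes, as reported in post #7
        "lsprst7.dll": b"",                         # zero bytes, as reported in post #7
    }
    paths = []
    for name, data in contents.items():
        path = os.path.join(folder, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (stamp, stamp))              # pretend they all appeared on 2010-05-22
        paths.append(path)
    paths.append(os.path.join(folder, "not_present.dll"))
    return paths


def report(records):
    """One line per file: path, size, date, then the hash or the reason there is none."""
    lines = []
    for r in records:
        detail = r["sha256"] if r["status"] == "hashed" else r["status"].upper()
        lines.append(f"{r['path']}  size={r['size']}  date={r['date']}  {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = triage(build_sample())
    print(report(recs))
    for day, paths in same_day_clusters(recs).items():
        names = ", ".join(os.path.basename(p) for p in paths)
        print(f"{len(paths)} files share date {day}: {names}")
```

Run it as a script to see the report; on a real box you would pass the actual paths to `triage()` instead of `build_sample()`, and the hashes are what you would paste into the scanner's hash lookup rather than uploading the files blind.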



#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:12:57 PM

Posted 26 May 2010 - 09:48 AM

Hi,

Thanks for the info.

Please delete the copy of Combofix that you have and run a new copy.

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.





~Semp



#9 uncle bill

uncle bill
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:57 AM

Posted 26 May 2010 - 12:04 PM

I will need some time to do this. I believe my failing C drive died. It was part of a dual boot with the E so I will need to get the E drive working by itself. Do you have any suggestions other than an XP repair?

#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:12:57 PM

Posted 28 May 2010 - 10:05 AM

Hi,

Sorry for the late response, I've been so busy with my work outside the forum. I have no better idea in mind except doing an XP repair or reformat.

~Semp



#11 uncle bill

uncle bill
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:57 AM

Posted 28 May 2010 - 12:35 PM

Don't worry about it. We all have another life. There is nothing that can be done when the primary drive of a dual boot goes bad. I am in Windows 7 Professional world now. It is not bad and it really screams! I have 8 gig and a fast processor so the 64 bit system moves. So far my only downside is that I now have a Canoscan 9900F that is a boat anchor. I guess at this point you can close this one out. I really appreciate the time you spent and if I can ever help you at all, give me a shout. I will still monitor this forum.

#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:12:57 PM

Posted 28 May 2010 - 11:04 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.

~Semp
