Nasty infection


This topic is locked. 6 replies to this topic.

#1 Norastus (Members, 4 posts)

Posted 29 May 2010 - 09:22 PM

My wife's computer got infected a few days ago... she claims to have just been looking at real estate websites (I suspect other activity by my 17-year-old daughter). She reported pop-up infection warnings, Viagra ads and some random porn. When I booted the system up (Win 7, IE) the OS booted, but the desktop didn't come up. I rebooted in Safe Mode and got HJT and Security Task Manager logs (attached). After seeing all the "file missing" entries in the HJT log, I was reluctant to proceed without advice. I'm not sure I believe everything I see. For example, there is an lsass.exe process running as "system" in Safe Mode.

Grateful for any insights. Thanks.

Attached Files




#2 snemelk (engineer, Malware Response Team, 1,468 posts, Poland)

Posted 01 June 2010 - 01:12 PM

Hi Norastus, and welcome to Bleeping Computer.

File missing entries in your HijackThis log? HJT hasn't been updated for a long time; it's not compatible with 64-bit systems (not to mention the fact that it's useless against most malware nowadays)...

Please do the following (this can be done in Safe Mode with Networking if Normal Mode cannot load properly; alternatively, you may transfer the tools from another computer)...

Firstly,
Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Secondly,
Download OTL.exe by OldTimer to your Desktop.
  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following:

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 snemelk (engineer, Malware Response Team)

Posted 18 June 2010 - 10:17 AM

Due to the lack of feedback this Topic is closed.

Re-opened at the request of the topic starter...

Edited by snemelk, 01 July 2010 - 02:47 PM.



#4 Norastus (Topic Starter, Members, 4 posts)

Posted 02 July 2010 - 12:06 AM

As requested, I am uploading MBAM and OTL logs. As I had related in the restart PM, Malwarebytes had already been run and, as you can see now runs clean. The original run flagged 4 items (2 flagged as trojans) which were removed.

I am providing two copies of the OTL logs. I originally ran OTL with default settings and realized that my original post was over 30 days old. The first run was done for 30 day old files, the second for 60 days. I'm sending them both because there may be value in comparing the two.

Thanks again for the help.

Attached Files



#5 snemelk (engineer, Malware Response Team)

Posted 02 July 2010 - 05:39 AM

Hi again Norastus!

QUOTE: "As I had related in the restart PM, Malwarebytes had already been run and, as you can see now runs clean."

Well, it was run with the database outdated, so no surprise it didn't find anything...
Anyway, log looks ok - just a few leftovers to remove...

Please do the following:

Firstly,
Please run OTL.exe.
  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    [2010/05/26 22:13:24 | 000,000,000 | ---D | C] -- C:\Users\Kathy\AppData\Local\icglnwhut
    [2010/05/26 22:15:38 | 000,059,648 | ---- | M] () -- C:\Users\Kathy\AppData\Local\syssvc.exe
    :Commands
    [EmptyTemp]
    [EMPTYFLASH]

  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Secondly,
  • Please launch Malwarebytes' Anti-Malware, click the Update tab, and then Check for Updates.
  • Then choose the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Thirdly,
I do not see an antivirus program running on your computer... Without an AV, you have no protection and risk being quickly re-infected... Please install an antivirus program of your choice, run a full system scan with it, and post a log (if possible)... You may want to install one of the antivirus applications I recommend on my site: link
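The OTL fix in the post above targets a browser proxy hijack (IE pointed at 127.0.0.1:5555, so a process on the machine itself sees and can rewrite every page, which fits the ads and pop-ups reported in the first post) plus a dropped executable and folder in the user's AppData\Local. After running such a fix, a practitioner wants to confirm the items are actually gone and that nothing in the profile or the Run keys will re-create them. The PowerShell below is an added example; it is not part of snemelk's instructions or of the OTL or MBAM tools. It assumes an elevated PowerShell prompt on the Windows 7 machine (PowerShell 2.0 is enough). The values 127.0.0.1:5555, syssvc.exe and icglnwhut come from the fix above; the lsass.exe check addresses the doubt raised in the first post (lsass.exe running as SYSTEM, also in Safe Mode, is expected; a copy outside System32, or one whose parent is not wininit.exe, is not).

```powershell
# Added example, not from the thread or from OTL/MBAM. Run from an elevated
# PowerShell prompt after the OTL fix. The items named below (proxy port 5555,
# syssvc.exe, icglnwhut) are the ones from the fix in the post above; the
# remaining checks are general post-cleanup verification.

$findings = @()

# 1. IE proxy hijack. ProxyEnable should be 0 on a home PC; a ProxyServer on
#    127.0.0.1 means a local process is intercepting all browser traffic.
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $ieKey
if ($ie.ProxyEnable -eq 1) {
    $findings += "ProxyEnable is 1, ProxyServer = '$($ie.ProxyServer)'"
    if ($ie.ProxyServer -match '127\.0\.0\.1|localhost') {
        $findings += 'Proxy points at the local machine: a local process is still intercepting web traffic'
    }
}

# 2. Dropped files. Both items sat directly in AppData\Local, which any
#    user-level process can write to. Check every profile, not only the one
#    running this script, and flag any other .exe at that level: legitimate
#    software installs into a subfolder, not the root of Local.
Get-ChildItem 'C:\Users' | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $local = Join-Path $_.FullName 'AppData\Local'
    if (-not (Test-Path $local)) { return }
    foreach ($name in @('syssvc.exe', 'icglnwhut')) {
        $p = Join-Path $local $name
        if (Test-Path $p) { $findings += "Still present: $p" }
    }
    Get-ChildItem $local -Filter '*.exe' -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Executable in profile root: $($_.FullName) (modified $($_.LastWriteTime))"
    }
}

# 3. Persistence. The dropper had to survive reboots; a Run entry that
#    launches something from AppData is the usual way.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }
        if ("$($prop.Value)" -match 'AppData\\Local') {
            $findings += "Run entry '$($prop.Name)' in $k launches from AppData: $($prop.Value)"
        }
    }
}

# 4. lsass.exe. Exactly one instance, image in System32, parent wininit.exe.
#    (-ne on strings is case-insensitive in PowerShell, so WMI's lowercase
#    "system32" still matches.) ExecutablePath is empty when not elevated.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'
$lsass = @(Get-WmiObject Win32_Process -Filter "Name='lsass.exe'")
if ($lsass.Count -ne 1) { $findings += "Expected one lsass.exe, found $($lsass.Count)" }
foreach ($proc in $lsass) {
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($proc.ParentProcessId)"
    if ($proc.ExecutablePath -ne $expected) {
        $findings += "lsass.exe PID $($proc.ProcessId) runs from '$($proc.ExecutablePath)', expected $expected"
    }
    if ((-not $parent) -or ($parent.Name -ne 'wininit.exe')) {
        $findings += "lsass.exe PID $($proc.ProcessId) parent is '$($parent.Name)', expected wininit.exe"
    }
}

# 5. Report.
if ($findings.Count -eq 0) {
    Write-Output 'No leftovers found: proxy off, dropped files gone, Run keys clean, lsass.exe legitimate.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A clean result here does not replace the updated MBAM scan snemelk asks for next; it only confirms that the specific leftovers named in the fix are gone and that the most common re-infection hooks (a Run entry and a local proxy) are not still in place.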


#6 snemelk (engineer, Malware Response Team)

Posted 19 July 2010 - 02:38 PM

Still with us Norastus?


#7 snemelk (engineer, Malware Response Team)

Posted 27 July 2010 - 12:10 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.




