Sysinternals antivirus and other malware trouble


  • This topic is locked
43 replies to this topic

#1 ssthomps

  • Members

Posted 04 December 2010 - 11:44 AM

Hello,

One of my computers has become infected with a virus that does not allow it to start up completely. I know that before it started doing this it was infected with the Sysinternals Antivirus Malware.

Previous Symptoms:

Unable to run programs,
Random shut-downs,
computer freezing,
unable to connect to internet,
very slow boot,
Random pop-ups

Current Symptoms:

No longer able to fully boot computer, It boots to the desktop but no icons or taskbars show

Thanks for any help you can lend me,

Attached are copies of gmer and DDS logs

Attached Files

  • Attached File  DDS.txt   9.85KB   2 downloads
  • Attached File  gmer.log   209.09KB   2 downloads



#2 Casey_boy

    Bleeping physicist

  • Malware Response Team

Posted 11 December 2010 - 05:23 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 etavares

    Bleepin' Remover

  • Malware Response Team

Posted 16 December 2010 - 10:48 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#4 etavares

    Bleepin' Remover

  • Malware Response Team

Posted 21 December 2010 - 06:06 PM

Hello, ssthomps.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.

  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!


Please follow Casey_boy's instructions above and post updated logs. I'll look them over once you reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#5 ssthomps

  • Topic Starter

Posted 21 December 2010 - 06:30 PM

Thanks for reopening the thread.

I've attempted to get the logs that Casey_boy asked for, but a NEW problem with the malware Security Shield has infected the computer and I am unable to open any programs. I tried to perform the fix that is listed in the malware section of the site, but I can never get the program killed so I can run MBAM and finish the fix. I've tried to bypass the alerts and have done everything suggested in the Security Shield thread and have not been able to kill the program long enough to fix the problem. Also, following is a list of the symptoms that I am experiencing.

Unable to run programs,
Random shut-downs,
computer freezing,
unable to connect to internet,
very slow boot,
Random pop-ups

I have instructed the members in my household not to touch the computer until it gets fixed because I'm sure they had something to do with the arrival of the new malware. Hopefully that will help speed up things. Thanks for your help.

#6 etavares

    Bleepin' Remover

  • Malware Response Team

Posted 22 December 2010 - 07:03 PM

Hello, ssthomps.


Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[image]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares

Edited by etavares, 22 December 2010 - 07:04 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#7 ssthomps

  • Topic Starter

Posted 23 December 2010 - 08:42 AM

I have completed the ComboFix run. I am posting this reply from the computer that was infected, and Security Shield and Sysinternals seem to be gone for now. I am also able to connect to the internet and run programs, something I wasn't able to do before.

Symptoms

The computer seems to be running a little slow; the mouse takes multiple clicks before it responds, but I don't know if that is a result of malware or of the mouse that I'm using.

After the ComboFix file popped up, the computer went to a blue screen that stated a problem with the system occurred. It did this 3 or 4 times after I rebooted it before it finally stopped.
After it stopped giving me the blue screen I had to restart the computer about 5 times before it would completely boot up, even when I tried to boot in safe mode it would get stuck like half way.

As I said, I am posting from the computer that was infected and now the boot problem seems to be gone.

Attached Files



#8 etavares

    Bleepin' Remover

  • Malware Response Team

Posted 23 December 2010 - 06:33 PM

Hello, ssthomps.

Ok, that's good news. Well, that you were able to use it a bit after Combofix. Any more blue screens or has it been stable?

There is some bad news... it did find a backdoor rootkit. Looks like the TDL3/TidServ/TDSS rootkit. There is also a Bubnix rootkit infection; we'll take care of that in this step.


Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.
P2P Warning and Request
The log shows that you have been using so-called peer-to-peer or file-sharing programmes (in your case BitTorrent). These programmes allow users to share files with each other, as the name suggests. In today's world cyber crime has come a long way, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. I recommend that you uninstall this program. That is optional, however. If you decide not to uninstall it, please refrain from using it until I let you know your computer is clean.





Step

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into Notepad:

File::
c:\windows\login.exe
c:\documents and settings\Felicia Thompson\Application Data\Microsoft\gb_1206093.bat
c:\documents and settings\All Users\Start Menu\Programs\Startup\Launch Whitesmoke Translator.lnk
c:\documents and settings\All Users\Application Data\WSTB\localeX86.exe
c:\windows\Tasks\VersionCheck.job
DirLook::
c:\windows\system32\3059
Folder::
c:\program files\WhiteSmoke Translator\
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
Driver::
XDva219
ywvfnhecp
Rootkit::
c:\windows\system32\XDva219.sys
c:\windows\system32\drivers\ywvfnhecp.sys
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:58505
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - user.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=

Save this as CFScript.txt, in the same location as ComboFix.exe


[image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.
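As an added illustration of the CFScript format used in the post above (example code written for this page, not from the thread or from ComboFix), the Python below parses a script into its Section:: blocks and lists the changes a reviewer would want to confirm before dragging the file onto ComboFix. What each section does to the machine is read from the post itself, not from ComboFix documentation, so treat those descriptions as assumptions.

```python
import re

# Constructed test input: an excerpt of the CFScript etavares posted in #8, reproduced as posted.
SAMPLE_CFSCRIPT = r"""File::
c:\documents and settings\All Users\Start Menu\Programs\Startup\Launch Whitesmoke Translator.lnk
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
Driver::
XDva219
ywvfnhecp
Rootkit::
c:\windows\system32\XDva219.sys
c:\windows\system32\drivers\ywvfnhecp.sys
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:58505
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")  # a header is a bare word ending in '::'
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}, keeping header order."""
    sections, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        header = SECTION_RE.match(line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None:
            current.append(line)
    return sections


def parse_registry(entries):
    """Turn Registry:: lines into {key: {value_name: dword as int}}."""
    result, values = {}, None
    for line in entries:
        if REG_KEY_RE.match(line):
            values = result.setdefault(REG_KEY_RE.match(line).group(1), {})
        elif values is not None and REG_DWORD_RE.match(line):
            name, hexval = REG_DWORD_RE.match(line).groups()
            values[name] = int(hexval, 16)
    return result


def review_cfscript(text):
    """List the changes a reviewer should confirm before dragging the script onto ComboFix."""
    s = parse_cfscript(text)
    findings = []
    for key, values in parse_registry(s.get("Registry", [])).items():
        if values.get("DisableMonitoring") == 0:  # dword 0 = monitoring switched back on
            findings.append("re-enables Security Center monitoring: " + key.rsplit("\\", 1)[-1])
    for line in s.get("DDS", []):
        if "ProxyServer" in line and "127.0.0.1" in line:
            findings.append("clears a browser proxy pointing at loopback (traffic-hijack indicator)")
    for path in s.get("File", []):
        if "\\startup\\" in path.lower():
            findings.append("removes autorun entry: " + path.rsplit("\\", 1)[-1])
    return findings
```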



#9 ssthomps

  • Topic Starter

Posted 24 December 2010 - 12:26 PM

When trying to apply the CFScript.txt, Combofix is giving me this error message:

"!! ALERT !! It is NOT SAFE to continue!
The contents of the ComboFix package has been compromised.
Please download a fresh copy from:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: You may be infected with a file patching virus (Virut)"

I've read up on it and saw this can be a very unfavorable sign. How should I proceed?

#10 etavares

    Bleepin' Remover

  • Malware Response Team

Posted 25 December 2010 - 10:03 AM

Hello, ssthomps.

It could be bad or just a false positive. Let's scan with Kaspersky.

Please go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Note: Kaspersky online scan may take time to complete, please be patient.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#11 ssthomps

  • Topic Starter

Posted 26 December 2010 - 08:14 PM

Hi, I've tried to run the online scan and it downloaded and updated but gave me this message shortly after.

[ERROR: License has expired]

Is there a way to work around it?

#12 etavares

    Bleepin' Remover

  • Malware Response Team

Posted 27 December 2010 - 09:27 AM

Hello, ssthomps.

I was hoping Kaspersky was back up. I do not want it to delete or quarantine any files. So, please run ESET below, but make sure to UNcheck "remove found threats".

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#13 etavares

    Bleepin' Remover

  • Malware Response Team

Posted 30 December 2010 - 04:34 PM

still with me?


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#14 ssthomps

  • Topic Starter

Posted 31 December 2010 - 01:58 AM

Yeah, I'm still here. Sorry for the delay, my holiday has been crazy. My comp is still stable and I am able to use it as previously posted. No more warnings and no more threat pop-ups. Attached is a copy of the ESET Scan log as per your request.

Attached Files



#15 etavares

    Bleepin' Remover

  • Malware Response Team

Posted 31 December 2010 - 09:06 AM

Hello, ssthomps.

You are still infected by a backdoor rootkit. Since Combofix won't run, we will have to try a few other things. It may take a few approaches before we find one that works.

  • Download TDSSKiller.exe and save it to your desktop.
  • Double-click TDSSKiller.exe to run it.
  • Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
  • Click Start scan and allow it to scan for Malicious objects.
  • If malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
  • If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  • A log will be created on your root (usually C:) drive. The log is like UtilityName.Version_Date_Time_log.txt.
    for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
  • If no reboot is required, click on Report. A log file should appear.
  • Please post the contents of the logfile in your next reply

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.
