Rootkit removal help / assorted malware


This topic is locked. 13 replies to this topic.

#1 shorinsamurai
  • Members
  • 11 posts
  • Gender:Male
  • Location:NorthEast

Posted 12 March 2011 - 11:26 PM

Dell Inspiron Mini, model PP19S.

I did remove some corrupt AVG entries and a few entries from the registry to get it running to this point.

Trend RUBotted keeps reporting HTTPS.malicious.certificate; it can't be removed.


DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/3/2010 1:44:40 PM
System Uptime: 3/12/2011 11:16:00 PM (-1 hours ago)
.
Motherboard: Dell Inc. | | 0P374N
Processor: Intel® Atom™ CPU Z530 @ 1.60GHz | U3E1 | 1596/mhz

Thanks All

I have also been able to run a TCP watcher and the machine calls out to many addresses and fires programs on its own.

EDIT: Posts merged ~BP

Edited by Budapest, 14 March 2011 - 08:27 PM.



#2 B-boy/StyLe/ (Bleepin' Freestyler)
  • Malware Response Team
  • 8,310 posts
  • Gender:Male
  • Location:Bulgaria

Posted 15 March 2011 - 03:14 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows operating system, including the version, edition and whether it is a 32-bit or a 64-bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.


Regards,
Georgi :hello:



#3 shorinsamurai (Topic Starter)

Posted 15 March 2011 - 08:19 PM

This problem is not resolved.
The original Windows disk is not available; I am trying to obtain one.

The machine opens random windows and connects to random IP addresses (I ran an IP monitor and process monitor and watched for a while); one of the connections was in China and one in Stockholm.... When I tracert to them it disconnected once it landed on their site..

I was not sure if I should include the Attach file zipped up, as I thought DDS said to...

Thanks
Ray

Attached File  ark.txt   14.72KB   1 downloads
Attached File  Attach.zip   3.73KB   8 downloads
Attached File  DDS.txt   11.84KB   7 downloads

#4 B-boy/StyLe/

Posted 17 March 2011 - 07:04 AM

Hello shorinsamurai ! Welcome to BleepingComputer Forums! :welcome:

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



IMPORTANT NOTE: One or more of the identified infections is related to the rootkit TDL4. Rootkits, backdoor Trojans, botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords and personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:



STEP 1


Please disable RUBotted as it could interfere with the fix.
So please click the icon in the system tray and then click "Quit RUBotted".
Extra note: :exclame: Sometimes RUBotted can't be disabled/uninstalled correctly, so if that happens please proceed with the steps below.




STEP 2


Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If a malicious object is detected, the default action will be Cure; click on Continue.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • Select Skip for sptd.sys.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



STEP 3



Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Virustotal

When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Documents and Settings\cyndi\Local Settings\temp\INIENL.exe

Note: if VT says these files have already been analysed, make sure you click "Reanalyse file now".

Please post back the results of the scan in your next post.

If Virustotal is busy, try the same at Virscan: http://virscan.org/


Please repeat these steps for the following file as well:

c:\windows\000001_.tmp



Regards,
Georgi



#5 shorinsamurai (Topic Starter)

Posted 17 March 2011 - 05:38 PM

Hi Georgi,

The results are below, from Virustotal... So far very smooth...

Thanks for the help so far, I am waiting on your reply...

Cheers
Ray

File name: INIENL.exe
Submission date: 2011-03-17 22:21:22 (UTC)
Result: no antivirus engine reported a detection (per-engine results table, file hashes and ssdeep omitted)
File size: 531328 bytes
First seen: 2008-09-22 11:32:15
Last seen: 2011-03-17 22:21:22
TrID:
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Sysinternals - www.sysinternals.com
copyright....: Copyright © 2005-2006 Bryce Cogswell and Mark Russinovich
product......: Sysinternals Rootkitrevealer
description..: Rootkit detection utility
original name:
internal name:
file version.: 1.70
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned
PEiD: Armadillo v1.71
(PE structure, section and import tables omitted.)

C:\windows\000001_.tmp

File name: 000001_.tmp
Submission date: 2011-03-17 22:26:07 (UTC)
Result: 0/43 (0.0%)
(Per-engine results table, file hashes and ssdeep omitted; no engine reported a detection.)
File size: 19569 bytes
First seen: 2009-01-30 21:58:47
Last seen: 2011-03-17 22:26:07
TrID: Unknown
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned



#6 shorinsamurai (Topic Starter)

Posted 17 March 2011 - 05:40 PM

Sorry I almost forgot to include this file as well.... The results for Virustotal are above (last quick post)

Again thanks
Ray

Attached File  TDSSKiller.2.4.21.0_17.03.2011_18.06.23_log.txt   49.43KB   1 downloads

#7 B-boy/StyLe/

Posted 18 March 2011 - 07:41 AM

Hi shorinsamurai,



Good work. :thumbup2: Seems TDSSKiller did the job but we still have some work to do.
Please stay with me to the end of the cleaning process.



STEP 1



Backup Your Registry with ERUNT


  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For the version with the installer:
    Use the setup program to install ERUNT on your computer.
  • For the zipped version:
    Unzip all the files into a folder of your choice.
  • Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe.





STEP 2



We need to run an OTL Fix


  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double-click the OTL icon on your desktop.
  • OTL should now start.
  • Copy and paste the following code into the Custom Scans/Fixes textbox.
    :files
    c:\windows\system32\drivers\SBREDrv.sys
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"=-
    :commands
    [Reboot]

  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and paste that report in your next reply.





STEP 3



We need to run an OTL Custom Scan


  • Please reopen OTL on your desktop.
  • OTL should now start.
  • Tick the Scan All Users checkbox at the top.
  • Copy and paste the following code into the Custom Scans/Fixes textbox.
    C:\663f3da7b2b36d51c1dbfe7cf0d387
    C:\05a7b4cfb4693d32f480d7e504d8

  • Push the Run Scan button.
  • Two reports will open; copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized





STEP 4



Run Scan with Malwarebytes


I see you have Malwarebytes' Anti-Malware installed on your computer.
Please start the application by double-clicking its icon.
Once the program has loaded go to the UPDATE tab and check for updates.
When the update is complete, select the Scanner tab
Select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please save it to a convenient location and post the results in your next reply.





STEP 5



Updating tasks


Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader X to your PC's desktop.

* Uninstall Adobe Reader 9.2 via Start => Control Panel > Add/Remove Programs
* Install the new downloaded updated software.


Note: the McAfee Security Scan is pre-checked on the download page. You may wish to uncheck it before downloading.


Note: Adobe Reader X is a large program; if you prefer a smaller program you can get Foxit Reader 4.x instead.

Foxit Reader 4.x offers 5 levels of security. Click Me for more information.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.



How are things now?



Regards,
Georgi



#8 shorinsamurai (Topic Starter)

Posted 18 March 2011 - 05:30 PM

Hi,

The machine seems to be perfect at this time. When I ran OTL the first time the machine never produced a report at all.

I have attached the two from the second run as well as the Malwarebytes quick scan. Adobe Reader is updated to 10.

Registry backup is all set.

Should I perform Microsoft OS updates?

I did monitor the TCP traffic for an hour or so and all the nasty connections are gone...


Again Thank You for your help so far

Attached File  mbam-log-2011-03-18 (18-09-28).txt   900bytes   1 downloads
Attached File  OTL.Txt   91.36KB   5 downloads
Attached File  Extras.Txt   32.77KB   3 downloads

#9 shorinsamurai (Topic Starter)

Posted 18 March 2011 - 06:04 PM

I did notice a directory named _OTL and a log was present so I attached it...

I was not sure if this was the file that you referred to that I never saw.

Other info is above

Attached File  03182011_171610.log   1.4KB   1 downloads

Sorry if this is an error.

#10 B-boy/StyLe/

Posted 19 March 2011 - 06:42 AM

Hi shorinsamurai,



Could you please check if System Restore is turned on?



  • Click Start, right-click My Computer, and then click Properties.
  • In the System Properties dialog box, click the System Restore tab.
  • Make sure the Turn off System Restore or the Turn off System Restore on all drives check box is unchecked.
  • Click Apply and close the windows.



Quote: "Should I perform Microsoft OS updates?"




No! I'll tell you when you can install all MS updates...now please proceed with the steps below. :)



STEP 1:



We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code".
    :OTL
    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:61273
    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:61273
    O15 - HKU\S-1-5-21-2618725451-1222521356-4173565949-1009\..Trusted Domains: microsoft.com ([www.update] https in Trusted sites)
    [2011/03/12 01:20:57 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Cyndi\Application Data\wklnhst.dat
    [2011/03/12 00:38:02 | 000,000,082 | ---- | M] () -- C:\WINDOWS\System32\-1
    [2011/03/06 22:11:38 | 000,018,020 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3742538791
    [2011/03/06 22:04:15 | 000,018,032 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\.))S](VL)0[(+
    [2011/03/12 01:44:07 | 003,684,680 | ---- | C] () -- C:\Documents and Settings\Cyndi\My Documents\family-feud-online-party-setup.exe
    @Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:79CBD5FF
    :files
    C:\663f3da7b2b36d51c1dbfe7cf0d387
    C:\05a7b4cfb4693d32f480d7e504d8
    :Commands
    [reboot]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and paste that report in your next reply.



STEP 2:



I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double-click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]



Regards,
Georgi
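As an added example, not part of this thread or of the OTL tool: a small Python triage script that reads lines in the OTL log format quoted in the fix above and flags the three kinds of indicator that fix removes (an Internet Explorer proxy pointing back at the local machine in any user hive, hidden+system files dropped under Application Data, and alternate data streams). The sample log is constructed from the entries quoted in the fix plus one made-up, non-loopback proxy entry for the S-1-5-21 user hive; the field layout it assumes is the one those quoted lines show.

```python
"""Triage helper for OTL-style log lines (added example, not an OTL feature).

Flags: an IE proxy that points at the local machine in any HKU hive,
hidden+system (-HS-) files under Application Data, and alternate data streams.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the OTL entries quoted in the thread; the
# S-1-5-21 hive's proxy entry is made up to show a non-loopback proxy.
SAMPLE_OTL = r"""
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:61273
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:61273
IE - HKU\S-1-5-21-2618725451-1222521356-4173565949-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-2618725451-1222521356-4173565949-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.corp.example:8080
[2011/03/06 22:11:38 | 000,018,020 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3742538791
[2011/03/06 22:04:15 | 000,018,032 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\.))S](VL)0[(+
[2011/03/12 01:44:07 | 003,684,680 | ---- | C] () -- C:\Documents and Settings\Cyndi\My Documents\family-feud-online-party-setup.exe
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:79CBD5FF
"""

# IE - HKU\<hive>\...\Internet Settings: "ProxyEnable|ProxyServer" = <value>
PROXY_RE = re.compile(
    r'^IE - HKU\\([^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion'
    r'\\Internet Settings: "(ProxyEnable|ProxyServer)" = (.*)$')
# [date time | size | attrs | M|C] () -- path
FILE_RE = re.compile(
    r'^\[[^|]+\| *([\d,]+) *\| *([-A-Z]{4}) *\| *[MC]\] \(\) -- (.+)$')
ADS_RE = re.compile(r'^@Alternate Data Stream - (\d+) bytes -> (.+)$')


@dataclass
class Finding:
    kind: str
    detail: str


def parse_proxy_hosts(value: str) -> List[str]:
    """Return the hosts an IE ProxyServer value points at.

    Accepts 'host:port' or the per-protocol form 'http=host:port;https=...'.
    """
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:                      # strip 'http=' style prefix
            entry = entry.split("=", 1)[1]
        hosts.append(entry.rsplit(":", 1)[0])  # drop the port
    return hosts


def is_loopback(host: str) -> bool:
    """A proxy on the local machine means something local is intercepting traffic."""
    host = host.strip().lower()
    return host == "localhost" or host.startswith("127.")


def analyse(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    proxy: Dict[str, Dict[str, str]] = {}   # hive -> {ProxyEnable, ProxyServer}
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            hive, name, value = m.groups()
            proxy.setdefault(hive, {})[name] = value.strip()
            continue
        m = FILE_RE.match(line)
        if m:
            size, attrs, path = m.groups()
            # Hidden+system files directly under Application Data are the
            # pattern of the dropped files in the thread's OTL fix.
            if "H" in attrs and "S" in attrs and "\\application data\\" in path.lower():
                findings.append(Finding("hidden-system-file", f"{path} ({size} bytes, {attrs})"))
            continue
        m = ADS_RE.match(line)
        if m:
            findings.append(Finding("alternate-data-stream", f"{m.group(2)} ({m.group(1)} bytes)"))
    # Evaluate proxies once both values for a hive have been collected.
    for hive, values in proxy.items():
        if values.get("ProxyEnable") != "1":
            continue
        for host in parse_proxy_hosts(values.get("ProxyServer", "")):
            if is_loopback(host):
                findings.append(Finding("loopback-proxy", f"hive {hive} proxies through {host}"))
                break
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_OTL):
        print(f"{f.kind:22} {f.detail}")
```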



#11 shorinsamurai (Topic Starter)

Posted 19 March 2011 - 08:39 PM

Hello Georgi,

I've got to say I have always been successful at cleaning viruses; you are truly schooling me...

System Restore has been turned off the whole time and I did re-verify it's still off.

Both scan results are attached, and still more Java stuff was found... Uggg

Thanks

Ray

Attached File  eset_found.txt   948bytes   1 downloads
Attached File  03192011_200719.log   22.66KB   2 downloads

#12 shorinsamurai (Topic Starter)

Posted 19 March 2011 - 08:45 PM

Also a side note...

I did this before contacting you...

When I started working with the machine it had Java build 6 of the current version...

Once I got the machine to a point I could use it at all, I updated Java to build 24...

Thanks
Ray

#13 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team

Posted 20 March 2011 - 08:58 AM

Hi shorinsamurai,



I think you didn't understand me properly. I want you to enable System Restore, since there is no more active malware on your computer.



I have some final words for you.


All Clean :thumbsup:


Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean :)


Cleanup


=> To remove all of the tools we used and the files and folders they created, please do the following:


Please reopen Posted Image on your desktop.
In the upper right click CleanUp
Posted Image
This will delete OTL and will clean up after it.


Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

A little hint for you - go ahead and delete the following tools/files => DDS, GMER, tdsskiller, Erunt etc if they still exist after the procedure above.



Clean the java cache


To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.



Uninstall RUBotted


RUBotted works by regularly checking with an online service to identify behavior associated with Bots.

Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer.

It has been reported that RUBotted is very difficult to remove, as there is no separate program uninstall and there are no specific removal instructions available from Trend that I can find.

Further, the program's effectiveness is questionable, so I don't recommend using it.

For more information about how to uninstall RUBotted please check the link below:

http://esupport.trendmicro.com/Pages/I-cannot-install-my-2009-Home-and-Home-Office-program-because-the-RUBo.aspx



Keep your antivirus software updated


  • Make sure that your antivirus is turned on and keep it updated.
  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note:
  • You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.



Visit Microsoft's Windows Update Site Frequently


It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.



Practice Safe Internet


One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:

  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead, when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.



Install an AntiSpyware Program


An effective scanner that you already have is Malwarebytes Anti-Malware.

Another highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period. Note: If you decide to download the Pro version, be sure to disable Windows Defender.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software. Be sure to check for and download any definition updates prior to performing a scan.



Install SpywareBlaster


SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware



Don't use pirated software !!!


Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications.

Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems.

So my advice is - stay away from them!



Create an image of your system


It is always a good idea to do a backup of all important files just in case something happens to it.

Macrium Reflect is a very good choice that enables you to create an image of your system drive which can be restored in case of problems.

The download link is here => http://www.macrium.com/reflectfree.asp

The tutorials can be found here => http://www.macrium.com/tutorial.asp

Be sure to read the tutorial first. :thumbup2:



Follow this list and your potential for being infected again will reduce dramatically.



Safe Surfing ! :wink:



Regards,
Georgi



#14 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin

Posted 26 March 2011 - 06:42 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise

