
Possible malware infection - Cannot run rkill


8 replies to this topic

#1 marco_f

  • Members
  • 5 posts

Posted 13 March 2011 - 07:49 AM

Hello everyone, my name is Marco and, as you will have guessed, I do have a problem with my computer...
I run a Win XP OS and routinely use Firefox as a browser.
I have recently had several messages that led me to think I was attacked by the System Defragmenter malware. I have searched for information and many topics suggest I use rkill to stop the processes and then Malwarebytes' Anti-Malware to remove it.
However, the system will not allow me to download any rkill executable. As I have access to a laptop (Mac OS...) I have downloaded several differently named rkill executables and saved them to a USB drive. And here the funny things start: when I connect the USB drive, the rkill files automatically vanish!
I have then tried to save them on the desktop while running in safe mode, but when I log back in and try to run the exe I get an error message, and when I close the message the file has vanished from the desktop.
I have now tried to run rkill from safe mode. It works but, not surprisingly, it would not detect anything.
I am currently running another full scan with Malwarebytes, started from safe mode. No infections detected up to now.
I'd really appreciate your help here guys... I am not a computer expert though and I might ask stupid questions, please forgive me in advance for that!
Thanks a lot in advance for your help!

M



#2 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Location:Midlands, UK

Posted 13 March 2011 - 09:08 AM

Hi Marco,

When the MBAM scan is complete:

Start Malwarebytes AntiMalware.
Click on the logs tab.
The logs are date stamped ... double click on the last dated log.


It'll open in notepad.

Please copy/paste the report in your next reply.

Thanks



#3 marco_f
  • Topic Starter

  • Members
  • 5 posts

Posted 14 March 2011 - 01:42 PM

Thanks for the reply, Starbuck.
Please see below the log, as requested. I am now posting from the attacked computer and so far no strange behaviour. I had almost all files set to "hidden", though, and I had to reset the properties to actually be able to even see the Office programs from the Start menu.
Cheers

Marco

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5038

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180

13/03/2011 12:49:41
mbam-log-2011-03-13 (12-49-41).txt

Scan type: Full scan (C:\|)
Objects scanned: 843877
Time elapsed: 51 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Simo\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#4 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Location:Midlands, UK

Posted 14 March 2011 - 03:20 PM

Hi Marco,

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5038

You are over 1000 updates out of date.

Please update MBAM and run another scan:
Start MBAM
Click on the Update tab


Click Check for Updates

The latest Database Version is: 6056

If it says that MBAM needs to close to update it... let it close and then restart.

Click Check for Updates again to make sure the database is updated after the program update.

Then click the Scan button.

Don't forget:

  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Let me have the updated MBAM report.

Thanks



#5 marco_f
  • Topic Starter

  • Members
  • 5 posts

Posted 15 March 2011 - 08:45 AM

Hi Starbuck, here is the log of the updated scan. It looks like it picked up something else.
Thanks

Marco

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6058

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

15/03/2011 06:47:25
mbam-log-2011-03-15 (06-47-25).txt

Scan type: Full scan (C:\|)
Objects scanned: 953799
Time elapsed: 1 hour(s), 36 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
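The two MBAM reports in this thread (13 March and 15 March) share one plain-text format, and the points Starbuck raises about them are mechanical: is the database stale, do the summary counts match the items actually listed, and which hits are user-lockout policy values rather than files. The parser below is an added example written for this page; it is not code from the thread or from Malwarebytes. Its two sample logs are constructed, abbreviated copies of the ones Marco posted, and LATEST_DATABASE takes the value 6056 that Starbuck quotes as current.

```python
"""Parser for Malwarebytes' Anti-Malware 1.x text logs (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Policy values that were flagged on this machine; a hit on one of these
# is a tampering indicator even when no malicious file is listed.
HIJACK_POLICY_VALUES = {"DisableTaskMgr", "NoChangingWallPaper"}
LATEST_DATABASE = 6056  # database version Starbuck quotes as current

_VERSION = re.compile(r"^Malwarebytes' Anti-Malware (\S+)$")
_DATABASE = re.compile(r"^Database version: (\d+)$")
_COUNT = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # summary line
_SECTION = re.compile(r"^([A-Za-z ]+ Infected):$")       # section header
# "<target> (<signature>) -> <details> -> <final action>"
_ITEM = re.compile(r"^(.*?) \(([^()]+)\) -> (.*)$")


@dataclass
class Detection:
    category: str   # section the item was listed under
    target: str     # registry value path or file path
    signature: str  # MBAM signature name, e.g. Hijack.TaskManager
    action: str     # final action MBAM reports for the item


@dataclass
class MbamReport:
    version: str = ""
    database: int = 0
    safe_mode: bool = False
    counts: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

    def database_lag(self, latest: int) -> int:
        """How many database releases behind `latest` this scan ran with."""
        return latest - self.database

    def counts_consistent(self) -> bool:
        """Summary counts must equal the items actually listed per section."""
        listed = Counter(d.category for d in self.detections)
        return all(listed[cat] == n for cat, n in self.counts.items())

    def hijack_policies(self) -> list:
        """Detections whose value name is a known user-lockout policy."""
        return [d for d in self.detections
                if d.target.rsplit("\\", 1)[-1] in HIJACK_POLICY_VALUES]


def parse_mbam_log(text: str) -> MbamReport:
    report, section = MbamReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _VERSION.match(line)
        if m:
            report.version = m.group(1)
            continue
        m = _DATABASE.match(line)
        if m:
            report.database = int(m.group(1))
            continue
        if line.startswith("Windows ") and "(Safe Mode)" in line:
            report.safe_mode = True
            continue
        m = _COUNT.match(line)
        if m:
            report.counts[m.group(1)] = int(m.group(2))
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = _ITEM.match(line)
        if m:
            target, signature, details = m.groups()
            action = details.rsplit(" -> ", 1)[-1]
            report.detections.append(Detection(section, target, signature, action))
    return report


def summarize(text: str, latest: int = LATEST_DATABASE) -> dict:
    """The checks a helper would make on a posted log, as one dict."""
    r = parse_mbam_log(text)
    return {
        "version": r.version,
        "database_lag": r.database_lag(latest),
        "safe_mode": r.safe_mode,
        "consistent": r.counts_consistent(),
        "hijack_policies": [d.target.rsplit("\\", 1)[-1] for d in r.hijack_policies()],
        "signatures": [d.signature for d in r.detections],
    }


# Constructed samples, abbreviated from the two logs posted in the thread.
LOG_13_MARCH = r"""
Malwarebytes' Anti-Malware 1.46
Database version: 5038
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Scan type: Full scan (C:\|)
Memory Processes Infected: 0
Registry Data Items Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Simo\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""
LOG_15_MARCH = r"""
Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6058
Windows 5.1.2600 Service Pack 2
Registry Data Items Infected: 1
Files Infected: 0
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

if __name__ == "__main__":
    for name, log in (("13 March", LOG_13_MARCH), ("15 March", LOG_15_MARCH)):
        print(name, summarize(log))
```

Run against the 13 March sample, `summarize` reports a database lag of 1018 (matching Starbuck's "over 1000 updates out of date"), a safe-mode scan, and DisableTaskMgr as a lockout policy; the 15 March sample reports a negative lag (the update had already landed) and NoChangingWallPaper. The `counts_consistent` check is the one to watch on real logs: a summary count with no matching listed item means the log was truncated in the paste.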

#6 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Location:Midlands, UK

Posted 15 March 2011 - 11:30 AM

Hi Marco

System Defragmenter also adds a lot of temp files; let's make sure they have been removed:

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

I had almost all files set to "hidden" though and I had to reset the properties to actually be able to even see office programs from the Start menu.

Is everything back to normal now?
If not......

Download RogueKiller and save it to your desktop.
  • Close all running processes
  • Double click RogueKiller icon to run the program
    Vista/Win7 users should right click the icon and select Run as Administrator.
  • When prompted, type 1 (SCAN) and then press Enter
  • A report will open, please copy and paste this report in your next reply.
A copy of the RKreport.txt can be found on your desktop.

Edited by Starbuck, 15 March 2011 - 12:01 PM.



#7 marco_f
  • Topic Starter

  • Members
  • 5 posts

Posted 16 March 2011 - 03:01 AM

Hi Starbuck,
I have run TFC, as suggested. I was prompted to restart, which I did.
Everything looks alright now, as far as I can tell, and the desktop and all the programs in the Start menu are visible as normal, so I haven't run RogueKiller.
Thanks a lot for your help. Do you think I should be clean now?

Marco

#8 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Location:Midlands, UK

Posted 16 March 2011 - 07:16 AM

Hi Marco,

Everything looks alright now, as far as I can tell and the desktop and all the programs in the start menu are visible as normal so I haven't run RogueKiller.

That's fine.
RogueKiller has just had an added option to sort out this hiding of files/programs.
But as everything seems fine it doesn't need running.
As you have removed malware, I'd suggest completing these steps.

Step 1
Restart MBAM.
Click on the Quarantine tab
Make sure everything is selected and then click Delete All.
Close MBAM.


Step 2
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Select the drive for cleaning then click OK (usually 'C' drive)
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Give the system a day or two and if any problems occur come back and let us know.

Safe surfing.



#9 marco_f
  • Topic Starter

  • Members
  • 5 posts

Posted 16 March 2011 - 07:59 AM

Ok Starbuck, many thanks again for your help, that was really appreciated!
Have a nice day,

M

:busy:



