
multiple infections cannot run combofix hijack this nothing


This topic is locked
7 replies to this topic

#1 miwitte


Posted 26 June 2011 - 12:57 PM

A friend's computer is severely infected. He had the XP Antivirus 2012 on it and I was able to remove that with Malwarebytes. I wanted to run HijackThis to see if he has anything else, and it says I do not have admin privileges. I tried running ComboFix, Sophos Anti-Rootkit and for that matter any exe; it comes back and says "program too big to fit memory". The browser does a redirect to random websites if I try and go to BleepingComputer, but if I go to a banking site it works fine. Malwarebytes and AVG come back clean but I cannot run anything with an exe as I get the memory error.

This is a good one...


#2 Clairvoyant

  • Malware Response Team

Posted 26 June 2011 - 02:38 PM

Hi miwitte,

Please disable any anti-malware software (you can refer to this page if you aren't sure how to do it) and any CD emulation software (you can refer to this page, point 6) you have installed.

Now download RKill by Grinler from one of the 4 links below and save it to your desktop:

Link 1
Link 2
Link 3
Link 4


  • Double-click on Rkill on your desktop to run it.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let us know in your next reply.
Then, if you can, scan your PC with ESET Online Scanner, following these steps:

  • Hold down Control and click on the above link to open ESET Online Scanner in a new window
  • Click the Posted Image button
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer and Save it to your desktop
    • Double click on the Posted Image icon on your desktop
  • Check Posted Image
  • Click Posted Image
  • Accept any security warnings from your browser
  • Under scan settings, check Posted Image and Uncheck Remove found threats
  • Click Advanced settings and select:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will download updates and install itself, then begin the scan. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Click Posted Image, and save the file to your desktop using a unique name, such as ESETScan
  • Click Posted Image
  • Click Posted Image
Next, scan the PC with GMER following point 8 of this guide.

Finally, remember to re-enable the protections that you have disabled and include the contents of the reports in your reply.


Edited by Clairvoyant, 26 June 2011 - 02:41 PM.


#3 miwitte


Posted 26 June 2011 - 05:31 PM

The problem I am having is that anything that is an exe will pop up the cmd prompt then close. If you look fast enough the error is "program too big to fit in memory". I get this with ComboFix, GMER, any of these that are an exe. Anything with a .scr or .com extension says it's not a valid Windows application. I tried to install the HijackThis msi and it says I don't have sufficient permission. Pretty locked down.

I was able to get Malwarebytes to run before I posted this and it seemed to clean out the XP 2012 pop-ups that start. I then tried SUPERAntiSpyware and connected to the internet for an update. During the scan it appears that it got re-infected with the XP 2012 again.

Bottom line is I cannot run a .exe, .scr, .com or a .msi on this device. Luckily Malwarebytes and SUPERAntiSpyware are installed; I fear that I would not be able to run the .msi pkg. Also if I try and go to any antimalware site I get redirected to some random site.

This also happens in safe mode or regular mode.

#4 miwitte


Posted 26 June 2011 - 06:07 PM

I was able to run Malwarebytes again in safe mode. Even after a reboot into safe mode or regular mode I still cannot run a .exe, a .msi or a .scr extension to check for any more infections.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6949

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/26/2011 6:52:33 PM
mbam-log-2011-06-26 (18-52-33).txt

Scan type: Full scan (C:\|)
Objects scanned: 271541
Time elapsed: 1 hour(s), 8 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\gsv.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\gsv.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\gsv.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
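As an added example (not code from this thread or from Malwarebytes), the following Python parses the "Registry Data Items Infected" section of a log in the format posted above, pulls out the program that a hijacked StartMenuInternet command actually launches, flags it when it lives in a user-writable profile or temp directory, and flags Security Center notification values that were set to 1. The sample log is constructed from two of the lines posted above; the USER_WRITABLE markers are an assumed heuristic, not a Malwarebytes rule.

```python
import re

# Constructed sample in the Malwarebytes 1.51 log format posted above; the two
# detection lines are copied from the post, the rest of the log is omitted.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\gsv.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# One registry data item line: key (detection) -> Bad: (x) Good: (y) -> action
ITEM_RE = re.compile(
    r"^(?P<key>HKEY_.+?) \((?P<detection>[A-Za-z.]+)\) -> "
    r"Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.*)$"
)
# First quoted or bare *.exe token in a command value: the program actually run.
EXE_RE = re.compile(r'"?([^"\s]+(?:\s[^"\s]+)*?\.exe)"?', re.IGNORECASE)
# Assumed heuristic: per-user writable XP locations where a browser launcher should never live.
USER_WRITABLE = ("\\local settings\\application data\\", "\\application data\\", "\\temp\\")


def parse_mbam_registry_items(text):
    """Return one dict (key, detection, bad, good, action) per registry data item."""
    return [m.groupdict() for m in (ITEM_RE.match(l.strip()) for l in text.splitlines()) if m]


def launcher_of(command):
    """Executable that a StartMenuInternet shell\\open\\command value starts."""
    m = EXE_RE.search(command)
    return m.group(1) if m else None


def suspicious_launcher(path):
    """True when the launcher sits in a user-writable profile or temp directory."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage(text):
    """Map each finding to a short risk note a helper would want to see."""
    notes = []
    for item in parse_mbam_registry_items(text):
        if item["detection"] == "Hijack.StartMenuInternet":
            exe = launcher_of(item["bad"])
            tag = "suspicious" if exe and suspicious_launcher(exe) else "review"
            notes.append(f"{tag}: browser launch proxied through {exe}")
        elif item["detection"] == "PUM.Disabled.SecurityCenter" and item["bad"] == "1":
            name = item["key"].rsplit("\\", 1)[-1]
            notes.append(f"notify-suppressed: Security Center {name} was set to 1")
    return notes
```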

#5 miwitte


Posted 27 June 2011 - 04:22 PM

So when I tried to run ESET, it appears to have gotten reinfected again; it had all the popups and I couldn't even work with it. Rebooting into safe mode and running Malwarebytes seems to fix this issue, but evidently there is something else going on. I even tried the Avira rescue CD. GMER won't run either; I get the stupid memory error.

The biggest problem I have now is that I cannot even run any type of msi (I get an XP software restriction; I can't figure out how to allow msi to run in local security policy, there appears to be no policy applied). Anything with .exe will open quick and show the error "program too big to fit in memory"; a .com or .scr file will say "not a valid win32 program". Any of the common tools will not install and run, and if I connect to the internet it gets reinfected. I have the computer hanging off a DMZ on my ASA firewall so the rest of my crap is safe. I fear it may be time for a re-install; thankfully it's not mine.

So I cannot run HijackThis, DDS, TDSSKiller etc. to figure out what's going on. Really in a pickle here; they have really messed with the registry, I am afraid.

#6 Clairvoyant

  • Malware Response Team

Posted 27 June 2011 - 05:16 PM

Hi miwitte,

Please read this, then open a new topic here including the link to this topic and a description of your computer issues and what you have done to resolve them.
Explain that you have tried to follow the Preparation Guide but you are unable to create the required logs, and describe what happens when you try to create them.

Once you have created the new topic, please reply back here with a link to it.



#7 miwitte


Posted 27 June 2011 - 07:40 PM

Started new thread as per request.

http://www.bleepingcomputer.com/forums/topic406443.html

#8 Elise

  • Malware Study Hall Admin

Posted 29 June 2011 - 01:34 AM

Hello,

Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Response Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to a week, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

regards, Elise
