
.exe files terminated, no net access


  • This topic is locked
103 replies to this topic

#1 yogi942

Posted 12 August 2011 - 10:51 PM

My desktop computer came down with its own version of the bird flu yesterday. First symptoms were an inability to reach most web sites - later all web access was 'Not Found'. Attempts to run Superantispyware, SpyDoctor, SpyBot, Wintasks, malwarebytes and a few other .exe files all resulted in almost immediate termination with no error message (returned to desktop). 2nd attempts to run files result in error message: 'Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.' I have repeatedly run rkill.com. Of the dozen or so times run, only once did it include a file in its log - windows/system32/grpconv.exe - as having killed it.

I do remember some Flash update that I clicked (I never do that) just before the problem started. However, I followed the conversation on BC regarding a new beast of malware that comes via a flash update and I could not find any of the files that were listed there.

The computer is an XP Media Center Edition with SP3. I am locally netted to my laptop and able to share files through the briefcases. I found a topic from McClainJa dated 31 July 11 which was responded to by Broni on 1 Aug that appears similar to my problem, but then so did so many others over the last 2 days. At any rate, I followed Broni's instructions and have txt files from SecurityCheck, Minitoolbox and GMER if those would be a starting point.

I do not really know what I am doing but being a retired engineer (hardware-not software), I follow directions well and I am great at copying what others have done. I am looking forward to actually having some leadership in chasing this monster. Thank you.

Yogi

Edited by yogi942, 12 August 2011 - 10:56 PM.



#2 Orange Blossom

Posted 13 August 2011 - 12:56 AM

Hello,

Please follow the instructions in This Guide starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom

#3 yogi942

Posted 13 August 2011 - 04:47 PM

Thanks Orange Blossom,

I was able to run the files you specified and will attach them here. I had no problems with the defogger or the DDS. I had run the GMER utility last night before I started this string. It would run to a point and then close with no results. I ran it 5 times trying to catch it just before it failed to capture results as close to that point as possible. I decided to go ahead and rerun it today to verify the same behavior in light of the recent DDS reports. The first time it crashed the machine to Restart at a very early stage. The 2nd time it ran about as far as last night but then froze. I waited to see if it would close like before but it did not. It did generate a Microsoft error asking to send a report, which of course I did not do since I cannot access the internet on that machine.

I am attaching the 3 files that were requested. I zipped the attach file with 7Z but could not upload it. It is not that large so I just brought it up. Thanks for such a quick response.

Yogi


#4 yogi942

Posted 15 August 2011 - 10:32 AM

Poking around, I now know how the files are modified, which I am sure is no news to you folks: the malware takes ownership of the file with an unauthorized user called 'Everyone'. I was able to retake ownership and delete the multiple copies of GMER that I generated while trying to get the best log I could. I also reclaimed 'HijackThis' (named 'Explorer.scr'). It still behaves the same - shutting down as soon as it is detected running. However, I wandered around on the main menu and was able to run the 'Startup List Generator'. I thought that I would upload that to this string as it may give added info from which to jumpstart this creeping menace. Thanks.

Yogi

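As an added example (not code from this thread or from any of the tools it mentions), here is a PowerShell script that audits executables for the tampering pattern yogi942 describes above: owner switched to 'Everyone' (S-1-1-0), or Deny entries that produce the "Windows cannot access the specified device, path, or file" error. The default folder, the Administrators SID and an elevated session for -Repair are assumptions.

```powershell
# Added example: audit (and optionally repair) executables whose owner has been
# changed to 'Everyone' or that carry Deny ACEs. Assumes an elevated
# Administrators session when -Repair is used (owner changes need that).
param(
    [string[]]$Paths = @("$env:USERPROFILE\Desktop"),   # assumption: tools are on the desktop
    [switch]$Repair
)

$EveryoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$AdminsSid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

function Get-TamperedExecutable {
    # Returns an object describing the findings for one file, or nothing if clean.
    param([string]$Path)
    $acl      = Get-Acl -Path $Path
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    $findings = @()
    if ($ownerSid.Value -eq $EveryoneSid.Value) {
        $findings += 'owner is Everyone (S-1-1-0)'
    }
    # Deny ACEs (typically for Everyone or Users) block execution even when the
    # user is an administrator; collect them so -Repair can strip them.
    $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    foreach ($ace in $denies) {
        $findings += ('Deny ACE for {0}: {1}' -f $ace.IdentityReference, $ace.FileSystemRights)
    }
    if ($findings.Count -gt 0) {
        New-Object PSObject -Property @{
            Path = $Path; Findings = $findings; Acl = $acl; Denies = $denies
        }
    }
}

function Repair-Executable {
    # Removes the Deny ACEs and hands ownership back to Administrators.
    param($Finding)
    $acl = $Finding.Acl
    foreach ($ace in $Finding.Denies) { [void]$acl.RemoveAccessRule($ace) }
    $acl.SetOwner($AdminsSid)
    Set-Acl -Path $Finding.Path -AclObject $acl
}

foreach ($dir in $Paths) {
    Get-ChildItem -Path $dir -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-TamperedExecutable -Path $_.FullName } |
        ForEach-Object {
            Write-Host ('{0}: {1}' -f $_.Path, ($_.Findings -join '; '))
            if ($Repair) {
                Repair-Executable -Finding $_
                Write-Host '  -> ownership and Deny entries restored'
            }
        }
}
```

Run it without -Repair first to see which files the script would touch; a tool that keeps losing ownership after repair points to a still-running process, which is what the thread goes on to chase with ComboFix.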

#5 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,699 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:36 AM

Posted 17 August 2011 - 10:55 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/414172 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#6 yogi942

yogi942
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:36 PM

Posted 18 August 2011 - 09:30 AM

Glad to hear from Helpbot. I was intending to send updated info today anyway. Since my last post, I decided to go ahead and reorganize and back up my data files and photos. I also went and cleaned out several anti spyware and registry tools that I had accumulated. I also deleted all of the Java versions (I had a couple of old ones as well as 6.26). I figured I could reload the 'latest' after I get this thing cleaned up. Cleaned out cookies and Temp and Temporary Internet folders for all the various users (Administrator, Owner, All Users and Remote). I also deleted a lot of unnecessary apps from the various startup folders. I noted that in the DDS report, there are entries for both MaxSDTray and Superantispyware both of which I can no longer find any sign of in the machine as I deleted all their files. They are not in the Add/Delete list nor in the Programs folder??

I have gotten a few messages from Malwarebytes that it has blocked access to potentially malicious websites. The one that just popped up was for website 193.105.135.219, Type: Outgoing. I still cannot successfully run a scan with Malwarebytes or any of the other tools that I have now just deleted. I have repeatedly run Rkill as stated earlier but I get no logs and there is no difference in the running of tools. They still just close and "Everyone" takes ownership. HiJack this will do the same but I was able to run the tool provided that generates the list of Startup files - I am including the latest version of that as well as the DDS and GMER logs. Gmer is not running the same as before (since I 'cleaned up'). In both Normal and Safe Modes, it now is crashing the system to Restart after only 15 seconds or so of scan. I am attaching that log as it does have 2 entries. The previous logs sent earlier may have more info. Thank You for all your help. Yogi

I do have the Operating system disc, "Microsoft windows XP Media Center Edition 2005" that came with the machine. I am still able to transfer files via the briefcase from that machine to the laptop that I am using.


#7 yogi942

yogi942
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:36 PM

Posted 18 August 2011 - 10:24 AM

Sorry about that! I forgot that I had re-enabled the Windows Firewall. After disabling it, I was able to run GMER similar to the way it ran the other day. It did close much earlier than before, but I assume that that is due to the cleanup I did. On the second try, I got it very close to the termination. There is quite a bit more data there now. It would be nice to be able to let it run to conclusion. I guess that is down the road a bit. Thanks, Yogi


#8 yogi942

yogi942
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:36 PM

Posted 18 August 2011 - 01:30 PM

I keep updating my info/status here. I was able to run a tool that was first recommended, MiniToolBox. I noticed in its log that pings to google and yahoo were successful. Therefore I tried to go on line with Firefox and Behold!, it worked. Not sure at what point it started to work with all the 'cleaning that I did' and all the runs of Rkill. However, for now I think I will continue to work via the laptop as I do not know what malicious spyware is still in there. I did try running hijack this and GMER again and they both terminate with the ownership changed to 'everyone'. Just keeping you posted while I wait. Thanks, Yogi

#9 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:36 AM

Posted 18 August 2011 - 02:44 PM

Hi,

First of all, please try not to take any other action than what is instructed here.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#10 yogi942

yogi942
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:36 PM

Posted 18 August 2011 - 04:03 PM

First of all, thank you for your quick response today. I was able to get Combofix to my desktop with no problem. Turned off windows firewall (light is still green, which some researching says means that there may be another firewall; I cannot find one). I also disabled malwarebytes (which has been giving me strange reports today). I am telling you all this because when I went to run combofix, it almost immediately shut down and the file ownership has been kidnapped. Before it shut down it was running files that were extracting data. Neither of the screens in the instructions ever came up. I can try running it in safe mode but I have had the same thing happen to all the other tools I've tried in safe mode as well as in normal mode. I think we need to find out where this 'Everybody' creature is hanging out and stealing file ownerships. If we find him maybe we can send in SEAL Team Six and wipe him out!

I'll wait to see what tricks you have up your sleeve. Thanks, Yogi

#11 yogi942

yogi942
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:36 PM

Posted 18 August 2011 - 04:30 PM

I went ahead and ran combofix in safe mode and it did run much longer, I watched a bunch of deletes go by and then some extracts and did catch a couple of 'output' lines go flying by before it crashed. I did try a second time and this time I got an error message: error opening file for writing: C:\32788R22FWJFW\NirCmd.cfxxe. I chose the ignore button. It failed again and terminated with the bar across the top a little over half way. Is there a way to manually halt the program and get a partial log? Yogi

#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:36 AM

Posted 18 August 2011 - 11:53 PM

Hi,

Please post fresh dds logs. Also, please see if you can find ComboFix.txt file in c:\qoobox or c:\combofix folder.


#13 yogi942

yogi942
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:36 PM

Posted 19 August 2011 - 09:28 AM

Wow! You guys keep some late hours. Thank you for thinking of me so far into the night.

I went and searched manually for the combofix.txt file and did not find it so I ran a search. After 10 minutes of letting it run, I noticed that it was searching all drives (including my backup drive). I then constrained the search to the C drive and let 'er rip. It started to do the same thing jumping from drive to drive. When I looked into the C drive, I saw something I had never noticed before - an entry with a computer&display icon titled 32788R22FWJFW. When I opened it, it was a replication of the My Computer screen. I am assuming that because that 'folder' is in the C folder, the search routine not only searches everything twice, but may be going into an endless loop. The properties file says it was created yesterday about the same time I ran Combofix. The properties window is for a simple folder, not the multi-tab window you get for the real My Computer icon. Did Combofix generate that folder that it would have deleted if it ran to completion or is it a defense mechanism of the virus??? I just noticed that this 'folder' was part of the directory for the error that was generated the 2nd time I ran Combofix. Should I delete that 'folder' before we go running any tools as it could cause the same looping condition that the Search did?

Here are the 2 new DDS files. Thanks again. Yogi

Edited by yogi942, 19 August 2011 - 09:45 AM.


#14 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:36 AM

Posted 19 August 2011 - 11:53 AM

Hi,

Wow! You guys keep some late hours. Thank you for thinking of me so far into the night.

That was posted at 8am my time ;)

Should I delete that 'folder' before we go running any tools as it could cause the same looping condition that the Search did?

Let the 'folder' be there.


If you're using Firefox to download the tools please do following to ensure you'll be prompted for download location:
In Firefox click Tools-menu->Options->Main-tab->select Always ask me where to save files.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Download Combofix. You must rename it before saving it (use testing.com as the name). Save it to your desktop.

--------------------------------------------------------------------

If you're able to boot into safe mode please reboot there and run testing.com & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a dds log so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Edited by Blade81, 19 August 2011 - 11:53 AM.


#15 yogi942

yogi942
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:36 PM

Posted 19 August 2011 - 02:02 PM

I still think even without the late nights, you guys show a lot of dedication to help so many folks out.

Initially, I went the route of the Briefcase from my laptop as I have been doing. I renamed the file before putting it in the briefcase. Upon running it in safe Mode, it ran the same as before and quit with the bar between 50% and 75% across. Ownership of the file was grabbed by 'Everyone'. After reclaiming ownership, I deleted that file and decided to try downloading directly on the infected computer. I thought maybe it puts some hook into the machine during download - I'm not knowledgeable but I have an active imagination.

On running it this time, I did get the disclaimer window that I have not seen since the first time I ran it. It then started immediately running strings of reports identical to before. There were no screens describing backups or restore points as in the guide. I got the same error report I mentioned yesterday on my second run (referring to the 'folder'). I again chose 'ignore' and it started running again. It closed out at the same spot it always has. Once again, ownership was grabbed by 'Everyone'. This was all done in Safe Mode.

While hunting for the possibility of a combofix.txt file, I noticed that there are some individual files in the "C" window. Among those are 5 files that are probably left over from my deleting the MaxSecure\Spyware Detector software earlier in the week. Should I just go ahead and delete them (MaxSecurePattern.DB, MaxSecureSig.DB, MaxSignature.txt, MaxVirus.txt, and SDSignature.txt) or just let them go until later?

I continue to see references to Norton/Symantec files. I have tried many times over the last several years to get all the Symantec stuff off my machine. I cannot even install other systems due to conflicts. Every time I try to delete it all, I get error messages saying it is missing something and then it aborts. I do not know if anything could still actually be running that might be affecting Combofix. The fact that the ownership is grabbed seems to say that it is the malware doing it but I thought I would mention this.

Since I ran testing.com in Safe Mode, I am posting the DDS files from safe mode as well.

Yogi
