Infected - nothing's working so far


This topic is locked. 17 replies to this topic.

#1 skarekroe

Posted 17 August 2011 - 08:54 AM

OK, I got the Security Protection malware on my Windows XP machine. It snuck in via Acrobat.
I tried to run Malwarebytes, but it had the rootkit that wouldn't allow me to do so.

So I restarted in safe mode and tried downloading and running TDSSKiller.exe, first renaming it to x.com as per the instructions here on BleepingComputer. It installed OK, then ran for a few seconds, then crashed with no error message. It just stopped working.
I went to the Kaspersky page and tried downloading and running Kaspersky AVP and got the same result - started scanning for about 10 seconds, then the program just shut down.

I posted my problem in Kaspersky's forum. Here's the system info link they requested in case that's helpful here. http://www.getsysteminfo.com/read.php?file=95b36ea3d25001e21c0676d1bb98caab
Kaspersky also wanted me to get a log from their AVZ program, but like their other programs, it starts to run and then quits without explanation partway through.

I'm posting this here because I figure it can't hurt to have another expert to help me out, and since the Kaspersky people are in Russia there's no telling when they'll respond to my last post.

I'm tempted to go ahead and run combofix, but if that doesn't work I think I'll panic completely. So I'd like to exhaust all other options first.

Thanks in advance,
Alex

#2 boopme

  • Global Moderator

Posted 17 August 2011 - 09:24 PM

ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer.

This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes. From a clean computer, please download the following file and save it to removable media such as a CD/DVD, external drive, or USB flash drive.

FixNCR.reg

Insert the removable device into the infected computer and open the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer.

Now try Malwarebytes.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
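The .exe association hijack described in the post above can be confirmed from a `reg export` of the affected keys, taken before and after the registry fix is applied. The script below is an added example, not code from the thread and not the contents of FixNCR.reg: it parses such an export and flags any `exefile` open command whose default value is not the standard Windows value `"%1" %*`; the key names and clean defaults are the standard Windows ones, and the sample export (with its placeholder rogue path) is constructed.

```python
"""Audit a 'reg export' of the .exe association keys for the hijack above (added example)."""
import re

# Clean default values for the two keys this kind of hijack rewrites.
# '"%1" %*' = run the double-clicked file itself, passing its arguments.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

def parse_reg(text):
    """Parse the REGEDIT5 subset 'reg export' emits for these keys:
    [key] headers plus @="..." and "name"="..." string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"([^"]*)")=(.*)$', line)
        if m is None or current is None:
            continue  # banner, blank, comment or hex continuation line
        name = "@" if m.group(1) == "@" else m.group(2)
        value = m.group(3)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # undo \" and \\ escapes
        keys[current][name] = value
    return keys

def launched_program(command):
    """The program an open command really runs: its first quoted token.
    '%1' means the file the user double-clicked, i.e. a clean value."""
    m = re.match(r'\s*"([^"]*)"', command)
    return m.group(1) if m else command.split()[0]

def find_hijacks(reg_text):
    """(key, expected, actual) for every audited key present in the export
    whose default value is not the clean one; absent keys are skipped."""
    keys = parse_reg(reg_text)
    return [(k, exp, keys[k]["@"]) for k, exp in EXPECTED.items()
            if "@" in keys.get(k, {}) and keys[k]["@"] != exp]

# Constructed sample export: the open command points at a rogue binary (placeholder
# name) and still appends "%1" %* so the requested program runs afterwards.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\Alex\\Local Settings\\Application Data\\rogue-placeholder.exe\" -a \"%1\" %*"
'''

for key, expected, actual in find_hijacks(SAMPLE_EXPORT):
    print(f"HIJACKED {key}\n  runs: {launched_program(actual)}\n  clean: {expected}")
```

Running the same check on an export taken after FixNCR.reg has been imported should return no findings.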

#3 skarekroe

Posted 18 August 2011 - 07:56 AM

It didn't work. Malwarebytes crashed partway through its scan.
The Kaspersky guy got back to me and instructed me to use Combofix - I tried it, and it doesn't work either. Like all other anti-virus programs, it starts its scan and then stops after a few seconds with no errors or explanation.
Whatever is doing this is preventing me from even scanning to find out what the problem is.

#4 boopme

Posted 18 August 2011 - 11:56 AM

Can we do this?

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If GMER won't run, skip it and move on.
Let me know if that went well.

#5 skarekroe

Posted 18 August 2011 - 12:43 PM

Nope.
DDS.scr doesn't work. An hourglass appears like it's about to open the program, but then it doesn't open.

#6 boopme

Posted 18 August 2011 - 12:48 PM

Is there another user account you can log in from and try to scan from there?

We may need to run Avira AntiVir Rescue System

Please download the Avira AntiVir Rescue System.

Place a blank CD in your burner and double-click on the rescue system package (rescuecd.exe) to burn it to a CD/DVD which you can then use to boot your computer and run a scan. For detailed instructions, refer to the Tutorial for Avira Rescue CD. If you encounter problems running Avira AntiVir Rescue System, you can get further assistance at the Avira Tools Support Forum.

#7 skarekroe

Posted 18 August 2011 - 03:21 PM

Here's the log from the Avira Rescue CD that I had to use because all other scanners were getting shut down.
Posted here for boopme, who's been helping me out.

Trying again...

Merged topics. ~ OB

Edited by Orange Blossom, 19 August 2011 - 01:32 PM.
Merged to AII topic for continuity. ~ OB


#8 skarekroe

Posted 18 August 2011 - 03:24 PM

OK, I ran Avira rescue and got the log. [See above] The last step of the Avira instructions is "9) Boot on Windows normally. Run a full system scan with AntiVir to quarantine all the renamed files (.XXX extension).", but since I don't have AntiVir I just uploaded the log and shut the machine down until I get further instructions.

Thanks!

Edited by Orange Blossom, 19 August 2011 - 01:32 PM.
Edited to make sense since log merged here. ~ OB


#9 boopme

Posted 18 August 2011 - 04:03 PM

Can you run MBAM now??

First run RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or, if rebooting is required, run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.


Now, without rebooting, run MBAM. Reboot after that.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

#10 skarekroe

Posted 18 August 2011 - 04:51 PM

OK, done. I got a weird error with rkill - "rkill.bat - Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Also, I had to re-install MBAM because the infection made it so I couldn't open the old one.
Security Protection is no longer mucking up the works, but there is still a shortcut on the desktop. I'm kind of afraid to touch it.

Here's the report - I assume you wanted me to post it here and not in the other thread. Apologies if I'm wrong. Also, if I should have run a full scan let me know.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7502

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

8/18/2011 5:40:14 PM
mbam-log-2011-08-18 (17-40-14).txt

Scan type: Quick scan
Objects scanned: 180121
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Security Protection (Rogue.Spypro) -> Value: Security Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\alex buckellew\local settings\Temp\222.tmp.vir (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\alex buckellew\local settings\Temp\ms0cfg32.exe.vir (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\alex buckellew\local settings\temporary internet files\Content.IE5\SQEJV9NM\ibpauuyf[1].exe.vir (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

#11 boopme

Posted 18 August 2011 - 07:56 PM

Use Inherit.exe to fix inappropriate permissions.
Use this fix when you see a box that states "Windows cannot access the specified device, path, or file. You may have inappropriate permissions to access the item".

Download This File
Save it next to rkill.exe. Once done, drag and drop RKill.exe into Inherit.exe. Click OK and attempt to run it once again.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


NOTE: In some instances if no malware is found there will be no log produced.

Please ask any needed questions, post logs and let us know how the PC is running now.

#12 skarekroe

Posted 19 August 2011 - 07:34 AM

I got a permissions error for inherit.bat, too.

I re-ran Malwarebytes anyway, and here's the log.
I'll now reboot and run the Eset scan.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7506

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/19/2011 8:31:14 AM
mbam-log-2011-08-19 (08-31-14).txt

Scan type: Quick scan
Objects scanned: 181328
Time elapsed: 7 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\alex buckellew\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#13 skarekroe

Posted 19 August 2011 - 09:34 AM

Here's the Eset log.

C:\Documents and Settings\All Users\Application Data\defender.exe.vir a variant of Win32/Kryptik.RQF trojan cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Bredolabfb1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\system32\bccdd.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\system32\bccdd.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\system32\eqctjhdx.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\system32\ihxbbpnd.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\system32\qwqqppxf.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\system32\ybctwfvd.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\system32\ycbbsesp.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\cdrom.sys.vir a variant of Win32/Sirefef.CO trojan cleaned by deleting - quarantined

#14 boopme

Posted 19 August 2011 - 10:01 AM

I think now at this point as we have a reasonable PC we should move to the Malware Forum and see what else is in here.

We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If GMER won't run, skip it and move on.
Let me know if that went well.

#15 skarekroe

Posted 19 August 2011 - 10:36 AM

DDS.scr still doesn't work. Hourglass, then nothing.



