
Infected with Win32.Agent.bb and more. Can't access internet or execute many files.


This topic is locked.
17 replies to this topic

#1 samizdat


Posted 19 August 2011 - 03:02 PM

Hello. I have been referred from this thread: http://www.bleepingcomputer.com/forums/topic414763.html
Screenshots are included in that thread. The only thing I forgot to mention is that, after becoming frustrated with Kaspersky due to the infection and its failure to detect it, I downloaded Outpost Security Suite Pro to see if it could detect and fix it. Also, when running ComboFix, I went to get something for my 3 yr old and he closed out of it... (I think), so I re-ran it. The log is not very detailed. The DDS logs are very detailed.

I have since run Defogger as instructed.

Attached are the logs I was requested to submit.

I can also provide my Norman log if you wish.

As stated in the original thread, my main symptoms now are the inability to connect to the internet and execute many files. While trying to execute most files I get this error:

[Screenshot of the error]

Any help will be greatly appreciated. I will check this post frequently to see if there is any additional information you need from me.

Thanks again in advance for your help.

Attached Files





#2 HelpBot


Posted 24 August 2011 - 03:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/415193 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 samizdat


Posted 25 August 2011 - 07:59 PM

Hello. Yes, I still need help badly. My problems are detailed here: http://www.bleepingcomputer.com/forums/topic414763.html
I have not resolved my issue, nor have I tried to, per the instructions not to until further instructed.

The only thing I have done since the last DDS log is run Defogger as instructed.
Currently, I get this error when trying to execute DDS.scr:
[Screenshot of the error]
This is my main problem (This error message occurs when executing most applications.)

-The logs are very current and there is nothing I have done to change the computer so the logs should be accurate.

-Although I purchased my computer new, it did not come with an OS CD/DVD. (When asked about that I was told that is the new trend in computer sales)

-It is an HP Pavilion P6000 series with Windows 7 x64 Premium.

I am actually pretty good with computers (relative to your average computer user) but this has me stumped. I do not do 'risky' things on the computer so I am not sure how I got infected.

I think there is a critical file missing (like a .dll file)

Any help would be greatly appreciated. I really need it up and running again. Thanks!!


PS - I check this thread about 10 times a day so I will quickly reply to any question and/or instructions.

#4 snemelk


Posted 27 August 2011 - 10:59 AM

Hi samizdat, and welcome to Bleeping Computer.

You do have many advanced tools installed (with sandbox and/or behavioural analysis features), and this may cause some of our tools to malfunction... I recommend that you disable them until the malware removal process is finished; you can of course keep your antivirus and firewall enabled (unless I tell you otherwise)...

Please run this scan:
Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    version.dll /md5

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#5 samizdat


Posted 27 August 2011 - 07:09 PM

Like most .exe files I get this error:
[Screenshot of the error]

I can run some things like notepad, Paint and some other Microsoft files but not this one.

I think I have a missing .dll or something.

#6 snemelk


Posted 28 August 2011 - 08:59 AM

Hi again samizdat!!.. :)

I see... Please follow this article: How to Repair Windows 7 System Files with System File Checker, and run the sfc /scannow command; remember about using an elevated command prompt (right click -> Run as administrator)...

If necessary, reboot... Let me know if that error still appears...


#7 samizdat


Posted 29 August 2011 - 02:59 AM

I was able to create a repair disc and run the sfc /scannow 3 times and each time I got this message:
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.log windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log

The sfcdetails.txt on my desktop was blank and in my Windows log folder I just found these old ones:

[Screenshot of the Windows log folder]

The See and Read Only the "SFC" Scan Results from the CBS.LOG command never worked.

Some things were fixed. I do not get that error anymore in my previous post.

I ran OTL and will attach the two logs.

When running dds, a window flashes and nothing else happens. When I hold my mouse over it my computer calls it a screensaver.

Thanks for your help so far. Things are looking better!

Attached Files


Edited by samizdat, 29 August 2011 - 03:00 AM.


#8 snemelk


Posted 29 August 2011 - 04:17 PM

Hi again samizdat!!.. :)

I'm glad to see that this error does not appear anymore!!..

> When running dds, a window flashes and nothing else happens. When I hold my mouse over it my computer calls it a screensaver.

My guess would be that either it doesn't run because some protection tool on your computer blocks it or because of your system configuration (there may be problems running DDS on some systems - it's rare, but it happens)...

> Some things were fixed. I do not get that error anymore in my previous post.

Good!.. I need to know what problems remain - please describe...

Looking over the Extras.txt logfile, you can see many Event Viewer errors like this one:
Error - 8/29/2011 2:52:48 AM | Computer Name = Home | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable.  Please
 run the chkdsk utility on the volume OS.

I'm not sure if it may indicate a problem with a failing hard drive (maybe backing up all the important data would be a wise idea!), but I'd recommend running a check disk - to do so, please follow this article: How to Run Disk Check in Windows 7 ...
In your previous thread you mentioned this:
> every time I reboot it says I need a scan disk but fails to perform one

I did not see an indication in the OTL logfile that such a disk check is scheduled on boot-up; let's see if it will succeed in running it...

Also, to your next post please attach all previous ComboFix logs, you should find them in this folder: C:\Qoobox\
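The triage snemelk applies above (read the Event Viewer errors OTL copied into Extras.txt, and treat a corrupt volume or failing disk as something to settle before trusting any malware cleanup) as an added Python example; it is not code from the thread or from OTL. The record layout follows the "Error - ... | Computer Name = ... | Source = ... | ID = ..." line quoted above; the sample log (beyond that one record) and the list of storage-related event sources are constructed assumptions.

```python
"""Triage of Event Viewer entries from an OTL Extras.txt log (added example)."""
import re
from collections import Counter

# Constructed sample in the OTL Extras.txt layout. Only the first record is
# the one quoted in the thread; the others are made up to exercise the parser.
SAMPLE_EXTRAS = """\
Error - 8/29/2011 2:52:48 AM | Computer Name = Home | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable.  Please
 run the chkdsk utility on the volume OS.

Error - 8/29/2011 2:53:10 AM | Computer Name = Home | Source = Disk | ID = 262155
Description = The driver detected a controller error on \\Device\\Harddisk0\\DR0.

Error - 8/29/2011 3:01:00 AM | Computer Name = Home | Source = Service Control Manager | ID = 7000
Description = The Avast Antivirus service failed to start.

Error - 8/29/2011 3:02:30 AM | Computer Name = Home | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable.  Please
 run the chkdsk utility on the volume OS.
"""

# One OTL error header per record; the description follows on the next line(s).
HEADER_RE = re.compile(
    r"^Error - (?P<when>.+?) \| Computer Name = (?P<host>.+?) \| "
    r"Source = (?P<source>.+?) \| ID = (?P<id>\d+)$"
)

# Assumed set of event sources that point at the storage stack, not at software.
STORAGE_SOURCES = {"ntfs", "disk", "volsnap", "volmgr", "atapi", "iastor"}


def parse_events(text):
    """Return one dict per OTL error record, folding wrapped description lines."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            events.append({**m.groupdict(), "description": ""})
        elif events and line.startswith("Description = "):
            events[-1]["description"] = line[len("Description = "):].strip()
        elif events and line.startswith(" "):
            # OTL wraps long descriptions onto indented continuation lines.
            events[-1]["description"] += " " + line.strip()
    return events


def triage(text):
    """Count errors per source and decide whether a disk check must come first."""
    events = parse_events(text)
    by_source = Counter(e["source"] for e in events)
    storage = [e for e in events if e["source"].lower() in STORAGE_SOURCES]
    chkdsk_requested = any("chkdsk" in e["description"].lower() for e in storage)
    return {
        "total": len(events),
        "by_source": dict(by_source),
        "storage_errors": len(storage),
        # A corrupt volume makes every later scan result unreliable.
        "run_chkdsk_first": chkdsk_requested or bool(storage),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EXTRAS))
```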


#9 samizdat


Posted 29 August 2011 - 07:07 PM

Every time I reboot it says I need a scan disk but it always fails with unspecified error 766f6c756d6c756

When I try running scan disk from the command prompt I get these errors:
[Screenshot of the first error]
[Screenshot of the second error]
Maybe I am doing it wrong? I have tried many combinations.

Because the virus(es) disabled my AV and firewall I tried installing Avira, which failed during installation ([edit] today it installed correctly); then I tried Avast, and it seemed to install, but at reboot it fails to load, and when clicking on details I get this:

Problem signature:
Problem Event Name: APPCRASH
Application Name: AvastUI.exe
Application Version: 6.0.1203.0
Application Timestamp: 4e11a6b0
Fault Module Name: ntdll.dll
Fault Module Version: 6.1.7601.17514
Fault Module Timestamp: 4ce7ba58
Exception Code: c0000005
Exception Offset: 00038da9
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e7


I installed Sygate Firewall with no problems but have not rebooted since.

Nothing seems to uninstall correctly.

Every time I reboot it is as though my computer has forgotten any changes I have made, like changes with msconfig. It keeps re-associating files that I have changed, i.e. Notepad, .rar files, .zip, .mid, .mp3, etc.
Also, every time I reboot all file extensions get hidden and hidden files and folders are re-hidden.

My IDM says it expires in 3 days yet I just got it 2 or 3 months ago.

I can't think of anything else right now.

I am able to get online now. In fact I am posting this from my computer which I bought new last Black Friday.
I wish there was something that could scan my computer for missing critical files.

I forgot to mention that on 8-9-11 I used RemoveIT (log included) I had heard the false positives had been fixed. Maybe not.
I feel dumb for using that tool as I thought it had a quarantine.

I would hate to have to restore my computer to its original state because I have valuable pro software on it and things important to me that I created.

Attached Files


Edited by samizdat, 29 August 2011 - 07:54 PM.


#10 snemelk


Posted 30 August 2011 - 01:47 PM

Hi again samizdat and thank you for the information!!.. :)

When it comes to the RemoveIT program - as far as I can see, it states it removes the files only in the PRO version, for which you're probably supposed to pay, I guess...

> I would hate to have to restore my computer to its original state because I have valuable pro software on it and things important to me that I created.

I saw you've got many programs installed, but as far as I can remember, you have at least one backup program installed as well, so I guess that you have a good backup of files... If not, I recommend you make a backup of all your important files!!..

The check disk did not run - it gave an error stating the file system is RAW (What is this Raw File System) - that means something got corrupted (something more than just some files)... That is probably the source of most of the problems you mention...

Please stay with me - I've not encountered such an error before, and I need to ask my colleagues about it - they will say if a re-format and re-install is really needed here or there is a chance to repair it...


#11 samizdat


Posted 31 August 2011 - 03:03 AM

Okay. I have a G-Parted disc I made a while back and I think I have an Oscter Back-up Pro somewhere on an external HD. I may have some Windows 7 back-ups too. I think my system restore boot has the option to restore to factory state but I hope to avoid that. I'm looking forward to learning what your colleagues recommend. I wonder what caused all of this.

Thanks again for your help.

#12 snemelk


Posted 31 August 2011 - 04:25 AM

Hi again samizdat!!.. :)

> I think my system restore boot has the option to restore to factory state but I hope to avoid that.

Yes, that usually erases all the data and puts the system back to the default factory settings...

When did it start happening??..
Here, in this article: How to prevent a drive turning to RAW file system, you'll find a few possibilities regarding the "RAW file system" problem... Generally, RAW file systems reflect damaged partition structures/file systems... They say there are reported cases when malware was involved - that's a possibility here, but you would have to think if there were some oddities with your computer prior to getting infected...

The problem is that it may be a hardware problem as well, and it's very hard to try to remove malware (or make sure the malware is gone) until hardware related issues are resolved...
More information regarding the issue:
- CHKDSK: "RAW filesystem" message
- RAW Volume by Quietman

A re-format and re-install is probably the best idea here... They say: You should back up all the data, delete the partition, then recreate it, reformat the partition, and restore data using the backup copy. Source: Data recovery software and RAW file system. You do have access to your data so, thankfully, you do not have to use any file recovery software (unless some data is already unreadable)...

My colleagues highly recommend running some kind of a Hard Drive Diagnostic Test before attempting a format/re-install - if it's a failing hard drive, you'll not waste time trying to re-install an OS on it...

Could you tell me what the manufacturer of your hard drive is??.. Usually, every manufacturer has their own diagnostic tool...
And, to be on the safe side, please check your file backups, and if needed - please back up all your important data...


#13 samizdat


Posted 31 August 2011 - 07:01 AM

I will read through those links, meanwhile, here is the info I got from Belarc Adviser:

Drives

750.05 Gigabytes Usable Hard Drive Capacity
87.02 Gigabytes Hard Drive Free Space

ELBY CLONEDRIVE SCSI CdRom Device [Optical drive]
hp DVD-RAM GH60L SATA CdRom Device [Optical drive]

Generic- Compact Flash USB Device [Hard drive] -- drive 2
Generic- MS/MS-Pro USB Device [Hard drive] -- drive 4
Generic- SD/MMC USB Device [Hard drive] -- drive 1
Generic- SM/xD-Picture USB Device [Hard drive] -- drive 3
ST3750528AS [Hard drive] (750.16 GB) -- drive 0, s/n 6VP54VB2, rev HP35, SMART Status: Healthy


Local Drive Volumes


c: (NTFS on drive 0) * 737.09 GB 86.38 GB free
d: (NTFS on drive 0) 12.96 GB 647 MB free

* Operating System is installed on c:

#14 snemelk


Posted 31 August 2011 - 07:21 AM

That would be this hard drive: Barracuda 7200.12 SATA 3Gb/s 750GB Hard Drive from Seagate...

They have a pretty good diagnostic tool for their drives: SeaTools - you can use either an installable version for Windows or a bootable DOS version...

If you click on "Learn more", a quick guide in PDF will open; there is also a tutorial on the use of the tool available... Perform the hardware diagnostic test, if you need help with running it - ask... :)


#15 samizdat


Posted 01 September 2011 - 12:23 AM

It was a nightmare to install because of all of my problems but I ran every test and it passed all of them, even the longest test:

[Screenshot of the SeaTools long test result]

It passed all of these:


[Screenshot of the passed tests]

Now I have the option to do advanced tests but I get this scary message:

[Screenshot of the advanced tests warning]

Should I proceed?

PS - I will be out of town tomorrow evening until Friday and after Sunday I will only be home on the weekends because of a new job.

Also, I wanted to ask a question. Since I will be gone I had to get a laptop w/ Windows 7. Should I use it under the administrative account? Also, what is the best back-up method and software in case this laptop experiences problems? Or should I ask these questions in another forum?

Thanks again for your help!

Oh, I almost forgot. I was able to run CBS finally. I tried for 30 minutes to divide it up into equal sizes and kept failing, so I created a MediaFire account with the log attached.

http://www.mediafire.com/?2vlwh5k61inmdd1

Edited by samizdat, 01 September 2011 - 12:30 AM.




