Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware disabled HJT, Malwarebytes, and AV


  • This topic is locked This topic is locked
4 replies to this topic

#1 Mike303

Mike303

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 08 October 2011 - 10:12 AM

Hi there, first off thanks for having a forum like this.
System: WinXP home edition SP3. Main browser FF 3.16. AV: Avast! AntiVirus 6.0.1203; Others: MalwareBytes, SpyBot S&D latest version, definitions updated a week ago.

I'm not sure what I got infected with but the behavior I have been seeing is:
redirects from Google searches, after a few times browser (FF 3.16 IIRC) hangs entirely.
Tried launching chrome instead, will not start. Rebooted system, came up with BSOD: System error code 1000 008e, parameters C000 0005, 805ce 1cc7, f7b0 2c74, 0000 0000

HJT will not run, error msg: Windows cannot access the specified device, path, or file. you may not have appropriate permissions to access the item. Same message when attempting to run Malware Bytes. When attempting to rename file, result is error that it is unable to rename the file, make sure device is not write protected or the file is not already in use. Same behavior when logged in as admin or user account in safe mode.

However, from USB in safe mode, I am able to run HJT. parsed log through www.hijackthis.de and hjt.networktechs.com with no suspect entries found.

Have DDS logs, can upload if requested. I am using a laptop as infected PC is very unresponsive right now, screenshots will be difficult if not impossible to achieve.

GMER found nothing suspect.

Attempted system restore, after reboot got failure message stating that nothing was changed.

Avast! antivirus is disabled, attempts to start services fail with a message about not being able to reach endpoint. Haven't captured the exact text, but can try again in a while. Currently Avast will run a scan in safe mode, and I running that now. It has already found one infected file. In quick scan, it has already run for over 30 minutes and shows 99% complete but is in C:\program files\ right now so will not be done for some time.

While running DDS I got some messages from my firewall (PC Tools Firewall Plus) about something trying to access the MBR. I thought it was part of DDS scanning but I was concerned about the MBR part so I enabled the first alert but the second one raised my suspicions so I blocked subsequent attempts. I couldn't find a log file in the firewall program folder, but next time I reboot I will go into the firewall GUI and see if I can pull a log from there.

I can normally fix these by myself but I get stumped when they disable my tools. I got avast in part because it pops a warning you try to change it, which made me think no rogue process or service could disable it w/o my knowledge. I'd really like to know what this is just so I can learn about it.

Thanks for any assistance

Edited by Mike303, 08 October 2011 - 10:18 AM.


BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:42 AM

Posted 08 October 2011 - 11:26 AM

Hello,

Please post the DDS and GMER logs in a reply to this topic.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Mike303

Mike303
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 08 October 2011 - 11:54 AM

Here are the logfiles requested. Thanks for any insight.

Update: I think I got it out. I'm listing what I did here so that the kind experts here may tell me if there's anything I did that was monumentally dumb, or even unwise. TDSSKiller found a service named "1805321505:3740951700" (probably random combo of numbers) which I thought I had blocked with WinPatrol, but had found its way into the registry and c:\Windows folder. Unfortunately it got into my Afd driver registry entries, so TDSSKiller simply deleted the keys leaving me unable to connect to the internet after reboot.

Reinstalled Afd.sys from latest windows update to drivers folder, and copied an Afd registry key from another forum into a .reg file. I know this is risky but I was about to give in and reformat anyway. Luckily it worked and I was back online. I still didn't have access to the tools though, making me think the malware was still active. Uninstalled and reinstalled Avast and MBAM, but eventually found out I could change the file permissions in Safe Mode (Right click -> Security).

DOS has an analogue of chmod called cacls, in hindsight that probably would have saved me a few reboots.

MBAM came back clean on the second scan after reinstall but Avast kept finding more trojan/worm variants in the system restore folder. Restore wasn't working anyway so I turned it off and ran Avast again. Clean. Updated MBAM and ran again just for good measure and it came back clean too. So far no further symptoms. I'm attaching before and after logs in zip format. Remaining questions:
1 - Does it look clean now?
2 - Anything else I should do to prevent reinfection?
3 - Could there have been an easier way than scanning multiple times with various tools to remove this infection?

Attached Files


Edited by Mike303, 09 October 2011 - 10:56 AM.


#4 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,663 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:42 AM

Posted 13 October 2011 - 10:15 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/422472 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,663 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:42 AM

Posted 15 October 2011 - 09:02 AM

You have stated that you no longer need help with this issue, therefore I am closing this topic. If that is not the case and you need or wish to continue with this topic, please send any Moderator a Personal Message (PM) that you would like this topic re-opened.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users