
w32 worm


7 replies to this topic

#1 cns

Posted 26 November 2011 - 09:36 PM

11/25/11. While researching data for a project, a pop-up window from Protection Privacy appeared and began to list different threats. This is the second time my computer has been hit by scareware; the first instance I had to reinstall Windows. I was able to get into safe mode, '1 time', and transferred all my files to an external. I should have done a system restore then; instead I downloaded Kaspersky, which did not download properly because of the w32, then restarted my computer. Since then, I have not been able to access safe mode or even remove programs from my computer to essentially uninstall everything and start over. In effect, my computer has been rendered useless from taking any action against w32. I could use a little help beyond what I know.

Chris

Edit: Moved topic from XP to the more appropriate forum. ~ Animal


#2 bloopie

Malware Response Team

Posted 26 November 2011 - 11:07 PM

Hi, and welcome to the forums!! :thumbsup:

Can you boot your computer normally at all? Will it run in safe mode?

If your computer boots normally, we could take some other routes to clean this infection.

bloopie

Edited by bloopie reborn, 26 November 2011 - 11:23 PM.


#3 cns

Posted 26 November 2011 - 11:34 PM

My computer will boot under normal, and I can even use the F12 boot features and F2 system details. I just can't get F8 to boot safe mode options; I get a keyboard failure note. The computer ran fine under safe mode when I was able to access it the first time.

#4 bloopie

Malware Response Team

Posted 27 November 2011 - 01:35 PM

Hi again,

You posted "Protection Privacy", are you sure you don't mean Privacy Protection?

See if you are able to follow the instructions from the link I provided. Does your system infection match the one from the link?

Let me know if you have any problems trying that method. :)
(You may need to try to boot into safemode more than once)


bloopie

Edited by bloopie reborn, 27 November 2011 - 01:36 PM.


#5 cns

Posted 28 November 2011 - 11:18 PM

It is the same "Privacy Protection" pop-up. I've tried multiple times to access safe mode; I get a keyboard failure response, or a normal boot without the message. I do have a second boot screen that comes on after the Dell BIOS. I'm not sure why I get this, but I've been getting this prompt for a while, before the worm.

-----------------------------------------------------------
Phoenix-Award WorkstationBIOS v6.00PG.
Copyright © 1984-2003, Phoenix Technologies, LTD


Diskette drive 0 seek failure
Keyboard Failure



Press F1 to continue, F2 to enter SETUP.
-----------------------------------------------------------

I downloaded RKill the first time I was in safe mode. The icon sits on my desktop; under normal operation it will not commence. When I click the icon, I get a balloon message from the Privacy Protection icon in the lower right that says "Reimage repair.exe can not start." That balloon disappears and the constant message "DLACTRLW.EXE can not start" appears.

#6 bloopie

Malware Response Team

Posted 29 November 2011 - 02:23 PM

Hi again,

Do you have a flash drive or portable USB device?

Let's try again to download Rkill with a different name from a clean computer to your flash drive:

Please delete the old Rkill you've already downloaded.

Please download Rkill by Grinler and save it to your flash drive. But this time, right-click one of the following links, make sure that your flash drive is selected in the left pane of the screen, then choose "save link as".
Rename the file to privacy.exe... make sure that the Save As Type box is set to "All Files".

Link 2
Link 3
Link 4
Now insert the same flash drive into your sick computer, and copy the file to the desktop. Try this in normal mode as safe mode is not working.
  • Double-click on the Rkill desktop icon (it should look like a small black box) to run the tool.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and rename the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Note: the tool may take several minutes to finish, and you will see a text file displayed on your screen if it does finish.
Do not reboot the computer or you will need to run the application again.

After running Rkill, please download Malwarebytes' Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

How is your computer running now?


bloopie

Edited by bloopie reborn, 29 November 2011 - 02:26 PM.


#7 cns

Posted 30 November 2011 - 12:26 AM

I opened and ran privacy.exe (RKill) several times to no avail before giving Task Manager a quick hello. I was not able to open the Task Manager window with the worm in place, and the window still closed in this instance, but it was Control-Alt-Delete that finally allowed RKill to run. Immediately afterwards I regained use of my desktop and proceeded to install Malwarebytes Anti-Malware. I had 12 infected objects: Trojan.FakeAlert x2, Trojan.Agent x4, Exploit.Drop.2 x2, Hijack.StartMenuInternet x1, PUM.Disabled.SecurityCenter x3.

The saved log report

---------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8276

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/29/2011 10:03:17 PM
mbam-log-2011-11-29 (22-03-17).txt

Scan type: Quick scan
Objects scanned: 163028
Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Privacy Protection (Trojan.FakeAlert) -> Value: Privacy Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Chris N. Stroppel\Local Settings\Application Data\kkg.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\privacy.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\chris n. stroppel\local settings\Temp\0.875933655656423fdrgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\chris n. stroppel\local settings\Temp\5606.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\chris n. stroppel\local settings\Temp\350.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\chris n. stroppel\local settings\Temp\352.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\chris n. stroppel\local settings\Temp\0.4889185532603818.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\documents and settings\chris n. stroppel\local settings\Temp\0.8660324926684095.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
---------------------------------------------------------------------------------------------------------------------

These and the worm have been removed and I have full use of my desktop again. It's what I'm using to post this message.

Thanks for the help, you da man!

Chris
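The Malwarebytes log in the reply above is worth reading as more than a list of quarantined files: it records the three ways the rogue dug in (a Run autorun value, the StartMenuInternet launch command rewritten so kkg.exe starts before iexplore.exe, and the three Security Center DisableNotify flags set to 1) next to the dropped files in Temp. The script below is an added example for this thread, not a tool from the original posts or from Malwarebytes. It parses that log text (pasted in abridged as a raw string), checks the summary counts against the items actually listed, and sorts the registry findings by persistence mechanism. The format is inferred from this one log, so the regexes are assumptions that may need adjusting for other MBAM versions.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and classify what it found.
Added example for this thread, not code from the original posts or from
Malwarebytes; the format is inferred from the log pasted in reply #7."""
import re
from collections import Counter

# Abridged copy of the log posted in reply #7 (blank lines and the empty
# "(No malicious items detected)" sections dropped). Raw string, because the
# paths contain \0, \t and \5 sequences Python would otherwise interpret.
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 8276
Scan type: Quick scan
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 7
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Privacy Protection (Trojan.FakeAlert) -> Value: Privacy Protection -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Chris N. Stroppel\Local Settings\Application Data\kkg.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\all users\application data\privacy.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\chris n. stroppel\local settings\Temp\0.875933655656423fdrgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\chris n. stroppel\local settings\Temp\5606.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\chris n. stroppel\local settings\Temp\350.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\chris n. stroppel\local settings\Temp\352.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\chris n. stroppel\local settings\Temp\0.4889185532603818.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\documents and settings\chris n. stroppel\local settings\Temp\0.8660324926684095.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
"""

# Line shapes seen in this log (assumed, not a published MBAM grammar).
SUMMARY_RE = re.compile(r"^(?P<section>.+) Infected: (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+) Infected:$")
DETECTION_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[\w.]+)\) -> (?P<detail>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$")
VALUE_RE = re.compile(r"^Value: (?P<value>.+?) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return (metadata, detections): the 'key: value' header fields plus the
    per-section summary counts, and one dict per item listed under a section."""
    metadata, counts, detections, section = {}, {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("(No malicious items"):
            continue
        if m := SUMMARY_RE.match(line):
            counts[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
        elif section is None:
            if ": " in line:
                key, _, value = line.partition(": ")
                metadata[key] = value
        elif m := DETECTION_RE.match(line):
            det = {"section": section, "target": m["target"], "family": m["family"]}
            detail = m["detail"]
            if bg := BAD_GOOD_RE.match(detail):      # registry data item: before/after
                det.update(bad=bg["bad"], good=bg["good"], action=bg["action"])
            elif v := VALUE_RE.match(detail):        # registry value: value name
                det.update(value=v["value"], action=v["action"])
            else:                                    # file, folder, key, process
                det["action"] = detail
            detections.append(det)
    metadata["summary_counts"] = counts
    return metadata, detections


def family_counts(detections):
    """Detections per Malwarebytes family name, e.g. {'Trojan.Agent': 4, ...}."""
    return dict(Counter(d["family"] for d in detections))


def count_mismatches(metadata, detections):
    """Sections whose summary count disagrees with the items actually listed
    (a truncated paste shows up here)."""
    seen = Counter(d["section"] for d in detections)
    return {s: (n, seen[s]) for s, n in metadata["summary_counts"].items() if seen[s] != n}


def persistence_indicators(detections):
    """Classify the registry changes: how the rogue restarts at logon, how it
    re-launches when the browser is started, and which Security Center
    warnings it silenced. Dropped files are left out."""
    findings = []
    for d in detections:
        target = d["target"].lower()
        if d["section"] == "Registry Values" and "\\currentversion\\run\\" in target:
            findings.append(("autorun", d["target"]))
        elif "startmenuinternet" in target and "\\shell\\open\\command" in target:
            # Bad value has the form "<rogue>.exe" -a "<real browser>": the rogue
            # runs first and then decides whether to start the browser.
            launcher = re.match(r'"?([^"]+?\.exe)"?', d.get("bad", ""))
            findings.append(("browser_launch_hijack",
                             launcher.group(1) if launcher else d.get("bad")))
        elif "\\security center\\" in target and target.endswith("disablenotify") \
                and d.get("bad") == "1":
            findings.append(("security_center_alert_disabled",
                             d["target"].rsplit("\\", 1)[-1]))
    return findings
```

Calling parse_mbam_log(MBAM_LOG) and then persistence_indicators on the result gives five findings: the Run autorun value, the browser-launch hijack naming kkg.exe as the wrapper around iexplore.exe, and the three silenced Security Center notifications (antivirus, firewall, updates). family_counts returns the same tally Chris reported by hand (2, 4, 2, 1, 3), and count_mismatches is empty, which is how you tell a pasted log is complete before drawing conclusions from it.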

#8 bloopie

Malware Response Team

Posted 30 November 2011 - 01:45 PM

Hi Chris,

Glad we could be of help! :thumbsup:
If you have any other problems, please let us know!

Best of regards,

bloopie
