
OMG, where do you start


  • This topic is locked
6 replies to this topic

#1 JMK2012

JMK2012

  • Members
  • 45 posts
  • OFFLINE
  • Local time:01:05 AM

Posted 10 December 2011 - 02:14 PM

Where do you start? An explanation:

It's my sister-in-law's HP laptop. Last week she got the System Fix virus, and I went over to her house and ran through the online instructions on how to eradicate it using Malwarebytes and Spybot, etc. It looked OK afterward, but I didn't have time to really do an in-depth recheck. A couple days later, she's calling again with the same problem. This time she brings the machine to me and I start to get invasive. At that point, she'd already lost all her Start button shortcuts, so I suggested doing a restore as far back as we could, but she had important business QuickBooks data that she didn't want to lose, and she's desperately afraid of losing all her iTunes music files. So, instead of the restore, I set about to get the machine stable enough to export QuickBooks data and her iTunes songs. Turns out, she's able to use a flashdrive backup of her QB data to get it loaded onto my brother's machine, so she's OK there. Still, she's desperate to not lose the iTunes...

So, I set about to eradicate again using Malwarebytes, Spybot, and whatever info I could glean off the net regarding this and its associated malware (ooopppps... just got another Microsoft Security Essentials warning that JS/blacole.A is trying again to infect...). Having jumped through most of the hoops now two to three times, the machine is as clean as I can get it in order for her to actually run it long enough to export iTunes, but is that safe? Could these exploits/trojans/viruses get passed on to whatever machine she uses?

In all likelihood, we'll have to do a complete system restore, and not just use a restore point. After all the efforts to eradicate, all the browsers are still redirecting, even after installing IE 9 and giving it a go with the highest security settings. Here are some of the names of the nasties.

These have all been ID'd by Microsoft Security Essentials after I gave up on the Malwarebytes and Spybot efforts:

trojandropper:win32/sirefef.b
exploit:java/cve-2011-3544.d
exploit:java/cve-2010-0840.ni
exploit:java/blacole.cc
exploit:java/cve-2011-3544.e
trojan:ss/redirector.hq


With Malwarebytes I kept getting a program error, even after multiple safe mode installations and runs... Sometimes it would run OK and ID stuff, but I'd get an error message saying it failed. I think the same thing happened with AVG Free. Wasn't sure what to trust.

Initially this all started with the Win7 Security Fix [Virus] 2012. At that same time, there were also multiple Interactive Service Detections (since have shut it off...). Some of the initial virus/trojan/exploits that Malwarebytes supposedly removed were:

Trojan-bnk.win32-keylogger
jucheck.exe
pum.hijack
knh.exe - win32\cryptor
jgfhtdt.exe - trojan horse dropper.generic5.nb
trojan horse generic_r.ju

OK, so at this point, I'm of the opinion that since all of her regular shortcuts are gone (either by her running a cleanup of the temps or whatever...), and since this redirect c-r-a-p just doesn't want to go away, and since I could just do a complete system restore and get her back to store bought (if it's not an infection in the root...) THE ONLY REAL ISSUE is trying to save her music files, getting her back a working system with MSE installed from the get-go, and weaning her off her Incredimail (never used it, but read all the bad publicity...).

The big question then is, DO YOU AGREE? Is it worth trying to restore functionality to this totally messed up system. I'm thinking NO. (I've already spent about 30 hours "learning all about this nonsense" I really didn't need to know about.) Secondly, do you think it's safe to get her music files exported, or would they (the virus idiots) have already suspected you'd do that and created a pathway to infect another machine??? I did merge this laptop into my home network to see if I could have transferred her files (~36 gb) over to one of my machines with AV running, but I then decided against that since this mess seems so pervasive.

What do you all think? While I was writing this and had that MSE warning and removal, I've lost the desktop, so I'm gonna hit POST and hope this gets posted. I'd post a logfile, but can't get to them now since I don't even have a Start button or task bar (at the moment...).

Frustrated beyond belief, but I know the answer is out there.

Thanks for your time and patience.
Joe

PS - I'm on my personal computer now, while running a full scan with MSE to see what happened during the time I was writing to you all. I should have mentioned that I did try to do Windows Updates, but Service Pack 1 failed to install twice, leaving me returning to a restore point. Once it would not restore until I finally hit a restore that worked, but otherwise I was locked out. Can't think of all the other nasty stuff that has been happening, but the main question remains: IS IT WORTH trying to get this cleaned up as opposed to a complete RESTORE?

PPS - I thought I'd be able to add a (dds?) logfile to this message, but I've currently got a completely black screen on the laptop (with an MSE window running) until I finish the MSE scan. Consequently, I don't have much additional "machine info" to add here, but it's a Win7 64bit Home Premium HP laptop with (now) all the miscellaneous antivirus programs removed (or so it seems...), just running MSE now.

Edited by JMK2012, 10 December 2011 - 02:28 PM.




#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:05:05 AM

Posted 10 December 2011 - 02:52 PM

If you want to run the dds program and post a log, then please follow the instructions in ==>Malware Removal and Log Section Preparation Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

Most importantly please be patient till you get a reply to your topic.

#3 JMK2012

JMK2012
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:01:05 AM

Posted 10 December 2011 - 02:57 PM

Yes, I will do that when I can get done with the current MSE scan AND can figure out what happened to the desktop on the infected laptop.

I posted in this forum purposely to get suggestions/advice on the actual benefit of trying to remove the problems vs doing a complete RESTORE and also how to know if the root is actually infected, preventing a clean complete restore.

Joe

#4 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:05:05 AM

Posted 10 December 2011 - 03:06 PM

It may turn out that you will need to do a restore, but give the experts here at BC a run at the issue.

#5 JMK2012

JMK2012
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:01:05 AM

Posted 10 December 2011 - 03:27 PM

Will do!

#6 JMK2012

JMK2012
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:01:05 AM

Posted 11 December 2011 - 12:35 AM

Here's the link to the message with all of the log files I produced after posting this original message:

http://www.bleepingcomputer.com/forums/topic431806.html

Thanks for any assistance offered.

Joe

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:05 AM

Posted 11 December 2011 - 06:38 AM

Hello,

Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Response Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to a week, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft