
Half-fixed my virus problem.


25 replies to this topic

#1 GreaLauren

Posted 26 December 2011 - 02:52 PM

I rarely get viruses on my own computer, so it really frustrates me when I do - even more when I cannot for the life of me fix it.
I don't know how long it was creeping, because there are only about two explanations for where I got it from, since I only go to the same places... it means either deviantart.com had one in their ads, AGAIN (one of my homepages on Firefox is dA and I'm not logged in on Firefox anymore.. shame on me for not taking it off the homepage) OR someone on Facebook was clicking stupid links and has stuff on their page and I didn't catch it.

Anyhow, it started with a BSOD. I was like okay.. maybe there is just too much power being used in house. (My stepdad just got a new heater and this house is old. Half the power got shut off when I turned on the microwave lol)

BUT THEN I turned my computer back on and I got a ton of warning pop ups.. okay, I've dealt with that before. I found the .exe in task manager and turned it off, deleted it from where it was found, and emptied recycle bin.

Now here's the problem. I restarted. Half the stuff on my desktop is missing, my task manager wasn't working (I don't remember how I fixed that). MBAM, which was supposed to be the free version, is constantly telling me it's a trial and that it's expired and won't let me do anything. A lot of my pinned programs are now unpinned. Actually all of them are. And last night when I was scanning with Ad-Aware and Avira, I opened task manager and saw winrscmde in svchost.exe *32 climbing up and up and up in memory usage. I kept shutting it down and it kept coming back until today when I turned my computer back on and it said 'there was a problem with the application' and shut down.

I also should mention that most of the stuff like control panel, my computer, etc is missing from the start menu and the only way I am able to go through it is because I have my documents folder on my desktop and can get to it through there.

So what all do I need to do to give you more information about what's creeping inside my computer? I wanted to clean my computer and organize but reformatting is something I didn't plan on doing! If it comes to that, then well I guess I have to do it.

I have TFC and I just /supposedly/ cleaned everything the other day before this happened and somehow when I was scanning it said I still had like 600 cookies or something?! That really upset me. I haven't been on the computer much.

Please help ASAP! I'll be checking this post continuously.


SPECS:
Windows 7 Home Premium
HP p6300z
AMD Athlon™ II X2 240 Processor 2.80 GHz
4.00 GB RAM
64bit OS

Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Animal


#2 GreaLauren (Topic Starter)

Posted 26 December 2011 - 03:00 PM

How is this a more appropriate forum when I know I'm infected >_>

#3 GreaLauren (Topic Starter)

Posted 26 December 2011 - 03:03 PM

Ugh, nevermind. The svchost.exe with winrscmde came back and was up to 400K memory.

#4 bloopie (Malware Response Team)

Posted 26 December 2011 - 03:23 PM

Hi and welcome to the forums! :thumbsup:

My name is bloopie. It's not uncommon for malware to hide some desktop and start menu items. In any case do you have a flash drive or USB device? You may need to transfer some of these programs to the infected computer with a USB or CD-ROM.

Also, please describe any of the pop-ups you see on your screen as this could be a good indicator of the infection you're experiencing. Names of the windows that pop up are a good help.

Please download Rkill by Grinler and save it to your desktop.
Link 1
Link 2
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer, you will need to run the application again.

Now, please download Malwarebytes' Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

How is your computer running now?

bloopie

Edited by bloopie reborn, 26 December 2011 - 03:31 PM.


#5 GreaLauren (Topic Starter)

Posted 26 December 2011 - 03:30 PM

First, root kill log came up:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 12/26/2011 at 15:26:13.
Operating System: Windows 7 Home Premium


Processes terminated by Rkill or while it was running:

C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
\\.\globalroot\systemroot\svchost.exe
C:\Users\Grea\Desktop\Documents\Downloads\OTL.exe


Rkill completed on 12/26/2011 at 15:26:28.


Second, this is weird. I had no problem reinstalling MBAM last night but the links you gave say:

An error has occurred. Please report this error code to our support team.
PROGRAM_ERROR_LOAD_DATABASE (0,13, CreateSDK)



#6 GreaLauren (Topic Starter)

Posted 26 December 2011 - 03:32 PM

Nevermind, second one worked now.. that was weird. I'll be back with the results.

#7 bloopie (Malware Response Team)

Posted 26 December 2011 - 03:36 PM

:thumbup2:

After the full scan with MBAM, post the resultant log here. Then let me know of any other problems you are having/still have. Are your icons and start menu items back up?

bloopie

#8 GreaLauren (Topic Starter)

Posted 26 December 2011 - 03:39 PM

Yay okay. So glad it was scanning now. I don't know why downloading from the main site was giving me so much trouble.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122604

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

12/26/2011 3:39:22 PM
mbam-log-2011-12-26 (15-39-22).txt

Scan type: Quick scan
Objects scanned: 181271
Time elapsed: 5 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Grea\AppData\Local\Temp\oiu0.2880231202672848.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
c:\Windows\Temp\oiu0.1788926108412522.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
c:\Windows\Temp\oiu0.4253884162077435.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
c:\Windows\Temp\oiu0.8887294657230768.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
c:\Windows\Temp\oiu0.8900213670327886.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
c:\Users\Grea\AppData\Local\Temp\oiu0.12747885298553163.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
c:\Windows\Temp\fsdfdsf0.20739365956585654.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
c:\Windows\Temp\fsdfdsf0.34165571827363816.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
c:\Windows\Temp\fsdfdsf0.35290118201518217.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
c:\Windows\Temp\fsdfdsf0.49631212864714735.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
c:\Windows\Temp\oiu0.14011037055422892.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
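The three things this log records (an svchost.exe outside System32, Start-menu registry values flipped to 0, and randomly named droppers in the Temp directories) can be re-checked by hand after the tools have run. The PowerShell script below is an added example written for this page; it is not from the thread and is not part of Rkill, MBAM or any other tool mentioned here. It assumes Windows 7 with Windows PowerShell 2.0 or later, run from an elevated prompt (without elevation, WMI returns no path for processes owned by other users). The `\\.\globalroot\systemroot\svchost.exe` entry that Rkill terminated earlier in the thread is the same `C:\Windows\svchost.exe` file named through the NT object namespace. `Start_ShowControlPanel` is included on the assumption that it governs the Control Panel entry the poster also reported missing; it does not appear in the log.

```powershell
# Added example for this page (not from the thread, not part of Rkill/MBAM).
# Assumes Windows 7, Windows PowerShell 2.0 or later, elevated prompt.

# 1. svchost.exe masquerading.
#    The genuine svchost.exe lives only in System32 (and SysWOW64 on 64-bit
#    Windows). The MBAM log quarantined c:\Windows\svchost.exe; any copy
#    running from elsewhere is suspect regardless of what Task Manager shows.
$legit = @("$env:SystemRoot\System32\svchost.exe",
           "$env:SystemRoot\SysWOW64\svchost.exe")

function Get-SvchostReport {
    Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $path = $_.ExecutablePath
        $sig  = if ($path -and (Test-Path $path)) {
                    (Get-AuthenticodeSignature -FilePath $path).Status
                } else { 'Unknown' }
        New-Object PSObject -Property @{
            PID              = $_.ProcessId
            ParentPID        = $_.ParentProcessId
            Path             = $path
            # -contains is case-insensitive, so C:\windows\... still matches
            ExpectedLocation = [bool]($path -and ($legit -contains $path))
            # Caveat: on older PowerShell builds, catalog-signed OS binaries can
            # report NotSigned here; treat the path check as the primary signal.
            Signature        = $sig
            CommandLine      = $_.CommandLine
        }
    }
}
Get-SvchostReport | Sort-Object ExpectedLocation | Format-Table -AutoSize

# 2. Start-menu hijack values.
#    MBAM reset Start_ShowMyComputer and Start_ShowSearch from 0 back to 1.
#    Start_ShowControlPanel is assumed (from the symptom) to cover the missing
#    Control Panel entry; it is not in the log.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-StartMenuHijack {
    $props = Get-ItemProperty -Path $advKey
    foreach ($name in 'Start_ShowMyComputer', 'Start_ShowSearch', 'Start_ShowControlPanel') {
        $p = $props.PSObject.Properties[$name]
        New-Object PSObject -Property @{
            Value   = $name
            Current = if ($p) { $p.Value } else { '(absent: default applies)' }
            Hidden  = [bool]($p -and $p.Value -eq 0)
        }
    }
}
Get-StartMenuHijack | Format-Table -AutoSize
# To restore one entry (Explorer rereads these at log-off or explorer.exe restart):
#   Set-ItemProperty -Path $advKey -Name Start_ShowMyComputer -Value 1 -Type DWord

# 3. Dropper residue.
#    The log lists randomly named oiu0.*.exe / fsdfdsf0.*.exe files in the
#    user and system Temp directories. Executables that are still there, or
#    that reappear after cleanup, indicate a dropper is still active.
function Get-TempExecutables {
    Get-ChildItem -Path $env:TEMP, "$env:SystemRoot\Temp" -Filter *.exe -Force `
        -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, LastWriteTime, Length
}
Get-TempExecutables | Format-Table -AutoSize
```

Run it once before and once after the cleanup tools; the useful comparison is whether a non-System32 svchost.exe, a zeroed Start_Show* value, or a fresh Temp executable comes back after a reboot, which is exactly the pattern the poster describes with the "winrscmde" processes. On 64-bit Windows 7 the service hosts are 64-bit processes from System32, so an `svchost.exe *32` entry in Task Manager is itself unusual and worth the path check.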



#9 GreaLauren (Topic Starter)

Posted 26 December 2011 - 03:41 PM

I have to restart so I will be back!

#10 GreaLauren (Topic Starter)

Posted 26 December 2011 - 03:46 PM

Oooook...

The stuff on my desktop is still missing and upon opening Task Manager I now see *counts them* FIVE "winrscmde" svchost.exe's .. none of them are climbing up in memory - yet. What should I do next?

OK, one of them is up to 14k now and still climbing.

Edited by GreaLauren, 26 December 2011 - 03:47 PM.


#11 GreaLauren (Topic Starter)

Posted 26 December 2011 - 03:49 PM

oh! I see 'computer' in start menu though xD

#12 bloopie (Malware Response Team)

Posted 26 December 2011 - 03:53 PM

Hi again,

Please download and run UNHIDE on the sick computer. This should make your files visible again.

After running unhide, I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Next please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Please be sure to post both logs here in your next reply, and let me know of any remaining issues you may have.

bloopie
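The "unhide" step above addresses files that are still on disk but no longer shown, which this class of infection typically achieves by setting the Hidden attribute on the user's files and shortcuts rather than deleting them. The PowerShell script below is an added example written for this page, not the Unhide tool the reply links to and not code from the thread. It assumes Windows 7 with Windows PowerShell 2.0 or later, and it only lists what it finds unless run with the `-Fix` switch (a name chosen here for the example). The folders it walks are the ones whose contents the poster reported missing; the all-users Start Menu and Public desktop paths are assumptions from standard Windows 7 layout.

```powershell
# Added example for this page (not the Unhide tool, not from the thread).
# Assumes Windows 7, Windows PowerShell 2.0 or later. Lists hidden user items
# under the locations the poster reported as empty; clears the Hidden bit only
# when run with -Fix. Run once without -Fix and review the list first.
param([switch]$Fix)

$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('MyDocuments'),
    [Environment]::GetFolderPath('StartMenu'),
    "$env:PUBLIC\Desktop",                                # shared desktop (assumed path)
    "$env:ProgramData\Microsoft\Windows\Start Menu"       # all-users Start Menu (assumed path)
) | Where-Object { $_ -and (Test-Path $_) }

function Get-HiddenUserItems {
    Get-ChildItem -Path $roots -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            # desktop.ini and similar System+Hidden items are hidden by design; skip them
            -not ($_.Attributes -band [IO.FileAttributes]::System)
        }
}

$hidden = @(Get-HiddenUserItems)
"{0} hidden item(s) found under: {1}" -f $hidden.Count, ($roots -join '; ')
$hidden | Select-Object FullName, Attributes | Format-Table -AutoSize

if ($Fix) {
    foreach ($item in $hidden) {
        # Clear only the Hidden bit; leave ReadOnly, Archive and the rest untouched
        $item.Attributes = [IO.FileAttributes](
            [int]$item.Attributes -band (-bnot [int][IO.FileAttributes]::Hidden))
    }
    "Cleared Hidden on {0} item(s). Log off or restart explorer.exe to refresh." -f $hidden.Count
}
```

The reason to review before fixing is that a handful of items are legitimately hidden; the script already skips anything that also carries the System attribute, but anything else it lists will become visible again. If the list is empty while the desktop is still blank, the missing items were removed rather than hidden, which is a different recovery problem (restore from backup) and worth telling the helper.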

#13 GreaLauren (Topic Starter)

Posted 26 December 2011 - 04:07 PM

Taking a loooong time for stuff to unhide >_> Should I just do the second step to make sure all the bad stuff is off >_<

#14 GreaLauren (Topic Starter)

Posted 26 December 2011 - 04:11 PM

Nevermind.. there it all is. It says I should disable anti-virus and stuff if my start menu items are still missing.. which they are...

#15 bloopie (Malware Response Team)

Posted 26 December 2011 - 04:17 PM

Disable your antivirus, and run UNHIDE once more. Then proceed with ESET and Gmer.

bloopie



