
one user cannot run .exe, another can


7 replies to this topic

#1 trink (Members)

Posted 19 January 2012 - 07:48 PM

Hello,
History: 16 year old son's Dell laptop computer. Used for school and gaming. He accesses Steam for Company of Heroes and Team Fortress II (but we don't think this is where the problem started). He plays League of Legends in conjunction with Skype to play with friends, so that accesses some server somewhere (groan). He plays Minecraft, effectively stand-alone (used Hamachi once long ago to access a friend's server, but not for a long time). He rather avidly goes to YouTube to watch posted MW# videos, but since his last malware experience a few months ago (groan again) he has NOT been going to other gaming websites. Of course, Facebook, but I suspect that lesson was learned a while ago - he claims he doesn't click on posted links there anymore (but of course, one can't be sure).

Situation: He had a malware incident a few months ago ("you've been infected!" in the system tray that took over) but I managed to clear that with boot to safe mode, Malwarebytes/Norton multiple scans and file deletions. All was well after that, but I wonder if that was cleared all the way out. Last weekend he had a powerhouse gaming weekend, trying to rack up points in LOL for a champion, and after three days of multi-hour sessions, he says he was on Facebook when the Windows 7 Home Security screen took over. He tried to instantly start Malwarebytes, but it was too late: it wouldn't start (screen popped up and disappeared).

Currently: I managed to boot to safe mode, got Malwarebytes to run, it found a trojan (trojan.exeshell.gen) and deleted it. It also found an adware agent, whitesmokeinstaller_9147.exe, and deleted it. Norton reported Trojan.Gen.2 inside jar_cache### and quarantined that.
But. Now his login and mine are behaving differently. Mine seems nearly normal but his won't run Firefox, IE, etc. It reports that it has lost the file association for .exe, but now I'm sufficiently paranoid that I don't believe even that. I downloaded FixNCR.reg and ran it, no help on his account. My account can start Skype, LOL, Firefox, etc. His cannot.

You guys have helped me before, so I'll wait until I am contacted here... any help or advice is of course greatly appreciated.


#2 narenxp (BC Advisor)

Posted 19 January 2012 - 10:57 PM

Please download exeHelper to your desktop.

Exehelper

Boot into the infected account

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Launch Malwarebytes, run a scan till you get a clean log

Please download GMER from here (does not work on 64 bit OS)

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.


Good luck

Edited by narenxp, 19 January 2012 - 10:57 PM.
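The symptom in this thread (one account runs .exe files, the other reports a lost file association) comes from the per-user registry hive overriding the machine-wide one, which is what exeHelper and FixNCR.reg repair. The following read-only check is an added example, not part of the thread and not the code of either tool; it assumes a default Windows 7 install and the standard Software\Classes key layout.

```powershell
# Added example (not from the thread, exeHelper or FixNCR.reg): report the
# registry keys behind the .exe file association for the machine hive and
# for one user hive, so a per-user hijack stands out next to the default.
# Read-only. Assumption: default Windows 7 layout and default values.

function Get-ExeAssociation {
    # $ClassesRoot: PowerShell registry path to a Software\Classes key, e.g.
    #   'HKLM:\Software\Classes'  machine-wide, shared by every account
    #   'HKCU:\Software\Classes'  per-user; overrides HKLM for that user only
    param([Parameter(Mandatory)][string]$ClassesRoot)

    $progId = (Get-ItemProperty -Path "$ClassesRoot\.exe" `
                -ErrorAction SilentlyContinue).'(default)'

    # A clean profile has no .exe key under its own hive at all; HKLM maps
    # .exe -> exefile. FakeAV-style infections add a per-user .exe key that
    # points at their own ProgId, whose open command runs the malware
    # instead of the program the user double-clicked.
    $resolved = if ($progId) { $progId } else { 'exefile' }
    $command  = (Get-ItemProperty -Path "$ClassesRoot\$resolved\shell\open\command" `
                  -ErrorAction SilentlyContinue).'(default)'

    $isUserHive = $ClassesRoot -notmatch '^(HKLM:|Registry::HKEY_LOCAL_MACHINE)'
    # Defaults: ProgId 'exefile' and open command "%1" %* (the file itself,
    # plus its arguments). An absent key is only normal in a user hive.
    $progIdOk  = ($progId -eq 'exefile')  -or ($isUserHive -and -not $progId)
    $commandOk = ($command -eq '"%1" %*') -or ($isUserHive -and -not $command)

    [pscustomobject]@{
        ClassesRoot = $ClassesRoot
        ProgId      = if ($progId)  { $progId }  else { '(absent)' }
        OpenCommand = if ($command) { $command } else { '(absent)' }
        LooksClean  = $progIdOk -and $commandOk
    }
}

function Test-ExeAssociation {
    # Compare the machine hive with a user hive; a per-user entry that
    # differs from the HKLM default is the thing to investigate.
    param([string]$UserClassesRoot = 'HKCU:\Software\Classes')
    $roots   = 'HKLM:\Software\Classes', $UserClassesRoot
    $results = foreach ($r in $roots) { Get-ExeAssociation -ClassesRoot $r }
    $results | Format-Table -AutoSize | Out-Host
    if ($results | Where-Object { -not $_.LooksClean }) {
        Write-Warning 'Non-default .exe association found; see the rows above.'
    }
    $results
}

Test-ExeAssociation
```

Run it while logged in as the affected account, since HKCU is that account's hive; if nothing launches there (the symptom in this thread), run it from the working administrator account and pass the other user's loaded hive as `-UserClassesRoot 'Registry::HKEY_USERS\<SID>\Software\Classes'`, where `<SID>` is that user's security identifier.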


#3 trink (Topic Starter)

Posted 20 January 2012 - 09:24 PM

Successful run of exehelper.
Malwarebytes reported Trojan.FakeAV embedded in a tmp file. Quarantined and removed.
Second scan with malwarebytes was clean.
downloaded and ran GMER - here is the log.

will wait to hear what's next... thanks so much.



#4 narenxp (BC Advisor)

Posted 20 January 2012 - 11:13 PM

That looks clean

Download

aswMBR

Launch it, allow it to download the latest Avast! virus definitions
Click the "Scan" button to start the scan. After the scan finishes, click on Save log

Post the log results here

Download

FSS

Checkmark

Internet Services
Windows Firewall
System Restore
Security Center
Windows Update

Click on "Scan".
Please copy and paste the log to your reply.

Download

ESET online scanner


Install it

Click on START, it should download the virus definitions
When the scan gets completed, click on LIST of found threats

Export the list to the desktop, copy the contents of the text file in your reply


Good luck

Edited by narenxp, 20 January 2012 - 11:14 PM.


#5 trink (Topic Starter)

Posted 21 January 2012 - 09:08 PM

All done successfully. Don't know what to think of the ESET results, though...

aswMBR log:


FSS log file

ESET listing
C:\Users\Matthew\AppData\Local\Temp\plugtmp-17\plugin-2fdp.php JS/Exploit.Pdfka.OYH trojan cleaned by deleting - quarantined
C:\Users\Matthew\Downloads\Facemoods.exe a variant of Win32/SweetIM.B application cleaned by deleting - quarantined
C:\Users\Matthew\Downloads\GameBario_fmds3.exe a variant of Win32/SweetIM.B application cleaned by deleting - quarantined
C:\Users\Matthew\Downloads\setup.exe a variant of Win32/Toolbar.Zugo application deleted - quarantined

#6 narenxp (BC Advisor)

Posted 21 January 2012 - 09:21 PM

That looks good, uninstall Facemoods from your Add or Remove Programs

Download

TFC

Launch it, it will close all running programs

Click on START, it should ask for a reboot

Turn off your System Restore, restart the PC, create a new restore point

http://windows.microsoft.com/en-US/windows7/Turn-System-Restore-on-or-off

Uninstall your Java update from Add or Remove Programs and download the latest from here

http://www.java.com/en/

Update your antivirus frequently, do not click on suspicious links

safe surfing :)

#7 trink (Topic Starter)

Posted 23 January 2012 - 05:31 PM

OK, all done and seems to be fine. Thanks.

#8 narenxp (BC Advisor)

Posted 23 January 2012 - 08:29 PM

You're welcome :)



