Still infected??



#1 vaparker

Posted 13 February 2012 - 03:30 AM

I had (have?) a backdoor trojan (Win32/pup-Gen) detected by Malwarebytes. I still had issues with the computer after Malwarebytes removed it (computer just turning off unexpectedly, slow, still acting and doing strange things). Then, going through my files and processes trying to figure out where the remains of this trojan were still hiding, I apparently got another bad one! (VIRtool:/WINNT/Xooba.A, C:\windows\System32\78B50F50.exe ??) (Even used the Kaspersky removal tool.)
I tried Dr.Web CureIt and everything I could to get rid of these, and still had issues, I believe due to remnants of them hooked into my files, registry and no telling what else. (Did a computer restore many times, etc.) I believe it was just getting reinfected upon startup. I had installed an unhooker program and it said I had 6 hooks still: 5, like, in the kernel part and another one in a file. But I was scared I would crash it or mess it up worse dealing with the kernel hooks, so I didn't use it.
So I just decided to wipe it clean by putting this computer back to factory settings like it was when I first purchased it and reinstall everything. I saved pictures etc. to a flash drive and did it. But it is still turning off by itself on occasion and acting funky at times, even though it looks and seems much better in many other ways.
I was using Microsoft Security Essentials as my antivirus before restoring it, and Malwarebytes, SUPERAntiSpyware and Spybot (the latter 3 on demand).
I decided to use a different antivirus when I reinstalled everything, and it gave me a free trial of Norton Antivirus, which I am using for now. I love Malwarebytes, so while installing Malwarebytes again I saw your RKill program on the CNET site. So I checked it out and installed it a bit ago. Here are the known malware processes it is killing:


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 02/13/2012 at 1:37:06.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Users\Vicky\AppData\Local\Google\Update\1.3.21.99\GoogleCrashHandler.exe
C:\Users\Vicky\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Vicky\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Vicky\AppData\Local\Google\Chrome\Application\chrome.exe


Rkill completed on 02/13/2012 at 1:37:43.


Then I ran a Malwarebytes quick scan and this is what it said: no malicious items detected, but I don't understand what it is saying about the following:

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Here is the remainder of the log from Malwarebytes:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.13.01

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 7.0.6001.18000
Vicky :: HOME-PC [administrator]

Protection: Enabled

2/13/2012 12:47:19 AM
mbam-log-2012-02-13 (00-47-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 174805
Time elapsed: 7 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


So... wondering if I'm still infected with the PUP or whatever the heck in startup and/or registry, which is why it keeps just turning off? And now wondering how RKill has found those malware processes already when I just reinstalled Windows and all yesterday? What the heck am I doing?

I am totally fascinated/intrigued with malware and would love to learn to help others with PC issues as well. I have done a lot of research on my own and thought I could figure this one out. I understand they were both pretty severe infections, so I think it is way beyond what I know to do, and I'm tired of trying to figure it out!! ; )
Your help would be so greatly appreciated.

Thank you,
Vicky


#2 bloopie (Malware Response Team)

Posted 13 February 2012 - 11:04 PM

Hi vaparker and welcome to BC!!

That's an interesting issue, and I'd love to share the knowledge with you! My name is bloopie and I'll be assisting you the best I can.

You mention you still "have issues" with your computer, could you please describe what those issues are in detail so that we can better help you?

You've run Rkill, which did stop processes, but have you run Rkill, then run Malwarebytes immediately afterwards, without rebooting in between Rkill and MBAM?

Also, doing a System Restore may not work, as you may be re-restoring old malware that likes to infect the old restore points on your system. More on that later, though.

Try the above again (Rkill first, then, without rebooting, rerun MBAM), and also do the following:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in Safe Mode.
-- If GMER crashes or keeps resulting in a BSOD, uncheck Devices on the right side before scanning.

Next, please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Please include in your next reply:

The most recent logs after doing the above.
The GMER log.
The aswMBR log, if you can!

bloopie

Edited by bloopie, 14 February 2012 - 07:02 PM.


#3 vaparker (Topic Starter)

Posted 20 February 2012 - 11:29 PM

Good evening, and thanks again for all your help!
No, I didn't restart my computer between doing RKill and Malwarebytes. My understanding is you were not supposed to.
The biggest issue I have is my computer just shutting down randomly. Also, it is slower than normal, and there are questionable processes in my Task Manager.
A friend of mine who works on computers said I didn't have any malware, and I disagreed with him. He thought it was an issue with my explorer.exe.
I was wondering if it was a memory or hard drive issue if it was not a virus. I still believe it is some type of malware still lurking. = )
Like I said, I am fascinated with malware and have been trying to learn all I can about it.

Here are the logs for you:

GMER log:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-20 21:23:39
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5 TOSHIBA_MK1652GSX rev.LV011C
Running: x5ddcted.exe; Driver: C:\Users\Vicky\AppData\Local\Temp\kxldipow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186306213
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002186306213 (not active ControlSet)

---- EOF - GMER 1.0.15 ----



The aswMBR log:


aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-20 22:06:06
-----------------------------
22:06:06.591 OS Version: Windows 6.0.6002 Service Pack 2
22:06:06.591 Number of processors: 1 586 0x301
22:06:06.596 ComputerName: HOME-PC UserName: Vicky
22:06:14.661 Initialize success
22:06:15.685 AVAST engine defs: 11112801
22:06:34.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5
22:06:34.734 Disk 0 Vendor: TOSHIBA_MK1652GSX LV011C Size: 152627MB BusType: 3
22:06:34.765 Disk 0 MBR read successfully
22:06:34.765 Disk 0 MBR scan
22:06:34.765 Disk 0 unknown MBR code
22:06:34.781 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 142537 MB offset 2048
22:06:34.828 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10088 MB offset 291917824
22:06:34.843 Disk 0 scanning sectors +312578048
22:06:34.952 Disk 0 scanning C:\Windows\system32\drivers
22:06:58.649 Service scanning
22:07:28.991 Modules scanning
22:08:00.715 Disk 0 trace - called modules:
22:08:00.747 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys
22:08:01.246 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85a2d110]
22:08:01.261 3 CLASSPNP.SYS[8079f8b3] -> nt!IofCallDriver -> [0x84bc3918]
22:08:01.277 5 acpi.sys[8060d6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-5[0x84bb9b98]
22:08:02.166 AVAST engine scan C:\Windows
22:08:05.941 AVAST engine scan C:\Windows\system32
22:12:14.168 AVAST engine scan C:\Windows\system32\drivers
22:12:38.233 AVAST engine scan C:\Users\Vicky
22:13:47.731 AVAST engine scan C:\ProgramData
22:14:22.313 Scan finished successfully
22:17:22.218 Disk 0 MBR has been saved successfully to "C:\Users\Vicky\Desktop\MBR.dat"
22:17:22.218 The log file has been saved successfully to "C:\Users\Vicky\Desktop\aswMBR.log"


Very curious to understand what these logs mean... please let me know, and also how I can learn more about malware and maybe help out in any way... would love to!

Thanks again soooo much...

I also downloaded CCleaner and cleaned up my registry, etc. ... thought maybe that was the problem? Since then... just can't be on long due to the computer shutting off randomly.

I also just lately have been using my phone to access the internet with my mobile AP. Don't know if that could be an issue as well?

Have a great evening and hope to hear from you soon. Let me know what else I might need to do.

Take care,
Vicky
vaparker13@yahoo.com

#4 bloopie (Malware Response Team)

Posted 21 February 2012 - 10:59 PM

Hello again Vicky,

Let's take this a bit at a time, ok? Don't worry, I'm not going anywhere and I'm here to help you! :)

So far, your logs are looking quite clean! In the GMER log, I wasn't surprised to find a short log due to your Operating System (Vista). I'd be looking for unknown or suspicious modifications to driver files or memory addresses there, but no go.

"The biggest issue I have is my computer just shutting down randomly."

Do you see any bluescreen with white lettering flash briefly before the monitor shuts off?

"I had installed an unhooker program and it said I had 6 hooks still..5 like in the kernel part and another one in a file. But I was scared I would crash it or mess it up worse dealing with the kernel hooks so I didn't use it."

Do you know what particular program that was (e.g. Rootkit Unhooker)? Post a log here if you could.

Your aswMBR log is also not showing anything out of the ordinary. I'd like to run another scan or two. But before that:

"questionable processes in my task manager."

Could you list the questionable processes from your task manager here please? We'll go through them together. :)

bloopie
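The aswMBR log in post #3, and bloopie's reading of it above, become easier to follow once the partition arithmetic is written out: 2048 + 142537 x 2048 = 291917824, so partition 2 starts exactly where partition 1 ends, and 291917824 + 10088 x 2048 = 312578048, which is the sector where the log's "scanning sectors +312578048" line begins, i.e. the unpartitioned space after the last partition that no file-system scan covers and that bootkits therefore use. The "unknown MBR code" line only says the boot code did not match one aswMBR recognises; deciding whether that is benign means comparing the boot code against a clean copy. The Python script below is an added example, not part of the thread and not aswMBR's own code: it parses a raw 512-byte MBR (such as the MBR.dat aswMBR saved to the desktop), runs the layout checks a responder would want, reports the unpartitioned tail, and hashes the boot-code bytes so two disks can be compared. The MBR it runs on is constructed inline to reproduce the partition layout from the log; its boot-code area is zero-filled and is not the real machine's code, and the disk size is taken from the log's 152627MB figure.

```python
"""Parse and sanity-check a raw 512-byte MBR, e.g. the MBR.dat that aswMBR saves."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
SECTORS_PER_MB = 2048          # 1 MiB of 512-byte sectors; the unit behind aswMBR's "MB" column
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries, then the 0x55AA signature at byte 510
ENTRY_FMT = "<B3xB3xII"        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


@dataclass
class Partition:
    index: int
    status: int        # 0x80 = active (bootable), 0x00 = inactive
    ptype: int         # 0x07 = HPFS/NTFS/exFAT
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        """First sector after the partition."""
        return self.lba_start + self.sectors

    @property
    def size_mb(self) -> int:
        return self.sectors // SECTORS_PER_MB


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Return the non-empty entries of the MBR partition table."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, off)
        if ptype != 0 and sectors != 0:
            parts.append(Partition(i + 1, status, ptype, lba_start, sectors))
    return parts


def boot_code_sha256(mbr: bytes) -> str:
    """Hash of bytes 0..439 only. Bytes 440..445 hold the per-machine disk signature and a
    reserved word, so leaving them out lets two installs of the same OEM image compare equal."""
    return hashlib.sha256(mbr[:440]).hexdigest()


def check_layout(parts: List[Partition], disk_sectors: int) -> List[str]:
    """Checks a responder applies before trusting the table: exactly one active partition,
    no overlapping entries, nothing running past the end of the disk."""
    findings = []
    active = [p for p in parts if p.status == 0x80]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_end > b.lba_start:
            findings.append(f"partition {a.index} overlaps partition {b.index}")
    for p in parts:
        if p.lba_end > disk_sectors:
            findings.append(f"partition {p.index} ends past the end of the disk")
    return findings


def unpartitioned_tail(parts: List[Partition], disk_sectors: int) -> Tuple[int, int]:
    """(first sector after the last partition, sectors from there to the end of the disk).
    This is the region aswMBR reports as 'scanning sectors +N'."""
    end = max((p.lba_end for p in parts), default=0)
    return end, disk_sectors - end


def build_sample_mbr() -> bytes:
    """Constructed MBR (not the real disk's) whose partition table reproduces the aswMBR log:
    80 07 at LBA 2048, 142537 MB; 00 07 at LBA 291917824, 10088 MB. Boot code is zero-filled."""
    mbr = bytearray(SECTOR)
    table = [
        (0x80, 0x07, 2048, 142537 * SECTORS_PER_MB),
        (0x00, 0x07, 291917824, 10088 * SECTORS_PER_MB),
    ]
    for i, (status, ptype, start, count) in enumerate(table):
        struct.pack_into(ENTRY_FMT, mbr, PARTITION_TABLE_OFFSET + 16 * i, status, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # To check a real capture instead: mbr = open("MBR.dat", "rb").read()
    mbr = build_sample_mbr()
    disk_sectors = 152627 * SECTORS_PER_MB   # the 152627MB disk from the log
    parts = parse_mbr(mbr)
    print("boot code sha256:", boot_code_sha256(mbr))
    for p in parts:
        flag = "(A)" if p.status == 0x80 else "   "
        print(f"Partition {p.index} {p.status:02X} {flag} {p.ptype:02X} {p.size_mb} MB offset {p.lba_start}")
    print("layout findings:", check_layout(parts, disk_sectors) or "none")
    tail_start, tail_len = unpartitioned_tail(parts, disk_sectors)
    print(f"unpartitioned tail: sector {tail_start}, {tail_len} sectors")
```

To use it on a real capture, read MBR.dat as shown in the comment in place of build_sample_mbr(), and take the boot_code_sha256 value from a second machine restored from the same HP recovery image; a matching hash turns "unknown MBR code" into a concrete comparison rather than a guess, while a mismatch is what a responder would escalate on.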



