
Infected severely


  • This topic is locked
12 replies to this topic

#1 rangerray

rangerray

  • Members
  • 13 posts
  • Gender:Male
  • Location:Las Vegas, NV

Posted 27 April 2012 - 03:32 PM

Attached files: attach.txt, dds.txt, GMER log.txt, aswMBR.txt

I have a severe virus. Malware, spyware, or adware? But it is severe. I can use my computer, but when I start researching malware and rootkits, I start getting a lot of errors: "Sorry, page could not open," etc. Every time I attempt to seek help, i.e. BleepingComputer, my computer starts directing me to a different area. Just a while ago, I tried to validate my new email address with BleepingComputer; an error occurs. Sometimes I'll try to log on to a site for help, I'll put in my user name and password, then I have to type in the captcha (the words you have to type in to verify); every time I type in the right word, I'll either get "wrong password" or that I typed in the captcha wrong. I know they're right. Anyway, about five days ago I requested help on this site. I can not find my topics. Which I figured, whatever I have pulled the wool over my eyes. I have had this problem for close to eight months. Every time I think I am getting close to getting help, I get the wool pulled over my eyes. I ran the GMER log earlier today, there were over 300 pages; I ran the same scan about an hour ago (9kbs). So the virus/hacker knows what I am up to. I say this also because I ran GMER's MBR scan. Right after that, I ran the GMER scan; on the GMER scan, it stated under the kernel code section "? local\docume\mbr\", in other words, someone was trying to find the document that I saved under mbr. I have reason to believe that part of the problem is hiding there, and the other 3/4 of my problem is in the registry. Out of all the scans I have done on my system, these scans have to be bootable disk, because whatever I have has a good grip on my system. Spybot Search and Destroy was the only scanner that had acknowledged what I knew I had in my system.
Someone/something is using S-1-5-18, S-1-5-19, S-1-5-20, and S-1-5-21 in my registry under HKEY_USERS and has given themselves permission on a run of the mill on my computer. I have tried to get Microsoft to help me; it's beyond their scope. I really need help; five days from now, my computer will probably be down. Whatever I have likes to play with me, and lets me know I cannot use the internet, because it will not accept my wireless. It does the same thing with my printer. If I am printing something that deals with antivirus, or just to try to correct the problem I am having, this job has the lowest priority. Three days ago, I was printing 45 pages of a manual for my motherboard on one of my four computers that are down from this problem. It took me about eight hours to print that manual. I was printing a line, maybe two lines, every four to five minutes. So, please, I need help. I have the logs saved as requested and CD player enumerated. My luck, I really doubt if you'll get this message. Thank you! I hope I hear from someone.


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 28 April 2012 - 07:48 PM

Hello and welcome to BleepingComputer! :)



I am Elle and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are used to identify the possible threats present on your system so I will analyze the results they produce.


As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed, so we need to get a clear look at that aspect. DO NOT bring any changes to the system except the ones I tell you to, as that may produce more damage than helping us.

If you will encounter a delay of over 2 days from me, please don't hesitate and private message me (link in the signature).
Do not forget to check your topic periodically and subscribe to it so that you can receive notifications regarding my replies.



Please generate another DDS log (download it from here if you haven't already) and post it in your next reply along with other changes that may have occurred since you last posted.
Also download and run GMER from this link: GMER download link.



Thank you very much for your patience.




Regards,

Elle

Edited by Blind Faith, 28 April 2012 - 07:51 PM.

Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.


#3 rangerray

rangerray
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:Las Vegas, NV

Posted 29 April 2012 - 12:20 AM

Hello, it is great to hear from someone. First, when I wrote this post, I forgot to put what operating system I was using. I just deleted the old logs for GMER, and I am not sure if it does state the operating system. I believe I was running Windows XP Professional when I sent the forum my logs (GMER & DDS). I can tell when I installed this Windows XP Professional, a lot of my problems went away. I still have all S-1-5-18 through S-1-5-21_class. Except I noticed this time, they did not give themselves access to the whole operating system, as they have done on Windows XP Home Basic. Another thing I noticed in Local Security Settings, their icon has a lock, stating it's password controlled. Usually, I try to access it, and I am never allowed. I have had access and was reading some of their information. And last but not least, I don't know if the (?) whoever is doing this to me. I tried activating my operating system, and the phone response is stating it can not identify it. It's not a bootleg disk. Usually when things are going my way, which does not happen too much, the virus/hacker will make something wrong so I can change my operating system. I am not changing this operating system at this time. I have read some different postings, and understand. From today on, I will not make any changes unless you request me to. I am attaching these additional logs. I ran a scan when I started writing this. I'll run another one, so I'll have two of each; the times will be different. Thank you very much, you made me a happy man. :thumbsup: I did another scan of DDS. I am afraid if I do another GMER scan, I'll end up losing you; the page gets lost, I get disconnected. Hope to hear from you soon!

Attached Files



#4 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 30 April 2012 - 06:44 AM

Hi there,



Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.





Elle

#5 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 03 May 2012 - 10:06 AM

Hi there,



Do you still need help? Have you resolved your problem?




Elle

#6 rangerray

rangerray
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:Las Vegas, NV

Posted 04 May 2012 - 10:02 PM

Sorry I haven't replied sooner. A few days ago, I had some problems with Windows XP Professional. I was running an antivirus scan; I used the icon in the bottom right hand corner of my desktop. Well, I wanted to check progress, so I went down to the same corner and right-clicked it; the window did not want to open. So I went to my desktop and opened it up by right-clicking. My antivirus showed it had never opened up and started. Didn't think anything about it, so I started a scan. Not 10 minutes after I started the scan using the lower right hand corner icon, a dialog box appeared stating "no infections found", while I had the same antivirus box opened, watching it go through its scanning, and it had already detected 5 threats, which after the scan I was unable to correct. So I opened up my registry and found that my S-1-5-21 file had control of the antivirus. So I downloaded Avira antivirus, disabling AVG. Once Avira was functional, I started a scan and began to uninstall AVG. The S-1-5-21 file would not allow me to uninstall it. So now comes the kicker: I got pissed, went into the registry and started deleting a bleep load of the "S" files. I knew I would not be able to get back in. So I did a new install, except this time I used Windows Vista Home Basic; it's still the same. I still have the "S" files. Before I downloaded Vista, I downloaded Active Kill Disk and attempted to delete/erase my MBR. I couldn't, but one thing for sure, Active Kill Disk did show that something is in the MBR. I just don't know how to handle it. I am sorry, I let you down, because I stated I would not download anything. I don't even get warnings that my antivirus needs to be installed, any type of warnings. I looked at my events, the warnings. There's nothing I can do about it. Give me guidance, please. I will not use TDSSKiller until you read this.
To let you know, about a month ago, I made my own rescue disk; it's sort of like Ultimate or Hiren's, minus some of their material, and I added some ISO bootable scans I have on disk, also in my Documents folder. Just about 40 minutes ago, I used HijackThis, ran a scan and saved the log. Also, I downloaded and installed all updates, to include Service Pack 1 & 2 for Vista. But the way I am reading my event logs, in Applications, someone is or did prevent the service packs from downloading, saying not compatible for this system.

Edited by rangerray, 04 May 2012 - 10:07 PM.


#7 rangerray

rangerray
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:Las Vegas, NV

Posted 05 May 2012 - 12:59 AM

Attached file: attach Safe Mode.txt

Here's some additional information. After I wrote the last post earlier today, I downloaded Defogger, DDS & GMER. Disabled my CD enumerator, ran a DDS & GMER scan. Except I accidentally forgot that I was in safe mode at the time. Long story short, I ran Microsoft's SDK tools; as I started the running portion after downloading and saving, the scan stopped stating my Windows Installer could not be found. I went to Services; Windows Installer was stopped. I put it on automatic, taking it off manual, and then tried to restart. It would not restart. So I sent a report to Microsoft. I then saw some information that caught my eye in Microsoft's forums. I started opening up some of the forums. I saw one that was similar to my problem, except that it was 8 years ago. I was also reading about a worm/virus? called W32.hllw.shower.l.html that also resembles what I have. Then I started reading how to fix "cannot find server or DNS" on a how-to site. I was just reading the information, kept getting a dialog box stating "cannot open Internet Explorer, etc., etc., must close". So I would hit the top right hand X box to close, instead of the box down below. The page never closed, so I continued to read, kept getting the same dialog box, I kept closing the same way and kept reading. So I guess the "S" file got upset, because the next thing you know, the page I was reading kept opening up so fast; every time I kept closing one, three or four more of the pages kept appearing. Until finally I had too many, that the page would tell Internet Explorer (25), etc. So I could not close them fast enough. I had to Ctrl-Alt-Del; it still would not close. So I held the power button in till the system shut down, waited about 15 minutes, restarted and went to safe mode with networking. Anyway, did scans in safe mode and regular mode. They are attached to this post.
I also have a report from Microsoft's SDK if you or someone would like to review it. I also saved 19 events from my logs, if anyone is interested. I also ran the TDSSKiller scan as requested. TDSSKiller version 2.7.34.0 by Kaspersky; I ran it at 8:54 Pacific time, the duration of the scan was 2.24 minutes, 347 objects were scanned, 1 threat found, suspicious object, medium risk; I placed it in quarantine. Closed the scan; the report was downloaded for me to save. Looked around to see if there was something I needed to push, hit, whatever to save the report, but there was nothing for me. That is why I wrote the information and am writing the results to you. It did show a report, but I could not save it. I even tried to copy and paste. The system would not allow me to. I marked the logs safe mode & regular mode. If you're interested in the events, let me know and I will forward them. I also have the HijackThis log, which shows a discrepancy in their log. Sorry, the TDSSKiller medium risk object is WSWNA1100, certificate not signed, suspicious activity. HijackThis stated something about my WNA1100 opening up global. It has something to do with my wireless adapter.

Attached files: gmer Safe Mode.log, DDS Regular Mode.txt, dds Safe Mode.txt, Gmer Regular mode.log, Attach Regular Mode.txt

Edited by rangerray, 05 May 2012 - 01:00 AM.


#8 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 06 May 2012 - 09:43 AM

Hi there,


Please refrain from making further changes, and do not panic whenever something seems wrong. We are here to help you.



We need to see where your TDSSKiller log is. Please download TDSS Qlook on your desktop by clicking the following link.

Open TDSSQlook.exe and you will see two options: A (Scan) and B (Fix). Select A and wait for the scan to finish. A log should be created. Please copy/paste it within your next reply.




Elle

#9 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 08 May 2012 - 03:33 PM

Hi there,



Do you still need help? Have you solved your problem? Please let us know.





Elle

#10 rangerray

rangerray
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:Las Vegas, NV

Posted 09 May 2012 - 02:35 PM

Attached file: Gmer.log

Hello everyone! No, I have not corrected my problem, and yes, I still need help. I have not gotten to you because my brother was in town. He has some experience with computers; he went to ITT. Anyway, he reinstalled Windows Vista. He used a site called Gizmo's Freeware, which asks you a few questions you answer, then it gives you recommendations on how to proceed. He has installed some different programs I was unaware of. But no matter what, I still have my uninvited guests. The only other problem is, at least now, my system is acknowledging whether my updates are being installed or not. Not like before: I could download & install updates, but the system was not identifying whether they were being installed or failing. This time I am now aware of what is happening with my updates. My brother downloaded TDSSKiller a few days ago. I enclose the threat text file from that initial scan that day. Today is actually my first time on the computer since May 6, 2012. So no more changes, adding or deleting programs. I had to give my brother a shot in the dark. So I will install Defogger, disable my CD enumerator, save and run DDS & GMER. I am running a scan of GMER; Comodo firewall blocked DDS, a virus attempting to enter my system along with DDS; the download was taking a little bit too long. After GMER finishes its scan, I'll attempt another DDS download. This GMER scan is sweet, more than two pages long, instead of the 1/2 page I have been sending you. Tried to download DDS again; Comodo keeps identifying that file as a threat. Recommendations please!

Attached file: threat.txt

#11 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 10 May 2012 - 10:27 AM

Please follow the instructions listed above as well!

Disable your Antivirus/firewall protection as they interfere with the scans.





Elle

Edited by Blind Faith, 10 May 2012 - 10:31 AM.


#12 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 13 May 2012 - 05:23 AM

Hi there,

Do you still need help?



Elle

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • Gender:Female
  • Location:Romania

Posted 16 May 2012 - 08:14 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
