
'File Removal' malware


14 replies to this topic

#1 bruce_C

Posted 09 September 2012 - 11:56 AM

I'm infected with some nasty malware and I'm having a hard time getting rid of it. Not sure how or where I got infected. I'm usually very careful.

I'm not sure what this particular malware is called, but I get the pop ups warning me that my hard drive has failed and it hides all my files.

I am running in safe mode now.

I've tried to fix this myself by following some of the suggestions on the forums, but now I'm stuck. I've run RKILL and unhide. I've also scanned with Malwarebytes Anti-Malware (found some entries, but when I boot normally, the nasty program is still there). I've tried to run TDSSKILLER.EXE, but I get no response. The program seems to start, but it goes away without opening any dialog boxes or GUIs. I have tried renaming it. No luck.

I found the .exe's for file removal and deleted them just now. I also emptied the recycle bin. I ran RKILL again after they were deleted. I still can't get TDSSKILLER to run, so I'm pretty sure I'm not out of the woods.

I've run GMER, DDS, and Defogger, but I don't want to clog the forum up with unasked-for logs.

I should also report that I'm using 64-bit Windows 7 and the malware probably came to me through Mozilla somehow.

Edited by bruce_C, 09 September 2012 - 12:00 PM.




#2 narenxp

Posted 09 September 2012 - 12:05 PM

Download aswMBR

Launch it, allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here.

Download ESET online scanner

Install it.

Click on START; it should download the virus definitions.
When the scan gets completed, click on LIST of found threats.

Export the list to desktop, copy the contents of the text file in your reply.

Download Listparts from here

For 32 bit: List parts 32

For 64 bit: List parts 64

Launch it, click on SCAN, post the log.

#3 bruce_C

Posted 09 September 2012 - 12:14 PM

I downloaded them, but when I run the applications (i.e. aswMBR), nothing happens. Is this because I'm in safe mode?

#4 narenxp

Posted 09 September 2012 - 12:16 PM

It is because your MBR is infected. Move on to the next step.

#5 bruce_C

Posted 09 September 2012 - 01:31 PM

Eset Log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=9e96ca831396a54e8af4ac1e482e739a
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-09-09 06:08:35
# local_time=2012-09-09 12:08:35 (-0700, Mountain Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 66 94 10163501 98755067 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=161773
# found=5
# cleaned=5
# scan_time=2498
C:\Users\BClegg\AppData\Local\Temp\DirectX11_update.exe a variant of Win32/Kryptik.ALPC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\BClegg\AppData\Local\Temp\EF0F.tmp a variant of Win32/Kryptik.ALPC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\BClegg\AppData\Local\Temp\WUPHqMQUXizARY.exe a variant of Win32/Kryptik.ALPC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\BClegg\AppData\Local\{D82EE8A4-F837-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\BClegg\AppData\Roaming\clint.dll a variant of Win32/Medfos.DH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251

next step coming...

#6 bruce_C

Posted 09 September 2012 - 01:33 PM

results.txt from listparts 64:

ListParts by Farbar Version: 10-08-2012
Ran by BClegg (administrator) on 09-09-2012 at 12:32:21
Windows 7 (X64)
Running From: C:\Users\BClegg\Downloads
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 33%
Total physical RAM: 4002.05 MB
Available physical RAM: 2664.2 MB
Total Pagefile: 8002.3 MB
Available Pagefile: 6912.58 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:278.45 GB) (Free:128.98 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 100 MB 1024 KB
Partition 2 Primary 19 GB 101 MB
Partition 3 Primary 278 GB 19 GB
Partition 4 Primary 10 MB 298 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Recovery NTFS Partition 19 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 278 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================

****** End Of Log ******

#7 narenxp

Posted 09 September 2012 - 07:49 PM

Download TDSS fix

Do not update; click on CONTINUE and scan it.

It should find a rootkit. Restart the PC and run the latest version of TDSSkiller and post the new log.

#8 bruce_C

Posted 10 September 2012 - 12:38 AM

I run TDSS fix; it discovers the rootkit. I choose 'cure', reboot the PC (still in safe mode), then I try to run TDSSkiller and I get nothing. The application appears to start but a few moments later it dies. If I run the TDSS fix again, it shows the rootkit still in place. I also tried quarantining the rootkit, with the same results.

#9 narenxp

Posted 10 September 2012 - 02:06 AM

Restart the PC

Press F8 on bootup

Select REPAIR YOUR COMPUTER

Click on REPAIR

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Can you get to this screen?

If yes

Select command prompt and run these commands

diskpart
select disk 0
select partition 4
inactive

select disk 0
select partition 2
active


Now restart the PC and run TDSSkiller again
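The ListParts log in post #6 and the diskpart fix just given, as an added example that is not part of this thread: a Python script that parses a ListParts log, flags an active partition that has no mountable volume (partition 4 above: type 17, hidden, active, 10 MB at the end of the disk), and derives the same diskpart commands the advisor gave. The log excerpt is constructed from the values posted above, and the line layout the parser expects is my assumption about ListParts output.

```python
import re

# Constructed excerpt of a ListParts (Farbar) log, using the values posted above
# (only the System partition and the suspicious partition 4 are included).
SAMPLE_LOG = """\
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
* Volume 1 Recovery NTFS Partition 19 GB Healthy System (partition with boot components)
======
Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes
There is no volume associated with this partition.
"""
BLOCK = re.compile(r"Disk:\s*(\d+)\s*Partition\s+(\d+)\s*Type\s*:\s*([0-9A-Fa-f]{2})")

def parse_listparts(text):
    """One dict per 'Disk: N / Partition M' block of a ListParts log (assumed layout)."""
    parts = []
    for block in re.split(r"\n=+\n", text):
        m = BLOCK.search(block)
        if m:
            parts.append({"disk": int(m.group(1)), "number": int(m.group(2)),
                          "type": int(m.group(3), 16),  # MBR partition type byte
                          "hidden": "Hidden: Yes" in block,
                          "active": "Active: Yes" in block,
                          "has_volume": "no volume associated" not in block,
                          "system": "System (partition with boot components)" in block})
    return parts

def find_suspicious(parts):
    """Active partitions with no mountable volume: the boot flag points at a slice
    of disk Windows cannot read, which is how a bootkit's hidden partition looks."""
    return [p for p in parts if p["active"] and not p["has_volume"]]

def diskpart_script(parts):
    """The advisor's diskpart fix derived from the log: clear the active flag on
    each suspicious partition, then set it on the partition holding boot components."""
    cmds = []
    for p in find_suspicious(parts):
        cmds += [f"select disk {p['disk']}", f"select partition {p['number']}", "inactive"]
    for p in parts:
        if p["system"]:
            cmds += [f"select disk {p['disk']}", f"select partition {p['number']}", "active"]
    return cmds
```

Run `parse_listparts` on a full ListParts log and feed the result to `diskpart_script`; the output is what gets typed at the recovery Command Prompt, one line at a time, after `diskpart`.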

#10 bruce_C

Posted 10 September 2012 - 09:23 AM

It hangs on 'Windows is loading files...'

It has been about 10 minutes - doesn't look like it is going forward. How long should I wait?

#11 narenxp

Posted 10 September 2012 - 09:27 AM

Did this happen after running the commands?

Did you reach the recovery screen?

#12 bruce_C

Posted 10 September 2012 - 09:30 AM

I never made it to the recovery screen. F8 gets me to the advanced boot options, where I have been choosing 'safe mode'.

#13 narenxp

Posted 10 September 2012 - 09:31 AM

Do you have your Windows 7 DVD?

If yes can you insert it and try the steps again?

#14 bruce_C

Posted 10 September 2012 - 09:33 AM

I don't have the DVD. The PC was shipped to me without one.

#15 narenxp

Posted 10 September 2012 - 09:35 AM

No problem. We have other ways to remove this rootkit.

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck



