malware take over


13 replies to this topic

#1 firemanjonny

  • Members
  • 39 posts

Posted 15 September 2012 - 10:12 AM

Apparently I've been taken over. Essentials didn't catch something 2 days ago. Downloaded what appeared to be a regular Toshiba update (Toshiba computer). Now IE is redirected to something like "click.get-results". Also, periodically advertisements run in the background whether using IE or not, with no picture, only sound. At startup, "catalyst host" gets an error message. Tried Malwarebytes, trial, it picked up "PUM.Hijack.StartMenu". After removing, there has been no change. I've even tried to go back through the restore option, to a month ago. No change. Sneaky bastards got me. Any advice, besides using my laptop as a wheel chock? I'm obviously a novice, but help would be greatly appreciated!!! Oh, I have done a bit of reading on the subject, was suggested to go into my computer, look at program list/updates. Tried to find something that stuck out, but all kinda looks the same to me. Security update starting with KB? like 200 of them. I am an idiot.

Edited by hamluis, 15 September 2012 - 10:50 AM.
Moved from Win 7 to Am I Infected - Hamluis.




#2 firemanjonny

  • Topic Starter
  • Members
  • 39 posts

Posted 15 September 2012 - 10:16 AM

OH PS! This is the MBAM log? I think?



Protection: Enabled

9/14/2012 8:55:33 PM
mbam-log-2012-09-14 (20-55-33).txt

Scan type: Full scan (C:\|Q:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 458920
Time elapsed: 1 hour(s), 36 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#3 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 15 September 2012 - 10:20 AM

Download

TDSSkiller

Launch it. Click on change parameters - Select TDLFS file system

Click on "Scan". Please post the LOG report (log file should be in your C drive)

Do not change the default options on scan results

Download

aswMBR

Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan. After scan finishes, click on Save log

Post the log results here

Download

ESET online scanner

Install it

Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats

Export the list to desktop, copy the contents of the text file in your reply

#4 firemanjonny

  • Topic Starter
  • Members
  • 39 posts

Posted 15 September 2012 - 10:40 AM

Here is the first scan - Malwarebytes Chameleon

Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.15.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Owner :: OWNER-PC [administrator]

Protection: Disabled

9/15/2012 10:32:04 AM
mbam-log-2012-09-15 (10-32-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 248740
Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#5 firemanjonny

  • Topic Starter
  • Members
  • 39 posts

Posted 15 September 2012 - 11:11 AM

ADWARE CLEANER


# AdwCleaner v2.001 - Logfile created 09/15/2012 at 11:07:38
# Updated 09/09/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Owner - OWNER-PC
# Boot Mode : Normal
# Running from : C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2CTC3W6H\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\ProgramData\Ask
Folder Found : C:\ProgramData\Partner
Folder Found : C:\Users\kids\AppData\LocalLow\AskToolbar

***** [Registry] *****

Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\Zugo
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}
Key Found : HKLM\SOFTWARE\Software
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{9D425283-D487-4337-BAB6-AB8354A81457}]
Value Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{9D425283-D487-4337-BAB6-AB8354A81457}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v11.0 (en-US)

Profile name : default
File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\7pur6pmu.default\prefs.js

Found : user_pref("browser.search.order.1", "Ask.com");
Found : user_pref("browser.search.selectedEngine", "Ask.com");

*************************

AdwCleaner[R1].txt - [1551 octets] - [15/09/2012 11:07:38]

########## EOF - C:\AdwCleaner[R1].txt - [1611 octets] ##########

#6 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 15 September 2012 - 11:22 AM

Follow my instructions :)

#7 firemanjonny

  • Topic Starter
  • Members
  • 39 posts

Posted 15 September 2012 - 11:59 AM

Yes sir, I am on it. ESET is currently running, 2 trojans found already, but it's taking forever. The other scanner, TDSS, will not start up for some reason? Essentials is shut down too.

#8 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 15 September 2012 - 01:49 PM

Download Listparts from here

For 64 bit

List parts 64

Launch it, click on SCAN, post the log

Edited by narenxp, 15 September 2012 - 01:49 PM.


#9 firemanjonny

  • Topic Starter
  • Members
  • 39 posts

Posted 15 September 2012 - 03:21 PM

ESET scan results

C:\Users\Owner\AppData\Local\Temp\89A8.tmp a variant of Win32/Kryptik.ALUA trojan cleaned by deleting - quarantined
C:\Users\Owner\AppData\Local\Temp\C3BB.tmp a variant of Win32/Kryptik.ALUA trojan cleaned by deleting - quarantined

#10 firemanjonny

  • Topic Starter
  • Members
  • 39 posts

Posted 15 September 2012 - 03:24 PM

Farbar scan


ListParts by Farbar Version: 15-09-2012
Ran by Owner (administrator) on 15-09-2012 at 15:22:28
Windows 7 (X64)
Running From: C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PXH7VK3
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 52%
Total physical RAM: 2806.86 MB
Available physical RAM: 1339.99 MB
Total Pagefile: 5611.92 MB
Available Pagefile: 3842.34 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (TI105949W0C) (Fixed) (Total:286.57 GB) (Free:194.21 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 286 GB 1501 MB
Partition 3 Primary 10 GB 288 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 System NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI105949W0C NTFS Partition 286 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================
==========================================================
TDL4: custom:26000022


****** End Of Log ******
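The ListParts log above is what tells the advisor this is a bootkit case: partition 3 is flagged "Suspicious Type", is hidden, owns no volume, and a TDL4 marker is printed. The Python below is an added example, not part of this thread or of Farbar's tool, that parses that log format and surfaces exactly those indicators so a helper can spot a hidden bootkit partition at a glance. The sample input is trimmed from the log posted above.

```python
import re
# Sample input: trimmed from the ListParts log posted above (partition 2 omitted).
SAMPLE_LOG = """\
Disk: 0
Partition 1
Type : 27
Hidden: Yes
* Volume 2 System NTFS Partition 1500 MB Healthy Hidden
======
Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
There is no volume associated with this partition.
======
TDL4: custom:26000022
"""

# One partition block: disk and partition numbers, type code, optional tool remark, hidden flag.
PART_RE = re.compile(r"Disk: (\d+)\s+Partition (\d+)\s+Type : (\w+)(.*)\s+Hidden: (\w+)")

def parse_partitions(log):
    """Split the log on the '====' separator lines and read one partition per block."""
    parts = []
    for block in re.split(r"^=+$", log, flags=re.M):
        m = PART_RE.search(block)
        if not m:
            continue
        parts.append({
            "disk": int(m.group(1)), "partition": int(m.group(2)),
            "type": m.group(3), "suspicious": "Suspicious" in m.group(4),
            "hidden": m.group(5) == "Yes", "has_volume": "no volume associated" not in block,
        })
    return parts

def find_indicators(log):
    """Return findings worth escalating: a type the tool flags, a hidden partition with no volume, or a TDL4 marker."""
    findings = []
    for p in parse_partitions(log):
        flags = []
        if p["suspicious"]:
            flags.append("type flagged suspicious")
        if p["hidden"] and not p["has_volume"]:  # a hidden recovery partition still owns a volume; this one does not
            flags.append("hidden with no volume")
        if flags:
            findings.append("Disk %d partition %d (type %s): %s" % (p["disk"], p["partition"], p["type"], ", ".join(flags)))
    m = re.search(r"^TDL4: (.+)$", log, re.M)
    if m:
        findings.append("TDL4 marker present: " + m.group(1))
    return findings
```

Partition 1 (the hidden but legitimate recovery partition that still owns a volume) is deliberately kept in the sample so the check does not fire on it.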

#11 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 15 September 2012 - 03:27 PM

We need advanced tools to remove this one

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here with logs

http://www.bleepingcomputer.com/forums/forum22.html

Good luck

#12 firemanjonny

  • Topic Starter
  • Members
  • 39 posts

Posted 15 September 2012 - 03:29 PM

aswMBR and TDSSkiller will not open to run?

#13 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 15 September 2012 - 03:36 PM

Check my previous instructions :)

#14 firemanjonny

  • Topic Starter
  • Members
  • 39 posts

Posted 15 September 2012 - 04:37 PM

I did try the tool kit with still no luck?



Trying to do the malware extraction guide things now.

Edited by firemanjonny, 15 September 2012 - 04:38 PM.




