Windows 7 infection


  • This topic is locked
6 replies to this topic

#1 rb1kenobi
  • Members
  • 3 posts

Posted 24 September 2012 - 01:22 PM

Help! I'm infected. Windows 7 32 bit.
Symptoms: plenty of drivers won't load properly - potentially a Sirefef!cfg virus but not sure.
Combofix found some junk. Also ran FRST - Logs attached.

Edited by rb1kenobi, 24 September 2012 - 01:23 PM.


#2 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 24 September 2012 - 09:17 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKU\mdillon\...\Run: [Windows Update Server] C:\Users\mdillon\8c3bd39_15ed.exe [x]
2 5613; \??\C:\Users\mdillon\AppData\Local\Temp\5613.sys [x]
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


NEXT


submit a file to virustotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right hand panel,
  • click on the file C:\Windows\System32\c_7265103.nls
  • then click the open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 rb1kenobi
  • Topic Starter
  • Members
  • 3 posts

Posted 25 September 2012 - 11:28 AM

After running the FRST tool, I was still unable to use the keyboard, so I had to boot into safe mode and copy the offending file to a USB stick.
Below are the results of fixlog.txt AND the virustotal analysis.

FIXLOG.TXT
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 24-09-2012 01
Ran by SYSTEM at 2012-09-25 10:00:42 Run:1
Running from D:\

==============================================

5613 service deleted successfully.

==== End of Fixlog ====


Virustotal scan of c_7265103.nls (from c:\windows\system32)


SHA256: e5fbe2443f88ed7850a9451abe6cd02a68a851ec6b0a7d5b59bed216efbbea86
SHA1: 236e8651aa80822095ab82f2ded6b19d2790aeed
MD5: 4d7e637c75c45eeb470e31cbbc312a6e
File size: 180.5 KB ( 184836 bytes )
File name: c_7265103.nls
File type: unknown
Detection ratio: 6 / 43
Analysis date: 2012-09-25 16:22:38 UTC ( 0 minutes ago )
Antivirus Result Update
Agnitum - 20120924
AhnLab-V3 - 20120925
AntiVir - 20120925
Antiy-AVL - 20120924
Avast Win32:RLoader-B 20120925
AVG - 20120925
BitDefender Trojan.Simda.B 20120925
ByteHero - 20120925
CAT-QuickHeal - 20120925
ClamAV - 20120924
Commtouch - 20120925
Comodo - 20120925
DrWeb - 20120925
Emsisoft - 20120919
eSafe - 20120924
ESET-NOD32 - 20120925
F-Prot - 20120925
F-Secure Trojan.Simda.B 20120925
Fortinet - 20120925
GData Trojan.Simda.B 20120925
Ikarus - 20120925
Jiangmin - 20120925
K7AntiVirus - 20120924
Kaspersky - 20120925
Kingsoft - 20120925
McAfee - 20120925
McAfee-GW-Edition Heuristic.BehavesLike.Exploit.CodeExec.O 20120925
Microsoft - 20120925
Norman - 20120925
nProtect Trojan.Simda.B 20120925
Panda - 20120924
PCTools - 20120925
Rising - 20120925
Sophos - 20120925
SUPERAntiSpyware - 20120911
Symantec - 20120925
TheHacker - 20120925
TotalDefense - 20120925
TrendMicro - 20120925
TrendMicro-HouseCall - 20120925
VBA32 - 20120925
VIPRE - 20120925
ViRobot - 20120925
Additional information
ssdeep
3072:Uud0UW0nLPSn/ay4lsdHTuHqdsi77SduUUpvWz7hx1WrV:90UWrnNBpQniczdUV
TrID
Targa bitmap (Original TGA Format) (38.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (38.8%)
MS Flight Simulator Aircraft Performance Info (22.2%)
First seen by VirusTotal
2012-09-25 16:22:38 UTC ( 1 minute ago )
Last seen by VirusTotal
2012-09-25 16:22:38 UTC ( 1 minute ago )
File names (max. 25)
c_7265103.nls
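The 6/43 result above is easier to read if the rows are parsed rather than eyeballed: the overall ratio is low, but four independent engines (BitDefender, F-Secure, GData, nProtect) agree on the same family name, which carries more weight than the ratio alone. The script below is an added example, not code from this thread or from VirusTotal; it parses the table exactly as pasted above (the rows in VT_TABLE are copied from the post), computes the detection ratio and tallies the family names. GENERIC_TOKENS and the family_of heuristic are my own assumptions, not VirusTotal's logic, and will misfile some vendor labels.

```python
"""Summarise a VirusTotal detection table as pasted in this thread.

Added example, not part of the thread and not VirusTotal code. It reads the
plain "Antivirus Result Update" rows (engine, result or "-", signature date),
computes the detection ratio and tallies which family the detecting engines
agree on. VT_TABLE is copied from the scan result posted above.
"""
import re
from collections import Counter

VT_TABLE = """\
Antivirus Result Update
Agnitum - 20120924
AhnLab-V3 - 20120925
AntiVir - 20120925
Antiy-AVL - 20120924
Avast Win32:RLoader-B 20120925
AVG - 20120925
BitDefender Trojan.Simda.B 20120925
ByteHero - 20120925
CAT-QuickHeal - 20120925
ClamAV - 20120924
Commtouch - 20120925
Comodo - 20120925
DrWeb - 20120925
Emsisoft - 20120919
eSafe - 20120924
ESET-NOD32 - 20120925
F-Prot - 20120925
F-Secure Trojan.Simda.B 20120925
Fortinet - 20120925
GData Trojan.Simda.B 20120925
Ikarus - 20120925
Jiangmin - 20120925
K7AntiVirus - 20120924
Kaspersky - 20120925
Kingsoft - 20120925
McAfee - 20120925
McAfee-GW-Edition Heuristic.BehavesLike.Exploit.CodeExec.O 20120925
Microsoft - 20120925
Norman - 20120925
nProtect Trojan.Simda.B 20120925
Panda - 20120924
PCTools - 20120925
Rising - 20120925
Sophos - 20120925
SUPERAntiSpyware - 20120911
Symantec - 20120925
TheHacker - 20120925
TotalDefense - 20120925
TrendMicro - 20120925
TrendMicro-HouseCall - 20120925
VBA32 - 20120925
VIPRE - 20120925
ViRobot - 20120925
"""

# Assumed list of words that name a type or platform rather than a family;
# they are skipped when a family name is extracted from a vendor label.
GENERIC_TOKENS = {"trojan", "win32", "w32", "heuristic", "behaveslike",
                  "exploit", "generic", "malware", "virus", "backdoor", "worm"}


def parse_vt_table(text):
    """Return (engine, result_or_None, signature_date) for every engine row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not re.fullmatch(r"\d{8}", parts[2]):
            continue  # header or any other non-engine line
        engine, result, updated = parts
        rows.append((engine, None if result == "-" else result, updated))
    return rows


def detection_ratio(rows):
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for _, r, _ in rows if r), len(rows)


def family_of(result):
    """Best-effort family from a vendor label, e.g. 'Trojan.Simda.B' -> 'simda'."""
    for tok in re.split(r"[^A-Za-z0-9]+", result):
        if not tok or len(tok) <= 2 or tok.lower() in GENERIC_TOKENS:
            continue  # drop empty, variant-letter and type/platform tokens
        return tok.lower()
    return result.lower()


def family_consensus(rows):
    """Count how many detecting engines name each family."""
    return Counter(family_of(r) for _, r, _ in rows if r)


if __name__ == "__main__":
    rows = parse_vt_table(VT_TABLE)
    hits, total = detection_ratio(rows)
    print(f"detection ratio {hits}/{total}")
    for family, n in family_consensus(rows).most_common():
        print(f"  {family}: {n} engine(s)")
```

Run as-is it reports 6/43 with simda named by 4 engines and rloader and codeexec by one each; the same functions work on any other VirusTotal table pasted in this three-column form.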

#4 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 25 September 2012 - 11:48 AM

At what point did you lose the ability to use the keyboard?

See if you can find the first combofix log; it should be located at c:\qoobox\combofix3.txt

Did you run any other tools?


Make sure these files are present:

c:\windows\system32\drivers\i8042prt.sys

c:\windows\system32\DRIVERS\kbdclass.sys



#5 rb1kenobi
  • Topic Starter
  • Members
  • 3 posts

Posted 25 September 2012 - 12:09 PM

Sorry, the keyboard/mousepad issue was an issue from the get-go, which I perhaps mistakenly attributed to all the drivers not being able to load (in event viewer) when booting in normal mode.
In safe mode an EXTERNAL USB keyboard works, but not the built-in keyboard or mousepad (this is an HP laptop).

The files you asked about are indeed present:
i8042prt.sys and kbdclass.sys

I do not have a combofix3, just a combofix and a combofix2
(both attached), as well as the combofix-quarantined-files associated with combofix2.txt.
I've only run combofix and frst.

p.s. Thanks for your help so far!

Edited by rb1kenobi, 25 September 2012 - 12:10 PM.


#6 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 25 September 2012 - 09:37 PM

Let's check the Image path of the registry key and make certain it points to the correct file.

Please export this key:


Press the WinKey +R to open a run box, copy/paste the following command (it's one long command) into the run box and press OK:

regedit /e "%userprofile%\desktop\look.txt" "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\kbdclass"

A new file called look.txt should appear on your Desktop, please post the contents with your next response.

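Parsing the exported key makes the ImagePath comparison mechanical instead of reading look.txt by eye. The Python script below is an added example, not code from this thread or from regedit; it assumes the text format regedit /e writes (a "Windows Registry Editor Version 5.00" header, [key] sections, REG_DWORD as dword:, REG_EXPAND_SZ as hex(2): UTF-16LE byte lists wrapped with trailing backslashes, and UTF-16 file encoding). Both exports in it are constructed: one resembling a clean kbdclass key, one with ImagePath redirected into a user Temp folder in the same style as the 5613 service removed earlier in the thread. EXPECTED_IMAGEPATH is my assumption for the normal Windows 7 value; compare against a known-good machine of the same build before relying on it.

```python
"""Check a service's ImagePath from a `regedit /e` export such as look.txt.

Added example, not from the thread. Assumes the regedit /e text format. A
real look.txt is UTF-16 encoded, so read it with open(path, encoding="utf-16").
Both exports below are constructed samples.
"""
import re

# Assumed normal value; Windows writes it with or without a \SystemRoot\ prefix.
EXPECTED_IMAGEPATH = r"system32\DRIVERS\kbdclass.sys"

# Constructed: what a clean kbdclass key looks like after regedit /e.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\kbdclass]
"DisplayName"="@keyboard.inf,%kbdclass.SvcDesc%;Keyboard Class Driver"
"ErrorControl"=dword:00000001
"Group"="Keyboard Class"
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,\
  49,00,56,00,45,00,52,00,53,00,5c,00,6b,00,62,00,64,00,63,00,6c,00,61,00,73,00,\
  73,00,2e,00,73,00,79,00,73,00,00,00
"Start"=dword:00000001
"Type"=dword:00000001
'''


def encode_expand_sz(value):
    """Encode text the way regedit exports REG_EXPAND_SZ: hex(2): UTF-16LE bytes."""
    data = (value + "\0").encode("utf-16-le")
    return "hex(2):" + ",".join(f"{b:02x}" for b in data)


# Constructed: the same service with ImagePath redirected out of DRIVERS.
SUSPICIOUS_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n"
    + "[HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\Services\\kbdclass]\n"
    + '"ImagePath"=' + encode_expand_sz(r"\??\C:\Users\example\AppData\Local\Temp\x.sys")
    + "\n" + '"Start"=dword:00000001\n'
)


def _logical_lines(text):
    """Join regedit's backslash-continued lines into single logical lines."""
    buf = ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]  # continuation marker: keep accumulating
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def _decode_value(raw):
    """Turn a regedit value literal into a Python str, int or bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.fullmatch(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE text
            return data.decode("utf-16-le").rstrip("\0")
        return data
    return raw


def parse_export(text):
    """Return {key_path: {value_name: decoded_value}} for every key in the export."""
    keys, current = {}, None
    for line in _logical_lines(text.lstrip("\ufeff")):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, raw = line.partition("=")
        keys[current]["(Default)" if name == "@" else name.strip('"')] = _decode_value(raw)
    return keys


def _normalize(path):
    """Lower-case and drop a leading \\SystemRoot\\ or %SystemRoot%\\ prefix."""
    p = path.lower()
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        if p.startswith(prefix):
            return p[len(prefix):]
    return p


def check_image_path(keys, service="kbdclass", expected=EXPECTED_IMAGEPATH):
    """Return (ok, actual_image_path) for the service, or (False, None) if absent."""
    for key, values in keys.items():
        if key.lower().endswith("\\services\\" + service.lower()):
            actual = values.get("ImagePath")
            return isinstance(actual, str) and _normalize(actual) == _normalize(expected), actual
    return False, None


if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("suspicious", SUSPICIOUS_EXPORT)):
        ok, actual = check_image_path(parse_export(export))
        print(f"{label}: ImagePath={actual!r} -> {'OK' if ok else 'MISMATCH'}")
```

To use it on a real export, read look.txt with encoding="utf-16", pass the text to parse_export and then to check_image_path; a mismatch means the service is loading something other than the keyboard class driver from system32\DRIVERS and the file at the reported path is the one to hash and submit.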


#7 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 09 October 2012 - 09:12 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.





