

Malwarebytes & TDSSKiller won't run.


  • This topic is locked
13 replies to this topic

#1 James_990

  • Members

Posted 02 October 2012 - 01:27 PM

One of our user's computers at work appears to have several infections, so I attempted to update/download Malwarebytes and I am receiving an "Access is denied" error. I did a little research and a lot of what I discovered suggested installing TDSSKiller which, I've also used in the past; however, it will not run. I saved the .exe file to the desktop, tried renaming it (such as 123abc.com) and it still will not run. I just downloaded and ran RKill hoping that I could then get at least one of the other programs to run and I'm still in the same boat. If anyone has any suggestions I'd greatly appreciate it.

Edited by hamluis, 02 October 2012 - 03:55 PM.
Moved from Am I Infected to Malware Removal Logs - Hamluis.




#2 Maurice Naggar

    Eradicator de malware


  • Malware Response Team

Posted 02 October 2012 - 01:41 PM

Hello James,

If you still cannot run any EXE utilities, and if this system is running either Vista or Windows 7 / 8, then do this:


For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 James_990

  • Topic Starter

  • Members

Posted 02 October 2012 - 01:44 PM

I should mention that this is an XP machine. We are planning on updating to Windows 7 but until then, we need to get it cleaned.

#4 Maurice Naggar

    Eradicator de malware


  • Malware Response Team

Posted 02 October 2012 - 02:33 PM

Are you logged in with an administrator-rights account? Are you the sys admin? If not, please do make sure you have contacted your corporate help desk! Make sure your management is aware of this incident and that corporate and/or client information may be at risk.
Get the system administrator to consider rebooting into Safe Mode or Safe Mode with Networking and then running Rkill / TDSSKILLER from there.

Edited by Maurice Naggar, 02 October 2012 - 02:33 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 James_990

  • Topic Starter

  • Members

Posted 02 October 2012 - 02:34 PM

Yes I am logged in as the administrator and have already tried running in safe mode with networking.

#6 James_990

  • Topic Starter

  • Members

Posted 02 October 2012 - 02:43 PM

narenxp,

The aswMBR download would not run. I was able to download the ESET online scanner and run that. Below are the contents of the text file:


E:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MR5DBI3U\DownloadManagerSetup[1].exe a variant of Win32/InstallCore.AW application cleaned by deleting - quarantined
E:\Documents and Settings\USER\Local Settings\Temp\A10646A9-BAB0-7891-93B8-263663E92915\MyBabylonTB.exe Win32/Toolbar.Babylon application cleaned by deleting - quarantined
E:\Documents and Settings\USER\Local Settings\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe Win32/Toolbar.Babylon application cleaned by deleting - quarantined
E:\Documents and Settings\USER\Local Settings\Temp\F2B11314-BAB0-7891-8BB4-BC9572E09F4F\MyBabylonTB.exe Win32/Toolbar.Babylon application cleaned by deleting - quarantined
E:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0U43RYVF\kitty-goes-crazy-for-laser[1].txt HTML/ScrInject.B.Gen virus deleted - quarantined
E:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RBXYS2O6\cse[1].htm HTML/Iframe.B.Gen virus deleted - quarantined
E:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Z17M7VPE\cat-and-dolphin-playing-together[1].txt HTML/ScrInject.B.Gen virus deleted - quarantined
E:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarApp.dll a variant of Win32/Toolbar.Babylon application cleaned by deleting - quarantined
E:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarEng.dll Win32/Toolbar.Babylon application cleaned by deleting - quarantined
E:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarsrv.exe probably a variant of Win32/Toolbar.Babylon application cleaned by deleting - quarantined
E:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll Win32/Toolbar.Babylon application cleaned by deleting - quarantined
E:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll Win32/Toolbar.Babylon application cleaned by deleting - quarantined
E:\Program Files\I Want This\I Want This.dll a variant of Win32/Toolbar.CrossRider.A application cleaned by deleting - quarantined
E:\Program Files\Windows Savevid Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application cleaned by deleting (after the next restart) - quarantined
E:\Program Files\Windows Savevid Toolbar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
E:\Program Files\Windows Savevid Toolbar\Datamngr\IEBHO.dll probably a variant of Win32/Toolbar.SearchSuite application cleaned by deleting (after the next restart) - quarantined
E:\RECYCLER\S-1-5-18\$23cf99aee06edcf4054cb6956554bcdc\n Win32/Sirefef.EV trojan cleaned by deleting (after the next restart) - quarantined
E:\RECYCLER\S-1-5-18\$23cf99aee06edcf4054cb6956554bcdc\U\00000004.@ Win32/Conedex.D trojan cleaned by deleting - quarantined
E:\RECYCLER\S-1-5-18\$23cf99aee06edcf4054cb6956554bcdc\U\00000008.@ Win32/Sirefef.FG trojan cleaned by deleting - quarantined
E:\RECYCLER\S-1-5-18\$23cf99aee06edcf4054cb6956554bcdc\U\000000cb.@ Win32/Conedex.E trojan cleaned by deleting - quarantined
E:\RECYCLER\S-1-5-18\$23cf99aee06edcf4054cb6956554bcdc\U\80000000.@ a variant of Win32/Sirefef.FA trojan cleaned by deleting - quarantined
E:\RECYCLER\S-1-5-18\$23cf99aee06edcf4054cb6956554bcdc\U\80000032.@ probably a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
Operating memory probably a variant of Win32/Sirefef.FD trojan

Edited by James_990, 02 October 2012 - 02:44 PM.


#7 Maurice Naggar

    Eradicator de malware


  • Malware Response Team

Posted 02 October 2012 - 02:43 PM

You should consider doing a wipe & re-image from the most recent image backup. That is the safest & surest way to get this back in shape, because there is no one- or two-bullet type app that will clear this infection.



The longer way, if you can manage it, is to download the tool(s) from a clean PC, put them on a CD, DVD or new USB flash drive, and then transport them to the problem PC.

You can also try renaming the tools as you download them, to something like Gazork.com, etc.

  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or
    >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Do NOT press any Fix button.
  • Exit/Close RogueKiller



~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#8 Maurice Naggar

    Eradicator de malware


  • Malware Response Team

Posted 02 October 2012 - 02:45 PM

Backdoor trojan warning: ZeroAccess / Sirefef
This system has some serious backdoor trojans: ZeroAccess / Sirefef.


This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
You are strongly advised to do the following immediately.
1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.
2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.
3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (remote access trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.
* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh.
While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan
Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx
Consumers Identity Theft http://www.ftc.gov/b...mers/index.html
When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack http://www.microsoft...tip/st1005.mspx
Help: I Got Hacked. Now What Do I Do? http://www.microsoft...gmt/sm0504.mspx
Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft...gmt/sm0704.mspx
Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com...,1945808,00.asp

Let us know what you decide.


Edited by Maurice Naggar, 02 October 2012 - 03:01 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
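Added example (my own code, not from the thread or any tool named in it): a small Python triage script for the ESET log format James posted in #6, which separates the toolbar/PUA noise from the Sirefef/ZeroAccess backdoor hits behind Maurice's re-image advice in #8. The sample lines are copied from the log above; the family list and the RECYCLER path pattern are my assumptions drawn from that log.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the ESET log posted above (post #6); not the whole log.
SAMPLE_LOG = """\
E:\\Program Files\\BabylonToolbar\\BabylonToolbar\\1.5.3.17\\BabylonToolbarEng.dll Win32/Toolbar.Babylon application cleaned by deleting - quarantined
E:\\RECYCLER\\S-1-5-18\\$23cf99aee06edcf4054cb6956554bcdc\\n Win32/Sirefef.EV trojan cleaned by deleting (after the next restart) - quarantined
E:\\RECYCLER\\S-1-5-18\\$23cf99aee06edcf4054cb6956554bcdc\\U\\80000000.@ a variant of Win32/Sirefef.FA trojan cleaned by deleting - quarantined
Operating memory probably a variant of Win32/Sirefef.FD trojan
"""

# Line layout: <path> [probably] [a variant of] <Platform/Family.Variant> <kind> [<action>]
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:probably\s+)?(?:a variant of\s+)?"
    r"(?P<name>[A-Za-z0-9]+/[A-Za-z0-9.]+)\s+"
    r"(?P<kind>application|virus|trojan)(?:\s+(?P<action>.*))?$"
)
# Hidden drop folder seen in the log for ZeroAccess/Sirefef: RECYCLER\S-1-5-18\$<32 hex>\ (assumption)
ZA_PATH_RE = re.compile(r"\\RECYCLER\\S-1-5-18\\\$[0-9a-f]{32}\\", re.IGNORECASE)
# Families the thread calls backdoor trojans (Sirefef is ESET's name for ZeroAccess).
BACKDOOR_FAMILIES = {"Sirefef", "ZeroAccess"}

@dataclass
class Detection:
    path: str
    name: str    # e.g. Win32/Sirefef.EV
    kind: str    # application | virus | trojan
    action: str  # '' when nothing was cleaned (the in-memory hit)

    @property
    def family(self) -> str:
        return self.name.split("/", 1)[1].split(".", 1)[0]

def parse_log(text: str) -> list[Detection]:
    # One Detection per parseable line; anything else (headers, blanks) is skipped.
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Detection(m["path"], m["name"], m["kind"], m["action"] or ""))
    return out

def triage(dets: list[Detection]) -> dict:
    # Backdoor families, the hidden RECYCLER folder, or a live in-memory hit => re-image.
    backdoors = [d for d in dets if d.family in BACKDOOR_FAMILIES or ZA_PATH_RE.search(d.path)]
    in_memory = [d.name for d in dets if d.path.lower() == "operating memory"]
    return {
        "reimage": bool(backdoors or in_memory),
        "backdoor_families": sorted({d.family for d in backdoors}),
        "in_memory": in_memory,
        "pending_restart": [d.path for d in dets if "after the next restart" in d.action],
        "pua": sorted({d.name for d in dets if d.kind == "application"}),
    }
```

Pointing `parse_log` at the full ESET log from #6 gives the same verdict: the toolbars are cleanup noise, while the Sirefef hits in RECYCLER and in memory are what make the wipe the safe call.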

#9 James_990

  • Topic Starter

  • Members

Posted 02 October 2012 - 02:46 PM

Also, here is the log from the Listparts download:


ListParts by Farbar Version: 25-09-2012
Ran by Administrator (administrator) on 02-10-2012 at 15:45:52
Windows XP (X86)
Running From: E:\Documents and Settings\Administrator\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 35%
Total physical RAM: 3062.34 MB
Available physical RAM: 1984.88 MB
Total Pagefile: 4952.86 MB
Available Pagefile: 4106.57 MB
Total Virtual: 2047.88 MB
Available Virtual: 2001.98 MB

======================= Partitions =========================

1 Drive e: () (Fixed) (Total:298.09 GB) (Free:271.71 GB) NTFS ==>[Drive with boot components (Windows XP)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 298 GB 32 KB
======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 E NTFS Partition 298 GB Healthy System (partition with boot components)
======================================================================================================

****** End Of Log ******

#10 narenxp

  • BC Advisor

Posted 02 October 2012 - 03:36 PM

Follow the instructions of Maurice Naggar

#11 James_990

  • Topic Starter

  • Members

Posted 02 October 2012 - 03:51 PM

Thank you everyone.

#12 Maurice Naggar

    Eradicator de malware


  • Malware Response Team

Posted 03 October 2012 - 05:49 AM

James,

Please advise on what you decided. Cheers.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#13 James_990

  • Topic Starter

  • Members

Posted 04 October 2012 - 08:50 AM

We've decided to play it safe and wipe the computer. Thanks again everyone!

#14 Maurice Naggar

    Eradicator de malware


  • Malware Response Team

Posted 04 October 2012 - 12:05 PM

You're most welcome. Thank you for the status update. I wish you well.
Cheers.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
