
URGENT HELP, my PC is infected and I am terrified


2 replies to this topic

#1 xereeto

  • Members
  • 8 posts

Posted 04 October 2012 - 05:05 PM

Hi,

I was using ooVoo, the IM and VoIP client, which is not malware, but it has ads.

One of the ads simply said, "I love you but this is only for business". Without clicking anything, a (probably real) UAC notification pops up and tells me "Adobe Flash" by "Adobe Systems Incorporated" wishes to modify my system. Obviously I clicked "No", and it was then I knew something was fishy. Then another UAC notification pops up, again with Flash. I clicked "No" again, and then went to find out what was going on.

I opened task manager and I saw two processes, starting with tmp and then had a string of random numbers. I killed them both, which stopped the UAC notifications. All the while, Panda IS 2012 was giving me notifications telling me (temp) files had been detected and quarantined.

I ran a Panda quick scan, which told me cookies (*.txt), which it said were "Spyware Programs", were detected in {normal IE cookie directory}. I don't use IE, I use Chrome, so I was wondering why IE was involved. Every time I (quick) scanned, it detected more of these "Spyware Programs", coming from the same directory. I opened task manager again and I saw two IE processes open. I killed one, but it popped back up. I killed the other, which made both of them disappear, but then ~30 seconds later they both appear again.

"Bugger this :tvhorror: ", I thought, so I ran rkill to see what it would find. It found a few registry hijacks (I don't want to post the log because I'm told not to post logs here), and something about a corrupted recycle bin being a symptom of a rootkit. Instinctively (stupidly?) I opened the recycle bin and looked to see wtf was going on.

Sure enough Windows Explorer told me to empty the bin as it was corrupted. I emptied the Recycle Bin like it said (I had 1.8 GB of stuff there lol) and then the (empty) recycle bin opened as normal. I think the malware is hiding in $RECYCLE.BIN. Anyway, now scared bleepless, and 1.8GB of semi-deleted files down, I ran MBAM.

I ran a quick scan at first, which found 8 items, again not posting log because the sticky tells me not to, and they were mostly trojans and spyware. There was one memory module. I clicked "Remove All", and MBAM told me I needed to reboot. I was reluctant to do so, as I know that it is at logon that most malware runs, but I rebooted anyway and that's almost the point I'm at now.

It's worth mentioning that, while all this was going on, iexplore.exe kept popping up in taskmgr. I wanted to make sure it didn't run for very long, so I killed it each time. I snapped taskmgr to one side and MBAM to the other so I could baby-sit MBAM and kill any iexplores that pop up.

On to where I am now. I logged on, it took an unusual amount of time and the Windows alert sound chimed. I shat a brick, but then it was revealed that it was only Windows telling me my recycle bin is corrupt (again). I checked taskmgr, and it ran. I looked for any suspect processes, but I couldn't find any... except from the mother f :censored: ck ing IE (2 of) again. I killed both and waited like two minutes, and neither reappeared.

I wanted to make sure that I had no malware currently running, so I ran rkill again, and this time all it found was a registry hijack. I still got that rootkit warning though.

Frustrated :killcomp: and scared, I ran a MBAM full scan. I was going to baby-sit it and ensure any possible IEs were killed, but I realised that the scan would take too long, so I (stupidly?) left it to its own devices and went to another (linux, so the virus can't spread via network) PC downstairs, where I would post to BleepingComputer.

So that's where I am right now. I have no idea what state my PC is in, what MBAM detected, and what I've to do now. As stupid as it sounds, I don't want to go back upstairs and check. I know I have to, but to be honest I'm scared.

Sorry for the long story and rant :ranting:, TL;DR is below. But really, what should I do now?

TL;DR A flash ad infected my PC, I ran rkill and mbam, killed the processes etc, and now I don't know what to do. But I think I have a rootkit. I'm scared.



Thanks,

--xereeto


EDIT: This is the only thing of importance rkill gave me on second run:

Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!

     * HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
Nothing was found anywhere else.

Edited by xereeto, 04 October 2012 - 05:25 PM.




#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender: Male
  • Location: India

Posted 04 October 2012 - 05:29 PM

Download TDSSKiller.

Launch it. Click on "Change parameters" and select "TDLFS file system".

Click on "Scan". Please post the log report (the log file should be in your C drive).

Do not change the default options on scan results.

Download aswMBR.

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on "Save log".

Post the log results here. If you get crashes in normal mode, run it in Safe Mode with Networking.

Download the ESET online scanner.

Install it.

Click on START; it should download the virus definitions.
When the scan completes, click on "List of found threats".

Export the list to the desktop and copy the contents of the text file into your reply.

#3 xereeto

  • Topic Starter
  • Members
  • 8 posts

Posted 04 October 2012 - 05:34 PM

Thanks a lot. Unfortunately, I need to go out now and shut down the PC. I'll try it tomorrow.

SORRY!!! :blush:


In the meantime, if it helps, here's my MBAM log for the first scan:


Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.04.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Xereeto :: XEREETO-PC [administrator]

Oct 04 2012 21:33:06
mbam-log-2012-10-04 (21-33-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 230597
Time elapsed: 19 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Users\Xereeto\AppData\Roaming\hetat.dll (Trojan.RedirRdll2.Gen) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|hetat (Trojan.RedirRdll2.Gen) -> Data: rundll32.exe "C:\Users\Xereeto\AppData\Roaming\hetat.dll",RetrieveQoSql -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\$Recycle.Bin\S-1-5-21-1879297684-1888632060-1731462345-1000\$576025041eee9d636bca632b5f023d8d\n (Trojan.0Access) -> Delete on reboot.
C:\Users\Xereeto\AppData\Local\Temp\oobvr.exe (Trojan.ExploitDrop) -> Quarantined and deleted successfully.
C:\Users\Xereeto\AppData\Local\Temp\~!#5077.tmp (Spyware.Zeus) -> Quarantined and deleted successfully.
C:\Users\Xereeto\AppData\Local\Temp\.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Xereeto\AppData\Roaming\hetat.dll (Trojan.RedirRdll2.Gen) -> Delete on reboot.

(end)
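Added example (not code from this thread, and not from MBAM, rkill or any other tool named in it): a small Python parser that reads detection lines in the MBAM and rkill formats quoted above and flags the ZeroAccess-style indicators the thread describes. The sample lines are constructed from the paths and registry values in this post and in the rkill excerpt in post #1. The indicator rules are this editor's assumptions drawn from those lines, not something either tool reports: a hidden "$<32 hex chars>" folder under the user's SID directory in $Recycle.Bin holding a file named "n", a hijacked CLSID InprocServer32 key, a Run value that uses rundll32.exe to load a DLL from the user's profile, and MBAM's "Delete on reboot" status, which it reports when an item was in use and could not be removed during the scan. The script only parses text; it does not touch the registry or file system, so it can be run on a log copied from the infected machine.

```python
"""Flag ZeroAccess-style indicators in MBAM / rkill detection lines.

Added example, not part of the forum thread. The indicator rules below are
assumptions based on the paths and registry values quoted in the thread; they
are not output of MBAM or rkill and do not replace a rootkit scanner.
"""
import re
from dataclasses import dataclass

# Constructed sample: the rkill alert from post #1 plus a subset of the MBAM
# log from post #3, copied verbatim (the SID and CLSID are the thread's own).
SAMPLE_LOG = r"""
* HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
C:\Users\Xereeto\AppData\Roaming\hetat.dll (Trojan.RedirRdll2.Gen) -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|hetat (Trojan.RedirRdll2.Gen) -> Data: rundll32.exe "C:\Users\Xereeto\AppData\Roaming\hetat.dll",RetrieveQoSql -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-1879297684-1888632060-1731462345-1000\$576025041eee9d636bca632b5f023d8d\n (Trojan.0Access) -> Delete on reboot.
C:\Users\Xereeto\AppData\Local\Temp\oobvr.exe (Trojan.ExploitDrop) -> Quarantined and deleted successfully.
C:\Users\Xereeto\AppData\Local\Temp\~!#5077.tmp (Spyware.Zeus) -> Quarantined and deleted successfully.
"""

# Line shapes: "<item> (<family>) -> <action>" for MBAM, "* <key> [<tag>]" for rkill.
MBAM_LINE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()\s]+)\) -> (?P<action>.+)$")
RKILL_ALERT = re.compile(r"^\* (?P<key>HK[A-Z_]+\\.+?) \[(?P<tag>[^\]]+)\]$")

# Assumed indicator patterns (see module docstring).
ZA_BIN_DIR = re.compile(r"\\\$Recycle\.Bin\\S-1-5-\d+(?:-\d+)+\\\$[0-9a-f]{32}\\", re.I)
CLSID_INPROC = re.compile(r"\\CLSID\\\{[0-9a-f-]{36}\}\\InprocServer32$", re.I)
RUNDLL_LOAD = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)', re.I)
DATA_FIELD = re.compile(r"Data: (?P<data>.+?) -> ")

ZA_KINDS = {"clsid_inproc_hijack", "za_recyclebin_dir", "za_recyclebin_payload"}


@dataclass(frozen=True)
class Indicator:
    kind: str    # short label for the rule that fired
    detail: str  # the path, key or command that triggered it


def parse_line(line):
    """Return ("rkill", match) or ("mbam", match) for a detection line, else None."""
    line = line.strip()
    m = RKILL_ALERT.match(line)
    if m:
        return "rkill", m
    m = MBAM_LINE.match(line)
    if m:
        return "mbam", m
    return None


def classify(kind, m):
    """Apply the indicator rules to one parsed line and return the hits."""
    found = []
    if kind == "rkill":
        if CLSID_INPROC.search(m["key"]):
            found.append(Indicator("clsid_inproc_hijack", m["key"]))
        return found
    item, action = m["item"], m["action"]
    if ZA_BIN_DIR.search(item):
        # The folder alone is suspicious; a file literally named "n" inside it
        # is the layout quoted in the MBAM log above.
        tail = item.rsplit("\\", 1)[-1]
        kind_name = "za_recyclebin_payload" if tail.lower() == "n" else "za_recyclebin_dir"
        found.append(Indicator(kind_name, item))
    d = DATA_FIELD.search(action)
    if d:
        r = RUNDLL_LOAD.search(d["data"])
        if r and "\\appdata\\" in r["dll"].lower():
            found.append(Indicator("run_rundll32_profile_dll", f'{r["dll"]},{r["export"]}'))
    if action.startswith("Delete on reboot"):
        # MBAM could not remove the item while the system was running.
        found.append(Indicator("locked_at_scan_time", item))
    return found


def analyze(text):
    """Scan a whole log and return every indicator found, in log order."""
    out = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            out.extend(classify(*parsed))
    return out


def is_zeroaccess_like(indicators):
    """True when at least one rootkit-specific indicator (not just a locked file) fired."""
    return any(i.kind in ZA_KINDS for i in indicators)


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(f"{h.kind:28} {h.detail}")
    print("ZeroAccess-like:", is_zeroaccess_like(hits))
```

On the sample above the parser reports the CLSID hijack, the rundll32 Run entry loading hetat.dll from AppData\Roaming, the "n" payload under $Recycle.Bin, and the two items MBAM could only schedule for deletion at reboot; the Temp-folder droppers trigger no rule. A log that contains only quarantined files in Temp yields no rootkit-specific indicator, which is the distinction the replies in this thread act on when they ask for TDSSKiller and aswMBR output before anything else.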




