Nasty malware


  • This topic is locked
10 replies to this topic

#1 RavenLord

RavenLord

  • Members
  • 5 posts

Posted 22 October 2012 - 05:53 PM



Hello BleepingComputer community,

I require some help, as my laptop seems to be infected with some malware. It's an old laptop, Intel dual core @1.60Ghz with only 1Gb RAM, but perfectly suitable for small office-type tasks (such as e-mail, browsing, and editing documents). On it I have Win XP SP2 (yes, ancient, I know... I plan to upgrade it to SP3 as soon as I manage to solve the malware issue, hopefully with your help).


There are 3 reasons which led me to suspect that there is an infection:

1. There are always at least 2 or 3 iexplore.exe processes running in the background, even though I NEVER use IE. After terminating them and setting Firefox as the default browser in the "set program defaults" section of Control Panel, they seem to want to rise back from the dead, as I am constantly bugged by that pop-up window which says "IE is not your default browser, would you like to make it..."

2. I am unable to access any antivirus website with any browser; can't go to kaspersky.com or eset.com, or malwarebytes.org

3. A couple of USB memory sticks that have been plugged into this laptop have started to show that autorun.inf file, which I know is usually associated with malware infections (though I can't be sure this is the case)



Below this post you will find the logs that are required. But first, I think I should tell you what I've tried so far:

-installed, updated and ran Quick Scan with MBAM, it found various infections, and cured them all; I have the log file available should it be required;

-ran TDSS Killer, which found nothing except a suspicious service called 'blcmq'; I chose not to cure it, but right now as I am preparing your logs a funny thing happened: when I ran Gmer for the first time, I got that pop-up with rootkit activity suspected; there was a text line highlighted in red with reference to that exact service that TDSS identified as potentially suspicious (blcmq, found in a svchost.exe)

-ran Rkill, followed by Combofix, but Combofix got stuck for over 2 hours at Stage_32; so I rebooted and ran Combofix in Safe Mode, it completed successfully, and yes, I have the log files with everything it did available if required; I know I shouldn't have used Combofix unless instructed to by an expert; in the past MBAM+Rkill+CF helped get rid of annoying malware on some other computers, I just hoped it would work this time too, but as it turns out, it didn't; I am aware CF is a powerful tool which can cause damage if misused, every time I made use of it in the past I read the log file very carefully to try to understand what it did, and googled information about every file/process/registry key that got modified; I would say that by now I have some knowledge (not much at all) about such malware removal tools.


All right... Now judging by the fact that both TDSS and Gmer found rootkit activity related to that 'blcmq' service I mentioned earlier, I'm assuming that's one of the culprits... However, from now on I will refrain from taking any other actions towards the disinfection process on my own, and will patiently await your instructions; once again, I apologize for getting into ComboFix on my own, I do hope that I didn't make your job more difficult by having done this.


Oh, and one more thing: DDS only created 1 log file, DDS.txt, there wasn't any mention of an Attach.txt anywhere, doesn't seem to exist.


Thank you for reading my topic, and most of all thank you for being out there and providing your services free of charge for all those in need!

Attached Files

  • Attached File  ark.txt   46.41KB   2 downloads
  • Attached File  dds.txt   11.79KB   0 downloads




#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 22 October 2012 - 06:40 PM

Please post the TDSSKiller and the ComboFix Log(s)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 RavenLord

RavenLord
  • Topic Starter

  • Members
  • 5 posts

Posted 22 October 2012 - 07:27 PM


There you go sir, thank you for the speedy response!

Attached Files



#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 22 October 2012 - 07:59 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic472731.html/page__pid__2875947#entry2875947

Folder::
c:\documents and settings\All Users\Application Data\nakyblyojzxieas

Collect::
c:\windows\system32\TR2468ieegfh.dll
c:\windows\system32\cepalavo.exe
c:\documents and settings\Irina B\Start Menu\Programs\Startup\kmtjygwh.exe 
c:\windows\system32\ieegfh.dll
c:\Program Files\WuuCxBSL1Ʞkmtjygwh.exe\kmtjygwh.exe     
C:\Program Files\cLswMjwl\kmtjygwh.exe
             
RenV::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\CardDetector\HUAWEI160\carddetector .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\DAEMON Tools Lite\dtlite .exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
c:\program files\Intel\Wireless\Bin\zcfgsvc .exe
c:\program files\Orange\InternetEverywhere\SessionManager\sessionmanager .exe
c:\program files\SigmaTel\C-Major Audio\WDM\stsystra .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Trojan Remover\trjscan .exe
c:\program files\Vodafone\Vodafone Mobile Connect\Bin\mobileconnect .exe
c:\program files\Yahoo!\Messenger\yahoomessenger .exe
c:\windows\pchealth\helpctr\binaries\msconfig  .exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\boujoosequ]
[HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4063:TCP"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\blcmq]

Driver::
blcmq
oxaywmkx

NetSvc::
isiweyn
blcmq

FireFox::
FF - ProfilePath - c:\documents and settings\Irina B\Application Data\Mozilla\Firefox\Profiles\hwuv3837.default\
FF - user.js: extensions.funmoods_i.newTab - false
FF - user.js: extensions.funmoods_i.tlbrSrchUrl - hxxp://start.funmoods.com/results.php?f=3&a=adknlg&q=
FF - user.js: extensions.funmoods_i.id - 1404b89a000000000000001dd96b2062
FF - user.js: extensions.funmoods_i.instlDay - 15432
FF - user.js: extensions.funmoods_i.vrsn - 1.5.11.16
FF - user.js: extensions.funmoods_i.vrsni - 1.5.11.16
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.11.1622:33
FF - user.js: extensions.funmoods_i.prtnrId - funmoods
FF - user.js: extensions.funmoods_i.prdct - funmoods
FF - user.js: extensions.funmoods_i.aflt - adknlg
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods_i.tlbrId - base
FF - user.js: extensions.funmoods_i.instlRef - 
FF - user.js: extensions.funmoods_i.dfltLng - 
FF - user.js: extensions.funmoods_i.excTlbr - false

Rootkit::
c:\documents and settings\Irina B\Start Menu\Programs\Startup\kmtjygwh.exe 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



#5 RavenLord

RavenLord
  • Topic Starter

  • Members
  • 5 posts

Posted 23 October 2012 - 02:29 PM

Sorry it took a while; here is your log sir:

Attached Files



#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 October 2012 - 05:59 PM

Still a little more work to do, please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic472731.html/page__pid__2876531#entry2876531

Collect::
c:\program files\internet explorer\wmpscfgs.exe

Folder::
c:\program files\WuuCxBSL1Ʞkmtjygwh.exe

RenV::
c:\program files\Skype\Phone\skype .exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe_Reader"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_Reader]

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT




Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#7 RavenLord

RavenLord
  • Topic Starter

  • Members
  • 5 posts

Posted 23 October 2012 - 11:29 PM

Hi Catbyte,

I did all that you asked me to except for the ESET online scan. I've attached all the relevant logs from the scans; MBAM did not find a single infection.

The reason why I didn't do the online scan is because of bandwidth concerns. I am a foreign student in London, and this week I just moved into a new flat, which doesn't have a phone line installed, hence I do not have internet hooked up; right now I am using a sh1tty USB dongle, and of course, I have a traffic limit imposed, and if I go over it the charges on the bill will go sky-high. My monthly limit is 3Gb (download+upload), so I just wanted to ask you approximately how much you reckon the online scan will consume; I am willing to sacrifice maybe 200-300Mb of traffic for it, but if it's more than that I would rather do it from the university campus, where I can get WiFi at a decent speed (far above that of the dongle connection). I assumed that it might be quite a bit of traffic, since my HDD is 1Tb.

Cheers!

Attached Files



#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 24 October 2012 - 05:25 PM

no,

I wouldn't use up your bandwidth for the ESET scan, it can take hours.

There are still a couple of issues remaining on your machine

this folder c:\program files\WuuCxBSL1Ʞkmtjygwh.exe - it's formed as a file but the log says it's a folder

please navigate to it (you may have to show hidden files and folders) right click > properties > what does it contain?
If the folder is empty > right click and delete it.


Skype has been infected (note the space before .exe - indicative of infection)

    c:\program files\Skype\Phone\skype .exe

I have attempted to replace it, but there is no replacement available. The easiest way to fix this is to uninstall Skype, then download and install a fresh copy.


what AntiVirus program are you using?


Please re-run GMER, post the new log.

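Added example, not part of this thread and not ComboFix's own code: a small Python reviewer for the CFScript layout CatByte posts in #4 and #6. It groups directives under their `Name::` headers, reads the `[-key]` and `"value"=-` removal lines, and flags the space-before-extension file names that RenV:: lists and that #8 points out on skype .exe. The meaning assigned to the registry syntax is my reading of the posted script, assumed here rather than taken from ComboFix documentation, and the sample script is a constructed excerpt.

```python
import re

# Constructed excerpt in the CFScript layout used in this thread; not the full script posted.
SAMPLE_CFSCRIPT = r"""RenV::
c:\program files\Skype\Phone\skype .exe
c:\windows\pchealth\helpctr\binaries\msconfig  .exe

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\blcmq]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe_Reader"=-

Driver::
blcmq

ClearJavaCache::
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# A legitimate file name has no whitespace before its extension; "skype .exe" does.
SPACE_BEFORE_EXT_RE = re.compile(r"\s+\.(exe|dll|scr|com)$", re.IGNORECASE)

def parse_cfscript(text):
    """Group non-blank lines under the most recent 'Name::' header, in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()  # the posted script carries trailing spaces
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"directive before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def has_space_before_extension(path):
    return bool(SPACE_BEFORE_EXT_RE.search(path))

def review_cfscript(text):
    """Summarise removals; assumed syntax: [-key] deletes key, [key] then "value"=- deletes value."""
    sections = parse_cfscript(text)
    deleted_keys, deleted_values, key = [], [], None
    for line in sections.get("Registry", []):
        if line.startswith("[-") and line.endswith("]"):
            deleted_keys.append(line[2:-1])
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif (m := re.fullmatch(r'"([^"]*)"=-', line)) and key:
            deleted_values.append((key, m.group(1)))
    return {
        "renv_anomalies": [p for p in sections.get("RenV", []) if has_space_before_extension(p)],
        "deleted_keys": deleted_keys,
        "deleted_values": deleted_values,
        "services": sorted(set(sections.get("Driver", [])) | set(sections.get("NetSvc", []))),
    }
```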


#9 RavenLord

RavenLord
  • Topic Starter

  • Members
  • 5 posts

Posted 24 October 2012 - 09:06 PM


Hey CatByte,


Here is what I've done so far:

- I navigated to that directory from Program Files, it contained 1 .exe file, namely kmtjygwh.exe , which I know is responsible for some of the malware; I forgot to mention in my OP that before starting the malware removal process, every time at boot-up a cmd window would flash for a couple of seconds, and in the title bar it said kmtjygwh.exe, I was expecting it to be gone since I remember seeing references to it in the ComboFix logs; anyway, it was there, so I deleted the whole directory with Shift+Del

- uninstalled skype and skype toolbars extension through CCleaner

- ran Gmer, log file is attached below; I noticed it mentioned something about DaemonTools, the CD emulation software; although it is not running in the background, in Explorer I can see a virtual drive created by DaemonTools, I assume you will want me to disable it;

- to answer your question simply, I have no AV installed, I only got this old laptop before coming here to London, I wasn't the one using it before and had no idea about the condition it was in; I'm not even using it that much since I have my desktop PC with me ("my precious"), but I do want the laptop to be malware-free so I won't have to worry when transferring stuff via USB sticks; obviously I will have to install an AV on the laptop after we're done with the cleansing, and in this regard I was about to ask you to suggest a combination of AV and firewall that would be light on system resource consumption (only 1Gb of RAM installed); I had to disable the MBAM active protection service since it was constantly eating around 120Mb of RAM in idle mode, not when scanning or updating


Once again, thank you for your time and efforts !

Attached Files


Edited by RavenLord, 24 October 2012 - 09:13 PM.


#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 24 October 2012 - 09:22 PM

ok, that's good, the bad stuff is gone from GMER


give combofix another run, allow it to update if it asks to do so (did you re-install skype? I want to make sure it is ok now)

then download and install Microsoft Security Essentials and run a scan with it (it is excellent and free)

let me know if it finds anything that isn't already in quarantine

http://www.microsoft.com/security_essentials/



#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 04 November 2012 - 02:45 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.





