aswMBR Ransom-WH [Trj] trojan



#1 Miroku16

Posted 24 October 2012 - 10:55 PM

Okay, so I wanted to make sure that I had a good, clean system. So, I ran aswMBR, a program that I got from this site before to check on any underlying problems after Malwarebytes did not detect anything. I tried running aswMBR a couple times, but my computer ended up crashing on those two times. It worked the third time. However, it also showed me two infected files. Those files were the following:

c:/windows/notepad.exe Ransom-WH [Trj.]
c:/windows/system32/notepad.exe Ransom-WH [Trj]

So, what is the problem with my computer? I have all the usage of it, but am afraid it is either an information stealer or some virus that will develop into a bigger problem. So can someone let me know what this is and how to remove it? Thanks.

#2 boopme

Posted 25 October 2012 - 08:50 PM

These may be Rogue antivirus files.

Do you have the full asw log to post?

Please download Rkill by Grinler and save it to your desktop. Link 1 / Link 2
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer, you will need to run the application again.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.





Please download TDSSKiller.

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan".
Please post the LOG report (the log file should be in your C drive).

Do not change the default options on scan results.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Miroku16

Posted 26 October 2012 - 12:04 PM

Okay, so here are a slew of logs.

aswMBR:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-24 23:19:54
-----------------------------
23:19:54.031 OS Version: Windows x64 6.1.7601 Service Pack 1
23:19:54.031 Number of processors: 4 586 0x2505
23:19:54.031 ComputerName: BOOT-PC UserName: Boot
23:19:57.229 Initialize success
23:19:57.322 AVAST engine defs: 12102500
23:20:11.783 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:20:11.783 Disk 0 Vendor: TOSHIBA_ GJ00 Size: 610480MB BusType: 3
23:20:11.799 Disk 0 MBR read successfully
23:20:11.799 Disk 0 MBR scan
23:20:11.799 Disk 0 unknown MBR code
23:20:11.799 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
23:20:11.815 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 586853 MB offset 409600
23:20:11.846 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 23323 MB offset 1202284544
23:20:11.893 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 1250050048
23:20:11.955 Disk 0 scanning C:\Windows\system32\drivers
23:20:31.627 Service scanning
23:21:32.716 Modules scanning
23:21:32.716 Disk 0 trace - called modules:
23:21:33.247 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStor.sys hal.dll
23:21:33.247 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006b70060]
23:21:33.262 3 CLASSPNP.SYS[fffff88001a8443f] -> nt!IofCallDriver -> [0xfffffa80069e5b10]
23:21:33.262 5 hpdskflt.sys[fffff88001602189] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800687f050]
23:21:37.038 AVAST engine scan C:\Windows
23:21:38.442 File: C:\Windows\notepad.exe **INFECTED** Win32:Ransom-WH [Trj]
23:21:43.028 AVAST engine scan C:\Windows\system32
23:22:56.146 File: C:\Windows\system32\notepad.exe **INFECTED** Win32:Ransom-WH [Trj]
23:25:22.771 AVAST engine scan C:\Windows\system32\drivers
23:25:59.462 AVAST engine scan C:\Users\Boot
23:33:42.566 AVAST engine scan C:\ProgramData
23:37:53.929 Scan finished successfully
23:39:04.770 Disk 0 MBR has been saved successfully to "C:\Users\Boot\Desktop\MBR.dat"
23:39:04.785 The log file has been saved successfully to "C:\Users\Boot\Desktop\aswMBR10.txt"



Rkill:

Rkill 2.4.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/26/2012 12:44:14 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 10/26/2012 12:44:30 PM
Execution time: 0 hours(s), 0 minute(s), and 15 seconds(s)


Malwarebytes:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.26.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Boot :: BOOT-PC [administrator]

10/26/2012 12:46:48 PM
mbam-log-2012-10-26 (12-46-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221487
Time elapsed: 2 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


TDSSKiller:


TDSSKiller.2.8.13.0_26.10.2012_12.52.11_log.txt (137.90 KB)

http://www.filefactory.com/file/52i0tqfvsujx/n/TDSSKiller_2_8_13_0_26_10_2012_12_52_11_log_txt




Questions and Concerns:

Everything ran good. One thing that I did was temporarily disable the shields of my Avast! antivirus while doing the scans. Was I supposed to do that, or would having it on not affect the scans at all? Also, I did not reboot the computer after the Malwarebytes scan, because it did not find any problems. Was I supposed to reboot anyway? Also, no objects were found in any of my scans. What is the next move?

#4 boopme

Posted 26 October 2012 - 09:37 PM

I take it neither the "Fix" nor "FIXMBR" are options after the asw scan.

Finally, I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Edited by boopme, 27 October 2012 - 08:17 PM.


#5 Miroku16

Posted 27 October 2012 - 03:25 PM

Yes, I did mean Malwarebytes when I did not reboot after it, due to it not having found anything.

So, I tried the ESET scanner. At first, it said it could not find the proxy settings or something. So, I clicked back and then forward. Then it ran the scan as desired. I did not see the export log option for some reason. It might have been because of the fact that it did not find any items or threats to remove or quarantine. Do I need to run the scan again and try to get a log? My Avast! antivirus was on, just for your information, just in case it affects anything. What should be done now that the last few scans have not found anything?

Edited by Miroku16, 27 October 2012 - 03:26 PM.


#6 boopme

Posted 27 October 2012 - 08:22 PM

Yes, sometimes if no infections are found it will not produce a log.
If you run aswMBR does it still see those 2 items?

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#7 Miroku16

Posted 28 October 2012 - 03:31 PM

I ran the scan again. However, it is weird that the two items did not show up this time. What could this mean? Anyways, here is the log.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-28 15:46:43
-----------------------------
15:46:43.172 OS Version: Windows x64 6.1.7601 Service Pack 1
15:46:43.172 Number of processors: 4 586 0x2505
15:46:43.174 ComputerName: BOOT-PC UserName: Boot
15:46:46.989 Initialize success
15:46:47.066 AVAST engine defs: 12102800
15:47:03.148 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
15:47:03.151 Disk 0 Vendor: TOSHIBA_ GJ00 Size: 610480MB BusType: 3
15:47:03.180 Disk 0 MBR read successfully
15:47:03.183 Disk 0 MBR scan
15:47:03.186 Disk 0 unknown MBR code
15:47:03.201 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
15:47:03.223 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 586853 MB offset 409600
15:47:03.266 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 23323 MB offset 1202284544
15:47:03.295 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 1250050048
15:47:03.391 Disk 0 scanning C:\Windows\system32\drivers
15:47:28.877 Service scanning
15:48:15.082 Modules scanning
15:48:15.096 Disk 0 trace - called modules:
15:48:15.506 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStor.sys
15:48:15.515 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006b70060]
15:48:15.523 3 CLASSPNP.SYS[fffff88001a8443f] -> nt!IofCallDriver -> [0xfffffa80069e5b10]
15:48:15.532 5 hpdskflt.sys[fffff88001602189] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800687f050]
15:48:16.793 AVAST engine scan C:\Windows
15:49:03.404 AVAST engine scan C:\Windows\system32
15:57:44.780 AVAST engine scan C:\Windows\system32\drivers
15:59:26.621 AVAST engine scan C:\Users\Boot
16:16:12.980 AVAST engine scan C:\ProgramData
16:21:23.727 Scan finished successfully
16:29:37.529 Disk 0 MBR has been saved successfully to "C:\Users\Boot\Desktop\MBR.dat"
16:29:37.547 The log file has been saved successfully to "C:\Users\Boot\Desktop\aswMBR11.txt"

#8 boopme

Posted 28 October 2012 - 03:51 PM

It removed it, but did not note it. I'll have to contact the tool's author.

How is it now?

#9 Miroku16

Posted 28 October 2012 - 08:28 PM

But how did it get removed? Why wasn't it removed the first time I ran it? How do I know that it is completely gone? The reason I ask is that it did not affect anything noticeable on my computer.

#10 boopme

Posted 29 October 2012 - 07:03 PM

I'll be back.

#11 Miroku16

Posted 31 October 2012 - 10:11 PM

So, what is the next move? Am I clean or do I need to run more tests?

Update: I ran aswMBR again and it found nothing. I ran it because I saw a brief flash of a black box appear in the top left-hand corner of my screen, kind of similar to the one where you would enter commands to perform specific actions on the computer, but more like the aswMBR type of black box. Not sure what that is about. But right now, my computer is okay. Is there anything else that needs to be done? Just let me know.

Edited by Miroku16, 01 November 2012 - 12:09 PM.


#12 Miroku16

Posted 05 November 2012 - 02:08 PM

Anything else that I need to do?

#13 boopme

Posted 05 November 2012 - 02:21 PM

Hi, the hurricane knocked me offline for a bit.

These were detections of the Avast definitions. It has nothing to do with a rootkit and also nothing with the fix options AswMBR has. If I were to guess I'd say it was a false-positive and was fixed in between the two scans. However, to be sure you can have the user upload the file to VirusTotal. Another possibility is that the files were disinfected/cleaned by a resident AV. Finally, sometimes there are "ghost" detections, meaning that somehow a scanner picks up files that aren't there (any longer).

So, if there is nothing going on you are OK.
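As an added example (not part of this thread, and not code from aswMBR, Avast or any other tool mentioned here), this is the kind of check a defender can run on the two notepad.exe copies the scan flagged before deciding between the explanations above (false positive, cleaned by the resident AV, or a "ghost" detection). It reports each file's size, modification time, Authenticode status and SHA-256, so the hash can be looked up on VirusTotal instead of uploading the file, and it tells you whether the two copies are byte-identical. It assumes Windows PowerShell 2.0 or later (the Windows 7 x64 era shown in the logs), which is why it does not use Get-FileHash.

```powershell
# Added example: inspect the two notepad.exe copies flagged in the aswMBR log.
# Assumes Windows PowerShell 2.0+; paths come from the thread's own detections.
$paths = @(
    "$env:SystemRoot\notepad.exe",
    "$env:SystemRoot\System32\notepad.exe"
)

function Get-Sha256Hex {
    param([string]$Path)
    # .NET SHA-256 over the file stream (works without Get-FileHash on old PowerShell)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace("-", "").ToLower()
}

$hashes = @{}
foreach ($p in $paths) {
    if (-not (Test-Path $p)) {
        # A file that is no longer present is consistent with a "ghost" detection
        # or with the resident AV having quarantined it.
        Write-Output "$p : MISSING"
        continue
    }
    $item = Get-Item $p
    $sig  = Get-AuthenticodeSignature -FilePath $p
    $hash = Get-Sha256Hex -Path $p
    $hashes[$p] = $hash

    Write-Output $p
    Write-Output "  Size      : $($item.Length) bytes, last modified $($item.LastWriteTime)"
    Write-Output "  Signature : $($sig.Status)  signer=$($sig.SignerCertificate.Subject)"
    Write-Output "  SHA-256   : $hash   (search this hash on VirusTotal)"
}

# Compare the two copies: a mismatch means one of them differs from the other
# and deserves a closer look (hash lookup, or sfc /verifyonly for the catalog check).
if ($hashes.Count -eq 2) {
    $values = @($hashes.Values)
    if ($values[0] -eq $values[1]) {
        Write-Output "Both copies are byte-identical."
    } else {
        Write-Output "The two copies DIFFER; check the hashes before trusting either."
    }
}
```

Many Windows system binaries are catalog-signed rather than carrying an embedded signature, so a NotSigned status from Get-AuthenticodeSignature on an older PowerShell is not by itself evidence of tampering; sfc /verifyonly checks protected system files against the catalog without repairing anything.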

#14 Miroku16

Posted 08 November 2012 - 03:42 PM

Okay. But what about uploading to VirusTotal? Should I worry about it if I did not get any reads on some negative activity?

#15 boopme

Posted 08 November 2012 - 04:02 PM

You can upload and post the results if you want to.