
Unknown Infection-Hidden Files and Access Denied


  • This topic is locked
44 replies to this topic

#1 kiwipoppy

kiwipoppy

  • Members
  • 47 posts

Posted 01 April 2013 - 02:38 AM

Hi, I am running Win 7 Ultimate on a stand-alone computer not currently connected to the internet. I am the only user and have two visible accounts, a standard admin and the built-in admin account. Recent scans have shown the existence of an account named C:\users\ADMINI~1; its files are hidden and cannot be shown. I have tried the folder option panel and the attrib command, and would like to know what else I can try. Many thanks

Activity includes:
  • Hidden files that can't be unhidden
  • Firewall disabled, Windows Update disabled, System Restore disabled, and access blocked to System Volume Information... this appears in scans as C\:SYSTEM~1
  • Hidden services running at startup
  • Access denied in various areas of the registry, and permissions that can be changed revert back on reboot
  • Built-in admin denied specific permissions (seen in Process Explorer)
  • ''Account Unknown'' appears in some file properties
  • Malwarebytes found Trojan activity, but I think there are areas that need cleaning up
  • When I was connected to the internet, credit card details were stolen and various unknown websites were being accessed
  • Anti-virus programs appear to install but either will not run, or update, or skip hundreds of files
  • Recycle bin is corrupted
  • Reinstalling Windows does NOT help.

Have transferred this topic from the Win 7 forum, hope this is OK.
Also I am using a tablet and have problems copying from documents, so am hoping it will be alright to attach things.
Have included the MBAM log, which was the first time any security program ran properly and found something.
Also DDS logs

Attached Files
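As an added, read-only triage example (not part of this thread and not one of the tools the helper recommends), the PowerShell below checks the symptoms the poster lists: the hidden profile folder, ACL entries that Explorer shows as "Account Unknown", and the disabled firewall, Windows Update and System Restore. The path C:\Users\ADMINI~1 is taken from the post; the policy registry values are the standard Windows locations and are assumed to be absent on a clean machine.

```powershell
# Added triage script, not from the thread. Run in an elevated PowerShell prompt
# (written for PowerShell 2.0, as shipped with Windows 7). Every check is read-only.

# 1. Profile folders under C:\Users, including hidden/system ones (-Force), with
#    attributes and owner. A folder marked Hidden+System is not revealed by the
#    Explorer "show hidden files" option alone, which matches the reported symptom.
Get-ChildItem -LiteralPath 'C:\Users' -Force |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        New-Object PSObject -Property @{
            Folder     = $_.Name
            Attributes = $_.Attributes.ToString()
            Owner      = $acl.Owner
        }
    } | Format-Table Folder, Attributes, Owner -AutoSize

# 2. ACEs whose principal no longer resolves to a name. Explorer labels these
#    "Account Unknown"; here they surface as raw SIDs (S-1-...). Path from the post.
$suspect = 'C:\Users\ADMINI~1'
if (Test-Path -LiteralPath $suspect) {
    (Get-Acl -LiteralPath $suspect).Access |
        Where-Object { $_.IdentityReference.Value -like 'S-1-*' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# 3. Core protection services (firewall, Windows Update, BITS, shadow copies,
#    Security Center). None is Disabled on a default install, so StartMode =
#    Disabled is a finding worth reporting in the thread.
$watch = 'MpsSvc', 'wuauserv', 'BITS', 'VSS', 'wscsvc'
Get-WmiObject Win32_Service |
    Where-Object { $watch -contains $_.Name } |
    Select-Object Name, State, StartMode | Format-Table -AutoSize

# 4. Policy values used to switch off System Restore, automatic updates and the
#    firewall. A missing value means "not set" (the clean default).
$policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'; Name = 'DisableSR';     Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'; Name = 'DisableConfig'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';  Name = 'NoAutoUpdate';  Bad = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall'; Bad = 0 }
)
foreach ($p in $policies) {
    $value  = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).$($p.Name)
    $status = if ($value -eq $null) { 'not set' } elseif ($value -eq $p.Bad) { 'DISABLED by policy' } else { "set to $value" }
    "{0}\{1}: {2}" -f $p.Path, $p.Name, $status
}
```

One caveat for reading the output: "Access denied" on C:\System Volume Information is the default ACL (SYSTEM only) and is not by itself a sign of infection.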




#2 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 04 April 2013 - 06:50 AM

Hi and Welcome!!
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
 

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to this topic so that you can see when there are new responses.
  • IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

     
    Having said that.... Let's get going!!
    ----------

  • Please download aswMBR to your desktop.
  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and attach its contents in your next reply.



#3 kiwipoppy

kiwipoppy
  • Topic Starter

  • Members
  • 47 posts

Posted 04 April 2013 - 09:01 PM

Hi Jeff, thanks for replying

Log attached

Attached Files



#4 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 05 April 2013 - 06:52 AM

Hi,

 

 

ComboFix
 
Download Combofix from the link below, and save it to your desktop.  
 
**Note:  It is important that it is saved directly to your desktop**
 If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.
 
--------------------------------------------------------------------
 
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
 
--------------------------------------------------------------------
 
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.  
  • Please post the C:\ComboFix.txt for further review.


    #5 kiwipoppy

    kiwipoppy
    • Topic Starter

    • Members
    • 47 posts

    Posted 05 April 2013 - 03:42 PM

    Couldn't see the link, so am downloading from your downloads page... hope this is OK

    #6 kiwipoppy

    kiwipoppy
    • Topic Starter

    • Members
    • 47 posts

    Posted 05 April 2013 - 04:42 PM

    Sorry, that didn't work, downloaded as 0 bytes, and told me ''this is not a valid win32 application''
    Could you try putting up the link again please?

    Also forgot to mention some other features of this infection:
    Creates shortcuts for every file I use,
    Creates encrypted data entries in the registry relating to admin and other SID functions
    Set keyboard to a custom preference without a backward slash.. The latter I was able to fix

    Thanks again

    #7 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • Gender:Male
    • Location:USA

    Posted 05 April 2013 - 05:42 PM

    Download Combofix from the link below, and save it to your desktop.  
    Link




    #8 kiwipoppy

    kiwipoppy
    • Topic Starter

    • Members
    • 47 posts

    Posted 06 April 2013 - 02:04 AM

    Hi, Combofix seemed to run OK, gave me a message re compatibility mode, and created a file called 32788R22FWJFW.nircmd
    Cannot find combofix.txt anywhere
    Thanks

    #9 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • Gender:Male
    • Location:USA

    Posted 06 April 2013 - 03:06 PM

    Is the log at C:\ComboFix.txt?  If it's there go ahead and post it.  Don't worry about the other file it created.   :)




    #10 kiwipoppy

    kiwipoppy
    • Topic Starter

    • Members
    • 47 posts

    Posted 06 April 2013 - 06:21 PM

    No, not there, will do another search for it, but this computer infection is good at hiding things!

    #11 kiwipoppy

    kiwipoppy
    • Topic Starter

    • Members
    • 47 posts

    Posted 07 April 2013 - 01:52 AM

    No, definitely cannot find combofix.txt
    Ran the program again and captured the details that show while running; output is directed to c:\32788R22FWJFW
    Don't know if it was any use, but I saved those details as a txt file, which I cannot transfer via USB for some reason
    If you need to see them, I can try a screenshot, if that is possible; otherwise I can copy the list manually, which will take a while
    The nircmd bit you said to ignore was created April 2009 and modified the same date... probably not relevant?
    Gmer scan shows a filter device attached to my desktop, so that might affect results
    Will try and attach the gmer log

    Attached Files


    Edited by kiwipoppy, 07 April 2013 - 02:32 AM.


    #12 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • Gender:Male
    • Location:USA

    Posted 07 April 2013 - 08:14 AM

    Ok let's try a different tool...
     
     
     
    OTL

    • Download OTL to your desktop.
    • Right-click and Run as Administrator on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Select All Users
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.

    Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.

    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.



    #13 kiwipoppy

    kiwipoppy
    • Topic Starter

    • Members
    • 47 posts

    Posted 07 April 2013 - 05:42 PM

    As far as I can see it failed to create Extras.txt. As I mentioned earlier, I am using a tablet to communicate and have not worked out how to copy and paste from stored documents, so have attached it.
    Hope this is OK
    Many thanks for all your efforts

    Attached Files

    • Attached File  OTL.Txt   41.12KB   7 downloads


    #14 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • Gender:Male
    • Location:USA

    Posted 07 April 2013 - 07:53 PM

    No problem with attaching files if need be.  :)  

     

    Unfortunately I am having some serious problems with my own system right now and won't be able to reply again until tomorrow.  I will return just as quick as I can.  I appreciate your understanding.  :)




    #15 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • Gender:Male
    • Location:USA

    Posted 08 April 2013 - 10:37 AM

    Please download TDSSKiller
    • Double click TDSSKiller.exe
    • Press Start Scan but do nothing else as we are just looking for what is there.
    • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
    • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
