MS security reports rootkit from webpage yahoo


  • This topic is locked
23 replies to this topic

#1 pitwolf

pitwolf

  • Members
  • 13 posts

Posted 25 June 2013 - 11:38 AM

While reading news online, a screen popped up reporting that a rootkit was on my system and that I needed to clean my computer. I ran a Linux-based antivirus boot disk, and no viruses were found. I then ran mbar and it hit trojan.psw.win32.launch, and removed it. I also ran the aswMBR cleaner recommended by this site and got no hits, with the exception of acpi.sys [fffff8800100b7a1] -> nt!IofCallDriver -> [0xfffffa80079769b0]. That was yesterday, and after that it ran fine. Now today some of the keyboard works and some does not; yesterday the keyboard worked fine. The computer seems slow and laggy. I run CCleaner, mbar and Temp File Cleaner on a regular basis, and have MS Security loaded as antivirus. I believe the malware was not fully removed and reloaded some time while my wife was on. I just ran GMER and the section on IAT shows section unknown. Could you take a look and see what's going on... There are 2 logs attached to this note: 1 from yesterday is aswMBR, and 1 from today is GMER. Thx

 

Attached Files




#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 25 June 2013 - 01:20 PM

Hi there,
My name is Marius and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK


IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

 

 

 

Also post up the mbar log. You'll find it in the folder.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 pitwolf

pitwolf
  • Topic Starter

  • Members
  • 13 posts

Posted 25 June 2013 - 03:25 PM

Thanks for the reply. I did as asked and rebooted the machine, no error messages. Did you want me to re-run mbar or just give you the old log from when it saw malware?



#4 pitwolf

pitwolf
  • Topic Starter

  • Members
  • 13 posts

Posted 25 June 2013 - 03:38 PM

Here is the old mbar log from yesterday...

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.24.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16618
ADMIN :: ADMIN-PC [administrator]

6/24/2013 8:44:57 AM
mbam-log-2013-06-24 (08-44-57).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 397929
Time elapsed: 36 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\$Recycle.Bin\S-1-5-21-3729448584-83226447-1569802221-1001\$RJK5U4Q.exe (Trojan.Agent.rf2) -> Quarantined and deleted successfully.

(end)
 

I will be leaving for work in a few; I will be back on at 0030 US west time zone. I'm currently doing a full scan of the system again to give you an updated mbar log.


Edited by pitwolf, 25 June 2013 - 03:45 PM.
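The Malwarebytes log posted above has a regular, line-oriented shape: a header of `Key: value` lines, then one `<Section> Detected: N` header per category followed by either `(No malicious items detected)` or one line per item in the form `<path or key> (<threat name>) -> <action>.` That makes it cheap to parse and, more usefully for a helper reading dozens of these, to sanity-check: does each `Detected: N` agree with the number of items actually listed, and was every item really quarantined rather than left for a reboot? The following is an added example, not code from the thread, from Malwarebytes or from BleepingComputer. It reads an MBAM 1.x text log, extracts the header, cross-checks the per-section counts, flags items whose action is not a completed quarantine, and pulls the owner SID out of a `$Recycle.Bin` path so you can tell which account's recycle bin held the file. The sample log is constructed by trimming the one posted above; the assumption that every section and item follows the wording seen in that log is mine.

```python
"""Parse a Malwarebytes Anti-Malware 1.x (MBAM / mbar) text log and cross-check it."""
import re
from dataclasses import dataclass, field

# Constructed sample: the log posted in this thread, trimmed to three sections.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.24.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16618
ADMIN :: ADMIN-PC [administrator]

6/24/2013 8:44:57 AM
mbam-log-2013-06-24 (08-44-57).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 397929
Time elapsed: 36 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 1
C:\$Recycle.Bin\S-1-5-21-3729448584-83226447-1569802221-1001\$RJK5U4Q.exe (Trojan.Agent.rf2) -> Quarantined and deleted successfully.

(end)
"""

# Line shapes assumed from the posted log (not an official grammar).
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: (?P<count>\d+)$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
KEY_VALUE_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*): ?(?P<value>.*)$")
USER_HOST_RE = re.compile(r"^(?P<user>\S+) :: (?P<host>\S+) \[(?P<priv>\w+)\]$")
DATE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d")
SID_IN_PATH_RE = re.compile(r"\$Recycle\.Bin\\(S-1-5-21(?:-\d+)+)\\", re.IGNORECASE)
DONE_ACTION = "Quarantined and deleted successfully"


@dataclass
class Detection:
    section: str   # e.g. "Files", "Registry Keys"
    item: str      # file path or registry location
    threat: str    # Malwarebytes detection name
    action: str    # what the scanner reports it did


@dataclass
class Section:
    count: int                                  # the N from "<Section> Detected: N"
    items: list = field(default_factory=list)   # Detection objects listed under it


@dataclass
class MbamReport:
    header: dict = field(default_factory=dict)
    sections: dict = field(default_factory=dict)

    @property
    def detections(self):
        return [d for s in self.sections.values() for d in s.items]


def parse_mbam_log(text):
    """Split the log into a header dict and per-section detections."""
    report = MbamReport()
    current = None  # section name once the "Detected:" summary has started
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        if (m := SECTION_RE.match(line)):
            current = m["name"]
            report.sections[current] = Section(int(m["count"]))
            continue
        if current is None:
            # Header block: product, database, OS, user/host, scan parameters.
            if (m := USER_HOST_RE.match(line)):
                report.header.update(User=m["user"], Computer=m["host"], Privilege=m["priv"])
            elif DATE_RE.match(line):
                report.header["Scan time"] = line
            elif line.startswith("mbam-log"):
                report.header["Log file"] = line
            elif (m := KEY_VALUE_RE.match(line)):
                report.header[m["key"]] = m["value"]
            elif "Product" not in report.header:
                report.header["Product"] = line
            continue
        if line.startswith("(No malicious items detected)"):
            continue
        if (m := DETECTION_RE.match(line)):
            report.sections[current].items.append(
                Detection(current, m["item"], m["threat"], m["action"]))
    return report


def verify_counts(report):
    """One message per section whose 'Detected: N' disagrees with the items listed."""
    return [f"{name}: header says {sec.count}, log lists {len(sec.items)}"
            for name, sec in report.sections.items() if sec.count != len(sec.items)]


def pending_actions(report):
    """Detections the scanner reported but did not finish quarantining (e.g. delete on reboot)."""
    return [d for d in report.detections if not d.action.startswith(DONE_ACTION)]


def recycle_bin_owner_sid(path):
    """SID of the account whose $Recycle.Bin folder held the file, or None if not such a path."""
    m = SID_IN_PATH_RE.search(path)
    return m.group(1) if m else None


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep.header)
    for d in rep.detections:
        print(f"[{d.section}] {d.threat}: {d.item} -> {d.action}")
        print("  recycle bin owner SID:", recycle_bin_owner_sid(d.item))
    print("count mismatches:", verify_counts(rep) or "none")
    print("not fully remediated:", pending_actions(rep) or "none")
```

The owner SID is what you would match against `wmic useraccount get name,sid` (or the profile list in the registry) to find out which of the three accounts on the machine the file was deleted from; the parser deliberately does not guess, because the SID's final RID only identifies an account on that one system.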


#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 26 June 2013 - 11:53 AM

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop.



#6 pitwolf

pitwolf
  • Topic Starter

  • Members
  • 13 posts

Posted 27 June 2013 - 03:14 AM

OK, ran DDS. It will save, but will not show up for me to send you a copy. And I tried to save in multiple directories. I don't know if that's normal or not??? But when I saved it from Notepad it showed multiple copies there on the desktop.



#7 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 27 June 2013 - 01:17 PM

We need dds.txt and attach.txt, can you find them?



#8 pitwolf

pitwolf
  • Topic Starter

  • Members
  • 13 posts

Posted 28 June 2013 - 03:51 AM

OK, found the files and they are attached. I'm running 3 accounts: admin, regular limited access, and guest. The files were on the admin account, which I was in when I ran this program.

 

Thx again

Attached Files



#9 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 28 June 2013 - 03:33 PM

I'm currently on my way back from a military training and will reply as soon as I'm at home.

Please be patient with me.

 

Thank you!



#10 pitwolf

pitwolf
  • Topic Starter

  • Members
  • 13 posts

Posted 28 June 2013 - 04:00 PM

No worries, thx again....



#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 29 June 2013 - 05:24 AM

Combofix


Combofix should only be run when advised by a team member!


Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.



#12 pitwolf

pitwolf
  • Topic Starter

  • Members
  • 13 posts

Posted 29 June 2013 - 07:08 PM

Combofix done; here is the attached file. Also running the MS scan to see if anything pops up.....

 

Thx again...



#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 30 June 2013 - 11:23 AM

You forgot to attach the log. ;)



#14 pitwolf

pitwolf
  • Topic Starter

  • Members
  • 13 posts

Posted 01 July 2013 - 02:58 AM

We will try this again....Should be there now....

Attached Files



#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 01 July 2013 - 08:49 AM

Looks good!

 

 

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.





