Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Very persistent win32k.sys hooking and more


  • This topic is locked This topic is locked
19 replies to this topic

#1 STRANGEDAYZ

STRANGEDAYZ

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 01 July 2013 - 05:24 AM

I can't seem to figure out the source of this for the life of me which is disturbing because usually I'm great with this. A lot of tools don't seem to be able to find anything and I have cleared the mbr and updated the cmos to a fresh new version. I've taken a good look at the autoruns util from Sysinternals (now M$), ran sfc from a boot disk, tdsskiller didn't find anything, I've run MBAM,aswmbr, and gmer can't restore the code to win32k only without a bsod.. Sophos is running and I've included the gmer report along with aswmbr which found traces of zeroaccess as notepad.exe in my temp folder. Please advise.

 

 

gmer.log http://pastebin.com/3hTTDyWf

 

 

Attached Files



BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:03 AM

Posted 01 July 2013 - 09:08 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Download DDS and save it to your desktop from here or here or
here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs
DDS.txt
Attach.txt
Save both reports to your desktop.

 

 

 

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-***.txt . Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 STRANGEDAYZ

STRANGEDAYZ
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 02 July 2013 - 02:18 AM

Thank you very much for your assistance. I have attached the requested logs. No malware found from mbar and I did update it.

Attached Files



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:03 AM

Posted 02 July 2013 - 02:23 AM

don´t change logfiles!

 

 

Combofix


Combofix should only be run when adviced by a team member!


Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 STRANGEDAYZ

STRANGEDAYZ
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 02 July 2013 - 03:34 AM

ok here is combofix

Attached Files


Edited by STRANGEDAYZ, 02 July 2013 - 03:35 AM.


#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:03 AM

Posted 02 July 2013 - 03:49 AM

Please check the file in the code box via Virustotal

  • Click browse
  • copy the following into the search box

    C:\win32k.sys
    
  • and click open.
  • click Send File.
please be patinet until the file is uploade completely. If you get the message

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:
click on Reanalyse. Wait until Current status: Finished appears. Now, copy the link from within your browser´s adress bar and poste it here.

 

Repeat that procedure with the following files:

 


C:\autoruns.exe

C:\autorunsc.exe

 


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 STRANGEDAYZ

STRANGEDAYZ
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 02 July 2013 - 03:51 AM

Win32k.sys is a copy I already analyzed, I mentioned earlier it was clean on virus total ( I did reanalyis ) Autoruns and Autorunsc are tools for viewing startups and I downloaded them directly from microsoft. Very puzzling infection..



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:03 AM

Posted 02 July 2013 - 04:09 AM

Please upload C:\Users\jane sebille\AppData\Local\Temp\notepad.exe here:

 

http://www.bleepingcomputer.com/submit-malware.php?channel=156


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#9 STRANGEDAYZ

STRANGEDAYZ
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 02 July 2013 - 04:18 AM

I am sorry to say that I used MBAM to clean this file from my PC before I made the post but it was identified by a scanner as "zeroaccess"



#10 STRANGEDAYZ

STRANGEDAYZ
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 02 July 2013 - 04:29 AM

I can try to undelete



#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:03 AM

Posted 02 July 2013 - 04:34 AM

You told us that you removed several items with Malwarebytes´ Antimalware. This tool creates a log on every run and we need to see them.
  • The logs can be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Zip any and all of these logs and attach the file to your next reply.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#12 STRANGEDAYZ

STRANGEDAYZ
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 02 July 2013 - 05:07 AM

Attached as requested sir.

Attached Files



#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:03 AM

Posted 02 July 2013 - 08:35 AM

Please go to here to run the online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

 

 

 

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#14 STRANGEDAYZ

STRANGEDAYZ
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 04 July 2013 - 12:33 PM

ESET: C:\Users\Public\Pictures\Sample Pictures\TelevisionFanatic.exe    Win32/AdInstaller application
 

 

Attached Files

  • Attached File  FSS.txt   2.81KB   2 downloads

Edited by STRANGEDAYZ, 04 July 2013 - 12:34 PM.


#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:03 AM

Posted 05 July 2013 - 12:47 AM

Navigate to the directory where you extracted mbar to.
Open the plugins folder and run fixdamge.exe by doubleclick.
Reboot and post up a new fss log.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users