Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Heavily infected by Expiro


  • This topic is locked This topic is locked
33 replies to this topic

#1 Gneffio

Gneffio

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 10 July 2013 - 04:11 AM

Hi all, unfortunately yesterday I did a bad move, searching for a mod for rFactor (a Motorsport simulator) I went to an illegal software sites I think, I had a few browser tabs open and I didn't payed attention to what sites was asking me to execute a java program, I clicked on yes and the infection started.

My SO is Windows 7 SP1
SSD 60gb<--SO installed here
HDD 1Tb in 2 partition
D:<---program file, heavily infected
E:<---documents and manual backup files, some of the exe file are infected.
AVG free antivirus


What I've done so far:
After a couple of hour I've understood that I was infected I installed malwarebyte's anti malware and run a scan, he found some infection and then asked to reboot, done and no change.
Full system scan with AVG, found infected file but nothing changed.

I'm now running the AVG expiro removal tool and he tell me my system memory is infected so I have to perform a boot scan, doing it for the second time to save the log (forgot to do the 1st time...)
After the removal tool complete its work I will post the log.

What else should I do?
What log do you need?
Please help me, I can't perform a full system format because I have some important data in a partition that was infected too so I will be exposed to the infection after the format.

Thanks a lot for the help.

Ignazio

BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:24 AM

Posted 10 July 2013 - 04:13 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Download DDS and save it to your desktop from here or here or
here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs
DDS.txt
Attach.txt
Save both reports to your desktop.

 

 

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 Gneffio

Gneffio
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 10 July 2013 - 08:14 AM

Thanks a lot Marius for the fast response.

English is not my language too, mine is Italian so i hope we can understand each other in a good way.

 

1st, i've spent some hours to perform a full scan with the AVG Expiro removing tools (it was started before i started this topic) because system memory was infected. The log of the AVG Expiro removal tool is pratically empty, i will upload this too.

EDIT:I've also noticed that i cannot open the Uninstall windows under the control panel and my control center is not working (red cross on system tray icon) 

EDIT2: Now even AVG tel me "there are no active component"

 

 

Here are the logfile you asked me to perform.

 

Thanks again

Attached Files


Edited by Gneffio, 10 July 2013 - 08:30 AM.


#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:24 AM

Posted 10 July 2013 - 09:24 AM

I see you´ve already run combofix.

Please post up C:\combofix.txt


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 Gneffio

Gneffio
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 10 July 2013 - 09:33 AM

I've had run Combifix yesterday after I saw some remedy here,do I have to perform a new scan or just the "old" one?

anyway, here is the yesterday scan.

 

thanks again Marius

Attached Files


Edited by Gneffio, 10 July 2013 - 09:35 AM.


#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:24 AM

Posted 10 July 2013 - 09:55 AM

uh oh...looks bad. Let´s try to get this fixed:


Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Attached Files


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 Gneffio

Gneffio
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 10 July 2013 - 10:07 AM

I knew it was not a good situation, usually I'm able to manage by my self the little infections....

Anyway, after a failed start of Combofix (quitted at half point of intallation) it had done the scan

 

AVG still doesn't work, should i uninstall it and reinstall or not?

 

Anyway, again thanks Marius for taking the time to help me

 

Ignazio

Attached Files


Edited by Gneffio, 10 July 2013 - 10:09 AM.


#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:24 AM

Posted 10 July 2013 - 11:27 PM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Attached Files


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#9 Gneffio

Gneffio
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 11 July 2013 - 04:49 AM

Hi Marius,

Here is the combofix report.

 

Thanks

 

 

Ignazio

 

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

Attached Files



#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:24 AM

Posted 11 July 2013 - 05:10 AM

Search with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

Type the following in the edit box after "Search:"
 

ehsched.exe;mscorsvw.exe

Click Search button and post the log (Search.txt) it makes to your reply.


Edited by TB-Psychotic, 11 July 2013 - 05:10 AM.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#11 Gneffio

Gneffio
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 11 July 2013 - 05:16 AM

Ok, Scan performed, here is the results

 

Ignazio

Attached Files



#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:24 AM

Posted 11 July 2013 - 05:31 AM

Scan file(s) via VirusTotal

Please check the file in the code box via Virustotal

  • Click browse
  • copy the following into the search box

    C:\Windows\winsxs\amd64_netfx-mscorsvw_exe_b03f5f7f11d50a3a_6.1.7600.16385_none_acd03d9b9048bd78\mscorsvw.exe
    
  • and click open.
  • click Send File.
please be patinet until the file is uploade completely. If you get the message

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:
click on Reanalyse. Wait until Current status: Finished appears. Now, copy the link from within your browser´s adress bar and poste it here.

 

When finished, repeat the procedure with the following files and post up the links as well:

C:\Windows\winsxs\amd64_microsoft-windows-ehome-services-ehsched_31bf3856ad364e35_6.1.7600.16385_none_0167f08155bf1c81\ehsched.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\ehome\ehsched.exe

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#13 Gneffio

Gneffio
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 11 July 2013 - 05:49 AM

Hi again, the procedure was a bitt different from your explanation, but i mange to work it :)

Seems that only Avast can detect the virus, anyway here is the result in the requesting order:

 

https://www.virustotal.com/en/file/78431aac9d885219b3ce63aa03f1b18ee41f9ebdfd1a9600aef2e12614da0e0f/analysis/1373539447/

 

https://www.virustotal.com/en/file/ad67aac01605b7a84e019300efcbe3f2915015a6c52d7a38d916ff5903335a33/analysis/1373539545/

 

https://www.virustotal.com/en/file/b515da3dd9f93a8cf07ad26870e9f378641a50e5ba817a1f40df94c8d5582961/analysis/1373539615/

 

https://www.virustotal.com/en/file/78431aac9d885219b3ce63aa03f1b18ee41f9ebdfd1a9600aef2e12614da0e0f/analysis/1373539667/

 

https://www.virustotal.com/en/file/ad67aac01605b7a84e019300efcbe3f2915015a6c52d7a38d916ff5903335a33/analysis/1373539738/



#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:24 AM

Posted 11 July 2013 - 06:01 AM

Not easy to handle this fully...

 

 

ensure combofix is on your desktop.

Hit Windows-R and type the following:

 

combofix /killall /SysRst

 

Hit ok. Combofix should run and create another log which I need.

 

We have to replace the infected files but to do that, we have to find clean copies. This is a real, good old virus that infects legit files with its one code.


Edited by TB-Psychotic, 11 July 2013 - 06:01 AM.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#15 Gneffio

Gneffio
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 11 July 2013 - 07:37 AM

it took a whhile to perform the full scan, and also did a reboot itself, while i was waiting i did some reserch on the virus (from another device, not from the pc) and found this article http://blog.fortinet.com/W32-Kryptik-AX-tr---A-Masterful-FTP-Trojan/ well, i take it with philosophy, but i've taken the master of FTP virus! :) go big or go home?! :D Dang me!

 

here is the result of the combofix.

Not easy to handle this fully...

 

 

ensure combofix is on your desktop.

Hit Windows-R and type the following:

 

combofix /killall /SysRst

 

Hit ok. Combofix should run and create another log which I need.

 

We have to replace the infected files but to do that, we have to find clean copies. This is a real, good old virus that infects legit files with its one code.

 

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users