
Expiro infection


  • This topic is locked
65 replies to this topic

#1 PlumAmp24

  • Members
  • 68 posts
  • OFFLINE
  • Local time:03:58 AM

Posted 10 July 2013 - 08:55 PM

Hello,

 

My Avast program went nuts when I clicked on a link from an email that I get regularly. Avast prompted me about a lot of normal-looking programs being infected. I thought they were false positives, but then I noticed that most of them were labeled "Win32:Expiro-CE" and one was labeled "Win32:Vitro". I looked them up and they appear to be serious, but I disconnected my computer from the internet and Avast seemed not to be detecting anything more. I did run Malwarebytes but it needed to update its virus definitions, so I connected back to the internet and let it download the new definitions; after that I disconnected and restarted the computer because Malwarebytes needed to. I ran Malwarebytes and it detected Trojan.FakeMS and Trojan.Agent; both got quarantined and deleted successfully. There are a total of six items that Malwarebytes found, so if that needs to be posted I'll copy the log from my main computer to the laptop.

 

I almost forgot: Avast picked up two supposed rootkits when I restarted my computer. They both looked like normal programs, but Expiro apparently does that.

 

That is all I got for now thanks for reading!

 

Sorry about the double post, the trackpad on this laptop is iffy.


Edited by PlumAmp24, 11 July 2013 - 01:49 AM.




#2 noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:05:58 PM

Posted 10 July 2013 - 09:16 PM

A quick, and not happy, intro into the infection -

We will only have a quick look to see if this helps. If you are still scanning after 4 hours post back, and we will upgrade the problem.

 

Vitro injects itself into ALL .exe files on your computer slowly and over time, making them unable to run. This includes Notepad, Paint, WordPad, Word, Excel, Outlook and Outlook Express, Quicken, Adobe products, all of your browsers, and any software you have installed.

 

Scan your machine with ESET OnlineScan
1. Hold down Control and click HERE to open ESET OnlineScan in a new window.
2. Click the ESET Online Scanner button.
3. NOTE: For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
   1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
   2. Double click on the ESET Online Scanner icon on your desktop.
4. Check "YES, I accept the Terms of Use."
5. Click the Start button.
6. Accept any security warnings from your browser.
7. Under scan settings, check "Scan Archives" and "Remove found threats".
8. Click Advanced settings and select the following:
   • Scan potentially unwanted applications
   • Scan for potentially unsafe applications
   • Enable Anti-Stealth technology
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this will take quite some time to download the program for a first time, and then download the updated database (2 to 3 hours is not unusual).
10. When the scan completes, click List Threats.
11. Click Export, and save the file to your desktop using a unique name, such as ESETScan.
    • Include the contents of this report in your next reply.
12. Click the Back button.
13. Click the Finish button.

 

 

Thank You -

EDIT - Reboot only after you post the logs back here -


Edited by noknojon, 10 July 2013 - 09:18 PM.
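The reply above describes a file infector that rewrites every .exe on the machine a little at a time. The practical way for a defender to see which binaries have been touched, and when the spread began, is to hash a clean tree once and re-scan against that manifest later. The script below is an added illustration of that baseline check; it is not part of this thread, and it is not code from Rkill, Avast, ESET or any other tool mentioned here. The suffix list it treats as "executable" and the temporary sample tree it builds (a couple of placeholder "MZ" files, one of which is then grown by a few bytes to mimic appended code) are constructed assumptions for the demo, not real malware behaviour.

```python
"""Baseline integrity check for executables (added example, not from the thread).

Records a SHA-256 manifest of every executable under a directory tree, then
re-scans and reports files whose contents changed, appeared, or vanished.
A file infector that writes itself into existing executables changes their
hash (and usually their size), so a second pass against a clean baseline
pinpoints exactly which binaries were modified.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Assumption for this example: which suffixes count as "executable".
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Return {relative_path: {"sha256": ..., "size": ...}} for executables under root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(EXECUTABLE_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return manifest


def save_baseline(manifest, path):
    """Persist the manifest with a timestamp so later diffs can be dated."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump({"created": datetime.now(timezone.utc).isoformat(),
                   "files": manifest}, handle, indent=2)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as handle:
        return json.load(handle)["files"]


def compare_to_baseline(baseline, root):
    """Re-scan root and classify each executable against the stored baseline."""
    current = build_baseline(root)
    report = {"modified": [], "new": [], "missing": [], "unchanged": []}
    for rel, entry in current.items():
        old = baseline.get(rel)
        if old is None:
            report["new"].append(rel)
        elif old["sha256"] != entry["sha256"]:
            # A hash change together with growth is the usual footprint of appended code;
            # the size delta is reported so the analyst can see how much was added.
            report["modified"].append((rel, entry["size"] - old["size"]))
        else:
            report["unchanged"].append(rel)
    for rel in baseline:
        if rel not in current:
            report["missing"].append(rel)  # e.g. moved to an AV quarantine
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: baseline a clean tree, then simulate on-disk changes."""
    with tempfile.TemporaryDirectory() as root:
        prog = os.path.join(root, "Program Files", "Editor")
        os.makedirs(prog)
        samples = (("editor.exe", b"MZ" + b"\x00" * 64), ("viewer.exe", b"MZ" + b"\x02" * 48),
                   ("help.dll", b"MZ" + b"\x01" * 32), ("readme.txt", b"docs"))
        for name, body in samples:
            with open(os.path.join(prog, name), "wb") as handle:
                handle.write(body)
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Simulated changes (constructed, not real malware): one binary grows by 16 bytes,
        # one new executable appears, one disappears.
        with open(os.path.join(prog, "editor.exe"), "ab") as handle:
            handle.write(b"\xcc" * 16)
        with open(os.path.join(prog, "update.exe"), "wb") as handle:
            handle.write(b"MZ")
        os.remove(os.path.join(prog, "help.dll"))

        return compare_to_baseline(load_baseline(baseline_path), root)


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {items}")
```

In real use the manifest has to come from a known-clean state (a fresh install, or a machine that the scanners above have already been run on) and be stored somewhere the infected host cannot rewrite, such as the flash drive discussed later in the thread; a baseline taken after the infection has started only tells you which files changed from that point on.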


#3 PlumAmp24

  • Topic Starter
  • Members
  • 68 posts
  • OFFLINE
  • Local time:03:58 AM

Posted 10 July 2013 - 09:41 PM

Does it infect image, music, or text files? What files does it not infect? Is it possible to back them up? Also, will this infect the thumb drive? I am not sure if I was clear that I only have a laptop to fix my main computer. So I should reconnect my main computer to the internet? I am really hesitant to reconnect. Now I am even more hesitant to do this: I tried mspaint and it gave me an error. Should I turn off my computer to stop it? Is it still salvageable? Update: Neither Firefox nor IE wants to open. Whatever I have to do must be done through the thumb drive, unless someone knows how to get my internet browsers back to working order.

 

Thanks for the fast response! 


Edited by PlumAmp24, 10 July 2013 - 10:40 PM.


#4 noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:05:58 PM

Posted 10 July 2013 - 10:35 PM

You can remove your other computer if the infected one will connect to the internet OK.

These are for the infected computer only -

 

Run this small program first -

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them.
NOTE: You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from safe mode.
When the scan is done Notepad will open with rKill log.
Post it in your next reply.
NOTE. rKill.txt log will also be present on your desktop.

 

 

Thanks -


Edited by noknojon, 10 July 2013 - 10:46 PM.


#5 noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:05:58 PM

Posted 10 July 2013 - 10:45 PM

EXTRA -

You are loading via the Flash drive and that is all -

A Flash Drive can be disinfected quite easily, so use whatever you can to install these programs -

 

 

Thanks -



#6 PlumAmp24

  • Topic Starter
  • Members
  • 68 posts
  • OFFLINE
  • Local time:03:58 AM

Posted 10 July 2013 - 11:03 PM

Thank you again, but I want to be clear on a couple of things that I left out because I was panicking on my first post.

I have Microsoft Windows XP Professional version 2002 service pack 3 

Now, from what I understand, I'll put Rkill onto the flash drive, transfer it to my main and run said programs on my main. Afterwards, for disinfecting the flash drive, will Avast or Malwarebytes do that?


Edited by PlumAmp24, 11 July 2013 - 01:50 AM.


#7 noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:05:58 PM

Posted 10 July 2013 - 11:35 PM

I can give the directions for that if needed.

It sounds like the infected computer will not connect to the internet at this time...

 

Thanks -



#8 noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:05:58 PM

Posted 10 July 2013 - 11:44 PM

This from the avast! forum -

Panda USB Vaccine - Antimalware and Vaccine for USB devices http://www.pandasecurity.com/homeusers/downloads/usbvaccine/
Use the Drive letter that suits your Flash Drive (I think they use the F: Drive, but many are the G or E Drive).
Follow the directions, but use Your Drive letter to suit -

Thanks -


#9 PlumAmp24

  • Topic Starter
  • Members
  • 68 posts
  • OFFLINE
  • Local time:03:58 AM

Posted 11 July 2013 - 01:33 AM

 

This from the avast! forum -

Panda USB Vaccine - Antimalware and Vaccine for USB devices http://www.pandasecurity.com/homeusers/downloads/usbvaccine/
Use the Drive letter that suits your Flash Drive (I think they use the F: Drive, but many are the G or E Drive).
Follow the directions, but use Your Drive letter to suit -

Thanks -

 

I tried the dds.com program so I could get the logs, and nothing happened when I transferred them from the infected main computer to the non-infected laptop. I still can't thank you enough for helping me out. I edited my DDS log into my first post.



#10 noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:05:58 PM

Posted 11 July 2013 - 01:36 AM

Please Delete the DDS logs or the topic will be moved to another forum area.

 

Read the Heading for this topic where you start these posts -

 

No DDS, OTL or ComboFix logs are to be posted in this forum area -

 

Thank You -

EDIT - The logs are useless as they are corrupted and incomplete -


Edited by noknojon, 11 July 2013 - 01:44 AM.


#11 noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:05:58 PM

Posted 11 July 2013 - 01:43 AM

This is the only log to be posted -

 

Please download MiniToolBox, save it to your desktop and run it.
Close any Firefox browsers you may have open.
Checkmark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go and copy / paste the result (Result.txt).



#12 PlumAmp24

  • Topic Starter
  • Members
  • 68 posts
  • OFFLINE
  • Local time:03:58 AM

Posted 11 July 2013 - 02:17 AM

I forgot to mention that I did a quick scan with Avast and that moved firefox.exe and iexplore.exe to the virus chest. I would also like to add that Avast stopped giving warnings; does that matter at all?

Also I am very sorry about that I have a very big headache from all of this. 


Edited by PlumAmp24, 11 July 2013 - 02:23 AM.


#13 noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:05:58 PM

Posted 11 July 2013 - 04:02 AM

Please continue with Post #4 and then move to Post #2

 

Thank You -



#14 PlumAmp24

  • Topic Starter
  • Members
  • 68 posts
  • OFFLINE
  • Local time:03:58 AM

Posted 12 July 2013 - 06:02 AM

Sorry for the long delay, I was backing up my files. Here is the Rkill log. I tried to run Firefox but I get this message.

 

"This application is run after a crash to report the problem to the application vendor. It should not be run directly" 

 

I just want to add this if it helps at all. Before running Rkill I checked mspaint to see if it was infected like the other exe programs, and it was: it didn't open, and Avast told me that some other exe programs got infected. But after I ran Rkill I tried again and it worked, though Avast told me another exe got infected.

 

 

Rkill 2.5.4 by Lawrence Abrams (Grinler)
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 07/12/2013 06:55:06 AM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\WINDOWS\system32\HPZipm12.exe (PID: 1884) [WD-HEUR]
 * C:\WINDOWS\system\HsMgr.exe (PID: 524) [WD-HEUR]
 * C:\WINDOWS\System32\alg.exe (PID: 2180) [WD-HEUR]
 
3 proccesses terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Reparse Point/Junctions Found (Most likely legitimate)!
 
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35 => C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 [Dir]
 
Checking Windows Service Integrity: 
 
 * Security Center (wscsvc) is not Running.
   Startup Type set to: Disabled
 
 * dmadmin [Missing Service]
 * ImapiService [Missing Service]
 * mnmsrvc [Missing Service]
 * NetDDE [Missing Service]
 * NetDDEdsdm [Missing Service]
 * RDSessMgr [Missing Service]
 * RpcLocator [Missing Service]
 * SCardSvr [Missing Service]
 * SysmonLog [Missing Service]
 * VSS [Missing Service]
 * WmiApSrv [Missing Service]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
 
Program finished at: 07/12/2013 06:55:52 AM
Execution time: 0 hours(s), 0 minute(s), and 45 seconds(s)

Edited by PlumAmp24, 12 July 2013 - 06:51 AM.


#15 noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:05:58 PM

Posted 12 July 2013 - 07:07 AM

Thanks

That shows what I expected - Can you run Post #2 now please -





