
Possible infection...


14 replies to this topic

#1 Hansth

Posted 02 August 2013 - 02:44 AM

Hi,

Starting to suspect that I'm infected...

Combofix won't run... It starts its decompression of files, but I get repeated messages that pev.3xe has stopped working in the latter half of the decompression, and the Combofix window never appears.

Also I noticed that a renamed version of combofix.exe on the desktop stays, whereas a downloaded version that was not renamed suddenly disappeared from desktop.

I've scanned with malwarebytes and McAfee without finding anything.

 

Tried to run Combofix in safe mode, but it won't start (without the "pev.3xe has stopped working" messages, though).

Tried running rkill.exe first also, but didn't help...

 

Anyone care to walk me through ? :-)

 

br,

Hans




#2 GodfatherKing

Posted 02 August 2013 - 02:50 AM

:welcome:

 

If EEK won't start, run Rkill first.

 

:step1: Download Emsisoft Emergency Kit

  • Open Emsisoft Emergency Kit by double-clicking Start.exe.
  • A new window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Deep Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply

If you have received help from me and I haven't responded to you for 3 or more days, send me a Private Message.  :hello:


#3 Hansth (Topic Starter)

Posted 02 August 2013 - 04:11 AM

Emsisoft Emergency Kit - Version 4.0
Last update: 02.08.2013 09:56:37
User account:

Scan settings:

Scan type: Deep Scan
Objects: Rootkits, Memory, Traces, C:\

Detect Riskware: Off
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start: 02.08.2013 09:57:58
Value: HKEY_CLASSES_ROOT\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\INPROCSERVER32 -> ASSEMBLY  detected: Trace.Registry.SEO Toolbar (A)
Value: HKEY_CLASSES_ROOT\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\INPROCSERVER32 -> CLASS  detected: Trace.Registry.SEO Toolbar (A)
Value: HKEY_CLASSES_ROOT\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\INPROCSERVER32 -> RUNTIMEVERSION  detected: Trace.Registry.SEO Toolbar (A)
Value: HKEY_CLASSES_ROOT\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\INPROCSERVER32 -> THREADINGMODEL  detected: Trace.Registry.SEO Toolbar (A)
Value: HKEY_CLASSES_ROOT\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113} -> HELPTEXT  detected: Trace.Registry.SEO Toolbar (A)
Value: HKEY_CLASSES_ROOT\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113} -> MENUTEXT  detected: Trace.Registry.SEO Toolbar (A)

Scanned 646234
Found 6

Scan end: 02.08.2013 11:07:55
Scan time: 1:09:57

Value: HKEY_CLASSES_ROOT\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\INPROCSERVER32 -> ASSEMBLY Quarantined Trace.Registry.SEO Toolbar (A)
Value: HKEY_CLASSES_ROOT\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\INPROCSERVER32 -> CLASS Quarantined Trace.Registry.SEO Toolbar (A)
Value: HKEY_CLASSES_ROOT\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\INPROCSERVER32 -> RUNTIMEVERSION Quarantined Trace.Registry.SEO Toolbar (A)
Value: HKEY_CLASSES_ROOT\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\INPROCSERVER32 -> THREADINGMODEL Quarantined Trace.Registry.SEO Toolbar (A)
Value: HKEY_CLASSES_ROOT\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113} -> HELPTEXT Quarantined Trace.Registry.SEO Toolbar (A)
Value: HKEY_CLASSES_ROOT\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113} -> MENUTEXT Quarantined Trace.Registry.SEO Toolbar (A)

Quarantined 6


Edited by Hansth, 02 August 2013 - 04:12 AM.


#4 GodfatherKing

Posted 02 August 2013 - 04:44 AM

:step1:  Running TDSSKiller to obtain log

 

Note: Don't cure or delete any threat; choose Skip for all instead.

  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters
  • In the Additional options: check Detect TDLFS file system
  • Click Start Scan and allow the scan process to run
  • Choose Skip for all threats.
  • Click Continue
  • Please post the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)

===================================================

 

:step2: ESET Online Scanner

==================

Note: If your AV is blocking Eset online scanner, please temporarily disable your AV.

 

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and » UNCHECK "Remove found threats" <== Important
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. (If no malware was found you will not be presented with a log).
  • Click the Back button.
  • Click the Finish button.

===================================================




#5 Hansth (Topic Starter)

Posted 02 August 2013 - 05:09 AM

tdsskiller won't start....

 

ran rkill first... didn't help...

 

rkill log:

 

Rkill 2.5.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/02/2013 12:07:01 PM in x64 mode.
Windows Version: Windows 7 Enterprise Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Windows\SysWOW64\srvany.exe (PID: 2856) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

   [HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
   "EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Disabled

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Disabled

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 08/02/2013 12:07:17 PM
Execution time: 0 hours(s), 0 minute(s), and 16 seconds(s)
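The Rkill log above reports Windows Defender and the Windows Firewall disabled through registry values, and the WinDefend and wscsvc services set to Disabled. The following PowerShell is an example added here (it is not part of the thread and not Rkill's own code) that re-reads exactly those keys and services, so the state can be re-checked after cleanup or compared with what policy is meant to set. The key paths and value names are the ones printed in the log; the function name, the extra firewall profiles and the output format are my own choices.

```powershell
# Added example, not from the thread: re-check the tampering indicators Rkill printed.
# Registry paths and value names are taken from the Rkill log; run from an elevated prompt.
# Uses Get-WmiObject so it also works on Windows 7 / PowerShell 2.0.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }      # key or value absent
    return [int]$item.$Name
}

$findings = @()

# Rkill: [HKLM\SOFTWARE\Microsoft\Windows Defender] "DisableAntiSpyware" = dword:00000001
$defender = Get-RegistryDword 'HKLM:\SOFTWARE\Microsoft\Windows Defender' 'DisableAntiSpyware'
if ($defender -eq 1) { $findings += 'Windows Defender disabled: DisableAntiSpyware = 1' }

# Rkill: [HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile] "EnableFirewall" = dword:00000000
# The log shows only StandardProfile; checking all three policy profiles is my addition.
foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $fw = Get-RegistryDword "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$fwProfile" 'EnableFirewall'
    if ($fw -eq 0) { $findings += "Windows Firewall disabled by policy: $fwProfile EnableFirewall = 0" }
}

# Rkill: WinDefend and wscsvc not running, startup type Disabled
foreach ($svcName in 'WinDefend', 'wscsvc') {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
    if ($svc -eq $null) { $findings += "$svcName service not present"; continue }
    if ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running') {
        $findings += "$svcName StartMode=$($svc.StartMode) State=$($svc.State)"
    }
}

if ($findings.Count -eq 0) { 'No tampering indicators found.' } else { $findings }
```

One caveat before reading these as indicators of compromise: values under HKLM\SOFTWARE\Policies are written by Group Policy, and on Windows 7 a third-party antivirus such as the McAfee mentioned in the first post commonly turns Windows Defender off when it registers with Security Center. On a domain-joined Windows 7 Enterprise machine a hit here is a prompt to confirm with the administrator, not proof of tampering.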



#6 GodfatherKing

Posted 02 August 2013 - 05:19 AM

A strategy that may work:

 

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.



#7 Hansth (Topic Starter)

Posted 02 August 2013 - 05:30 AM

No success :-(

Also tried to download TDSSKiller anew and save as / rename to a .com file during download.

when I start it, I get the "working"-circle for a couple of seconds... then nothing... :'(



#8 GodfatherKing

Posted 02 August 2013 - 05:45 AM

Let's try from safe mode. Reboot  the computer into safe mode, then try again running TDSSKiller.




#9 Hansth (Topic Starter)

Posted 02 August 2013 - 06:05 AM

same result :'(

 

I see the process in TaskManager for a while...  10 seconds maybe.

then there's some other process there for a fraction of a second... and then

TDSSKiller.exe is gone.

The Process that's there for a brief instant looked like the MS error reporting... Werfault.exe ?



#10 GodfatherKing

Posted 02 August 2013 - 06:09 AM

It looks like something is blocking it, or some components needed to run it are missing.

Let's try Kaspersky Virus Removal Tool:

 

Please download and scan with the Kaspersky Virus Removal Tool from one of the following links and save it to your desktop.

Be sure to print out and read the instructions provided in:

  • Double-click the setup file (e.g. setup_11.0.0.1245x11_2012_18-23_13_03.exe) to install the utility.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • The required files will be extracted and installed...be patient, as this will take a few minutes.
  • At the 'Welcome!' windows, check the box next to I accept the license agreement and click Start.
  • A new window will open with two tabs (Automatic Scan and Manual Disinfection) and two icons on the right.
  • For a more comprehensive (but longer) scan, click the icon that looks like a round gear, click Scan Scope and place a check mark in the box next to Local Disk (C:).
    System memory, Hidden Startups and Disk boot sector boxes should already be checked by default.
  • Click on the 'Automatic Scan' tab, and click the green Start scanning button to begin.
  • The time to finish and percentage completed will show as the scan is in progress...Important! Do not use the computer during the scan.
  • If no threats are detected, exit the program.
  • If threats are detected, you will be prompted for action: Disinfect, or Delete if disinfection fails.
  • Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
  • After the scan finishes, if any threats are left unneutralized in the Scan window (red exclamation point), click the Neutralize all button.
  • Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
  • If advised that a special disinfection procedure is required which demands a system reboot, click the Ok button to close the window.
  • When finished, click the rectangular notepad icon > select Detected threats > click to highlight and click the Save icon to save the results as a text file...name it avptool.txt.
  • Copy and paste the report results of avptool.txt with any threats detected in your next reply.
  • When finished, follow these instructions on How to uninstall Kaspersky Virus Removal Tool.



#11 Hansth (Topic Starter)

Posted 02 August 2013 - 06:10 AM

This is from event-viewer when trying to run TDSSKiller:

 

(EventID: 1000 )

 

Faulting application name: tdsskiller.exe, version: 2.8.16.0, time stamp: 0x51190555

Faulting module name: tdsskiller.exe, version: 2.8.16.0, time stamp: 0x51190555

Exception code: 0xc0000005

Fault offset: 0x003543e0

Faulting process id: 0x888

Faulting application start time: 0x01ce8f6f5a961371

Faulting application path: C:\Users\jevhan02\Desktop\tdsskiller.exe

Faulting module path: C:\Users\jevhan02\Desktop\tdsskiller.exe

Report Id: a14070fa-fb62-11e2-a767-00ade1ac1c1a
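The Event ID 1000 record above names the faulting application, the faulting module and the exception code. The PowerShell function below is an example added here (not from the thread) that pulls the Application-log crash records for a given executable and extracts those three fields plus the module path, so repeated crashes of a tool can be compared without opening Event Viewer. The field labels are the ones visible in the record; the function name, its defaults and the regular expressions are my own.

```powershell
# Added example, not from the thread: summarise Application Error (Event ID 1000) records
# for one executable. Requires Get-WinEvent (PowerShell 2.0+ on Vista/7); run elevated
# if reading the log is denied.

function Get-AppCrash {
    param(
        [string]$Process = 'tdsskiller.exe',   # faulting application name to match (case-insensitive)
        [int]$MaxEvents = 50                    # how many recent Event 1000 records to scan
    )
    $filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Message layout, as shown in the post:
        #   Faulting application name: <exe>, version: ..., time stamp: ...
        #   Faulting module name: <module>, version: ..., time stamp: ...
        #   Exception code: 0x........
        #   Faulting module path: <path>
        $m = $e.Message
        if ($m -notmatch "(?m)^Faulting application name:\s*$([regex]::Escape($Process))") { continue }
        $module = if ($m -match '(?m)^Faulting module name:\s*([^,]+)')       { $matches[1].Trim() } else { '?' }
        $code   = if ($m -match '(?m)^Exception code:\s*(0x[0-9a-fA-F]+)')     { $matches[1] }        else { '?' }
        $path   = if ($m -match '(?m)^Faulting module path:\s*(.+?)\s*$')      { $matches[1] }        else { '?' }
        New-Object PSObject -Property @{
            Time       = $e.TimeCreated
            App        = $Process
            Module     = $module
            Exception  = $code
            ModulePath = $path
        }
    }
}

# Usage: list every recorded crash of tdsskiller.exe, newest first
Get-AppCrash -Process 'tdsskiller.exe' | Format-Table Time, Module, Exception, ModulePath -AutoSize
```

Exception code 0xc0000005 is STATUS_ACCESS_VIOLATION. When the faulting module is the executable itself, as in the record above, the fault was raised from the program's own image; if a third-party DLL were named as the faulting module, that would point directly at an injected hook. An injected DLL can still be the cause even when the executable is named, so this narrows the search rather than settling it.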



#12 Hansth (Topic Starter)

Posted 02 August 2013 - 07:40 AM

https://www.dropbox.com/s/5lh53kw4vlps2xa/avptool.txt

 

dunno if you'll be able to get this...  too large to post directly...

 

anyways... have to run now...  let's continue on Monday :-)


Edited by Hansth, 02 August 2013 - 07:41 AM.


#13 Hansth (Topic Starter)

Posted 05 August 2013 - 04:07 AM

Kaspersky found nothing.

 

Combofix is still getting "pev.3xe stopped working" during unpack, and won't start.

TDSSKiller still won't start.



#14 GodfatherKing

Posted 05 August 2013 - 05:05 AM

Because we are not able to identify your issue, I'm sending you to the specialized category for malware. An expert will help you there.

 

:step1: Read this topic: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

 

:step2: Post a new topic with the DDS-log http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

 

:step3: A malware expert will help you there. 




#15 Hansth (Topic Starter)

Posted 07 August 2013 - 02:51 AM

Did a little digging....

And think that this might not be malware...

but rather an incompatibility issue with "Digital Guardian" from Verdasys.

I will try to disable DG and then run Combofix and TDSSKiller...

 

Cheers,

Hans :)
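The last post suspects a resident endpoint agent rather than malware. One way to see which agents are actually loaded, as an example added here and not taken from the thread, is to list running kernel drivers whose image does not carry a Microsoft Authenticode signature; AV, DLP and EDR products install such drivers. The two functions and the output layout are my own; nothing in the block identifies Digital Guardian or any other product specifically, it only surfaces every non-Microsoft driver so the reader can compare the list against what is expected on the machine.

```powershell
# Added example, not from the thread: enumerate running kernel drivers that are not
# Microsoft-signed, to see which third-party agents (AV, DLP, EDR) are resident.
# Run elevated; uses Get-WmiObject so it works on Windows 7 / PowerShell 2.0 and later.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several forms; normalise to a Win32 path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                       # strip NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"        # "\SystemRoot\System32\..."
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # "system32\drivers\x.sys"
    return $p
}

function Get-ThirdPartyDriver {
    Get-WmiObject Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path -or -not (Test-Path $path)) { return }    # 'return' skips this item only
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<no embedded signature>' }
        if ($signer -like '*Microsoft*') { return }              # keep only non-Microsoft signers
        $ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
        New-Object PSObject -Property @{
            Name    = $_.Name
            Path    = $path
            Signer  = $signer
            Status  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Company = $ver.CompanyName
        }
    }
}

# Usage: one row per non-Microsoft running driver, grouped by vendor
Get-ThirdPartyDriver | Sort-Object Company, Name | Format-Table Name, Company, Status, Path -AutoSize
```

Two caveats when reading the output. Inbox Windows drivers are mostly catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature reports them as NotSigned and they appear here with no signer; look at Company and Path before reading anything into an entry under system32\drivers. And the list is only half of the picture: a user-mode agent can also inject a DLL into every process, so the Faulting module path from the Event ID 1000 record and the srvany.exe process that Rkill terminated on a heuristic (srvany is Microsoft's Resource Kit wrapper for running an arbitrary program as a service, so what it was wrapping is the interesting part) are worth checking alongside it.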





