
Worm.Gamarue Infection - Georgi (B-boy/StyLe)


  • This topic is locked
19 replies to this topic

#1 masihemami

masihemami

  • Members
  • 9 posts

Posted 20 October 2013 - 08:42 PM

Dear Georgi,

My PC recently got infected by Worm.Gamarue. I followed your posts in the following link and tried to understand the fix process, but it seems that for each PC there is a unique fix process, and that is why I started a new topic to get my PC fixed with your help:

 

http://www.bleepingcomputer.com/forums/t/508515/usb-shortcut-created-and-all-files-transfered-to-it/

 

I have F-Secure Internet Security 2013, which does not detect this worm at all. My OS is Windows 7 Professional x64. I also tried Malwarebytes Anti-Malware to clean my PC. Although it detects some malware, it cannot delete it all. What I did is that I first disabled autorun with Microsoft Fix It to prevent this worm from spreading more and more on my external storage devices. Then, I installed MCShield 2 and made a log according to your instructions in the topic above. In addition, I ran OTL and made a log according to your instructions.

I would highly appreciate your kind help and attention. All the 3 logs are attached.

Best Wishes,

Masih

Attached Files


Edited by masihemami, 20 October 2013 - 08:44 PM.




#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 21 October 2013 - 04:16 AM

Hi,

 

 

Why do you think that your computer is infected with Gamarue? I noticed a few leftovers from the ZeroAccess rootkit, but I don't see any signs of Gamarue in the logs.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
  • I'll catch you tomorrow or later today since I am going to work right now.

 

Regards,

Georgi




#3 masihemami

masihemami
  • Topic Starter

  • Members
  • 9 posts

Posted 21 October 2013 - 07:53 AM

Dear Georgi,

 

I am amazed by how quickly you discovered the root of the problem, and also by the effort and time you put in to help people. I really appreciate it. I did so and the 2 logs are attached.

 

PS. The reason why I thought that my PC is infected with Gamarue is just that the signs described in the following topic (http://www.bleepingcomputer.com/forums/t/508515/usb-shortcut-created-and-all-files-transfered-to-it/) are exactly the same as what I encountered on my PC and flash drives. However, today at work, I noticed a somewhat similar infection on my friend's flash drive when I inserted it in a PC with Symantec Endpoint Protection. At first, I thought it might be the same infection as mine, but at that moment Symantec detected a trojan named "Downloader.Dromedan" and I was surprised that the name is not Gamarue. Anyway, I am not sure that my PC is infected by Gamarue. That was just a guess from the clues that I've got. I apologize for the wrong topic title. Hope that doesn't make a mess.

 

Again I say thanks from the bottom of my heart.

 

Wishing you all the best,

Masih

Attached Files



#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 21 October 2013 - 04:20 PM

Hi Masih,

 

 

Actually I found leftovers from Gamarue:

 

HKLM\...\Policies\Explorer\Run: [13633] - D:\PROGRA~3\LOCALS~1\Temp\mseacw.exe No File

 

 

(it's strange that OTL missed the entry, but it happens from time to time). I realized that you used outdated instructions for the scan with OTL; also, it's important that the scan is run from the affected user account, and these are some of the possible reasons why OTL failed to detect it. Anyway - we will sort the issues out. Please let me know if you set these proxy settings manually:

 

ProxyServer: http=127.0.0.1:8555;https=127.0.0.1:8555;ftp=127.0.0.1:9051

 

Also please let me know if you use HotSpot Shield or Babylon Translator, because they are considered adware and I recommend uninstalling them both.

 

Also you use a lot of pirated software:

 

S2 KMService; D:\Windows\SysWow64\srvany.exe [8192 2003-04-18] ()

 

127.0.0.1    localhost
127.0.0.1 activate.adobe.com
127.0.0.1 licensing.ultraedit.com
127.0.0.1       tonec.com
127.0.0.1       www.tonec.com
127.0.0.1       registeridm.com
127.0.0.1       3dns-5.adobe.com
127.0.0.1       adobe-dns.adobe.com
127.0.0.1       adobe-dns-2.adobe.com
127.0.0.1       adobe-dns-3.adobe.com
127.0.0.1       adobe.activate.com
127.0.0.1       activate.adobe.com
127.0.0.1       activate.wip3.adobe.com
127.0.0.1       activate.wip4.adobe.com
127.0.0.1       activate-sea.adobe.com
127.0.0.1       activate-sjc0.adobe.com
127.0.0.1       ereg.adobe.com
127.0.0.1       ereg.wip3.adobe.com
127.0.0.1       ereg.wip4.adobe.com

 

No wonder your computer was so severely infected. You use a lot of cracks. This is playing with fire though.

Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications like LibreOffice, OpenOffice, Kingsoft Office Suite Free 2013, SSuite Office - Accel Spreadsheet 8.10, SSuite Office - WordGraph 8.10 etc.

Malware writers just love cracks and keygens, and will often attach malicious code to them. By using cracks and/or keygens, you are asking for problems.

So my advice is - stay away from them!

 

I suggest you uninstall all illegal Adobe software (and any other illegal software).

 

 

 

Now please click Start Menu > All Programs > Accessories, right click on Command Prompt and select "Run as administrator".

Copy/paste the following text at the command prompt and press enter after each line:

sfc.exe /scanfile=c:\windows\system32\services.exe

findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcdetails.txt"

A txt file named sfcdetails.txt should appear on the desktop.

Upload it here and post the link to the log in your next reply.

Reboot the computer in order for the changes to take effect.

 

 

Next please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Regards,

Georgi


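The artefacts Georgi points out in the post above (a Policies\Explorer\Run entry launching from a Temp folder that no longer exists, a ProxyServer value that sends every scheme to a port on 127.0.0.1, and hosts-file lines that redirect licensing hostnames to loopback) are easy to miss when reading a long FRST log by eye. The following script is an added example, not code from this thread, from BleepingComputer or from the FRST tool: it scans a handful of constructed log lines modelled on the ones quoted above and reports those three signs so that an analyst can review them. The input format is an assumption loosely based on the quoted lines; real FRST logs contain many more line types, which the script simply ignores.

```python
"""Flag three triage signs in FRST-style log lines (added example, not FRST's own code)."""
import re
from typing import Dict, List, Optional, Tuple

# Addresses that make a hosts entry or proxy setting point back at the machine itself.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Names that legitimately map to loopback in every hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

PROXY_RE = re.compile(r"^\s*ProxyServer:\s*(.+?)\s*$")
POLICY_RUN_RE = re.compile(
    r"Policies\\Explorer\\Run:\s*\[(?P<name>[^\]]*)\]\s*-\s*"
    r"(?P<path>.+?)(?P<missing>\s+No File)?\s*$"
)

# Constructed sample input modelled on the entries quoted in post #4 (not a real log).
SAMPLE_LOG = r"""
HKLM\...\Policies\Explorer\Run: [13633] - D:\PROGRA~3\LOCALS~1\Temp\mseacw.exe No File
ProxyServer: http=127.0.0.1:8555;https=127.0.0.1:8555;ftp=127.0.0.1:9051
127.0.0.1    localhost
::1          localhost
# 127.0.0.1  commented.example.test
127.0.0.1 activate.adobe.com
127.0.0.1       tonec.com
"""


def hosts_redirects(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (address, hostname) for hosts-file lines that send a name to loopback.

    A line counts as a hosts entry only when its first token is a loopback address;
    anything after '#' is a comment and the standard local names are skipped.
    """
    found = []
    for raw in lines:
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in LOOPBACK:
            continue
        for name in parts[1:]:
            if name.lower() not in LOCAL_NAMES:
                found.append((parts[0], name.lower()))
    return found


def proxy_settings(lines: List[str]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Parse a WinINet-style ProxyServer value into {scheme: (host, port)}.

    The value is either 'host:port' (one proxy for everything, stored under 'all')
    or a ';'-separated list of 'scheme=host:port' pairs, as in the quoted log line.
    """
    result: Dict[str, Tuple[str, Optional[int]]] = {}
    for raw in lines:
        m = PROXY_RE.match(raw)
        if not m:
            continue
        for entry in m.group(1).split(";"):
            entry = entry.strip()
            if not entry:
                continue
            scheme, _, target = entry.partition("=")
            if not target:                      # bare 'host:port' form
                scheme, target = "all", scheme
            host, sep, port = target.rpartition(":")
            if not sep:                         # no port given
                host, port = target, ""
            result[scheme.strip().lower()] = (host.strip(), int(port) if port.isdigit() else None)
    return result


def loopback_proxies(proxies: Dict[str, Tuple[str, Optional[int]]]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Keep only proxy entries that route traffic through the local machine."""
    return {s: hp for s, hp in proxies.items() if hp[0] in LOOPBACK}


def policy_run_entries(lines: List[str]) -> List[dict]:
    """Parse Policies\\Explorer\\Run entries and mark the two signs the post points at:
    the target lives under a Temp folder, or the tool reported it as 'No File'."""
    entries = []
    for raw in lines:
        m = POLICY_RUN_RE.search(raw)
        if not m:
            continue
        path = m.group("path").strip()
        entries.append({
            "name": m.group("name"),
            "path": path,
            "missing": m.group("missing") is not None,
            "in_temp": "\\temp\\" in path.lower(),
        })
    return entries


def triage(log_text: str) -> dict:
    """Run all three checks over a log and return only the entries worth a second look."""
    lines = log_text.splitlines()
    return {
        "hosts_redirects": hosts_redirects(lines),
        "loopback_proxies": loopback_proxies(proxy_settings(lines)),
        "policy_run": [e for e in policy_run_entries(lines) if e["missing"] or e["in_temp"]],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A corporate proxy such as `proxy.corp.example:8080` parses fine but is not reported, because only entries whose host is a loopback address are kept; that is the distinction the post draws between a proxy the user configured and one an unwanted program planted.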


#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 24 October 2013 - 03:46 PM

Hi,

 

Are you still with me?

 

 

Regards,

Georgi




#6 masihemami

masihemami
  • Topic Starter

  • Members
  • 9 posts

Posted 26 October 2013 - 02:53 PM

Dear Georgi,

 

I apologize for the long delay. I was off my PC for a few days.

 

About the proxy, I haven't manually set any proxy server and I just use Hotspot Shield. I also have a cracked version of Babylon which should be removed, as you mentioned.

 

About the 2 commands in cmd, when I run the first one, I receive the following message: "Windows Resource Protection could not perform the requested operation."

and when I run the second command, an empty text document (sfcdetails.txt) is created on my desktop which does not have any information, so I did not have anything to paste on pastebin.com.

 

Finally, I ran the latest version of FRST and pressed the Fix button. Since the size of Fixlog.txt (100KB in zip format) was bigger than the size limit of the forum messages (19KB), I have uploaded this file here.

 

Again sorry for my late reply.

 

Best wishes,

Masih


Edited by masihemami, 26 October 2013 - 02:58 PM.


#7 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 26 October 2013 - 04:36 PM

Hi,

 

If sfc cannot run properly, that means that your OS is corrupted. We can still clean the infection, but repairing System File Checker is not an easy task, and if you need it you may need to reinstall Windows.

 

Go ahead and upload the following file for my review - C:\Windows\Logs\CBS\CBS.log

 

Also

  • Please re-run FRST again and type the following in the edit box after Search: services.exe
  • Click the Search button
  • It will make a log (Search.txt) - please post the log in your reply to me (you can use pastebin as well).

 

Regards,

Georgi




#8 masihemami

masihemami
  • Topic Starter

  • Members
  • 9 posts

Posted 27 October 2013 - 08:26 AM

Dear Georgi,

 

Thanks again for your kind attention. The logs are attached to my post.

 

Best Wishes,

Masih

Attached Files



#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 27 October 2013 - 08:56 AM

Hi Masih,

 

 

Next please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Also please re-run FRST and attach the newest log files to your next reply.

 

 

Regards,

Georgi




#10 masihemami

masihemami
  • Topic Starter

  • Members
  • 9 posts

Posted 27 October 2013 - 09:51 AM

Dear Georgi,

 

I do not have the proper word to use for expressing my feeling right now. I hope that the universe will compensate for you in some way if I cannot do so. I have attached the Fixlog.txt in addition to the newest log of FRST.

 

PS. The file Addition was uploaded here due to file size limitations.

 

Best Wishes,

Masih

Attached Files



#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 27 October 2013 - 10:21 AM

Hi Masih,

 

 

Nice work! :)
Let's check for leftovers.

Most of them should take no more than 5 minutes each.

 

 

 

STEP 1

 

  • Please download RKill by Grinler from the link below and save it to your desktop.
    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 2




  • Please download RogueKiller.exe and save it to the desktop.
  • Close all windows and browsers.
  • Right-click the program and select 'Run as Administrator'.
  • Press the Scan button.
  • A report opens on the desktop named RKreport.txt.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 3



Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes, then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 4




  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded, go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location, then copy and paste the results at pastebin.com and post the link to the log in your next reply.




STEP 5



Please download Farbar Service Scanner and run it on the computer with the issue.


  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

Regards,

Georgi




#12 masihemami

masihemami
  • Topic Starter

  • Members
  • 9 posts

Posted 27 October 2013 - 03:35 PM

Dear Georgi,

 

Thanks a ton! The logs are linked step by step:

 

Step 1: Link

Step 2: Link

Step 3: Link 1, Link 2

Step 4: Link

Step 5: Link

 

All the best,

Masih



#13 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 28 October 2013 - 06:55 PM

Hi Masih,

 

 

Next let's try to fix the broken services.


Backup Your Registry

 


 

Now download the following files and save them to your desktop:

 

iphlpsvc.reg

 

fix.reg

 

Now double click on each of them one by one. An information box will pop up asking if you want to merge the information in the file into the registry, click YES.

 

  • Next please download the ESET ServicesRepair utility and save it to your Desktop.
  • Double-click ServicesRepair.exe to run the ESET ServicesRepair utility.
  • If you are using User Access Control, click Run when prompted and then click Yes when asked to allow changes.
  • Reboot the computer and then please attach fresh logs from Farbar Service Scanner.

 

 

Also please re-run RogueKiller.
Wait until Prescan has finished.
Click on Scan.
Now click the Fix Proxy button.
When it is finished, there will be a log on your desktop.
Post the newest log in your next reply.

 

 

And finally it's a good idea to immunize the computer against future autorun threats.

Please download the USBFix tool from here. Make sure that your flash drive is connected to the computer and MCShield 2 is active.

Run the tool, press the Vaccinate button and wait for the process to complete.

Now press the Research button and wait for the tool to create a log file.
Now press the Listing button and wait for the tool to create a log file.

Attach both reports to your next reply.

 

 

 

Regards,

Georgi




#14 masihemami

masihemami
  • Topic Starter

  • Members
  • 9 posts

Posted 29 October 2013 - 10:52 AM

Dear Georgi,

 

Again thanks. All the logs are zipped and uploaded to this link.

 

All the best,

Masih



#15 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 30 October 2013 - 06:21 AM

Hi Masih,

 

We are almost done.

 

Please download Windows Repair (all in one) from here

Install the program then go to step 4 and create a new system restore point and new registry backup.

On the Start Repairs tab => click Start

Click on the Select All button and then click on Start

DON'T use the computer while each scan is in progress.

Restart may be needed to finish the repair procedure.

Post new Farbar Service Scanner log.

 

Thanks!

 

 

Regards,

Georgi






