
Trojan horse hider.mpr infection


  • This topic is locked
57 replies to this topic

#1 Meerkatmaz

  • Members
  • 30 posts

Posted 20 December 2013 - 07:02 PM

Hi there,

I appear to have been infected by the above malware which is causing my laptop all sorts of problems (I'm using another device to write this post).

I note that you have resolved this issue for several people in the past although every case looks slightly different and I'd be very grateful if you are able to help me.

I'm running windows vista with AVG security which picks up the threat each time the machine is restarted. I believe the first thing I need to do is provide you with a DDS log but I'm unsure how to do this as the malware is preventing me from accessing your site on my infected device. Apologies but you'll probably have to explain everything very carefully to me but I will follow everything to the letter.

Rather than provide you with random information which may not be relevant, can you tell me what I can do to get the initial information to you please?

Thank you.


#2 Conspire

  • Malware Response Team
  • 1,155 posts
  • Gender:Male

Posted 22 December 2013 - 05:28 AM

In any case where you happen to be busy or unable to give us a reply, we would be grateful if you keep us informed in advance and we will be more than happy to wait. Failure to do so we will have your thread closed in THREE(3) days.

:)


Hello there, Meerkatmaz

:welcome:

I'm Conspire, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Read the entire procedure
  • It is important to perform ALL actions in sequence.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with me till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
IMPORTANT NOTE: Please do not delete anything unless instructed to. Remember to back up all your important data (if possible) before moving on.

---------------------------------------------------------------------------------------------------

You mention that AVG picks up a threat. Can you tell me what they are?

---------------------------------------------------------------------------------------------------
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may donate.

#3 Meerkatmaz
  • Topic Starter

Posted 22 December 2013 - 06:06 AM

Hi Conspire,

The AVG detection is as follows:
Threat: Trojan horse Hider.MPR
Object name: c:\Users\Innes\AppData\Local\Temp\wfamnjky.sys
Severity: High
State: Infected
Identified by: Resident Shield

Extended element information:
Process Name: c:\Windows\System32\services.exe
Process id: 912
Username: SYSTEM
Session id: 0

Found registry key with reference to infected file c:\Users\Innes\AppData\Local\Temp\wfamnjky.sys

In addition, my Windows Security Center has been disabled and I'm unable to turn the service back on.

Thank you,
M
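A defender-side check that matches the shape of the detection above (a random-named .sys under a user's AppData\Local\Temp, referenced from a service registry key and loaded through services.exe). This is an added example, not something from the thread or from AVG: run in an elevated PowerShell on the affected machine, it lists every service or driver whose ImagePath points into a Temp directory and whether the referenced file still exists. The directory regex and the output fields are this example's own choices.

```powershell
# Added example, not from the thread: enumerate service/driver registry entries
# whose ImagePath points into a Temp directory. The AVG report above describes
# exactly this shape (a random-named .sys under AppData\Local\Temp referenced
# from a service key). Run in an elevated PowerShell on the affected machine.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Locations of interest; an assumption of this example, extend as needed
$suspiciousDirs = '\\AppData\\Local\\Temp\\|\\Windows\\Temp\\'

$findings = Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $imagePath = [string]$props.ImagePath
    if ([string]::IsNullOrWhiteSpace($imagePath)) { return }

    # Expand %SystemRoot% etc. and drop the \??\ prefix kernel drivers often carry
    $expanded = [Environment]::ExpandEnvironmentVariables($imagePath) -replace '^\\\?\?\\', ''
    if ($expanded -notmatch $suspiciousDirs) { return }

    # Separate the executable path from any arguments so Test-Path is meaningful;
    # the service key can outlive the file, which is what AVG flagged above
    $file = if ($expanded -match '^"([^"]+)"') { $Matches[1] } else { ($expanded -split '\s+[-/]')[0] }

    [PSCustomObject]@{
        Service    = $_.PSChildName
        Type       = $props.Type    # 1 = kernel driver, 2 = file-system driver, 16/32 = Win32 service
        Start      = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath  = $expanded
        FileExists = Test-Path -LiteralPath $file
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No service ImagePath points into a Temp directory.' }
```

A boot- or system-start kernel driver (Type 1, Start 0 or 1) living in a Temp folder is the combination worth escalating; a missing file with a surviving key is the state AVG described.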

#4 Conspire
  • Malware Response Team

Posted 22 December 2013 - 06:41 AM

Hello,

Thanks for the information. On top of your DDS, I need you to do these as well.

Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • Allow it to update where necessary
  • Click Scan
    • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
    • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.
===================================================

Download TDSSKiller.exe and save it to your desktop.

Execute TDSSKiller.exe by double-clicking on it.
Press Start Scan.
If Malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt

===================================================

In your next reply please post:
DDS log
aswMBR log
MBR.dat (attached)
TDSS Killer log



Please STOP and let me know if you have any problems performing the steps above or any questions you may have.

Good Day!

#5 Meerkatmaz
  • Topic Starter

Posted 22 December 2013 - 11:29 AM

Hi, I've completed the above request and have the 4 logs available but don't seem to be able to upload them into this post (can't find the 'attachment' button). Therefore, would you like me to post the output from each log directly onto this thread? Or can you advise how to upload an attachment?

Thank you.



#6 Meerkatmaz
  • Topic Starter

Posted 22 December 2013 - 11:33 AM

Apologies, ignore the last post - I've just realised I can attach the logs after all. Here they are:

Attached files: DDS Log.txt (10.03KB), aswMBR.txt (1.72KB), MBR.zip (569 bytes), TDSSKiller.2.8.16.0_22.12.2013_16.11.05_log.txt (120.73KB)

Thank you.



#7 Conspire
  • Malware Response Team

Posted 22 December 2013 - 12:37 PM

The DDS log is the Extra log and it's not the one I need. Do you have the other log, located on your desktop?

#8 Meerkatmaz
  • Topic Starter

Posted 22 December 2013 - 01:02 PM

> The DDS log is the Extra log and it's not the one I need. Do you have the other log, located on your desktop?

Hi,

When DDS completed, the pop up box stated:

"DDS has created 1 log file.

1. attach.txt (must be zipped, then attached to your forum post)"

It didn't create a dds.txt file although this option was selected when starting the DDS scan (I didn't touch the default options). These were set as follows:

Scan - checked
dds.txt - checked (but not produced)
attach.txt - checked (sent to you earlier)
options for dds.txt - checked
check MBR - checked
extend search period - unchecked
Force scan all domains - unchecked
disable whitelist - unchecked

Thanks again,

M



#9 Meerkatmaz
  • Topic Starter

Posted 22 December 2013 - 05:15 PM

Hi again Conspire,

Upon reviewing that I had carried out the correct action to produce the dds, I realised that I had not temporarily disabled my AVG. I did this and reran the dds - it produced the dds.txt file this time round - therefore I've zipped it and attached it here.

Attached file: dds.zip (4.13KB)

Hopefully this is the one you are after - I await your further advice.

Thanks,

M



#10 Conspire
  • Malware Response Team

Posted 22 December 2013 - 11:15 PM

Hello,

Yes, that's the one I need. Thanks! :)

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Refer to the ComboFix User's Guide


Download ComboFix from one of these locations:

Link 1
Link 2



IMPORTANT: Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs


====================================================


Double click on ComboFix.exe and follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

#11 Meerkatmaz
  • Topic Starter

Posted 23 December 2013 - 02:35 PM

Hi Conspire,

I've downloaded ComboFix and saved it to my desktop.

I double clicked the icon to start and the ComboFix Disclaimer popped up for approx. 1 second then disappeared. I double clicked the icon again, the disclaimer window appeared again and I clicked "I agree". The disclaimer window then disappeared and nothing appears to be happening - there is no blue window, it doesn't seem to be installing itself and doesn't seem to be preparing to run. :huh:

Is there anything I can check to see if it is actually running?

Thank you.



#12 Meerkatmaz
  • Topic Starter

Posted 23 December 2013 - 02:55 PM

Just to confirm - my anti-virus was disabled when I tried running ComboFix. It looks to me like the process was possibly killed immediately after starting - but I don't want to touch / check anything without your guidance (I'm posting this message from another machine).

Thanks.



#13 Conspire
  • Malware Response Team

Posted 23 December 2013 - 10:14 PM

Try running ComboFix in safe mode.

Reboot your computer in Safe Mode
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in on your usual account.
Tutorial if you need it: How to boot into Safe Mode

#14 Meerkatmaz
  • Topic Starter

Posted 24 December 2013 - 03:17 AM

Hi,

I started the computer in Safe Mode and tried running ComboFix again. No success I'm afraid.

When I double clicked ComboFix a scan window popped up for <1 second then disappeared. Again, it looks like the process was somehow killed immediately after starting.

I await your next advice.

Thanks,

M



#15 Conspire
  • Malware Response Team

Posted 24 December 2013 - 07:20 AM

Hi,

Before doing anything, I would like you to create a system restore point just in case anything happens. We will skip ComboFix for now.
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

===================================================

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Right-click FRST then click "Run as administrator" (XP users: click Run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.
  • Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt, into your next reply.

Edited by Conspire, 24 December 2013 - 07:20 AM.

