Possible rat


46 replies to this topic

#1 Zazotazo

  • Members
  • 30 posts

Posted 25 February 2014 - 08:53 PM

Merged all topics - Hamluis.

 

I've got a computer connected to the internet by WLAN (Win7 Ultimate) and a notebook (Win7 Home Basic) via Wi-Fi. A couple of days ago some weird stuff happened, so I called the specialist.
He was able to install AdwCleaner and ComboFix, but he couldn't fight the virus and took the notebook home.
I've been taking a look at the desktop and I found a problem related to remote access (rpcss via PPTP and L2TP). I deleted some viruses like 360HookOem.sys, 360FileOem.sys, 360RegOem.sys, 360HookOem.dll (and I also found catchme.dll).
I was unable to use browsers for a long time, but right now the virus has taken away almost all my administration tools, such as the internet and running some .exe files (like the pandava installer).
I've tried to create a new administrator user through the control userpasswords2 settings, but it was unable to even access the C:\ drive.
In user management I found my user and two others: Administrador and Convidado (Guest), and lots of group services.
I've run HijackThis but can't post the log since the computer doesn't access the web anymore.
I also tried my available tools (AdwCleaner, ComboFix and CCleaner full mode), but all of them registered a couple of viruses like .vir, spdt.sys and stuff that were moved to quarantine, and none of the programs is able to find the dangerous malware.

I also made some notes of weird files I've found: swt-win32-374.swg
UIADesktopToggle
lsass.exe
winit.exe (not sure if it's spelled right)
Ax_files.xml
The processes when I turn the computer on are pretty much explorer.exe (even when I'm not using it), windefend.exe (but the firewall and Windows Update are off and I'm not able to turn them on), rpcss.exe and some described as "host for windows" programs.

Please, I'm really worried about this problem; I hope someone can tell me my next step.


Edited by hamluis, 26 February 2014 - 03:02 PM.
Moved from MRL to Am I Infected - Hamluis.



#2 Zazotazo

  • Topic Starter

Posted 25 February 2014 - 09:08 PM

I really need assistance.

#3 Zazotazo


Posted 25 February 2014 - 09:28 PM

Is it possible that it's "The Mask" virus?

#4 Zazotazo


Posted 26 February 2014 - 10:22 AM

Merged all posts - Hamluis.

 


Will it help if I remove the admin group from my user in control userpasswords2? If I delete the others, will it be useful? Please, I'm really worried about this problem; I hope someone can tell me my next step.


Edited by hamluis, 26 February 2014 - 03:01 PM.
Moved from MRL to Am I Infected - Hamluis.


#5 Zazotazo


Posted 26 February 2014 - 01:55 PM

JUST THANKING YOU FOR COMPLETELY IGNORING ME SINCE I HAVE NO ACCESS TO LOGS =]]]

Just saying you have limitations would be way better than IGNORING my possible RAT post.
THANKS for making me reload my page a thousand times since yesterday for nothing =]


Edited by hamluis, 26 February 2014 - 02:52 PM.
Merged with AII topic - Hamluis.


#6 Budapest

  • Bleepin' Cynic
  • Moderator
  • 23,571 posts

Posted 26 February 2014 - 02:44 PM

You only waited about 3 hours before complaining that your post was ignored. We generally respond to posts in time order, and there are still 4 people who posted before you who have not yet received a reply. You just need to be more patient.

 

I can remember when times were busy that there were hundreds of people waiting for a reply and it would take well over a week. We only have a limited number of volunteers here.


The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#7 Zazotazo


Posted 26 February 2014 - 02:53 PM

I wanted to say I'm really sorry for being rude; it wasn't actually necessary. The thing is, it's a progressing virus and I'm worried.
My original post was: http://www.bleepingcomputer.com/forums/t/525725/win7-issues/ which after two hours had no answer, while the guy who posted a couple of minutes after me was attended to.
Then I posted a second topic in case you'd been confused by my comments: http://www.bleepingcomputer.com/forums/t/525733/win7-horrible-issues/ which has apparently been removed.


Once again, I'm sorry for being rude, but I don't like to be made a fool of.

#8 xXToffeeXx

  • Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,015 posts
  • Location: The Arctic Circle

Posted 26 February 2014 - 03:15 PM

Hi,

 

I believe all your posts have been merged together to reduce confusion for those trying to help you, hence why you cannot see the threads.

 

This thread should explain why posts are not answered in order: http://www.bleepingcomputer.com/forums/t/515734/why-arent-threads-answered-in-order/?p=3220084

 

You are not being made a fool at all, that is not how we work here. Being patient will help you, and quite a few of us who help out here first came with a malware problem so we know how it feels.

 

Anyway, since you have run ComboFix, it would be best to follow these instructions (sorry for all the moving around and having to repost, but certain logs can only be analysed by certain trained members):

 

Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created (make sure to include the ComboFix log, probably located at C:\ComboFix.txt; if you have other logs, then include them too), make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

 
xXToffeeXx~


Edited by xXToffeeXx, 26 February 2014 - 03:16 PM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#9 Zazotazo


Posted 26 February 2014 - 03:26 PM

My desktop's not connecting to the Internet anymore, so I can't download programs or upload logs.
This is pretty much about administration issues on Windows. About that "control userpasswords2" I once mentioned: would it be safe if I removed the Administrators group from my user? Is there any way I can delete the other users and groups in order to access the Internet once again?

You have no idea how thankful I am for your services. Sorry for my confusion.

#10 xXToffeeXx


Posted 26 February 2014 - 03:35 PM

Hi,

 

You mention another laptop which has Internet access; if you have a USB stick or a CD you can transfer the logs that way.



You need at least one user with administrator rights on your computer, and as long as the users are not the default Administrator or Guest accounts then yes, you can delete them. I'm not sure it will solve the Internet problem though; that's likely something else, I think.

 

It's okay, don't worry about it.

 

xXToffeeXx~


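The advice above (keep at least one working administrator, never delete the built-in Administrator or Guest accounts, everything else is fair game) is easy to get wrong on a localised Windows 7 install where the accounts are called "Administrador" and "Convidado". The script below is an added example, not something posted in this thread or part of BleepingComputer's guides: it lists every local account, marks the built-in ones by their SID (RID 500 is always Administrator and RID 501 is always Guest, whatever they are named), looks up the Administrators group by its well-known SID S-1-5-32-544 rather than its localised name, and only prints removal candidates instead of deleting anything. It uses the ADSI WinNT provider because the LocalAccounts cmdlets do not exist on Windows 7's PowerShell 2.0; run it from an elevated PowerShell.

```powershell
# Added example, not from the thread: audit local accounts before deleting any.
# Works on PowerShell 2.0 (Windows 7) via the ADSI WinNT provider. Run elevated.

$computer = $env:COMPUTERNAME
$users = @()
foreach ($u in ([ADSI]"WinNT://$computer").Children | Where-Object { $_.SchemaClassName -eq 'user' }) {
    # objectSid is a raw byte array; SecurityIdentifier renders it as S-1-5-21-...-RID
    $sid = New-Object System.Security.Principal.SecurityIdentifier($u.objectSid[0], 0)
    $rid = [int]($sid.Value.Split('-')[-1])
    # UserFlags bit 0x2 is ACCOUNTDISABLE
    $disabled = ($u.UserFlags[0] -band 2) -ne 0
    $users += New-Object PSObject -Property @{
        Name     = $u.Name[0]
        SID      = $sid.Value
        Disabled = $disabled
        BuiltIn  = ($rid -eq 500 -or $rid -eq 501)   # 500 = Administrator, 501 = Guest, regardless of display name
    }
}

# Resolve the Administrators group through its well-known SID so the localised
# name (e.g. "Administradores") does not matter.
$adminSid       = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$adminGroupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group  = [ADSI]"WinNT://$computer/$adminGroupName,group"
$admins = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

foreach ($u in $users) {
    $u | Add-Member -MemberType NoteProperty -Name IsAdmin -Value ($admins -contains $u.Name)
}

$users | Sort-Object Name | Format-Table Name, SID, Disabled, BuiltIn, IsAdmin -AutoSize

# The reply's first rule: you need at least one enabled administrator left.
$activeAdmins = @($users | Where-Object { $_.IsAdmin -and -not $_.Disabled })
if ($activeAdmins.Count -lt 1) {
    Write-Warning "No enabled local administrator found: do not remove admin rights from your own account."
}

# The reply's second rule: built-in accounts stay; anything else that is not the
# account you log in with is a candidate. Nothing is deleted here.
$me = $env:USERNAME
$users | Where-Object { -not $_.BuiltIn -and $_.Name -ne $me } | ForEach-Object {
    Write-Host ("Candidate for removal (review first): {0}  admin={1} disabled={2}" -f $_.Name, $_.IsAdmin, $_.Disabled)
}
# After reviewing, an account is removed with:  net user <name> /delete
```

Two accounts that show BuiltIn = True and carry someone else's name are still the built-in accounts, so leave them alone; if the list shows only your own account plus those two, there is nothing to delete and the account question is not where the problem is.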


#11 Zazotazo


Posted 26 February 2014 - 03:47 PM

My specialist took the laptop home. I can only access the Internet through my iPod touch (I'm not sure if I'm able to get logs through Explorer, and iTunes isn't opening, but I'll try to come up with something).
The administrator user (which was once mine) is a computer named "Administrator" and another named "Guest", which are both connected to me through the workgroup.
The laptop had a Bluetooth connection and it was always on after the problem started, which leads me to think it's not connected via the Internet but a dial-up service or something else.
The computer is loading the explorer.exe and windefend.exe services, which consume lots of memory. svchost.exe is referred to as remote access and Windows hosting, rpcss.exe as well. If I stop those services the computer turns off or goes to a black screen and doesn't allow me to use the keyboard or mouse, and only shuts down after holding the on/off button for some time.
That's frightening, but I'm optimistic about connecting and having access to logs once again.
I may be able to run ComboFix in safe mode as well; not sure what else I can do right now. Would you recommend it?

#12 xXToffeeXx


Posted 26 February 2014 - 04:43 PM

Hi,

Do not run ComboFix; that tool should only be run when supervised and requested by a trained individual. What happens when you try to access the Internet, and have you tried Safe Mode with Networking?
All those files listed are legitimate Windows files, as long as they are in the right location, hence why your computer mucks up when you stop them, which you shouldn't do.
Preferably we need another computer, or this computer, to be able to access the Internet.

xXToffeeXx~

Edited by xXToffeeXx, 26 February 2014 - 04:44 PM.


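"Legitimate as long as they are in the right location" is the whole test, and it can be done without any download. The script below is an added example for this thread, not code from the thread or from any BleepingComputer guide: for the process names the poster listed it reads the on-disk path of each running instance, compares it with where Windows 7 keeps that binary, and reports the Authenticode status. It assumes a standard install (paths under $env:SystemRoot) and that "winit.exe" was a misspelling of wininit.exe. It must be run from an elevated PowerShell, otherwise reading the path of lsass.exe and the service hosts fails with access denied. One caveat a Windows 7 user needs: Windows 7's Get-AuthenticodeSignature does not understand catalog signatures, and most system binaries there are catalog-signed, so a "NotSigned" result on a file in the correct location is not evidence of tampering (Sysinternals sigcheck handles catalogs); a wrong path, or a "HashMismatch", is.

```powershell
# Added example, not from the thread: check that the processes named in this
# thread run from their expected locations. Run from an elevated PowerShell.
# Assumption: standard Windows 7 layout under $env:SystemRoot; "winit.exe" is
# taken to mean wininit.exe.

$expected = @{
    'lsass'    = "$env:SystemRoot\System32\lsass.exe"
    'svchost'  = "$env:SystemRoot\System32\svchost.exe"
    'explorer' = "$env:SystemRoot\explorer.exe"
    'wininit'  = "$env:SystemRoot\System32\wininit.exe"
    'winlogon' = "$env:SystemRoot\System32\winlogon.exe"
}
# rpcss and windefend are services, not executables: on Windows 7 both run inside
# svchost.exe, so an rpcss.exe or windefend.exe *file* would itself be suspicious.

$suspicious = @()
foreach ($name in $expected.Keys) {
    $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) { Write-Host "$($name): not running"; continue }
    foreach ($p in $procs) {
        try {
            $path = $p.MainModule.FileName
        } catch {
            Write-Warning "$($name) (PID $($p.Id)): cannot read path, run elevated ($($_.Exception.Message))"
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        # Location is the decisive test; HashMismatch on an embedded signature is
        # the other red flag. NotSigned alone is expected for catalog-signed files.
        $ok = ($path -ieq $expected[$name]) -and ($sig.Status -ne 'HashMismatch')
        "{0,-9} PID {1,-6} {2,-6} {3}  [{4}]" -f $name, $p.Id, $(if ($ok) { 'OK' } else { 'CHECK' }), $path, $sig.Status
        if (-not $ok) { $suspicious += $p }
    }
}

if ($suspicious.Count -gt 0) {
    Write-Warning ("{0} process(es) are not where Windows keeps them; note the paths above for the malware-removal topic." -f $suspicious.Count)
}

# Which services live inside each svchost.exe (RpcSs and WinDefend should show up here)
tasklist /svc /fi "imagename eq svchost.exe"

# State of the services the poster associated with remote access
Get-Service RpcSs, WinDefend, RasMan, RemoteAccess -ErrorAction SilentlyContinue |
    Format-Table Name, Status, DisplayName -AutoSize
```

Nothing is stopped or deleted: the point is to record which image paths are wrong, if any, and hand that to whoever reads the logs. RpcSs is the RPC endpoint mapper and cannot be stopped without taking the session down, which is exactly the black-screen behaviour described above.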

#13 Zazotazo


Posted 26 February 2014 - 05:02 PM

I've entered it once again so I could explain it to you better. Please notice I'm Brazilian, so this is a free translation:
I entered Safe Mode with Networking; there were no Internet links or references. I entered the Control Panel and the Network and Sharing Center (rede de compartilhamento, in Portuguese); there was no Internet available, or description. It said: "status detection service is off", so I clicked "yes" to "would you like to turn it on?" and then I received an "access denied" message.
I also got HijackThis to run and took some pictures of its log. If there's any way I can send them to you, let me know; otherwise I'll be writing it down in the next reply.

#14 Zazotazo


Posted 26 February 2014 - 06:56 PM

Here's the log:

 

EDIT: Removed log, as it's not allowed in this forum. ~bloopie


Edited by bloopie, 28 February 2014 - 06:07 PM.


#15 xXToffeeXx


Posted 27 February 2014 - 12:12 PM

Hi,

 

I did not ask for a HijackThis log, and it's not allowed in these forums. Running tools when you have not been asked to makes my job of helping you a lot harder. Please remove that log; there's nothing wrong there except an outdated version of IE and Java.

 

Is there no icon for the Internet browser you normally use on the desktop or the toolbar in Safe Mode with Networking? Have you clicked on the Windows logo button -> All Programs -> Internet Explorer? You could also try this: press the Windows logo key and R at the same time, a box will appear; type cmd and press Enter. Command Prompt will appear; type "%ProgramFiles%\Internet Explorer\iexplore.exe" and press Enter.

 

Any luck on launching Internet Explorer, or do you use another browser?

 

xXToffeeXx~


Edited by xXToffeeXx, 27 February 2014 - 12:13 PM.





