
Had infection, clean install of win 7 still infected.


5 replies to this topic

#1 Shakey


  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Location:New Zealand
  • Local time:04:21 PM

Posted 01 March 2014 - 11:14 PM

OK, I'll word this the best I can.

 

I've had what appears to be multiple types of infections.

 

I think I still have a browser-based infection where ads seem to be getting hijacked. I'm getting suspicious ads in place of Google ads, such as "your PC is running slow" and "you have won an iPad" type ads on pages and videos.

 

But I'm pretty sure I've got a backdoor infection also. My mouse cursor every now and then gets a bit jittery and seems to be skipping frames.

 

I also experienced not being able to connect to web pages. In Firefox I used to get "error finding server" or "page could not be loaded", but by clicking on Retry I would be able to load the page.

Such pages being Antec, Nvidia, Arctic Cooling, etc.

 

I ran RogueKiller and it found 2 HJ DESK entries, and my hosts file was empty. So I fixed both of them.

 

I also Ran MBAM after the clean install of Win7 and that found 4 items.

 

Also, Comodo Cleaning Essentials will not run. Autoruns.exe closes as soon as it starts, and the scanner closes after updating definitions and scanning about 700 objects.

 

I'll drop the logs for MBAM and RogueKiller after this post.

 

I am also running 2 1TB drives in RAID 0, if that has any effect on MBR scanning at all.

Windows 7 x64

Currently using Ad-Aware Free, and MBAM as on-demand.


Edited by Shakey, 01 March 2014 - 11:23 PM.



#2 Shakey

  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Location:New Zealand
  • Local time:04:21 PM

Posted 01 March 2014 - 11:19 PM

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.02.25.04
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
BOGAN :: BOGAN-PC [administrator]
 
25/02/2014 9:16:48 p.m.
mbam-log-2014-02-25 (21-16-48).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207668
Time elapsed: 50 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 4
c:\users\bogan\videos\gbpxp.exe (Trojan.Banker) -> Delete on reboot.
c:\users\bogan\videos\mob127.bin (Malware.Trace) -> Delete on reboot.
c:\users\bogan\videos\helppanel.exe (Trojan.Agent) -> Delete on reboot.
c:\users\bogan\videos\winhelp.exe (Trojan.MSIL) -> Delete on reboot.
 
(end)


#3 Shakey

  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Location:New Zealand
  • Local time:04:21 PM

Posted 01 March 2014 - 11:21 PM

RogueKiller V8.8.9 [Feb 24 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : BOGAN [Admin rights]
Mode : Remove -- Date : 02/26/2014 18:09:22
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) ATA Corsair Force 3 SCSI Disk Device +++++
--- User ---
[MBR] 48f909df9871206be1e143e808869fb6
[BSP] 96f25719f409d6fe8389d9fb2d156512 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 114371 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ SCSI) Intel Raid 0 Volume SCSI Disk Device +++++
--- User ---
[MBR] 67a12447789a94358ff5e385715680bb
[BSP] 389a0256df3d05752e15dbdbf30634d1 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907731 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] Incorrect function. )
 
+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ SCSI) ATA WDC WD5001AALS-0 SCSI Disk Device +++++
--- User ---
[MBR] 8422bbacc49f7506300730cca7ee58de
[BSP] 961f06e1cdc297f10aaa85861aceb946 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476937 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_D_02262014_180922.txt >>
RKreport[0]_S_02262014_164107.txt;RKreport[0]_S_02262014_164906.txt;RKreport[0]_S_02262014_180823.txt
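As an added example (not RogueKiller's own code, and not something the posters ran), a small Python parser for the report layout shown above: it collects the entries under each `¤¤¤ Section : N ¤¤¤` header and flags any drive whose MBR block reports a read error, which is the LL2 error on the RAID 0 volume the poster asked about. The embedded report is a constructed excerpt in that layout, reusing the registry lines from the posted log.

```python
import re

# Constructed excerpt in RogueKiller's report layout (not the poster's full log).
SAMPLE_REPORT = r"""
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) ATA Example SSD +++++
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ SCSI) Intel Raid 0 Volume +++++
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] Incorrect function. )
"""

SECTION_RE = re.compile(r"^¤¤¤ (.+?) : (\d+) ¤¤¤$")    # "¤¤¤ Name : count ¤¤¤"
DRIVE_RE = re.compile(r"^\+\+\+\+\+ (PhysicalDrive\d+):")  # header of one MBR block


def parse_report(text):
    """Return (sections, drives): section name -> its tagged entry lines,
    drive name -> lines reporting an MBR read error for that drive."""
    sections, drives = {}, {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            current = m.group(1)
            sections[current] = []
        elif d := DRIVE_RE.match(line):
            current = d.group(1)
            drives[current] = []
        elif not line or current is None:
            continue
        elif current in drives:
            if line.startswith("Error reading"):
                drives[current].append(line)
        elif line.startswith("["):            # entries are tagged, e.g. [HJ DESK][PUM]
            sections[current].append(line)
    return sections, drives


def findings(text):
    """Keep only sections that have entries and drives whose MBR could not be read."""
    sections, drives = parse_report(text)
    return ({n: e for n, e in sections.items() if e},
            {d: errs for d, errs in drives.items() if errs})
```

A drive listed in the second dict (here the RAID 0 volume) means RogueKiller could not read that MBR layer, so the "OK!" on LL1 alone does not confirm a clean MBR there.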


#4 Alex&Vanko


  • Banned
  • 1,394 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:21 AM

Posted 02 March 2014 - 12:16 AM

What do you mean by clean install? Formatting all drives?



#5 Shakey

  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Location:New Zealand
  • Local time:04:21 PM

Posted 02 March 2014 - 01:39 AM

Just my C: drive. SSD, using internal secure erase with Parted Magic.

 

Doing a full format of every drive takes about 7 hrs. Full format, not quick format. 2 hrs per TB + 1 hr for the 500GB. Done it before after breaking down the RAID array.

 

If I had done a full format of each, it would have made it completely pointless posting here, since the answer would have been to throw every drive in the trash and take out a $1000 loan to replace all my drives if it were a firmware infection.

 

Possibly even have to replace the motherboard if it were that bad.

 

The problems aren't as severe as they were pre-clean install. But obviously some characteristics are still there.



#6 Alex&Vanko


  • Banned
  • 1,394 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:21 AM

Posted 02 March 2014 - 02:08 AM

So we are talking about backdoor Trojans. In this case use Emsisoft Emergency Kit - http://www.bleepingcomputer.com/download/emsisoft-emergency-kit/

Start the program, choosing the first option, Emergency Kit Scanner. Update it. Select Check my PC from the left panel and do a full deep scan. The results will be displayed after the scan is done.

The second tool I recommend is SUPERAntiSpyware - http://www.bleepingcomputer.com/download/superantispyware/

Install it. Start the program and click the Check for Updates button on the bottom right. After that select a Complete Scan from the options above. Click the big Scan the Computer button, tick all your drives and click Start Complete Scan.





