
repost so that site admins won't think my previous topic was handled


This topic is locked
5 replies to this topic

#1 gwhiz9999

  • Members
  • 108 posts
  • OFFLINE
  • Local time:07:16 PM

Posted 02 March 2014 - 02:35 AM

A member replied to my previous posting of this, and I know from previous contact with admins that that might make it seem that someone from the site has already replied to me, so I am reposting it.

 

I am trying to resolve some issues on an HP Invent PC running Vista.  Among them are:

 

1.  The PC has recently started to shut itself down randomly.

 

2.  It will not allow me to start Microsoft Security Essentials' real-time protection.

 

3.  Despite the problem in #2, on restart, MSE finds Alureon.J every time.

 

4.  There is a svchost.exe process that sometimes runs up to the high 90s.  It shows that it is connected to the services DcomLaunch and PlugPlay.

 

5.  For quite some time, if F11 is not used for system recovery on startup, the system quickly goes to a bluescreen after logging on to a user account.

 

I would appreciate any help.




#2 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,039 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:12:16 AM

Posted 02 March 2014 - 11:57 AM

Hi,
 
I am going to have you run this scan in order to see whether my suspicions are correct. It will not make any changes, but it will give me the information I need:
 
Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
 
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

After the tool has finished running, a text file named Rkill.txt should be located on the desktop. Please copy and paste the contents into your next reply.
 
xXToffeeXx~




#3 gwhiz9999

  • Topic Starter
  • Members
  • 108 posts
  • OFFLINE
  • Local time:07:16 PM

Posted 03 March 2014 - 06:48 AM

It won't download onto this computer on its own, as it gives me something like a "Your current settings do not allow this file to be downloaded" error message.  I downloaded it on another PC and copied it to the desktop of the "bad" PC.  When I run it, it shuts down, seemingly before it gets done, giving me a "has stopped working" pop-up error.  (It does the same thing under the versions for both links you provided.)  It gives "problem event name:  BEX" under the details of the stoppage error.  I will provide the log that it generates, but I am changing the file names to make my user name all asterisks under the rootkit notations.

 

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/03/2014 06:07:31 AM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * ALERT: ZEROACCESS rootkit symptoms found!

     * C:\Users\*******\AppData\Local\{86b55bb3-2453-4331-b933-8b54c269a60e}\ [ZA Dir]
     * C:\Users\*******\AppData\Local\{86b55bb3-2453-4331-b933-8b54c269a60e}\L\ [ZA Dir]
     * C:\Users\*******\AppData\Local\{86b55bb3-2453-4331-b933-8b54c269a60e}\U\ [ZA Dir]

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * C:\Windows\System32\rpcss.dll : 550,912 : 04/11/2009 01:28 AM : ecb4dc895e9ed3985d29284e17c703fc [NoSig]
 +-> C:\Windows\ERDNT\cache\rpcss.dll : 550,400 : 04/11/2009 01:28 AM : 3b5b4d53fec14f7476ca29a20cc31ac9 [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.16386_none_67941a0040f4ed68\rpcss.dll : 545,792 : 11/02/2006 04:46 AM : b46d8ea6dd30baa49f674dacdc4c491f [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.16830_none_67c4315e40d1bb6c\rpcss.dll : 549,888 : 03/02/2009 11:19 PM : 7b981222a257d076885bffb66f19b7ce [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.21023_none_685b771559e4be8c\rpcss.dll : 550,400 : 03/02/2009 11:17 PM : b1bb45e24717a7f790b4411c4446ef5e [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18000_none_69cadbfc3ddffe3c\rpcss.dll : 547,328 : 01/19/2008 02:36 AM : 33fb1f0193ee2051067441492d56113c [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18226_none_69bb41ac3deac876\rpcss.dll : 551,424 : 03/02/2009 11:39 PM : 301ae00e12408650baddc04dbc832830 [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.22389_none_6a06ffcd57365beb\rpcss.dll : 551,424 : 03/02/2009 11:32 PM : 4dfcbdef3ccaa98f99038ded78945253 [Pos Repl]
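The "Searching for Missing Digital Signatures" section of the log above is what the helper reads to conclude that rpcss.dll was patched: an unsigned file marked [NoSig], followed by the known-good copies Rkill found marked [Pos Repl]. The following parser is an added example (not Rkill's own code) that pairs each unsigned file with its candidates and reports whether any candidate even matches it in size; the sample input is a subset of lines copied from the log posted above.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines copied from the Rkill log in the post above.
SAMPLE_LOG = r"""
Searching for Missing Digital Signatures:

 * C:\Windows\System32\rpcss.dll : 550,912 : 04/11/2009 01:28 AM : ecb4dc895e9ed3985d29284e17c703fc [NoSig]
 +-> C:\Windows\ERDNT\cache\rpcss.dll : 550,400 : 04/11/2009 01:28 AM : 3b5b4d53fec14f7476ca29a20cc31ac9 [Pos Repl]
 +-> C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18226_none_69bb41ac3deac876\rpcss.dll : 551,424 : 03/02/2009 11:39 PM : 301ae00e12408650baddc04dbc832830 [Pos Repl]
"""

# " * <path> : <size> : <date> : <md5> [NoSig]" or " +-> ... [Pos Repl]"; other lines are ignored.
ENTRY_RE = re.compile(r"^\s*(\*|\+->)\s+(.+) \[(NoSig|Pos Repl)\]\s*$")

@dataclass
class FileEntry:
    path: str
    size: int
    date: str
    md5: str

@dataclass
class Finding:
    unsigned: FileEntry
    candidates: List[FileEntry] = field(default_factory=list)

    def size_matches(self) -> List[FileEntry]:
        """Candidates with the same size as the unsigned file; none is consistent with a patched file."""
        return [c for c in self.candidates if c.size == self.unsigned.size]

def _parse_entry(body: str) -> FileEntry:
    # The date field contains a colon, so split on the " : " separator rather than ":".
    path, size, date, md5 = body.split(" : ")
    return FileEntry(path, int(size.replace(",", "")), date, md5)

def parse_findings(log: str) -> List[Finding]:
    """Group each [NoSig] entry with the [Pos Repl] candidates listed beneath it."""
    findings: List[Finding] = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        marker, body, tag = m.groups()
        entry = _parse_entry(body)
        if marker == "*" and tag == "NoSig":
            findings.append(Finding(entry))
        elif marker == "+->" and findings:
            findings[-1].candidates.append(entry)
    return findings
```

Run on the sample, the unsigned rpcss.dll (550,912 bytes) matches none of the candidates by size, which is the pattern the helper acted on.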



#4 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,039 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:12:16 AM

Posted 03 March 2014 - 11:20 AM

Hi,

 

Thanks for that log. It got the information I needed and my suspicions were indeed correct.

 

You got hit with the latest version of Zekos. One of your system files (rpcss.dll) has been patched. You are also infected with ZeroAccess.
You'll need more advanced tools to replace that file.
 
Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

 

xXToffeeXx~




#5 gwhiz9999

  • Topic Starter
  • Members
  • 108 posts
  • OFFLINE
  • Local time:07:16 PM

Posted 03 March 2014 - 08:20 PM

Here is the link to the new topic I posted.

 

http://www.bleepingcomputer.com/forums/t/526383/aleuronj-and-pc-auto-restarts/



#6 hamluis

    Moderator

  • Moderator
  • 55,387 posts
  • OFFLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:06:16 PM

Posted 04 March 2014 - 03:31 PM

MRL topic currently being worked: http://www.bleepingcomputer.com/forums/t/526383/aleuronj-and-pc-auto-restarts/

 

Please follow the guidance of your Helper in the above topic.

 

To avoid confusion, this topic is closed.

 

Louis
