multiple Win32 malware types popping up


8 replies to this topic

#1 strelok86

strelok86

  • Members
  • 16 posts

Posted 22 November 2014 - 06:51 PM

Hi, for the past week or two, somewhere after downloading a file, avast has been blocking multiple trojans and malware in the form of Win32 malware, dropper, and evo-gens, most of them coming from program data/ microsoft/ secure/ icons/ temp/ (insert file name).tmp and Emsisoft's a2service.exe process with ransom-auz, kryptik-orh and occasionally a file rep malware in explorer.exe.

 

I have tried many removal guides, short of modifying the registry manually.

 

using:

avast! antivirus

MBAM

Sophos

Emsisoft

hitman pro

TDSS killer

aswmbr

trend micro attk

and norton power eraser

 

I have also done this in normal and in safe mode, but they keep coming back.

 

I have finally come here for help as this seems like it's a specific issue. Thanks


Edited by strelok86, 22 November 2014 - 08:55 PM.



#2 noknojon

noknojon

  • Banned
  • 10,871 posts

Posted 22 November 2014 - 09:36 PM

Hello strelok86 -
Just to start with .........

 

avast has been blocking multiple trojans and malware in the form of Win32 malware, dropper, and evo-gens

Do you have a way to Copy and Paste these items as listed ??
avast! must have an area where it stores or notifies you about the problems.

 

From here we can see if it is minor or major ...................

Thank You -



#3 strelok86

strelok86
  • Topic Starter

  • Members
  • 16 posts

Posted 22 November 2014 - 10:24 PM

Unfortunately, I can't seem to find those on the free one; I would have to generate a log from a boot scan for a report.

 

win32:dropper-gen, malware-gen, and evo-gen all show up in c:/program data/microsoft/secure/icons/temp/.tmp

Filerep-malware, ransom-auz[trj], kryptik-orh[trj] showed up in c:/windows/temp on the c:/program files(x86)/emsisoft/a2service.exe process tree



#4 noknojon

noknojon

  • Banned
  • 10,871 posts

Posted 22 November 2014 - 10:58 PM

OK, I was just asking -

Win32:Kryptik or Win32:Kryptik -xxx [trj] is a specific detection named by avast! Each company can have a name applied.

 

Please download RKill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/
* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 / 8, right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
Do not reboot until the next scan completes
*If the tool does not run from any of the links provided, please let me know.
- If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with RKill log.
Post it in your next reply.

NOTE. RKill.txt log will be present on your desktop.
 

 

Run ESET Online Scanner.

  • For Internet Explorer users only, hold down Control  (Ctrl) and click on This Link to open ESET OnlineScan in a new window.
  • Click the ESET Online button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu. to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.

     

  • Temporarily Disable your Antivirus when requested.

  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives and Remove Threats"
  • Click Advanced settings and select the following:
    Scan potentially unwanted applications
    Scan for potentially unsafe applications
    Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • Please be patient as this will take some time (2+ hours is not unusual for a first scan).
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

NOTE: Sometimes if ESET finds no infections it will not create a log.

 

 

 

After ESET log has been posted -

Please download Temp File Cleaner by Old Timer
Usage Instructions:
1. Download TFC from the download link above and save the file on your desktop.
2. Close ALL running applications as TFC will terminate them before attempting to clean up the temporary files.
3. Double-click on the TFC icon.
4. When the program opens, click on the Start button. TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
5. When done, press OK > Exit, and reboot your computer and finish the cleanup.
No log is produced or expected.

 

Thanks -



#5 strelok86

strelok86
  • Topic Starter

  • Members
  • 16 posts

Posted 23 November 2014 - 01:55 PM

rkill log:

 

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/22/2014 11:30:42 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * WinDefend [Missing Service]
 * wscsvc [Missing Service]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1 localhost

Program finished at: 11/22/2014 11:31:36 PM
Execution time: 0 hours(s), 0 minute(s), and 53 seconds(s)
 

 

ESETScan log:

C:\Users\Strelok\AppData\Local\Temp\NOD2B1.tmp    a variant of Win64/Sathurbot.A trojan    cleaned by deleting (after the next restart) - quarantined
 

 

I also had uninstalled Emsisoft and that seemed to have taken care of anything popping up on the a2service.exe process.



#6 noknojon

noknojon

  • Banned
  • 10,871 posts

Posted 23 November 2014 - 05:02 PM

Thanks for those,

But I will be a pain and (if you have time) please repeat the ESET scan.

Win64/Sathurbot.A trojan has been known to return after cleaning.

 

This may be the problem infection (or part of it).

 

EDIT - it has been known to cause this >>>

 * WinDefend [Missing Service]
 * wscsvc [Missing Service]


Edited by noknojon, 23 November 2014 - 05:04 PM.


#7 strelok86

strelok86
  • Topic Starter

  • Members
  • 16 posts

Posted 25 November 2014 - 12:13 AM

this time it caught some activity:

 

ESETScan round two:

 

C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll    a variant of Win64/Sathurbot.A trojan    
C:\Users\All Users\Microsoft\Secure\Icons\temp\trz571B.tmp    Win32/Boaxxe.BR trojan    
C:\Users\All Users\Microsoft\Secure\Icons\temp\trz6253.tmp    Win32/Rovnix.N trojan    
C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll    a variant of Win64/Sathurbot.A trojan    cleaned by deleting (after the next restart) - quarantined
C:\ProgramData\Microsoft\Secure\Icons\temp\trz571B.tmp    Win32/Boaxxe.BR trojan    cleaned by deleting - quarantined
C:\ProgramData\Microsoft\Secure\Icons\temp\trz6253.tmp    Win32/Rovnix.N trojan    cleaned by deleting - quarantined
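A small parser for the ESET Online Scanner export format posted in this thread, added here as an illustration (it is not ESET's code and not from any poster). It separates entries that were actually cleaned from those that carry no recorded action or whose deletion is deferred to the next restart, which are the ones a responder should re-check on a follow-up scan. The sample lines are constructed from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample copied from the ESET export posted in this thread.
# ESET separates path, detection name and action with a run of whitespace.
ESET_LOG = """\
C:\\Users\\All Users\\Microsoft\\Secure\\Icons\\IconsCacheHelper.dll    a variant of Win64/Sathurbot.A trojan
C:\\Users\\All Users\\Microsoft\\Secure\\Icons\\temp\\trz571B.tmp    Win32/Boaxxe.BR trojan
C:\\ProgramData\\Microsoft\\Secure\\Icons\\IconsCacheHelper.dll    a variant of Win64/Sathurbot.A trojan    cleaned by deleting (after the next restart) - quarantined
C:\\ProgramData\\Microsoft\\Secure\\Icons\\temp\\trz571B.tmp    Win32/Boaxxe.BR trojan    cleaned by deleting - quarantined
"""

@dataclass
class Detection:
    path: str
    threat: str
    action: Optional[str]  # None when ESET recorded no cleaning action

    @property
    def family(self) -> str:
        # "a variant of Win64/Sathurbot.A trojan" -> "Win64/Sathurbot.A"
        name = re.sub(r"^a variant of ", "", self.threat)
        return re.sub(r"\s+\w+$", "", name)  # drop the trailing type word ("trojan")

    @property
    def status(self) -> str:
        if self.action is None:
            return "no action recorded"
        if "after the next restart" in self.action:
            return "pending restart"
        return "cleaned"

def parse_eset_log(text: str) -> List[Detection]:
    """Split each non-empty export line into path, threat name and optional action."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Single spaces inside a path ("All Users") must survive, so split on
        # tabs or on two-or-more spaces only.
        parts = re.split(r"\t+|\s{2,}", line.strip())
        path, threat = parts[0], parts[1]
        action = parts[2] if len(parts) > 2 and parts[2] else None
        entries.append(Detection(path, threat, action))
    return entries

def needs_follow_up(entries: List[Detection]) -> List[Detection]:
    """Entries to verify on a rescan: not cleaned, or cleaned only after a reboot."""
    return [e for e in entries if e.status != "cleaned"]

if __name__ == "__main__":
    for e in needs_follow_up(parse_eset_log(ESET_LOG)):
        print(f"{e.status:20} {e.family:20} {e.path}")
```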
 



#8 noknojon

noknojon

  • Banned
  • 10,871 posts

Posted 25 November 2014 - 12:30 AM

Hello strelok86 -

 

Win64/Sathurbot.A trojan has not been deleted or quarantined as first noted. This infiltrates, and is a known password stealer.

 

Personally I researched this one, and found it may be a Backdoor Trojan (the reason I asked you to rescan).

 

These can not be treated by me in this area, so I would ask you to follow these directions for your protection >>

 

Please follow the instructions in the Malware Removal Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running DDS which will create two logs.

When you have done that, Copy and Paste both logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs, then still start the new topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them.

A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one, to prevent others answering incorrectly.

 

 

Thank You -



#9 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Members
  • 16,485 posts

Posted 26 November 2014 - 09:22 AM

malware removal logs topic http://www.bleepingcomputer.com/forums/t/557578/persistent-sathurbot-and-related-trojans/

This topic is closed





