
I got some bad, NASTY group of viruses/trojans, even AFTER a new install


10 replies to this topic

#1 stanleybeast
  • Members
  • 38 posts
  • Gender:Male

Posted 23 December 2014 - 05:21 PM

Hi Guys,
 
 
I am new here. I am also new to learning the back end of a computer, lightly! But I seem to have got something I cannot get rid of.
It seems my computer has some kind of safety back set up for itself no matter what I do to remove programs/updates/weird named files and folders in the system32 folder. It's like everything I try to download to remove it is no good, as this writes and injects inf files and other ones to make that program miss them in the search. Even regular files like Google or Skype, it will still inject itself in, and then when I right click it, it's no longer an EXE file I installed, but details says it's an MSI file now. I have Win 7 32 bit, yet it's controlling my computer as an NT comp, or XP as it has many DOS programs, Win Server 2008 so it can do remote in, all crazy stuff....

I am always seeing leaking reg s15 21, classes making changes to everything, and sure enough, no matter what I did, my comp is restored to where I did nothing, even despite turning off system restore, deleting them all, cleaning temp files, zap-0 my hard drive, new install (install CD seems infected as well as it has a hugely bloated system32 folder and even C root dir).

I need help bad. It owned my desktop computer, then my laptop, then my backup desktop.. I can't even open my 1 terabyte external hard drive no matter what I did in device mgr.. Maybe that's what got infected and passed it around..

Edited by Budapest, 23 December 2014 - 05:50 PM.
Moved from Win7 ~Budapest



#2 Guest_LighthouseParty_*
  • Guests

Posted 23 December 2014 - 06:29 PM

Hello there,

Welcome to Bleeping Computer, I'm LighthouseParty. Let's run a couple of scans to see what could be causing this.

Step 1: Please download MiniToolBox to your desktop

  • Double click MiniToolBox.
  • Select the following and then press go.
  • Post the log in your next reply.

Flush DNS
Reset IE Proxy Settings
Reset FF Proxy Settings
List Installed Programs
List Restore Points

Step 2: Please download Malwarebytes Anti-Malware to your desktop

  • Double click mbam-setup-x.x.x.xxxx and follow the on-screen instructions.
  • On the dashboard, click update now.
  • After that, click scan now - the scan will now begin.
  • When the scan's completed, select apply actions - make sure the action is quarantine.
  • Restart your computer.

How to get the log.

  • On the dashboard, select the history tab and click application logs.
  • Select the log which has the time and date of when you did the scan.
  • Click copy to clipboard and paste it into your reply.

Step 3: Please download Security Check to your desktop

  • Double click SecurityCheck and follow the on-screen instructions.
  • A log should open, called checkup.txt.
  • Please post the contents of it in your next reply.

Step 4: Please download Malwarebytes Anti-Rootkit to your desktop

  • Double click it and click ok (make sure to extract it to your desktop).
  • When it opens, click next and then update.
  • After it's updated, click next and then scan.
  • If malware is detected, select clean, then restart your computer.
  • Open 'MBAR' on your desktop and paste the contents of the following logs in your reply:
  • mbar-log-xx.xx.xx.txt and system-log.txt.

Step 5: Non-malware removal steps

Run System File Checker - http://support.microsoft.com/KB/929833
Run Disk Check - http://support.microsoft.com/kb/2641432
Run Disk Cleanup - http://windows.microsoft.com/en-gb/windows/delete-files-using-disk-cleanup

Thanks and good luck!



#3 stanleybeast
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male

Posted 27 December 2014 - 03:11 PM

Hi Lighthouse, sorry for the delay. I spent the last couple of days reading on Microsoft products for all their different Windows OS's, and it seems I have products from all of them that allow my PC to look and act legit while being controlled remotely...

Anyhoo, here is the MiniToolBox result:


MiniToolBox by Farbar  Version: 30-11-2014
Ran by Stephan (administrator) on 28-12-2014 at 03:59:39
Running from "C:\Users\Stephan\Desktop"
Windows 7 Home Basic Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Restore Points ==================================
 
Could not list Restore Points.
 
**** End of log ****

I could not install Malwarebytes Anti-Malware, could not pull up proc server error?
However, just before I logged in here I did an OTL install and it shows some odd entries, if you want me to post that for you now while we may use that info towards what our next step may be.


#4 stanleybeast
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male

Posted 27 December 2014 - 03:18 PM

Ahhh

I forgot, when I download any program I have to click properties and unblock it first, as it says it could have come from a different computer and was blocked. I did that and redid the MiniToolBox scan:


MiniToolBox by Farbar  Version: 30-11-2014
Ran by Stephan (administrator) on 28-12-2014 at 04:16:39
Running from "C:\Users\Stephan\Desktop"
Windows 7 Home Basic Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
 
=========================== Installed Programs ============================
AppNHost 1.0.5.1 (HKLM\...\{A8CB86C7-CD4C-4C4F-AF6A-33D1CAC63562}) (Version: 1.0.5.1 - Mixesoft Project)
AVG 2015 (HKLM\...\AVG) (Version: 2015.0.5645 - AVG Technologies)
AVG 2015 (Version: 15.0.4257 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.5645 - AVG Technologies) Hidden
Google Chrome (HKLM\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
NVIDIA 3D Vision Driver 340.52 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 340.52 - NVIDIA Corporation)
NVIDIA Control Panel 340.52 (Version: 340.52 - NVIDIA Corporation) Hidden
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.10.62.40 - NVIDIA Corporation)
NVIDIA Graphics Driver 340.52 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 340.52 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.1002.154.1150 - NVIDIA Corporation) Hidden
NVIDIA Stereoscopic 3D Driver (Version: 7.17.12.6514 - NVIDIA Corporation) Hidden
NVIDIA Update 10.4.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 10.4.0 - NVIDIA Corporation)
NVIDIA Update Core (Version: 10.4.0 - NVIDIA Corporation) Hidden
Skype™ 7.0 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1168 - SUPERAntiSpyware.com)
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
========================= Restore Points ==================================
 
Could not list Restore Points.
 
**** End of log ****


#5 Grinler (Lawrence Abrams)
  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 08 January 2015 - 05:53 PM

Can you give more details as to what your problems are? What are these strange inf files and exes that you are concerned about?

#6 stanleybeast
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male

Posted 08 January 2015 - 07:34 PM

Hi Lawrence,

I just figured a WinSxS folder would be so big after a few years of patches and installing programs, same with the System32 folder,

but even after a new install of just a Home Basic edition it has files and DLLs and DOS programs that you would find on many other install editions as well as Windows versions like XP, Vista and the like, when I am just a Win 7 32-bit. And the C root dir has many files there which I never saw before in all my years after a clean install. I have a resource file in Notepad I'll PM you, and this is what's running and happening and I still have not installed one program.

Maybe you could suggest a diff test to show all on my PC to you so you can see as well. I feel a driver or script or scripts are running the show right from the boot, but I am a layman when it comes to what belongs and what doesn't, and researching online with my desktop, which is on another log, and this one I am using now, my PC, all do not give me straight and clear answers to files I find and search on. Always getting some results saying it's a virus/trojan, bad, here's how to remove it, and other results saying it's normal for the OS.. This post here now is for my main desktop, which I think is the reason why all my comps got infected; even an iPad for a phone I have is not "rooted" just because I USB'd it and put some songs on it. I also see a synced D-Link router on the other comp, which I removed but is persistent in coming back, and there has never been a D-Link router in my home ever.. It connects to the DSL because I can use it to connect wirelessly with the iPad, which is NOT my router but is on my DSL paths (not a neighbor's). I'll send you the resource file now..

Also, no matter what is done, the comp in this post has the computer set up to do tasks as soon as the comp sleeps or is rebooted, to undo all I have done, protecting itself with, what I believe to be, virtual scripts/partitions that tests done on here don't pick up. I have seen 4 GB RAM, which is what I have, and I have seen 8-32 GB virtual RAM, with 16+ GB virtual in use when I looked at the comp's advanced resource program.

What do you think of it all?
 



#7 stanleybeast
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male

Posted 08 January 2015 - 08:04 PM

And LighthouseParty is not real malware support on here, is he? What would he benefit from getting me to do those tests and posting my results, btw? Should I be worried?



#8 Grinler (Lawrence Abrams)
  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 09 January 2015 - 12:24 PM

Lighthouse was deleted at his request. Personally, I think you are reading into something that doesn't exist.

The standard System32 folder (not including subfolders) is going to be filled with TONS of programs. Mine has about 3000 files. This is absolutely normal.

The WinSxS folder should be huge too. My WinSxS folder has 16k subfolders.

Even on a brand new install, with updates from Windows, that folder is going to be huge. This is because when Windows installs updates, it puts the new files there and archives of the old ones.

#9 Grinler (Lawrence Abrams)
  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 09 January 2015 - 12:26 PM

I also see that you have an open virus removal topic with Nasdaq. If there is an issue he will find it.

Personally, unless he finds something, I think you are interpreting normal Windows installations as issues.

#10 stanleybeast
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male

Posted 09 January 2015 - 02:17 PM

I could be, but it's hard to refute the things I see..

A new install should not have programs, files and ext's and DLL files for which I haven't even installed the corresponding applications..
Why should there be notepad.exe, regedit.exe, mbr.exe, twunk_32.dll, twain.dll, exe2bin.exe, bfsvc.exe, pev.exe, bootstat.dat files in the C root dir, which is easily remote accessible by a Win XP OS? Notepad so it can remotely make notepad.dat.exe executable files, scripts, which in turn run dormant files?..

I know for some it's hard to understand it all, but I am learning it fast, and from what I have seen since June this past year is, no scans can find it as it's legit Windows files from either of Microsoft's previous Windows versions, files that allow my OS platform to be hidden, thus I am using a fake shell one, from virtual files, and finding hidden remote access files, as well as a hidden synced D-Link router piggybacking off my modem, controlling everything... Windows XP files are notorious for remote abilities, Win NT for putting it all in strict place, a few strategically placed older Win ME, Win XP, Win 2000, and Vista files that hack SO EASY by a Win XP system.

I know too of USA and metadata and people saying GOV'T spyware is what is hitting most comps and that's the issue for mostly 3rd world countries, and being told nothing can be done about it, just leave it, and any and all help and assistance offered by sites like these, or actual PC repair shops, is to combat spyware/malware/trojans and forget govt metadata because nothing can be done about it, where in fact, it's MICROSOFT'S long, methodical, and meticulous plan from the very first Win OS to the last; BEING, each OS will contribute aspects/pieces/files over the years, that once all those files are combined and dropped onto a Win OS, it will leave that OS hopeless to be repaired, even with a new install, and what's best? All just say, "OH, it's Windows OS, it's normal," because of course Microsoft's files and drivers are going to be legit. I ran autorun and I see most of the Win7 services/drivers are having 3 or 4 diff locations where the file is being run simultaneously........ I only ever remembered back in the day, when you saw processes running from the System32 folder, it was one file with a few diff processes, not one file with 30 processes with 3 or 4 copies of it all over the C drive..

Is there any test I can take so you can see a little about what I am talking about? I think the REG is corrupt on this, the System32 folder, and WinSxS as well. How I wish I could have a brand new Win 7, 32-bit, SP1 registry :(



#11 Grinler (Lawrence Abrams)
  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 09 January 2015 - 02:35 PM

> A new install should not have programs, files and ext's and DLL files for which I haven't even installed the corresponding applications..

Give me some examples please.

> Why should there be notepad.exe, regedit.exe, mbr.exe, twunk_32.dll, twain.dll, exe2bin.exe, bfsvc.exe, pev.exe, bootstat.dat files in the C root dir, which is easily remote accessible by a Win XP OS? Notepad so it can remotely make notepad.dat.exe executable files, scripts, which in turn run dormant files?..

What do you mean it's easily remotely accessible by a Win XP OS? How are you accessing it? More details please.

You're telling me that those files are found in C:\. If so, then they shouldn't be. PEV is a tool we use here at the site. It's possible that a tool you ran with Nasdaq or on your own installed it there.

> Notepad so it can remotely make notepad.dat.exe executable files, scripts, which in turn run dormant files?..

I am not sure what you mean by this. Notepad is a text file viewer. It doesn't have anything to do with remote access or executable files.

> strict place, a few strategically placed older Win ME, Win XP, Win 2000, and Vista files that hack SO EASY by a Win XP system.

Why do you think it's so easy to hack via XP? Please provide more details.

Without getting into government and corporate conspiracy theories, it's perfectly normal to see multiple instances of processes and services running.

> Is there any test I can take so you can see a little about what I am talking about? I think the REG is corrupt on this, the System32 folder, and WinSxS as well. How I wish I could have a brand new Win 7, 32-bit, SP1 registry :(

I have to be perfectly honest. I do not think there is any foul play here, and that you are reading into normal installs and think it's something else.

Brand new installs still install updates and have updates installed. WinSxS is going to be filled with this stuff.

The System32 folder is going to be filled with executables, files, INFs, etc. This is normal.

I am not sure why you think the reg is corrupt.
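Added example, not from this thread and not part of any tool mentioned in it: a PowerShell inventory that turns the disagreement above (are the files in C:\, System32 and WinSxS normal?) into something checkable rather than something argued by feel. It lists every file sitting directly in the drive root with its Authenticode signature status and signer, reports the System32 file count and WinSxS subfolder count that the replies describe as large by design, flags System32 executables whose signature does not verify, and hashes the root files so they can be looked up against a vendor database. It assumes the system drive is C:\ and an elevated PowerShell 3.0 or later session (Windows 7 ships 2.0, which lacks the -File/-Directory switches); the Get-FileHash step only runs where that cmdlet exists (PowerShell 4.0+).

```powershell
# Added example (not from the thread). Inventory of the locations discussed above
# so each "unexpected" file can be judged by signature, age and hash.
# Assumes: system drive C:\, elevated PowerShell 3.0+.

# 1. Files sitting directly in the drive root, with Authenticode status.
#    -Force includes hidden system files such as pagefile.sys and hiberfil.sys,
#    which are expected there on a normal install.
function Get-RootFileReport {
    param([string]$Drive = 'C:\')   # assumption: system drive letter
    $files = Get-ChildItem -Path $Drive -File -Force -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Name      = $f.Name
            SizeKB    = [math]::Round($f.Length / 1KB, 1)
            Modified  = $f.LastWriteTime
            SigStatus = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# 2. Counts that are expected to be large on a patched Windows 7 install.
function Get-WindowsFolderCounts {
    $sys32  = Get-ChildItem -Path "$env:windir\System32" -File -ErrorAction SilentlyContinue
    $winsxs = Get-ChildItem -Path "$env:windir\WinSxS" -Directory -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        System32Files    = $sys32.Count
        WinSxSSubfolders = $winsxs.Count
    }
}

# 3. System32 executables whose embedded signature does not verify.
#    Older Get-AuthenticodeSignature builds do not consult the catalog store,
#    so legitimate catalog-signed Microsoft binaries can show NotSigned here.
#    Treat this list as candidates for a hash lookup, not as proof of tampering.
function Get-UnverifiedSystem32Binaries {
    Get-ChildItem -Path "$env:windir\System32" -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue } |
        Where-Object { $_ -and $_.Status -ne 'Valid' } |
        Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Status
}

# 4. SHA-256 of the root files, for lookup against a vendor or reputation database.
function Get-RootFileHashes {
    param([string]$Drive = 'C:\')
    if (-not (Get-Command Get-FileHash -ErrorAction SilentlyContinue)) {
        Write-Warning 'Get-FileHash needs PowerShell 4.0+; use "certutil -hashfile <file> SHA256" instead.'
        return
    }
    Get-ChildItem -Path $Drive -File -Force -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path
}

# Run the whole inventory and print it.
Get-RootFileReport            | Sort-Object SigStatus, Name | Format-Table -AutoSize
Get-WindowsFolderCounts       | Format-List
Get-UnverifiedSystem32Binaries | Format-Table -AutoSize
Get-RootFileHashes            | Format-Table -AutoSize
```

The first table is the one worth reading line by line: apart from the hidden boot and paging files, a clean install puts very little in the drive root, so anything else there should have a signer you recognise or a hash you can look up. The System32 and WinSxS counts are there to calibrate expectations, not to alarm; a count in the thousands is what the replies above say to expect.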



