Unknown Infection



#1 ranosb


Posted 30 December 2014 - 09:40 PM

Greetings and happy new year. Could use the help of experts in the field of virus
infection/malware/mbr infections

Computer has run fine for years, no problems but when I moved to another house,
I forgot to include the DIR-100 Router on the line & within a week troubles began.

System:
-WinXP Multimedia Center Edition SP2
[SP3 doesn't install correctly, not made for this OS & causes all kinds of problems,
system runs fine for years on SP2]

-AMD Turion (x2)
-2GB Ram
_______________
-System has some kind of virus, maybe a rootkit or MBR virus, not sure
-AVG, AVG Anti-rootkit, SuperAntiSpyware, Spybot DO NOT detect any viruses.

-AVG became unusable and had to be uninstalled.
-Malwarebytes showed no virus before, now crashes the computer to a reboot

-Microsoft Malicious SRT-KB890830-V5.19 keeps rescanning in an endless loop with
it showing "Files infected: 7", rescans, rescans, rescans...

-These files are always created, showing created by
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\TEMP\Perflib_Perfdata_eac.dat
C:\TEMP\Perflib_Perfdata_???.dat

-Symptoms;

-Computer exe files slowly get infected but when scanned online by VirusTotal,
nothing is detected on those files.
Infected Program Files I overwrite from a backup restores those to working programs, temporarily.
The infected files do not show a change in bytes or modification date. A hook maybe?

-My added Firewall takes MD5 checks of executable files and checks the MD5 before running;
it starts producing warning messages on various programs:
"has detected that application [various programs] was replaced by another application with same
description. Do you want to accept replacement of this application?"

-Various programs fail to start with the message;
"The application failed to initialize properly (0xc0000005)"
Or;
"has encountered a problem and needs to close.
We are sorry for the inconvenience."

-Some programs will load into the taskmanager, then unload and disappear.

-Various Taskbar icons disappear, but are still loaded in the Taskmanager List

-Seems most .exe files are trying to connect to the internet;
Firewall detects "Outgoing connection Alert!"
[various different programs]' from your computer wants
to connect to...[Different IP's for the same program]

Over time after new programs are installed, symptoms like these occur with various programs.
______________
Windows;
-R-Click on Taskbar "properties" produces error message "DEP To help protect your computer,
Windows has closed this program. Windows Explorer

Which then clicking on the "Close message" button produces;
"Windows Explorer has encountered a problem and needs to close.
We are sorry for the inconvenience." Please tell Microsoft about this problem.

Then clicking on "Don't Send" error report button produces error message;
"Windows Explorer has encountered a problem and needs to close.
We are sorry for the inconvenience." If you were in the middle of something,
the information you were working on might be lost.

clicking on the "close" button produces the same error message;
"Windows Explorer has encountered a problem and needs to close.
We are sorry for the inconvenience." If you were in the middle of something,
the information you were working on might be lost.

Clicking the "Close" button then restarts Explorer

******** Problem is fixed by copying over explorer.exe with a new copy, but returns.
______________
Windows;
Folders stopped remembering their location & size on the desktop, and all open
at the same size and location
______________
BitDefender Threat Scanner;
A file containing error info has been created at C:\windows\Temp\BitDefender Threat Scanner.dmp.
You are strongly encouraged to send the file to the developers of the application for further investigation
of the error.

Clicking on the "OK" button will not dismiss the error message.
Terminating in taskmanager fails, R-click in taskmanager/Go TO Process shows csrss.exe
Attempt to end process csrss.exe produces message
"This is a critical system process" / "Unable to terminate process"
BitDefender error message can't be terminated
______________
-CCleaner;
Critical Error: The thread attempted to read from or write to a virtual
address for which it does not have the appropriate access

When the "Report" button is clicked;
"CCleaner has encountered a problem and needs to close.
We are sorry for the inconvenience."
_______________
-Unlocker;
EVERYTIME unlocker is run

Firewall detects "Outgoing connection Alert!"
'UNLOCKER.EXE' from your computer wants to connect to
p3nw8shg363.shr.prod.phx3.secureserver.net [50.63.197.139], port 80

I've never known this program to try to connect to the internet every time it's run
_______________
Spybot;
SDTray.exe
Does not load but Following error appears and disappears;
"Access violation at address 5005C1DA in module 'rtl150.bpl'. Read of address 00000024"

System Scan Freezes
_______________
CpuThermometer stops showing CPU temp values, only load percent figures
_______________
Firefox;
"has encountered a problem and needs to close.
We are sorry for the inconvenience."
_______________
Skype;
"has encountered a problem and needs to close.
We are sorry for the inconvenience."
_______________
Herdprotect;
"has encountered a problem and needs to close.
We are sorry for the inconvenience."

and on and on...
 

Any help much appreciated going into the New Year!


Edited by ranosb, 30 December 2014 - 09:46 PM.



#2 ImBackHerobrine


Posted 31 December 2014 - 11:55 PM

Try running these if you can with a log.
Run RKill from http://www.bleepingcomputer.com/download/rkill/. When it finishes, a log will be made. Get the log and post it in a reply.

 

Run MBAM from http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/. When it is done, restart your computer like it says (if anything is found) and go to History at the top bar, click Application Logs, in the bottom left click Copy to Clipboard. Go to here and paste it in a reply.


Edited by ImBackHerobrine, 31 December 2014 - 11:56 PM.


#3 ranosb


Posted 01 January 2015 - 12:37 AM

Rkill;

 

Firewall notification:

'Generic Host Process for Win32 Services' from your computer
wants to connect to 192.168.0.1, port 1780
c:\windows\system32\svchost.exe

 

Selected "BLOCK"

_________________

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/01/2015 01:37:47 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\stsystra.exe (PID: 280) [WD-HEUR]

1 proccess terminated!

Active Proxy Server Detected

 * Proxy Disabled.
 * ProxyOverride value deleted.
 * ProxyServer value deleted.
 * AutoConfigURL value deleted.
 * Proxy settings were backed up to Registry file.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Backup Registry file created at:
 C:\Documents and Settings\Owner.YOUR-91C20D4A42\Desktop\rkill\rkill-01-01-2015-01-37-57.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * System Restore Disabled

   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
   "DisableSR" = dword:00000001

Checking Windows Service Integrity:

 * System Restore Service (srservice) is not Running.
   Startup Type set to: Automatic

 * Automatic Updates (wuauserv) is not Running.
   Startup Type set to: Disabled

 * System Restore Filter Driver (sr) is not Running.
   Startup Type set to: Disabled

Searching for Missing Digital Signatures:

 * C:\WINDOWS\System32\kernel32.dll : 989,696 : 04/14/2008 03:41 AM : c24b983d211c34da8fcc1ac38477971d [NoSig]

 * C:\WINDOWS\System32\wiaservc.dll : 333,312 : 08/09/2004 10:00 PM : d70b7f840dc21f1fd5d1a7aabfff5740 [NoSig]

 

Checking HOSTS File:

 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.

 * HOSTS file entries found:

  127.0.0.1    localhost
  127.0.0.1    www.verisign.com.au
  127.0.0.1    www.verisign.com
  127.0.0.1    www.verisign.be
  127.0.0.1    www.verisign.com.sg/
  127.0.0.1    getmyip.org
  127.0.0.1    getmyip.co.uk
  127.0.0.1    checkip.dyndns.org
  127.0.0.1    188.95.51.205
  127.0.0.1    94.100.17.52
  127.0.0.1    pog.com
  127.0.0.1    media1first.com
  127.0.0.1    engine.phn.doublepimp.com
  127.0.0.1    ads.ibtracking.com
  127.0.0.1    Ftr.freewebcams.com
  127.0.0.1    55624-3.popunder.loading-delivery1.com
  127.0.0.1    70059-3.popunder.loading-delivery1.com
  127.0.0.1    media1first.com
  127.0.0.1    offer.alibaba.com
  127.0.0.1    lazada.com

  20 out of 15707 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 01/01/2015 01:39:20 PM
Execution time: 0 hours(s), 1 minute(s), and 33 seconds(s)

_______________________


Edited by ranosb, 01 January 2015 - 02:21 AM.
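The HOSTS entries Rkill printed above (Verisign, getmyip, checkip.dyndns.org pointed at 127.0.0.1, plus bare IP literals in the hostname column) are the pattern of malware that stops a machine reaching security vendors or learning its own public address. As an added example, not part of this thread or of Rkill, here is a small Python audit of a HOSTS file that flags exactly that pattern; the watchlist is an assumption seeded from the domains in the log, and the sample file is constructed.

```python
"""Audit a Windows HOSTS file for entries that sinkhole IP-check and
security-vendor domains.  Added example; the watchlist is an assumption
seeded from the domains in the Rkill output, not a complete list."""
import ipaddress

# Domains malware commonly points at 127.0.0.1 so the host cannot reach
# a security vendor or learn its own public address (assumed watchlist).
WATCHLIST = {
    "verisign.com", "verisign.com.au", "verisign.com.sg", "verisign.be",
    "getmyip.org", "getmyip.co.uk", "checkip.dyndns.org",
}
SINKHOLE_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (target, hostname, line_no); comments and blank lines skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name, n


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def suspicious_entries(text):
    """Return [(line_no, hostname, reason)] for entries a responder should review.
    Ordinary ad-blocking entries (127.0.0.1 ads.example) are left alone."""
    findings = []
    for target, name, n in parse_hosts(text):
        name = name.lower().rstrip("/")  # Rkill showed 'www.verisign.com.sg/'
        if name == "localhost":
            continue
        if target not in SINKHOLE_TARGETS:
            findings.append((n, name, f"redirects to {target}"))
        elif is_ip_literal(name):
            # '127.0.0.1  188.95.51.205' can never match a DNS query; it is
            # residue of whatever wrote the file, so flag it.
            findings.append((n, name, "IP literal used as hostname"))
        elif any(name == d or name.endswith("." + d) for d in WATCHLIST):
            findings.append((n, name, "sinkholes IP-check/security domain"))
    return findings


# Constructed sample modelled on the entries Rkill printed in the thread.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
127.0.0.1    www.verisign.com
127.0.0.1    www.verisign.com.sg/
127.0.0.1    checkip.dyndns.org
127.0.0.1    188.95.51.205
127.0.0.1    ads.ibtracking.com
10.0.0.5     update.example.test
"""

if __name__ == "__main__":
    for line_no, host, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host}: {reason}")
```

On a real machine, read C:\Windows\System32\drivers\etc\hosts and pass its text to suspicious_entries(); Rkill's "20 out of 15707 entries" figure shows why an automated pass beats reading it by eye.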


#4 ranosb


Posted 01 January 2015 - 02:25 AM

-MBAM Log;

 

Scan, 1/1/2015 15:25:00, SYSTEM, YOUR-91C20D4A42, Manual, Start:1/1/2015 15:16:17, Duration:8 min 43 sec, Hyper Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
(end)

_____________

-Tdsskiller
MD5 (Forged) Kernel drivers
C:\windows\system32\DRIVERS\bcmwl5.sys
C:\windows\system32\DRIVERS\yk51x86.sys
C:\windows\system32\DRIVERS\rdbss.sys

Repeated scannings & send to quarantine continue to show the same;
C:\windows\system32\DRIVERS\nv4_mini.sys
C:\windows\system32\DRIVERS\wiaservc.dll
_____________________________________________
RogueKiller; Freezes on Disk Scan with Error Message

"Anti-malware tool has encountered a problem and needs to close. We are sorry for the inconvenience."

IAT:inI (Hook.IEAT) explorer.exe [2020] rtl150.bpl @Classes@TReader@
C:\windows\system32\DRIVERS\Cdralw2k.sys
C:\windows\system32\DRIVERS\Cdr4_xp.sys
_____________________________________________
 


Edited by ranosb, 01 January 2015 - 02:46 AM.


#5 ranosb


Posted 01 January 2015 - 10:42 PM

-Dr.Web CureIt! causes a reboot on run

 

Within 5 seconds of a fresh copy of C:\WINDOWS\system32\WIASERVC.DLL,

the file size changes from 141kb to 325kb, which also changes its MD5

-C:\WINDOWS\system32\wiaservc.dll            [MD5 checksum did not match!]

 

Within 2 days

MD5 checksum verify on a few selected files;

-C:\WINDOWS\system32\drivers\yk51x86.sys       [MD5 checksum did not match!]

-C:\Program Files\Mozilla Firefox\updater.exe         [MD5 checksum did not match!]


Edited by ranosb, 02 January 2015 - 05:00 PM.


#6 boopme


Posted 02 January 2015 - 08:15 PM

Do not run RogueKiller or ComboFix; it appears they can bork this machine.


Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
    Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



    Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
    ADW Cleaner

    Please download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.
  • -- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on each one and uncheck any items you want to keep (except you cannot uncheck Chrome and Firefox preferences lines).



    Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
  • Last run ESET.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the ESET Smart Installer icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.


#7 ranosb


Posted 03 January 2015 - 08:44 AM

[MiniToolBox]

Result.txt
http://tny.cz/c5a04b5b
_____

[TDSSKiller]

Firewall Outgoing Connection Alert!
'TDSS rootkit removing tool' from your computer wants to connect to 4.59.181.216, port 80
 [Selected BLOCK]

TDSSKiller.Log
http://tny.cz/e7a2d0a1
_____

[AdwCleaner]

Firewall Outgoing Connection Alert!
'Aut2Exe' from your computer wants to connect to sd-1.archive-host.com [91.121.50.65], port 80
 [Selected BLOCK]

AdwCleaner[S0].txt
http://tny.cz/be24f307
_____

[Junkware Removal Tool]

JRT.txt
http://tny.cz/5f52fed2
_____

[ESET Online Scanner]

ESET found no infections



#8 boopme


Posted 03 January 2015 - 12:32 PM

Ok, I do not like these md5summer.exe files.
I do not want to remove them here as it needs special tools.

md5summer.exe is a kind of ransomware that can encrypt the files, pictures or other documents on the infected computers.

It gets in by masquerading as video codecs which you need to install so that you can view some videos.

Please follow this Preparation Guide, do steps 6,7 and 8 and post in a new topic.
Let me know if all went well.

#9 ranosb


Posted 03 January 2015 - 05:31 PM

I need a Md5 checker to verify files when transferring files to external drives, and was using it to verify system/program files for virus modification. I downloaded this program for that use. Can you suggest another?

 

Since running the cleanup programs;

 

ADWCleaner or one of the other cleanup programs/ or a still active virus now causes peerblock to stop working with the error msg;

"PeerBlock requires administrator privileges to run"

"PeerBlock is unable to load the packet filtering driver. pbfilter.sys can't be found"

 

R-Click on a file or pressing the DEL button now causes explorer.exe to crash. Used ShellExView and disabled MBAMShlExt which fixed the problem; something doesn't want megabytes in the context menu.

 

Opening the CLSID in regedit for that key shows;

[HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32]
@=""
"ThreadingModel"="Apartment"
"~~Disabled~~"="C:\\Program Files\\Malwarebytes\\mbamext.dll"


Edited by ranosb, 03 January 2015 - 05:58 PM.


#10 boopme


Posted 03 January 2015 - 08:50 PM

This is why I want to get the new topic for a deeper look at what is going on.
We can get you a MD5 tool there also.
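The poster's firewall was doing a hash check by hand (post #1), saw wiaservc.dll change size and MD5 within seconds of being replaced (post #5), and asked for a replacement checker (post #9). As an added example, not a tool from this thread or from BleepingComputer, here is a minimal Python baseline-and-verify script that records digest, size and mtime separately, so a file whose contents change while size and timestamp stay the same (the "hook maybe?" case in post #1) is reported distinctly from an ordinary modification; the sample file is constructed in a temp directory.

```python
"""Hash baseline for files, with size and mtime tracked separately so that a
content change that leaves both untouched is reported on its own.  Added
example, not a tool from the thread; SHA-256 replaces the MD5 the poster used
because MD5 collisions are cheap to construct."""
import hashlib
import os
import tempfile

def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file read in chunks so large binaries do not fill RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths):
    """Record digest, size and whole-second mtime for every path."""
    base = {}
    for p in paths:
        st = os.stat(p)
        base[p] = {"sha256": file_digest(p), "size": st.st_size,
                   "mtime": int(st.st_mtime)}
    return base

def verify(base):
    """Return {path: status}: 'ok', 'missing', 'modified', or
    'content-changed-metadata-same' when the digest differs but size and
    mtime match, which is what an in-place patched binary looks like."""
    report = {}
    for p, rec in base.items():
        if not os.path.exists(p):
            report[p] = "missing"
            continue
        st = os.stat(p)
        if file_digest(p) == rec["sha256"]:
            report[p] = "ok"
        elif st.st_size == rec["size"] and int(st.st_mtime) == rec["mtime"]:
            report[p] = "content-changed-metadata-same"
        else:
            report[p] = "modified"
    return report

def demo():
    """Constructed demo: baseline a file, overwrite one byte in place,
    restore its timestamp, verify.  Returns the status verify() assigned."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.dll")  # constructed file, not a real DLL
        with open(p, "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)
        st = os.stat(p)
        base = build_baseline([p])
        with open(p, "r+b") as f:  # same-size change, size stays 102 bytes
            f.seek(10)
            f.write(b"\xcc")
        os.utime(p, (st.st_atime, st.st_mtime))  # put the mtime back
        return verify(base)[p]

if __name__ == "__main__":
    print(demo())  # content-changed-metadata-same
```

Take the baseline from a known-clean source (install media or a backup), not from the suspect machine, since a baseline recorded after infection will report the tampered files as "ok".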



