Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Eraem Vire Studaa 2021 Virus


  • This topic is locked This topic is locked
17 replies to this topic

#1 Proszz

Proszz

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:13 PM

Posted 18 January 2015 - 05:41 PM

Hello, lately my computer have been really slow, so i did some research in my computer and found some files.

In task manager i found naiqte.exe and abafilm.exe, both from Eraem Vire Studaa 2021.

Also found other suspicious stuff like atieclxx.exe , csrss.exe and dllhost.exe , althought i'm not sure if those are viruses or not...

Also in Windows boot there is other files from Eraem Vire Studaa. Quite a lot really. Feyhxyxyo , Zayxleexsei, 3 of each...

 

In advance, thanks.

Attached Files

  • Attached File  1.png   50.87KB   0 downloads
  • Attached File  2.png   20.32KB   0 downloads


BC AdBot (Login to Remove)

 


m

#2 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Thailand
  • Local time:08:13 PM

Posted 18 January 2015 - 11:12 PM

Hello Proszz and welcome to BleepingComputer!    :)

 

My name is Sirawit and I'm here to help you.

 

Please note that I'm currently in training and my fixes need to be approved first, that may delay our fix a bit, but I will normally reply back in 24 hours.

 

If I don't reply after 2 days, feel free to PM me.     :)

==========================================================================

Some points for you to keep in mind:

  • Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please don't run Combofix on your own.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • Periodically update me on the condition of your computer, and provide detail in every post.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end with some additional information on how to stay malware-free.
  • Lastly, I would like to remind you that most members here are volunteers, and sometimes "real life" can get in the way of our malware hunt. I will notify you if I know I will need to be away for longer than 48 hours.

==========================================================================

 

Farbar Recovery Scan Tool (FRST)

  • Download Farbar Recover Scan Tool for either 32 bit or 64 bit systems and save it to your desktop.
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should.
  • Double click the icon.
  • Click Yes to the disclaimer.
  • Make sure the Addition.txt box is checked.
  • Click Scan and allow the program to run.
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen.
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#3 Proszz

Proszz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:13 PM

Posted 19 January 2015 - 08:27 AM

FRST.txt

 

Spoiler
 
Addition.txt
 
Spoiler

Edited by Proszz, 19 January 2015 - 08:28 AM.


#4 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Thailand
  • Local time:08:13 PM

Posted 20 January 2015 - 12:09 PM

Hi Proszz. Please don't put your logs in Spoiler, just copy and paste.
 
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so viaStart > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

 

 

 

One or more of the identified infections is a backdoor trojan.
 
This allows hackers to remotely control your computer, steal critical system information and download and execute files.
 
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
 
Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
 
 
We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
 
 
 
We need to run a fix with FRST:
  • Please download the attached fixlist.txt file and save it to the same location as FRST
    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply
==========

 

After the fix was completed, please create new FRST log for me.

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#5 Proszz

Proszz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:13 PM

Posted 20 January 2015 - 04:12 PM

Hello, i did everything just as you said till the restart point.

I downloaded the file and put it in the same place as the FRST64.exe and click fix. After this process finish i click ok to restart the computer... Then poof, blue screen after putting the password... 

 

Thanks in advance.



#6 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Thailand
  • Local time:08:13 PM

Posted 22 January 2015 - 12:09 AM

Hi Proszz.

 

Please try this:

  • Turn on your computer, as soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Please use arrow key to select "Last Known Good Configuration (advanced)" and press Enter.
  • Windows will continue to boot, please try logging in.

Does it BSOD this time?

 

If it still won't work then please try this:

 

 

On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html



To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========


Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#7 Proszz

Proszz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:13 PM

Posted 24 January 2015 - 06:58 AM

Hello Siriwat.

Im using an HP Pavillion g6 Notebook

 

And i cant find Advanced boot options.

F8 Dont work for that



#8 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Thailand
  • Local time:08:13 PM

Posted 24 January 2015 - 12:22 PM

Hi Proszz.

 

You need to tap F8 key repeatedly before Windows logo appears, try tapping it since HP logo appears. 

 

Also please read this guide: http://windows.microsoft.com/en-us/windows/using-last-known-good-configuration#1TC=windows-7

 

Can you able to access Advanced Boot Options now?

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#9 Proszz

Proszz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:13 PM

Posted 25 January 2015 - 06:14 AM

Hi. i did that but when it starts to boot the screen gets black and stuck there



#10 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Thailand
  • Local time:08:13 PM

Posted 25 January 2015 - 07:39 AM

Hi Proszz.

 

After you go in Advanced Boot Options screen, please select repair your computer, did the screen goes black this time?

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#11 Proszz

Proszz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:13 PM

Posted 25 January 2015 - 07:50 AM

Yes... Black again



#12 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Thailand
  • Local time:08:13 PM

Posted 27 January 2015 - 11:50 AM

Hi Proszz.

 

Try this please. You will need a USB drive and a clean computer.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer

  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Right click on xPUD_userinit_fix and save it to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB. You may need to press another F-key, depending on your computer.
  • Follow the prompts
  • Welcome to xPUD screen will appear
  • Choose English as a language
  • After the program has been loaded, press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see xPUD_userinit_fix.ndf that you downloaded there
  • Double click on xPUD_userinit_fix.ndf to run the script. This may take some time, please be patient.
  • After it has finished a report will be located on your USB drive named UserinitReport.txt
  • When you see the information "All Done", click on Home -> Power Off -> Turnoff
  • Remove the USB drive and insert it back in your working computer and navigate to UserinitReport.txt
  • Copy and paste the UserinitReport.txt for my review.

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#13 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Thailand
  • Local time:08:13 PM

Posted 30 January 2015 - 01:29 PM

Are you still here?

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#14 Proszz

Proszz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:13 PM

Posted 30 January 2015 - 02:48 PM

Yes, sorry, ill do it

#15 Proszz

Proszz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:13 PM

Posted 31 January 2015 - 03:20 PM

Hello, will this do something in the clean computer? Cause it is my fathers computer, and if something happens im dead...

 

Thanks






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users