Trojan? Security programs are all dead



#1 SethGekko


Posted 06 February 2015 - 02:23 PM

Hope I can get some help, this is perplexing me.

 

Windows 7. I had AVG Free 2015, Super AntiSpyware and Malwarebytes Anti-Malware installed. I hadn't noticed anything strange until I purchased the latest Turbotax and tried installing from the CD. The program installed until 51%, then stopped and I got a message that I did not have permission to install (I can't give exact wording, as this was a few days ago.) I don't have an admin account (home computer with me as the only user), so I right clicked on the Turbotax executable and selected "run as administrator." This time, it installed, but when I ran the program, it would open, then shut right down.

 

Anyways, this isn't a story about Turbotax, but rather my initial discovery that something was wrong. After the TT problem, I did what I always do when I have a problem - run a scan with AVG. I clicked on the AVG desktop icon, and nothing happened. I then tried running AVG from the Windows Start menu, and still nothing happened. I checked AVG support, and determined I should uninstall it (using their uninstall tool) and reinstall. I was able to uninstall it, but then when I try installing again, I get an "access denied" message. I then tried to run Superantispyware (SAS), and that's when I noticed the SAS desktop icon had changed into a generic Windows icon. And, not surprisingly, when I tried Antimalware, that icon also has changed to a generic Windows icon. Neither of those programs will run now. I tried to check my system restore, but that gives me the following message - "Windows cannot find 'C:\Windows\system32\rstrui.exe'."

 

So at that point, I realized something is truly wrong. I cannot say when or how this happened, as otherwise, my computer seems to be operating correctly. I do have TDSSKiller, RKill, Stinger, Unhide and Roguekiller on the computer. I ran all 4 of them, and none of them detected anything. I tried downloading Avast, and it won't DL completely.

 

I went into Safe mode, and downloaded a bootable Windows Defender onto a flash drive.  A full scan found no infections.  I then downloaded a bootable AVG scanner onto the flash drive.  Again, nothing detected.

 

I can only assume this is a trojan, but nothing I do will detect it. Is it possible that instead of something malicious, I may have accidentally deleted a crucial system file? I very rarely have major issues with this computer, and whenever I have, I have been able to research and correct on my own. I am at the point now that I admit I need help. I can follow directions fine, and have a safe laptop I can also use if needed. Please let me know if I need to supply any more info.

 

To conclude:

 

Turbotax will not install

AVG Free 2015 wouldn't run

AVG Free 2015 won't re-install

Superantispyware won't run

Antimalware won't run

System Restore won't run - missing file

Avast won't download

Windows Defender, TDSSKiller, RKill, Stinger, Unhide and Roguekiller all found no infections.




#2 mikey11


Posted 06 February 2015 - 02:41 PM

Download and run Malwarebytes.

If you can't do that in normal mode, do it in safe mode.



#3 SethGekko


Posted 06 February 2015 - 06:33 PM

Thank you

 

I DL'd it using my secure laptop, put it on a flash drive, started the infected computer in Safe mode, and was able to install Malwarebytes off the flash drive.

It did identify 87 dangerous files: a couple trojan.agent, and most of the rest security.hijack.

 

After that, I was able to re-install Superantispyware, and also download and install Avast.  System Restore is now working.

 

I still cannot get AVG to install, and I'm guessing that there's some residual security setting or protected file that is blocking it.  Because I can now use Avast, I won't worry too much about AVG.

 

Also, Turbotax still won't install (insufficient permission), but that may or may not be related to this issue. 

 

Thanks for the assistance.

 

 

I "may" be in the clear, but not 100% comfortable yet.  Anything else I should do?



#4 mikey11


Posted 06 February 2015 - 06:40 PM

After you ran Malwarebytes, did you click on "quarantine all"?

You should have; if not, run it again.

Also suggest downloading and running HitmanPro.



#5 boopme


Posted 06 February 2015 - 10:21 PM

You should post those logs so we can see what it found.


Also run Rkill..

Please download Rkill by Grinler and save it to your desktop.
  • Link 1
  • Link 2
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer; you will need to run the application again.


#6 SethGekko


Posted 08 February 2015 - 09:39 AM

Mikey11, yes I did quarantine all. I did run Hitman, and it found a few others. Outside of Turbotax, things look back to normal, but I'll put my logs here.

 

This is the log file from Malwarebytes, when it detected all the security hijacks:

 

 

Scan Date: 2/6/2015
Scan Time: 4:34:21 PM
Logfile: Malwarebytes log.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.06.08
Rootkit Database: v2015.02.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Paul

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 512773
Time Elapsed: 24 min, 5 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 66
Backdoor.Agent.MSC, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RAVCPL.EXE, , [e858bc5f820870c60d33b058cf339f61],
Backdoor.Agent.MSC, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RAVCPL.EXE, , [e858bc5f820870c60d33b058cf339f61],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avcenter.exe, , [6ed268b34347320488c2f854f212bd43],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avconfig.exe, , [eb558c8fdfabc67076d7b5977f857e82],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgcsrvx.exe, , [004023f8503ab383d7884efe20e49d63],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgnt.exe, , [c080bb60226850e60b5d63e95ca802fe],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgrsx.exe, , [6ed2a17a711955e1aebc0d3f2bd9817f],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avguard.exe, , [ec5444d78dfdbd79b9bad4780ef6d22e],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgui.exe, , [77c921fa6f1b95a17202eb619470b749],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgwdsvc.exe, , [d070c6552d5d1422a7d3f953ae56f907],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avscan.exe, , [360ab863602a51e5dacaee5e13f1eb15],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\blindman.exe, , [1d23ac6f5c2e8caa8307901d4cb7c33d],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ccuac.exe, , [d36da576226869cd13d86b87e61e17e9],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ComboFix.exe, , [f54bfb209febd561e8673b12e81cf10f],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\hijackthis.exe, , [61df49d2e0aa6ccac67b391564a052ae],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\keyscrambler.exe, , [d36d49d29ceed75f75752dc523e1d42c],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbam.exe, , [5fe1f229c7c31c1abb610a454bb96898],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamgui.exe, , [ac949982f1991c1a7df219e0937004fc],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbampt.exe, , [92aee6353a50cf67d98769939c68eb15],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamscheduler.exe, , [50f083981278ac8ad74e9e322fd4c43c],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamservice.exe, , [56ead14ad4b63afc4ad3d6792dd703fd],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MpCmdRun.exe, , [4df30714b4d6e353e47552fd986cac54],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCui.exe, , [ed53ab704149c274e685341b0cf81ce4],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe, , [8eb24ccff991b482443a054afb091ce4],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\msseces.exe, , [370958c30a806bcb4143014ea163fa06],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\rstrui.exe, , [84bcd14a6426181e41c766ebf3117789],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDFiles.exe, , [55eb54c74e3c181e2e60fdbfb94a817f],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDMain.exe, , [1f21b5667b0fe155e1aee1dbaf542fd1],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDWinSec.exe, , [77c9f9223258ee48820e665613f0d729],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\spybotsd.exe, , [0b351efdd0ba2c0ac427ad23ff0517e9],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\wireshark.exe, , [f749da41a0ea5fd71fcd6b87a75da957],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\zlclient.exe, , [122e8398404af640be1cb0a2ce365da3],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTSVC.EXE, , [70d0eb301575ec4a70d6272533d1748c],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE, , [91aff12a7317c571b3e3321a20e4659b],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avcenter.exe, , [a49c0a114a405bdb77d3fe4efc08e020],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avconfig.exe, , [9fa11605c1c996a058f5e765b54f7090],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgcsrvx.exe, , [df61f427e9a13ff7fe6119333ec62ed2],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgnt.exe, , [c37d978472180b2be8806ede1ce8eb15],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgrsx.exe, , [67d9e338cdbd86b070fa70dce71d2ed2],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avguard.exe, , [132d1a01e7a3bf77c8abfd4ff90bda26],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgui.exe, , [023ec9524347270f3b394408d52fc739],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgwdsvc.exe, , [75cbed2eef9bd066a7d3b09c57ad31cf],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avscan.exe, , [053bb863cdbdec4a693beb6149bbb050],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\blindman.exe, , [162ae932d9b1082eeaa0a706887b21df],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ccuac.exe, , [5ae683983357ad8979727f739272ce32],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ComboFix.exe, , [340c7ba0f29866d03f101439857fe31d],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\hijackthis.exe, , [59e7918a9ded64d22d14c6888f7514ec],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\keyscrambler.exe, , [132d5ebd2c5e5dd9d51532c051b31ce4],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbam.exe, , [a39d7d9e5832df573ce06fe0a163cd33],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamgui.exe, , [033da07bfe8c11253d32a45536cd32ce],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbampt.exe, , [2b151cffcdbd1d1984dce21a7d879769],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamscheduler.exe, , [2c1470ab008ac4723fe66d63a55ebc44],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbamservice.exe, , [ae92c15a8cfee94d9885c08fb054cb35],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MpCmdRun.exe, , [083839e24d3ddd592a2f8dc2aa5a9c64],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCui.exe, , [68d852c9aedc0c2a1556b09fcb39e61a],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe, , [c37dad6e206a3df9d5a94f00f90b639d],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\msseces.exe, , [7cc421fad8b255e198ec07480ff5a25e],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\rstrui.exe, , [86ba8893c2c8350187814e037c8824dc],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDFiles.exe, , [91af110aa8e2d066abe3b10b26ddc937],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDMain.exe, , [a19f23f8692160d61f70ab11867da45c],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDWinSec.exe, , [18288f8c3e4cc373bcd4209c38cbd729],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\spybotsd.exe, , [56ea8a913b4fa59140aba32d10f420e0],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\wireshark.exe, , [67d9d8430c7e21159a52f8fa14f0ad53],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\zlclient.exe, , [5ae6a97226643105be1c084a7b8908f8],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTSVC.EXE, , [40009d7ebad0a19565e199b3927251af],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE, , [d967bd5e6f1b89ad0294d3790004b14f],

Registry Values: 13
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTSVC.EXE|Debugger, nqij.exe, , [70d0eb301575ec4a70d6272533d1748c]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTUI.EXE|Debugger, nqij.exe, , [3d031dfe632747ef1d2b3b114fb58f71]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE|Debugger, nqij.exe, , [91aff12a7317c571b3e3321a20e4659b]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BDAGENT.EXE|Debugger, nqij.exe, , [c0808a91731793a3507c71db798bc13f]
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EGUI.EXE|Debugger, nqij.exe, , [63dd50cb9ceef145cedf0746e0249868]
Hijack.Security, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\INSTUP.EXE|Debugger, nqij.exe, , [b18f15068406e452d7101aaf29da0000]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTSVC.EXE|Debugger, nqij.exe, , [40009d7ebad0a19565e199b3927251af]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTUI.EXE|Debugger, nqij.exe, , [310f78a35139d066f454a5a79f65e020]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE|Debugger, nqij.exe, , [d967bd5e6f1b89ad0294d3790004b14f]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BDAGENT.EXE|Debugger, nqij.exe, , [380869b20a80f93d53793d0f64a054ac]
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EGUI.EXE|Debugger, nqij.exe, , [132d49d28a002f078b22fc516c98e41c]
Hijack.Security, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\INSTUP.EXE|Debugger, nqij.exe, , [99a78d8ed9b178be8e599930f11243bd]
Hijack.ShellA.Gen, HKU\S-1-5-21-4185935592-1285707758-140140404-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|shell, explorer.exe,"C:\Users\Paul\AppData\Roaming\Realtek\HD\RaVCPl.exe", , [6dd33ae1f09aeb4b7f8951344ab926da]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 8
Backdoor.Agent.MSC, C:\Users\Paul\AppData\Roaming\Realtek\HD\RaVCPl.exe, , [e858bc5f820870c60d33b058cf339f61],
Trojan.Agent.RND, C:\$Recycle.Bin\S-1-5-21-4185935592-1285707758-140140404-1000\$RRJNRHF.rar\startup(1).exe, , [61df3edd58326cca319a7b9dd62c06fa],
Trojan.Agent.RND, C:\$Recycle.Bin\S-1-5-21-4185935592-1285707758-140140404-1000\$RRJNRHF.rar\startup.exe, , [d46ce536dfab71c58d3ef8205ba72fd1],
Trojan.Agent.RND, C:\$Recycle.Bin\S-1-5-21-4185935592-1285707758-140140404-1000\$RZLI5W5.rar\setup.exe, , [c0808398bfcbbd79309ad6429270fa06],
Backdoor.Agent.Gen, C:\Users\Paul\AppData\Roaming\Winlogon.exe, , [9ea252c9cfbb77bf64e4d1dddf2442be],
Trojan.Agent, C:\Users\Paul\AppData\Roaming\csrss.exe, , [d46ceb30a9e13df91a01a2305fa4748c],
Trojan.Agent, C:\Users\Paul\AppData\Local\Temp\winlog.exe, , [7dc31efd4e3cea4cff6e15d0867d9769],
Trojan.Agent, C:\Users\Paul\AppData\Roaming\msconfig.ini, , [29170813d9b1d462112dcbf61fe521df],

Physical Sectors: 0
(No malicious items detected)


(end)


This is from Rkill, which I just ran this morning, after I identified and quarantined with Malwarebytes:

 

Program started at: 02/08/2015 09:17:02 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Windows\SysWOW64\astsrv.exe (PID: 1972) [WD-HEUR]
 * C:\Windows\SysWOW64\nlssrv32.exe (PID: 1968) [WD-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKLM\Software\Classes\exefile\shell\runas\command\\IsolatedCommand was changed. It was reset to "%1" %*!


Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost
  ::1             localhost
 

  2 out of 43 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 02/08/2015 09:20:28 AM
Execution time: 0 hours(s), 3 minute(s), and 25 seconds(s)
 


Edited by SethGekko, 08 February 2015 - 09:41 AM.
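The Malwarebytes log above shows the mechanism behind the "security programs are all dead" symptom: an Image File Execution Options key whose Debugger value points at a bogus program (nqij.exe) makes Windows launch that program in place of the named tool, and the Winlogon shell value has a second executable appended to explorer.exe for persistence. As an added example that is not part of the thread, the Python below parses a few lines copied from the posted log and reports which executables were redirected and what was added to the shell entry; the helper names (parse_log, ifeo_debuggers, ifeo_keys, winlogon_shell_extras) are my own, not Malwarebytes tooling.

```python
"""Parse Malwarebytes 2.x log lines and show the IFEO "Debugger" hijack.

Added example, not from the thread. Windows starts the Debugger value of an
Image File Execution Options key instead of the named program, so pointing
every security tool at a bogus debugger (nqij.exe here) makes them all fail
to launch, which is the symptom the thread opened with.
"""
import re

# Lines copied from the log posted in the thread. Layout of a detection line:
#   category, key[|value], data, , [detection id],   (data absent for keys/files)
SAMPLE_LOG = r"""
Registry Keys: 3
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbam.exe, , [5fe1f229c7c31c1abb610a454bb96898],
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\rstrui.exe, , [84bcd14a6426181e41c766ebf3117789],
Security.Hijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbam.exe, , [a39d7d9e5832df573ce06fe0a163cd33],

Registry Values: 3
Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTSVC.EXE|Debugger, nqij.exe, , [70d0eb301575ec4a70d6272533d1748c]
Hijack.Security, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\INSTUP.EXE|Debugger, nqij.exe, , [99a78d8ed9b178be8e599930f11243bd]
Hijack.ShellA.Gen, HKU\S-1-5-21-4185935592-1285707758-140140404-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|shell, explorer.exe,"C:\Users\Paul\AppData\Roaming\Realtek\HD\RaVCPl.exe", , [6dd33ae1f09aeb4b7f8951344ab926da]
"""

# The data field is optional and may itself contain commas (see the shell line).
LINE_RE = re.compile(
    r"^(?P<cat>[\w.]+), (?P<path>[^,]+)(?:, (?P<data>.*?))?, , \[(?P<id>[0-9a-f]{32})\],?$")
IFEO_MARK = "\\IMAGE FILE EXECUTION OPTIONS\\"

def parse_log(text):
    """One dict per detection line; headers, counts and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            key, _, value = m.group("path").partition("|")
            findings.append({"category": m.group("cat"), "key": key, "value": value,
                             "data": m.group("data") or "", "id": m.group("id")})
    return findings

def _ifeo_target(key):
    """(exe, registry view) for an IFEO key, or None when the key is not IFEO."""
    upper = key.upper()
    if IFEO_MARK not in upper:
        return None
    view = "32-bit" if "\\WOW6432NODE\\" in upper else "64-bit"
    return upper.rsplit("\\", 1)[1].lower(), view

def ifeo_debuggers(findings):
    """(exe, view) -> program Windows launches in place of exe."""
    hijacked = {}
    for f in findings:
        target = _ifeo_target(f["key"])
        if target and f["value"].lower() == "debugger":
            hijacked[target] = f["data"]
    return hijacked

def ifeo_keys(findings):
    """exe -> views in which a bare IFEO key was flagged (no value reported)."""
    keys = {}
    for f in findings:
        target = _ifeo_target(f["key"])
        if target and not f["value"]:
            keys.setdefault(target[0], set()).add(target[1])
    return {exe: sorted(views) for exe, views in keys.items()}

def winlogon_shell_extras(findings):
    """Entries appended to the Winlogon Shell value; only explorer.exe belongs there."""
    extras = []
    for f in findings:
        if f["key"].upper().endswith("\\WINLOGON") and f["value"].lower() == "shell":
            for entry in f["data"].split(","):  # Winlogon starts each entry in turn
                entry = entry.strip().strip('"')
                if entry.lower() != "explorer.exe":
                    extras.append(entry)
    return extras

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for (exe, view), dbg in ifeo_debuggers(found).items():
        print(f"{exe} ({view}) is redirected to {dbg}")
    for exe, views in ifeo_keys(found).items():
        print(f"bare IFEO key for {exe}: {', '.join(views)}")
    for extra in winlogon_shell_extras(found):
        print(f"extra Winlogon shell entry: {extra}")
```

The same parser runs over the full log as posted; on a live machine the check to repeat after cleanup is that no Debugger value remains under either the 64-bit or the WOW6432Node IFEO branch for any security tool or for rstrui.exe.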


#7 boopme


Posted 09 February 2015 - 02:09 PM

Ahh, this is what I worry about.


IMPORTANT NOTE: One or more of the identified infections is a backdoor Trojan.

Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker. Read Danger: Remote Access Trojans.

You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, paying bills, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for taxes, email, eBay, paypal and any other online activities. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password before connecting again.

Although the infection has been identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:

  • Reimaging the system
  • Restoring the entire system using a full system backup from before the backdoor infection
  • Reformatting and reinstalling the system
Backdoors and What They Mean to You

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

In your logs are Backdoor agents..

#8 SethGekko


Posted 09 February 2015 - 07:22 PM

Well that sucks . . .

 

Thanks for the info.  I have a lot of work to do . . . .



#9 boopme


Posted 10 February 2015 - 12:43 PM

If you want to clean it, post here; not recommended for PCs using financials.

Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.



