Affected by Win32/Sathurbot and Backdoor:Win32/Simda.A


  • This topic is locked
7 replies to this topic

#1 francescoboc

francescoboc

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:42 PM

Posted 22 March 2015 - 07:06 AM

Hello, I am new to this community.

I just registered because I need help!

I am running Windows 8.1 64 bit and last day Windows Defender started to pop up alerts about malicious software activity. I got frightened, so, after a full system scan (that detected 4 or 5 files and quarantined them), I downloaded Malwarebytes Anti-Malware and Spybot Search & Destroy.

They both found other files, especially located in C:\ProgramData\Microsoft\Security\Client, and deleted/quarantined them, so I thought my PC was clean.

Well, today, just to make sure, I ran again a Malwarebytes scan, and it found the same 2 files that it deleted a couple of days ago! They were still located at C:\ProgramData\Microsoft\Security\Client or some Temp subfolders, and they are .dll or .exe files. The Malwarebytes report says that they are Win32/Sathurbot and Win32/Simda.A trojan horses.

Now I have removed them again, but I am afraid they might be created again at the next reboot.

 

Can someone help me? 

I am attaching the two reports of FRST.

 

Thank you very much,

 

Francesco


#2 BrianDrab

BrianDrab

  • Malware Response Team
  • 266 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:42 PM

Posted 22 March 2015 - 03:22 PM

Hi. My name is Brian, and I would be happy to look into your issue.
 


- General Instructions -

  • Please read all instructions and fixes thoroughly. Read the ENTIRE post BEFORE performing any steps so you understand all that needs to be done.
  • I would advise printing any instructions for easy reference as some of the fixes may require you to boot in Safe mode. Access to these instructions may not be available in Safe Mode.
  • Any fixes provided by myself are for this log file only and should not be used on any other systems.
  • Do not run any other removal software or perform updates other than the ones I provide, as it will complicate the cleaning process.
  • It's very likely that part of our cleanup will include emptying your recycle bin. If you use your recycle bin as an archive and do not wish this to be emptied, please let me know.
  • You have 4 days to reply to each post or the topic will be closed.
  • Please feel free to ask any questions, especially if you are having problems with my instructions.


- Save ALL Tools to your Desktop-

 

All tools that I have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.
 
Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.
Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.
 

- Finally Before We Start-

 
Removing malware is a complicated multiple-step process. Please stay with me until I have declared your system clean. I strongly recommend you back up your personal files and folders. Although rare, attempting to remove malware can render your machine unbootable or cause data loss. Having backups of your data is your responsibility. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

 

 

 

It appears you may have run Combofix or AdwCleaner. Have you?

 

Please do the following.

 

Step#1 - CKScanner
1. Download CKScanner by askey127 from here & save it to your Desktop.
2. Right-click on CKScanner.exe then click Run as Administrator to open. Allow if prompted.
3. Click Search For Files
4. When the cursor hourglass disappears, click Save List To File
5. A message box will verify the file saved
6. Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply.

 

Step#2 - Retrieve Malwarebytes Log
1. Open up the Malwarebytes program again. You can simply double click on the shortcut on your desktop that says "Malwarebytes Anti-Malware".
2. Click the History button as shown in the picture below.
3. Click Application Logs as shown in the picture below.
4. Put a check mark next to Scan Log as shown in the picture below.
5. Click the view button as shown in the picture below.

 

 

 

Items for your next post

1. CKFiles log

2. Malwarebytes log

 

 



#3 francescoboc

francescoboc
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:42 PM

Posted 23 March 2015 - 04:20 AM

Hello Brian, and thank you very much for your time.

It's ok for me to empty the recycle bin, I don't usually use it as a folder.

 

I am posting the logs:

-Here is the one from CKFiles:

 

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\users\francesco boccardo\desktop\apophysis\apophysis.7x16.x86_amd64\plugins\crackle.x64.dll
c:\users\francesco boccardo\desktop\apophysis\apophysis.7x16.x86_amd64\plugins\crackle.x86.dll
c:\users\francesco boccardo\music\reggae-faves\rockers (no crackers).m4a
c:\users\francesco boccardo\music\tchaikovsky - the nutcracker, swan lake, sleeping beauty ballet suites (karajan, p.o) (1952)\pyotr ilyich tchaikovsky - the nutcracker, swan lake, sleeping beauty ballet suites.log
scanner sequence 3.ZZ.11.OUAPNZ
 ----- EOF ----- 
 
-And here is the one from Malwarebytes:
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Data scansione: 23/03/2015
Ora scansione: 09:46:25
File di log: 
Amministratore: Si
 
Versione: 2.00.4.1028
Database malware: v2015.03.22.06
Database rootkit: v2015.02.25.01
Licenza: Premium
Protezione da malware: Attivata
Protezione da siti web nocivi: Attivata
Autoprotezione: Disattivata
 
SO: Windows 8.1
CPU: x64
File system: NTFS
Utente: Francesco
 
Tipo di scansione: Scansione elementi nocivi
Risultati: Completata
Elementi analizzati: 420760
Tempo impiegato: 32 min, 12 sec
 
Memoria: Attivata
Esecuzioni automatiche: Attivata
File system: Attivata
Archivi compressi: Attivata
Rootkit: Disattivata
Euristica: Attivata
PUP: Attivata
PUM: Attivata
 
Processi: 0
(Nessun elemento malevolo rilevato)
 
Moduli: 0
(Nessun elemento malevolo rilevato)
 
Chiavi di registro: 0
(Nessun elemento malevolo rilevato)
 
Valori di registro: 0
(Nessun elemento malevolo rilevato)
 
Dati di registro: 0
(Nessun elemento malevolo rilevato)
 
Cartelle: 0
(Nessun elemento malevolo rilevato)
 
File: 0
(Nessun elemento malevolo rilevato)
 
Settori fisici: 0
(Nessun elemento malevolo rilevato)
 
 
(end)
 
 
(Sorry, I can see it's in Italian!)
 
F.


#4 BrianDrab

BrianDrab

  • Malware Response Team
  • 266 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:42 PM

Posted 23 March 2015 - 08:17 AM

There is evidence of illegal software on your machine. As a result I can't help you further.

 

S2 Service KMSELDI; C:\Program Files\Microsoft Office\KMSpico\Service_KMS.exe [1069248 2014-02-06] () [File not signed]

Task: {9D8253B6-9E2C-4B63-AE35-18AECDC8532F} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\Microsoft Office\KMSpico\AutoPico.exe [2014-02-06] ()

 

 

This service is provided to you, without charge, by people who volunteer their own time to help.
There is an implied trust that you will respect that donated time, and provide all the information possible to bring the dialog to a successful conclusion.
If false information is provided, that trust is violated, and no further help will be given.
This thread will be closed.
 


Edited by BrianDrab, 23 March 2015 - 01:17 PM.
Add reason why I can't assist
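The two FRST lines quoted above are the shape in which FRST reports a service and a scheduled task: state, name, launch path, size/date in brackets, publisher in parentheses, and an optional signing note. As an added example (not code from this thread, from FRST's author, or from BleepingComputer), here is a small Python triage script that parses lines of that shape and flags the entries a responder would look at first: binaries marked "File not signed", entries with no publisher recorded, and entries launching from ProgramData, Temp or AppData paths such as the one the original poster saw files reappearing in. It also reports directories shared by more than one persistence entry, which is how a second log can reveal what an edited log left out. The sample input is constructed: two lines are the ones quoted in post #4, the other two are hypothetical entries written in the same style. The regular expressions cover only this line shape and are an assumption about FRST's output, not its specification.

```python
import re
from dataclasses import dataclass

# Constructed sample input. Lines 1 and 3 are the two FRST entries quoted in
# post #4; lines 2 and 4 are hypothetical entries in the same style (one
# ordinary signed service, one unsigned task launching from ProgramData) so
# the triage has something to keep and something to flag.
SAMPLE_LOG = r"""
S2 Service KMSELDI; C:\Program Files\Microsoft Office\KMSpico\Service_KMS.exe [1069248 2014-02-06] () [File not signed]
R2 ExampleSvc; C:\Program Files\Example Corp\examplesvc.exe [204800 2014-11-21] (Example Corp)
Task: {9D8253B6-9E2C-4B63-AE35-18AECDC8532F} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\Microsoft Office\KMSpico\AutoPico.exe [2014-02-06] ()
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\ExampleUpdater => C:\ProgramData\Example\Temp\update.exe [2015-03-20] () [File not signed]
"""

# Assumed line shapes (derived from the quoted lines, not from FRST documentation):
#   <state> <name>; <path> [<size> <date>] (<publisher>) [File not signed]
#   Task: {<guid>} - <task name> => <path> [<date>] (<publisher>) [File not signed]
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?\.(?:exe|dll|sys))\s+"
    r"\[(?P<meta>[^\]]*)\]\s+\((?P<publisher>[^)]*)\)(?P<tail>.*)$",
    re.IGNORECASE,
)
TASK_RE = re.compile(
    r"^Task:\s+\{(?P<guid>[0-9A-Fa-f-]+)\}\s+-\s+(?P<name>.+?)\s+=>\s+"
    r"(?P<path>.+?\.(?:exe|dll|vbs|bat|cmd|js))\s+\[(?P<meta>[^\]]*)\]\s+"
    r"\((?P<publisher>[^)]*)\)(?P<tail>.*)$",
    re.IGNORECASE,
)

# Directory fragments that legitimate services rarely launch from; the first
# matches the location named in the original post.
SUSPECT_DIRS = ("\\programdata\\", "\\temp\\", "\\appdata\\", "\\users\\public\\")


@dataclass
class Entry:
    kind: str        # "service" or "task"
    name: str
    path: str
    publisher: str
    signed: bool     # False when FRST appended "[File not signed]"


def parse_frst(text: str) -> list[Entry]:
    """Parse service and scheduled-task lines; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        kind = "service"
        if not m:
            m = TASK_RE.match(line)
            kind = "task"
        if not m:
            continue
        entries.append(Entry(
            kind=kind,
            name=m.group("name").strip(),
            path=m.group("path").strip(),
            publisher=m.group("publisher").strip(),
            signed="file not signed" not in m.group("tail").lower(),
        ))
    return entries


def assess(entry: Entry) -> list[str]:
    """Return the reasons an entry deserves a closer look (empty = nothing noted)."""
    reasons = []
    if not entry.signed:
        reasons.append("binary is not digitally signed")
    if not entry.publisher:
        reasons.append("no publisher recorded")
    if any(d in entry.path.lower() for d in SUSPECT_DIRS):
        reasons.append("launches from a user-writable data/temp directory")
    return reasons


def triage(text: str) -> list[tuple[Entry, list[str]]]:
    """Parse the log and keep only entries with at least one reason."""
    return [(e, assess(e)) for e in parse_frst(text) if assess(e)]


def shared_directories(entries: list[Entry]) -> dict[str, list[str]]:
    """Map each directory referenced by more than one persistence entry to those entries."""
    by_dir: dict[str, list[str]] = {}
    for e in entries:
        directory = e.path.lower().rsplit("\\", 1)[0]   # rsplit: works off-Windows too
        by_dir.setdefault(directory, []).append(e.name)
    return {d: names for d, names in by_dir.items() if len(names) > 1}


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"[{entry.kind}] {entry.name}\n    {entry.path}")
        for r in reasons:
            print(f"    - {r}")
    for directory, names in shared_directories(parse_frst(SAMPLE_LOG)).items():
        print(f"shared directory {directory}: {', '.join(names)}")
```

Run it as a script to print the report, or import it and feed `triage()` the Services and Scheduled Tasks sections of a real FRST.txt. The point of `shared_directories()` is the one post #7 makes: a service and a task that launch from the same folder corroborate each other, so removing a line from one tool's log does not remove the evidence from another.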


#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,560 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:01:42 PM

Posted 23 March 2015 - 01:48 PM

Greetings,

I will be taking over the Topic as BrianDrab is not available to continue on.

Your logs indicate the presence of pirated software on your computer. If you are willing to remove Microsoft Office please let me know when you have done so and we will see if we can address your issues.

Edited by Oh My!, 23 March 2015 - 02:11 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 francescoboc

francescoboc
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:42 PM

Posted 23 March 2015 - 06:23 PM

Hello Oh My! and thank you for answering.

Sorry for the waste of time, but I cannot uninstall Microsoft Office right now because I need it to finish my university thesis. I know that I shouldn't use it cracked, and there are free alternatives like OpenOffice and so on.

 

I have just a question. I deliberately removed from the CKScanner log the line that was talking about KMSpico.exe, because I know that software and I trust that it isn't the cause of the infection: how and where did BrianDrab find that line of log that he quoted?

 

Anyhow, sorry again for the waste of time and keep up the good work.

 

F.



#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,560 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:01:42 PM

Posted 23 March 2015 - 06:28 PM

I don't know but I would assume there is additional information you did not delete.

Thanks for touching base, I will close this Topic.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,560 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:01:42 PM

Posted 23 March 2015 - 06:29 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
