

wujq.pif Trojan


This topic is locked. 4 replies to this topic.

#1 Sensator

  • Members
  • 2 posts

Posted 18 June 2015 - 12:21 PM

I appear to have contracted some sort of trojan that I think is trying to infect every .exe on my computer.

 

Right now my antiviruses are going nuts, I've added screenshots of it. No matter how many times I remove the infected files they keep coming back.

 

My dropbox is telling me that .exe files are mismatched to what is backed up on the cloud, meaning that they've changed in some way, probably infected but who knows.

 

I first saw this after running a Malwarebytes scan and it showed up. After that I downloaded and ran RKill, which told me that it ended a certain 3dg4me.exe process and restored the firewall permissions in the registry. After that my PC restarted and I downloaded and ran ComboFix. ComboFix also removed a bunch of stuff, I've added that log. After that I restarted again and it seems like it is infecting more stuff, Spotify no longer works and a bunch of other stuff has stopped working.

 

I'm probably going to format all my hard drives to nuke this thing, I've tried Googling around and I can't find anything that specific on what I've got.

 

Thanks for any help I'll check in the morning.

Attached Files




#2 B-boy/StyLe/ (Bleepin' Freestyler)

  • Malware Response Team
  • 8,285 posts
  • Gender:Male
  • Location:Bulgaria

Posted 21 June 2015 - 01:38 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

Trojan.Malpack.Gen is usually a sign of Sality... Usually we recommend that users format all drives and reinstall from scratch, but if that is not possible I can try to clean the infection for you.

Let me check how bad the situation is.

 

 

STEP 1

 

Download and run the following MSFixIt tool and follow the prompts (reboot if asked) to disable Autorun.

 

 

STEP 2

 

 

Next please go ahead and disable System Restore temporarily. See the link below for more information:

Disable System Restore in Windows 7

 

 

 

STEP 3

 

 

Download SalityKiller and save it to your desktop.

Next click Start > All Programs > Accessories, right click on Command Prompt and select "Run as administrator".

Copy/paste the following text at the command prompt and press enter after it:

"%userprofile%\desktop\salitykiller.exe" -n -r -x -a -j -k -l c:\report.txt

A report file should be created in the root directory of drive C:\ => C:\report.txt

Please post the content of the log in your next reply.

 

 

STEP 4

 

 

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link => Virustotal

When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Windows\system32\drivers\aepsfoil.sys

Note, if VT says the file has already been analysed, make sure you click Reanalyse.

Please post back the link with the results of the scan in your next post.

 

 

Regards,

Georgi


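The Dropbox warning in the first post (.exe files no longer matching the backed-up copies) and Georgi's request for logs both come down to one question: which executables on disk have changed since a known-good state. Below is an added example, not from this thread and not part of SalityKiller, RKill, ComboFix or any other tool mentioned here: a small Python baseline-and-compare script that hashes every PE executable under a directory, stores a manifest, and later reports files whose contents differ, the way a file infector that rewrites .exe files would show up. The directory layout, the file names, the minimal MZ/PE stubs and the baseline.json name are all constructed for the demo and are assumptions, not artifacts from the poster's machine.

```python
"""Added example: baseline-and-compare integrity check for PE executables.

Not from the BleepingComputer thread or any tool it mentions. It reproduces,
offline, the "file mismatched" signal the poster saw from Dropbox: hash every
PE file under a tree, save a manifest, and report files whose bytes changed.
All paths and sample bytes below are constructed for the demo (assumptions).
"""
import hashlib
import json
import struct
import tempfile
from pathlib import Path


def is_pe(path: Path) -> bool:
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large executables do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> {size, sha256} for every PE file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and is_pe(p):
            rel = str(p.relative_to(root))
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two manifests: changed, added, removed."""
    changed = sorted(k for k in baseline
                     if k in current and baseline[k]["sha256"] != current[k]["sha256"])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"changed": changed, "added": added, "removed": removed}


def make_fake_pe(body_len: int) -> bytes:
    """Constructed MZ+PE stub (not a runnable program) so is_pe() accepts it."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return dos_header + b"PE\0\0" + b"\0" * body_len


def demo() -> dict:
    """Take a baseline, tamper with one executable, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "spotify.exe").write_bytes(make_fake_pe(64))   # constructed
        (root / "tool.exe").write_bytes(make_fake_pe(32))      # constructed
        (root / "readme.txt").write_bytes(b"not an executable")  # ignored
        manifest_path = root / "baseline.json"               # assumed name
        manifest_path.write_text(json.dumps(build_manifest(root)))
        # Simulate an infector appending code to one executable.
        with open(root / "spotify.exe", "ab") as fh:
            fh.write(b"\xcc" * 16)
        baseline = json.loads(manifest_path.read_text())
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats when using something like this for real rather than on constructed files: the baseline must come from a state you trust (a clean install, or the backed-up copies as Dropbox used), and the comparison should be run from trusted media, since on a machine where every .exe is being rewritten the local Python interpreter is itself a candidate for infection.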


#3 Sensator (Topic Starter)

  • Members
  • 2 posts

Posted 21 June 2015 - 01:43 AM

Thanks for the help but I just blew everything away by deleting all my partitions and reinstalling windows. I now realise it was Sality though, so that's a bonus.



#4 B-boy/StyLe/ (Bleepin' Freestyler)

  • Malware Response Team
  • 8,285 posts
  • Gender:Male
  • Location:Bulgaria

Posted 21 June 2015 - 02:46 AM

Thanks for letting me know. You did the right thing. And yes, I can assure you, it was Sality.

Check your PM for more info. :)

Now I am going to close the topic.

Take care!

 

 

Regards,

Georgi




#5 B-boy/StyLe/ (Bleepin' Freestyler)

  • Malware Response Team
  • 8,285 posts
  • Gender:Male
  • Location:Bulgaria

Posted 21 June 2015 - 02:47 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





