Im under Heavy DeepWeb attack, apache 0day?


7 replies to this topic

#1 Kalasznikov

  • Members
  • 4 posts

Posted 25 July 2015 - 08:04 PM

Hello, I visited a wrong site on the deep web, and I need help. Specification: Windows 8.1, Tor Browser + NoScript.
 
I entered the site, then I saw it needed a login and password to enter; there was a log in button but it was inactive (I can give you this site address but you need Tor and some secure thing... like Gentoo in VirtualBox). My Malwarebytes Anti-Malware instantly crashed and at the same time Windows Defender turned off, then I saw some 2 small black process windows with white text; after this I turned off my PC. I already knew I was in heavy trouble, so I started wiping my hard drives from the BIOS with the 1-pass method. While the wiping process was running, I wanted to find some solution, so I turned on my phone with access to my wifi network and I spotted something weird: like 1 year ago I installed Snapchat on my phone but didn't use it much, and just like 5 minutes after my PC was attacked someone with a weird name added me on Snapchat. I turned off my phone instantly and rolled it in aluminum foil.
 
After the disk wipeout I installed Windows, the LAN driver from the system CD, Chrome, and ClamWin. I scanned my PC; this is the output:
 
 
WARNING: Can't open file C:\hiberfil.sys: Permission denied
WARNING: Can't open file C:\pagefile.sys: Permission denied
WARNING: Can't open file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb: Permission denied
WARNING: Can't open file C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\MpScanCache-1.bin: Permission denied
WARNING: Can't open file C:\ProgramData\Microsoft\Windows Defender\Scans\MpDiag.bin: Permission denied
WARNING: Can't open file C:\ProgramData\Microsoft\Windows Defender\Scans\PersistedStore\MpPersistedStore.bin: Permission denied
WARNING: Can't open file C:\swapfile.sys: Permission denied
WARNING: Can't open file C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb: Permission denied
WARNING: Can't open file C:\Users\All Users\Microsoft\Windows Defender\Scans\History\CacheManager\MpScanCache-1.bin: Permission denied
WARNING: Can't open file C:\Users\All Users\Microsoft\Windows Defender\Scans\MpDiag.bin: Permission denied
WARNING: Can't open file C:\Users\All Users\Microsoft\Windows Defender\Scans\PersistedStore\MpPersistedStore.bin: Permission denied
WARNING: Can't open file C:\Users\Mesjasz\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1: Permission denied
WARNING: Can't open file C:\Users\Mesjasz\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2: Permission denied
WARNING: Can't open file C:\Users\Mesjasz\ntuser.dat.LOG1: Permission denied
WARNING: Can't open file C:\Users\Mesjasz\ntuser.dat.LOG2: Permission denied
WARNING: Can't open file C:\Windows\AppCompat\Programs\Amcache.hve: Permission denied
WARNING: Can't open file C:\Windows\AppCompat\Programs\Amcache.hve.LOG1: Permission denied
WARNING: Can't open file C:\Windows\AppCompat\Programs\Amcache.hve.LOG2: Permission denied
WARNING: Can't open file C:\Windows\Resources\Themes\aero\VSCache\Aero.msstyles_1033_96.mss: Permission denied
WARNING: Can't open file C:\Windows\security\database\secedit.sdb: Permission denied
WARNING: Can't open file C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1: Permission denied
WARNING: Can't open file C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG2: Permission denied
WARNING: Can't open file C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1: Permission denied
WARNING: Can't open file C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG2: Permission denied
WARNING: Can't open file C:\Windows\System32\catroot2\127D0A1D-4EF2-11D1-8608-00C04FC295EE\catdb: Permission denied
WARNING: Can't open file C:\Windows\System32\catroot2\F750E6C3-38EE-11D1-85E5-00C04FC295EE\catdb: Permission denied
WARNING: Can't open file C:\Windows\System32\config\BBI: Permission denied
WARNING: Can't open file C:\Windows\System32\config\BBI.LOG1: Permission denied
WARNING: Can't open file C:\Windows\System32\config\BBI.LOG2: Permission denied
WARNING: Can't open file C:\Windows\System32\config\DEFAULT: Permission denied
WARNING: Can't open file C:\Windows\System32\config\DEFAULT.LOG1: Permission denied
WARNING: Can't open file C:\Windows\System32\config\DEFAULT.LOG2: Permission denied
WARNING: Can't open file C:\Windows\System32\config\SAM: Permission denied
WARNING: Can't open file C:\Windows\System32\config\SAM.LOG1: Permission denied
WARNING: Can't open file C:\Windows\System32\config\SAM.LOG2: Permission denied
WARNING: Can't open file C:\Windows\System32\config\SECURITY: Permission denied
WARNING: Can't open file C:\Windows\System32\config\SECURITY.LOG1: Permission denied
WARNING: Can't open file C:\Windows\System32\config\SOFTWARE: Permission denied
WARNING: Can't open file C:\Windows\System32\config\SOFTWARE.LOG1: Permission denied
WARNING: Can't open file C:\Windows\System32\config\SOFTWARE.LOG2: Permission denied
WARNING: Can't open file C:\Windows\System32\config\SYSTEM: Permission denied
WARNING: Can't open file C:\Windows\System32\config\SYSTEM.LOG1: Permission denied
WARNING: Can't open file C:\Windows\System32\config\SYSTEM.LOG2: Permission denied
 
Is it OK? So many "permission denied" on a fresh install? And the second funny thing: I installed some additional scanner called Yet Another Scanner and.... it has found ADWARE/Mutabaha.863506/ASP inside its own installation files lol....
 
I really need your help.

Edited by Kalasznikov, 25 July 2015 - 08:09 PM.



#2 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 26 July 2015 - 02:06 AM

Hi there,

Those "permission denied" files are normal, as they are files being used by Windows and thus locked to antivirus scanners.

I assume you meant YAC (Yet Another Cleaner)... it is a very poor scanner and is known for its poor business practices.

There is probably nothing to worry about. You can run these and see if they picked up anything.


Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning.
  • When the scan is completed click Quarantine selected objects. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop and post the contents in your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
===

Malwarebytes Anti-Malware

Download Malwarebytes Anti-Malware from here.

Double click on the file mbam-setup-2.x.x.xxxx.exe to install the application. (x.x.xxxx is the version)
  • Follow the prompt. At the end place a checkmark in Launch Malwarebytes Anti-Malware, then choose Finish.
  • When MBAM opens it will say Your database is out of date. Choose Fix Now.
  • Click on the Scan tab at the top of the window, choose Threat Scan, then Scan Now.
  • If you receive a message that updates are available, choose Update Now button (the scan will start after updates are completed).
  • Please be patient as the scan will take some time.
  • If MBAM detected threats, choose Quarantine for all items, then click Apply Actions.
  • While still on the Scan tab, choose View detailed log. In the window that opens, click the Export button, choose Text file (*.txt) and save the log to your Desktop.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


===

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Regards,
Alex
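A defender's way to triage a scan log like the one posted above, added here as an example (it is not from the thread or from any of the tools mentioned): it parses ClamWin-style "Permission denied" warnings and separates files Windows is expected to hold locked (registry hives and their logs, paging files, Defender caches) from locked files that merit a second look. The rule set is my own heuristic assumption; the sample log is constructed from lines in the thread plus one made-up Temp entry and one clean line.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional
# Constructed sample: four lines copied from the ClamWin output in the thread, plus a
# made-up lock on a Temp file and one clean file, to show what stands out in triage.
SAMPLE_LOG = """\
WARNING: Can't open file C:\\hiberfil.sys: Permission denied
WARNING: Can't open file C:\\Windows\\System32\\config\\SAM: Permission denied
WARNING: Can't open file C:\\Users\\Mesjasz\\ntuser.dat.LOG1: Permission denied
WARNING: Can't open file C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MpDiag.bin: Permission denied
WARNING: Can't open file C:\\Users\\Mesjasz\\AppData\\Local\\Temp\\_@C347.tmp: Permission denied
C:\\Users\\Mesjasz\\Downloads\\setup.exe: OK
"""

WARN_RE = re.compile(r"^WARNING: Can't open file (?P<path>.+): Permission denied$")

def expected_lock_reason(path: str) -> Optional[str]:
    """Why Windows itself holds this file open, or None if the lock is not expected."""
    p = PureWindowsPath(path)
    parts = [part.lower() for part in p.parts]
    name = p.name.lower()
    # Assumed heuristic (mine, not from the thread): files the OS keeps open exclusively.
    if name in {"hiberfil.sys", "pagefile.sys", "swapfile.sys"} and len(parts) == 2:
        return "hibernation/paging file held by the kernel"
    if "system32" in parts and "config" in parts:
        return "HKLM registry hive or its transaction log, locked by the kernel"
    if name.startswith(("ntuser.dat", "usrclass.dat")):
        return "per-user registry hive or log, locked while the profile is loaded"
    if "windows defender" in parts and "scans" in parts:
        return "Windows Defender scan cache held by the AV engine"
    if name.startswith("amcache.hve") or name in {"secedit.sdb", "catdb", "windows.edb"}:
        return "system database held open by a Windows service"
    return None

def triage(log_text: str) -> dict:
    """Split 'Permission denied' warnings into expected OS locks and ones worth a look."""
    result = {"expected": [], "unexpected": [], "other_lines": 0}
    for line in log_text.splitlines():
        m = WARN_RE.match(line)
        if not m:
            result["other_lines"] += 1        # OK/infected/other lines are not our concern here
            continue
        path = m.group("path")
        reason = expected_lock_reason(path)
        if reason:
            result["expected"].append((path, reason))
        else:
            result["unexpected"].append(path)   # a locked file outside the known set
    return result
```

Anything in the "unexpected" list is not evidence of infection by itself, only a file that something other than the usual Windows services held open during the scan and that is worth identifying (e.g. with Resource Monitor's handle view).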

#3 Kalasznikov
  • Topic Starter

  • Members
  • 4 posts

Posted 26 July 2015 - 08:11 AM

Thank you, Alexstrasza, for defending Azeroth; you are my favorite mount.

 

Emsisoft Emergency Kit found nothing, just KMSpico, which is not a virus ;P. I guess you are a supporter of EMSISOFT.

 

MBAM has vulnerabilities and a virus can just crash its process.

 

ESET's signature base is very basic, its heuristic analysis is shallow, and ESET's code has leaked.

 

 

But anyway, I will try it all.


Edited by Kalasznikov, 26 July 2015 - 08:14 AM.


#4 Kalasznikov
  • Topic Starter

  • Members
  • 4 posts

Posted 26 July 2015 - 08:20 AM

C:\Program Files\KMSpico\AutoPico.exe MSIL/HackTool.IdleKMS.C potentially unsafe application cleaned by deleting - quarantined
C:\Program Files\KMSpico\KMSELDI.exe a variant of MSIL/HackTool.IdleKMS.E potentially unsafe application cleaned by deleting - quarantined
C:\Program Files\KMSpico\Service_KMS.exe a variant of MSIL/HackTool.IdleKMS.E potentially unsafe application cleaned by deleting - quarantined
C:\Users\Mesjasz\AppData\Local\Temp\_@C347.tmp a variant of Win32/ELEX.DB potentially unwanted application cleaned by deleting - quarantined
C:\Users\Mesjasz\AppData\Local\Temp\_@C35A.tmp a variant of Win32/ELEX.BP potentially unwanted application cleaned by deleting - quarantined
C:\Users\Mesjasz\AppData\Local\Temp\_@C35B.tmp a variant of Win32/ELEX.CC potentially unwanted application cleaned by deleting - quarantined
C:\Users\Mesjasz\AppData\Local\Temp\_@C35D.tmp a variant of Win32/ELEX.CC potentially unwanted application cleaned by deleting - quarantined
C:\Users\Mesjasz\AppData\Local\Temp\_@C35E.tmp a variant of Win32/ELEX.CR potentially unwanted application cleaned by deleting - quarantined


#5 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 26 July 2015 - 09:48 AM

MBAM has vulnerabilities and a virus can just crash its process.
 
ESET's signature base is very basic, its heuristic analysis is shallow, and ESET's code has leaked.

Those are pretty baseless assumptions.

ESET's source code has never been leaked... the only thing I've heard of was a vulnerability in their virtualization engine, which was quickly patched.

As ESET Online Scanner's detections are all from YAC and KMSpico, I must give you this warning.

Pirated software

Bleeping Computer does not allow the use of pirated software.

The practice of using keygens, hacking tools, cracking tools, warez, torrents or any pirated software is not only considered illegal activity, but it is a serious security risk which can turn a computer into a virus honeypot or zombie.
 
When you use these kind of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible, and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.
 
If you want to read on then the full post is here.

This is a one-time deal. If you get infected again as a result of using pirated software, you are on your own.

Regards,
Alex

#6 Kalasznikov
  • Topic Starter

  • Members
  • 4 posts

Posted 26 July 2015 - 05:38 PM

I can't use the original version because it needs my personal information.


Edited by Kalasznikov, 26 July 2015 - 05:38 PM.


#7 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 27 July 2015 - 01:45 AM

In that case, then there is nothing I can do.

You can delete Emsisoft Emergency Kit manually, and uninstall Malwarebytes and ESET Online Scanner from Programs and Features.

Safe computing practices

Best Practices for Safe Computing - Prevention of Malware Infection
How Malware Spreads - How did I get infected
About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs)

Regards,
Alex

#8 Dualcomm

  • Members
  • 48 posts
  • Gender:Male

Posted 05 August 2015 - 04:47 PM

Honestly, it's your fault for going on the Deep Web (where tons of virus-infected sites reside). Why were you on it in the first place? :blink:
