
Kitty.dll, MIO.exe, WINSAP.dll malware keeps regenerating
5 replies to this topic

#1 juansb96 (Members, 3 posts)

Posted 03 May 2017 - 12:52 PM

Hello, in the last few weeks I've been having a problem with these viruses that keep regenerating along with their folders over and over again. I have already used MalwareBytes and Hitman Pro, and I'm currently using BitDefender Internet Security, but no matter how many times I delete them (whether using this software or deleting them manually) they just keep reappearing. How do I stop this? Below I provide my FRST logs.

Attached Files




#2 fireman4it (Bleepin' Fireman, Malware Response Team, 13,507 posts, Greenup, Ill USA)

Posted 04 May 2017 - 08:09 AM

Hello

  •   Welcome to Bleeping Computer.
  •   My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  •   Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  •   If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  •   Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  •   In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it, select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic, which facilitates the cleaning of your machine.
  •   Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  •   I will be analyzing your log. I will get back to you with instructions.

 

 

1.

Download Malwarebytes Anti-Rootkit Supplement from here

Once you have downloaded the tool (contained in a .zip folder), you will need to extract the contents. We recommend extracting to your desktop.
 
To extract the files, locate the zipped folder that you want to unzip (extract) files or folders from. To unzip all the contents of the zipped folder, press and hold (or right-click) the folder, select Extract All, and then follow the instructions. Save them on your desktop

After the files are extracted, double-click the mbar.cmd file. If you are unsure which file this is, try double-clicking both files named mbar - only one of them will run.
 
Update the Database, then click on Next, then on Scan.

  • Let it complete its scan (this can take a while);
  • Once the scan is done, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
  • Copy/paste the content of that log in your next reply;

 

2.

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • The tool will start to update its database...please wait until complete.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a report (AdwCleaner[SX].txt) will open in Notepad (where the largest value of X represents the most recent report).
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
  • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
  • Copies of all logfiles are saved to C:\AdwCleaner.

 

3.

Please run FRST again and post the new FRST.txt

 

 

Things to include in your next reply:

MBAR log

ADWcleaner.txt

New FRST.txt

How is your computer running now?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 juansb96 (Topic Starter, Members, 3 posts)

Posted 04 May 2017 - 09:27 PM

Hey there fireman4it, I did all you instructed me to do. I was amazed that in several hours the rootkit tool managed to detect and destroy 10000+ malware items from my PC!! I was unaware that I had so much stuff installed there. Below I provide all the logs you requested after I finished this.

Attached Files



#4 fireman4it (Bleepin' Fireman, Malware Response Team, 13,507 posts, Greenup, Ill USA)

Posted 19 May 2017 - 11:49 AM

Download the attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Attached File: fixlist.txt (819 bytes)

 

 

Emsisoft Emergency Kit

  • Click here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8 users: Accept UAC warning if it is enabled).
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures.
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
  • Please Copy and Paste the contents of the scan log in your next reply.



#5 juansb96 (Topic Starter, Members, 3 posts)

Posted 07 June 2017 - 10:55 AM

Ok, so I have completed the instructions. I now post the results from both files.

 

Fixlog:

Fix result of Farbar Recovery Scan Tool (x64) Version: 05-06-2017
Ran by Juan Sebastian (07-06-2017 09:53:55) Run:1
Running from C:\Users\Juan Sebastian\Desktop
Loaded Profiles: Juan Sebastian (Available Profiles: Juan Sebastian)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
S1 p1976197462am; \??\C:\Users\JUANSE~1\AppData\Local\Temp\bkF6A7.tmp\p1976197462am.sys [X] <==== ATTENTION
S1 p3350589303am; \??\C:\Users\JUANSE~1\AppData\Local\Temp\bk4C41.tmp\p3350589303am.sys [X] <==== ATTENTION
S2 3DM; C:\Users\Juan Sebastian\AppData\Local\3DM\Kitty.dll [X]
C:\Windows\Tasks\{7BE14D78-9641-2BB9-6889-6967A0B67738}.job
Emptytemp:
Task: {780F8D51-34F6-4A3D-B6C9-B88F220BE1C0} - \{51F9A6A7-4BAF-4A8B-AAEB-5CDCB6A3D5A3} -> No File <==== ATTENTION
Task: {7DD8EF00-F748-4DBB-8D74-33E9F180C3DF} - \{7BE14D78-9641-2BB9-6889-6967A0B67738} -> No File <==== ATTENTION
Task: {1ED7080B-E9A5-4A01-9EA6-7ABE21910B95} - \Wufoshdiqether -> No File <==== ATTENTION
Task: C:\Windows\Tasks\{7BE14D78-9641-2BB9-6889-6967A0B67738}.job => C:\Users\JUANSE~1\AppData\Roaming\7BE14D~1\SYNCVE~1.EXE <==== ATTENTION
 
*****************
 
HKLM\System\CurrentControlSet\Services\p1976197462am => key removed successfully
p1976197462am => service removed successfully
HKLM\System\CurrentControlSet\Services\p3350589303am => key removed successfully
p3350589303am => service removed successfully
3DM => service not found.
"C:\Windows\Tasks\{7BE14D78-9641-2BB9-6889-6967A0B67738}.job" => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{780F8D51-34F6-4A3D-B6C9-B88F220BE1C0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{780F8D51-34F6-4A3D-B6C9-B88F220BE1C0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{51F9A6A7-4BAF-4A8B-AAEB-5CDCB6A3D5A3} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7DD8EF00-F748-4DBB-8D74-33E9F180C3DF} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{7BE14D78-9641-2BB9-6889-6967A0B67738} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1ED7080B-E9A5-4A01-9EA6-7ABE21910B95} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Wufoshdiqether => key not found. 
C:\Windows\Tasks\{7BE14D78-9641-2BB9-6889-6967A0B67738}.job => not found.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 40367327 B
Java, Flash, Steam htmlcache => 570 B
Windows/system/drivers => 941441777 B
Edge => 0 B
Chrome => 1606469642 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 143 B
LocalService => 443598 B
NetworkService => 3924350 B
Juan Sebastian => 1445893938 B
 
RecycleBin => 0 B
EmptyTemp: => 3.8 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 09:58:02 ====
 
 
 
 
 
 
And now the Emsisoft scan log:
 
Emsisoft Emergency Kit - Version 2017.4
Scan log
 
Date                      Scan Method  Objects Scanned  Objects Detected  Duration  Type         Computer Name
07/06/2017 10:45:47 a.m.  Malware      84065            0                 0:05:37   Manual scan  EQUIPO
 

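The Fixlog in post #5 shows why deleting the files by hand did not hold: the entries FRST removed are persistence, not payload. Two system-start (S1) driver services were registered with image paths under %TEMP% (the files already gone, hence the [X]), the 3DM service pointed at Kitty.dll under AppData, a legacy .job task launched SYNCVE~1.EXE from Roaming, and three TaskCache registrations were orphaned ("No File"). As long as entries like these survive, a reboot or task trigger can re-drop whatever was deleted. The script below is an added example, not code from this thread and not part of FRST; it parses lines in the shape shown in that fixlist and ranks them by the indicators a responder checks before writing a fixlist. The regexes are written against the line shapes visible on this page (assumption: on healthy entries FRST puts size, date and signer inside the brackets, which the service regex tolerates but does not interpret), and the scoring rules are the example's own heuristics, not FRST's.

```python
"""Rank persistence entries from FRST-style log lines by suspicion (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Service/driver line: "<state><start-type> <name>; <image path> [<info>] ..."
# "[X]" inside the brackets means the image file no longer exists on disk.
SERVICE_RE = re.compile(
    r"^(?P<state>[A-Z])(?P<start>\d) (?P<name>[^;]+); (?P<path>.+?) \[(?P<info>[^\]]*)\]"
)
# TaskCache registration: "Task: {GUID} - \Name -> <target or 'No File'>"
TASK_CACHE_RE = re.compile(
    r"^Task: (?P<id>\{[0-9A-Fa-f-]+\}) - (?P<name>.+?) -> (?P<target>.+?)(?: <====.*)?$"
)
# Legacy .job file: "Task: C:\Windows\Tasks\x.job => <target>"
TASK_JOB_RE = re.compile(r"^Task: (?P<job>.+?\.job) => (?P<target>.+?)(?: <====.*)?$")

# Directories any standard user can write to: installers rarely register
# services or tasks from here, droppers usually do (heuristic, this example's own).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class Finding:
    kind: str  # "service", "task" or "task.job"
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def normalize(path: str) -> str:
    """Strip the NT object-manager prefix FRST shows on kernel driver paths."""
    return path[4:] if path.startswith("\\??\\") else path


def assess_path(path: str, reasons: List[str]) -> None:
    low = path.lower()
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("binary in user-writable location")
    if low.endswith(".sys") and "\\temp\\" in low:
        reasons.append("kernel driver loaded from Temp")
    if re.search(r"~\d", low):
        # Weak signal: 8.3 short names in an ImagePath or task action usually
        # come from a dropper expanding %TEMP%, not from a normal installer.
        reasons.append("8.3 short path")


def parse_line(line: str) -> Optional[Finding]:
    line = line.strip()
    m = SERVICE_RE.match(line)
    if m:
        path = normalize(m["path"])
        f = Finding("service", m["name"], path)
        assess_path(path, f.reasons)
        if m["info"] == "X":
            f.reasons.append("image file missing on disk ([X])")
        if m["start"] in ("0", "1") and path.lower().endswith(".sys"):
            f.reasons.append("boot/system-start driver")
        return f
    m = TASK_CACHE_RE.match(line)
    if m:
        f = Finding("task", m["name"], m["target"])
        if m["target"] == "No File":
            f.reasons.append("task registration points at no file (orphaned)")
        else:
            assess_path(m["target"], f.reasons)
        return f
    m = TASK_JOB_RE.match(line)
    if m:
        f = Finding("task.job", m["job"], m["target"])
        assess_path(m["target"], f.reasons)
        return f
    return None  # not a service or task line (e.g. "Emptytemp:")


def triage(lines) -> List[Finding]:
    """Parse every line; return findings, most suspicious first (stable on ties)."""
    findings = [f for f in map(parse_line, lines) if f is not None]
    return sorted(findings, key=lambda f: len(f.reasons), reverse=True)


# Constructed sample input: the fixlist lines copied from the Fixlog in post #5.
SAMPLE_LOG = r"""
S1 p1976197462am; \??\C:\Users\JUANSE~1\AppData\Local\Temp\bkF6A7.tmp\p1976197462am.sys [X] <==== ATTENTION
S1 p3350589303am; \??\C:\Users\JUANSE~1\AppData\Local\Temp\bk4C41.tmp\p3350589303am.sys [X] <==== ATTENTION
S2 3DM; C:\Users\Juan Sebastian\AppData\Local\3DM\Kitty.dll [X]
C:\Windows\Tasks\{7BE14D78-9641-2BB9-6889-6967A0B67738}.job
Emptytemp:
Task: {780F8D51-34F6-4A3D-B6C9-B88F220BE1C0} - \{51F9A6A7-4BAF-4A8B-AAEB-5CDCB6A3D5A3} -> No File <==== ATTENTION
Task: {7DD8EF00-F748-4DBB-8D74-33E9F180C3DF} - \{7BE14D78-9641-2BB9-6889-6967A0B67738} -> No File <==== ATTENTION
Task: {1ED7080B-E9A5-4A01-9EA6-7ABE21910B95} - \Wufoshdiqether -> No File <==== ATTENTION
Task: C:\Windows\Tasks\{7BE14D78-9641-2BB9-6889-6967A0B67738}.job => C:\Users\JUANSE~1\AppData\Roaming\7BE14D~1\SYNCVE~1.EXE <==== ATTENTION
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{len(f.reasons)}] {f.kind:8} {f.name}: {f.path}")
        for r in f.reasons:
            print(f"      - {r}")
```

On the sample the two Temp-resident S1 drivers score highest (user-writable path, .sys from Temp, short path, missing image, system start), which is what the helper's fixlist removed first; the orphaned TaskCache registrations score lowest but still need removal, since a leftover Tree/Tasks key is what let the earlier .job keep coming back. The heuristic is deliberately conservative: a legitimate per-user updater under AppData scores one point and would be reviewed, not auto-removed.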

#6 fireman4it (Bleepin' Fireman, Malware Response Team, 13,507 posts, Greenup, Ill USA)

Posted 11 June 2017 - 03:28 PM

How is your computer running now?
