HANCITOR MALSPAM infection on 5/31/2017


53 replies to this topic

#46 clemente2

clemente2
  • Topic Starter
  • Members
  • 31 posts

Posted 21 June 2017 - 12:20 PM

No luck using Chameleon.

 

I tried various options without success.

 

Although the internet was connected and working, all attempts to download the setup file or updates failed.





#47 polskamachina

polskamachina
  • Malware Study Hall Senior
  • 3,327 posts
  • Gender:Male

Posted 21 June 2017 - 05:13 PM

Hi clemente2 :)

Leave your internet connection on and please boot to Safe Mode with Networking. Now try the Malwarebytes program again and see what happens.

 

Copy and paste the MBAM log into your next reply to me.
 
Failing that, try running ComboFix with this slight twist.

  • Boot to normal mode
  • Download ComboFix if you don't have it on your desktop
  • DO NOT RUN IT YET
  • Open Notepad
  • Copy and paste the text below in its entirety into Notepad
KILLALL::

Save the file as: CFScript.txt in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

 

In summary and if successful:

  • Please copy and paste either the MBAM or ComboFix log

 Let me know if you have any questions.
 
polskamachina


Member of the Bleeping Computer A.I.I. early response team!

#48 clemente2

clemente2
  • Topic Starter
  • Members
  • 31 posts

Posted 21 June 2017 - 07:49 PM

Hi polskamachina

 

Still no luck with either of your instructions.

 

Malwarebytes failed to download the setup file.

 

ComboFix hung after stage 50 without creating ComboFix.txt.



#49 polskamachina

polskamachina
  • Malware Study Hall Senior
  • 3,327 posts
  • Gender:Male

Posted 22 June 2017 - 12:08 AM

Hi clemente2 :)

 

Note: The directions below are only intended to be carried out by the person that started this topic.

 

Ok, it's time to try out something that we usually don't have to try out.

I can install the infected hard drive on another system and run Malwarebytes.

I'd like you to try this option. Make sure you are disconnected from any network drives, printers, external storage media, etc. It would also be very smart to back up the drive in your clean computer before beginning this procedure.

 

If you have any doubts or questions about how to do the following procedure safely, STOP and let me know. There are hazardous voltages inside a computer. Make sure you're alert and not in any hurry.

  • If you can connect your infected drive to a working computer via a USB adapter, that would be the preferred method.
  • If you are connecting the drive to the internal cables of a desktop system, make sure you shut it down first and remove the power cord.
  • Secure the drive in place and connect the appropriate cables.
  • Double-check your connections.
  • Make sure that none of the internal wiring is strained or pinched by any drive bays or other chassis components.
  • Make sure the cables aren't interfering with any cooling fans.
  • It sounds like you have done this a few times already and that's why I'm suggesting this method. It's not something for a novice to try.
  • Start your working PC
  • Download and run Malwarebytes Anti-Malware
  • Let it update the database, but it's not necessary to update the program itself.
  • If using an external USB adapter, connect the drive to your working computer now.
  • Do not attempt to open any files or folders on the infected drive.
  • In the Malwarebytes options menu at the top of the screen, click on Scan -> Custom Scan -> Configure Scan
  • Check the box for the infected external USB drive as one of the scan choices
  • Begin the scan process.
  • After the scan has completed, please copy and paste the log into your next reply to me
  • Power off your computer and SAFELY remove your infected drive after the scan has finished.

Let me know if you have any questions!

 

polskamachina


Member of the Bleeping Computer A.I.I. early response team!

#50 clemente2

clemente2
  • Topic Starter
  • Members
  • 31 posts

Posted 22 June 2017 - 07:40 AM

Hi polskamachina

 

I went rogue two days ago and already performed the Malwarebytes scan with the infected hard drive attached to another system.

 

The scan was clean...no infected files were reported.

 

I think we are both approaching the same conclusion that whatever damage this system has sustained is not likely to be repaired.

 

In any case, I am extremely grateful for all of your support.

 

Thanks

clemente2



#51 polskamachina

polskamachina
  • Malware Study Hall Senior
  • 3,327 posts
  • Gender:Male

Posted 23 June 2017 - 12:27 PM

Hi clemente2 :)

 

You're welcome for the support. If it's ok with you, I would still like to troubleshoot what's going on with your system.

 

Please let me know.

 

polskamachina


Member of the Bleeping Computer A.I.I. early response team!

#52 clemente2

clemente2
  • Topic Starter
  • Members
  • 31 posts

Posted 23 June 2017 - 01:36 PM

Hi polskamachina

 

I would be delighted to have your continued involvement.

 

I have some thoughts along the lines of doing a Windows XP in-place upgrade or upgrading to Windows 7. My concern regarding the latter is potential incompatibility with applications that my wife still uses on this system.

 

For the time being, I have allowed her to use the system OFFLINE only for the purpose of retrieving older email and other data. She has been accessing her email accounts online from her laptop since May 31 and seems to be getting used to the new interface.

 

Because of the security risks and potential for hardware failure, I am actually pleased that she might be willing to gradually phase out of this XP system.

 

It would be fun and educational to solve the mystery surrounding the failure of multiple security tools to function normally, but our expectations are realistic and we are preparing for a future without Windows XP. Fortunately, all of the applications that she uses have functioned without any problems even though I suspect the infection may have occurred ten years ago. I am not aware that the system has been hacked and our identities and online activities seem to be secure.

 

I also have an XP system that I continue using for email and other applications. I virtualized the system under VMware three years ago and it has performed flawlessly. Backups of this system are easy since I only have to copy the VMware folder from my laptop to a USB memory stick.

 

Thanks again for sharing your time and expertise.



#53 polskamachina

polskamachina
  • Malware Study Hall Senior
  • 3,327 posts
  • Gender:Male

Posted 24 June 2017 - 08:35 PM

Hi clemente2 :)
 
I am curious to know:

  • Are the only programs that are crashing your computer anti-malware in nature?
  • Are you able to download other types of data and programs without a problem?
  • Your initial FRST scan showed the following drive listing:

Drive c: () (Fixed) (Total:10.42 GB) (Free:2.41 GB) FAT32 ==>[drive with boot components (Windows XP)]
Drive d: () (Fixed) (Total:4.31 GB) (Free:0.14 GB) FAT32
Drive e: () (Fixed) (Total:3.23 GB) (Free:0.38 GB) FAT32
Drive f: () (Fixed) (Total:3.23 GB) (Free:0.14 GB) FAT32
Drive g: () (Fixed) (Total:3.23 GB) (Free:0.36 GB) FAT32
Drive h: () (Fixed) (Total:3.23 GB) (Free:0.35 GB) FAT32
Drive i: () (Fixed) (Total:3.23 GB) (Free:0.33 GB) FAT32
Drive j: () (Fixed) (Total:3.23 GB) (Free:0.31 GB) FAT32
Drive k: () (Fixed) (Total:3.23 GB) (Free:0.88 GB) FAT32
Drive l: () (Fixed) (Total:3.23 GB) (Free:0.2 GB) FAT32
Drive m: () (Fixed) (Total:3.23 GB) (Free:0.02 GB) FAT32
Drive n: () (Fixed) (Total:3.24 GB) (Free:0.23 GB) FAT32
Drive o: () (Fixed) (Total:3.24 GB) (Free:0.61 GB) FAT32
Drive p: () (Fixed) (Total:3.24 GB) (Free:0.31 GB) FAT32
Drive q: () (Fixed) (Total:3.25 GB) (Free:2.37 GB) FAT32
Drive r: () (Fixed) (Total:3.25 GB) (Free:1.12 GB) FAT32
Drive s: () (Fixed) (Total:3.23 GB) (Free:0.18 GB) FAT32
Drive v: () (Fixed) (Total:54.52 GB) (Free:11.43 GB) NTFS
Drive w: () (Fixed) (Total:72.03 GB) (Free:10.52 GB) NTFS

  • Did you know all these drives existed and what their functions are?
  • Please list any other malfunctions that you can think of

Let's have a look at an updated FRST scan.

  • From your working computer, download the 32-bit version of FRST to a flash drive.
  • Put the flash drive into your infected computer and run FRST from your flash drive
  • Click on Scan
  • When the scan completes, FRST.txt and Addition.txt will open and also be written to your flash drive into the same folder as FRST
  • Insert the flash drive back into your working computer
  • Please copy and paste those logs into your next reply to me

In summary, I will need from you:

  • Answers to my questions about the current state of your computer
  • FRST log
  • Addition log

Let me know if you have any questions.
 
polskamachina


Member of the Bleeping Computer A.I.I. early response team!
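As an added example that is not part of this thread and not FRST's own code: a small Python helper that parses the drive listing polskamachina quoted above (copied here as the sample input) and reports the things his questions are driving at, namely how many fixed volumes there are, which one carries the boot components, which file systems are in use, and which volumes are nearly full. The 5% free-space threshold and the "more than 8 fixed volumes" threshold are assumptions chosen for illustration, not rules from FRST.

```python
"""Parse the drive listing that FRST prints and summarise it for review.

Added example for this thread (not FRST's own code). The sample text below is
the listing quoted in the post above; the free-space and volume-count
thresholds are assumptions chosen for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the drive listing copied from the FRST scan in this thread.
FRST_DRIVE_LISTING = """\
Drive c: () (Fixed) (Total:10.42 GB) (Free:2.41 GB) FAT32 ==>[drive with boot components (Windows XP)]
Drive d: () (Fixed) (Total:4.31 GB) (Free:0.14 GB) FAT32
Drive e: () (Fixed) (Total:3.23 GB) (Free:0.38 GB) FAT32
Drive f: () (Fixed) (Total:3.23 GB) (Free:0.14 GB) FAT32
Drive g: () (Fixed) (Total:3.23 GB) (Free:0.36 GB) FAT32
Drive h: () (Fixed) (Total:3.23 GB) (Free:0.35 GB) FAT32
Drive i: () (Fixed) (Total:3.23 GB) (Free:0.33 GB) FAT32
Drive j: () (Fixed) (Total:3.23 GB) (Free:0.31 GB) FAT32
Drive k: () (Fixed) (Total:3.23 GB) (Free:0.88 GB) FAT32
Drive l: () (Fixed) (Total:3.23 GB) (Free:0.2 GB) FAT32
Drive m: () (Fixed) (Total:3.23 GB) (Free:0.02 GB) FAT32
Drive n: () (Fixed) (Total:3.24 GB) (Free:0.23 GB) FAT32
Drive o: () (Fixed) (Total:3.24 GB) (Free:0.61 GB) FAT32
Drive p: () (Fixed) (Total:3.24 GB) (Free:0.31 GB) FAT32
Drive q: () (Fixed) (Total:3.25 GB) (Free:2.37 GB) FAT32
Drive r: () (Fixed) (Total:3.25 GB) (Free:1.12 GB) FAT32
Drive s: () (Fixed) (Total:3.23 GB) (Free:0.18 GB) FAT32
Drive v: () (Fixed) (Total:54.52 GB) (Free:11.43 GB) NTFS
Drive w: () (Fixed) (Total:72.03 GB) (Free:10.52 GB) NTFS
"""

# One FRST drive line. The optional "==>[...]" tail is FRST's note on the boot volume.
DRIVE_RE = re.compile(
    r"^Drive (?P<letter>[a-z]): \((?P<label>[^)]*)\) \((?P<kind>[^)]+)\) "
    r"\(Total:(?P<total>[\d.]+) GB\) \(Free:(?P<free>[\d.]+) GB\) (?P<fs>\S+)"
    r"(?: ==>\[(?P<note>[^\]]*)\])?$"
)


@dataclass
class DriveEntry:
    letter: str
    label: str
    kind: str
    total_gb: float
    free_gb: float
    fs: str
    note: Optional[str]

    @property
    def free_ratio(self) -> float:
        return self.free_gb / self.total_gb if self.total_gb else 0.0

    @property
    def is_boot(self) -> bool:
        return bool(self.note and "boot" in self.note.lower())


def parse_drive_listing(text: str) -> List[DriveEntry]:
    """Return one DriveEntry per 'Drive x:' line; any other text is skipped."""
    entries = []
    for raw in text.splitlines():
        m = DRIVE_RE.match(raw.strip())
        if m:
            entries.append(DriveEntry(m["letter"], m["label"], m["kind"],
                                      float(m["total"]), float(m["free"]),
                                      m["fs"], m["note"]))
    return entries


def summarize(entries: List[DriveEntry]) -> Dict[str, object]:
    """Headline numbers a helper would glance at first."""
    return {
        "drive_count": len(entries),
        "by_fs": dict(Counter(e.fs for e in entries)),
        "total_gb": round(sum(e.total_gb for e in entries), 2),
        "boot_letter": next((e.letter for e in entries if e.is_boot), None),
    }


def flag_anomalies(entries: List[DriveEntry], low_free_ratio: float = 0.05,
                   many_fixed: int = 8) -> List[Tuple[str, str]]:
    """Return (drive letter, reason) pairs worth asking the poster about.

    Thresholds are assumptions for this example, not FRST's own rules:
      low_free      - less than low_free_ratio of the volume is free, which can
                      stop tools from writing logs or quarantine files;
      boot_on_fat32 - the boot volume is FAT32, so no NTFS permissions protect it;
      many_fixed    - more fixed volumes than a typical home PC, reported once
                      against the boot drive (or the first drive if none is marked).
    """
    flags: List[Tuple[str, str]] = []
    for e in entries:
        if e.free_ratio < low_free_ratio:
            flags.append((e.letter, "low_free"))
        if e.is_boot and e.fs.upper() == "FAT32":
            flags.append((e.letter, "boot_on_fat32"))
    fixed = [e for e in entries if e.kind.lower() == "fixed"]
    if len(fixed) > many_fixed:
        anchor = next((e.letter for e in fixed if e.is_boot), fixed[0].letter)
        flags.append((anchor, "many_fixed"))
    return flags


if __name__ == "__main__":
    drives = parse_drive_listing(FRST_DRIVE_LISTING)
    print(summarize(drives))
    for letter, reason in flag_anomalies(drives):
        print(f"drive {letter}: {reason}")
```

Run as-is, the summary shows 19 fixed volumes (17 FAT32, 2 NTFS) totalling about 189.8 GB with c: as the boot volume, and the flags call out d:, f: and m: as nearly full and c: as a FAT32 boot volume on a machine with far more fixed volumes than a home PC usually has, which is exactly the picture the questions above are asking clemente2 to explain.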

#54 clemente2

clemente2
  • Topic Starter
  • Members
  • 31 posts

Posted Yesterday, 11:12 PM

Hi polskamachina

 

It will be a few days before I can reply to your recent post.

 

Thanks

clemente2





