InterviewSolution
1. Solve: Huge Malware/Spyware problem, cannot run anything except web browser?
Answer»

Original poster:
I did the pre-requisite readings before posting this, but I can't seem to figure anything out.

I was able to get both Rkill and exeHelper to generate logs just before I got hit with the "application is infected..." popup, but the logs were basically blank. It appears the malware stopped them in their tracks. This is what Rkill said:

Quote from: Rkill
    This log file is located at C:\rkill.log.

And exeHelper:

Quote from: exeHelper
    exeHelper by Raktor

That's it. And I have tried to install Malwarebytes several times with no success. Sometimes it won't complete the install, other times it does complete the install, but when I try to launch the program, it says something like "Cannot locate mbam.exe...". I installed Malwarebytes once in safe mode and it looked like things were going well, but the program shut down by itself in the middle of the full scan.

I read on another help forum about how malware/spyware can be used for identity theft/credit card fraud, so now I'm afraid to even have the infected computer logged on to the internet (I'm on a different PC right now). Is this true? And how can I MAKE sure I am not putting myself at risk when I try to fix that computer?

Helper:
I will be sending you a Private Message with some instructions to follow. We are doing this privately to keep the info out of the hands of the malware creators. Please do not mention the name of the utility we will be giving you or where you are getting it from. Just try to do what we ask you to do and then post back here with any problems you had. Again, in mentioning your problems, please don't refer to the program by name. Just call it "the utility" or "the program". For example, your response could be: The program ran OK. Or: The program would not run, I received the following error message... (put your error message here).

Original poster:
I was able to get "the program" to run in Safe Mode and it detected like 93 objects, but after I quarantined them it prompted me to restart (which I immediately did) and I was not able to make a log because it restarted into normal mode and it was like "the program" was never installed on my computer. The good news is after the restart, things started returning back to normal. I was able to double click on install files so I proceeded to install "the program" in normal boot mode. I ran it again and it detected 23 objects this time. Here is the log from that run (2nd run):

Quote
    Memory items scanned : 385

I then installed Malwarebytes and ran that:

Quote
    Malwarebytes' Anti-Malware 1.43

I then ran a quick scan using "the program" one more time just to see if it would catch anything else:

Quote
    Memory items scanned : 370

And finally a quick scan using Malwarebytes:

Quote
    Malwarebytes' Anti-Malware 1.43

I then decided to run a virus scan with my Avira Antivir. It detected 15 objects, but I'm not sure if I should go ahead and quarantine/delete them. I believe some of them are false positives so I am cautious to proceed. This is not a log, but a copy of what it says after the scan, but before I take any action:

Quote
    Object Detection

Should I click on "Repair All" or no? Also, it appears there are a few cookies in my internet explorer that I am now unable to delete using the internet options in the control panel. Are these the quarantined cookies? I'd appreciate any more help to make sure everything is okay. But your help so far is greatly appreciated. I thought for sure I was going to have to reformat.

Helper:
Generally cookies are not a problem. All websites use them, even this one.

If you already have ComboFix be sure to delete it and download a new copy. Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

Note: It is important that it is saved directly to your Desktop.

* Close any open Web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.
* Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
* Double click combofix.exe & follow the prompts.
* Vista users: Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it).
* When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete. If you have problems with ComboFix usage, see How to use ComboFix.

Original poster:
Here is the log. [Saving space, attachment deleted by admin]

Helper:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
    KillAll::
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    Folder::
    c:\documents and settings\NetworkService\Local Settings\Application Data\miqmxq
    File::
    c:\windows\Tqezewapa.bin
    c:\windows\Wmaciseciyo.dat

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below.

Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts. After reboot (in case it ASKS to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

----------

Download GMER Rootkit Detector and save it to your desktop.
* Extract it to your desktop and double-click GMER.exe
* Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
* Click the Rootkit tab and then Scan.
* Don't check the Show All box while scanning is in progress!
* When scanning is finished click Copy.
* This copies the log to clipboard.
* Post the log in your reply.

Original poster:
Attached is the CFScripted ComboFix log. Unfortunately, I tried running the GMER program twice and both times it froze up my computer (my computer is pretty old) shortly after beginning the scan. Any ideas? Thanks again for everything. [Saving space, attachment deleted by admin]

Helper:
Try this one.

RootRepeal - Rootkit Detector
* Download the following tool: RootRepeal - Rootkit Detector
* Direct download link is here: RootRepeal.zip
* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:\RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.

Original poster:
    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2010/02/28 17:52
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xA5229000
    Size: 49152
    File Visible: No
    Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: Volume C:\
    Status: MBR Rootkit Detected!

    Path: C:\hiberfil.sys
    Status: Locked to the Windows API!

    Path: C:\DVDVideoSoft\FEIST-~4.MP4:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\HelpAssistant\Local Settings\Temp\plugtmp-113\1:5-9
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\HelpAssistant\Local Settings\Temp\plugtmp-115\1:5-9
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\HelpAssistant\Local Settings\Temp\plugtmp-141\1:5-9
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\HelpAssistant\Local Settings\Temp\plugtmp-143\1:5-9
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\HelpAssistant\Local Settings\Temp\plugtmp-146\1:5-9
    Status: Visible to the Windows API, but not on disk.

    SSDT
    -------------------
    #: 041 Function Name: NtCreateKey
    Status: Hooked by "" at address 0xa6e61166

    #: 053 Function Name: NtCreateThread
    Status: Hooked by "" at address 0xa6e6115c

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "" at address 0xa6e6116b

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "" at address 0xa6e61175

    #: 098 Function Name: NtLoadKey
    Status: Hooked by "" at address 0xa6e6117a

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "" at address 0xa6e61148

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "" at address 0xa6e6114d

    #: 193 Function Name: NtReplaceKey
    Status: Hooked by "" at address 0xa6e61184

    #: 204 Function Name: NtRestoreKey
    Status: Hooked by "" at address 0xa6e6117f

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "" at address 0xa6e61170

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "" at address 0xa6e61157

    ==EOF==

Helper:
Download the MBR Rootkit Detector to your desktop.

Go to Start > Run then copy and paste the following red text into the Open field then click OK:

    "%userprofile%\desktop\mbr.exe" -f

Next, double click on the mbr.exe file and post the contents of the new mbr.log

Also let me know how the computer is running now.

Original poster:
I hope I did this right.

Quote
    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

The computer is running a bit slower than normal, although it is pretty slow normally. However, I feel that my hard drive is working a bit harder than before as it is noticeably noisier. But that may also just be the age of my computer. I'm probably going to have to purchase a new notebook anyway, but there are a few important files on this computer so I really appreciate your help in getting it back to normal again.

Helper:
Yes, that looks good. I would like to run one more scan to make sure we didn't miss anything. First a little cleanup.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

The above procedure will:
* Delete the following: ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop. Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator.

TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan
* Click the ESET Online Scanner button.
* For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
  * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.
* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log.
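As an added illustration (not code from the thread, nor from the RootRepeal tool), here is a small Python triage of a RootRepeal report like the one posted above: it picks out the "MBR Rootkit Detected!" volume, separates expected locked files (hiberfil.sys, pagefile.sys) from unexpected ones, and lists SSDT hooks whose owning module the tool could not name. The sample report is a constructed excerpt of the thread's log; the EXPECTED_LOCKED set is the helper's own assumption.

```python
import re

# Constructed excerpt modelled on the RootRepeal report quoted in the thread
# (the real one lists more paths and eleven hooked SSDT entries).
SAMPLE_REPORT = """\
Hidden/Locked Files
-------------------
Path: Volume C:\\
Status: MBR Rootkit Detected!
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "" at address 0xa6e61166
#: 122 Function Name: NtOpenProcess
Status: Hooked by "" at address 0xa6e61148
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "" at address 0xa6e61157
==EOF==
"""

# Windows keeps these locked itself; a "Locked" hit on them is expected (assumption).
EXPECTED_LOCKED = {r"c:\hiberfil.sys", r"c:\pagefile.sys"}

FILE_RE = re.compile(r"^Path: (.+)\nStatus: (.+)$", re.M)
HOOK_RE = re.compile(
    r'Function Name: (\w+)\s+Status: Hooked by "(.*?)" at address (0x[0-9a-fA-F]+)')

def triage(report):
    """Return the findings a helper would act on from a RootRepeal report."""
    findings = {"mbr_rootkit": [], "suspicious_locked": [], "unattributed_hooks": []}
    for path, status in FILE_RE.findall(report):
        if "MBR Rootkit" in status:
            findings["mbr_rootkit"].append(path)
        elif status.startswith("Locked") and path.lower() not in EXPECTED_LOCKED:
            findings["suspicious_locked"].append(path)
    addrs = []
    for func, module, addr in HOOK_RE.findall(report):
        addrs.append(int(addr, 16))
        # An empty module name means the hook target belongs to no loaded
        # driver RootRepeal could name: typical of a rootkit hiding its code.
        if not module.strip():
            findings["unattributed_hooks"].append((func, addr))
    # Hooks packed into a few dozen bytes share one dispatcher, i.e. one
    # infection rather than several; the span makes that visible.
    findings["hook_span"] = max(addrs) - min(addrs) if addrs else 0
    return findings
```

On the thread's full report all eleven hooks fall within 0x3c bytes of each other, which is why the helper treats the MBR hit and the SSDT hooks as one rootkit and moves straight to the MBR detector.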