
Topic: [Solved] Windows infection: please help a security newbie - page 2. (Read 6546 times)

legendary
Activity: 1246
Merit: 1077
edit; if it will let you, enable the BITS (Background Intelligent Transfer Service) service from services.msc and see if you can then access the windows update functions.
None of these services exist anymore:

  • BITS
  • Microsoft Antimalware
  • Windows Firewall
  • Windows Update

Are you using a device from Midiman called M-Audio or some such via firewire?
The file has definitely been renamed and corrupted. Here are some suspicious traits:

Code:
No permissions have been assigned for this object.

Warning: this is a potential security risk because anyone who can access this object can take ownership of it. The object’s owner should assign permissions as soon as possible.

Code:
Original filename: mafwcpl.exe
hero member
Activity: 504
Merit: 500
Are you using a device from Midiman called M-Audio or some such via firewire?


edit; if it will let you, enable the BITS (Background Intelligent Transfer Service) service from services.msc and see if you can then access the windows update functions.
legendary
Activity: 1246
Merit: 1077

What is this;
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep


Nothing else stands out to me at least.
Do I "fix" it?

Most definitely!  Before you go wiping it though, let's make sure it did not make any way to copy itself again.

First kill all the iexplorer.exe running in taskmanager, that's scary. ;p  And the Flash_util_activex after.

Then browse to My Computer, click the c: drive and use the search box at top right to search for wrorap.dll. What we are wanting to do is, one get a copy of it and, two find out when it was created. Please email a copy to 'titusville tech AT gmail . com  (remove spaces).
Once you know the date it was created do another file search for all files created or modified on that same date, using the advanced search functions.  Please share if you find anything. At this point also run the fix for that one file at least.

Let us know if your date modified/created search returns anything unusual.

cheers


Here's the file in base64 encoding (I also sent an email, but this is more public).

Edit: There was something here, but I realized that was the quarantine. Never mind.
hero member
Activity: 504
Merit: 500

What is this;
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep


Nothing else stands out to me at least.
Do I "fix" it?

Most definitely!  Before you go wiping it though, let's make sure it did not make any way to copy itself again.

First kill all the iexplorer.exe running in taskmanager, that's scary. ;p  And the Flash_util_activex after.

Then browse to My Computer, click the c: drive and use the search box at top right to search for wrorap.dll. What we are wanting to do is, one get a copy of it and, two find out when it was created. Please email a copy to 'titusville tech AT gmail . com  (remove spaces).
Once you know the date it was created do another file search for all files created or modified on that same date, using the advanced search functions.  Please share if you find anything. At this point also run the fix for that one file at least.

Let us know if your date modified/created search returns anything unusual.

cheers
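
An added example, not part of the original post: the date pivot described above (take the suspect file's date, then list everything else created or modified that day) written in Python. The function names are this example's own, and "created" is only a true creation time where the platform records one (Windows, macOS).

```python
import os
from datetime import date, datetime


def file_days(path):
    """Local calendar dates on which `path` was last modified and created.

    'created' uses st_birthtime where available; on Windows st_ctime is the
    creation time, on Linux it is the inode-change time instead.
    """
    st = os.stat(path)
    born = getattr(st, 'st_birthtime', st.st_ctime)
    return {'modified': datetime.fromtimestamp(st.st_mtime).date(),
            'created': datetime.fromtimestamp(born).date()}


def files_touched_on(root, day):
    """Walk `root` and return sorted (path, kinds) for files whose modified
    or created date equals `day`; kinds is a list such as ['modified']."""
    hits = []
    # onerror swallows unreadable directories so one ACL failure does not stop the sweep
    for dirpath, _dirs, names in os.walk(root, onerror=lambda err: None):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                days = file_days(path)
            except OSError:
                continue  # locked, vanished, or access denied
            kinds = sorted(k for k, d in days.items() if d == day)
            if kinds:
                hits.append((path, kinds))
    return sorted(hits)


if __name__ == '__main__':
    import sys
    suspect, root = sys.argv[1], sys.argv[2]   # e.g. the DLL and the drive to sweep
    day = file_days(suspect)['created']
    for path, kinds in files_touched_on(root, day):
        print(day, '/'.join(kinds), path)
```

Timestamps are under the control of whatever wrote the file, so an empty result does not show that nothing else was dropped.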

legendary
Activity: 1246
Merit: 1077
hero member
Activity: 504
Merit: 500
If you do feel the need to move your coins, be sure to do it from a clean computer.

Did you mention the spec on your machine?

What processor, ram, vid card?
hero member
Activity: 504
Merit: 500
hero member
Activity: 504
Merit: 500
Do them all in safe mode first.
Some infections run even in safe mode, so this is not a solution.

It is not a solution. It's the right way to do it.

Sorry, I also did not realize this thread was supposed to be a tech support 'wang off'. ;p
legendary
Activity: 1246
Merit: 1077
To get Malwarebytes to run properly, open the folder where Malwarebytes resides, rename the .exe to explorer.exe or firefox.exe.
Now Right click, run as admin, your renamed .exe. Malwarebytes should run as normal. Some infections block specific processes by name.

Malwarebytes is a specialized scanner that doesn't look for common infections so you will need another scanner to look for other issues.
WinMHR, after your Malwarebytes scan would be a good choice. They supply all of the AV companies with samples, so their database is much more complete, but it doesn't clean, only detects known non rootkit malware.

After running WinMHR, you may have an MD5 to compare on a site like VirusTotal in their Hash search. This will tell you which AV companies are detecting it and so which ones can clean it.

Cheers
Noted. Malwarebytes is running fine.

If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.

Always be wary of the system in the future if you decide not to "nuke it from orbit" though.

Curious here too. Malwarebytes is probably not worth messing with in this situation. Be sure to boot up in safe mode and then run Combofix and Gmer.  I noticed you said you tried tdsskiller. Have you tried running rootkit revealer? Do them all in safe mode first.

If you still are not getting anything, you can try running process explorer from MS. It often will allow you to detect 'unusual' entries that may not be obvious to the kit finders.

If all else fails, post us a copy of your Hijack This log.

cheers
Rootkit revealer doesn't work on Windows 7.

Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:04:54, on 2012-07-22
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_265_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\~\AppData\Local\Temp\Temp1_ProcessExplorer.zip\procexp.exe
C:\Users\~\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TortoiseHgOverlayIconServer] C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep
O4 - Startup: OpenOffice.org 3.4.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MIF5BA~1\Office14\ONBttnIE.dll/105
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: http://www.w3.org
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {339C1EE2-1029-46B8-81F1-360217F26FC4} (PowerCreator VGAPlayer Control) - http://mms.hwjyw.com/courseware///courseware/2008-2-28/pengjunjiangzuo31204167051316/VGAPlayer.cab
O16 - DPF: {444785F1-DE89-4295-863A-D46C3A781394} - http://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D1278801-B2C0-4332-BD3E-2F64D2204EDF} (Windows Live Mesh Upload Tool) - https://www.mesh.com/0.9.4014.21/TSWeb.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

--
End of file - 6224 bytes
(edited to remove my name, which means the byte count is incorrect).

I'm wondering, is it usually good practice to move the coins to a new wallet in this situation? The wallet is encrypted with a decent passphrase.
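
An added example, not part of the original posts: a Python sketch that parses the O4 registry Run lines of a HijackThis log like the one above and flags the pattern the helpers picked out in the wrorap entry (rundll32.exe loading a DLL from a user profile directory). The function names and the list of user-writable directories are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: O4 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [TortoiseHgOverlayIconServer] C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep
O4 - Startup: OpenOffice.org 3.4.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
'''

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$')
# Program image: a quoted path, or an unquoted path up to its first .exe/.com/.bat/.cmd
IMAGE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|com|bat|cmd))(?=\s|$)', re.I)
# rundll32 argument: DLL path (optionally quoted) followed by ",ExportName"
DLL_ARG = re.compile(r'"?([^",]+\.dll)"?(?:,(\w+))?', re.I)
# Assumption of this example: directories a standard user can normally write to.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\programdata\\')


def parse_autoruns(log_text):
    """Return one dict per registry Run entry found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # other sections, Startup-folder shortcuts, blank lines
        hive, key, name, cmd = m.groups()
        img = IMAGE.match(cmd)
        image = (img.group(1) or img.group(2)) if img else cmd
        args = cmd[img.end():].strip() if img else ''
        entries.append({'hive': hive, 'key': key, 'name': name,
                        'image': image, 'args': args})
    return entries


def assess(entry):
    """Return the list of reasons an entry deserves a closer look (may be empty)."""
    reasons = []
    target = entry['image']
    if PureWindowsPath(target).name.lower() == 'rundll32.exe':
        dll = DLL_ARG.search(entry['args'])
        if dll:  # the real payload is the DLL, not the Windows system binary
            target = dll.group(1)
            reasons.append('rundll32.exe loads %s, export %s'
                           % (PureWindowsPath(target).name, dll.group(2) or '?'))
    if any(d in target.lower() for d in USER_WRITABLE):
        reasons.append('payload is in a user-writable directory')
    if reasons and entry['hive'] == 'HKCU':
        reasons.append('per-user Run key, writable without administrator rights')
    return reasons


def flag_autoruns(log_text):
    """Map value name -> reasons, for entries with at least one reason."""
    flagged = {}
    for entry in parse_autoruns(log_text):
        reasons = assess(entry)
        if reasons:
            flagged[entry['name']] = reasons
    return flagged


if __name__ == '__main__':
    for name, reasons in flag_autoruns(SAMPLE_LOG).items():
        print(name, '->', '; '.join(reasons))
```

A flagged entry is a lead for manual review, not a verdict; legitimate software also starts from per-user Run keys.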
full member
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician

Have you tried running rootkit revealer?
Really!! Mark still keeps this tool up to date, I thought he stopped developing it in 2008?
Do them all in safe mode first.
Some infections run even in safe mode, so this is not a solution.
hero member
Activity: 504
Merit: 500
If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.

Always be wary of the system in the future if you decide not to "nuke it from orbit" though.

Curious here too. Malwarebytes is probably not worth messing with in this situation. Be sure to boot up in safe mode and then run Combofix and Gmer.  I noticed you said you tried tdsskiller. Have you tried running rootkit revealer? Do them all in safe mode first.

If you still are not getting anything, you can try running process explorer from MS. It often will allow you to detect 'unusual' entries that may not be obvious to the kit finders.

If all else fails, post us a copy of your Hijack This log.

cheers
full member
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician
To get Malwarebytes to run properly, open the folder where Malwarebytes resides, rename the .exe to explorer.exe or firefox.exe.
Now Right click, run as admin, your renamed .exe. Malwarebytes should run as normal. Some infections block specific processes by name.

Malwarebytes is a specialized scanner that doesn't look for common infections so you will need another scanner to look for other issues.
WinMHR, after your Malwarebytes scan would be a good choice. They supply all of the AV companies with samples, so their database is much more complete, but it doesn't clean, only detects known non rootkit malware.

After running WinMHR, you may have an MD5 to compare on a site like VirusTotal in their Hash search. This will tell you which AV companies are detecting it and so which ones can clean it.

Cheers
legendary
Activity: 1246
Merit: 1077
To the best of my knowledge even "safe sector of the internet" sites sometimes let ads with malicious code slip through.  I'd recommend in the future running a browser with the no-script plugin running.  This way no script is run without your consent and knowledge.

As for your current infection Malwarebytes and combofix are a good start.  The browser hijacking may be due to a modified HOSTS file (how to reset the file http://pctechnotes.com/how-to-reset-windows-hosts-file/).

If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.

Always be wary of the system in the future if you decide not to "nuke it from orbit" though.
Thanks.

The hosts file is normal. The computer recently bluescreened, bringing Malwarebytes down with it (it's running again). Combofix isn't working (can't write "iexplore.exe").

I'm backing up the other important things now, in case worse goes to worse and a fresh install is necessary.
hero member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM
To the best of my knowledge even "safe sector of the internet" sites sometimes let ads with malicious code slip through.  I'd recommend in the future running a browser with the no-script plugin running.  This way no script is run without your consent and knowledge.

This^

Ever since I switched to Firefox+Noscript, the only experiences I've had with malware of any sort is clearing it off my friends' computers.
sr. member
Activity: 336
Merit: 250
Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.
One of the advantages Bitcoin offers is greater security :).

I consider myself lucky that they didn't get into my wallet or private keys (ditched those). The VISA refund was nice, too.

Good luck!
sr. member
Activity: 410
Merit: 250
To the best of my knowledge even "safe sector of the internet" sites sometimes let ads with malicious code slip through.  I'd recommend in the future running a browser with the no-script plugin running.  This way no script is run without your consent and knowledge.

As for your current infection Malwarebytes and combofix are a good start.  The browser hijacking may be due to a modified HOSTS file (how to reset the file http://pctechnotes.com/how-to-reset-windows-hosts-file/).

If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.

Always be wary of the system in the future if you decide not to "nuke it from orbit" though.
legendary
Activity: 1246
Merit: 1077
Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.
One of the advantages Bitcoin offers is greater security :).

Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.
Running GMER right now. Meanwhile, I'm copying the files I mentioned to a USB key. Hopefully this works.
member
Activity: 98
Merit: 10
(:firstbits => "1mantis")
I really need to get around to just biting the bullet and run nothing but linux
sr. member
Activity: 336
Merit: 250
Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.
legendary
Activity: 1358
Merit: 1002
Run this http://www.surfright.nl/en/hitmanpro/

No installation is needed so it may save your day