
Hello, I am having difficulties removing a virus that snuck past my malware protection. I attempted to follow the steps for a log and received an error on the DOS prompt scan. This scan gave me an error, "PEV.DAT has stopped working", when I tried to run it. I also got an error running the rootkit scan: "Application Error", click OK to terminate the program... I clicked OK, but it kept running, and then I was left with just one file to save; it's attached, named "rootkit". I'm pretty distressed, even more so now that I cannot even run the logs that you are requesting. =(

I attached a log of my infected files and a screenshot of my errors

~Pixelle

Attachments: mbam-log-2012-01-31 (13-05-12).txt, rootkit.log, post-107707-0-74924900-1328126084.jpg (screenshot)


I know we aren't supposed to bump our posts, but it's been over 2 days with no response. Please help, I want my computer back!!! Malware scan shows no known infections currently... But yesterday it started playing multiple audio files for no reason.. Help, it is possessed! It's continuously spamming that many IPs are being blocked and will not let me open more than one browser window or tab at a time.


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.


Thank you so much. I am currently running the full scan unless a flash or quick scan will suffice. Upon booting my computer it went to a DOS-type-looking screen that asked me if I wanted to repair Windows, start Windows in safe mode, or start normally. I just started normally since prior attempts to "Repair" did nothing. Once I open a browser window I get reports that Malwarebytes has blocked a potentially malicious website. It started out as just one IP, but the longer the computer runs the more IPs it blocks, and more frequently. Sometimes it says the process is svchost.exe and other times it says the process is iexplorer. I uninstalled Firefox when it first happened and thought it was coming through Firefox. Yesterday it was playing overlapping audio files through my headset for no reason. I was able to detect malware the first day it happened, but it has not been detectable since. Here is what it found:

Please note this is not the current scan!! This was 2 days ago:

Scan options disabled: P2P
Objects scanned: 326067
Time elapsed: 42 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Owner\AppData\Local\Temp\001dbe5f.tmp (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\61a107c0-4310c566 (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\6110149c-1b464b0b (Rogue.FakeHDD) -> Quarantined and deleted successfully.

(end)

Please let me know if you want me to continue the full scan or if you want a quick/flash scan instead. Thanks for all your help!!!

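Both MBAM logs in this thread use the same plain-text layout: header "key: value" lines, one "X Detected: N" count per category, and one line per detection shaped like `path (Threat.Name) -> action.`. The parser below is an added example written for this page; it is not Malwarebytes code and not something either poster ran. The sample log is constructed by stitching the header of the 2012-02-03 log to the three detection lines of the 2012-01-31 log, and the list of credential-risk threat prefixes is an assumption, not an official MBAM taxonomy. Beyond extracting the fields it checks that the declared counts add up to the lines actually present (a log cut short while pasting fails that check), and it separates the Java deployment cache hits (the likely drive-by entry point) from the Temp drop and from any backdoor-class detection, which is the fact that drives the password advice later in the thread.

```python
import re
from collections import Counter

# Constructed sample: header of the 2012-02-03 log plus the three detection
# lines from the 2012-01-31 log posted in this thread, stitched together so
# the parser has both metadata and findings to work on.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (PRO) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.03.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Owner :: OWNER-PC [administrator]

Protection: Enabled

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 185021
Time elapsed: 2 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Owner\AppData\Local\Temp\001dbe5f.tmp (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\61a107c0-4310c566 (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\6110149c-1b464b0b (Rogue.FakeHDD) -> Quarantined and deleted successfully.

(end)
"""

# "Files Detected: 3", "Registry Keys Detected: 0", ...
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<item> (<threat name>) -> <action>."  (file, folder and registry lines share this shape)
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# "Scan type: Quick scan", "Database version: v2012.02.03.10", ...
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*): (?P<value>.+)$")

# Assumption: threat-name prefixes that imply a remote party may have had
# credentials or interactive access. Illustrative, not an official MBAM list.
CREDENTIAL_RISK_PREFIXES = ("Backdoor", "Spyware", "Trojan.Banker", "PWS")


def parse_mbam_log(text):
    """Parse an MBAM 1.x text log into header fields, per-section counts and detections."""
    report = {"header": {}, "sections": {}, "detections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)" or line.startswith("(No malicious items"):
            continue
        m = SECTION_RE.match(line)  # must be tried before HEADER_RE, which would also match
        if m:
            section = m.group("section")
            report["sections"][section] = int(m.group("count"))
            continue
        if section is not None:
            m = DETECTION_RE.match(line)
            if m:
                report["detections"].append({
                    "section": section,
                    "item": m.group("item"),
                    "threat": m.group("threat"),
                    "action": m.group("action"),
                })
                continue
        m = HEADER_RE.match(line)
        if m:
            report["header"][m.group("key")] = m.group("value")
    return report


def triage(report):
    """Summarise what the detections mean for the person reading the log."""
    detections = report["detections"]
    lower_items = [d["item"].lower() for d in detections]  # Windows paths are case-insensitive
    return {
        "total": len(detections),
        # Declared per-section counts should add up to the lines actually listed;
        # a mismatch means the log was truncated or edited when pasted.
        "counts_consistent": sum(report["sections"].values()) == len(detections),
        "families": Counter(d["threat"].split(".")[0] for d in detections),
        # Any backdoor/spyware class hit: treat saved passwords as exposed.
        "credential_risk": any(d["threat"].startswith(CREDENTIAL_RISK_PREFIXES) for d in detections),
        # Java deployment cache hits point at a drive-by applet as the entry vector.
        "java_cache_hits": [d["item"] for d, low in zip(detections, lower_items)
                            if "\\java\\deployment\\cache\\" in low],
        "temp_hits": [d["item"] for d, low in zip(detections, lower_items)
                      if "\\appdata\\local\\temp\\" in low],
        # Anything MBAM could not quarantine/delete needs manual follow-up.
        "not_removed": [d["item"] for d in detections if "successfully" not in d["action"].lower()],
    }


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep["header"]["Scan type"], "on database", rep["header"]["Database version"])
    for key, value in triage(rep).items():
        print(f"{key}: {value}")
```

Run it against a pasted log with `parse_mbam_log(open("mbam-log.txt").read())`; the `counts_consistent` flag is the first thing to look at, because a log whose declared counts do not match its listed lines was not pasted whole and the missing lines are exactly the ones a helper needs to see.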

Quick will be fine.

I need you to read this, as the scan shows a Backdoor infection:

Backdoor.Win32.IRCBot (also known as W32/Checkout (McAfee), W32.Mubla (Symantec), W32/IRCBot-WB (Sophos), and Backdoor.Win32.IRCBot.aaq (Kaspersky)[1]) is a backdoor computer worm that is spread through MSN Messenger and Windows Live Messenger. Once installed on a PC, the worm copies itself into a Windows system folder, creates a new file displayed as "Windows Genuine Advantage Validation Notification" and becomes part of the computer's automatic startup.[2] In addition, it attempts to send itself to all MSN contacts by offering an attachment named 'photos.zip'. Executing this file will install the worm onto the local PC. The Win32.IRCBot worm provides a backdoor server and allows a remote intruder to gain access and control over the computer via an Internet Relay Chat channel.[1] This allows confidential information to be transmitted to a hacker.

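The description above says the bot is driven over an IRC channel, and the earlier post reports Malwarebytes blocking outbound IPs attributed to svchost.exe and Internet Explorer. One way to look for such a channel yourself is to correlate `netstat -ano` with `tasklist` and flag established sessions to routable addresses that either use IRC ports or come from svchost.exe on a port its hosted services normally do not use. The script below is an added example for this page, not from the thread, Malwarebytes or any vendor; its netstat text and PID-to-image map are constructed (addresses are RFC 5737 documentation ranges), and the IRC port list and the "expected svchost ports" set are assumptions. A bot can use any port, so an empty result is not proof of a clean machine; a hit is a lead to examine.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano -p tcp` output from a Windows 7 host.
# Remote addresses are RFC 5737 documentation ranges; nothing here is taken
# from the thread's logs.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       768
  TCP    192.168.1.10:49201     198.51.100.20:443      ESTABLISHED     1012
  TCP    192.168.1.10:49315     203.0.113.45:6667      ESTABLISHED     1012
  TCP    192.168.1.10:49322     192.0.2.80:80          ESTABLISHED     2244
  TCP    127.0.0.1:49160        127.0.0.1:49161        ESTABLISHED     3380
  TCP    [::1]:49170            [::1]:49171            ESTABLISHED     3380
"""

# Constructed PID -> image name map, as `tasklist` would report it.
PID_TO_IMAGE = {768: "svchost.exe", 1012: "svchost.exe", 2244: "iexplore.exe", 3380: "jusched.exe"}

# Assumption: classic IRC server ports. Bots can use any port, so this is a
# cheap first filter, not proof of absence.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# Assumption: ports on which svchost.exe-hosted services (Windows Update, BITS)
# normally talk to the internet.
SVCHOST_EXPECTED_PORTS = {80, 443}

# RFC 1918 checked explicitly: ipaddress's is_private also covers the RFC 5737
# documentation ranges used in the sample, which here stand in for internet hosts.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def split_endpoint(endpoint):
    """'203.0.113.45:6667' or '[::1]:80' -> (ip_address, port)."""
    host, port = endpoint.rsplit(":", 1)
    return ipaddress.ip_address(host.strip("[]")), int(port)


def is_local_peer(ip):
    """True for loopback, link-local and RFC 1918 addresses (an IPv6 address is never in an IPv4 net)."""
    return ip.is_loopback or ip.is_link_local or any(ip in net for net in RFC1918)


def parse_netstat(text):
    """Return (local, remote, state, pid) tuples for the TCP lines of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header, blank line
        local, remote, state, pid = m.groups()
        rows.append((split_endpoint(local), split_endpoint(remote), state, int(pid)))
    return rows


def find_suspicious(rows, pid_to_image):
    """Flag established outbound sessions that fit an IRC command-channel pattern."""
    findings = []
    for (_lip, _lport), (rip, rport), state, pid in rows:
        if state != "ESTABLISHED" or is_local_peer(rip):
            continue  # only sessions to routable addresses matter here
        image = pid_to_image.get(pid, "unknown")
        reasons = []
        if rport in IRC_PORTS:
            reasons.append("irc-port")
        if image.lower() == "svchost.exe" and rport not in SVCHOST_EXPECTED_PORTS:
            reasons.append("svchost-unusual-port")
        if reasons:
            findings.append({"pid": pid, "image": image, "remote": f"{rip}:{rport}", "reasons": reasons})
    return findings


def established_per_process(rows, pid_to_image):
    """Count established sessions per image name, for a quick view of who is talking."""
    counts = {}
    for _local, _remote, state, pid in rows:
        if state == "ESTABLISHED":
            image = pid_to_image.get(pid, "unknown")
            counts[image] = counts.get(image, 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    for finding in find_suspicious(rows, PID_TO_IMAGE):
        print(finding)
    print(established_per_process(rows, PID_TO_IMAGE))
```

On the real machine, capture `netstat -ano -p tcp > net.txt` and `tasklist /fo csv > tasks.txt` from an elevated prompt, build the PID map from the second file, and feed both in. Because svchost.exe hosts many services, a flagged svchost PID should be followed by `tasklist /svc /fi "PID eq <pid>"` to see which service group owns the connection.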

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


Thanks for the info. I did suspect my Yahoo and uninstalled it yesterday. Here is my current log:

Malwarebytes Anti-Malware (PRO) 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.03.10

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Owner :: OWNER-PC [administrator]

Protection: Enabled

2/3/2012 4:31:10 PM

mbam-log-2012-02-03 (16-31-10).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 185021

Time elapsed: 2 minute(s), 59 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


OK.

If you want to continue, do this next:

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With admin rights (right click, choose "Run as Administrator").

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on ComboFix.exe and follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. If you are running Vista or Windows 7, skip the Recovery Console part.
    Note: If you have XP SP3, use the XP SP2 package.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
