
Hi,

Recently a process called PING.exe has been running in the background and has been using a significant amount of processing power. Ending it with Task Manager only stops it for a while, as the process starts itself again.

In addition, when I open up Mozilla Firefox, another tab will open with a webpage about some fishy looking news website or a weird Facebook survey page. In all cases, the pages try to resist being closed with popup windows that say things like "Are you sure you want to leave this page."

Any help, advice, or insight would be much appreciated. Thanks!

I saw another topic similar to mine and the first step it had in solving the problem was to run ComboFix. I've attached the log from ComboFix.

ComboFix.txt


Hello and welcome!

You have a nasty rootkit on your computer. Please read the following information first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

OTL

-----

Please download OTL from one of the following mirrors:

  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Click the NONE button.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

    netsvcs

  • Push Run Scan.
  • A report will open. Copy and Paste that report in your next reply.


Hi, thanks for helping me.

Here is the log from running OTL:

OTL logfile created on: 2/13/2012 10:38:01 AM - Run 1

OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Soulever\Desktop

64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.74 Gb Total Physical Memory | 1.10 Gb Available Physical Memory | 29.37% Memory free

7.48 Gb Paging File | 5.04 Gb Available in Paging File | 67.47% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 421.81 Gb Total Space | 146.15 Gb Free Space | 34.65% Space Free | Partition Type: NTFS

Drive D: | 29.00 Gb Total Space | 27.30 Gb Free Space | 94.17% Space Free | Partition Type: NTFS

Computer Name: NAVI-MOBILE | User Name: Soulever | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

NetSvcs:64bit: epfwtdi - C:\Windows\SysNative\omsad.dll (Oak Technology Inc.)

< End of report >


Hello again,

CF-SCRIPT

-------------

Open notepad and copy/paste the text in the quotebox below into it:

<http://forums.malwarebytes.org/index.php?showtopic=106122&view=findpost&p=526464>

Collect::
C:\Windows\System32\omsad.dll

netsvc::
epfwtdi

driver::
epfwtdi

atjob::

Save this as CFScript.txt

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

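The OTL line above (epfwtdi loading omsad.dll through the netsvcs group) and the netsvc:: target in the CF script both point at the same persistence spot: the svchost "netsvcs" group and the ServiceDll each member loads. As an added example, not part of the thread and not code from OTL or ComboFix, this PowerShell audit walks that group and flags members whose DLL is missing from a normal directory query or is not Microsoft-signed; it assumes 64-bit PowerShell run as Administrator so that System32 is not redirected to SysWOW64.

```powershell
# Added example: audit the svchost "netsvcs" group the way the OTL custom scan did.
# Run in 64-bit PowerShell as Administrator (32-bit PowerShell sees SysWOW64 as System32).

$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$groupMembers = (Get-ItemProperty -Path $svchostKey).netsvcs   # REG_MULTI_SZ -> string[]

$results = foreach ($name in $groupMembers) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $svcKey)) { continue }    # listed in the group but not installed

    # ServiceDll normally sits under Parameters; a few services keep it on the service key.
    $dll = $null
    foreach ($k in @("$svcKey\Parameters", $svcKey)) {
        if (Test-Path $k) {
            $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).ServiceDll
            if ($v) { $dll = $v; break }
        }
    }
    if (-not $dll) { continue }                    # not a svchost-hosted service

    $path   = [Environment]::ExpandEnvironmentVariables($dll)
    $status = 'OK'
    $signer = ''
    if (-not (Test-Path -LiteralPath $path)) {
        # A DLL the registry says is loaded but a file query cannot see: typical rootkit sign.
        $status = 'MISSING/HIDDEN'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        # Older PowerShell reports catalog-signed Windows files as NotSigned, so this is
        # a "look at it" flag, not proof; a non-Microsoft signer in System32 is the real tell.
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') { $status = 'CHECK' }
    }
    [pscustomobject]@{ Service = $name; ServiceDll = $path; Status = $status; Signer = $signer }
}

$results | Sort-Object Status -Descending | Format-Table -AutoSize
```

Compare any CHECK or MISSING/HIDDEN row against the file's version information (OTL printed "Oak Technology Inc." for omsad.dll, which is not what a Windows service DLL should carry) before deciding it belongs in a removal script.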


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
