Possible problem with malware


I had posted in the General Forum and was advised by "daledoc1" that I should post in the Malware Forum and have one of your experts help me check out my system.

"daledoc1" advised that something on my computer is trying to reach out to the Czech Republic. That is alarming because my use of the computer is pretty simple and I am very security conscious. If I have something on my system that is trying to make an outbound connection with the Czech Republic, then I would say I have a problem.

The window advising of a block by Malwarebytes Anti Malware first appeared on April 3; then it appeared again yesterday. Please see the screenshots I provided under the General Forum at the link below.

All of my programs are the paid versions, not the free versions.

I have Avast Internet Security 8.0 -- Malwarebytes Pro 1.75.0.1300 -- SuperAntiSpyware 5.6.1014 -- WinPatrol 2013 Plus v. 26 -- KeyScrambler Professional 3.1.0.0.

I refer you to the following link to see what I had already posted in the General Forum:

http://forums.malwarebytes.org/index.php?showtopic=124642&view=findpost&p=664595

I did go to the instruction link provided by daledoc1. I ran a scan yesterday with MBAM but am going to run another one now. Please advise what you would like me to do from here. I'm not sure what to do next because it states "If you're still experiencing issues after running the above procedures then please follow the instructions below."

I don't know if I'm still having the issue. As I said, it first appeared on April 3, and then nothing again until yesterday, April 13.

  • Staff

Hello and welcome to MalwareBytes

We will need a set of diagnostic logs so I can check for the source of the issue, please run the following:

Please download DDS from either of these links

LINK 1

LINK 2

and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt.

NEXT

Please download aswMBR to your desktop.

  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

Before I proceed, you say to disable any script blocking protection. Do I have that? I don't know. I listed the programs I have, including MBAM PRO. I'm sorry to have such a lack of knowledge but will have to ask you to help me with this. No sense in running everything and then finding out I didn't get an accurate report. If there is script blocking on my browser, I assume that would not interfere as long as I have the browser closed?

I disabled my DSL connection and then disabled all my avast shields; then ran the two scans. The instruction page did not say to zip the Dds scan files, but a window within the scan said to do this. Do I need to zip the two files from the Dds scan before attaching?

  • Staff

If you hit the "More Reply Options" button at the bottom of the quick reply window, another reply window will open with more options.

At the bottom right of that reply window you will find the "Attach Files" button.

Click on "Choose Files" and browse to the location where you saved the logs, then click "Open" to upload the files.

Once complete, the uploaded file will appear just above the Attach Files button.

Place your cursor into the reply window, then click on "Add to Post".

The attachment will then be added to your reply; then click on the "Add Reply" button to post.

  • Staff

Please run the following

Refer to the ComboFix User's Guide

  1. Download ComboFix from the following location:
    Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on ComboFix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

CatByte, we have a major problem. I left ComboFix to run on my computer and did some chores. When I came back it was in the process of restarting. After that was complete I can't do a thing on my computer, not a thing. Everything I click on I get a window telling me "Illegal operation attempted on a registry key that has been marked for deletion."

I can't open System Restore. I can't even restart.

Please Help!!!

Good thing I have my laptop so I can get through to you.

I just discovered that I can open Avast, MBAM and SuperAntiSpyware, but I couldn't open WinPatrol. KeyScrambler didn't even start with the reboot. I was hoping there was some way I could use System Restore to get me back to where I was, but it won't open. I just get the same illegal operation message.

I got it to restart and chose safe mode. I can get things to open in safe mode and have my system restore screen open right now. I wish I knew whether to run it or not. I don't know what ComboFix did to my system so I don't know which way to turn. I hope you will be able to answer soon.

Here I am again. I decided to restart normally from Safe Mode and see what happened. Everything came back, but I got the very window that brought about all this again. I am going to attach the ComboFix log and a screenshot of the window.

I notice that the IP address on this block warning is different than the last one.

ComboFixLog.txt

post-22338-0-93182600-1366002156.jpg

  • Staff

Hello Nikilet

I did mention to reboot if you encountered that error message in my instructions for running ComboFix.

That IP address is in the Netherlands, is that where you are situated?

http://whois.domaintools.com/188.95.50.114

Please run the following:

Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

NEXT

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Yes, you did warn about that deal, and I see now that I did not read far enough down. I'll try not to make that mistake again. I caused myself a lot of worry! :wacko:

Could you please advise me if you found anything suspicious in any of the reports?

When I typed that IP address from the warning I got last night into one of the sites that traces these things, that site said this address was also from the Czech Republic. I am from the United States. I will use the link you gave for the IP addresses and bookmark it. Thanks!

I see the instructions you sent this time are quite lengthy so I will try to accomplish all this correctly.

I still have to run the online ESET scanner, but I am going to give you what I have so far. Following is the log info from the scan I just ran with MBAM:

Malwarebytes Anti-Malware (PRO) 1.75.0.1300

www.malwarebytes.org

Database version: v2013.04.15.11

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Cindy :: CINDY-PC [administrator]

Protection: Enabled

4/15/2013 3:57:03 PM

mbam-log-2013-04-15 (15-57-03).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 303923

Time elapsed: 11 minute(s), 49 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Right after this MBAM scan finished I got a threat (rootkit) notification from Avast. This very same thing happened 4-13 after MBAM had run a scan. I went to Avast forum and was told the following:

"As for the avast alert on MBAM SwissArmy: had you just run an MBAM scan? This may only be present during or shortly after a scan, which is why nothing was found in subsequent scans.

Because these scans (including avast) have to operate at a low level, they have drivers that control the scans; these are often hidden, making them look suspect to other security software. In the avast scan results window you should choose Ignore."

I am attaching screenshot of the Avast window. I have been running Avast and MBAM together for a while now and this rootkit warning is just a new deal. Yesterday after it happened, I removed the item using Avast and then did a boot scan with Avast. The warning box today gave me the option of removing the item, which I selected to do. It also wanted to know if I wanted to run a boot scan but I didn't do that for now. I wanted to advise you, and then I will run the ESET scan you requested.

AdwCleanerS1.txt

JRT.txt

post-22338-0-62543700-1366065307.jpg

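The MBAM summary log quoted above has a fixed shape: a few header lines, then one "X Detected: N" heading per category followed either by "(No malicious items detected)" or by one line per item. When helpers read dozens of these pasted into threads, a small parser that pulls out the version, database, counts and listed items, and cross-checks that every heading count matches the number of items actually listed, makes triage faster and catches truncated pastes. The following is an added example, not code from the thread's participants or from Malwarebytes. The two sample logs are constructed; the per-item line format `path (Threat.Name) -> action.` is my recollection of the MBAM 1.x convention and is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log in the MBAM 1.x summary format (not real scan output).
# The per-item line "path (Threat.Name) -> action." is an assumed MBAM 1.x convention.
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.15.11
Windows Vista Service Pack 2 x86 NTFS

Protection: Enabled

Scan type: Quick scan
Objects scanned: 303923
Time elapsed: 11 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files\Acronis\DriveMonitor\adm.exe (Trojan.Downloader.ED) -> Quarantined and deleted successfully.

(end)
"""

# Same constructed log, but the Files heading claims two items while only one
# is listed: the shape a truncated copy-and-paste produces.
SAMPLE_LOG_TRUNCATED = SAMPLE_LOG.replace("Files Detected: 1", "Files Detected: 2")


@dataclass
class Detection:
    item: str    # file path, registry key, process or module
    threat: str  # detection name, e.g. Trojan.Downloader.ED
    action: str  # what MBAM reports it did with the item


@dataclass
class MbamReport:
    version: Optional[str] = None
    database: Optional[str] = None
    scan_type: Optional[str] = None
    objects_scanned: Optional[int] = None
    counts: Dict[str, int] = field(default_factory=dict)              # heading -> N
    detections: Dict[str, List[Detection]] = field(default_factory=dict)
    inconsistencies: List[str] = field(default_factory=list)


VERSION_RE = re.compile(r"^Malwarebytes Anti-Malware(?: \(PRO\))? (\d+(?:\.\d+)+)$")
DATABASE_RE = re.compile(r"^Database version: (v[\d.]+)$")
SCANTYPE_RE = re.compile(r"^Scan type: (.+)$")
OBJECTS_RE = re.compile(r"^Objects scanned: (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+?) Detected: (\d+)$")
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")
NONE_MARKER = "(No malicious items detected)"


def parse_mbam_log(text: str) -> MbamReport:
    """Parse an MBAM 1.x summary log and record any count/item mismatches."""
    report = MbamReport()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:  # a new "X Detected: N" heading starts a section
            section = m.group(1)
            report.counts[section] = int(m.group(2))
            report.detections[section] = []
            continue
        if section is None:  # still in the header block
            for regex, attr, conv in (
                (VERSION_RE, "version", str),
                (DATABASE_RE, "database", str),
                (SCANTYPE_RE, "scan_type", str),
                (OBJECTS_RE, "objects_scanned", int),
            ):
                m = regex.match(line)
                if m:
                    setattr(report, attr, conv(m.group(1)))
            continue
        if line == "(end)":
            section = None
            continue
        if line == NONE_MARKER:
            if report.counts[section] != 0:
                report.inconsistencies.append(
                    f"{section}: marker says none but heading count is {report.counts[section]}")
            continue
        m = ITEM_RE.match(line)
        if m:
            report.detections[section].append(Detection(*m.groups()))
        else:
            report.inconsistencies.append(f"{section}: unparsed line {line!r}")
    # Cross-check every heading count against the items actually listed under it.
    for name, count in report.counts.items():
        listed = len(report.detections[name])
        if listed != count:
            report.inconsistencies.append(f"{name}: heading says {count}, listed {listed}")
    return report


def triage(report: MbamReport) -> List[str]:
    """Turn a parsed report into the short list a helper actually wants to read."""
    findings = [f"{name}: {d.item} flagged as {d.threat} ({d.action})"
                for name, items in report.detections.items() for d in items]
    findings.extend("log inconsistency: " + s for s in report.inconsistencies)
    if not findings:
        findings.append("clean: no detections and heading counts consistent")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_LOG, SAMPLE_LOG_TRUNCATED):
        print("\n".join(triage(parse_mbam_log(sample))), end="\n\n")
```

A heading count that does not match the number of listed items is worth asking about before acting on the log, since it usually means the poster pasted only part of the report; the parser reports it rather than silently trusting either number.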
HELP! Things are getting progressively worse. After I made the previous post another warning popped up from Malwarebytes saying it had blocked and quarantined C:\Program Files\Acronis\DriveMonitor\adm.exe

Trojan.Downloader.ED

(That is something that I never got rid of ages ago when I uninstalled Acronis.)

But then everything started going haywire. I'm getting pop ups all over the place and can't take a picture and send you because I can't use my snipping tool; it can't be found. I've restarted twice. Everything disappeared off my desktop for quite a while and it stayed that way. So I finally forced a shutdown with the power button. I'm getting errors like:

Logon process has failed to create the security options box.

The application failed to initialize properly 0c000007b. Click ok to terminate the application. I know this one popped up for WinPatrol and IE, which I don't even use.

Error Loading NVCPL.DLL Specified module can't be found.

Error loading C\Windows\System32\NVCPL.DLLt

Unable to locate SUPERAntiSpyware files. (This didn't start with restart like it's supposed to. Neither did KeyScrambler, Secunia PSI.)

It looks like there are a whole bunch of DLLs missing. My Windows Mail won't even open. Looks to me like a bunch of stuff got deleted that shouldn't have been. I don't know what to do now.

I made a post a few minutes ago and it doesn't appear to have registered. Nothing on my computer is working. Everything is missing dlls. Even Malwarebytes won't run. It looks like the only thing that is running is Avast. It is open and running right now but I don't think an infection is the problem right now. I think it's a whole slew of missing dlls.

I started clicking on programs and they all give me the same thing. Either can't find it or some dll is missing. I restarted in Safe Mode and tried last known good configuration, but that didn't work.

I can't figure out why Avast is running because nothing else will. I won't even be able to receive an email from you on this machine so guess I'd better go get my laptop.

This isn't working. After installing it won't launch. Window says "This application has failed to start because MSVBVM60.DLL was not found. Re-installing the application may fix this problem."

I tried it again and no deal. So what, MBAM quarantined a bunch of working files and now I can't get to them because I can't even get it reinstalled?

  • Staff

Are you able to run System Restore?

  • type system restore into the search box in the Start menu and hit Enter.
  • the System Restore wizard will open
  • choose the recommended restore point, which is usually the most recent one (prior to updating MBAM).
    Or you can choose a different restore point, which for our situation we need to do.
  • Select the radio button next to Choose a different restore point then click Next.
  • Now a list of different restore points and the description of what was taking place when it was created will populate.
  • click on the box next to Show more restore points.
  • Now scroll through and determine which restore point you want. (which should be prior to the onset of the infection if possible)
  • Confirm the restore point and click Finish
  • Click Yes to the message saying that it can’t be undone until it has completed, or cannot be undone if running it from Safe Mode.
  • The System Restore process will begin
  • several messages should display during the process.
  • your system should now function how it was during the time it was restored to
