
HitmanPro finds trojans and malicious software that MBAM missed


Hi,

I have MSE active full time and run MBAM (free) at least once a week (as needed). No problems found.

I ran a one time only scan by HitmanPro as a "double check" for verification purposes and much to my surprise HitmanPro found a whole list of trojans and other malicious software that MBAM supposedly missed(?).

I cannot copy and paste the list of trojans and other stuff from the HitmanPro 3.7.3 - Build 194 results display but I can retype them if needed on the next post.

See attached files as requested: attach.txt, dds.txt

Thanks for any assistance


Hello vhende2000 and welcome to Malwarebytes!

I am D-FRED-BROWN and I will be helping you. :)

For now you can hold off on re-typing the list of malware that Hitman detected. I'd like to get a few logs from TDSSKiller and ComboFix to give me an idea of what may still be on your computer.

Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.

----------Step 1----------------

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------

Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

----------Step 3----------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

----------Step 4----------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 5----------------

In your next reply, please include the following:

  • TDSSKiller's logfile
  • MBAR mbar-log.txt and system-log.txt
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt

After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"

-------> Your topic will be closed if you haven't replied within 3 days! <--------

(If I don't respond within 24 hours, please send me a PM)

-DFB


Hi, D-FRED-BROWN,

Thanks for jumping in and helping me.

This is my first visit/problem on the MBAM site.

Question 1:

Whenever I first enter the MBAM site, is there a quick way to pull up my postings/problems for updates without searching the entire site, forum by forum? I've been on other technical help sites that have this feature but have not yet hit upon it here.

Question 2:

I am using the free version of MBAM in an "as needed" mode, usually once a week. It does not run concurrently with my MSE. Same thing with ESET, which is the online quick download one shot version. Could this be a contributing factor in HitmanPro finding things not obviously caught by MBAM which, of late, says "nothing found" on a full scan? Mind you, I don't really "know" that I have these viruses/trojans, only that HitmanPro quick scan says so.

Well, on to the problem at hand. I will report back as soon as possible with the results of the scans you've requested.


Whenever I first enter the MBAM site, is there a quick way to pull up my postings/problems for updates without searching the entire site, forum by forum? I've been on other technical help sites that have this feature but have not yet hit upon it here.

On the right hand side, there's a tab that says "View New Content".

When you're there, look under Other. Make sure that the option "Just Items I Follow" is the only one with a checkmark by it.

Hope that helps. :)

I am using the free version of MBAM in an "as needed" mode, usually once a week. It does not run concurrently with my MSE. Same thing with ESET, which is the online quick download one shot version. Could this be a contributing factor in HitmanPro finding things not obviously caught by MBAM which, of late, says "nothing found" on a full scan? Mind you, I don't really "know" that I have these viruses/trojans, only that HitmanPro quick scan says so.

It shouldn't be a contributing factor. It also depends on the type of malware that you may have on your system. For example, malware that may be designed to evade Malwarebytes only would probably be detected by several other antivirus applications. The scans I requested you run should give us a clearer picture of what you may be facing.


Hi, D-FRED-BROWN,

I got the goods, but not without a hassle.

Step 1 - TDSS Rootkit Removing Tool - nothing found - See "TDSSKiller.2.8.17..._log" below.

Step 2 - ComboFix.exe - started OK, completed Stage 50 OK, deleted files OK, deleted folders OK, down to "C:\Windows\System32\URTTemp" and then hung up (blinking cursor) then nothing, stayed there for over one hour.

I pulled up Windows Task Manager - found process "REGT.3XE" hogging 97% CPU time and process "Taskmgr.exe" using the other 3% CPU time for total 100% CPU usage.

Ended the process on "REGT.3XE" and ComboFix continued, finished, rebooted, and created log file - See "ComboFix.txt" below.

Step 3 - Security Check - Completed OK -See "checkup.txt" below.

TDSSKiller.2.8.17.0_16.05.2013_20.03.02_log.txt

ComboFix.txt

checkup.txt


OK, ComboFix 2nd run - didn't take as long this time, about 1/2 hour.

Did not hang like first time. Had no files or folders to delete.

However (and I perhaps should have mentioned this the first time), on almost every Stage 1-50, I kept getting a Data Execution Prevention error.

Got a window saying "Windows has to close program: 'Commandline Standard Stream Splitter', please close message".

This was almost every time followed by another message box saying "mtee.3XE has encountered a problem and needs to close" -- and "Send error report to MS".

So each time I had to close both messages before it could go to the next Stage.

The first time I ran ComboFix I didn't think much about it, believing it to be part of the process. Of course now, in retrospect, the Task Manager problem with 'REGT.3XE' might be related. No CPU Run Time problem this time, though.

And I will tell you that I have had a "lot" of times previously that I had to run a Microsoft FixIt to correct "slow IE" problems. The Data Execute Prevention always had to be turned BACK on for the fix. Always kept getting turned off. See file below:

I haven't had time to really check out the system as yet because it is after 1am here. Gotta get up and "make the donuts" in a short while. See ya later.

[before I logged off my Yahoo widgets analog clock had a problem and had to close - send report to Microsoft. Oh, well.]

ComboFix-2.txt


We'll worry about the Data Execution Prevention issues later on. For now, I'd like to get a deeper look at your system.

Please do the following:

  1. Please download OTL from one of the following mirrors:

  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


Hi, I'm back, 9:35pm Chicago time, Friday 5/17.

The OTL.txt file and the Extras.txt file are attached.

Can you give me an idea of what we've accomplished so far?

Have we already cleaned up some of the problem stuff on the computer or in the register by running these programs? Or are we just gathering info for later attack?

My pc does seem to be behaving better and page loading seems faster, but it could be just my hoping that it's so.

I do realize that I've been pushing my 8 (?) year old Gateway 510s and Windows XP Home to their limits. But they've been pretty good considering everything. But I'm really out of touch, anymore.

Before I retired from the government in 2006 I was a network administrator for the Veterans Affairs hospital system at a site with 1300+ computers and a staff of only 16 people including management, programmers, administrators, and technicians. Kept us busy.

Most of the stuff you're using now I've never heard of and certainly have never used. I don't dabble as much as I used to.

I really appreciate your help. This is very intriguing and educational for me. Thanks.

Vernon

OTL.Txt

Extras.Txt


Can you give me an idea of what we've accomplished so far?

So far, we had some success with ComboFix removing a few pieces of malware, but I'm still trying to get a deeper and deeper look to find anything that would have been detected by Hitman.

Have we already cleaned up some of the problem stuff on the computer or in the register by running these programs? Or are we just gathering info for later attack?

Combofix cleaned up some junk. The latter applies as well, if we can find anything that is suspicious.

I really appreciate your help. This is very intriguing and educational for me. Thanks.

No problem :).

Please Launch Malwarebytes' Anti-Malware.

  • Please click Check for Updates to see if any updates are found. If so, please allow MBAM to download and install them.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a location you will remember.
  • Copy and Paste that log into your next reply.

Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK for either of the prompts and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately.


Looking good. We're nearly in the clear. How is your computer running now?

Please run the following two scans to check for any leftovers we may have missed.

Please download RogueKiller to your desktop

  1. Quit all running programs
  2. For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  3. When prompted, type 1 and validate
  4. The RKreport.txt shall be generated next to the executable.
  5. If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

-------

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Hi, major problem here.

Everything was going fine and I ran RogueKiller and got logs.

I was set to run the ESET when it indicated that I had 2 antivirus programs on my machine which was a surprise to me.

One was MSE of course and the other was Avast, which I had removed (I thought) a long time ago.

I decided to find and remove any Avast files and programs. I did a search and there were a lot of them.

I downloaded the Avast Uninstaller off their site with a zip file and removed the program files and folders (no registry entries).

I removed the Uninstaller with Revo Uninstaller OK and was going to remove the zip file likewise.

And then the bottom of the bucket fell out.

Revo Uninstaller froze up, not completing the uninstall and I lost my network capabilities, not being able to use IE at all.

And I lost my Yahoo Widgets, an analog clock and the weather from my Desktop and could not restore these either.

I tried to do a system restore from System Tools and could do nothing.

I then repeatedly tried to do a system restore from Safe Mode again without success.

So I'm currently stuck. I can't get online and I can't restore to an earlier point.

I'm using (poorly) my daughter's laptop for this.

Any suggestions would be helpful. In all my years in computers, I've never seen this type of problem before.

And everything was going so well.


Hi, again, forgot something.

After the system failed I noticed something peculiar.

When the startup or reboot takes place, on the Desktop the tray icons (lower right) for MSE and Microsoft Security Center indicate two different things.

The MSE icon indicates that MSE is in PC protection mode with real time protection enabled, but the Security Center indicates that Virus Protection is Off at the same time. Since MSE is the ONLY antivirus program running, this situation can't be right.


Hmmm. That's really odd. I suspect a system file got corrupted/deleted.

You said you tried to run System Restore from Safe Mode. If you're still able to boot into Safe Mode, please do the following (once you're in Safe Mode):

Instructions

We are going to run System File Checker to make sure all of your protected files are not corrupt. The scan will automatically replace any corrupt files that it finds.

Click Start

Select Run

At the prompt type sfc /scannow. Please note that there is a single space between sfc and /scannow.

Typing this will start the program, and a box should appear telling you how much longer the process should take.

Sometimes the scan will prompt you for your Windows XP disc upon starting the scan. If this happens, please make sure that you can view protected files:

  • My Computer
    Tools
    Folder Options
    View
    "Uncheck" Hide protected operating system files.

Then rerun the scan. If this still asks you to put in your Windows XP CD, and you do not have the CD (if you bought it preinstalled) post back for more tips; otherwise insert the Windows CD.

Once the scan is complete:

Check your Windows Updates! After using the File Protection Service, you might need to reapply some updates.

Please reboot, and let me know if anything has changed.


Good News (with a small hitch)

I tried to run the sfc /scannow in Safe Mode but it wouldn't play. The screen "flashed" for a sec, then nothing happened.

However, I saw that I had previously run some other utilities and had a list for selection, such as regedit, devmgmt.msc, cmd, taskmgr, and msconfig. [clap here]

I had forgotten about msconfig (I was tired and it was late) so I gave it a shot to see if it was working, it was!

So I ran Launch System Restore and, thankfully, it was working! I had forgotten that I could get to System Restore this way.

I selected the Revo Uninstaller's restore point and went for it.

Got everything back successfully!

I reran sfc /scannow and it completed with no messages.

I also ran Microsoft Updates. Only had two, one for MSE Definitions and one for XP Root Certificates. Just normal stuff.

I have the RogueKiller files that I'll send from my own computer in a moment, which had completed before the Avast removal stuff happened.

I had also rerun RogueKiller after the crash, just trying anything, so there will be a few extra files there also.

I'll start running the ESET again now and then post the results later today.

So, at least for now, we seem to be back to *Square One* again.

Thanks


Hi D-FRED-BROWN,

Back on my own computer now.

See the RogueKiller files below.

Running ESET, will report later.

Vernon

RKreport_S_05182013_02d2156.txt

RKreport1_S_05192013_02d0001.txt

RKreport2_D_05192013_02d0002.txt

Sounds good. I'll wait for the ESET scan before we proceed.

One quick question- do you recognize the program BrowserProtect? It looks like RK is detecting it as suspicious, so I just wanted to get your clarification on that.


Hi,

I am not sure what BrowserProtect is. It sounds only vaguely familiar. Doesn't sound like anything I purposely downloaded.

On another note, I'm having problems running ESET on line.

I turned MSE real time protection OFF and started ESET now twice.

It ran for 1 1/2 hours first time and now ran 2 1/2 hours 2nd time and in both cases just quit.

In both cases it started and indicated 7% complete and never changed % value.

In both cases it was very slowly counting through files before stopping. I've lost 4 hours scan time.

Should I get rid of it and redownload new?

Also here on the reply section, all the extra options like bold, font, size, etc. are shown but greyed out, unavailable.

Not sure why.


Also here on the reply section, all the extra options like bold, font, size, etc. are shown but greyed out, unavailable.

Just click the button in the top-left corner titled "Toggle Editing Mode" ;).

As for ESET, try using the download option for the online scan, available here: http://download.eset.com/special/eos/esetsmartinstaller_enu.exe

Let me know how things go.


Well, I downloaded the ESET online again and am currently running it to see what happens this time.

It's 10:45pm so I don't know how long it will take to run. BTW, it's still sitting at 7% completed.

One more thing, previously whenever I had tried to use Revo Uninstaller to remove the 7-zip v9.20 file which had come with the Avast Uninstaller, my system crashed and I had to eventually restore the system to the point just before the removal attempt.

I have tried to remove it again with Revo and got the same results and, of course, had to restore the system again. I just can't win. Something must be up with Revo and 7-zip.

Besides, I already had 7-zip 9.21 but have not tried removing it before.

It also had come with some other downloaded program as a requirement.

So, what would you suggest as to how I can get rid of this stupid file?

And do you have any idea as to why it crashed my system in the first place?

Revo Uninstaller has always worked great before with no residual problems.

This is a first for me.

Catch you later.


It's 10:45pm so I don't know how long it will take to run. BTW, it's still sitting at 7% completed.

No worries. If it doesn't show any more progress by tomorrow, we'll just move on to something else. I think we're on the right track, though. The RogueKiller log provided us with some good info :).

I have tried to remove it again with Revo and got the same results and, of course, had to restore the system again. I just can't win. Something must be up with Revo and 7-zip.

Besides, I already had 7-zip 9.21 but have not tried removing it before.

It also had come with some other downloaded program as a requirement.

So, what would you suggest as to how I can get rid of this stupid file?

And do you have any idea as to why it crashed my system in the first place?

Revo Uninstaller has always worked great before with no residual problems.

This is a first for me.

Try uninstalling it through Add or Remove Programs (found in the Control Panel) instead. That's really strange, though- I've never seen Revo choke like that before.

If it's just a file you'd like to delete, I can cook up a script to delete it through either ComboFix or OTL. Just provide me the name of the file and we can get rid of it.

I suspect the reason it crashed is because the program may have overwritten a system file when it was installed, though that's only a guess. If you used Revo, that system file may have been accidentally deleted (due to its association with the program), which would probably cause the issues you've described. At this point, I wouldn't worry about it- let's remove the malware first, and then we can move on to the fine-tunings. ;)


Well, I'm finally back online after a long night and long day.

I've had all kinds of trouble after the ESET ran, mostly with being unable to log online or even to restore the system to a restore point. I've spent hours and hours and hours just going in circles trying to get the PC to play at all.

Here's a list of what happened:

ESET finally finished at about midnight Chicago time. I saved the ESET.txt file. See below.

ESET reported finding 4 trojans and quarantined them. I chose remove files and exited ESET.

I found that I could not open any files including IE to go online. Everything was blocked.

Ran SFC and retried ---> could not open anything.

Tried going to Run - msconfig ---> would not open/"could not find".

Rebooted into Safe Mode ---> Still could not open anything.

Rebooted into Debug Mode ---> Could not open anything.

Rebooted into Normal Mode ---> No surprise, could not open anything.

Rebooted into Last known good configuration ---> Still could not open anything.

Rebooted back into Normal Mode ---> Still could not open anything.

Reran SFC ---> Still could not run anything.

Tried to Run - msconfig again ---> No go.

Rebooted into Safe Mode ---> Restored to before Revo Uninstall of Protected Search 1.1.

Removed 7-zip V9.20 via Add/Remove program --> Tried to open files ---> No go, no IE connection.

Rebooted into Safe Mode ---> It indicated that it was back in Debug Mode(?) which I had not selected.

Rebooted into Normal Mode ---> Still cannot open anything.

Rebooted into Safe Mode/Restore Mode only after several attempts without Restore option availability.

Restored to before removal of 7-zip V9.21 (and 7-zip V9.20) via Add/Remove program.

The restore took an exceptionally long time to complete ---> Everything back to normal (hopefully).

Downloaded MS Updates OK.

And here we are. I'm back online again and everything I've checked seems to be OK.

I was so frustrated at my PC that I almost threw my coffee cup at it.

I have no idea why the reboots above would not work, especially not being able to get the Restore option.

And, of course I still have the (2) 7-zip files that I can't get rid of.

Question: after all these restores, do the deleted trojans found come back to haunt me?

What's next?

ESET.txt


Question: after all these restores, do the deleted trojans found come back to haunt me?

For now, please hold off on using System Restore. Please run ComboFix and RogueKiller one more time and post each of their logs. We'll move onto the next step after that.

This topic is now closed to further replies.