Jump to content

Bad rootkit and/or other things won't go away


Recommended Posts

Hi Team,

 

Since March of this year, I've seen that my Trend Micro has picked up a rootkit called harbinger.A and while I have already attempted to remove it, it keeps coming back (logs keep saying it's there).

I downloaded MalwareBytes last night, and it found 23 registry files that were malcious. I didn't seen anything about the harbinger, though. Now for some reason, MalwareBytes keeps poping up a box in my lower right hand corner that says Trend Micro's Coreserviceshell.exe has been blocked as Malicous activity. I don't know if that's a big deal or not, but how can I be sure that my registry is free of any bad stuff?? Thanks in advance!

 

I can't download the Farbar recovery file.. This rootkit or virus or whatever it is, is so annoying that I can't download and open ANY EXE files.It says "The remote call procedure failed"

 

Please help!

Link to post
Share on other sites

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

Which windows version is running?

Link to post
Share on other sites

  • 2 weeks later...

Hi Psychotic,

The initial post above has passed the 3 days but I thought I would ride on it (since it does not seem closed yet and my problem is somewhat similar).

Here goes:

 

I am not sure what I installed or downloaded about 2 weeks ago but my Trend Micro Titanium Maximum Security 2014 program ( C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe) is complaining about something and Malwarebytes is blocking the outbound traffic as malicious:

 
Detection, 08-Jul-14 10:57:50 AM, SYSTEM, AMPANGCLANPC-WS, Protection, Malicious Website Protection, IP, 199.2.137.201, f7a5dmi6yy2dyam.co.cc, 50023, Outbound, C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe, Detection, 08-Jul-14 10:58:34 AM, SYSTEM, AMPANGCLANPC-WS, Protection, Malicious Website Protection, IP, 199.2.137.201, j0lluegw7jruqonuw.co.cc, 50027, Outbound, C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe, Detection, 08-Jul-14 10:58:34 AM, SYSTEM, AMPANGCLANPC-WS, Protection, Malicious Website Protection, IP, 199.2.137.201, j0lluegw7jruqonuw.co.cc, 50027, Outbound, C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe, Detection, 08-Jul-14 10:59:16 AM, SYSTEM, AMPANGCLANPC-WS, Protection, Malicious Website Protection, IP, 199.2.137.201, muw0b5emg3hd.co.cc, 50091, Outbound, C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe, 

As you can see, it is all OUTBOUND and trying to reach out to 199.2.137.201 (which is a MS site or something called Sprint?).

Everything else seems to work fine, except the pop-ups are annoying....and something might be hidden inside my PC, which I would like to get rid of.

 

Please help. Thank you.

Link to post
Share on other sites

Ooops, sorry for using CODEs - saw another post where the ruling may be "Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text". There is no way to edit my post above, so hope you can accept it as is this time around.

 

Also, a small donation via Paypal has been made for your tireless effort in helping others like me - Confirmation number: 05C65220CU679035D.

Link to post
Share on other sites

Thank you very much! :)

 

 

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

  • Run FRST.
  • Don´t change one of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Poste the FRST.txt and (after the first scan only!) the Addition.txt.

 
 
 
Please download Malwarebytes Anti-Rootkit from here

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • If any threats are found, don´t click the Cleanup button - rather save the log and post it up in your topic.

Link to post
Share on other sites

Your logs show obvious signs of having cracked software on your system. This is the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Referring to the Forum Rules which you should have read at the time of Registering at this forum, this forum does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine

Having said that we can help you clean your machine this time BUT this would be a ONCE ONLY offer on the understanding that all cracks are removed. This would apply not only here but at many other Malware Support forums if you were to appear again with cracks onboard, as many of us analysts work at multiple support sites. Please remove all cracked software and illegally obtained copyrighted material you have on the system so we may continue with the clean up.

Link to post
Share on other sites

Hi Psychotic,

Thank you for the feedback and I fully understand my position (and predicament). Have sent you a PM with explanation and am resigned to find the solution myself, since I have put myself in this position. I will strive to remove what should not be there and I do thank you for your time and effort and wish you the best.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.