
Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you to. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

  • Important: To help me review your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.

HijackThis is not the preferred initial scanning tool in this forum. With today's malware, a more comprehensive set of logs is required to determine the presence of malware.

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (if not sure: Start --> Computer (right click) --> Properties).

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All (should be unchecked by default)
  • Leave everything else as it is.
  • Close all other running programs as well as your browser.
  • Click the Scan button & wait for it to finish.
  • Once done, click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root of the drive, which is typically C:\ , for example C:\TDSSKiller.<version_date_time>log.txt

Please attach this file to your next reply.

I can attach the doc file but don't want people to get infected with it.

 

Place the DOC in a ZIP or RAR and upload the file to Newest Malware Threats, referencing this thread and my request.

I will obtain the payload. If it is not detected by MBAM I will submit it.

Submission References:

Malware hunters please read

Purpose of this forum

Malware Hunters group


Hello

 

Just a short story. I ran Malwarebytes and it found nothing. Today I was trying to figure out what that script does. I found out it connects to a server, and I am not sure if it downloads a file or generates a file. Once I found the name of the file, 324234234.exe, the file was located in a temp folder; I forgot the path, possibly c:/programdata/microsoft or something like that. The antivirus McAfee found it and deleted the file. For some reason it was crashing when I was trying to scan for malware...

I also ran malware scanners; my first choice was Malwarebytes but it did not find the above file... I also used RogueKiller, JRT, HitmanPro and AdwCleaner.

 

I feel like the sucker might be in the system.. and my suspicion is due to GMER suspecting that I have a rootkit.

Logs.zip


Unfortunately, the TELEFÔNICA BRASIL DSL host is no longer serving up the malware ( payload ).

 

Thank you, it was worth the effort.

 

I have quarantined files from the antivirus with the .bup extension. I am not sure if the files are modified or just renamed.


Update:

 

My computer crashed and I re-ran GMER and got this:

 

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-21 13:55:04
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1  rev. 0.00MB
Running: 0v4s16mh.exe; Driver: C:\Users\usd22614\AppData\Local\Temp\aftdipoc.sys

---- Threads - GMER 2.1 ----

Thread  C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe [2240:2364]  0000000071945224
Thread  C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe [2240:2384]  00000000717b2f43

---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0                                                                                           unknown MBR code
Disk    \Device\Harddisk0\DR0                                                                                           sector 0: rootkit-like behavior

---- EOF - GMER 2.1 ----


Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
 

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.
  • Also, a MBRDUMP.TXT is made in the same location. Please ATTACH this file to your reply (don't post its content!).

 

fixlist.txt


 

ProxyServer: [s-1-5-21-2052111302-790525478-839522115-697429] => 149.59.192.5:8080

AutoConfigURL: [s-1-5-21-2052111302-790525478-839522115-697429] => http://pac.zscalertw.../global-pac.pac

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank

HKU\S-1-5-21-2052111302-790525478-839522115-697429\Software\Microsoft\Internet Explorer\Main,Start Page = http://pww.healthcare.philips.com

HKU\S-1-5-21-2052111302-790525478-839522115-697429\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pww.philips.com

Is this an enterprise machine?

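As an added example (not part of this thread, and not FRST's own code), a small Python helper that pulls the per-user ProxyServer and AutoConfigURL lines out of FRST output and marks each host as expected (on an admin-supplied allowlist), internal (a private address) or needing review, which is the question the helper above is asking. The sample lines are constructed after the ones quoted in the post; the PAC host is a placeholder because the thread's URL is truncated.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed FRST-style sample: the SID and proxy address are the ones quoted in
# the thread; the PAC host is a placeholder because the thread's URL is truncated.
SAMPLE_FRST = """\
ProxyServer: [S-1-5-21-2052111302-790525478-839522115-697429] => 149.59.192.5:8080
AutoConfigURL: [S-1-5-21-2052111302-790525478-839522115-697429] => http://pac.corp-proxy.example/global-pac.pac
HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
"""

LINE_RE = re.compile(r"^(ProxyServer|AutoConfigURL): \[(S-1-5-[\d-]+)\] => (.+)$", re.I)


def proxy_host(kind, value):
    """Host part of a ProxyServer value ("host:port" or "http=host:port;...")
    or of an AutoConfigURL value (a PAC URL)."""
    if kind.lower() == "autoconfigurl":
        return (urlparse(value).hostname or "").lower()
    first = value.split(";")[0].split("=")[-1]
    return first.rsplit(":", 1)[0].strip("[]").lower()


def classify(host, trusted_hosts):
    """'expected' if the admin allowlist knows the host, 'internal' for a private
    or loopback address, otherwise 'review' (possible hijack or unknown setting)."""
    if host in trusted_hosts:
        return "expected"
    try:
        if ipaddress.ip_address(host).is_private:
            return "internal"
    except ValueError:  # not an IP literal, so a hostname we do not know
        pass
    return "review"


def review_proxy_settings(frst_text, trusted_hosts=frozenset()):
    """Return one finding per per-user proxy/PAC line found in FRST output."""
    findings = []
    for line in frst_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, sid, value = m.groups()
        host = proxy_host(kind, value)
        findings.append({"kind": kind, "sid": sid, "host": host,
                         "verdict": classify(host, trusted_hosts)})
    return findings
```

Run it over a real FRST.txt with the organisation's proxy and PAC hosts in `trusted_hosts`; anything left at "review" is a setting to confirm with the machine's owner before touching it.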

  • 2 weeks later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

