May have malware was directed here by advancedsetup

Hi Paul :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

I don't see any traces of malware with your logs. After reading them, and reading your thread, I suspect that there's a conflict between Malwarebytes and the security products you're using. COMODO Firewall being the one I suspect to cause this error, since it added ADS to all your drivers (Malwarebytes ones included) and that could cause the error you see in your Event Viewer. For testing purposes, please uninstall COMODO Firewall. Once done, run the FRST fix below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

Once that is completed, follow the procedure to do a clean reinstall of Malwarebytes Anti-Malware v2.x, restart your computer and follow the instructions below.

MiniToolBox

  • Download MiniToolBox and move the file to your Desktop;
  • Right-click on MiniToolBox.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options:
    • List Last 10 Event Viewer Errors;
  • Once this is done, click on Go and wait for the scan to complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

Your next reply(ies) should include:

  • Confirmation that you uninstalled COMODO Firewall from your system;
  • Copy/pasted content of the FRST fixlog.txt;
  • Confirmation that you did a clean uninstall and reinstall of Malwarebytes Anti-Malware;
  • Copy/pasted content of the MiniToolBox log;

fixlist.txt


Still there. Please uninstall WinPatrol and Avast Free Antivirus as well, then do a clean reinstall of Malwarebytes once more. Once done, run MiniToolBox again and provide me a new log. I honestly suspect software conflict here unless... there's another theory I would like to test after if it still doesn't work.


Avast has been taking longer and longer to start and now and again mbam doesn't start at all.

I should have also said it's the same on 2 machines but the other uses the full version of Trend Micro but has all the same issues; they don't use WinPatrol either.

I have reinstalled the OS on both machines twice and reinstalled everything and each time, either straight away or after a few days of internet use, they end up the same; it didn't used to.

I will uninstall and do as you say. Give me 10 mins

Thank you :)


That's fine :) The errors are still there... Alright, follow the instructions below please.

GSmartControl
Follow the instructions below to test your hard drive health with GSmartControl:

  • Download GSmartControl and save it on your Desktop;
  • Extract the content of the GSmartControl .zip archive and execute gsmartcontrol.exe;
  • Identify your drive in the list, and double-click on it to bring up its window (usually you'll find your drive by its size or its brand name);
  • Go in the Perform Tests tab, then select Extended Self-test in the Test type drop-down list and click on Execute (this test can take a few hours to complete);
  • Once the test is over, the results will be displayed at the bottom of the window. Please copy and paste these results in your next reply;
  • Also, go in the Attributes tab and if you have any entries highlighted in red or pink, copy and paste their name in your next reply (or take a screenshot of the GSmartControl window and attach it in your next reply);


Problem it says unknown model and then has no options that you listed.

I try to enter a name manually and it says nothing found.

smartctl 5.43 2012-06-30 r3573 [i686-w64-mingw32-vista-sp2] (sf-5.43-1)
Copyright (C) 2002-12 by Bruce Allen, http://smartmontools.sourceforge.net

Short INQUIRY response, skip product id
A mandatory SMART command failed: exiting. To continue, add one or more '-T permissive' options.
 


Hum... I suspect that the HDD doesn't support SMART, though it would be unlikely if it's a newer one. Is the other computer old and running Windows Vista as well?

Next we'll run a CHKDSK on your drive and grab the log.

Check Disk (chkdsk)
Follow the instructions below to run a CHKDSK scan on your Windows partition;

  • On Windows Vista & 7, click on the Windows Start Menu, then enter cmd in the search box, right-click on the cmd icon and select Run as Administrator
  • On Windows 8, drag your cursor in the bottom-left corner, and right-click on the metro menu preview, then select Command Prompt (Admin);
  • On Windows 8.1, right click on the Windows logo in the bottom-left corner and select Command Prompt (Admin);
  • Enter the command chkdsk /f (there's a space between "chkdsk" and "/f") and press on Enter;
  • A message will be returned, stating that the drive cannot be locked because it's already in use, and you'll be asked if you want to schedule the scan for the next restart. Enter y and press on Enter;
  • Restart your computer, and the chkdsk scan will be launched automatically;
  • Once the chkdsk scan is complete and you're back in Windows, find the log in the Event Viewer and copy/paste it in your next reply;


WARNING: Depending on your hard drive (specs, free space, fragmentation, etc.) this scan can be relatively long to complete. Give it all the time it needs to finish. Do not interrupt it for any reason there is, or you might be damaging your drive in the process and make your Windows unbootable. It's suggested to let this scan run overnight or when you leave the house for a few hours (when you go to work for example). If you are running this scan on a laptop, don't forget to leave it plugged in;

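The last step above ("find the log in the Event Viewer") can be done from PowerShell instead of by clicking through the Event Viewer. The script below is an added example, not something from this thread or from any of the tools it mentions. It assumes a Windows host where the boot-time scan is logged in the Application log as event ID 1001 from the Wininit source (that is where Windows 7 and later record it, and to my knowledge Vista as well), and that it runs from an elevated prompt. When no such event exists it falls back to a constructed sample in the shape of a chkdsk report so the parsing part still runs. One caveat a practitioner should keep in mind: chkdsk /f only reports clusters already recorded in the $BadClus metadata file, so a report can say "found no problems" and still show a non-zero "KB in bad sectors" figure; a surface scan (/r) is what finds new ones, and a count that rises between runs is the real warning sign.

```powershell
# Added example (not from the thread): read the newest boot-time CHKDSK report
# from the Application event log and pull out the figures worth attention.
# Assumes Windows 7+ (Vista assumed) logging the report as Wininit event 1001,
# and an elevated PowerShell session.

function Get-LatestChkdskReport {
    # Newest matching event first; $null when no boot-time scan has been logged.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 1001
    } -MaxEvents 1 -ErrorAction SilentlyContinue
}

function ConvertFrom-ChkdskReport {
    param([Parameter(Mandatory)][string]$Text)
    $kb = @{}
    foreach ($line in $Text -split "`r?`n") {
        # Matches lines such as "        40 KB in bad sectors." or
        # " 460799999 KB total disk space." and keys them by their description.
        if ($line -match '^\s*(\d+)\s+KB\s+(.+?)\.?\s*$') {
            $kb[$Matches[2].Trim()] = [int64]$Matches[1]
        }
    }
    $bad = $kb['in bad sectors']
    [pscustomobject]@{
        BadSectorKB      = $bad
        TotalKB          = $kb['total disk space']
        ReportedProblems = ($Text -notmatch 'found no problems')
        # /f only counts clusters already in $BadClus; /r surface-scans for new
        # ones. A growing count across runs matters more than a single value.
        Verdict          = if ($bad -gt 0) { 'bad sectors recorded: check drive health (SMART, /r)' }
                           else { 'no bad sectors recorded' }
    }
}

# Constructed sample (assumption: shaped like the thread's log), used offline.
$sample = @'
Windows has checked the file system and found no problems.

 460799999 KB total disk space.
  30591704 KB in 82858 files.
        40 KB in bad sectors.
 429927864 KB available on disk.
'@

$event = Get-LatestChkdskReport
$text  = if ($event) { $event.Message } else { $sample }
ConvertFrom-ChkdskReport -Text $text | Format-List
```

Run it after the reboot that performed the scan; on the constructed sample it reports 40 KB in bad sectors with ReportedProblems set to False, which is exactly the combination that is easy to overlook when only reading the "found no problems" line.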

That's weird, yesterday it was all clear, today shows some odd readings. I have been doing a lot of scan disks to check and make sure all is ok and none have shown this till today. I marked the odd bits with +++ that I have never seen till today.

Thank you

Checking file system on C:
The type of the file system is NTFS.


A disk check has been scheduled.
Windows will now check the disk.
  114432 file records processed.
  558 large file records processed.
  0 bad file records processed.
  0 EA records processed.
  44 reparse records processed.
  147410 index entries processed.
  0 unindexed files processed.
  114432 security descriptors processed.
Cleaning up 96 unused index entries from index $SII of file 0x9.
+++ Cleaning up 96 unused index entries from index $SDH of file 0x9.
+++ Cleaning up 96 unused security descriptors.
  16490 data files processed.
CHKDSK is verifying Usn Journal...
  33981056 USN bytes processed.
Usn Journal verification completed.
Windows has checked the file system and found no problems.

 460799999 KB total disk space.
  30591704 KB in 82858 files.
     50504 KB in 16491 indexes.
 +++       40 KB in bad sectors. 
    229887 KB in use by the system.
     65536 KB occupied by the log file.
 429927864 KB available on disk.

      4096 bytes in each allocation unit.
 115199999 total allocation units on disk.
 107481966 allocation units available on disk.

Internal Info:
00 bf 01 00 21 84 01 00 94 c2 02 00 00 00 00 00  ....!...........
53 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00  S...,...........
42 00 00 00 a2 74 bd 77 60 4f 47 00 78 47 47 00  B....t.w`OG.xGG.

Windows has finished checking your disk.
Please wait while your computer restarts.


+++       40 KB in bad sectors. 

This could explain the error message you're getting on that machine at least.

I don't think your system is infected to be honest, though I'm sure since it's old, there's corruption or software conflict that create these errors. Apparently, Microsoft suggests running a Startup Repair to fix that issue, though I doubt it'll work. You can still give it a try.

https://technet.microsoft.com/en-us/library/cc734001(v=ws.10).aspx


No change at all in the results.

The thing that made me suspect something unscrupulous was the fact that both machines went on the same day, both became 100% unresponsive and have similar issues. I found those results very odd, that they both had the exact same issue in the event viewer as well. I would understand if just one went, but both with exactly the same issue seemed too rare an event; both using different AVs and only Malwarebytes in common and the OS seemed a tad too convenient.


So I just installed Malwarebytes on a fresh Windows Vista SP2 x86 install (inside a VM) and guess what? I'm getting the same error messages as you. The issue probably comes from Malwarebytes under Windows Vista SP2 x86 (and maybe x64). Looks like the issue really comes from the mwac.sys file too. I just uploaded it to VirusTotal.

https://virustotal.com/en/file/e95c8487127bb037665dba9d8d2d0dd49f13cf0a5390a2bc98595f859c44541d/analysis/1475343985/

It seems like the Malwarebytes Corporation certificate on it is expired (expired this summer, on June 20th), and it could be causing that error message.

@AdvancedSetup, @msherwood, @AlexSmith, can any of you look into it with the dev. team?

Edit: Point being, there might be something wrong with Malwarebytes under Windows Vista, and it's not something I can verify by myself sadly.

Edited by Aura
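Two of the diagnoses in this thread concern the state of kernel drivers on disk: the first post suspects alternate data streams (ADS) that COMODO attached to every driver, and the post above suspects an expired signing certificate on mwac.sys. Both are things a defender can inventory directly rather than guess at. The script below is an added example written for this thread; it is not code from Malwarebytes, COMODO or the forum. It assumes PowerShell 3.0 or later (Get-Item -Stream and Get-ChildItem -File need it, so it targets a newer host than the Vista machines in the thread) and an elevated prompt. One caveat worth knowing when reading its output: a signer certificate that is past its NotAfter date is not by itself a signature failure, because an Authenticode signature that carries a trusted timestamp countersignature remains valid after the certificate expires; Get-AuthenticodeSignature's Status column is the authoritative verdict, and the CertExpired column is only context.

```powershell
# Added example (not from the thread): inventory the drivers in System32\drivers,
# list any alternate data streams attached to them, and report each file's
# Authenticode status together with the signer certificate's expiry date.
# Assumes PowerShell 3.0+ and an elevated session.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

function Get-DriverStreams {
    param([Parameter(Mandatory)][string]$Path)
    # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { '{0} ({1} bytes)' -f $_.Stream, $_.Length }
}

function Get-DriverSignatureInfo {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File        = Split-Path $Path -Leaf
        Status      = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer      = if ($cert) { $cert.Subject }  else { $null }
        NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
        # Past NotAfter is context only: a timestamped signature stays valid.
        CertExpired = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
        Streams     = (Get-DriverStreams -Path $Path) -join '; '
    }
}

# Report only the drivers that deserve a second look: an ADS present, an
# expired signer certificate, or a signature status other than Valid.
Get-ChildItem -LiteralPath $driverDir -Filter *.sys -File |
    ForEach-Object { Get-DriverSignatureInfo -Path $_.FullName } |
    Where-Object { $_.Streams -or $_.CertExpired -or $_.Status -ne 'Valid' } |
    Sort-Object Status, File |
    Format-Table File, Status, CertExpired, NotAfter, Streams -AutoSize
```

Drop the Where-Object line to see every driver. Security products that mark files they have scanned commonly do so with a small named stream, so an ADS on its own is not evidence of tampering; the combination to escalate is an unexpected stream on a driver whose Status is not Valid.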

What do you mean by "go funny"? It might be a coincidence for all we know. It happens. You are using an old, outdated OS on old, outdated software, so these things can happen from time to time. Wouldn't be the first time I see that happen.


This topic is now closed to further replies.