
Malware changing my files (permission, etc.)


Malware symptoms I have noticed thus far:

Blocks access to anything that scans for it, including Internet Explorer (I tried to run a Microsoft scan)

Blocked access to regedit

Takes my browsers to random websites when I click on links

Many popups on my desktop for fake anti-virus software

I prevented startup item "braviax," and it has blocked most of the popups that I would get on my desktop. Also, I deleted several Antispyware 2010 files that I found on my computer.

Whenever I run MBAM, regardless of its name, the scan quits after a couple of seconds and the MBAM.exe (or other name) is changed so that I cannot execute it again. This message displays: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I have the same problem with HijackThis.

Any help would be much appreciated.


Hi,

Download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.


I ran DDS, but it stayed open only long enough to display some text (a couple seconds) before shutting down. I gave it some time in case something new would occur. I then restarted my computer, but the same thing kept happening on subsequent attempts.


Hi,

Please update MBAM, run a Quick Scan, and post its log.

Then, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.

-screen317


My computer downloaded a new program on its own called Total Security Version 4.52. This is preventing me from opening several things, including mbam.


I was able to get it going in Safe Mode.

Neither DDS report minimized, but I think this is the one you want. If I guessed incorrectly, please let me know so that I may post the appropriate one. Also, I only ran the scan for MBAM. I did not want to remove anything until you gave it the green light.

mbam_log_2009_09_07__14_26_40_.txt

DDS.txt


Hi,

Your MBAM log indicates that no action was taken.

Please update MBAM, run another Quick Scan, remove everything found, and post its log.

After that, please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Run it and post its log.

-screen317


Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=23625
Collect::
c:\program files\Common Files\osiwixabag.lib

Save this as CFScript.txt

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Residual effects from the malware made my current version of IE inoperable. So I installed the newest version before following your most recent instructions. Microsoft required me to run a FixIt program that reset all the Windows security settings to their defaults.

I was able to run the CF script without a problem.

The F-Secure scan downloaded the files for a full scan, but gave me this error message before actually scanning: "An engine or a database file is corrupted. Restart F-Secure Online Scanner 4.1. If this error repeats, contact the support (error id: 14)." On further attempts, this error message appeared before downloading the scan files (perhaps those files remained from the first download?). I could not find any information about this error code on their website.

I continued with the Security Check even though the F-Secure scan did not work.

Other than the F-Secure scan not working, I have not been able to identify any continuing problems.

CF_log.txt

checkup.txt


I was able to get the F-Secure scan to work. The results are below:

11 malware found

TrackingCookie.2o7 (spyware)

* System (Disinfected)

TrackingCookie.Advertising (spyware)

* System (Disinfected)

TrackingCookie.Atdmt (spyware)

* System (Disinfected)

TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

TrackingCookie.Webtrends (spyware)

* System (Disinfected)

TrackingCookie.Mediaplex (spyware)

* System (Disinfected)

TrackingCookie.Tradedoubler (spyware)

* System (Disinfected)

TrackingCookie.Statcounter (spyware)

* System (Disinfected)

TrackingCookie.Atwola (spyware)

* System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

* System (Disinfected)

TrackingCookie.Imrworldwide (spyware)

* System (Disinfected)

Statistics

Scanned:

* Files: 39597

* System: 3312

* Not scanned: 6

Actions:

* Disinfected: 11

* Renamed: 0

* Deleted: 0

* Not cleaned: 0

* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS

* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

* C:\WINDOWS\SYSTEM32\CONFIG\SAM

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
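As an added example that is not part of the thread, here is a small Python parser for the F-Secure Online Scanner report layout shown above, written so a helper can confirm from the pasted text that every detection was actually cleaned and see which files the scanner skipped. The report text inside it is a constructed sample in the same layout, not the poster's real results.

```python
import re

# Constructed sample in the layout of the report pasted in the thread.
SAMPLE_REPORT = """\
2 malware found
TrackingCookie.2o7 (spyware)
* System (Disinfected)
Trojan.Example (virus)
* C:\\WINDOWS\\TEMP\\EXAMPLE.EXE (Not cleaned)
Statistics
Scanned:
* Files: 39597
* Not scanned: 2
Actions:
* Disinfected: 1
* Not cleaned: 1
Files not scanned:
* C:\\PAGEFILE.SYS
* C:\\WINDOWS\\SYSTEM32\\CONFIG\\SAM
"""

DETECTION_RE = re.compile(r"^(\S+) \((\w+)\)$")       # "Name (type)"
ITEM_RE = re.compile(r"^\* (.+?) \(([^()]+)\)$")      # "* location (action)"
STAT_RE = re.compile(r"^\* ([A-Za-z ]+): (\d+)$")     # "* Label: count"
CLEANED = {"Disinfected", "Deleted", "Renamed"}      # actions that removed the item

def parse_report(text):
    """Split an F-Secure Online Scanner report into detections, stats and skipped files."""
    report = {"detections": [], "stats": {}, "not_scanned": []}
    section, current = "detections", None
    for line in (l.strip() for l in text.splitlines()):
        if line == "Statistics":
            section = "stats"
        elif line == "Files not scanned:":
            section = "not_scanned"
        elif section == "detections" and (m := DETECTION_RE.match(line)):
            current = {"name": m.group(1), "type": m.group(2), "items": []}
            report["detections"].append(current)
        elif section == "detections" and current and (m := ITEM_RE.match(line)):
            current["items"].append((m.group(1), m.group(2)))
        elif section == "stats" and (m := STAT_RE.match(line)):
            report["stats"][m.group(1)] = int(m.group(2))
        elif section == "not_scanned" and line.startswith("* "):
            report["not_scanned"].append(line[2:])
    return report

def uncleaned(report):
    """Return (name, location) pairs the scanner found but did not clean."""
    return [(d["name"], loc) for d in report["detections"]
            for loc, action in d["items"] if action not in CLEANED]
```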


Hi,

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

Your antivirus is out of date and not doing a good job of protecting you.

Navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Adobe Reader 7.0.8

SBC (or AT&T or Yahoo!) Antivirus

Restart your computer.

Get the latest version of Java and Adobe Reader.

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

avast!

AntiVir

AVG

Restart your computer and let me know what issues remain.

-screen317


Great to hear!

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Kerio

Comodo

Outpost

2) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

3) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

6) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

7) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.
