Hi - need a little Malware advice please :)

Sandman70 · May 1, 2010

Hey folks - Sandi & kinda new around here - I Have half of a Windows 7 (64bit) OS, so suspect I may become a fairly regular visitor to the Windows 7 area (since I spent the last 5 weeks chasing my tail removing Badware from this infernal machine - now I have a list of driver and app compatability issues to contend with!) :huh: Nevermind, sure I'll get there - but it's not actually my Laptop I'm here about today...

~~~~

I mentioned 'badware' - What started out yesterday as an excercise in trying to speed up and reduce a friends painfully long lap-top re-start time :zip:

got me a little worried and my concience has bought me here in search of a little assistance. Would like to ensure we're not re-infecting each other after seeing (what looks to me like) an awful lot of 'Groovey' thingys going on, would like a 2nd opinion. (my browser is being an Ass again today and I'm struggling to get to any of the trusted malware helpsites i have used in the past) guess I'm not out the woods yet

His system - Vista home prem 32bit on a Toshiba Satelite laptop, unsure of exact spec, pretty sure it's a 2gig pentium duel core with 2gig of installed RAM

Although he's not currently having any major hassles with it, it's slow, gets a little overheated - a fair amount of petty glitchy things going on - and the re-boot time is painful! Managed to get several things disabled from running at start yesterday and removed some superfluous software installations - no problems, in fact there wasn't much left checked at all in msconfig list by time we finished - so was rather surprised by the volume of things Silent runners found afterwards.

- my reasons for worrying -

Norton had quarantined a file a long ago, which was apparently 'allowed' to run at start - I wasn't aware at 1st, so got him to run the Norton removal tool after spying a little Norton/Symantic residue. I would assume the tool should have removed the vault and the file too? Or no, maybe it was unable? Well anyway it was 'VMware - Virus Trigger'? something like that - none of the listed known registry entries associated with that malware were present so went ahead and deleted the file - all good, although his laptop did abruptly re-boot - I read somewhere that usually comes bundled with other things - I'm unsure exactly what Norton found back then.

Other concerns - unknowly had defender running alongside AVG for ... erm ... unknown amount of time. Not sure, but when I was running AVG free - was given the immpression that isn't wise? and AVG auto switches that off? So he's potentially had compromised AV protection?

He wasn't able to download HJT for a while system wouldn't allow it, even with re-naming - pointed him to a standalone downloader link and we got in the end.

Live messenger (Grrr) - advised him a link to Bleeping Computers site I sent was a reported attack site :sarc:

and a couple of times Windows Live crashed (both ends mine & his but not simultaneous) when I attempted sending links to MW resources and MW removal info - don't think that can be a good sign ... ? Windows live sharing folder WAS resposible for some of my laptop issues...

'Groove monitor' ? I am aware there's a valid reason for that with MSO installed - but sooo many instances of running thingys?? Erm yer, well spotted .. I'm hoping to get his office software removed and replaced, as soon as I'm sure it's safe to do so - Along with IE browser probably, I also think a fresh AVG and Windows Live install wouldn't go amiss? Please feel free to tell me if I'm being paranoid - my laptop has made me that way lately - yes I am aware :geek:

I have nothing to loose on my laptop for now - yet another new install is no bother for me, but he has months of Uni work and stuff I'd prefer he didn't loose on account of something I may have given him :cry:

Attached silent runners and HJT log if anyone 'in the know' could please take a look and see for me and maybe offer a little guidance?

Thanks in advance
Sandi

mitchell · May 2, 2010

Hallo Sandman, i was hoping someone else would pick up on this as i do not know how to interpret HJT logs :confused:

Cross contamination is an issue via removable media & email also any system restore points created while infected can reinfect if you restore to them.

All i can suggest is cleanse both machines independently rather than me doing a whole lot of key tapping have a look through this old thread as a general guide;

http://www.vistax64.com/system-security/270516-malware-files-will-not-removed.html

As far as performance you may like this tutorial;

http://www.vistax64.com/tutorials/81176-speed-up-performance-vista.html

I hope this gives you something to work with

niemiro · May 3, 2010

Hello,

Your HiJackThis log shows nothing particularly nasty. There are however a few empty entries that should be removed. This is just housework and does not indicate the presence of a virus. Please download the latest version of HiJackThis (you are using 2.0.2 and the latest is 2.0.4) and run a scan without generating a log file. Carefully put a check next to the following entries and click "Fix Checked".

Code:

O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?DK (file missing)

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: TOSHIBA Bluetooth Service - Unknown owner - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (file missing)

Please then immediately restart your computer. If any of these entries reappear, just ignore them, this is normal. I will have a look at your Silent Runners log when I get round to it.

Richard

niemiro · May 3, 2010

Hello,

There are three more things you should do on both computers. Please make sure that I know which logs came from the same computer, and that you know which logs come from which computer.

Please press the Windows Key + R to open the Run dialogue. Type cmd and press enter. In Prompt, type "ipconfig /flushdns" without the quotes, noting the space. Press enter and make sure that the DNS flushes correctly. Immediately reboot your computer.

NOTE: This was not originally written by me, but still applies.

Download GMER Antirootkit from here.
Mirror location: here. This version will download a zip. If you use this mirror, please unzip it to a folder that you create such as C:\Gmer\.

Disconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. a1afk10a.exe) and allow the gmer.sys driver to load if asked.
For mirror version, double-click Gmer.exe to run the program.
When the program opens, click the ">>>" Tab
Click the "Rootkit/Malware" Tab.
Select all drives that are connected to your system to be scanned.
Click the Scan button.
When the scan is finished, click Copy to save the scan log to the Windows clipboard.
Open Notepad or a similar text editor.
Paste the clipboard contents into a text file by clicking Edit -> Paste or Ctrl + V
Save the gmer scan log to your desktop.
Close Gmer.

Download RSIT by random/random from here and save it to your desktop.
* Double click on RSIT.exe to run RSIT.
* Click Continue at the disclaimer screen.
* Once it has finished, two logs will open. If it does not automatically open, then these logs can be found at %systemdrive%\rsit folder (typically C:\rsit)

Post back with GMER log + both RSIT logs. Post each log in separate post, or ideally upload them rather than posting them in-line.

Thanks!

Richard

niemiro · May 3, 2010

Hello,

Have looked at your Silent Runners log. One interesting thing has popped up.

Here is a reason why he might have a virus. You need to find out if it worked, because one of these things that I can't mention not executing an installer etc. means that a virus has just been installed (and usually a very nasty one at that)

Code:

{64A1D39C-8140-42E5-8234-14C0B92AD16E}" ->  launches: "C:\Windows\system32\pcalua.exe -a "C:\Users\Jens\Desktop\Programmer\HyperCam ver. 2.14.01 all laguages plus cracks(w___olf.inc)\english\HC2Setup.exe" -d "C:\Users\Jens\Desktop\Programmer\HyperCam ver. 2.14.01 all laguages plus cracks(w___olf.inc)\english"" [MS]

Please scan that file (HC2Setup.exe NOT pcalua.exe) with VirusTotal - Free Online Virus and Malware Scan and tell me if anything shows up.

Richard

l)ark_Scorpion · May 5, 2010

Malwarebytes, Microsoft Security Essentials, and PC Tools Firewall is all you need

Sandman70 · May 16, 2010

Thank you all for replying. Apologies for the delay getting back here, not total ignorance, a few hours later everything went very wrong again with my laptop. Think I'm sorted now though *stable laptop since the 12th *touches wood* plucked up the courage to get it online yesterday and so far so good!!

*stable - provided I dont need the soundcard & wlan card to work at the same time AND expect my battery to charge. I found out the hard way that my ac adapter was doing Jack....! :mad:

Nevermind it's working right now, I'll sort it - another time - had enough fixing this thing for now - I have surfing, games and a rather fine new os to catch up with!

......

Snow(conFed) Thank you - Sound advice, much appreciated

Have been using Security Essentials for a while. I think it's great and very unobtrusive. Seems to be working well with new 64bit OS too, so will continue to use - Malwarebytes is probably the only other malware software I've ever actually installed - Never really had any virus/malware problems until this recent issue, and from reading around the net, a lot of which possibly self inflicted, my bad :huh:

Not tried the PCtools firewall, I'll check it out. Am a bit naïve about these matters - Should I use that in prefererance to the MS wall? I am behind a router at home, configured to ignore pings, disabled upnp etc and of course I TRY to practice 'safe-surf'.

Was hoping that the wall bundled with Win7 would suffice - maybe not? Although I don't want overkill and potentially make problems with software the whole time. My recent Malware research seems to indicate Windows 7 is a bit 'holey' and hackable? You Tube is bursting at the seems with Windows 7 hacks in fact :confused:

Guess I should up the ante with net protection, not sure what's best for me really. Java plug-ins and such are a necessary evil for me, but I'm told they can be exploited easily? Will a firewall prevent those kind of things?

Neimero
Very much appreciate you taking a look at that for me

Found a bit more out about the software there, knowing him as I do - was surprised to see myself, student-ness and Internet security ignorance to blame me finks.... the group he studies with use VMware to 'share' at Uni - the file Norton had quarantined was called 'VMware' total guess, but I would imagine that means the VMware is also :zip:

... and Norton found the crack as a virus?

Time difference means I'll have to him to run gmer later today or as soon poss this week, will get a log posted soonest - and make sure those empty entries get tidied up too. Thanks once again for your time.

And thanks too to mitchell for the links and info - will look at those further right now.

Sandi

niemiro · May 17, 2010

Hello,

Do not worry about your late reply, and thanks for giving us such a good update. The experts do agree that you should avoid the Windows Firewall, however, due to its convenience (exceptions ae easy to add, installers often add them anyway, and the Unblock/Block window is really useful) I always use it. I have been very happy with it and have only had one massive virus (and no other viruses have even disturbed me) With a good router, antivirus, and a bit of sense, I am very happy to use this very convenient Firewall, but be aware that it is not quite as good (apparently) It is your choice. Its main fall down point is all the exceptions that have been created and its hackability, viruses can get through most Firewalls on http://.

When it comes to cracks, be very careful. A lot of them contain very nasty viruses. Also note that they are illegal and this forum does not endorse them in any way. Anyone admitting the use of, asking for, or publishing cracks will be banned permanently. Some things you should be aware of:

If the crack comes out to be less than 1 megabyte, it is almost certainly a virus (and a very nasty one at that)
If a website is offering you a "Full Version", a "Fast Version", a "Full Speed" version etc. and they all come out to less than 1 megabyte, they are all a virus and should be deleted immediately. In particular if they are all exactly the same size.
Any crack without an icon is quite possibly a virus.
If you run a crack and nothing happens, a virus has just been installed

As I have said earlier, they are illegal and should not be used (and even cracks that work sometimes have viruses in them)

I would assume you are right that VMWare is a virus in this case and I will do my best to help you to remove it.

Richard

Sandman70 · May 17, 2010

Am no angel :devil:

but rest assured it's been many years, and several computers since I had any illegal software. Had routers for like 7 years now, never could get my head around the port forwarding etc - so I'm a very good girl these days - no worries - recent hours of trawling forums for advise about malware has opened my eyes A LOT - seems nobody's really 100% safe from online nastys nowadays

The last 10 weeks - I have had trojans, many! Only Microsoft software has been able to tell me about - Onecare Scan was the 1st to detect anything, ran it overnight - half acknowledged the message in the morning saying I had a 'win32.agent' - ASSUMED it had cleaned it, turned laptop off, went to work and forgot about it ..... been removing - re-formatting and re-installing ever since...

Guess my AV got broke somehow, it was finding bad stuff, it just never told me :confused:

What can you do if you can't rely on your software to let you know? How do I keep getting re-infected in spite of trying some of the most sopsticated AV software recently to try and stop this damn thing - it's cost me a fortune!

Suspected Windows Live is the culprit since I found (see attached) Hate the thing - meh, if 80% of my friends and family weren't overseas, I would NEVER install that software again. Although I suspect Jens never obtained any of the software himself - doubt he would even know how to - I have suspected a connection somehow almost since day 1.

the only other way I can think of would be *shudders* the terminal server at work, eek? I used to regularly use RD to work at home evenings........

I'll get those scans run on my laptop as soon as I get 5 mins - and try to get hold of Jens, I'll be very certain to keep things seperate too and let you know what's what.

Again, thanks for your time

ps. attachment's a .jpg - took a screenshot of one particular file I found hidden a few formats back...was mostly encrypted, at least any useful info was - I removed all those bits to try and see between the lines. Onecare appeared to do nothing but freeze everything.

Ok - never mind the attachment *sigh* that button stopped working for me now

hmm I'll think on another way...[EDIT] Nevermind - re-start fixed my screen.

niemiro · May 17, 2010

Don't worry. It was to protect me (I do not endorse cracks in any way) than to be constructive.

Richard

Sandman70 · May 17, 2010

My laptop

ok - Flushdns - confirmed that was sucessfull

Re-booted and ran GMER - didn't go well (attached: gmerwarnings) ran program compatibility It did run eventually in XP (SP2) mode though and produced a report (of sorts) also attached.

RSIT - fail fail fail fail fail - didn't work in any mode (attached: rsitwarnings)

My screen has been acting strange again today, 1st I noticed was the button before. Had that often lately with buttons, even swapped mouse it got so bad at one point, wasnt mouse.

Virus total found no problem with the Hcfile - apparently it installed ok, but is very bugged, wont handle files over a certain size or something, crashes. I'll attempt getting some logs from over there shortly.

niemiro · May 17, 2010

Hello,

I am getting a bit out of my depth here. I will do my best, and will analyse any logs you can get, but I have no qualifications in malware removal. What I would strongly recommend is copying those excellent descriptions and any logs to a special malware removal forum. I have one good recommendation: Index page | My Antispyware Forums

The admin of this website @patric has a degree in malware removal and is truly incredible. I have worked with him several times before, and I can guarantee that he will be able to solve your problems. Be aware that due to the complexity and length of the answers, and his very, very tight work schedule, that it may take up to 24 hours to get a reply from him each time, but be patient. If you can copy in your first question everything you have told me, then he will not have to prompt for it and he will be able to quickly and easily get an answer to your problems.

Also, do include all logs including HiJackThis and silent runners, because I may have missed something and he will need to see them. Ideally get new copies of these logs.

Sorry I was not of more help

Richard

Sandman70 · May 17, 2010

No problem at all - I appreciate you taking a look for me

I'll try the other place, I had problems navigating to a couple of malware forums before, but 2 of my browsers at least seem ok for now - so thank you also for the referral.

Attempting to run gmer & rsit right now on the other laptop - hopefully he'll have more luck than me, you wanted me to post those logs here still then? Or should I just wait to hear from Malware place?

It would be ok to link to this thread on that forum I assume?

many thanks again

[edit] wont be any logs forthcoming from DK so ignore previous question :P gmer BSOD'd the machine, twice - so erm .....

niemiro · May 18, 2010

Sorry again about that. There is no need to post any logs here, but what I meant was that if you had any questions, you may of course still ask me and I will do my best. You may of course link, bit it may be easier for @patric for you to just copy the descriptions.

Sorry again,

Richard

Hi - need a little Malware advice please :)

New Member

Attachments

My Computer

Ngai Tahu/Tau Iwi

My Computer

Banned

My Computer

Banned

My Computer

Banned

My Computer

Real SN AT99Scorpion

My Computer

New Member

My Computer

Banned

My Computer

New Member

Attachments

My Computer

Banned

My Computer

New Member

Attachments

My Computer

Banned

My Computer

New Member

My Computer

Banned

My Computer