|
|||||||
| Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
 |
|
|
Topic Tools |
|
#1
August 12th, 2009, 09:24 AM
|
||||
|
||||
|
System infected
Greetings,
My system got infected by some virus after running a suspicious file some days ago. HookShark showed over 400 hooks/memory patches. After successfully unhooking all malicious hooks/memory patches I started scanning with SUPERAntiSpyware and Malwarebytes' Anti-Malware. SAS detected some Trojan.Agent/Gen and a Trojan.Agent/Gen-SDRA, MAM detected some Trojans and Backdoor.Bot in the registry. Malwarebytes' Anti-Malware log: Quote:
SUPERAntiSpyware log: Quote:
-Avast 4.8 Professional didn't find anything at all. SAS and MAM managed to remove most of the virus but unfortunately HookShark still keeps showing 2 malicious hooks/memory patches every time I boot my system. I conclude that there still must be some malicious code being executed on system start up. Malicious hooks/memory patches detected by HookShark: Quote:
Determined that there must be some malicious code being executed on system start up I ran a HijackThis scan. HijackThis log: Quote:
Can you find anything suspicious in the HijackThis log? Thanks in advance, Yuri. 
|
|
#2
August 15th, 2009, 12:44 AM
|
||||
|
||||
|
Do you still need help Yuri? If so, I need to see some comprehensive logs. Before you provide them, you need to know that I have made a personal decision not to help anyone who has peer to peer software installed on their computers (and this includes Bit Torrent software) so if you still want my help, please uninstall any such programs now and reboot.
Go here and download DDS to your Desktop and doubleclick on DDs.scr to run it. If your security software includes script blocking features, please disable these before you run this utility. When the scan has finished, two logs will open. Copy and paste both reports in this topic. The logs will be reasonably large so you may have to divide them into sections and make several posts to post them. Please do not run any programs other than those that I suggest or install any new software while I am helping you.
|
|
#3
August 16th, 2009, 06:08 PM
|
|||
|
|||
|
Thanks for taking time to help me, AnnMarie.
As you requested I have uninstalled both uTorrent and SoulSeek, as far as I know the only peer to peer software on my system. Here are the logs from D.D.S. (DOS.txt): Quote:
|
|
#4
August 16th, 2009, 06:09 PM
|
|||
|
|||
|
And here is Attach.txt:
Quote:
|
|
#5
August 17th, 2009, 12:50 AM
|
||||
|
||||
|
Hi Yuri. Windows File Protection has been disabled so we will need to fix that and it looks like System Restore is no longer running. Can you please check that. Also did you put all of the below policies in place?
Quote:
Drivers Files Processes SSDT Stealth Objects Hidden Services You will then be asked which drive to scan. Check C: (or the drive your operating system is installed on if not C) and click Ok again. The scan will start. It will take a little while so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there). When you have done this, please copy and paste it in this thread. Just out of curiosity, did your problems co-incide with the installation of ASProtect SKE 2.5 Demo?
|
|
#6
August 17th, 2009, 10:08 PM
|
|||
|
|||
|
Quote:
But the disk space to use for the C: drive shows 0% and the G: drive shows 12%. Quote:
Quote:
It did not change anything to my current situation and my problems already consisted before installing ASProtect. I tried to scan with RootRepeal multiple times but every time it scans for files on the C: drive my entire system freezes completely and the only thing RootRepeal displays on the Files tab is "Initializing, please wait...".
|
|
#7
August 17th, 2009, 10:26 PM
|
||||
|
||||
|
Ok, we will try another rootkit detector. Please reboot before running it. Download a randomly named version of Gmer from here to your Desktop. Once downloaded, doubleclick on downloaded file and unzip it to its own folder
When you have done this, close all running programs including those in your notification area (bottom righthand corner of your screen) and doubleclick on extracted.exe to run it. Click on the Rootkit tab and look at the righthand side (under Files) and uncheck all drives with the exception of your C drive and then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Save the file and copy the information and post it here please. Warning! Please do not select the "Show all" checkbox during the scan I'll address your other issues once I have a full picture of your situation.
|
|
#8
August 18th, 2009, 07:12 AM
|
|||
|
|||
|
GMER scan log:
Quote:
Last edited by Yuri; August 18th, 2009 at 07:16 AM.
|
|
#9
August 18th, 2009, 09:02 AM
|
||||
|
||||
|
That log is fine. Daemon Tools and your antivirus software are responsible for the rootkit like activity and hooks you have observed.
We will do some repairs shortly but first, I want to be sure that MBAM got rid of all malware. Download the latest version of Combofix.exe from here and save it to your Desktop. Doubleclick on combofix.exe and the scan will start (go ahead and install the Recovery Console if you are asked to do so). When the scan completes, a text window with your log will open. Please copy and paste that log back here. A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. NB Please disable your antivirus program as it may interfere with ComboFix's routines.
|
|
#10
August 18th, 2009, 09:42 AM
|
|||
|
|||
|
Quote:
Also spze.sys and ap2lvsy8.SYS look quite suspicious, they have different file names every time I boot my system. ComboFix scan log: (It did install Recovery Console before scanning) Quote:
|
|
#11
August 18th, 2009, 09:43 AM
|
|||
|
|||
|
ComboFix scan log part two:
Quote:
I also noticed that my default browser was changed to Internet Explorer after running ComboFix. Last edited by Yuri; August 18th, 2009 at 09:47 AM.
|
|
#12
August 18th, 2009, 11:01 PM
|
||||
|
||||
|
Quote:
Quote:
Combofix removed two malware files and has reported missing Windows files and there may be others missing that Combofix hasnt detected. A sig check of two files is also required. Yuri, there are missing files, registry entries have been added to compromise the security of computer and that is only what we can see. This may be the tip of the iceberg and I have no way of knowing the full extent of the damage. Personally, I would backup and reformat if this was my machine but it's up to you. Let me know what you want to do.
|
|
| Bookmarks |
«
Previous Topic
|
Next Topic
»
|
|
Similar Topics
|
||||
| Topic | Topic Starter | Forum | Replies | Last Post |
| System error Your system has been infected | gclehman | Malware Removal | 11 | September 9th, 2008 04:39 AM |
| System Infected | matteey | Malware Removal | 23 | May 24th, 2007 03:06 AM |
| HJT Log System Infected Please HELP | PAUL99TMD | Malware Removal | 1 | March 14th, 2007 01:22 AM |
| My system is infected! The whole system is crashing! | bravesirrobin12 | Malware Removal | 1 | January 20th, 2006 07:24 AM |
| Infected XP System | r.mccullough | Malware Removal | 10 | July 5th, 2005 12:02 PM |
All times are GMT +1. The time now is 08:46 AM.