Infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by speedygonzales, Jan 31, 2011.

  1. speedygonzales

    speedygonzales Private E-2

    I am having an array of problems that I cannot easily track to the source, as this is a windows installation that I've gradually updated over time, etc.

    Some things I've noticed:

    - excessive hard drive activity
    - suspicious processes
    - windows becoming active/inactive
    - Windows key and Ctrl+Esc sometimes fail to trigger the Start menu
    - Pidgin seemed to open on its own (I deleted Pidgin then)
    - conhost.exe open sometimes (i.e. I think someone is logged on, etc.)

    Note that I can't run RootRepeal because I'm on Win 7 64-bit

    I have followed the 'read this first' removal instructions *very* carefully--please let me know what I should do next :)
     

    Attached Files:

  2. speedygonzales

    speedygonzales Private E-2

    Oh, and also, it looks like the infection was interfering with .ppt files but only along some routes--here's a message I already sent Kaspersky (my regular virus scanner) about it:

    "There is a ppt file that when I "open" it in Firefox I'm fine, but when I "save" it in Firefox, and then open it, I receive "PowerPoint found an error that it can't correct. You should save presentations, quit, and then restart PowerPoint." The problem file is around 2kb larger so I suspect a virus has edited it, although Kaspersky catches nothing!"
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please also attach the C:\MGlogs.zip and then I can begin to review logs.
     
  4. speedygonzales

    speedygonzales Private E-2

    Oops, my mistake--here it is as well
     

    Attached Files:

  5. speedygonzales

    speedygonzales Private E-2

    Oh, some other things

    - there is some 'unpartitioned space' that I didn't expect to see in Drive Management.
    - services.exe seems to launch most of the 'bad' processes, based on what I see in Process Explorer
    - services.exe is visible in the system32 folder of Windows, but without a proper icon
    - when I try to upload the file to VirusTotal, neither Firefox nor IE sees any services.exe in windows\system32
    - I copied services.exe to the desktop, and then Firefox can see it to upload it, but the result comes out clean on VirusTotal:

    http://www.virustotal.com/file-scan...4978d6ee3db52388d885f668cf42c5e7e2-1296529246


    So it looks like something is slipping a fake file in place of services.exe for execution, but passing a 'good' file for copying--hopefully someone knows the mechanism by which that would happen.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Java(TM) 6 Update 22 <--- Uninstall outdated Java

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Fcopy::
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe | C:\Windows\system32\services.exe
    C:\Windows\winsxs\wow64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5a78515e29ea6f39\regedit.exe | c:\windows\regedit.exe
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

    What are you using for antivirus?
     
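The thread's suspicion is that the services.exe being executed is not the one on disk, and the CFScript above restores services.exe from the WinSxS component store. The following read-only check is an added example, not code from the thread, from ComboFix or from MajorGeeks: it hashes C:\Windows\System32\services.exe and compares it with the component-store copies the Fcopy:: line restores from, reads the Authenticode signature, and inspects the running services.exe instance (its image path, its parent, and any child processes whose image is not under System32). The function names are mine; the winsxs directory pattern is taken from the CFScript but matched with a wildcard because the suffix varies by build; and it assumes it is run from an elevated 64-bit PowerShell on Windows 7 x64, because a 32-bit process browsing System32 is redirected by WOW64 to SysWOW64 and does not see the 64-bit files.

```powershell
# Added example (not from the thread or from ComboFix): read-only integrity check of
# services.exe on Windows 7 x64. Run from an elevated 64-bit PowerShell (the plain
# "Windows PowerShell" shortcut, not the (x86) one) so WOW64 redirection does not
# hide the real System32 contents. Written to stay compatible with PowerShell 2.0.

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing is used because PowerShell 2.0 has no Get-FileHash cmdlet.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-ServicesExeReport {
    $sys32  = Join-Path $env:SystemRoot 'System32\services.exe'
    $winsxs = Join-Path $env:SystemRoot 'winsxs'

    # 1. Component-store copies: the known-good files the CFScript's Fcopy:: line restores
    #    from. The directory name suffix depends on the build, hence the wildcard.
    $storeCopies = @(Get-ChildItem $winsxs -Filter 'amd64_microsoft-windows-s..s-servicecontroller_*' |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Get-ChildItem $_.FullName -Filter 'services.exe' })

    $liveHash = Get-Sha256Hex $sys32
    $liveSize = (Get-Item $sys32).Length
    $storeMatches = @($storeCopies | Where-Object { (Get-Sha256Hex $_.FullName) -eq $liveHash })

    # 2. Authenticode. Most Windows binaries are catalog-signed rather than embedded-signed,
    #    and PowerShell before 5.1 reports those as NotSigned, so NotSigned on its own is
    #    not evidence of tampering; the hash match against the store is the primary signal.
    $sig = Get-AuthenticodeSignature $sys32

    # 3. Running instance(s): there should be exactly one, its image path should be the
    #    System32 file, and its parent should be wininit.exe.
    $procs = @(Get-WmiObject Win32_Process -Filter "Name='services.exe'")
    $rows = foreach ($p in $procs) {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        # 4. Children of services.exe: service processes normally run from System32.
        #    Anything else deserves a closer look (the poster saw 'bad' processes here).
        $oddChildren = @(Get-WmiObject Win32_Process -Filter "ParentProcessId=$($p.ProcessId)" |
            Where-Object { $_.ExecutablePath -and $_.ExecutablePath -notlike "$env:SystemRoot\System32\*" } |
            Select-Object -ExpandProperty ExecutablePath)
        New-Object PSObject -Property @{
            Pid         = $p.ProcessId
            ImagePath   = $p.ExecutablePath
            ParentName  = $(if ($parent) { $parent.Name } else { '<none>' })
            OddChildren = $oddChildren
        }
    }

    New-Object PSObject -Property @{
        System32Path     = $sys32
        System32Sha256   = $liveHash
        System32Bytes    = $liveSize
        StoreCopiesFound = $storeCopies.Count
        MatchesStoreCopy = ($storeMatches.Count -gt 0)
        SignatureStatus  = $sig.Status
        Signer           = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' })
        RunningInstances = $rows
    }
}

$report = Get-ServicesExeReport
$report | Format-List
$report.RunningInstances | Format-List
```

What to look for: MatchesStoreCopy should be True (the System32 file is byte-identical to a component-store copy), there should be one running instance whose ImagePath is the System32 file and whose ParentName is wininit.exe, and OddChildren should be empty or contain only services you recognise. A hash mismatch against every store copy, a second services.exe instance, or an image path outside System32 is the kind of finding to bring to the helper along with the logs rather than act on directly; the script changes nothing on disk.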
