USB Malware Creating Malware + other malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by barts0924, Oct 4, 2014.

  1. barts0924

    barts0924 Private E-2

    Hi.

    I'm helping a friend on her computer.

    And I noticed that in normal mode there are a lot of rundll.exe instances present in Task Manager, two csrss processes running, some browser issues, and malware that turns all the content of USB storage devices into shortcuts and puts the files in a hidden system folder.

    Also, I forgot to close the TDSSKiller window when I opened RogueKiller.

    Best regards.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode.


    Ask Toolbar <<< Uninstall this.




    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate this detection:

    • [PUM.SearchPage] HKEY_USERS\S-1-5-21-156910536-2921228982-575137410-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://search.searchamong.com/searchview.php?source=64020400f00960c0ef04052547b134b3&query={searchTerms}&cat=webs&bar=true -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    ...and the same for these entries on the Web Browsers tab.

    • [PUP][FIREFX:Addon] 0oc9jwrk.default : [toolbar@ask.com] -> FOUND
    • [PUP][FIREFX:Addon] 0oc9jwrk.default : Funmoods New Tab [{5ebdca98-43b3-45bb-87e0-716029fb42ab}] -> FOUND
    • [PUP][FIREFX:Addon] 0oc9jwrk.default : 7Go [7go@7go.com] -> FOUND
    • [PUP][FIREFX:Addon] 0oc9jwrk.default : Speed Analysis 3 [speedanalysis03@SpeedAnalysis.com] -> FOUND
    • [PUM.HomePage][FIREFX:Config] 0oc9jwrk.default : user_pref("browser.startup.homepage", "http://search.babylon.com/?babsrc=HP_ss_wls&mntrId=4E5A929FFA211ADA&affID=119523&tsp=5005"); -> FOUND
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.



    Re run Hitman Pro and have it remove all that it finds except for your bible movie entries.



    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.searchamong.com/searchview.php?source=64020400f00960c0ef04052547b134b3&query={searchTerms}&cat=webs&bar=true
    • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.searchamong.com/searchview.php?source=64020400f00960c0ef04052547b134b3&query={searchTerms}&cat=webs&bar=true
    • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://search.searchamong.com/searchview.php?source=64020400f00960c0ef04052547b134b3&query={searchTerms}&cat=webs&bar=true
    • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.searchamong.com/searchview.php?source=64020400f00960c0ef04052547b134b3&query={searchTerms}&cat=webs&bar=true
    • R3 - URLSearchHook: SearchHook Class - {D8278076-BC68-4484-9233-6E7F1628B56C} - "C:\Program Files\AskPartnerNetwork\Toolbar\searchhook.dll" (file missing)
    • O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    • O2 - BHO: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
    • O2 - BHO: Avira SearchFree Toolbar plus Web Protection BHO - {41564952-412D-5637-00A7-7A786E7484D7} - "C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll" (file missing)
    • O2 - BHO: HelloWorldBHO - {7825CFB6-490A-436B-9F26-4A7B5CFC01A9} - (no file)
    • O3 - Toolbar: Avira SearchFree Toolbar plus Web Protection - {41564952-412D-5637-00A7-7A786E7484D7} - "C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll" (file missing)
    • O4 - HKLM\..\Run: [msgbox] wscript.exe //B "C:\Users\Fely\AppData\Local\Temp\msgbox.vbe"
    • O4 - HKCU\..\Run: [msgbox] wscript.exe //B "C:\Users\Fely\AppData\Local\Temp\msgbox.vbe"
    • O4 - HKCU\..\Run: [SM?RT-Protection] C:\Program Files\Smadav\SM?RTP.exe rtp
    • O4 - Startup: msgbox.vbe
    • O23 - Service: Ask Update Service (APNMCP) - APN LLC. - C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe

    After clicking Fix exit HJT.





    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :Files
    C:\Program Files\GUMC6E.tmp
    C:\Users\Fely\AppData\Roaming\BabSolution
    C:\Users\Fely\AppData\Roaming\Babylon
    C:\Users\Fely\AppData\Roaming\satoolbar.exe
    C:\Users\Fely\AppData\Roaming\Smadav
    C:\Users\Fely\Desktop\Smadav
    C:\Program Files\Smadav
    C:\_SMAD-~1 
    C:\Users\Fely\AppData\Local\Temp\msgbox.vbe
    C:\Program Files\AskPartnerNetwork
    
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "SMëRT-Protection"=-
    "msgbox"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "msgbox"=-
    [HKEY_USERS\S-1-5-21-156910536-2921228982-575137410-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "SMëRT-Protection"=-
    "msgbox"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{154d339e-ccaa-49a5-9b38-6878ad4220bc}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{154d339e-ccaa-49a5-9b38-6878ad4220bc}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{15B9AB48-B5A6-48D8-A60A-3AE052684939}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D4080388-7C6D-4F7F-BB9D-1B8EF18E72AA}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  3. barts0924

    barts0924 Private E-2

    Hi there Kestrel13!

    Thanks for helping.

    In the instruction for HitmanPro, what do you mean by

    "Re run Hitman Pro and have it remove all that it finds except for your bible movie entries."

    Best regards.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi. :)

    I mean, you want to keep all of the below, correct?


    If so then have Hitman remove all except for that. ;)
     
  5. barts0924

    barts0924 Private E-2

    Hi there Kestrel13!

    Yes I think she wants to keep those.

    So I'm going to apply to all -----> delete,
    then Ignore for the file I want to keep?

    Best Regards

    PS. Here are the logs for some of them.
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yep. :)

    Also uninstall this >>> Speed Analysis 3

    Then explain what issues remain.
     
  7. barts0924

    barts0924 Private E-2

    Hi there Kestrel13!

    Sorry, I can't do that right now, but I will do it sometime later.

    But what I can tell you is that msgbox.vbe can still be found in the Temp folder, and the computer infects removable devices with a copy of msgbox.vbe, turns all folders and files into .lnk files and hides the said files and folders.

    Also, in Safe Mode the removable devices don't get infected.

    And there are still two csrss.exe (is this normal?).

    Also, I changed the antivirus from Avira to Avast.

    And Avast deletes the said msgbox.vbe, but it still keeps respawning.

    Best Regards,
     
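The two pieces of the infection described in this thread, the `wscript.exe //B ...\Temp\msgbox.vbe` autoruns in Kestrel13!'s HijackThis and OTM lists (Run keys under HKLM and HKCU plus the Startup folder) and the USB behaviour barts0924 reports above (a dropped copy of the script, every file and folder hidden and replaced by a .lnk lure), can be checked and cleaned from PowerShell. The script below is an added example, not part of the thread or of any of the tools it mentions; it assumes an elevated PowerShell session on the affected machine, and the function names, the list of script-host extensions and the exclusion of the drive's own system folders are the editor's assumptions rather than anything the posts state.

```powershell
# Added example: locate script-host autoruns and clean a "shortcut worm" USB drive.
# Assumptions (not from the thread): run as administrator; the dropped script uses
# one of the extensions below; lures are .lnk files whose command line invokes
# wscript.exe or cscript.exe (as the msgbox.vbe entries in the fix list do).
$ScriptExt = @('.vbe', '.vbs', '.js', '.jse', '.wsf')
$HostRegex = '(?i)\b[wc]script(\.exe)?\b'

function Find-ScriptAutoruns {
    # Enumerate Run/RunOnce keys and both Startup folders for entries that launch
    # a script host. Read-only: it reports, it does not delete.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-ItemProperty -Path $k
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # provider metadata, not a value
            if ("$($p.Value)" -match $HostRegex) {
                [pscustomobject]@{ Location = $k; Name = $p.Name; Command = $p.Value }
            }
        }
    }
    foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                       [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not $dir -or -not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { $ScriptExt -contains $_.Extension.ToLower() } |
            ForEach-Object {
                [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
            }
    }
}

function Repair-ShortcutWormDrive {
    # Remove lure shortcuts and the dropped script from a removable drive, then
    # clear the Hidden+System attributes the worm set on the original content.
    param(
        [Parameter(Mandatory)] [string] $Root,   # e.g. 'E:\'
        [switch] $Preview                        # report only, change nothing
    )
    $shell   = New-Object -ComObject WScript.Shell
    $keep    = @('System Volume Information', '$RECYCLE.BIN')   # legitimately H+S
    $hs      = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    $removed = 0; $unhidden = 0

    # 1. Lures: shortcuts whose target or arguments run a script host.
    Get-ChildItem -Path $Root -Filter *.lnk -Force -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
            if ($cmd -match $HostRegex) {
                Write-Host "Lure: $($_.FullName) -> $cmd"
                if (-not $Preview) { Remove-Item -LiteralPath $_.FullName -Force }
                $removed++
            }
        }
    # 2. The dropped script itself (the worm copies it to the drive root).
    Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $ScriptExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            Write-Host "Dropped script: $($_.FullName)"
            if (-not $Preview) { Remove-Item -LiteralPath $_.FullName -Force }
            $removed++
        }
    # 3. Originals: anything still marked Hidden AND System (attrib -h -s equivalent).
    Get-ChildItem -Path $Root -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $keep -notcontains $_.Name -and (([int]$_.Attributes -band $hs) -eq $hs) } |
        ForEach-Object {
            Write-Host "Unhiding: $($_.FullName)"
            if (-not $Preview) {
                $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot $hs))
            }
            $unhidden++
        }
    [pscustomobject]@{ Drive = $Root; Removed = $removed; Unhidden = $unhidden }
}

# Usage (elevated PowerShell):
#   Find-ScriptAutoruns | Format-Table -AutoSize
#   Repair-ShortcutWormDrive -Root 'E:\' -Preview
#   Repair-ShortcutWormDrive -Root 'E:\'
```

Order matters: run `Find-ScriptAutoruns` and remove the host-side entries (and the copy in `%TEMP%`) before cleaning any drive, because the running script is what rewrites a drive the moment it is plugged in; that is consistent with the respawning msgbox.vbe and the clean Safe Mode behaviour reported in the post above. `-Preview` lets you eyeball the list of lures and hidden items first, since step 3 will also unhide any file a user deliberately marked Hidden+System.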
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  9. barts0924

    barts0924 Private E-2

    Hi Kestrel13!

    Here are the logs you've requested.

    And I can't seem to uninstall Speed Analysis 3; it always shows a message when I try to uninstall it.
    See the attached picture.

    I used Revo Uninstaller, by the way.

    Best regards
     


  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double-click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    • Please download Combofix to your desktop. Please refer to these instructions prior to running.
    • Attach log once done.
     
