Avast WEBforum

Other => Viruses and worms => Topic started by: x2397 on August 30, 2012, 04:37:16 AM

Title: need assistance with malware
Post by: x2397 on August 30, 2012, 04:37:16 AM
Today Malwarebytes detected something that Avast did not and was able to remove it. I am wondering if someone could help me figure out if I am clean.
Will upload OTL files later.

thanks in advance for any assistance

Title: Re: need assistance with malware
Post by: x2397 on August 30, 2012, 04:37:58 AM
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.01.05

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Biohazard :: BIOHAZARD-PC [administrator]

8/29/2012 9:45:55 AM
mbam-log-2012-08-29 (09-45-55).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 188179
Time elapsed: 2 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)
this is from a quick scan

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Biohazard\AppData\Local\Temp\services.exe.mui (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

(end)
Title: Re: need assistance with malware
Post by: x2397 on August 30, 2012, 04:38:40 AM
this is from a full scan

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Biohazard :: BIOHAZARD-PC [administrator]

8/29/2012 8:52:41 PM
mbam-log-2012-08-29 (20-52-41).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 317026
Time elapsed: 39 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Title: Re: need assistance with malware
Post by: x2397 on August 30, 2012, 05:10:25 AM
For some reason OTL didn't generate the extras file, so I ran it again to make sure, but it still didn't create it. I attached the log that was created.
Title: Re: need assistance with malware
Post by: x2397 on August 30, 2012, 05:19:50 AM
here is the asw log
Title: Re: need assistance with malware
Post by: Pondus on August 30, 2012, 04:09:02 PM
"for some reason otl didn't generate the extras file so I ran it again to make sure but it still didn't create it, I attached the log that was created"

That reason is that extra.txt is only created the first time OTL is run ... so I guess you have run it before.
Anyway, that log is not important.
Title: Re: need assistance with malware
Post by: essexboy on August 30, 2012, 04:13:10 PM
No apparent malware there. Are you experiencing any problems?
Title: Re: need assistance with malware
Post by: x2397 on August 30, 2012, 06:07:51 PM
Oh, so extras only appears the first time? Now it makes sense.
No malware in my system? Sounds excellent.
The reason I ran a scan was because Firefox blocked me from Google saying it was untrusted, and I read on the web that maybe my browser had been compromised, so I got concerned. I ran a scan with Avast and nothing came up, then I ran a scan with Malwarebytes and it found that exploit.
Thank you very much for taking the time to look into my problem. Appreciate your great work.
Title: Re: need assistance with malware
Post by: x2397 on September 07, 2012, 05:25:35 PM
The infection came back, what do I do? I am starting to think there might be something hidden on my system that is bringing it back. Please help me figure out what's going on.
I scanned with Malwarebytes today and it gave me this, nothing came up in Avast:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.07.09

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Biohazard :: BIOHAZARD-PC [administrator]

9/7/2012 10:14:05 AM
mbam-log-2012-09-07 (10-14-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 193193
Time elapsed: 2 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Biohazard\AppData\Local\Temp\services.exe.mui (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

(end)

Title: Re: need assistance with malware
Post by: x2397 on September 07, 2012, 05:42:12 PM
here is a new otl log
Title: Re: need assistance with malware
Post by: x2397 on September 07, 2012, 05:49:19 PM
here is the last log
Title: Re: need assistance with malware
Post by: Theo Peterbroers on September 07, 2012, 05:54:27 PM
On mui files

http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/winlogonexemui-system-file-or-malware/d74bc560-d79e-4b10-8a26-5cdeff0382fc?msgId=8b7ca0ed-14a6-4257-ac04-66c867ac2c38

"Explanation:
Unlike previous versions of Windows, the code Binaries that are used to build Windows 7 are Language Neutral. This means that at least one Language Pack must be installed that defines the Base Language for that version of Windows 7. The base language cannot be uninstalled.
These .MUI files are the language pack files."

Seems to be a false positive by Malwarebytes. Such things do happen. Of course, there is no guarantee that your services.exe.mui is legit.
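
Added example (not part of any post in this thread, and not Malwarebytes code): a small Python parser for the log format pasted above that reports which paths were detected in more than one scan, plus a location heuristic for .mui files. The function names and the locale-folder pattern are assumptions of this example; Windows normally keeps MUI resource files in a language folder such as en-US beside the binary, so a copy in Temp deserves a closer look, though location alone proves nothing either way.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SECTION = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
ITEM = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
LOCALE_DIR = re.compile(r"^[a-z]{2,3}-[a-z]{2}$", re.I)  # e.g. en-US; simplified

DETECTION = (r"C:\Users\Biohazard\AppData\Local\Temp\services.exe.mui "
             "(Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.")
# Logs from this thread, trimmed to the lines the parser uses.
LOGS = {
    "2012-08-29 quick": "Scan type: Quick scan\nFolders Detected: 0\n"
                        "(No malicious items detected)\nFiles Detected: 1\n" + DETECTION,
    "2012-08-29 full": "Scan type: Full scan (C:\\|D:\\|)\nFiles Detected: 0\n"
                       "(No malicious items detected)",
    "2012-09-07 quick": "Scan type: Quick scan\nFiles Detected: 1\n" + DETECTION,
}

def parse_mbam_log(text):
    """Return detections as dicts with keys: section, path, name, action."""
    section, found = None, []
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            section = m["section"]          # e.g. "Files", "Registry Keys"
        elif section and (m := ITEM.match(line)):
            found.append({"section": section, **m.groupdict()})
    return found

def recurring_paths(logs):
    """Paths reported in more than one scan, i.e. recreated after removal."""
    seen = defaultdict(list)
    for label, text in logs.items():
        for det in parse_mbam_log(text):
            seen[det["path"].lower()].append(label)
    return {p: labels for p, labels in seen.items() if len(labels) > 1}

def mui_in_expected_location(path):
    """Heuristic: a .mui file sits in a language folder beside its binary, not in Temp."""
    p = PureWindowsPath(path)
    in_temp = "temp" in (part.lower() for part in p.parts)
    return bool(LOCALE_DIR.match(p.parent.name)) and not in_temp

if __name__ == "__main__":
    for path, scans in recurring_paths(LOGS).items():
        print(path, scans, "expected location:", mui_in_expected_location(path))
```

A file that is recreated at the same path after each removal means some process keeps writing it, so the useful next step is finding that process rather than deleting the file again.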

Title: Re: need assistance with malware
Post by: essexboy on September 07, 2012, 07:39:08 PM
OK, let's empty the temporary files

Clear Cache/Temp Files
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Title: Re: need assistance with malware
Post by: x2397 on September 07, 2012, 09:35:48 PM
ok will do
Title: Re: need assistance with malware
Post by: essexboy on September 07, 2012, 09:39:20 PM
Attach the logs in this thread
Title: Re: need assistance with malware
Post by: x2397 on September 07, 2012, 09:41:10 PM
I am not sure if it restarted, but when it finished it went black and got me back to the Windows login screen. Does that mean it restarted? Also, where are the logs? All I see on the desktop are two desktop.ini files.
Title: Re: need assistance with malware
Post by: x2397 on September 07, 2012, 10:04:17 PM
are these the logs? I had to convert the ini files to notepad before uploading them
Title: Re: need assistance with malware
Post by: essexboy on September 07, 2012, 10:27:08 PM
Sorry, the previous reply was not meant for you, it was for another thread  :-[

How is the computer behaving now? TFC will not generate a log.
Title: Re: need assistance with malware
Post by: x2397 on September 07, 2012, 10:28:58 PM
Did the OTL log and asw show that I am clean? My system seems fine, but I am not really sure how to tell if it was an FP from Malwarebytes.
Title: Re: need assistance with malware
Post by: essexboy on September 07, 2012, 10:31:41 PM
I can see no sign of malware
Title: Re: need assistance with malware
Post by: x2397 on September 07, 2012, 10:35:42 PM
No malware? That's nice.
Do you have any recommendation on how I should proceed from here? How do I know my mui files are legit, as kwartet mentioned, and what do I do in the event that Malwarebytes detects it again?
Also, what were those ini files and are they important?
Title: Re: need assistance with malware
Post by: x2397 on September 08, 2012, 12:33:14 AM
I ran a quick scan with Malwarebytes and it detected it again.

Title: Re: need assistance with malware
Post by: Pondus on September 08, 2012, 12:36:28 AM
"I ran a quick scan with malwarebytes and it detected it again"

Report in the Malwarebytes forum as a possible False Positive

http://forums.malwarebytes.org/index.php?s=9de53bb5a339ca946f8b905b6d3ff7eb&showforum=42
Title: Re: need assistance with malware
Post by: x2397 on September 08, 2012, 12:40:59 AM
Just to be sure, I restarted my PC to be sure I made a proper restart after using TFC. Will monitor and see if it comes back.

Thanks for your help guys.
Title: Re: need assistance with malware
Post by: essexboy on September 08, 2012, 12:42:43 AM
Keep me informed please
Title: Re: need assistance with malware
Post by: x2397 on September 08, 2012, 12:45:32 AM
I ran a scan again after reboot and nothing came up, will monitor to see if it comes back.