Author Topic: Re-occuring Infection  (Read 29743 times)

0 Members and 1 Guest are viewing this topic.

tweaker

  • Guest
Re: Re-occuring Infection
« Reply #15 on: September 17, 2012, 07:57:43 PM »
avast! blocked the virus:
hxxp://c.mclarenz.net/click/?s

yup still getting it D:

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Re-occuring Infection
« Reply #16 on: September 17, 2012, 08:41:21 PM »
I will need you to access the recovery console now

Please download the following tool to a USB drive

Listparts

Reboot the computer and immediately press and hold F8
When the safe mode menu appears select Repair my computer
  • Insert the USB
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • A Notepad window will open. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and then close Notepad.
  • In the command window type  e:\listparts64 (64bit)  and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • Click Scan and copy and paste the log (Result.txt) it makes on the flash drive.

tweaker

  • Guest
Re: Re-occuring Infection
« Reply #17 on: September 17, 2012, 08:48:27 PM »
ok, i do not have a usb drive, will have to borrow one from a friend. will re-post when i have done this

tweaker

  • Guest
Re: Re-occuring Infection
« Reply #18 on: September 21, 2012, 08:42:49 PM »
Hello,

   Here is the results from the afformentioned. Update: Still getting a lot of random alerts, just completed full scan with malwarebytes, no infections. Some random audio advertisements while not using browser. Sometimes firefox will refuse to load any page and i have to restart it a few times until it works. Sometimes when clicking on results from google searches i am brought to a clicktogetresults page which is not the corect address i am trying for, and then the browser fails to contact any sites and i must restart firefox.

Thank you for the help

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Re-occuring Infection
« Reply #19 on: September 21, 2012, 08:48:00 PM »
Did you run that from the recovery console (repair my computer command prompt) ?

Could you download a fresh copy of TDSSKiller to your desktop but do not delete the old copy

Then try TDSSKiller again (New copy)


tweaker

  • Guest
Re: Re-occuring Infection
« Reply #20 on: September 21, 2012, 08:55:21 PM »
it was run from safe mode with command prompt using the F8 menu. I just tried downloading a new version of TDSSKiller and ran it, it would not run. Also tried running it from dos promp (cmd.exe). It appears to run momentarily and then kill itself.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Re-occuring Infection
« Reply #21 on: September 21, 2012, 09:10:47 PM »
OK that explains it..  You need to run it from the command prompt after selecting repair my computer running from safe mode means that the partition will be hidden

Do you have the repair my computer option ?

tweaker

  • Guest
Re: Re-occuring Infection
« Reply #22 on: September 21, 2012, 09:30:45 PM »
actually yes i do. i selected this option, then it came up with a screen saying windows is loading files. immediatly after it says this, disk activity stops (ie: the disk activity light on my pc does nothing). I waiting for some time, nothing happened and i had to hard reboot. Tried it again, same thing. Could i use the windows repair disc (dvd) that i made using windows some time ago to accomplish this task?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Re-occuring Infection
« Reply #23 on: September 21, 2012, 10:54:32 PM »
Yes boot from the disc ..  Details on what to expect below

I just realised that you have a 64bit system use this version of list parts instead of the one you have now


 Listparts64


When you reboot you will  see this, yours wil say wiindows 7.
 Click repair my computer

 
Select your operating system

 
Select Command prompt

 
At the command prompt type the following  :

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\listparts64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

tweaker

  • Guest
Re: Re-occuring Infection
« Reply #24 on: September 21, 2012, 11:13:42 PM »
Actually i got the 64bit version to start with ;p Ran from repair cd, ran the program, log file attached.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Re-occuring Infection
« Reply #25 on: September 21, 2012, 11:30:05 PM »
OK we are looking at something new here, my second new one today.  So I will run a different scan to the other case and work you in tandem.  He got Dr Web

The analysis zip produced from this programme is the main one I am after, so if you could upload the zip file to a file sharing site for me to collect   

Download AVPTool from Here to your desktop 
   
Run the programme you have just downloaded to your desktop (it will be randomly named ) 
 
First we will run a virus scan  
 
Click the cog in the upper right 

 
 
Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan 


 
Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post
 
 
Now the Analysis
 
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information 
 

 
On completion click the link to locate the zip file to upload and attach to your next post 
 


tweaker

  • Guest
Re: Re-occuring Infection
« Reply #26 on: September 21, 2012, 11:40:38 PM »
ok i will try this now. upon searching on majorgeeks forum i saw all these steps listed in which we have done but someone said to try using a program called hitmanpro. i grabed the 64 bit version and gave it a one time run without install, and i think it may have found some things surprisingly. attached is a file i copy/passted the details to. I did not choose to repair, only to scan, not sure if the repair would do damage so i held off. I will try the afformentioned now :)
« Last Edit: September 22, 2012, 12:12:14 AM by tweaker »

tweaker

  • Guest
Re: Re-occuring Infection
« Reply #27 on: September 21, 2012, 11:55:21 PM »
also the scan says it will take some 23 hours with kapersky virus removal so it will be tomorrow before i can share the zip.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Re-occuring Infection
« Reply #28 on: September 22, 2012, 01:31:31 PM »
Quote
Properties
Name   cisvc.exe
Location   C:\Program Files (x86)\RapidBIT
Size   41.0 KB
Time   167.1 days ago (2012-04-07 14:52:06)
Entropy   5.8
Product   BitMicro RapidPLUS Services
Publisher   BitMicro Software Corporation
Description   Network Services
Version   2.1.0.0
Copyright   Copyright© 2009-2012 BitMicro Software Corporation
Service   FlexService
SHA-256   5351BC7580EAF47682E2DD286089190A4953238C7E9A49B8A1163EEA8A25B448

Detection Names
Ikarus   Trojan-Dropper!IK

Scoring (100.0)
One or more antivirus vendors have indicated that the file is malicious.
Program is impersonating a common Windows system file. This is typical for malware.
Starts automatically as a service during system bootup.
Program starts automatically without user intervention.
The file appears to be part of an installation package or setup program. This is typical for most programs.

This relates to this service in OTL
SRV - [2009/05/17 05:16:24 | 000,041,984 | --S- | M] (BitMicro Software Corporation) [Auto | Stopped] -- C:\Program Files (x86)\RapidBIT\cisvc.exe -- (FlexService)

Which is not running and has been on your system since 2009 however I can remove it if you no longer need it, I would not recommend using Hitmanpro to remove it
 

tweaker

  • Guest
Re: Re-occuring Infection
« Reply #29 on: September 22, 2012, 09:25:04 PM »
okay i will just leave it alone as i am not entirely sure what it is i will take your advice. what about the root kit it discovered, should that be left as well?

Thank You Sir!

P.S. Sorry no kapersky zip, still scanning