Infected computer - please help

Status
Not open for further replies.

marygg

I have cleaned up this computer so it now connects to the internet. It had much malware. I tried to clean up as much as I could. Could someone please help me with the enclosed scan logs. Thanks.
 
You're about done with this. Continue with the procedure.
Successive scans are used to uncover additional infections, since masking is common with many infestations. When a tool reports something it cannot clean, that's when the strategy calls for a stronger scan program.
  • Update both MBAM & SAS. Rerun them both.

  • This effort is complete when logs report NO infections/threats, or report something they cannot clean.
    • Typically extra repeat scans are not needed.
  • Post logs. Report progress & what changes are observed. Include logs that found infections.
 
The two scans are now clean. I think I see some potential problems on Hijack This but I will wait to hear from you. Thank you so much for your help.
 
... I think I see some potential problems on Hijack
Adding some specifics helps with performing the analysis. Symptoms and observations add to the technical picture. Having said that, 'winrpcmx.exe' is toxic.

Here is some reading for you: Trojan - online banking credentials

ComboFix is used for the next scan. ComboFix is a very effective tool that scans / fixes hard to clean infections. Additionally, it includes diagnostic information.
  • Uninstall old copy of ComboFix

  • Follow ComboFix instructions referenced below.

  • Restart the computer.

  • Scan with HJT. (part of instructions for ComboFix)

  • Post logs. Report progress & what changes are observed.


Please see this for instructions:
Temporarily Disable Real Time Monitoring Programs:


  • 1 Spybot S&D (Teatimer)
  • 2 Ad-Aware Ad-Watch
  • 3 Spywareguard
  • 4 Windows Defender
  • 5 TrojanHunter Guard
  • 6 Disable SpySweeper
  • 7 WinPatrol
  • 8 CounterSpy
  • 9 AVG Anti-Spyware (formerly ewido)
  • 10 Spyware Doctor
  • 11 Prevx
  • 12 ProcessGuard
  • 13 ZoneAlarm's OS Firewall
  • 14 Ad-Aware 2007 Service

Notes from HJT log
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe >> legit
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing) >> legit; .NET Framework 2.0
O17 - HKLM\System\CCS\Services\Tcpip\..\{71C0CF67-E26B-47B3-B376-093FFAC27E67}: NameServer = 192.168.1.0

O4 - HKUS\S-1-5-21-625304501-3128334838-1852361277-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'QBDataServiceUser18')
O4 - HKUS\S-1-5-18\..\Run: [WinRPCX] C:\WINDOWS\system32\winrpcmx.exe (User 'SYSTEM') >> X
O4 - HKUS\.DEFAULT\..\Run: [WinRPCX] C:\WINDOWS\system32\winrpcmx.exe (User 'Default user') >> X
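The legit / X verdicts above come from the helper's knowledge of each entry. As an added example (not code from the thread or from HijackThis), the Python below parses the same O4/O17/O18/O23 lines and applies rules that are this example's own assumptions: an executable the thread names as malicious is flagged, an unknown executable started from the SYSTEM or .DEFAULT Run key is flagged, and the O17 NameServer is flagged only when it points outside private address space. The sample log text is copied from the thread.

```python
"""Triage of HijackThis (HJT) log lines.

Added example; not code from the thread or from HijackThis itself. The
indicator lists and scoring rules below are this example's own assumptions.
"""
import re
from ipaddress import ip_address

# Constructed sample: the HJT lines quoted in the thread.
SAMPLE_HJT_LOG = r"""
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{71C0CF67-E26B-47B3-B376-093FFAC27E67}: NameServer = 192.168.1.0
O4 - HKUS\S-1-5-21-625304501-3128334838-1852361277-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'QBDataServiceUser18')
O4 - HKUS\S-1-5-18\..\Run: [WinRPCX] C:\WINDOWS\system32\winrpcmx.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinRPCX] C:\WINDOWS\system32\winrpcmx.exe (User 'Default user')
"""

# Executables the thread identifies as malicious (winrpcmx.exe is called
# "toxic"; lsasss.exe and smanager.7.exe are removed by the ComboFix script
# posted later in the thread).
KNOWN_BAD_BASENAMES = {"winrpcmx.exe", "lsasss.exe", "smanager.7.exe"}
# Minimal allowlist of Windows components expected in Run keys (assumption).
KNOWN_GOOD_BASENAMES = {"ctfmon.exe"}
# Run keys under these hives execute for SYSTEM and for every new profile;
# third-party software rarely belongs there, so unknown entries are flagged.
SENSITIVE_HIVES = {r"HKUS\S-1-5-18", r"HKUS\.DEFAULT", "HKLM"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
EXE_RE = re.compile(r'([^\\\s"]+\.exe)', re.IGNORECASE)


def _exe_name(cmd):
    """Return the lower-cased file name of the executable in a Run command."""
    m = EXE_RE.search(cmd)
    return m.group(1).lower() if m else cmd.lower()


def _is_private(addr):
    try:
        return ip_address(addr).is_private
    except ValueError:
        return False


def triage(log_text):
    """Return one finding per HJT line; verdict is 'flag' or 'info'."""
    findings = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            exe, hive = _exe_name(m["cmd"]), m["hive"]
            if exe in KNOWN_BAD_BASENAMES:
                verdict, reason = "flag", f"{exe} is a known-bad executable"
            elif hive in SENSITIVE_HIVES and exe not in KNOWN_GOOD_BASENAMES:
                verdict, reason = "flag", f"unknown {exe} autoruns from {hive}"
            else:
                verdict, reason = "info", "autorun entry, not on any list"
            findings.append({"type": "O4", "name": m["name"], "exe": exe,
                             "verdict": verdict, "reason": reason, "line": line})
            continue
        m = O17_RE.match(line)
        if m:
            servers = [s.strip() for s in m["servers"].split(",")]
            public = [s for s in servers if not _is_private(s)]
            findings.append({"type": "O17", "name": "NameServer", "exe": None,
                             "verdict": "flag" if public else "info",
                             "reason": (f"DNS points at public server(s) {public}"
                                        if public else "NameServer is inside private address space"),
                             "line": line})
            continue
        # O18, O23 and anything else: keep for context, note missing files.
        findings.append({"type": line.split(" ")[0], "name": None, "exe": None,
                         "verdict": "info",
                         "reason": ("file missing on disk" if "(file missing)" in line
                                    else "parsed for context"),
                         "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f['verdict']:4} {f['type']:4} {f['reason']}")
```

Run against the sample, the two WinRPCX entries are the only flagged lines; the O17 entry is reported but not flagged because 192.168.1.0 is a private address, which matches the helper's treatment of it above.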
 
I had trouble downloading ComboFix so I ran it from a cd. The two scans are enclosed. Thanks for your help.
 
SDBot Trojan extremely dangerous

I will ask another specialist to assist with removing this infection. You will see me add technical details to this reply to expose more of the infection.

Please indicate that you understand that this infection threatens your identity, your accounts, and your passwords if this computer is used for online banking and commerce.

.... Having said that 'winrpcmx.exe' is toxic.
Here is some reading for you: Trojan - online banking credentials
  1. This can give intruders complete control of your computer, logging key strokes, stealing information.

  2. You are strongly advised to disconnect infected computer immediately from any networked computers until the computer can be cleaned.

  3. If this computer is used for banking or commercial transactions online, take measures to protect your identity
    • While using the infected computer, Do NOT change passwords or do any transactions because the attacker will get the new passwords and transaction information.

Script file is not complete.
Code:
File:: 
c:\windows\system32\4scj05bs.exe
c:\windows\system32\72NE7O0l.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job


Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]
c:\windows\system32\lsasss.exe [N/A]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]
smanager.7.exe [N/A]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinRPC]
winrpcmx.exe [N/A]
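Before a CFScript is run it helps to know exactly what it will touch. Added example, not code from the thread or from ComboFix: the Python below reads the File:: and Registry:: sections of the script above (the At*.job lines are generated rather than typed out, and At25.job is absent here as it is in the thread), counts the scheduled-task jobs, and lists any executable the Registry:: section refers to that the File:: section does not also delete, the kind of gap a reviewer checks for when a script is marked as not yet complete. The section syntax handled is only the two directives that script uses.

```python
"""Summarize a ComboFix CFScript before it is run.

Added example, not code from the thread or from ComboFix. Only the File:: and
Registry:: directives are handled; the sample is reconstructed from the script
posted in the thread.
"""
import re

# Constructed sample: the thread's script, with the 48 At*.job lines generated
# (At25.job is missing in the original list as well).
_AT_JOBS = [f"c:\\windows\\Tasks\\At{n}.job" for n in range(1, 50) if n != 25]
SAMPLE_SCRIPT = "\n".join(
    ["File::", r"c:\windows\system32\4scj05bs.exe", r"c:\windows\system32\72NE7O0l.exe"]
    + _AT_JOBS
    + ["", "Registry::",
       r"[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]",
       r"c:\windows\system32\lsasss.exe [N/A]",
       r"[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]",
       "smanager.7.exe [N/A]",
       r"[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinRPC]",
       "winrpcmx.exe [N/A]"]
) + "\n"

AT_JOB_RE = re.compile(r"\\At(\d+)\.job$", re.IGNORECASE)
EXE_RE = re.compile(r"([^\\\s\[]+\.exe)", re.IGNORECASE)


def parse_sections(script_text):
    """Map each 'Name::' directive to the non-blank lines listed under it."""
    sections, current = {}, None
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def summarize(script_text):
    """Return counts and cross-checks a reviewer wants before running the script."""
    sections = parse_sections(script_text)
    files = sections.get("File", [])

    # Scheduled-task jobs named At<N>.job: count them and note gaps in the sequence.
    job_numbers = sorted(int(m.group(1)) for m in map(AT_JOB_RE.search, files) if m)
    missing = (sorted(set(range(1, max(job_numbers) + 1)) - set(job_numbers))
               if job_numbers else [])

    # '[-KEY]' marks a key for deletion; the lines under it name the startup item.
    deleted_keys, referenced_exes = [], []
    for line in sections.get("Registry", []):
        if line.startswith("[-") and line.endswith("]"):
            deleted_keys.append(line[2:-1])
        else:
            m = EXE_RE.search(line)
            if m:
                referenced_exes.append(m.group(1).lower())

    # Executables the registry section points at but the file section never deletes.
    deleted_exes = {m.group(1).lower() for m in map(EXE_RE.search, files) if m}
    unhandled = sorted(set(referenced_exes) - deleted_exes)
    return {
        "file_count": len(files),
        "at_job_numbers": job_numbers,
        "missing_at_jobs": missing,
        "registry_keys_deleted": len(deleted_keys),
        "unhandled_exes": unhandled,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

For the thread's script this reports 50 file deletions, 48 At*.job tasks with number 25 absent, three registry keys removed, and three executables (lsasss.exe, smanager.7.exe, winrpcmx.exe) that are referenced by the msconfig startup keys but not deleted by the File:: section.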
 
HJT is part of the solution. I am studying other cases as I pick through the combofix log. Another specialist will construct the script file and recommend a stronger scan tool.
 
(please read) Is your system infected? Read this before Cleaning or Formatting

Re-Open HJT
Place a tick next to the following entries, and then select fix
O4 - HKUS\S-1-5-18\..\Run: [WinRPCX] C:\WINDOWS\system32\winrpcmx.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinRPCX] C:\WINDOWS\system32\winrpcmx.exe (User 'Default user')


You still have Symantec (Norton) AntiVirus, running with Windows startup
Please run the Norton Removal Tool from here: https://www.techspot.com/vb/post586483-2.html

Once restarted, please do the following:

Download and run CCleaner, then continue below

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to
Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report to your next reply.

After Restarting your computer, please run a fresh HJT scan and attach that to a new reply.
Also please report on the status of the running of your computer :)
 
Sorry it took so long. The computer seems to be running fine. I had trouble with downloading Norton removal tool and the Kaspersky took several hours to run. The two logs are attached. Thanks.
 
Please re-open HJT, tick and fix the following:
R3 - URLSearchHook: myBabylon Toolbar - {34ea1c70-42cc-42c5-aa29-ec58b95a343e} - C:\Program Files\myBabylon\tbmyBa.dll
O2 - BHO: myBabylon Toolbar - {34ea1c70-42cc-42c5-aa29-ec58b95a343e} - C:\Program Files\myBabylon\tbmyBa.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
 
I originally started out with a conflict between SP3 and a D-Link wireless adapter driver, so I uninstalled SP3 to try to install the D-Link. I plan to verify the driver works and reinstall SP3. Should I remove SuperAntiSpyware and Malwarebytes? Also, HJT and ComboFix were already on this computer when I started working on it. Should I remove them?
 