Continuation - Infection Cleanout



Redfefnir
2013-05-22, 01:01
Well, I get pulled away for a few days and the thread gets archived! Understandable, but hopefully we can continue, and if not, well. That's that then. I finally had the time to sit down and run the requested scanner, which I really didn't want to leave on overnight, but had to.

Quote from what I was to do:

Ok, thanks for the info. Not sure why RogueKiller is flagging those .exe on your desktop. They don't appear to be cracks or keygens.

In any case we can remove the proxy setting. Run RogueKiller again; after the prescan is done click the scan button. Once that's done click on the Registry tab and uncheck everything but this one:

[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (203.232.208.116:8080
Then click the delete button to remove the checked item.

You can get a copy of the free version of Malwarebytes which you can use as another antimalware app. Let's see if it digs anything up.

Please download the free version of Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
NOTE: The free version must be updated manually and a scan started manually.

http://forums.spybot.info/showthread.php?68481-Infected-Computer-Hacked-Account

So I ran RogueKiller a few nights ago when I could and didn't find any sort of Proxy or HKCU in the results, nothing that looked close unfortunately. Then I went on a trip and had to take care of the house (that pesky lawn) with some fire department and ambulance corp events respectfully and finally ran Malwarebytes overnight last night. It didn't find anything, which hopefully means I'm on the up and up and won't be having any account theft issues.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.20.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Cameron :: CAMERON-PC [administrator]

5/20/2013 10:00:10 PM
mbam-log-2013-05-20 (22-00-10).txt

Scan type: Full scan (C:\|D:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 812763
Time elapsed: 3 hour(s), 25 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

shelf life
2013-05-22, 03:03
I just archived the thread due to a lack of a response. I gave you the wrong directions. After you re-ran RogueKiller the proxy item would have been found under the proxy tab in RogueKiller, not under the registry tab. Then you would click the Fix Proxy tab, not the delete button like I posted. So let's repeat that step: run RogueKiller again and after the prescan is done click the scan button. When the scan is all done click the Fix Proxy button.

Malwarebytes coming up clean is an encouraging sign.

Redfefnir
2013-05-25, 07:40
Augh, I wasn't subscribed to this thread. I was wondering what the delay was. Also of note, ERUNT is now having some loadup error stating it's unable to create a file; then clicking okay will give an error saving files, with a [Reg create key Ex:5-Access is denied]. This has happened every startup since.

RogueKiller ran, re-scanned:

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Cameron [Admin rights]
Mode : Scan -- Date : 05/25/2013 00:39:26
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1002FAEX-00Z3A0 ATA Device +++++
--- User ---
[MBR] 1495d3cceb4d408ba06c10a94c13b18a
[BSP] 56e966093cb69f5ecb480a7eb91de987 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD10EALS-00Z8A0 ATA Device +++++
--- User ---
[MBR] 09621e6451cbcafbe2b357fbbe04136d
[BSP] 8d706a39d597c5b0abbd2f15bf51f35e : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_S_05252013_02d0039.txt >>
RKreport[1]_PR_05252013_02d0037.txt ; RKreport[2]_S_05252013_02d0039.txt


Then the RogueKiller 'Fix Proxies' ran:
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Cameron [Admin rights]
Mode : ProxyFix -- Date : 05/25/2013 00:39:37
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

Finished : << RKreport[3]_PR_05252013_02d0039.txt >>
RKreport[1]_PR_05252013_02d0037.txt ; RKreport[2]_S_05252013_02d0039.txt ; RKreport[3]_PR_05252013_02d0039.txt

shelf life
2013-05-25, 15:36
You can remove ERUNT via the add/remove programs panel. Just an FYI, Battle.net has some info here. (https://us.battle.net/support/en/article/account-compromise-what-to-do)
A proxy can capture account info, login credentials, passwords, etc. You should change all your passwords as a precaution.
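As an added example (not code from this thread or from RogueKiller), a read-only PowerShell check that reports the same per-user WinINET proxy values RogueKiller flags as [PROXY IE] (ProxyEnable, ProxyServer, AutoConfigURL) and any hosts-file entry other than the localhost line, so the finding can be confirmed before and after the Fix Proxy step. The function name and the registry value names other than ProxyServer are my assumptions about what is worth checking, not something the thread states.

```powershell
# Added example: audit the current user's WinINET proxy settings and the hosts file.
# Read-only: it reports, it does not change anything.
function Test-IeProxyAndHosts {
    $findings = @()

    # Same key RogueKiller abbreviates as HKCU\[...]\Internet Settings
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # ProxyEnable = 1 plus a ProxyServer value routes IE/WinINET traffic through that host.
    if ($ie -and $ie.ProxyEnable -eq 1 -and $ie.ProxyServer) {
        $findings += "Proxy enabled for current user: $($ie.ProxyServer)"
    }
    # A PAC script URL (assumed worth checking) can redirect traffic just as effectively.
    if ($ie -and $ie.AutoConfigURL) {
        $findings += "PAC script configured: $($ie.AutoConfigURL)"
    }

    # Hosts file: anything beyond comments and the loopback localhost line is worth a look.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($raw in (Get-Content $hostsPath -ErrorAction SilentlyContinue)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $parts = $line -split '\s+'
        $isLoopback = (@('127.0.0.1', '::1') -contains $parts[0]) -and ($parts[1] -eq 'localhost')
        if (-not $isLoopback) { $findings += "hosts entry: $line" }
    }

    return $findings
}

$result = Test-IeProxyAndHosts
if ($result.Count -eq 0) {
    Write-Output 'No proxy or hosts-file redirection found for the current user.'
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

Run it once before the Fix Proxy step to see the proxy line, and again afterwards to confirm the value is gone.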

Redfefnir
2013-05-27, 06:27
Alrighty, uninstalled ERUNT and I had already changed passwords and logins and such. Hopefully everything's all set!

If that's everything I hope this can get closed and I can sleep soundly with a safe computer!

shelf life
2013-05-27, 16:12
You are good to go. You can delete the RogueKiller icon from your desktop. To remove ComboFix click on the start button icon and in the search window type in combofix /uninstall then click enter. Note the space after the x and before the /. Note that the free version of Malwarebytes must be updated manually and a scan started manually. Always check for updates before running a scan.
Some tips:

No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature. Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here. ( http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software installs useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, after which you are prompted to install software to remedy this.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently finds malware then it's time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing tricks. (http://www.fraud.org/tips/internet/phishing.htm)

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista, Windows 7 and Windows 8 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) Your browser risks: The why and how (http://www.cert.org/tech_tips/securing_browser/) to secure your browser for safer surfing. For added protection disable Java (http://disablejava.com/) in your browser.

10) Warez, cracks, keygens etc. are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Do you really trust the source of the file?
More info/tips with pictures, links below.

Happy Safe Surfing.