Bitcoin Forum
December 09, 2016, 05:54:14 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2] 3 »  All
  Print  
Author Topic: [Solved] Windows infection: please help a security newbie  (Read 5702 times)
dree12
Legendary
*
Offline Offline

Activity: 1232



View Profile
July 23, 2012, 01:18:45 AM
 #21

edit; if it will let you, enable the BITS (Background Intelligent Transfer Service) service from services.msc and see if you can then access the windows update functions.
None of these services exist anymore:

  • BITS
  • Microsoft Antimalware
  • Windows Firewall
  • Windows Update

Are you using a device from Midiman called M-Audio or some such via firewire?
The file has definately been renamed and corrupted. Here are some suspicious traits:

Code:
No permissions have been assigned for this object.

Warning: this is a potential security risk because anyone who can access this object can take ownership of it. The object’s owner should assign permissions as soon as possible.

Code:
Original filename: mafwcpl.exe
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481306054
Hero Member
*
Offline Offline

Posts: 1481306054

View Profile Personal Message (Offline)

Ignore
1481306054
Reply with quote  #2

1481306054
Report to moderator
1481306054
Hero Member
*
Offline Offline

Posts: 1481306054

View Profile Personal Message (Offline)

Ignore
1481306054
Reply with quote  #2

1481306054
Report to moderator
1481306054
Hero Member
*
Offline Offline

Posts: 1481306054

View Profile Personal Message (Offline)

Ignore
1481306054
Reply with quote  #2

1481306054
Report to moderator
sadpandatech
Hero Member
*****
Offline Offline

Activity: 504



View Profile
July 23, 2012, 01:24:32 AM
 #22

edit; if it will let you, enable the BITS (Background Intelligent Transfer Service) service from services.msc and see if you can then access the windows update functions.
None of these services exist anymore:

  • BITS
  • Microsoft Antimalware
  • Windows Firewall
  • Windows Update

Are you using a device from Midiman called M-Audio or some such via firewire?
The file has definately been renamed and corrupted. Here are some suspicious traits:

Code:
No permissions have been assigned for this object.

Warning: this is a potential security risk because anyone who can access this object can take ownership of it. The object’s owner should assign permissions as soon as possible.

Code:
Original filename: mafwcpl.exe

aye, that file we have now is not the orginal. Did you find anything else modified aorund the same time?

As far as the missing services. OUCH. you are likely going to need to at the very least run a repair install of Win 7

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system. - GA
It is being worked on by smart people. -DamienBlack
dree12
Legendary
*
Offline Offline

Activity: 1232



View Profile
July 23, 2012, 01:40:46 AM
 #23

I have a restore point from the last Windows update. Will that restore the missing services?
sadpandatech
Hero Member
*****
Offline Offline

Activity: 504



View Profile
July 23, 2012, 01:41:51 AM
 #24

I have a restore point from the last Windows update. Will that restore the missing services?

Is that date before that file was created? And I am not totally sure on that. It kind of depends in what manner they have been removed.

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system. - GA
It is being worked on by smart people. -DamienBlack
dree12
Legendary
*
Offline Offline

Activity: 1232



View Profile
July 23, 2012, 01:43:57 AM
 #25

I have a restore point from the last Windows update. Will that restore the missing services?

Is that date before that file was created? And I am not totally sure on that. It kind of depends in what manner they have been removed.
Yes, and windows update was certainly working. I guess I'll try, and if that doesn't work, repair install.

Thanks for your help! It saved me a lot of grief and was greatly appreciated.

BTW: wrorap.dll somehow hacked the web browsers (it was being used by them when I tried to delete it). That's what was causing the redirects.
check_status
Full Member
***
Offline Offline

Activity: 196


Web Dev, Db Admin, Computer Technician


View Profile
July 23, 2012, 02:19:59 AM
 #26

Probably installed javascript into the profile of Firefox, you may need to create a new profile.

For Bitcoin to be a true global currency the value of BTC needs always to rise.
If BTC became the global currency & money supply = 100 Trillion then ⊅1.00 BTC = $4,761,904.76.
P2Pool Server List | How To's and Guides Mega List |  1EndfedSryGUZK9sPrdvxHntYzv2EBexGA
finkleshnorts
Sr. Member
****
Offline Offline

Activity: 336



View Profile
July 23, 2012, 04:07:04 AM
 #27

I have a restore point from the last Windows update. Will that restore the missing services?

Is that date before that file was created? And I am not totally sure on that. It kind of depends in what manner they have been removed.
Yes, and windows update was certainly working. I guess I'll try, and if that doesn't work, repair install.

Thanks for your help! It saved me a lot of grief and was greatly appreciated.

BTW: wrorap.dll somehow hacked the web browsers (it was being used by them when I tried to delete it). That's what was causing the redirects.

restore points can be infected.
sadpandatech
Hero Member
*****
Offline Offline

Activity: 504



View Profile
July 23, 2012, 04:39:24 AM
 #28

Probably installed javascript into the profile of Firefox, you may need to create a new profile.

aye, not a bad idea at all. 

I take it you were able to remove it in safemode?  Was firefox the only browser that was redicreting on you? Probably will not hurt to reinstall any other browsers you were using as well.


And now you got me curious as to the source or that thing. I hadn't bothered to decompile that dll to see the actual script in it as I figured you had it whipped. But it could not hurt to.


Another handy trick is to find a compiled piece of the malicious code to use to search for inside of all the files on your comp. I've been able to find quite a few left over 'dormant' pieces of nasties that would have otherwise went undected that way.


Let us know if you still have issues removing that file. Or skip ahead of posting again and use; http://www.scanwith.com/Pocket_KillBox_download.htm
  Add the file path to the box, check the 'delete on reboot' option and then if you ae ready to reboot, hit the lil red x tot he right of the file location input. That should have no issues removing it. If so, let us know.

cheers

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system. - GA
It is being worked on by smart people. -DamienBlack
dree12
Legendary
*
Offline Offline

Activity: 1232



View Profile
July 23, 2012, 11:37:29 PM
 #29

It was ZeroAccess.

I'll update soon: I'm running some scans to make sure the rootkit is completely gone.

Firefox redirected the worst (on load and nearly every search result). IE also redirected. Chromium refused to work until recently (it wouldn't connect to anything).

Update:

ZeroAccess is apparently a rootkit that uses a variety of techniques to circumvent UAC by injecting code into UAC exceptions. I had not realized the dangers of keeping UAC at the "recommended" level, believing it to be sufficient in preventing malware. UAC is now set at the highest level.

ZeroAccess also downloaded a Bitcoin-related trojan (this is what most worries me). At this point, all my bitcoin is still present and remains encrypted. This was the cause of the slow computer; the bitcoin trojan converted it into a botnet.

ZeroAccess deleted some important services. Most importantly, Windows Update and Windows Firewall have been deleted. I will probably do a repair install, as a system restore seems too risky (what if it restores the rootkit?).

At this point, ZeroAccess should have been removed. At the very least, its symptoms are no longer present.

Edit: Windows Update has been restored (I needed to reregister the services, but the dlls were not deleted). I have reinstalled MSE and the computer should be much safer now. Now, I'm trying to fix Windows firewall, which isn't as crucial as the other two.
rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
July 24, 2012, 03:07:07 AM
 #30

Personally, I never trust an infected computer ever again. All kinds of shit happens that's easy to miss and will cause future problems. If you hold any significant amount of bitcoins, it would be a good idea to move tem to a known secure computer. And I mean move the encrypted wallet without first decrypting it, since you can't be sure there isn't a lingering keylogger or some shit like that.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
dree12
Legendary
*
Offline Offline

Activity: 1232



View Profile
July 24, 2012, 03:12:43 AM
 #31

I have rediscovered an even more serious infection. This time, some core Windows system files were damaged.

"Windows has encountered a critical problem and will restart in one minute".

Yes, even in safe mode.

I have resorted to system restore, which has fixed the critical problem (additionally, all services have been restored). MSE is currently running, but only so I can gain some experience on how to deal with a severe infection.

At this point, I am simply going to install Ubuntu tommorow. After dealing with ZeroAccess, this newly discovered and even worse infection will simply be an exercise to remove.
myrkul
Hero Member
*****
Offline Offline

Activity: 532


FIAT LIBERTAS RVAT CAELVM


View Profile WWW
July 24, 2012, 03:17:30 AM
 #32

At this point, I am simply going to install Ubuntu tommorow. After dealing with ZeroAccess, this newly discovered and even worse infection will simply be an exercise to remove.

Windows, your days are numbered!

http://www.youtube.com/watch?v=CWsJcg-g1pg

That said, the most recent Ubuntu is not my favorite. Unity... ick. But its a great Linux beginner OS.

BTC1MYRkuLv4XPBa6bGnYAronz55grPAGcxja
Need Dispute resolution? Public Key ID: 0x11D341CF
No person has the right to initiate force, threat of force, or fraud against another person or their property. VIM VI REPELLERE LICET
dree12
Legendary
*
Offline Offline

Activity: 1232



View Profile
July 24, 2012, 03:21:34 AM
 #33

Sirefef is the trojan's name. I think it's currently under control (quarentined by MSE, which is saved by the system restore).

At this point, I am simply going to install Ubuntu tommorow. After dealing with ZeroAccess, this newly discovered and even worse infection will simply be an exercise to remove.

Windows, your days are numbered!

http://www.youtube.com/watch?v=CWsJcg-g1pg

That said, the most recent Ubuntu is not my favorite. Unity... ick. But its a great Linux beginner OS.
I wish there was audio in safe mode now.

Ubuntu is good enough for me, because I've actually used it before.

Edit: Wow, these viruses are good. They just deleted the Windows Security Centre service... in Safe Mode. The reason this is so significant is that that is not a service that can even start in Safe Mode.
check_status
Full Member
***
Offline Offline

Activity: 196


Web Dev, Db Admin, Computer Technician


View Profile
July 24, 2012, 05:03:38 AM
 #34

Well, there are both benefits and disadvantages to using Linux. Linux does have malware, rootkits, worms, trojans, privilage escalation, vulnerabilities. The benefits of Linux are that the majority of the malware attacks always start in user space, the disadvantage is tools are not well discussed so newbies can acquire improved security. Often, security questions are met with responses like, "Your on Linux now, stop worrying, there is no malware here, just move along...". Little do they know, there question was being answered by a Blackhat, who isn't interested in helping to reduce his ability to pwn your box. Because of this atmosphere that "Linux is immune", it makes detecting an infection or security threat much harder for a newb than it is in Windows.
Ask yourself this, If a rootkit/worm/trojan/keylogger were running in your Linux system, how would I find it? Now see how many people will teach you how to look for the signs.
While Linux is better at default security than Windows, the length of time an infection will go undiscovered by a newb on Linux will be much longer, if infected.

For Bitcoin to be a true global currency the value of BTC needs always to rise.
If BTC became the global currency & money supply = 100 Trillion then ⊅1.00 BTC = $4,761,904.76.
P2Pool Server List | How To's and Guides Mega List |  1EndfedSryGUZK9sPrdvxHntYzv2EBexGA
myrkul
Hero Member
*****
Offline Offline

Activity: 532


FIAT LIBERTAS RVAT CAELVM


View Profile WWW
July 24, 2012, 05:16:05 AM
 #35

Well, there are both benefits and disadvantages to using Linux. Linux does have malware, rootkits, worms, trojans, privilage escalation, vulnerabilities.

Yes, and Ubuntu is starting to get big enough to be a targetable audience. (ie, it's worth the hacker's time).

But the very nature of the Linux ecosystem makes it harder to program a single bug that will infect everyone, and the open-source nature and upstream fixes makes any holes shorter-lived.

No system is 100% secure. But compared to Windows, Linux might as well be. (Especially if, like me, you use some off-brand Linux, and keep everything updated.)

BTC1MYRkuLv4XPBa6bGnYAronz55grPAGcxja
Need Dispute resolution? Public Key ID: 0x11D341CF
No person has the right to initiate force, threat of force, or fraud against another person or their property. VIM VI REPELLERE LICET
Vladimir
Hero Member
*****
Offline Offline

Activity: 812


-


View Profile
July 24, 2012, 05:16:59 AM
 #36

Whether you like it or not, wipe all and reinstall is what you need to do.

-
01BTC10
VIP
Hero Member
*
Offline Offline

Activity: 742



View Profile
July 24, 2012, 05:37:25 AM
 #37

Whether you like it or not, wipe all and reinstall is what you need to do.

+1

And some very specialised rootkit can even infect the BIOS so in a company environment you need to flash the BIOS before reinstall. You can't trust a computer that have ever been infected.

http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html
dree12
Legendary
*
Offline Offline

Activity: 1232



View Profile
July 24, 2012, 04:48:19 PM
 #38

Whether you like it or not, wipe all and reinstall is what you need to do.

+1

And some very specialised rootkit can even infect the BIOS so in a company environment you need to flash the BIOS before reinstall. You can't trust a computer that have ever been infected.

http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html
If I'm going to be switching OS's, should I still worry about this?
sadpandatech
Hero Member
*****
Offline Offline

Activity: 504



View Profile
July 24, 2012, 05:21:32 PM
 #39

Whether you like it or not, wipe all and reinstall is what you need to do.

+1

And some very specialised rootkit can even infect the BIOS so in a company environment you need to flash the BIOS before reinstall. You can't trust a computer that have ever been infected.

http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html
If I'm going to be switching OS's, should I still worry about this?

def +1 to what Vlad and 01BTC10 are saying. You seem to have some fairly uncommon nastie son your machine. It probably would not hurt at all to boot from a floppy or livecd made from another mahcine and flash the bios.  Also, when you do format the drive to reinstall make sure to format /MBR  and format /S as well from a known clean disk. 

nasty stuff there, m8

If that was in my shop, I'd probably just destroy the HDD, replace the mobo and rest comfortably versus wondering IF there is some more advanced infection invloved.

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system. - GA
It is being worked on by smart people. -DamienBlack
dree12
Legendary
*
Offline Offline

Activity: 1232



View Profile
July 24, 2012, 05:34:12 PM
 #40

Whether you like it or not, wipe all and reinstall is what you need to do.

+1

And some very specialised rootkit can even infect the BIOS so in a company environment you need to flash the BIOS before reinstall. You can't trust a computer that have ever been infected.

http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html
If I'm going to be switching OS's, should I still worry about this?

def +1 to what Vlad and 01BTC10 are saying. You seem to have some fairly uncommon nastie son your machine. It probably would not hurt at all to boot from a floppy or livecd made from another mahcine and flash the bios.  Also, when you do format the drive to reinstall make sure to format /MBR  and format /S as well from a known clean disk. 

nasty stuff there, m8

If that was in my shop, I'd probably just destroy the HDD, replace the mobo and rest comfortably versus wondering IF there is some more advanced infection invloved.
I'd rather not risk killing the BIOS to remove something that a) probably isn't there and b) probably doesn't matter.

Why should I format the MBR? Won't that destroy the partition table?
Pages: « 1 [2] 3 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!