BleepingComputer.com: No internet after Trojan.Dropper.PE4 cleaned!!!


No internet after Trojan.Dropper.PE4 cleaned!!!

#1 kgbadger (New Member, Group: Members, Posts: 1, Joined: 30-January 12)

Posted 30 January 2012 - 02:47 PM

Got nailed this morning with a doozy...

Malware-Bytes got most of it with a standard scan, but required a reboot...

Memory Processes Detected: 4
C:\Users\Gee\AppData\Local\Temp\~!#AD22.tmp (Trojan.Dropper.PE4) -> 1828 -> Delete on reboot.
C:\Users\Gee\AppData\Roaming\4CBA8\05CE7.exe (Trojan.Dropper.PE4) -> 5016 -> Delete on reboot.
C:\Users\Gee\AppData\Roaming\A87EC\lvvm.exe (Trojan.Dropper.PE4) -> 4684 -> Delete on reboot.
C:\Users\Gee\AppData\Roaming\firefox.exe (Trojan.Dropper.PE4) -> 5800 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\AFD (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Backdoor.CycBot) -> Data: C:\Users\Gee\AppData\Roaming\A87EC\lvvm.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Hijack.Shell.Gen) -> Data: explorer.exe,C:\Users\Gee\AppData\Roaming\4CBA8\05CE7.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|D7D.exe (Backdoor.CycBot) -> Data: C:\Program Files\LP\E724\D7D.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Dropper.PE4) -> Bad: (C:\Users\Gee\AppData\Roaming\A87EC\lvvm.exe) Good: () -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 7
C:\Users\Gee\AppData\Local\Temp\~!#AD22.tmp (Trojan.Dropper.PE4) -> Delete on reboot.
C:\Users\Gee\AppData\Roaming\4CBA8\05CE7.exe (Trojan.Dropper.PE4) -> Delete on reboot.
C:\Users\Gee\AppData\Roaming\A87EC\lvvm.exe (Trojan.Dropper.PE4) -> Delete on reboot.
C:\Users\Gee\AppData\Roaming\firefox.exe (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
C:\Users\Gee\AppData\Roaming\Microsoft\E724\4904.tmp (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\afd.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\LP\E724\D7D.exe (Backdoor.CycBot) -> Quarantined and deleted successfully.

After reboot, I cannot find AVG (system restore says it was uninstalled) and cannot get on the internet to complete the reinstall. All system restore options have failed due to a 'corrupt' restore file.

I have done a reset of all Winsock files and even an sfc scan/rebuild, which included some repairs to system repair processes.

I have noticed my network adapter trying to connect as an IP that is not supported inside the range of my router. Manual IP addressing allows access only to home network, but not out to internet.

Farbar report below. Please help

Farbar Service Scanner Version: 18-01-2012 01
Ran by Gee (administrator) on 30-01-2012 at 14:34:47
Microsoft Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
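The FSS log above points at the cause of the outage: the afd, MpsSvc and bfe service keys no longer exist (afd.sys is the kernel-mode Winsock support driver, so without its service entry no application socket can be opened), even though the file check finds clean MD5s on disk. The following is an added example, not from the thread or from the Farbar tool, that asks the same questions FSS does as a read-only PowerShell check; it assumes Windows 7 with PowerShell 2.0 or later and an elevated prompt, and the service list is the one from the log above.

```powershell
# Added example (not from the thread or the Farbar Service Scanner): read-only check of
# the service keys FSS inspects. Assumes Windows 7, PowerShell 2.0+, elevated prompt.
$services = 'Dhcp', 'AFD', 'MpsSvc', 'BFE', 'mpsdrv', 'SDRSVC', 'VSS'
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath([string]$raw) {
    # ImagePath values come in several shapes: '\SystemRoot\system32\drivers\afd.sys',
    # 'system32\DRIVERS\afd.sys', '%SystemRoot%\system32\svchost.exe -k NetworkService'.
    $p = $raw.Trim('"')
    $p = ($p -split ' -k ')[0]                              # drop svchost group arguments
    $p = $p -replace '^\\\?\?\\', ''                         # drop the \??\ NT prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # NT-style root
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # relative path
    return $p
}

foreach ($name in $services) {
    $key = Join-Path $root $name
    if (-not (Test-Path $key)) {
        # The state FSS reported for afd, MpsSvc and bfe: the Service Control Manager
        # no longer knows the service exists, even when the binary on disk is clean.
        Write-Output ("{0,-8} MISSING: service key {1} does not exist" -f $name, $key)
        continue
    }
    $cfg = Get-ItemProperty -Path $key
    if (-not $cfg.ImagePath) {
        Write-Output ("{0,-8} key present but ImagePath value is missing" -f $name)
        continue
    }
    $img = Resolve-ImagePath $cfg.ImagePath
    $line = ("{0,-8} Start={1} ImagePath={2} (file present: {3})" -f `
             $name, $cfg.Start, $img, (Test-Path $img))
    # svchost-hosted services keep their code in Parameters\ServiceDll; FSS checks it too.
    $params = Join-Path $key 'Parameters'
    if (Test-Path $params) {
        $dll = (Get-ItemProperty -Path $params).ServiceDll
        if ($dll) {
            $dllPath = Resolve-ImagePath $dll
            $line += (" ServiceDll={0} (file present: {1})" -f $dllPath, (Test-Path $dllPath))
        }
    }
    Write-Output $line
}
```

A MISSING line for AFD with afd.sys present on disk is the signature of this thread: the cleanup removed the service registration rather than (only) the file, which sfc cannot repair on its own.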

#2 Farbar (Group: Malware Response Instructor, Posts: 17,817, Joined: 08-December 07, Location: The Netherlands)

Posted 31 January 2012 - 04:35 PM

Hello kgbadger,

Do you still have the issues you are describing? If not, please update me about the current issues.

If you still have the same issues please delete your copy of Farbar Service Scanner and download Farbar Service Scanner and run it on the computer with the issue.
  • Check all the boxes.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#3 Farbar (Group: Malware Response Instructor, Posts: 17,817, Joined: 08-December 07, Location: The Netherlands)

Posted 04 February 2012 - 08:31 AM

This thread will now be closed due to lack of activity.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.
