Animan.class - Pc Almost Unusable


15 replies to this topic

#1 Johannes1961

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:01:52 PM

Posted 31 August 2008 - 02:54 PM

Hi, I'm new to the forum. And no, my name isn't really Johannes. It's David and I'd welcome some feedback on my problem:


System: Dell 5150 / XP Home SP2 - running Windows Firewall and AVG 7.5.

Symptoms:

Wife reported PC hanging. And a 'weird msg' bottom right stating 'VIRUS ALERT!' (big clue that.. :thumbsup: ...)

Further investigation, new icons on desktop 'Advanced Cleaner' etc. Checked AVG virus reports - identified krnlwrap.exe and animan.class as threats.

Krnlwrap.exe appears on many posts on many forums very recently as a result of a signature file update from AVG and this threat may not be a real threat as it may be associated with some installation programs. I'd welcome a view on this, but in the meantime I'm working on the animan.class problem.

I noticed a similar problem (i.e. animan) posted on this website as 'Administrative Rights Gone'; and have tried to follow the process of resolution in that post, but whilst I come from a techy background, I'm not familiar with these utilities and how to read the logs...


I have run the following utilities in this order:

1. Malwarebytes - mbam - this found a huge number of threats. I have the log file from this.
This made the PC more stable to use in normal mode, and the damage looks quite severe - cannot access the C: drive (it's simply not there via the Windows desktop but accessible via the DOS window). The majority of the programs under the 'Start' menu have vanished. If I try to launch the system control panel (Ctrl-Alt-Del) I'm told that this function has been denied by the administrator. I get an error on logging into each user of "Windows Internet Explorer - ! 2146697208 - The download of the specified resource has failed. (OK)"

I can launch Safari on the machine and connect to the Internet reliably now. It appears quite stable if rather incomplete!

2. Currently running SUPERAntiSpyware (had to install this via the DOS window - I would have done this before running mbam if I'd have thought on). Whilst this is churning away I thought I'd get a post sorted to ask advice on what you think I should do next..

Do I need to post the output from the mbam & SUPERAntiSpyware scans? If so, where to, as I note from the moderators' postings there is etiquette relating to posting log files?

Thanks, David


#2 Johannes1961
  • Topic Starter

Posted 31 August 2008 - 03:32 PM

I should have added I have tried to run SDFix in Safe Mode with the option to report only. This hangs having reported it was at 25%. I left it for 1.5 hours - no disk activity. Ended up having to do a hard reset on the PC as, having ended SDFix via the system control panel (accessible in Safe Mode), the system hung!

Any clues???

Thanks, David

#3 Johannes1961
  • Topic Starter

Posted 31 August 2008 - 05:12 PM

Do you move posts to categorise them? Is the msg ref. Combofix in the banner generic as I haven't posted any logs?

Welcome your feedback on my problem and moved post...

:thumbsup:

PS. The issue with not being able to see the C drive via the conventional Windows desktop... Also, it looks like certain folder hierarchies are unavailable via the Windows desktop, yet accessible via the DOS window.

I recall that there is some configuration capability that enables the administrator to restrict users' access to aspects of the system via the desktop, although usually when your IT guys do this they also remove the DOS access. So perhaps this aspect of the problem may be caused by interference in this area by the malware.

Also, ran a Virus check last night and it identified a number of threats related to the Superantispyware & Mbam that I put on the machine yesterday. Is this normal?

Thanks, David

Edited by Johannes1961, 01 September 2008 - 01:58 AM.


#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,490 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:52 AM

Posted 01 September 2008 - 08:40 AM

Please post the results of your SAS and MBAM scans for review.

Launch MBAM.
Click the Logs Tab at the top.
mbam-log-7-18-2008(09-52-04).txt should show in the list. <- your dates will be different from this example
Click on the log name to highlight it.
Go to the bottom and click on Open.
The log should automatically open in notepad as a text file.
Go to Edit and choose Select all.
Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
Come back to this thread, click Add Reply, then right-click and choose Paste.

To retrieve the SAS scan log information, launch SAS.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Edited by quietman7, 01 September 2008 - 08:41 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#5 Johannes1961
  • Topic Starter

Posted 01 September 2008 - 12:08 PM

Thanks for your involvement.

Mbam log as follows:
Malwarebytes' Anti-Malware 1.25
Database version: 1101
Windows 5.1.2600 Service Pack 2

18:05:32 31/08/2008
mbam-log-08-31-2008 (18-05-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 159424
Time elapsed: 49 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\qalkfxor.btls (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{543c6090-cd1e-48f3-8814-aa3a42404e47} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{799a506e-49e6-4ce5-b1aa-7443abf39354} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{beb6b37a-bc8b-46b6-b59d-bf83429c7fc7} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qalkfxor.toolbar.1 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2bb89980-ccf8-4d24-9745-332d348d217e} (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6fa7926-488d-4ead-a71e-8c848d867e07} (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bf454f7a-8ab4-4f50-88c6-f22086662770} (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{14e1f47e-33ae-4a87-877c-91b58b3a2ce5} (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf454f7a-8ab4-4f50-88c6-f22086662770} (Adware.Vapsup) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7638711c-72e0-4c54-9480-8e7c3824f7e4} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{280869b4-b072-41ff-b764-74e34c012284} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{beb6b37a-bc8b-46b6-b59d-bf83429c7fc7} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\pdoskegl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rqbmvpso (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76477-OEM-0011903-00102) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\qalkfxor.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\rodqgpvlvnp.dll (Adware.Vapsup) -> Quarantined and deleted successfully.
C:\WINDOWS\ebtg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\pdoskegl.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\rvoelbxt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\rqbmvpso.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin.MR_NUMPTY\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin.MR_NUMPTY\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin.MR_NUMPTY\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carrie Hamer\Local Settings\Temp\lwpwer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Hamer\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carrie Hamer\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Hamer\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carrie Hamer\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Hamer\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carrie Hamer\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Hamer\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carrie Hamer\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin.MR_NUMPTY\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Hamer\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carrie Hamer\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin.MR_NUMPTY\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Hamer\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carrie Hamer\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin.MR_NUMPTY\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.


SAS log to follow.

#6 Johannes1961
  • Topic Starter

Posted 01 September 2008 - 12:12 PM

SAS Log as follows:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/31/2008 at 09:18 PM

Application Version : 4.20.1046

Core Rules Database Version : 3552
Trace Rules Database Version: 1540

Scan type : Complete Scan
Total Scan Time : 01:11:53

Memory items scanned : 209
Memory threats detected : 0
Registry items scanned : 5326
Registry threats detected : 0
File items scanned : 101987
File threats detected : 41

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@iacas.adbureau[1].txt
C:\Documents and Settings\Admin.MR_NUMPTY\Cookies\admin@ads.as4x.tmcs[1].txt
C:\Documents and Settings\Admin.MR_NUMPTY\Cookies\admin@ads.techguy[1].txt
C:\Documents and Settings\Admin.MR_NUMPTY\Cookies\admin@bannersng.yell[1].txt
C:\Documents and Settings\Admin.MR_NUMPTY\Cookies\admin@maxserving[2].txt
C:\Documents and Settings\Admin.MR_NUMPTY\Cookies\admin@specificclick[2].txt
C:\Documents and Settings\Ava Hamer\Cookies\ava_hamer@apmebf[2].txt
C:\Documents and Settings\Ava Hamer\Cookies\ava_hamer@popularscreensavers[2].txt
C:\Documents and Settings\Ava Hamer\Cookies\ava_hamer@specificclick[2].txt
C:\Documents and Settings\Ava Hamer\Cookies\ava_hamer@www3.addfreestats[1].txt
C:\Documents and Settings\Carrie Hamer\Cookies\carrie_hamer@www.safewebnavigate2008[1].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@a.websponsors[2].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@a.websponsors[3].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@ad.uk.tangozebra[1].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@adecn[1].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@ads.contactmusic[1].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@ads.revsci[1].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@adserveuk[2].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@apmebf[2].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@azjmp[2].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@boardgamesexpress[2].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@collective-media[1].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@hc2.humanclick[2].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@imrworldwide[2].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@media.adrevolver[1].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@media.bmgonline[2].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@media.mtvnservices[2].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@parentingteens.about[1].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@popularscreensavers[2].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@precisionclick[2].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@richmedia.yahoo[1].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@smileycentral[1].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@specificclick[2].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@test.koadserver[1].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@track.adform[1].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@www.eastsussex.gov[1].txt
C:\Documents and Settings\Gracie Hamer\Cookies\gracie_hamer@www6.addfreestats[1].txt
C:\Documents and Settings\Guest\Cookies\guest@apmebf[1].txt
C:\Documents and Settings\Guest\Cookies\guest@postclicktracking[1].txt
C:\Documents and Settings\Guest\Cookies\guest@tracker.netklix[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt

Thanks again in advance. I'll watch the post.

Regs, David

#7 quietman7

Posted 01 September 2008 - 01:18 PM

Rescan again with MBAM (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#8 quietman7

Posted 01 September 2008 - 01:20 PM

IMPORTANT NOTE: One or more of the identified infections (tdssserv.sys) was related to a nasty rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms, and they steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

#9 Johannes1961
  • Topic Starter

Posted 01 September 2008 - 02:23 PM

Yikes! You got my attention now!

The machine is a Dell 5150 - I believe that there is a partition on the hard drive with the installation CD contents on it. Given the nature of the malware found, would you consider this as an option or would it have to be a reformat and install from media?

Also, I have a lot of data on the machine. Is it possible to verify the data for malware before I back it off onto an external hard drive (which, by the way, I've backed onto previously, so I guess I ought to virus check and malware check this drive using mbam and SAS as well)?

I can cope with reinstalling from media (although not overjoyed), it's potential data loss that's my major concern.

Bah! My normal mode Admin account has lost internet access. And my regular user account through which I'm now accessing the internet can't read the location of mbam log file in Admin/My documents ...

So I'll have to log back to my admin account and copy the txt file to another location.

!!!! Back soon.

Edited by Johannes1961, 01 September 2008 - 02:34 PM.


#10 quietman7

Posted 01 September 2008 - 02:29 PM

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and What Do I Do? links I previously provided. As I already said, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you should back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some malware may disguise itself by adding and hiding its extension to the existing extension of other files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific recovery disk or recovery partition for performing a clean factory restore.

A Recovery Partition is used by some OEM manufacturers (Dell, HP, IBM, Gateway) instead of a recovery disk to store a complete copy of the hard disk's factory default contents for easy restoration. This consists of a hidden bootable partition containing various system recovery tools, including full recovery of the preinstalled Windows XP partition that will allow you to restore the computer to the state it was in when you first purchased it. The recovery software will then re-hide its own partition after creating a new partition and installing the software to it. You will lose all data and have to reinstall all programs that you added afterwards. This includes all security updates from Microsoft so you will need to download/install them again.

Recovery partitions may only work with a start-up floppy disk, or the user may be prompted immediately after the "Out Of Box Experience" (OOBE) to create backup CD-R disks for the software on the hard drive image for future use. Once the CDs are made, the Operating System, Drivers, or Applications can be reinstalled using the files on the hard drive or the backup CDs. Before using a recovery partition make sure you back up all your data, photos, etc. to another source such as a CD or external hard drive.

Some built-in recovery partitions can be accessed by hitting Ctrl+F11, just F11 or F10 during BIOS startup. Others, like those used by IBM Thinkpads, will display a message at bootup instructing you to press F11 to boot from the recovery partition. For more information, see Understanding Partition recovery.
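The back-up advice in the post above (leave autorun and .exe files behind, and read the full file name so a hidden second extension is not mistaken for a document) as an added check, not code from the thread or from BleepingComputer: a Python triage function that sorts a candidate file list into "copy" and "skip". The extension sets, the AUTORUN_NAMES set and the sample paths are assumptions constructed for this example; two of the sample paths are taken from the MBAM log posted earlier.

```python
"""Triage a list of files before copying them to a backup drive: leave
autorun and executable/launcher files behind, and look at the full name so a
hidden second extension (holiday.jpg.exe) is not mistaken for a data file.
Added example; not code from the thread."""
from typing import Dict, List, Optional

# Assumption: file types that run or launch something when opened. The post
# itself only names autorun and .exe; .url is included because the first MBAM
# log in the thread flagged rogue .url shortcuts on every desktop.
LAUNCHER_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                 ".js", ".wsf", ".hta", ".lnk", ".url"}
# Assumption: ordinary document/media types a user expects in a backup.
DATA_EXTS = {".doc", ".xls", ".ppt", ".pdf", ".txt", ".jpg", ".jpeg", ".png",
             ".gif", ".mp3", ".avi", ".zip"}
# The post says autorun.ini; Windows itself reads autorun.inf, so skip both.
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}


def split_name(path: str) -> List[str]:
    """Return the lower-cased file name split on dots (handles \\ and /)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower().split(".")


def classify(path: str) -> Optional[str]:
    """Return a reason to skip the file, or None if it looks like plain data."""
    parts = split_name(path)
    name = ".".join(parts)
    if name in AUTORUN_NAMES:
        return "autorun file: do not copy"
    if len(parts) < 2:
        return None  # no extension at all
    ext = "." + parts[-1]
    if ext not in LAUNCHER_EXTS:
        return None
    # With 'hide extensions for known file types' on, Explorer shows
    # 'holiday.jpg.exe' as 'holiday.jpg', so check the extension before last.
    if len(parts) >= 3 and "." + parts[-2] in DATA_EXTS:
        shown = ".".join(parts[:-1])
        return f"double extension: displayed as '{shown}' but is {ext}"
    return f"launcher/executable ({ext}): reinstall from original media instead"


def triage(paths: List[str]) -> Dict[str, List[str]]:
    """Split candidate paths into those safe to copy and those to leave behind."""
    result: Dict[str, List[str]] = {"copy": [], "skip": []}
    for p in paths:
        reason = classify(p)
        if reason is None:
            result["copy"].append(p)
        else:
            result["skip"].append(f"{p}  <- {reason}")
    return result


# Constructed sample: two paths from the MBAM log in the thread plus invented ones.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\David Hamer\My Documents\accounts 2008.xls",
    r"C:\Documents and Settings\David Hamer\Desktop\Error Cleaner.url",
    r"C:\Documents and Settings\Carrie Hamer\Local Settings\Temp\lwpwer.exe",
    r"E:\old backup\holiday.jpg.exe",
    r"E:\old backup\autorun.inf",
    r"C:\Documents and Settings\David Hamer\My Documents\notes.txt",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_PATHS).items():
        print(bucket)
        for item in items:
            print("  " + item)
```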

#11 Johannes1961
  • Topic Starter

Posted 01 September 2008 - 02:32 PM

mbam logfile:

Malwarebytes' Anti-Malware 1.25
Database version: 1101
Windows 5.1.2600 Service Pack 2

20:04:32 01/09/2008
mbam-log-09-01-2008 (20-04-18).txt

Scan type: Quick Scan
Objects scanned: 70314
Time elapsed: 11 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 15
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (HH:mm:ss) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



I guess my plan would be to reinstall. To do this I need as much safe access to the file structure as possible to ensure that I pick up all the data from the machine, i.e. no silly hidden folder structures etc. So I need to get the machine to a safe and reliable state to back up onto my external drive. I don't think I'm quite there yet though.

Regards, David
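The Quick Scan log above lists the registry policy values the malware flipped, and they line up with the symptoms David described at the start (C: drive missing from the desktop, Start menu entries gone, Task Manager "denied by the administrator", "VIRUS ALERT!" in the clock). As an added example that is not part of the thread, this Python script parses those "Registry Data Items Infected" lines and explains each one; the sample lines are copied from the posted log, while the NoDrives bitmask decoding and the POLICY_EFFECT table are standard Windows Explorer policy semantics that the log itself does not state.

```python
"""Parse the 'Registry Data Items Infected' section of a Malwarebytes 1.x log
and map each hijacked value to the user-visible symptom it causes.
Added example; not code from the thread or from Malwarebytes."""
import re
from dataclasses import dataclass
from typing import Dict, List

# One Malwarebytes 1.x registry-data line looks like:
#   <key> (<category>) -> Bad: (<bad>) Good: (<good>) -> <action>
LINE_RE = re.compile(
    r"^(?P<key>HKEY_[^()]+?) \((?P<category>[\w.]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.*)$"
)

# Constructed sample: a subset of the lines from the Quick Scan log above,
# copied as posted (the full log has 15 such entries).
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> No action taken.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (HH:mm:ss) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)
"""


@dataclass
class Finding:
    key: str
    category: str
    bad: str
    good: str
    action: str

    @property
    def value_name(self) -> str:
        """Last path component of the registry key, e.g. 'NoDrives'."""
        return self.key.rsplit("\\", 1)[-1]


def parse_registry_data(log_text: str) -> List[Finding]:
    """Return only the entries under 'Registry Data Items Infected:'."""
    findings: List[Finding] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):  # section header (no count after it)
            in_section = line.startswith("Registry Data Items")
            continue
        if not in_section or not line:
            continue
        m = LINE_RE.match(line)
        if m:
            findings.append(Finding(**m.groupdict()))
    return findings


def decode_nodrives(mask: int) -> List[str]:
    """NoDrives is a 26-bit mask: bit 0 hides A:, bit 1 hides B:, bit 2 hides C: ..."""
    return [chr(ord("A") + bit) for bit in range(26) if mask & (1 << bit)]


# Explorer/System policy values that lock the user out, with the symptom
# each one produces. Values not listed get a generic description.
POLICY_EFFECT: Dict[str, str] = {
    "DisableTaskMgr": "Task Manager blocked ('denied by the administrator')",
    "NoDispCPL": "Display Properties blocked",
    "NoStartMenuMorePrograms": "All Programs list removed from the Start menu",
    "StartMenuLogOff": "Log Off removed from the Start menu",
    "NoSetFolders": "Settings folders removed from the Start menu",
    "NoToolbarCustomize": "Explorer toolbar customisation blocked",
    "sTimeFormat": "text appended to the clock in the notification area",
    "Start Page": "Internet Explorer home page redirected",
}


def explain(f: Finding) -> str:
    """Turn one finding into a one-line symptom description."""
    name = f.value_name
    if name == "NoDrives":
        hidden = decode_nodrives(int(f.bad))
        return f"NoDrives={f.bad}: drives {', '.join(hidden)} hidden from Explorer"
    if name.startswith("Start_Show") and f.bad == "0":
        return f"{name}=0: '{name[len('Start_Show'):]}' hidden from the Start menu"
    effect = POLICY_EFFECT.get(name, "policy value changed")
    return f"{name}={f.bad!r} (good: {f.good!r}): {effect}"


def triage_log(log_text: str) -> List[str]:
    """Explain every registry-data finding the scan left untouched."""
    return [explain(f) for f in parse_registry_data(log_text)
            if f.action.startswith("No action taken")]


if __name__ == "__main__":
    for line in triage_log(SAMPLE_LOG):
        print(line)
```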

#12 quietman7

Posted 01 September 2008 - 02:41 PM

That's the decision I would have made if this were my system.

For a Dell computer, see:
PC Restore.
Inside the Dell PC Restore Partition: DSR.
Restoring Your Computer's Software to the Factory Settings.

If you need additional assistance with this, you can start a new topic in the Windows XP Home and Professional forum.

#13 Johannes1961
  • Topic Starter

Posted 01 September 2008 - 02:51 PM

I use the machine for my business as does my wife. And it has been left on connected to the internet for long periods of time during the day over the last year. Given the type of malware it seems the only sensible thing to do.

Is there anything in the last mbam log that suggests I might do something more to create a more stable system? Or do you think I'm better off spending time preparing to back off the data etc.?

Also, this whole malware thing has completely surprised me; I thought that with a firewall running (OK, it's Microsoft!) and antivirus I was covered. What sort of product should I be looking to install on my PC following this 'episode' to help prevent this happening again? Something like SAS or Malwarebytes running in realtime or with a scheduler?

Also, will the Dell factory restore process be good enough? Earlier you mentioned the need to reformat the hard disk...

Thanks, David

Edited by Johannes1961, 01 September 2008 - 03:02 PM.


#14 quietman7

Posted 01 September 2008 - 03:02 PM

We can do a more thorough investigation and use more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a HijackThis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 9 there are instructions for downloading the HijackThis Installer and creating a log. This is an automatic setup version which will install the program in the proper location.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

While waiting you can read these Tips to protect yourself against malware and reduce the potential for re-infection:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1 & Part 2".
"IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".

#15 Johannes1961
  • Topic Starter

Posted 01 September 2008 - 04:33 PM

Thanks for your help on this, it's been an education.

Will read and post Hijack log tomorrow evening... it's getting late here in the UK.

By the way, it looks like I have to run mbam on quick scan on every user. Is this the case?

Cheers. David



