Troj_wimad.at How Do I Remove This?



#1 johnnybravoo77


Posted 09 September 2008 - 03:15 PM

I had a ton of viruses and trojans on my computer and started having some major issues. Long story short, I ran spybot, mbam, and housecall. Seems that most of the problems are gone, but housecall still shows this trojan, and it says it can't delete it. I could see what folder it was in, but not which file. I re-scanned the folder with spybot and mbam but they detected nothing. My computer is running really slow; is this the cause? Does housecall quarantine the trojan? Any help is appreciated. Also, I am running IE 7, XP media center edition with sp2, I have not updated to sp3 for fear of making things worse.


#2 boopme


Posted 09 September 2008 - 07:03 PM

Hello and welcome. Would you post the Malwarebytes scan log please.

I'm going with you having an XP computer.

Next run these 2 tools.

Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from the icon, install and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post the 2 logs and let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 johnnybravoo77


Posted 09 September 2008 - 07:40 PM

Here is the mbam log. I will now download and run the other programs.



Malwarebytes' Anti-Malware 1.27
Database version: 1134
Windows 5.1.2600 Service Pack 2

9/9/2008 8:38:41 PM
mbam-log-2008-09-09 (20-38-41).txt

Scan type: Quick Scan
Objects scanned: 54852
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 boopme


Posted 09 September 2008 - 08:29 PM

Ok thanks, I wanted to see if you had the latest version and actually to see if you had any very serious malware. Will await the SAS scan.

#5 johnnybravoo77


Posted 09 September 2008 - 09:18 PM

THANK YOU! Ok, ran ATF and SAS per instructions; computer is faster than new (so far)! Just a few questions: what free anti-spyware, anti-virus, everything should I keep running? Teatimer is running and Windows firewall, that's it. It took three days to get rid of everything on my computer, and some programs seem to make it worse! Here is the SAS log, thanks again! Please recommend anything else that may be necessary to keep out the bad stuff.

Edit: One more thing, is it safe to go ahead with Service pack 3?



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/09/2008 at 09:57 PM

Application Version : 4.21.1004

Core Rules Database Version : 3561
Trace Rules Database Version: 1549

Scan type : Complete Scan
Total Scan Time : 00:53:46

Memory items scanned : 177
Memory threats detected : 0
Registry items scanned : 6669
Registry threats detected : 3
File items scanned : 100650
File threats detected : 4

Trojan.DNSChanger-Codec
HKU\S-1-5-21-2762561686-3659489523-95602663-1006\Software\uninstall

Trojan.Unclassified/BraviaX
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run#braviax [ C:\WINDOWS\system32\braviax.exe ]
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run#braviax [ C:\WINDOWS\system32\braviax.exe ]

Adware.MyWebSearch
C:\PROGRAM FILES\NETSPY PROTECTOR\QUARANTIE\3-27-2007-4-02-23-AM\6E4486A2-393D-472D-8F03-194EADE369B2\MWSOEMON.EXE

Rootkit.Buritos/Beep-Fake
C:\SDFIX\BACKUPS\BEEP.SYS
C:\SDFIX\BACKUPS_OLD2\BEEP.SYS

Trojan.Rootkit-Murka
C:\WINDOWS\MEDICHI2.EXE

Edited by johnnybravoo77, 09 September 2008 - 09:24 PM.


#6 boopme


Posted 09 September 2008 - 09:39 PM

Hey looking pretty good. Have you run SDFix?

#7 johnnybravoo77


Posted 09 September 2008 - 11:41 PM

I ran sdfix before, but it didn't seem to be working properly. I just ran it again, here's the log:


SDFix: Version 1.222
Run by Keri

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
WINWH85
lanmandrv
WINGG54

Path :

WINWH85 - Deleted
lanmandrv - Deleted
WINGG54 - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\dllcache\beep.sys" 27648 09/06/2008 02:29 PM
"C:\WINDOWS\system32\drivers\beep.sys" 27648 09/06/2008 02:29 PM

Infected File Listed Below:

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys

File copied to Backups Folder
Attempting to replace beep.sys with original version



Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\dllcache\beep.sys" 27648 09/06/2008 02:29 PM
"C:\WINDOWS\system32\drivers\beep.sys" 27648 09/06/2008 02:29 PM
"C:\WINDOWS\system32\dllcache\beep.sys" 27648 09/07/2008 03:24 PM
"C:\WINDOWS\system32\drivers\beep.sys" 27648 09/07/2008 03:24 PM

Infected File Listed Below:

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys

File copied to Backups Folder
Attempting to replace beep.sys with original version



Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\dllcache\beep.sys" 27648 09/06/2008 02:29 PM
"C:\WINDOWS\system32\drivers\beep.sys" 27648 09/06/2008 02:29 PM
"C:\WINDOWS\system32\dllcache\beep.sys" 27648 09/07/2008 03:24 PM
"C:\WINDOWS\system32\drivers\beep.sys" 27648 09/07/2008 03:24 PM
"C:\WINDOWS\system32\dllcache\beep.sys" 4224 08/10/2004 07:00 AM

Infected File Listed Below:

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys

File copied to Backups Folder
Attempting to replace beep.sys with original version


Original beep.sys Restored

"C:\WINDOWS\system32\dllcache\beep.sys" 4224 08/07/2008 04:27 PM
"C:\WINDOWS\system32\drivers\beep.sys" 4224 08/07/2008 04:27 PM



Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\drivers\WINWH85.sys - Deleted
C:\WINDOWS\system32\drivers\WINGG54.sys - Deleted



Folder C:\Documents and Settings\Keri


The below files have been patched by Trojan.Agent to load users32.dat and should be replaced:

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-10 00:32:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"="C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe:*:Disabled:Adobe Photoshop Elements Media Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRES.EXE"="C:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRES.EXE:*:Enabled:Age of Empires"
"C:\\Program Files\\Motorola\\iDEN WebJAL\\WebJAL.exe"="C:\\Program Files\\Motorola\\iDEN WebJAL\\WebJAL.exe:*:Enabled:iDEN WebJAL"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 5 Nov 2006 88 A.SHR --- "C:\i386\8E2AA4D036.sys"
Sun 5 Nov 2006 3,764 A.SH. --- "C:\i386\KGyGaAvL.sys"
Fri 12 Oct 2007 31 A..H. --- "C:\WINDOWS\uccspecc.sys"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 5 Nov 2006 88 ..SHR --- "C:\WINDOWS\system32\8E2AA4D036.sys"
Sun 5 Nov 2006 3,764 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 5 Nov 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 30 Nov 2006 1,105,920 ...H. --- "C:\Program Files\PopCap Games\Chuzzle Deluxe\popcapgame1.exe"
Tue 10 Jul 2007 1,105,920 ...H. --- "C:\Program Files\PopCap Games\Chuzzle Deluxe\popcapgame2.exe"
Tue 27 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 5 Nov 2006 4,348 A.SH. --- "C:\Documents and Settings\Keri&John\My Documents\My Music\License Backup\drmv1key.bak"
Fri 16 Mar 2007 11,115 A.SH. --- "C:\Documents and Settings\Keri&John\My Documents\My Music\License Backup\drmv2key.bak"
Wed 1 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 1 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 1 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Wed 1 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Wed 1 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"

Finished!

#8 quietman7


Posted 10 September 2008 - 10:12 AM

Please download OTMoveIt2 by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt2.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

[kill explorer]
C:\WINDOWS\uccspecc.sys
EmptyTemp
[start explorer]

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders.


Be aware of the section in the SDFix log pertaining to:

The below files have been patched by Trojan.Agent to load users32.dat and should be replaced:


IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and stealing sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

• "When should I re-format? How should I reinstall?"
• "Help: I Got Hacked. Now What Do I Do?"
• "Where to draw the line? When to recommend a format and reinstall?"
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
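The SDFix log quoted in post #7 is long enough that a small parser helps when reading it. The following is an added example, not code from this thread or from SDFix: it pulls out the "beep.sys File Locations", "Original beep.sys Restored", "Trojan Files Found" and "patched by Trojan.Agent" sections, deduplicates the repeated replacement list that quietman7 points to, and flags the driver copies whose size differs from the one SDFix restored (27648 bytes for the fake beep.sys against 4224 for the original). The embedded sample is constructed from the format of that log.

```python
"""Triage helper for SDFix-style logs like the one posted above.

Added example, not part of the thread and not SDFix's own code.  It pulls
out the sections a responder reads first and flags driver copies whose size
differs from the copy SDFix restored.
"""
import re
from collections import OrderedDict

# Matches: "C:\WINDOWS\system32\drivers\beep.sys" 27648 09/06/2008 02:29 PM
FILE_LINE = re.compile(r'^"(?P<path>[^"]+)"\s+(?P<size>\d+)\s+(?P<stamp>.+)$')
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")

# Section headings as SDFix prints them, mapped to a parser mode.
HEADINGS = {
    "beep.sys File Locations:": "locations",
    "Original beep.sys Restored": "restored",
    "Trojan Files Found:": "deleted",
}

# Constructed sample in the format of the log above (paths and sizes taken
# from that log, cut down to a few lines).
SAMPLE_LOG = r"""
Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\dllcache\beep.sys" 27648 09/06/2008 02:29 PM
"C:\WINDOWS\system32\drivers\beep.sys" 27648 09/06/2008 02:29 PM
"C:\WINDOWS\system32\dllcache\beep.sys" 4224 08/10/2004 07:00 AM

Original beep.sys Restored

"C:\WINDOWS\system32\dllcache\beep.sys" 4224 08/07/2008 04:27 PM
"C:\WINDOWS\system32\drivers\beep.sys" 4224 08/07/2008 04:27 PM

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\drivers\WINWH85.sys - Deleted

The below files have been patched by Trojan.Agent to load users32.dat and should be replaced:

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
"""


def parse_sdfix_log(text):
    """One pass over the log: a heading opens a section, and any line that
    does not fit that section's entry format closes it again."""
    seen = []                # (path, size, stamp) under "File Locations"
    restored = {}            # path -> size after SDFix put the driver back
    patched = OrderedDict()  # ordered set: SDFix repeats this list per pass
    deleted = []             # trojan files SDFix removed
    mode = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADINGS:
            mode = HEADINGS[line]
            continue
        if line.startswith("The below files have been patched by"):
            mode = "patched"
            continue
        m = FILE_LINE.match(line)
        if mode == "locations" and m:
            seen.append((m["path"], int(m["size"]), m["stamp"]))
        elif mode == "restored" and m:
            restored[m["path"]] = int(m["size"])
        elif mode == "deleted" and line.endswith(" - Deleted"):
            deleted.append(line[: -len(" - Deleted")])
        elif mode == "patched" and DRIVE_PATH.match(line):
            patched[line] = True   # duplicates collapse here
        else:
            mode = None          # anything else ends the current section
    return {"seen": seen, "restored": restored,
            "patched": list(patched), "deleted": deleted}


def suspicious_copies(parsed):
    """Entries whose size differs from what SDFix restored at that path."""
    restored = parsed["restored"]
    return [e for e in parsed["seen"]
            if e[0] in restored and e[1] != restored[e[0]]]


if __name__ == "__main__":
    result = parse_sdfix_log(SAMPLE_LOG)
    for path, size, stamp in suspicious_copies(result):
        print(f"size mismatch: {path} is {size} bytes ({stamp})")
    print("replace:", *result["patched"], sep="\n  ")
```

Pointed at a full SDFix log, the same parser gives the responder the deduplicated replacement checklist and the timestamps of the bad driver copies in one step.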

#9 johnnybravoo77


Posted 10 September 2008 - 10:59 AM

Here is the OT Moveit! log:

Explorer killed successfully
C:\WINDOWS\uccspecc.sys moved successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\KERI&J~1\LOCALS~1\Temp\IadHide5.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\KERI&J~1\LOCALS~1\Temp\~DF9DA1.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\KERI&J~1\LOCALS~1\Temp\~DF9DAE.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\KERI&J~1\LOCALS~1\Temp\hsperfdata_Keri&John\3060 scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully
File/Folder not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09102008_115027

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\DOCUME~1\KERI&J~1\LOCALS~1\Temp\IadHide5.dll
C:\DOCUME~1\KERI&J~1\LOCALS~1\Temp\IadHide5.dll NOT unregistered.
C:\DOCUME~1\KERI&J~1\LOCALS~1\Temp\IadHide5.dll moved successfully.
File C:\DOCUME~1\KERI&J~1\LOCALS~1\Temp\~DF9DA1.tmp not found!
File C:\DOCUME~1\KERI&J~1\LOCALS~1\Temp\~DF9DAE.tmp not found!
File C:\DOCUME~1\KERI&J~1\LOCALS~1\Temp\hsperfdata_Keri&John\3060 not found!

#10 quietman7


Posted 10 September 2008 - 11:08 AM

How is your computer running now? Any more reports/signs of infection?

Did you reinstall your programs?

#11 johnnybravoo77


Posted 10 September 2008 - 11:27 AM

The computer runs like new! No programs to reinstall, in fact I went through and deleted a lot of unused programs. I believe the only thing I need advice with is, 1: What anti-virus should I keep running (preferably free) and 2: is it safe to update to service pack 3? Also, is a re-format, re-install something to consider? This is just a family computer, only one debit card is used online, which I can cancel with a phone call and be reimbursed any charges. My credit is so bad right now that I would let someone have my identity so the bill collectors call them instead of me! Thanks for everyone's help!

#12 quietman7


Posted 10 September 2008 - 11:43 AM

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and What Do I Do? links I previously provided. As I already said, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS removes everything and is the safest action but I cannot make that decision for you.

If you're not going to reformat, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.

Tips to protect yourself against malware and reduce the potential for re-infection:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".

• Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Free Antivirus programs: (choose and install only one)
avast! 4 Home Edition (comes with built-in anti-rootkit and anti-spyware protection)
Avira AntiVir Personal - Free Antivirus (provides some rootkit detection and removal)
AVG Anti-Virus Free Edition 8.0
RISING Antivirus Free Edition

And yes, you should update to SP3 and all critical patches that have been released since then. Using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.

See the thread "Windows Xp Service Pack 3 (sp3) Information".

#13 johnnybravoo77


Posted 10 September 2008 - 01:25 PM

Thanks again for the help! :thumbsup:

#14 quietman7


Posted 10 September 2008 - 01:27 PM

You're welcome. :thumbsup:



