Virus Taken Over User/administrator Acct

6 replies to this topic

#1 pburrier

  • Members
  • 44 posts

Posted 16 September 2008 - 08:23 PM

Hi, folks ... my brother's computer was infected by some kind of virus that took over his user account and will not allow him to attempt to go to any of the standard anti-virus/malware sites such as PandaScan, Trend Micro etc. It redirects him away from each, including when trying to come into Bleeping for help. Any suggestions?

He is running Windows XP release 3 ... normally uses Mozilla but also has the same problem in Windows IE. This nasty thing also will not allow him to get to the Microsoft Windows website. The monster inevitably says it's "redirecting his browser."

I appreciate as always the superb assistance from bleeping and am contacting on his behalf. Please advise what you may want or need me to provide to assist with getting rid of this nasty thing.

Thank you, Pburrier

UPDATE 9/17/07 HERE ARE MORE SPECIFICS .... I HOPE THEY CAN HELP.

Here's the full scan report from this AM. The two remaining problems are way down at the bottom and underlined...



Avira AntiVir Personal
Report file date: Wednesday, September 17, 2008 10:03

Scanning for 1619498 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: WIN3-0

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 8/12/2008 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 7/19/2008 14:00:00
AVSCAN.DLL : 8.1.4.0 40705 Bytes 7/19/2008 14:00:00
LUKE.DLL : 8.1.4.5 164097 Bytes 7/19/2008 14:00:01
LUKERES.DLL : 8.1.4.0 12033 Bytes 7/19/2008 14:00:01
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 17:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 01:00:39
ANTIVIR2.VDF : 7.0.6.153 3341312 Bytes 9/12/2008 23:22:47
ANTIVIR3.VDF : 7.0.6.166 109056 Bytes 9/16/2008 21:51:02
Engineversion : 8.1.1.28
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 16:58:21
AESCRIPT.DLL : 8.1.0.70 319866 Bytes 9/3/2008 23:21:15
AESCN.DLL : 8.1.0.23 119156 Bytes 7/19/2008 14:00:01
AERDL.DLL : 8.1.1.1 397683 Bytes 9/3/2008 23:21:13
AEPACK.DLL : 8.1.2.1 364917 Bytes 7/19/2008 14:00:01
AEOFFICE.DLL : 8.1.0.23 196987 Bytes 9/3/2008 23:21:11
AEHEUR.DLL : 8.1.0.51 1397111 Bytes 9/3/2008 23:21:09
AEHELP.DLL : 8.1.0.15 115063 Bytes 5/29/2008 15:44:40
AEGEN.DLL : 8.1.0.36 315764 Bytes 8/19/2008 00:25:44
AEEMU.DLL : 8.1.0.7 430452 Bytes 8/31/2008 20:16:22
AECORE.DLL : 8.1.1.11 172406 Bytes 9/3/2008 23:21:03
AEBB.DLL : 8.1.0.1 53617 Bytes 7/19/2008 14:00:01
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/19/2008 14:00:00
AVPREF.DLL : 8.0.2.0 38657 Bytes 7/19/2008 14:00:00
AVREP.DLL : 8.0.0.2 98344 Bytes 8/31/2008 20:16:17
AVREG.DLL : 8.0.0.1 33537 Bytes 7/19/2008 14:00:00
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 7/19/2008 14:00:00
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 7/19/2008 14:00:01
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 7/19/2008 13:59:54
RCTEXT.DLL : 8.0.52.0 86273 Bytes 7/19/2008 13:59:54

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: off
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Wednesday, September 17, 2008 10:03

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'RBroker.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'soffice.bin' - '1' Module(s) have been scanned
Scan process 'soffice.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '48' files ).


Starting the file scan:

Begin scan in 'C:\'

C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!


End of the scan: Wednesday, September 17, 2008 10:44
Used time: 40:37 Minute(s)

The scan has been done completely.

7131 Scanning directories
72907 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
72905 Files not concerned
0 Archives were scanned
2 Warnings
0 Notes

Edited by boopme, 20 September 2008 - 08:44 PM.
Cleaned tags



#2 rigel

    FD-BC

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 17 September 2008 - 04:50 PM

Welcome to BleepingComputer,

Please download Malwarebytes to your computer - along with the updates - and then transfer it via flash drive / CD to your brother's computer.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 pburrier
  • Topic Starter

  • Members
  • 44 posts

Posted 19 September 2008 - 03:04 PM

Hello Rigel,

I appreciate your suggestions and went and bought a flash drive this a.m. - downloaded the program and delivered it to my bro.

Here are the results from the test. I look forward to getting him some help as he is distraught and miserable about his computer.

***********************************************************************************************************
Patty, here's the report


Malwarebytes' Anti-Malware 1.28
Database version: 1176
Windows 5.1.2600 Service Pack 3

9/19/2008 12:51:21 PM
mbam-log-2008-09-19 (12-51-09).txt

Scan type: Quick Scan
Objects scanned: 51275
Time elapsed: 5 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> No action taken.
C:\Documents and Settings\mpg\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\mpg\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\mpg\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\mpg\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\mpg\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\mpg\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\mpg\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) -> No action taken.


Then he added this note:
Soon after this I got a OneCare message popping up that said I had two trojans: win32/Alureon.gen!N and win32/Alureon.AW, then a trojan dropper at win32/Alureon.J and lastly a backdoor at winnt/Nuwar.D!sys

and when I went to send you email I found that my Outlook Express email address book has either been whited out (but I don't think so) or all the entries were deleted. Your address was the first one I added but it said you already exist. I added it anyway and bingo, you really are the first in my brand new address book.

Edited by pburrier, 19 September 2008 - 03:06 PM.


#4 rigel

    FD-BC

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 19 September 2008 - 04:12 PM

We have a problem. This file: C:\WINDOWS\system32\drivers\tdssserv.sys is the sign of a very nasty rootkit.

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms, and they steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.

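The MBAM log in post #3 is what rigel is reading when he singles out tdssserv.sys: a detection under system32\drivers with a .sys extension is a kernel-mode driver, which is the rootkit component the note above describes. The following is an added example, not code from this thread or from Malwarebytes, showing how a responder can parse an MBAM log of this shape and triage its entries automatically. The parser, the triage categories (registry-persistence, kernel-driver, temp-dropper, other) and the function names are my own; the log excerpt is copied from post #3, trimmed to a few representative lines, and every line in it still reports "No action taken", which the triage also surfaces.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM) log and triage its findings.

Hypothetical helper written for this thread; it is not part of MBAM.
The log excerpt below is copied (and shortened) from post #3 above.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Lines copied from the MBAM log posted in this thread (excerpt, not constructed).
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.28
Database version: 1176
Windows 5.1.2600 Service Pack 3

Registry Keys Infected: 2
Files Infected: 16

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> No action taken.
C:\Documents and Settings\mpg\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) -> No action taken.
"""

# A section header ends with a colon ("Files Infected:"); the summary lines
# near the top ("Files Infected: 16") do not, so they are skipped.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# One finding: "<item> (<detection name>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# A .sys file inside a drivers directory is a kernel-mode component.
KERNEL_DRIVER_RE = re.compile(r"\\drivers\\[^\\]+\.sys$", re.IGNORECASE)
# Files in the per-user Temp directory are typical dropper/downloader leftovers.
TEMP_DIR_RE = re.compile(r"\\Local Settings\\Temp\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    item: str
    detection: str
    action: str

    @property
    def category(self) -> str:
        """Coarse triage bucket (labels are this example's own, not MBAM's)."""
        if self.section.startswith("Registry"):
            return "registry-persistence"
        if KERNEL_DRIVER_RE.search(self.item):
            return "kernel-driver"
        if TEMP_DIR_RE.search(self.item):
            return "temp-dropper"
        return "other"

    @property
    def removed(self) -> bool:
        """True unless MBAM recorded that nothing was done with the item."""
        return self.action.lower() != "no action taken"


def parse_mbam_log(text: str) -> List[Finding]:
    """Walk the log line by line, tracking the current section."""
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        entry = ENTRY_RE.match(line)
        if entry and section:
            findings.append(Finding(section, entry.group("item"),
                                    entry.group("detection"), entry.group("action")))
    return findings


def triage(text: str) -> Dict[str, object]:
    """Summarise a log: counts per bucket, driver paths, and how many items were left alone."""
    findings = parse_mbam_log(text)
    by_category = Counter(f.category for f in findings)
    return {
        "total": len(findings),
        "by_category": dict(by_category),
        "kernel_drivers": [f.item for f in findings if f.category == "kernel-driver"],
        "not_removed": sum(1 for f in findings if not f.removed),
        "rootkit_suspected": by_category["kernel-driver"] > 0,
    }


if __name__ == "__main__":
    for key, value in triage(MBAM_LOG).items():
        print(f"{key}: {value}")
```

On the excerpt above this reports one kernel driver (the tdssserv.sys entry), two registry keys and six items in total with "No action taken", which is the same reading rigel gives the full log: a driver-level detection that MBAM's quick scan logged but did not remove.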


#5 pburrier
  • Topic Starter

  • Members
  • 44 posts

Posted 20 September 2008 - 08:03 PM

Well Rigel,

I followed your directions and took a 4gb flash drive and some cd/rw's and he backed up what document files he could.

My brother proceeded to reformat the drive, and then when it came to checking the capacity after reformatting, the 40gb showed only 38 gb total available. He is suspicious of something still taking that area, or is that normal?

He also suspects, from when he plugged in the flash drive to look at it in Explorer, that although it opened nothing, his files are tainted already.

When he reboots and the Windows screen comes up it doesn't offer him both the administrator and guest user options to choose from, but when he looks in it says there is a guest user already on board, and yet he cannot find it or see it anywhere.

He doesn't know if he has to trash this drive, the flash drive and cd's or just what to do next.

He has no internet service etc as nothing has set up yet.

He has questions regarding partitioning but I will look that up in a tutorial. If I cannot find my answer I will edit this note asking you.

I appreciate your time and candid honesty regarding what we should do from here. He would like to try to get ahold of Microsoft because he thinks they may be interested in having his laptop to address this. I am uncertain as to what to say about any of that.

Thank you and I look forward to your response.

Patty Burrier

#6 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 20 September 2008 - 11:06 PM

http://www.bleepingcomputer.com/forums/ind...st&p=798468

Read this link about using a USB drive with an infected computer.
Chewy

No. Try not. Do... or do not. There is no try.

#7 rigel

    FD-BC

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 21 September 2008 - 12:50 PM

In addition to what Chewy suggested, you can also run an on-demand scan using the anti-virus package you have installed. That brings up a question. Did your brother load and update Windows - and - load and update anti-virus programs before he accessed the flash drive?

When he reboots and the Windows screen comes up it doesn't offer him both the administrator and guest user options to choose from, but when he looks in it says there is a guest user already on board, and yet he cannot find it or see it anywhere.

Try it booting into safe mode. If you go under user accounts, it should show the guest account. You can access that account and disable it. I also recommend creating a new user account that is classified as an administrator.

He doesn't know if he has to trash this drive, the flash drive and cd's or just what to do next.

No. Do not trash the drives. If you have the original Windows CD, you can delete the current partitions and repartition the drives. Worst case, use Active@ Kill Disk - Hard Drive Eraser and completely wipe the drive. Then reload your OS.

He would like to try to get ahold of Microsoft because he thinks they may be interested in having his laptop to address this. I am uncertain as to what to say about any of that.

They already know. The malware community is very close knit. Once something is discovered, the individual teams come up with solutions to deal with the infection. A lot of the people that deal with these malware infections have ties to Microsoft.
