Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I know I was infected. How do I confirm I am now clean?


  • Please log in to reply
13 replies to this topic

#1 Dr.B

Dr.B

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:09 PM

Posted 18 December 2008 - 09:40 PM

This is my first post to this forum, so I appologize in advance if I left something out. This is also my first virus headache with this computer after three years of safe computing. I picked up some viruses through the internet. I am using Windows XP media edition Service Pack 3. I have McAfee virus scanner. The first thing I noticed was that my internet browser froze when I went to a specific site. My virus scanner found some viruses and alerted me. Below is from the log of my virusscan

12/14/2008 8:00:39 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\SYSTEM32\DRIVERS\TDSSpqlt.sys Generic.dx
12/14/2008 8:01:39 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\SYSTEM32\TDSSbrsr.dll FakeAlert-AG.gen.a
12/14/2008 8:01:51 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\SYSTEM32\TDSSoiqh.dll Generic.dx
12/14/2008 8:01:55 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\SYSTEM32\TDSSriqp.dll FakeAlert-AG.gen.a
12/14/2008 8:02:28 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\Temp\TDSSaeec.tmp Generic.dx

12/14/2008 10:00:46 PM Statistics:
12/14/2008 10:00:46 PM Files scanned: 67597
12/14/2008 10:00:46 PM Files infected: 5
12/14/2008 10:00:46 PM Files cleaned: 0
12/14/2008 10:00:46 PM Files deleted: 5
12/14/2008 10:00:46 PM Files moved: 0


12/15/2008 7:32:17 AM Statistics:
12/15/2008 7:32:17 AM Files scanned: 827
12/15/2008 7:32:17 AM Files infected: 0
12/15/2008 7:32:17 AM Files cleaned: 0
12/15/2008 7:32:17 AM Files deleted: 0
12/15/2008 7:32:17 AM Files moved: 0

12/15/2008 10:29:50 PM Deleted FASTDAVE\Dave Bender C:\Documents and Settings\Dave Bender\Local Settings\Temp\TDSS8701.tmp Generic.dx
12/15/2008 10:30:01 PM Move failed (Clean failed) FASTDAVE\Dave Bender C:\Documents and Settings\Dave Bender\Local Settings\Temp\TDSSdb80.tmp Generic.dx

12/15/2008 11:38:22 PM Statistics:
12/15/2008 11:38:22 PM Files scanned: 12080
12/15/2008 11:38:22 PM Files infected: 2
12/15/2008 11:38:22 PM Files cleaned: 0
12/15/2008 11:38:22 PM Files deleted: 1
12/15/2008 11:38:22 PM Files moved: 0


12/16/2008 7:51:17 PM Statistics:
12/16/2008 7:51:17 PM Files scanned: 2
12/16/2008 7:51:17 PM Files infected: 0
12/16/2008 7:51:17 PM Files cleaned: 0
12/16/2008 7:51:17 PM Files deleted: 0
12/16/2008 7:51:17 PM Files moved: 0


12/17/2008 11:54:40 PM Statistics:
12/17/2008 11:54:40 PM Files scanned: 1
12/17/2008 11:54:40 PM Files infected: 0
12/17/2008 11:54:40 PM Files cleaned: 0
12/17/2008 11:54:40 PM Files deleted: 0
12/17/2008 11:54:40 PM Files moved: 0

12/18/2008 12:01:54 AM Deleted FASTDAVE\Dave Bender C:\Documents and Settings\Dave Bender\Local Settings\Temp\TDSSdb80.tmp Generic.dx
12/18/2008 12:29:42 AM Deleted FASTDAVE\Dave Bender C:\quarantine\TDSSdb80.tmp.Vir Generic.dx
12/18/2008 12:33:19 AM Deleted FASTDAVE\Dave Bender C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP993\A0132088.sys Generic.dx
12/18/2008 12:33:19 AM Deleted FASTDAVE\Dave Bender C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP993\A0132089.dll FakeAlert-AG.gen.a
12/18/2008 12:33:26 AM Deleted FASTDAVE\Dave Bender C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP993\A0132090.dll Generic.dx
12/18/2008 12:33:27 AM Deleted FASTDAVE\Dave Bender C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP993\A0132091.dll FakeAlert-AG.gen.a
12/18/2008 12:44:07 AM Deleted FASTDAVE\Dave Bender C:\WINDOWS\SYSTEM32\TDSShrxr.dll FakeAlert-AG.gen.a
12/18/2008 12:44:07 AM Deleted FASTDAVE\Dave Bender C:\WINDOWS\SYSTEM32\TDSSmtql.dll FakeAlert-AG.gen.a
12/18/2008 12:44:14 AM Deleted FASTDAVE\Dave Bender C:\WINDOWS\SYSTEM32\TDSSoiqt.dll Generic.dx
12/18/2008 12:44:42 AM Deleted FASTDAVE\Dave Bender C:\WINDOWS\SYSTEM32\DRIVERS\TDSSpqlt.sys Generic.dx

12/18/2008 12:50:35 AM Statistics:
12/18/2008 12:50:35 AM Files scanned: 75674
12/18/2008 12:50:35 AM Files infected: 10
12/18/2008 12:50:35 AM Files cleaned: 0
12/18/2008 12:50:35 AM Files deleted: 10
12/18/2008 12:50:35 AM Files moved: 0


12/18/2008 3:05:21 AM Statistics:
12/18/2008 3:05:21 AM Files scanned: 146643
12/18/2008 3:05:21 AM Files infected: 0
12/18/2008 3:05:21 AM Files cleaned: 0
12/18/2008 3:05:21 AM Files deleted: 0
12/18/2008 3:05:21 AM Files moved: 0

12/18/2008 3:57:27 AM Deleted NT AUTHORITY\SYSTEM C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP994\A0132200.dll FakeAlert-AG.gen.a
12/18/2008 4:09:59 AM Deleted NT AUTHORITY\SYSTEM C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP994\A0132201.dll FakeAlert-AG.gen.a
12/18/2008 5:47:46 AM Deleted FASTDAVE\Dave Bender C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP994\A0132202.dll Generic.dx
12/18/2008 5:47:46 AM Deleted FASTDAVE\Dave Bender C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP994\A0132203.sys Generic.dx

12/18/2008 6:16:08 AM Statistics:
12/18/2008 6:16:08 AM Files scanned: 75907
12/18/2008 6:16:08 AM Files infected: 4
12/18/2008 6:16:08 AM Files cleaned: 0
12/18/2008 6:16:08 AM Files deleted: 4
12/18/2008 6:16:08 AM Files moved: 0


I successfully ran Adaware on 12/14, but when I had the infection 12/15 the system would not allow me to complete any adware or spybot search and destroy. When I tried to go on to the trendmicro site it would hijack me to other odd sites. I was unable to download malwarebytes. The trojan seemed to have all the sites blocked that could help me. I downloaded malwarebytes AM on another machine and tried to run it on the infected machine and again it was prevented. Finally through some searches I found I could change the name of the MBAM and it finally ran to clean my system. I am posting below three logs from MBAM. (note: I also ran the online free scan from trendmicro a couple of time to try to ensure I was clean. Can anyone tell me if I am truly clean? Or is there something else I should do.

I read some of the forums and got nervous about the viruses that are imbedded deep in the root registery (?) and that they may be set up to steal my information. I use the computer for quicken and a few other financial things that I certainly do not want to be hacked into and steal any hard earned dollars I have left after the crash in financials. Any help and advice you folks can provide me would be appreciated.

MBAM logs follows:

virus filled:

Malwarebytes' Anti-Malware 1.31
Database version: 1512
Windows 5.1.2600 Service Pack 3

12/18/2008 12:50:12 AM
mbam-log-2008-12-18 (00-50-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 126062
Time elapsed: 51 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Dave Bender\Local Settings\Temp\TDSSdb80.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\quarantine\TDSSdb80.tmp.Vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP993\A0132092.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSShrxr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSmtql.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSoiqt.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSxfum.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\TDSSpqlt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSac4c.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dave Bender\Local Settings\Temp\TDSS86e2.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dave Bender\Local Settings\Temp\TDSSb583.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dave Bender\Local Settings\Temp\TDSSdb42.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSbubv.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSnmxh.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSStkdu.log (Trojan.TDSS) -> Quarantined and deleted successfully.

Next scan:

Malwarebytes' Anti-Malware 1.31
Database version: 1512
Windows 5.1.2600 Service Pack 3

12/18/2008 6:15:15 AM
mbam-log-2008-12-18 (06-15-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 126352
Time elapsed: 50 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP994\A0132202.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP994\A0132203.sys (Trojan.TDSS) -> Quarantined and deleted successfully.


Finally a clean scan:

Malwarebytes' Anti-Malware 1.31
Database version: 1512
Windows 5.1.2600 Service Pack 3

12/18/2008 7:16:56 AM
mbam-log-2008-12-18 (07-16-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 126301
Time elapsed: 49 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:09 PM

Posted 18 December 2008 - 09:49 PM

Hello let me say you have one there that bothers me ,the TDDS.

Lets get another look at it. I would like you to run these please,
SDFix

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to renable you anti-virus and and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.


S!Ri's SmitfraudFix (only this part now)
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Dr.B

Dr.B
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:09 PM

Posted 18 December 2008 - 10:48 PM

I ran SDFix and have copied the report.txt below. I would like to add the fact that my virus scanner found two trojans in the SDFix folder named catchme.exe and Cghtme.exe. I have included this after the report.txt. Finally I ran option 1 of smitfraudFix and have copied the rapport.txt. Thanks in advance. Let me know the next step.

SDFix: Version 1.240
Run by Administrator on Thu 12/18/2008 at 10:20 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
TDSSserv.sys

Path :
\systemroot\system32\drivers\TDSSpqlt.sys

TDSSserv.sys - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\drivers\TDSSpqlt.sys - Deleted
C:\WINDOWS\system32\TDSSlrvd.dat - Deleted
C:\WINDOWS\SYSTEM32\TDSSLRVD.dat - Deleted
C:\WINDOWS\SYSTEM32\TDSSOSVD.dat - Deleted





Removing Temp Files

ADS Check :

[Note this is the log of the virus scan]

12/18/2008 10:26:18 PM Deleted FASTDAVE\Dave Bender C:\SDFix\apps\Cghtme.exe Generic.dx
12/18/2008 10:30:25 PM Deleted FASTDAVE\Dave Bender C:\SDFix\catchme.exe Generic.dx



SmitFraudFix v2.387

Scan done at 22:35:53.84, Thu 12/18/2008
Run from C:\Documents and Settings\Dave Bender\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Dave Bender\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Dave Bender


C:\DOCUME~1\DAVEBE~1\LOCALS~1\Temp


C:\Documents and Settings\Dave Bender\Application Data


Start Menu


C:\DOCUME~1\DAVEBE~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS



Scanning for wininet.dll infection


End

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:09 PM

Posted 19 December 2008 - 12:15 AM

Hello again. First that is just the Virus scanner doing it's job and finding a program that would be dangerous to your PC, had it not been a safe program we would want to remove it.
I need to just post this important warning now about you having a Compromised PC. Especially if you do financial matters with this machine.

One or more of the identified infections is a backdoor / rootkit trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Dr.B

Dr.B
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:09 PM

Posted 19 December 2008 - 03:53 PM

Boopme,

Thanks for the help so far. I would like to finish cleaning the machine if it is not too much trouble on your part. I would like to do this if for no other reason than to safely retrieve my data that is on my infected computer. I have not been good enough at being sure my data is backed up and I assume there is risk in transfering the virus back onto a clean machine when the data is transferred back. So, if you have other ideas of things I can do to eliminate whatever malware is left, I would be very interested in following your instructions.

Dr.B

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:09 PM

Posted 19 December 2008 - 04:02 PM

Ok good I think we can get this out. Next we'll run the Smitfraud cleaner.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.


NOW ,UPDATE and run MBam again,post that new log.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 Dr.B

Dr.B
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:09 PM

Posted 19 December 2008 - 06:15 PM

This is the report from SmithfraudFix:

SmitFraudFix v2.387

Scan done at 17:05:46.28, Fri 12/19/2008
Run from C:\Documents and Settings\Dave Bender\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9D475EE3-4163-4D7C-B83D-84088FDCC77B}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9D475EE3-4163-4D7C-B83D-84088FDCC77B}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9D475EE3-4163-4D7C-B83D-84088FDCC77B}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.10 65.24.7.11


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

This is the MBAM log:

Malwarebytes' Anti-Malware 1.31
Database version: 1523
Windows 5.1.2600 Service Pack 3

12/19/2008 6:05:42 PM
mbam-log-2008-12-19 (18-05-42).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 126680
Time elapsed: 50 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Also, Again it may not be relevant but my virus scanner removed two items. See log below.

12/19/2008 5:49:04 PM Deleted FASTDAVE\Dave Bender C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP995\A0132280.exe Generic.dx
12/19/2008 5:49:05 PM Deleted FASTDAVE\Dave Bender C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP995\A0132314.exe Generic.dx

Let me know what you think.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:09 PM

Posted 19 December 2008 - 10:20 PM

OK this went well we will get those 2 in the last step after these.

Let's clean up and see what junk is left.
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Follow with SAS scan/log.
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 Dr.B

Dr.B
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:09 PM

Posted 20 December 2008 - 11:14 AM

Hello. The log from super anti spyware is below. I wasn't paying close enough attention and started the program prior to getting into safe mode, but then realized my error and repeated the instructions with a reboot in safe mode. This is the log from that.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/20/2008 at 11:00 AM

Application Version : 4.23.1006

Core Rules Database Version : 3680
Trace Rules Database Version: 1659

Scan type : Complete Scan
Total Scan Time : 00:52:10

Memory items scanned : 161
Memory threats detected : 0
Registry items scanned : 6594
Registry threats detected : 8
File items scanned : 79972
File threats detected : 1

MyWay Search Assistant Computers
HKLM\Software\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
HKCR\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32
HKCR\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32#ThreadingModel
HKCR\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\Programmable
C:\PROGRAM FILES\MYWAYSA\SRCHASDE\1.BIN\DESRCAS.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
HKU\S-1-5-21-3833725050-430818744-3201488877-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:09 PM

Posted 20 December 2008 - 03:08 PM

Hi we look good here. Any more sign or symptoms?

The earlier referenced.. I would like to add the fact that my virus scanner found two trojans in the SDFix folder named catchme.exe and Cghtme.exe.
This is really just the AV doing it's job. These specialized tools are system intruders and are detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky etc..) as a "RiskTool"or "PUP"-- Potentially Unwanted Program or Even Malware; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Edited by boopme, 20 December 2008 - 03:09 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 Dr.B

Dr.B
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:09 PM

Posted 21 December 2008 - 06:43 PM

Hello,
Thank You so much for your help. I am not aware of more problems, but I was unsure I had more problems before we cleaned things up further. I think I will take your advice and wipe the computer clean before I do anything senstive just in case. Are you aware of any references and good guidance for reformatting?

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:09 PM

Posted 21 December 2008 - 07:24 PM

Good choice as you will be confident from then on. The best proceedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Killdisk.

One of the best sources of Information on this is http://www.michaelstevenstech.com/

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 dkate

dkate

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:09 PM

Posted 28 December 2008 - 04:14 PM

This is the daughter of Dr.B. We have downloaded Killdisk to clean the PC and installed it successfully and created our boot disk. In using Killdisk, however, we have the option of erasing the whole hard disk including 2 different Dell partitions. However, we are reluctant to proceed with wiping the entire thing without knowing what these partitions are for. Does anyone know about using Killdisk on a Dell XP PC and these partitions and their purpose? We have all the boot disks, also, so that isn't a concern.

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:09 PM

Posted 28 December 2008 - 04:43 PM

Hello, a good question . Please ask this same question in the XP forum up top. There are some Dell experts there. I would prefer they answer as they use those system and are more familiar with it's idiosyncrasies.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users