Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware Protect 2009 Residuals - Please Help!


  • Please log in to reply
13 replies to this topic

#1 CheeTien

CheeTien

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 01 March 2009 - 09:02 AM

Dear Sir,

After many hours, I finally was able to remove Spyware Protect 2009 from my computer, or so I thought. Ever since then, my computer has been running much slower, particularly on startup, so i checked my msconfig -> startup settings and noticed a new startup item named "2cfd402c1" with a command line of "rundll32.exe "C:\Documents and Settings\Administrator\Application Data\Macromedia\Common\2cfd402c1.dll". I have tried everything from removing the registry line via regedit (line keeps popping back up after restart), to deleting the file in the specified folder (comes back after restart), to disabling that command in msconfig (item comes back checked after each restart." Malwarebytes has found 8 infections related to this, but is unable to clean them...it says itll clean on reboot, but when i run malware again after the reboot, the same infections popped up. Super antispyware doesnt find anything. Here are the logs:

Malwarebytes' Anti-Malware 1.34
Database version: 1813
Windows 5.1.2600 Service Pack 3

2/28/2009 8:47:35 PM
mbam-log-2009-02-28 (20-47-35).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 137476
Time elapsed: 24 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\Common\2cfd402c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\Common\2cfd402c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\Common\2cfd402c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\Common\2cfd402c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\Common\2cfd402c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\Common\2cfd402c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\Common\2cfd402c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\Common\2cfd402c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here is the SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/01/2009 at 05:46 AM

Application Version : 4.25.1014

Core Rules Database Version : 3779
Trace Rules Database Version: 1738

Scan type : Complete Scan
Total Scan Time : 00:40:01

Memory items scanned : 279
Memory threats detected : 0
Registry items scanned : 5993
Registry threats detected : 0
File items scanned : 65362
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt


Could someone please help me remove these things? Thank you very much in advance.

BC AdBot (Login to Remove)

 


#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:05:52 AM

Posted 01 March 2009 - 01:49 PM

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to renable you anti-virus and and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#3 CheeTien

CheeTien
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 01 March 2009 - 03:00 PM

Now, whenever I start up, i get an error window named RUNDLL having to do with that 2cfd402c1.dll file. Thanks so much for willing to help Rigel. This is the SDFix log:

SDFix: Version 1.240
Run by Administrator on Sun 03/01/2009 at 11:50 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-01 11:54:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\UACftpuhrdc.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\modules]
"UACd"="\\?\globalroot\systemroot\system32\drivers\UACftpuhrdc.sys"
"UACc"="\\?\globalroot\systemroot\system32\UACxejyrdpm.dll"
"uacsr"="\\?\globalroot\systemroot\system32\UACesubnaup.dat"
"uaclog"="\\?\globalroot\systemroot\system32\UACqlgqsagm.dll"
"uacmask"="\\?\globalroot\systemroot\system32\UAClonhvmki.dll"
"uacbbr"="\\?\globalroot\systemroot\system32\UAClalskkcb.dll"
"UACproc"="\\?\globalroot\systemroot\system32\UACavfbayvp.log"
"uacurls"="\\?\globalroot\systemroot\system32\UACxbwxjgvi.log"
"uacerrors"="\\?\globalroot\systemroot\system32\UACinjknaql.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\UACftpuhrdc.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys\modules]
"UACd"="\\?\globalroot\systemroot\system32\drivers\UACftpuhrdc.sys"
"UACc"="\\?\globalroot\systemroot\system32\UACxejyrdpm.dll"
"uacsr"="\\?\globalroot\systemroot\system32\UACesubnaup.dat"
"uaclog"="\\?\globalroot\systemroot\system32\UACqlgqsagm.dll"
"uacmask"="\\?\globalroot\systemroot\system32\UAClonhvmki.dll"
"uacbbr"="\\?\globalroot\systemroot\system32\UAClalskkcb.dll"
"UACproc"="\\?\globalroot\systemroot\system32\UACavfbayvp.log"
"uacurls"="\\?\globalroot\systemroot\system32\UACxbwxjgvi.log"
"uacerrors"="\\?\globalroot\systemroot\system32\UACinjknaql.log"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\svcho.exe"="C:\\WINDOWS\\svcho.exe:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Mon 12 Jan 2009 47,616 ..SHR --- "C:\WINDOWS\system32\ahuin.exe"
Sat 28 Oct 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 25 Jan 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"

Finished!

#4 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:05:52 AM

Posted 01 March 2009 - 03:20 PM

Please perform a scan with Eset Onlinescan (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista Users be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Insall ActiveX component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab)".
  • Answer Yes to install and download the ActiveX controls that allows the scan to run.
  • Click Start. (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan to start the online scan. (this could take some time to complete)[/color]
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.
  • Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#5 CheeTien

CheeTien
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 01 March 2009 - 04:15 PM

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3897 (20090228)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=769f10004b52904983d634b670f7f9fd
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-01 09:06:58
# local_time=2009-03-01 01:06:58 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=261044
# found=1
# scan_time=1552
C:\WINDOWS\system32\ahuin.exe a variant of Win32/Kryptik.ES trojan (unable to clean - deleted) 00000000000000000000000000000000

#6 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:05:52 AM

Posted 01 March 2009 - 05:57 PM

Good...

Now please update and rerun Superantispyware and Malwarebytes - don't forget to update! Post their new logs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#7 CheeTien

CheeTien
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 01 March 2009 - 09:32 PM

still no success 8(

Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 5.1.2600 Service Pack 3

3/1/2009 5:47:49 PM
mbam-log-2009-03-01 (17-47-49).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 137009
Time elapsed: 24 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\Common\2cfd402c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\Common\2cfd402c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\Common\2cfd402c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\Common\2cfd402c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\Common\2cfd402c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\Common\2cfd402c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\Common\2cfd402c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\Common\2cfd402c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\syssvc.exe (Trojan.Fraudtool) -> Quarantined and deleted successfully.





SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/01/2009 at 06:28 PM

Application Version : 4.25.1014

Core Rules Database Version : 3779
Trace Rules Database Version: 1738

Scan type : Complete Scan
Total Scan Time : 00:34:32

Memory items scanned : 469
Memory threats detected : 0
Registry items scanned : 6001
Registry threats detected : 0
File items scanned : 23500
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[2].txt

#8 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:05:52 AM

Posted 01 March 2009 - 09:48 PM

I am asking another tech to take a look at this thread. Hopefully it will not be long - Thanks!

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#9 CheeTien

CheeTien
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 01 March 2009 - 09:53 PM

Thanks so much again Rigel. Youre a godsend!

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:52 AM

Posted 01 March 2009 - 10:47 PM

Hi , it appears that this malware, 2cfd402c1.dll file, is corrupted or an orphaned registry entry.
The Cannot find or error loading error message usually occurs when the associated .dll has been removed. The file may have been removed during an anti-virus scan, the uninstall of a program or use of a specialized fix tool. However, an associated registry entry remains and is telling Windows to load the file when you boot up.

If the file was removed but not the entry, Windows will display an error message indicating that the file was not found or there was an error loading. You need to remove this registry entry so Windows stops searching for the program when it loads.

To resolve this download and run Autoruns, search for the related entry and then delete it.

Create a new folder on your hard drive called AutoRuns and extract (unzip) the file there. (click HERE if your not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file with the error message.
Right-click on the file and choose delete.
Reboot your computer and see if the startup error returns.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 CheeTien

CheeTien
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 01 March 2009 - 11:01 PM

I deleted the appropriate line on Autoruns, but the error window still popped on startup. Also, I hear an error noise a few minutes later...and malware still finds the infections and is unable to remove.

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:52 AM

Posted 02 March 2009 - 01:11 PM

Hello.

First, there were signs of a rootkit infection. You should be warned, take a read below.

Posted ImageRootkit Threat

Unfortunatly One or more of the identified infections is a Rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy. If you want to continue follow the steps below please.


Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created to ensure we have backup so encase anything goes wrong we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt


How to Restore from the ERUNT Backup
Only restore from the backups if instructed to, or you need to do so. You need it if after doing something, your computer will only boot in Safe Mode and you are unable to contact us (or anyone else) for help by other means, or if your computer will not boot into Windows at all.

To restore if you can boot, navigate to C:\WINDOWS\erdnt, choose the folder with the most recent date, and double click ERDNT.EXE. Check all boxes in the restoration options.

To restore from the Recovery Console using the Windows CD:
  • Turn on your machine with the disk in the drive.
  • Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • Type without quotes "cd erdnt" followed by Enter.
  • Type without quotes "dir" followed by Enter. This will list out the available folders, whose names are the date on which the backup was taken in (M)M-DD-YYYY format. Try the most recent dates first.
  • Type without quotes "cd **name of the folder**" followed by Enter.
  • Type without quotes "batch erdnt.con" followed by Enter.
  • Type without quotes "exit" followed by Enter.
  • Remove your CD from the drive and reboot your computer into the restored registry. If you still cannot boot, try again with an earlier restore date.

Create and Run batch script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".

    @Echo off

    If exist "C:\looking.txt" Del /q /s "C:\looking.txt"
    reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32" > C:\looking.txt


    Echo ------------------ RUN KEY ------------------------------- >> C:\looking.txt


    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" >>C:\looking.txt


    Echo ------------------ DIR FOLDER ------------------------------- >> C:\looking.txt


    Dir "C:\Documents and Settings\Administrator\Application Data\Macromedia\Common" >> C:\looking.txt
    Notepad C:\looking.txt

    Exit

    Del %0

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input peek.bat.
  • Hit OK.
When done properly, the icon should look like Posted Image for the .bat file.

Double click on peek.bat, and Black DOS window shall appear and then notepad will soon open. This is normal please do not panic. Once it's complete copy and paste the contents of notepad in your next reply.

Note: If you closed notepad accidentally, it can also be found at C:\looking.txt

If the log is too big, attach it please.


Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.[list]
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!:Please do not select the Show all checkbox during the scan..

Let me know how it goes. :thumbsup:

With Regards,
Extremeboy

Edited by extremeboy, 02 March 2009 - 01:11 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 CheeTien

CheeTien
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 02 March 2009 - 04:45 PM

A friend came over and did some funky stuff and I think cleaned up the problem...or so it appears. So I guess im okay for now. A BIG BIG THANK YOU to all you nice people that helped, Rigel (!), boopme, and extremeboy! I really appreciate your time, effort, and willingness to help. Best wishes!

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:52 AM

Posted 02 March 2009 - 04:58 PM

Hello.

Glad it got fixed. I have recently seen this infection too. Many people infected with this "sound hijack" was also infected with the rootkit and a rogue program.

Although it may be fixed beware of the Rootkit, it may still be active.

Anyways, glad everything is back to normal.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users