
NEED Help Please! Terrible infections on work Comp!



#1 archmr10

Posted 10 March 2009 - 11:49 PM

I've researched for 2 whole days to no avail. I can't seem to fix this nasty issue and I'm ready to take a step-by-step approach without jumping the gun. I'm patient and I'd like to fix this with the right help from you guys. I apologize for the super long post, but I need to let you know all the background info...

Please help!

Background: Dell Desktop XPS 710 running Windows XP SP2 with McAfee Suite. This infected desktop uses a WG111v2 Netgear wireless USB adaptor in a home office network which uses a Netgear wireless router, Comcast cable box, and 8-port Linksys workgroup switch. Currently using my laptop to type this.

Total number of computers in home office network: 5 + my laptop. All Dell PCs. All use wired connections to the switch except for the infected XPS machine, which uses the Netgear USB adaptor.

Here are the issues:

1) Practiced some bad judgement and visited a software site and got infected. Svchost.exe errors now come on at startup multiple times and I no longer have internet access.

2) Tried to reinstall the latest Netgear wireless USB adaptor driver - installation gets hung up and never finishes.

3) Before the internet access died on the XPS, all search engine results redirected to shopping websites.

4) USB devices are not recognized from time to time. The only way I got MBAM on the machine was through my USB drive using safe mode. This is also how I got the Netgear driver onto the infected machine.

5) Overall system stability is poor. Actions are slow. Programs open up extremely slowly. CPU usage is 100%. Before the internet died on this machine, McAfee updates were being blocked, as were Windows updates and MBAM updates.

6) Managed to rename MBAM and did a scan a few times. 2nd and 3rd times showed nothing.

Used MBAM the first time and cleared the viruses out. Ran a McAfee scan and it deleted a few files. If I recall correctly a few were labeled as "DNS Changers" and I remember the word "Rootkit" in one of them.

I researched this and immediately shut off the computer and checked the others on the network. Seems that the router was infected and passed the "Google redirecting" symptom onto the others, but otherwise they are in perfect working order. I reset the router and cable modem, reset the WPA key and set a strong router password on the router. I reset the entire home network and all the comps except my XPS can access the internet trouble-free now.

Foolishly, I tried to fix this myself on the XPS and I ran SmitFraudFix free version on the comp and it helped for a little while before every symptom came back again. The more I reboot, the worse this gets.

Also, the sound driver was lost and I had to use the original driver CD to reinstall the chipset firmware to get it to work again.

Please help me. I'm ready to listen and will never visit an illegitimate site again.


#2 quietman7 (Global Moderator)

Posted 11 March 2009 - 10:51 AM

Welcome to BC

Since you say this is a work computer, have you contacted and advised your IT Department? In most work environments, the IT staff implement specific policies and procedures for the use of computer equipment and related resources. In fact, many companies will require you to read those policies and sign a statement of understanding. Further, they usually have procedures in place to deal with infections on the network and may not approve of employees seeking help at an online forum or outside the business office.

The malware you are dealing with may have already infected the network. The IT Department needs to be advised right away so they can take the appropriate measures.

Edited by quietman7, 11 March 2009 - 10:52 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 archmr10 (Topic Starter)

Posted 11 March 2009 - 11:36 AM

Well, I call it my "work computer" only because I have my projects on there. Sorry for the bad wording. The infected computer is my personal desktop computer, which is part of my home office network that I own and administrate.

Again, I apologize for the confusion. Can you still help me out?

#4 quietman7 (Global Moderator)

Posted 11 March 2009 - 11:55 AM

Please post the results of your first and last scan for review.

To retrieve the MBAM scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format:
      mbam-log-2009-01-12(13-35-16).txt <- your dates will be different from this example
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Please print out and follow these instructions: "How to use SDFix". <- for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • Please be patient as the scan may take up to 20 minutes to complete.
  • When the process is complete, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • The SDFix report log (Report.txt) will open in Notepad and automatically be saved in the SDFix folder.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

I remember the word "Rootkit" in one of them

Rootkits, backdoor Trojans, botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

#5 archmr10 (Topic Starter)

Posted 11 March 2009 - 07:30 PM

Here are my 4 MBAM scans in chronological order. I'll post back with SDFix report asap - have to install it first.

FIRST

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

3/9/2009 11:52:46 PM
mbam-log-2009-03-09 (23-52-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 268661
Time elapsed: 1 hour(s), 5 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.77,85.255.112.206 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4d5ed5bd-a92e-467b-a6ca-ffded6097eea}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.77,85.255.112.206 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4d5ed5bd-a92e-467b-a6ca-ffded6097eea}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.77,85.255.112.206 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cb1f951e-4a43-40ae-a238-692b7fdabd67}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.77,85.255.112.206 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.77,85.255.112.206 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{4d5ed5bd-a92e-467b-a6ca-ffded6097eea}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.77,85.255.112.206 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{4d5ed5bd-a92e-467b-a6ca-ffded6097eea}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.77,85.255.112.206 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{cb1f951e-4a43-40ae-a238-692b7fdabd67}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.77,85.255.112.206 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.77,85.255.112.206 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{4d5ed5bd-a92e-467b-a6ca-ffded6097eea}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.77,85.255.112.206 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{4d5ed5bd-a92e-467b-a6ca-ffded6097eea}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.77,85.255.112.206 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{cb1f951e-4a43-40ae-a238-692b7fdabd67}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.77,85.255.112.206 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\p.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-60-100011181-100031364-100014040-2043.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marco.ARROWSHOP\results.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marco.ARROWSHOP\Favorites\SMS TRAP.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marco.ARROWSHOP\Start Menu\SMS TRAP.url (Rogue.Link) -> Quarantined and deleted successfully.


SECOND SCAN

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

3/10/2009 1:02:14 AM
mbam-log-2009-03-10 (01-02-14).txt

Scan type: Quick Scan
Objects scanned: 113400
Time elapsed: 11 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


THIRD SCAN

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

3/10/2009 3:11:00 PM
mbam-log-2009-03-10 (15-11-00).txt

Scan type: Quick Scan
Objects scanned: 113676
Time elapsed: 11 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


FOURTH SCAN

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

3/10/2009 6:35:02 PM
mbam-log-2009-03-10 (18-35-02).txt

Scan type: Quick Scan
Objects scanned: 113738
Time elapsed: 10 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
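Added example, not from any post in this thread. The first MBAM log above shows the same two resolver addresses written into NameServer and DhcpNameServer under CurrentControlSet, ControlSet002 and ControlSet003, both globally and per interface GUID. The Python below parses lines in that MBAM 1.34 "Registry Data Items" format, reports which control sets held the rogue value, and flags every resolver that is not inside an allowlist of networks the responder expects to see. The sample is constructed from three lines copied out of that log; the allowlist network (the LAN router's subnet) is an assumption, not something the thread states.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: three lines copied from the first MBAM log in this thread
# ("Registry Data Items Infected"), in the format MBAM 1.34 writes.
SAMPLE_MBAM_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.77,85.255.112.206 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{4d5ed5bd-a92e-467b-a6ca-ffded6097eea}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.77,85.255.112.206 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{cb1f951e-4a43-40ae-a238-692b7fdabd67}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.77,85.255.112.206 -> Quarantined and deleted successfully.
"""

# One MBAM registry-data line: key (with control set, optional interface GUID
# and value name), detection name, data, action taken.
LINE_RE = re.compile(
    r"^(?P<key>HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<control_set>ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\Tcpip\\Parameters\\(?:Interfaces\\(?P<interface>\{[0-9a-fA-F-]+\})\\)?"
    r"(?P<value>DhcpNameServer|NameServer))"
    r" \((?P<detection>[^)]*)\) -> Data: (?P<data>.+?) -> (?P<action>.*)$"
)


def parse_dns_entries(log_text):
    """Return one dict per NameServer/DhcpNameServer hit in an MBAM log."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Windows stores resolver lists comma- or space-separated.
        servers = [s for s in re.split(r"[,\s]+", m.group("data")) if s]
        entries.append({
            "control_set": m.group("control_set"),
            "interface": m.group("interface"),   # None for the global value
            "value": m.group("value"),
            "detection": m.group("detection"),
            "servers": servers,
        })
    return entries


def unexpected_resolvers(entries, allowed_networks):
    """Resolver addresses outside the networks the responder expects.

    allowed_networks is your own list (the LAN router, the ISP's resolvers);
    anything else needs an explanation.
    """
    allowed = [ip_network(n, strict=False) for n in allowed_networks]
    flagged = set()
    for e in entries:
        for s in e["servers"]:
            try:
                ip = ip_address(s)
            except ValueError:
                flagged.add(s)          # not an IP at all: flag it
                continue
            if not any(ip in net for net in allowed):
                flagged.add(s)
    return sorted(flagged)


def control_sets_touched(entries):
    """Which ControlSet00N copies held the rogue value. CurrentControlSet is
    only an alias for one of them; the others survive a cleanup that stops there."""
    return sorted({e["control_set"] for e in entries})


if __name__ == "__main__":
    hits = parse_dns_entries(SAMPLE_MBAM_LOG)
    print("control sets touched:", control_sets_touched(hits))
    # Assumption: the only resolver this LAN should use is the router on 192.168.1.0/24.
    print("unexpected resolvers:", unexpected_resolvers(hits, ["192.168.1.0/24"]))
```

The control-set check matters because HKLM\SYSTEM\CurrentControlSet is a link to whichever ControlSet00N key HKLM\SYSTEM\Select\Current points at, and Last Known Good points at another copy. A cleanup that only fixes CurrentControlSet can be undone by a Last Known Good boot, which is why all twelve hits in the log above, not just the four under CurrentControlSet, had to go.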

#6 archmr10 (Topic Starter)

Posted 11 March 2009 - 08:33 PM

This is the SDFix report.


SDFix: Version 1.240
Run by Marco on Wed 03/11/2009 at 08:18 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp16.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp17.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp18.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp19.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp1A.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp1B.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp1C.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp21.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp22.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp23.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp24.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp25.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp26.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp27.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp28.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp29.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp2A.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp2B.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp2D.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp2E.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp2F.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp32.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp33.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp34.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp35.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp36.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp37.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp38.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp39.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp6C.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp6D.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp92.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp95.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp96.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp97.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp98.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp99.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp9E.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmp9F.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpA4.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpA5.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpA7.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpA8.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpB4.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpB5.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpB6.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpB7.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpEF.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpF0.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpF3.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpF4.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpF5.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpF6.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpF7.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpFA.tmp - Deleted
C:\DOCUME~1\MARCO~1.ARR\LOCALS~1\Temp\tmpFB.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 20:27:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Marco.ARROWSHOP\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe"="C:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe:*:Disabled:SketchUp Application"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Sprite Software\\Sprite Backup\\spriteservice.exe"="C:\\Program Files\\Sprite Software\\Sprite Backup\\spriteservice.exe:*:Enabled:Sprite PC Service"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\NexonUS\\NGM\\NGM.exe"="C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\NexonUS\\NGM\\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\\Program Files\\Nexon\\Combat Arms\\NMService.exe"="C:\\Program Files\\Nexon\\Combat Arms\\NMService.exe:*:Enabled:Nexon Messenger Core"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\y45uoe4.dll"
Thu 31 May 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\DRMv1.bak"
Sat 28 Feb 2009 20,688 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Sat 28 Feb 2009 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Thu 31 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv02.tmp"
Wed 4 Oct 2006 3,072,000 A..H. --- "C:\Documents and Settings\Marco.ARROWSHOP\Application Data\U3\temp\Launchpad Removal.exe"

Finished!
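Added example, not from any post in this thread. Two sections of the SDFix report above are easier to review mechanically than by eye: the Windows Firewall AuthorizedApplications export, where each value has the form path:scope:state:display name with backslashes doubled as in any .reg file, and the "Files with Hidden Attributes" list. The Python below parses both and applies two review heuristics: an enabled exception whose binary lives in a user-writable directory (Documents and Settings, Application Data, Temp) is listed together with the scope it is open to, and hidden files under \WINDOWS\system32 are listed. Both are prompts for a closer look, not verdicts. The sample is constructed from lines copied out of the report above; the set of user-writable markers is an assumption.

```python
import re

# Constructed sample: lines copied from the SDFix report in this thread.
SAMPLE_SDFIX = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe"="C:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe:*:Disabled:SketchUp Application"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\NexonUS\\NGM\\NGM.exe"="C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\NexonUS\\NGM\\NGM.exe:*:Enabled:Nexon Game Manager"

Files with Hidden Attributes :

Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\y45uoe4.dll"
Sat 28 Feb 2009 20,688 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Wed 4 Oct 2006 3,072,000 A..H. --- "C:\Documents and Settings\Marco.ARROWSHOP\Application Data\U3\temp\Launchpad Removal.exe"
'''

# "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>". The drive-letter
# colon is why the path group is non-greedy and the state is matched literally.
FW_RE = re.compile(
    r'^"(?P<key>[^"]*)"="(?P<path>[^"]*?):(?P<scope>[^:"]*):'
    r'(?P<state>[Ee]nabled|[Dd]isabled):(?P<name>[^"]*)"$'
)
# <weekday> <d Mon yyyy> <size> <attrs> --- "<path>"
HIDDEN_RE = re.compile(
    r'^\w{3} +(?P<date>\d{1,2} \w{3} \d{4}) +(?P<size>[\d,]+) +'
    r'(?P<attrs>[A-Z.]{5}) +--- +"(?P<path>[^"]+)"$'
)
# Assumption: directories a standard user can write to (lower-case, with the
# surrounding backslashes so "temp" does not match "Template").
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\temp\\", "\\recycler\\")


def parse_firewall_exceptions(text):
    """Return one dict per AuthorizedApplications value, with the path unescaped."""
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["path"] = d["path"].replace("\\\\", "\\")   # undo .reg escaping
            out.append(d)
    return out


def review_exceptions(entries):
    """{display name: note} for enabled exceptions whose binary sits in a
    user-writable directory; scope '*' means any remote address may connect."""
    findings = {}
    for e in entries:
        if e["state"].lower() != "enabled":
            continue                     # a disabled exception opens nothing
        low = e["path"].lower()
        if any(marker in low for marker in USER_WRITABLE):
            where = "any remote address" if e["scope"] == "*" else e["scope"]
            findings[e["name"]] = "%s, reachable from %s" % (e["path"], where)
    return findings


def parse_hidden_files(text):
    """Return one dict per line of SDFix's 'Files with Hidden Attributes'."""
    out = []
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"].replace(",", ""))
            out.append(d)
    return out


def hidden_under_system32(entries):
    """Hidden files in the system directory are rare enough to list every one."""
    return [e["path"] for e in entries
            if "\\windows\\system32\\" in e["path"].lower()]


if __name__ == "__main__":
    for name, note in review_exceptions(parse_firewall_exceptions(SAMPLE_SDFIX)).items():
        print("firewall exception:", name, "->", note)
    for path in hidden_under_system32(parse_hidden_files(SAMPLE_SDFIX)):
        print("hidden in system32:", path)
```

On the sample this lists the Nexon Game Manager exception (a binary under All Users\Application Data, open to any remote address) and the hidden y45uoe4.dll in system32. Neither is thereby shown to be malicious; they are the entries a responder would check next, for instance by looking at the file's signer, version information and creation time.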

#7 quietman7 (Global Moderator)

Posted 11 March 2009 - 09:33 PM

Your MBAM log indicates you are using an outdated database version 1749. Please update to the most current one (1837) and rescan again. Since you cannot use the Internet, manually download the updates from another computer, save them to a flash (USB, pen, thumb, jump) drive or CD and transfer to the infected machine. Then double-click on mbam-rules.exe to install the update. If you cannot transfer or install from the infected machine, try installing the file directly from the flash drive to your machine.

Mbam-rules.exe is not updated daily. Another way to get the most current definitions is to update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.

Perform a new Quick Scan in normal mode and make sure you reboot afterwards. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Edited by quietman7, 11 March 2009 - 09:44 PM.


#8 archmr10 (Topic Starter)

Posted 11 March 2009 - 10:06 PM

Got it. Here's the new MBAM log, running in normal mode and updated. I used your method of replacing the ref file through a flash drive.


Malwarebytes' Anti-Malware 1.34
Database version: 1838
Windows 5.1.2600 Service Pack 2

3/11/2009 10:02:30 PM
mbam-log-2009-03-11 (22-02-30).txt

Scan type: Quick Scan
Objects scanned: 98128
Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Bind (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

#9 archmr10 (Topic Starter)

Posted 12 March 2009 - 06:05 PM

Sorry to bother you, quietman7. I really appreciate all of your help. Can you give me any further steps or a diagnosis of the scan posted above?

#10 quietman7 (Global Moderator)

Posted 12 March 2009 - 08:33 PM

Let's do another scan to see if we find anything else that MBAM may have missed.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you cannot boot into safe mode, then perform the above instructions in normal mode.

#11 archmr10 (Topic Starter)

Posted 12 March 2009 - 09:16 PM

I installed this in normal mode yet it doesn't let me run SUPERAntiSpyware. There is an error and the program shuts down.

At first it wouldn't even let me install it until I renamed the installer file on the jump drive; then I copied the renamed installer onto my infected desktop and it let me install it.

Can't run the program though. I tried to rename the executable file and still no cigar. It won't start.

#12 archmr10 (Topic Starter)

Posted 12 March 2009 - 09:21 PM

The error is this:

"SUPERAntiSpyware application has encountered a problem and needs to close. We are sorry for the inconvenience..... Please tell Microsoft about this problem.....

Send, Don't Send, Debug...."

What should I do? It looks like something is preventing it from installing. This happened a while ago with MBAM too, but I was able to fix that by renaming.

Let me know your thoughts.

Thanks

#13 archmr10 (Topic Starter)

Posted 12 March 2009 - 09:47 PM

Never mind. I renamed it again, pulled it out of its install directory and onto the desktop, renamed it there and then threw it back into its directory. Oddly, this worked.

I'll get back to you shortly as soon as the scan is done. Something is definitely trying to prevent me from running this...

#14 archmr10 (Topic Starter)

Posted 13 March 2009 - 12:14 AM

Here's the SUPERAntiSpyware log. Forgot to use the cleaner first, so the first scan only found tracking cookies, but here is the second scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/13/2009 at 00:02 AM

Application Version : 4.25.1014

Core Rules Database Version : 3791
Trace Rules Database Version: 1747

Scan type : Complete Scan
Total Scan Time : 01:21:04

Memory items scanned : 288
Memory threats detected : 0
Registry items scanned : 7798
Registry threats detected : 0
File items scanned : 127969
File threats detected : 0

#15 quietman7 (Global Moderator)

Posted 13 March 2009 - 07:32 AM

OK. It's not unusual for malware to target security tools and try to disable them.
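Added example, not from any post in this thread, and not a diagnosis of this machine: the thread only records that SUPERAntiSpyware (and earlier MBAM) would not run until the executable was renamed and moved. One documented Windows mechanism that behaves exactly that way is an Image File Execution Options (IFEO) entry. Windows looks the key up by image file name and, when it carries a Debugger value, starts that "debugger" with the program as its argument instead of running the program; a renamed copy is not matched, and what the user sees depends entirely on what the named debugger does. The Python below parses a `reg export` of the IFEO key and lists subkeys whose Debugger is not a known debugger, or that name a security tool at all. The .reg text is constructed: the placeholder entry with "ntsd -d" is Windows' own, the notepad.exe entry and the SUPERAntiSpyware.exe entry with its hijack.exe path are invented, and so is the list of tool names.

```python
import re

# Constructed sample in the format "reg export" writes. The "Your Image File
# Name Here without a path" key with "ntsd -d" is Windows' own placeholder;
# the notepad.exe and SUPERAntiSpyware.exe keys, and the Debugger path under
# the latter, are invented for this example and do not come from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SUPERAntiSpyware.exe]
"Debugger"="C:\\WINDOWS\\Temp\\hijack.exe"
'''

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(?P<dbg>.*)"$')
# Assumption: debuggers that Windows or a developer would legitimately register.
KNOWN_DEBUGGERS = {"ntsd", "cdb", "windbg", "drwtsn32", "vsjitdebugger"}


def find_ifeo_debuggers(reg_text):
    """Map image file name -> Debugger command for every IFEO subkey that sets one."""
    found = {}
    image = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            if key.lower().startswith(IFEO_PREFIX.lower()):
                image = key[len(IFEO_PREFIX):]     # subkey name is the image name
            else:
                image = None                       # the parent key or an unrelated one
            continue
        dm = DEBUGGER_RE.match(line)
        if dm and image:
            found[image] = dm.group("dbg").replace("\\\\", "\\")  # undo .reg escaping
    return found


def suspicious_debuggers(found, security_tools=()):
    """Entries whose debugger is not a known debugger, plus any entry that
    targets one of the named security tools regardless of the debugger."""
    tools = {t.lower() for t in security_tools}
    out = {}
    for image, dbg in found.items():
        # First whitespace-separated token; a quoted path containing spaces
        # would need quote-aware splitting, which the sample does not exercise.
        parts = dbg.split()
        exe = parts[0] if parts else dbg
        base = exe.rsplit("\\", 1)[-1].lower()
        if base.endswith(".exe"):
            base = base[:-4]
        if base not in KNOWN_DEBUGGERS or image.lower() in tools:
            out[image] = dbg
    return out


if __name__ == "__main__":
    hits = find_ifeo_debuggers(SAMPLE_REG)
    # Assumed tool names; extend with whatever you are trying to run on the box.
    for image, dbg in suspicious_debuggers(hits, ["mbam.exe", "SUPERAntiSpyware.exe"]).items():
        # The matching cleanup on the affected machine is a single registry edit:
        #   reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>" /v Debugger /f
        print("%s is launched through %r" % (image, dbg))
```

To produce the input on a real XP machine, run `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and feed the file's contents to `find_ifeo_debuggers`. An empty result does not clear the machine: a resident process that kills security tools by name, which this script cannot see, gives the same rename-to-run symptom.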



