I am sooooo sick of this computer


17 replies to this topic

#1 bomber1712

bomber1712

  • Members
  • 464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Wisconsin, USA
  • Local time:12:57 PM

Posted 20 March 2009 - 07:38 PM

OK, so I have this Gateway Desktop computer running XP SP3. I had a CTHelper.exe issue, so I asked all of you for assistance. I ran this and posted that. I got close (I thought) to a clean computer. The last step was to run gmer.exe. Then, we would be done.....

Well, the scan showed 2 hidden rootkits. I was referred to HJT. The person basically told me that with a rootkit, I can never be sure my computer is safe, again. I needed to reformat and start over. If you want to see any of this dialog, go to these threads:

AII Forum: http://www.bleepingcomputer.com/forums/t/209801/cthelperexe-and-other-items-found-with-mbam/

HJT Forum: http://www.bleepingcomputer.com/forums/t/207934/cthelperexe-plus-a-trojan-downloader/

That's the background. Now, I used Macrium Reflect to restore my computer to a backup that I had from December 2008. I got that all done, and then ran gmer.exe to see if I still had the rootkit. IT WAS CLEAN!! YAY!!

So, before going too far, I decided to run MBAM and Super. I also ran Comodo antivirus. All of these found several issues. I wasn't really concerned with the results, until MBAM said it found a rootkit agent. I cleaned it with MBAM, and then ran MBAM, again (both times in Safe Mode). Second scan was clean. Log from 1st scan:

Malwarebytes' Anti-Malware 1.34
Database version: 1873
Windows 5.1.2600 Service Pack 3

3/19/2009 11:19:50 PM
mbam-log-2009-03-19 (23-19-50).txt

Scan type: Full Scan (C:\|F:\|I:\|)
Objects scanned: 249544
Time elapsed: 1 hour(s), 55 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWay (Adware.MyWay) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1825\A0133243.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINNT\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


Same held true for SAS. I ran once and it found and cleaned several items. I ran a second time, and it found nothing (Safe). Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/19/2009 at 11:35 PM

Application Version : 4.25.1014

Core Rules Database Version : 3773
Trace Rules Database Version: 1732

Scan type : Complete Scan
Total Scan Time : 02:30:58

Memory items scanned : 215
Memory threats detected : 0
Registry items scanned : 6759
Registry threats detected : 10
File items scanned : 30993
File threats detected : 7

Adware.Best Offers Network
C:\Program Files\TBONBin\tbon.exe
C:\Program Files\TBONBin\tboninst.cfg
C:\Program Files\TBONBin\Uninstall.exe
C:\Program Files\TBONBin
C:\WINNT\tboninst.cfg
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBON
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBON#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBON#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBON#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBON#URLInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBON#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBON#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBON#Contact
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBON#WindowsInstaller
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBON#InstallLocation
C:\WINNT\Prefetch\UNINSTALL.EXE-2DC9F2D2.pf

Adware.MyWay
C:\Program Files\MyWay

Comodo ran and showed a backdoor something or another. I was unable to locate a log for that scan, but I ran it again and it found nothing.

Please help me! Please tell me that I do not need to reformat the HDD and start from scratch! I don't have the mental capacity to deal with that, anymore!


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,469 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:57 PM

Posted 20 March 2009 - 10:35 PM

According to Prevx, smdat32m.sys was first seen in July 2005. Since you restored your computer to a backup created in Dec 2008, chances are the malware was on your computer at that time and was backed up as well. When you restored your computer to that date, you also restored the malware. That is why you were advised to reformat, as that is the only way to be sure your system is wiped clean.

Please perform an online scan with Kaspersky WebScanner.
(Requires free Java Runtime Environment (JRE) be installed before scanning for malware as ActiveX is no longer being used.)
  • Click on the Posted Image ...button.
  • The program will launch and fill in the Information section ... on the left.
  • Read the "Requirements and Limitations" then press... the Posted Image ...button.
  • The program will begin downloading the latest program and definition files.
    It takes a while... please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image ...button, if you made any changes.
  • Now under the Scan section on the left: Select My Computer
  • The program will start and scan your system. This will run for a while, be patient... let it run.
    Once the scan is complete, it will display if your system has been infected.
  • Save the scan results as a Text file ... save it to your desktop.
  • Copy and paste the saved scan results file in your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.

#3 bomber1712


Posted 21 March 2009 - 08:27 AM

Thanks for your help. If the only good option is to reformat, I will do that. Here is the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, March 21, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, March 21, 2009 01:43:55
Records in database: 1942823
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
J:\

Scan statistics:
Files scanned: 159414
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 03:06:13


File name / Threat name / Threats count
C:\WINNT\system32\cmd.ftp Infected: Trojan-Downloader.BAT.Ftp.cq 1

The selected area was scanned.

#4 quietman7


Posted 21 March 2009 - 08:42 AM

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and What Do I Do? links previously provided. In some instances the malware may leave so many remnants behind that security tools cannot find them and your system cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS, or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition, removes everything and is the safest action, but I cannot make that decision for you.

Please download OTMoveIt3 by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt3.exe to launch the program. (If using Windows Vista, be sure to Run As Administrator)
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the code box and press CTRL+C or right-click and choose Copy.
:Processes
explorer.exe

:Files
C:\WINNT\system32\cmd.ftp

:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
[Reboot]
  • Return to OTMoveIt3, right-click in the open text box labeled "Paste Instructions for Items to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders.

Also let me know how your computer is running and if there are any more reports/signs of infection.

Edited by quietman7, 21 March 2009 - 08:44 AM.


#5 bomber1712


Posted 21 March 2009 - 09:23 AM

Here is what you asked for. I also attached a log from Comodo.

Move IT log:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\WINNT\system32\cmd.ftp moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF157C.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF9DA5.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03212009_112001


Comodo Log:

TrojWare.Multi@5322930 H:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1856\A0138508.exe
Unclassified Malware@9163841 C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1825\A0133241.exe
Backdoor.Win32.Agent.~IAR@798142 C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1856\A0138463.exe


I removed all, but the scan did not finish fully. I aborted to follow your instructions.

#6 quietman7


Posted 21 March 2009 - 10:11 AM

The infected RP***\A00*****.exe/.dll file(s) identified by your scan are in the System Volume Information folder (SVI), which is a part of System Restore. This is the feature that protects your computer by creating backups (snapshots saved as restore points) of vital system configurations and files. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configuration, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume, including most external drives and some USB flash drives.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, they may detect and place these malicious files in quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point. In order to avoid reinfection and remove these file(s) if your security tools cannot remove them, the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point. Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

If your anti-virus or anti-malware tool was able to move the file(s), I still recommend creating a new restore point and using disk cleanup as the last step after removing malware from an infected computer.

How is your computer running now? Are there any more reports/signs of infection?
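
The distinction made in the post above (a hit inside System Volume Information is a dormant snapshot copy; a hit at a live path such as C:\WINNT\smdat32m.sys or C:\WINNT\system32\cmd.ftp means the running system carried the malware) is the one that decides whether a "clean" rescan actually means anything. The following is an added example, not code from this thread or from Malwarebytes, Kaspersky or Comodo: a small Python triage script that parses the three line-oriented log formats pasted in this thread and sorts each detection by where the object lives. The regular expressions are inferred from the lines posted here and may not match other versions of those tools (assumption); the helper names (Detection, classify_path, triage, needs_followup) are mine, and the sample log is constructed from paths posted above.

```python
"""Triage scanner log lines by where the detected object lives.

Added example; not code from the thread or from Malwarebytes, Kaspersky
or Comodo. The three line formats below are inferred from the log lines
posted in this thread and may not match other versions of those tools
(assumption). The sample log is constructed from paths posted above.
"""
import re
from dataclasses import dataclass

# Malwarebytes 1.x log entry: "<path> (<threat>) -> <action>."
MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Kaspersky Online Scanner 7 entry: "<path> Infected: <threat> <count>"
KAV_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")
# Comodo entry as pasted in the thread: "<threat>@<id> <path>"
COMODO_RE = re.compile(r"^(?P<threat>\S+@\d+)\s+(?P<path>[A-Za-z]:\\.+)$")
# A System Restore snapshot copy: <drive>:\System Volume Information\_restore{GUID}\RP<n>\...
SVI_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\",
    re.IGNORECASE,
)
REGISTRY_PREFIXES = ("HKEY_", "HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    location: str  # "restore-point", "registry", "live-driver" or "live"


def classify_path(path: str) -> str:
    """Decide whether a hit is a dormant restore-point copy or something live."""
    if path.upper().startswith(REGISTRY_PREFIXES):
        return "registry"
    if SVI_RE.match(path):
        return "restore-point"
    if path.lower().endswith(".sys"):
        # A kernel driver outside SVI is the kind of hit a rootkit scanner cares about.
        return "live-driver"
    return "live"


def parse_line(line: str):
    """Return a Detection for a recognised log line, or None for anything else."""
    line = line.strip()
    m = MBAM_RE.match(line)
    if m:
        return Detection(m["path"], m["threat"], m["action"], classify_path(m["path"]))
    for pattern in (KAV_RE, COMODO_RE):
        m = pattern.match(line)
        if m:
            return Detection(m["path"], m["threat"], "reported", classify_path(m["path"]))
    return None


def triage(lines):
    """Group detections by location; only the live ones call for follow-up."""
    groups = {"restore-point": [], "registry": [], "live-driver": [], "live": []}
    for line in lines:
        det = parse_line(line)
        if det is not None:
            groups[det.location].append(det)
    return groups


def needs_followup(groups):
    """Live hits: the running system carried malware, not just a snapshot of it."""
    return [d for loc in ("live-driver", "live") for d in groups[loc]]


# Constructed sample: one line of each format, using paths from the thread's logs.
SAMPLE_LOG = r"""
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
C:\Program Files\MyWay (Adware.MyWay) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1825\A0133243.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINNT\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\cmd.ftp Infected: Trojan-Downloader.BAT.Ftp.cq 1
TrojWare.Multi@5322930 H:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1856\A0138508.exe
Backdoor.Win32.Agent.~IAR@798142 C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1856\A0138463.exe
""".strip().splitlines()

if __name__ == "__main__":
    grouped = triage(SAMPLE_LOG)
    for loc, dets in grouped.items():
        print(f"{loc}: {len(dets)}")
    for det in needs_followup(grouped):
        print(f"FOLLOW UP  {det.threat:32} {det.path}")
```

Run against the sample, the three SVI hits (one from MBAM, two from Comodo) land in the restore-point bucket, which the procedure above handles by creating a fresh restore point and purging the old ones; the driver at C:\WINNT\smdat32m.sys and the FTP script at C:\WINNT\system32\cmd.ftp are the ones that should make you weigh the reformat question in post #4.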

#7 bomber1712


Posted 21 March 2009 - 05:37 PM

I think I'm good! I ran SAS, MBAM, Comodo AV, and gmer. They all showed nothing!

Let me know if I should do anything to clean up what we did! And THANKS!!

#8 quietman7


Posted 21 March 2009 - 06:53 PM

Did you create a new Restore Point and purge the old ones with Disk Cleanup?

#9 bomber1712


Posted 21 March 2009 - 07:40 PM

Yes, I sure did. I also ran cleanup on the other 2 drives and cleared restore points. A funny thing, though: when I run gmer, it restarts my computer.

#10 quietman7


Posted 21 March 2009 - 10:53 PM

Ok then.


Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

If using Windows Vista, please refer to:

#11 bomber1712


Posted 22 March 2009 - 09:09 PM

I am pretty sure that you have fixed everything! THANKS!! Should I run any clean up items, or are we done?

I am having some trouble with a sound card driver. When I rolled my computer back, I ended up with a problem with my sound card that I had fixed since the backup. Now, I can't seem to get the new driver installed. I keep getting an "access denied" error when I try to update the driver. Is this something that you can help me with, or should I post a new issue in a different forum?

Edited by bomber1712, 22 March 2009 - 11:38 PM.


#12 quietman7


Posted 23 March 2009 - 08:28 AM

Connect to the Internet and double-click on OTMoveIt3.exe to launch the program again.
  • Click on the green CleanUp! button.
  • When you do this, a text file named cleanup.txt will be downloaded from the Internet.
  • If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the Internet, please allow the connection.
  • After the text file has been downloaded, you will be asked if you want to Begin cleanup process?
  • Select Yes.
-- Note: Doing this will remove any specialized tools (including this one) downloaded and used. All other programs should be kept on your machine and used on a regular basis.

This forum is for malware removal. You can start a new topic in the XP forum for your driver issue.

#13 bomber1712


Posted 23 March 2009 - 11:14 AM

I will take care of that. Do you need me to report back, or do we close the thread?

If we're closing at this time, let me give you a HUGE THANKS, once again!

#14 quietman7


Posted 23 March 2009 - 11:42 AM

You're welcome.

We will keep the thread open for now.

#15 bomber1712


Posted 23 March 2009 - 08:17 PM

Done. What's next?



