
after infection removal can't connect to internet


15 replies to this topic

#1 deal


Posted 26 March 2009 - 10:42 AM

If you have any suggestions I would appreciate it. From reading I thought about uninstalling SP3 but would prefer some expert advice. Thanks.

Folders Infected: 3
Files Infected: 20

Memory Processes Infected:
C:\WINDOWS\pp04.exe (Worm.Koobface) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\dll32.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\mfc42locac.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ExtSecurityCenter (Rogue.ExtSecurityCenter) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca3d4c25-4dc6-462d-a142-ee84fdbbfae1} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ca3d4c25-4dc6-462d-a142-ee84fdbbfae1} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca3d4c25-4dc6-462d-a142-ee84fdbbfae1} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Worm.Koobface) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rvoruviju (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Compaq_Owner\Application Data\VirusRemover2009 (Rogue.VirusRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\VirusRemover2009\Logs (Rogue.VirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Spyware.StolenData) -> Delete on reboot.

Files Infected:
C:\WINDOWS\pp04.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dll32.dll (Backdoor.Bot) -> Delete on reboot.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1249\A0094513.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1250\A0094532.exe (Rogue.VirusRemover2009) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sys.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\MTYDNX4I\virusremover2009_setup_free_rezer_en[2].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\MTYDNX4I\virusremover2009_setup_free_rezer_en[3].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\VirusRemover2009\Logs\scns.log (Rogue.VirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Spyware.StolenData) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Spyware.StolenData) -> Delete on reboot.
C:\WINDOWS\mstre15.exe (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\freddy39.exe (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\msmark2.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2792f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2808f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2810f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\Kbebuxoj.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mfc42locac.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\ld02.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
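As an added example, not from this thread or from Malwarebytes: a small Python parser for the MBAM log layout quoted above. The sample lines are constructed from that layout; the parser pulls out the "Delete on reboot" entries (removals that only complete after a restart, which is why a follow-up scan is asked for) and the executable appended to the Winlogon Userinit value.

```python
import re
from dataclasses import dataclass

# Constructed sample in the Malwarebytes' Anti-Malware 1.3x log layout quoted in this thread.
SAMPLE_LOG = r"""Memory Modules Infected:
C:\WINDOWS\system32\dll32.dll (Backdoor.Bot) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\pp04.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Spyware.StolenData) -> Delete on reboot.
"""

# One detection line: "<object> (<detection>) -> [<detail> -> ]<action>."
LINE_RE = re.compile(r"^(?P<obj>.+?) \((?P<det>[^()]+)\) -> (?P<rest>.+)\.$")

@dataclass
class Finding:
    section: str    # e.g. "Files Infected"
    obj: str        # file path or registry key/value
    detection: str  # e.g. "Worm.Koobface"
    detail: str     # "Bad: (...) Good: (...)" / "Data: ..." or "" when absent
    action: str     # e.g. "Delete on reboot"

def parse_mbam_log(text):
    """Turn the per-section detection lines of an MBAM log into Finding records."""
    findings, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("("):   # blank or "(No malicious items detected)"
            continue
        if line.endswith(":"):                 # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = LINE_RE.match(line)
        if not m:                              # summary counts, timestamps, etc.
            continue
        *detail, action = m["rest"].split(" -> ")
        findings.append(Finding(section, m["obj"], m["det"], " -> ".join(detail), action))
    return findings

def pending_on_reboot(findings):
    """Objects MBAM could not remove while running; they stay in place until the
    restart, which is why a fresh scan after rebooting is the right confirmation."""
    return [f.obj for f in findings if f.action == "Delete on reboot"]

def userinit_hijacks(findings):
    """For Hijack.UserInit entries, list the executables added to the Userinit value beyond userinit.exe."""
    extra = []
    for f in findings:
        bad = re.search(r"Bad: \((.*?)\)", f.detail) if f.detection == "Hijack.UserInit" else None
        if bad:
            extra += [p for p in bad.group(1).split(",") if p and not p.lower().endswith("userinit.exe")]
    return extra
```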


#2 Guest_superbird_*


Posted 26 March 2009 - 12:41 PM

Hi,

To be sure everything has gone, do a new full scan with MBAM. Post the logfile in your next reply. :thumbsup:

Besides that, do this also:

Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

#3 deal


Posted 26 March 2009 - 02:04 PM

Thanks for your quick response. Here are the latest MBAM scan results. I'm running the other one now and will post the results.

Malwarebytes' Anti-Malware 1.34
Database version: 1902
Windows 5.1.2600 Service Pack 2

03/26/2009 2:58:15 PM
mbam-log-2009-03-26 (14-58-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 208196
Time elapsed: 1 hour(s), 55 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 Guest_superbird_*


Posted 27 March 2009 - 01:43 AM

May I have the Kaspersky log too? :thumbsup:

#5 deal


Posted 27 March 2009 - 09:27 AM

Yes indeed, the first time it ran I lost the results (I think somebody closed the window while I was away). I also jumped the gun and uninstalled and reinstalled SP3 and that led to a huge download from Windows Update. It's almost finished and I'm about to start the scan again. For good measure I'll run the MBAM scan again as well, and if it finds anything at all I'll post those results too.

Thanks so much for your patience.

#6 Guest_superbird_*


Posted 27 March 2009 - 09:33 AM

That's ok. And you're most welcome. :thumbsup:

#7 deal


Posted 27 March 2009 - 12:36 PM

That was a lengthy scan; here are the results:

I'm in the process of updating and running MBAM again now.

KASPERSKY ONLINE SCANNER 7 REPORT
Friday, March 27, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, March 27, 2009 13:40:06
Records in database: 1976549
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
K:\

Scan statistics:
Files scanned: 115921
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:22:26


File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Desktop\catchme.zip Infected: Trojan-Spy.Win32.Zbot.gbd 1
C:\WINDOWS\pp05.exe Infected: Backdoor.Win32.Agent.afci 1
D:\I386\Apps\APP21128\src\HPSummer2005.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1

The selected area was scanned.

#8 Guest_superbird_*


Posted 27 March 2009 - 12:40 PM

Hi,

Go to Start > My Computer.
Delete the following files:
C:\Documents and Settings\Administrator\Desktop\catchme.zip
C:\WINDOWS\pp05.exe
D:\I386\Apps\APP21128\src\HPSummer2005.exe
(If you don't know the folder "D:\I386\Apps\APP21128", you may delete the whole folder)

#9 deal


Posted 27 March 2009 - 02:11 PM

OK, the D drive is a recovery partition and I'm not sure how to access it in order to remove that file. ???

I updated and ran MBAM and it also found the pp05.exe file but nothing else. So I may just be clean now?

Thanks for all your help.

Malwarebytes' Anti-Malware 1.35
Database version: 1906
Windows 5.1.2600 Service Pack 3

03/27/2009 3:05:43 PM
mbam-log-2009-03-27 (15-05-32).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 216374
Time elapsed: 1 hour(s), 23 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\pp05.exe (Trojan.Agent) -> No action taken.

#10 Guest_superbird_*


Posted 27 March 2009 - 02:14 PM

Can't you just access the D-drive?

#11 deal


Posted 27 March 2009 - 02:49 PM

I had system and hidden files filtered out. But after fixing that, the D:\i386 folder just shows a lock and I can't view the contents of it.

#12 Guest_superbird_*


Posted 27 March 2009 - 02:52 PM

Hi,

Then we do it automatically:

Download this file to your Desktop: http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/
Start the setup_.exe-file and click "Next".
The tool will be unzipped now to its own folder on the Desktop; confirm this by pressing "Next" again.
Now, click "Scan" to start the quick scan.
When it's finished, the found malware will be shown to you; press "Delete".
Now click the button "Reports" in the main screen and save the logfile to your Desktop.
Post this logfile in your next reply.
After that you'll get this message: "Do you want to uninstall?", choose "Yes".
The tool will be deleted then.

#13 deal


Posted 27 March 2009 - 03:46 PM

Makes me nervous messing with Compaq's recovery partition but hey, did it anyway:

Scan
----
Scanned: 116227
Detected: 3
Untreated: 0
Start time: 03/27/2009 4:16:23 PM
Duration: 00:26:01
Finish time: 03/27/2009 4:42:24 PM


Detected
--------
Status Object
------ ------
deleted: adware not-a-virus:AdWare.Win32.MyWay.j File: D:\I386\Apps\APP21128\src\HPSummer2005.exe//WiseSFXDropper//WISE0016.BIN
deleted: adware not-a-virus:AdWare.Win32.MyWay.j File: D:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1255\A0103220.exe//WiseSFXDropper//WISE0016.BIN
deleted: adware not-a-virus:AdWare.Win32.MyWay.j File: D:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1255\A0103220.exe//WiseSFXDropper


Events
------
Time Name Status Reason
---- ---- ------ ------
03/27/2009 4:16:29 PM Running module: smss.exe\smss.exe ok scanned


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology No
Enable iSwift technology No
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search No
Use heuristic analyzer Yes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----

#14 Guest_superbird_*


Posted 27 March 2009 - 03:47 PM

Do you still have problems? :thumbsup:

#15 deal


Posted 27 March 2009 - 03:53 PM

Nothing I can see. The machine is working now. I assume it's clean now. Nothing is showing any hits.

Thanks so much for all your help.
