
Think I got Conficker... Microsoft MSRT says I'm clean though?!?


This topic is locked
15 replies to this topic

#1 buzzhunter


Posted 06 April 2009 - 10:26 AM

Hello people, thanks in advance for any help you can provide. Apologies up front for not being as specific as I might like... I have to try to remember what's going on with my infected home computer in order to report it to you from my clean work computer.

I am running Windows XP with Service Pack 2. Here's a summary of some of the symptoms I've seen:

- Strange miniature blue dialog box pops up in the bottom left on start. Can't click it or close it before it disappears after a few seconds.
- "Old school" gray Windows taskbar missing several buttons.
- Can't connect to the internet at all. Firefox/IE crash before opening. No other programs can automatically connect, including security.
- Can't copy and paste files, or drag and drop. Get an RPC error.
- Can't run many security programs. Norton does not open (except for scan only in safe mode), other programs will not update (no connection).
- Can't load Microsoft Security Update exe. Get "Not a Win32 Application" error.
- Can't load and run Malwarebytes' Anti-Malware. Get Run-time error '372': Failed to load control 'vbalGrid' from vbalsgrid6.ocx.
- Can't search computer.
- Can't run System Restore ("System Restore is not able to protect your computer...")

I WAS able to run Microsoft's Malware Removal Tool (MSRT), but it said I was totally clean of Conficker and everything else it checks for. I figured it must be something else, despite the symptoms looking the same... until I found a file "C:\Win32.Worm.Downladup.Gen.log" on my hard drive (changed the extension to .logbad for now).

Looking at a previous HJT log I noticed svchost.exe was missing. I tried running SFC.EXE /SCANNOW but that didn't find anything missing. My computer came loaded with Windows XP, so I don't think I have a disc anyway (though I might be able to get one). I've backed up all my personal files, so it wouldn't be the end of the world if I had to reformat. I'd just rather not have to. Thanks for any help you can provide.

Steve


DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 9:13:07.14 on Sun 04/05/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = localhost;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\sorry.exe,c:\windows\system32\twext.exe,c:\windows\system32\twex.exe,c:\windows\system32\sdra64.exe,
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.9.0\ViewBarBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\companion\modules\messmod4\v6\yhexbmes.dll
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BackupNotify] c:\program files\hp\digital imaging\bin\backupnotify.exe
uRun: [DW4] c:\program files\the weather channel fw\desktop weather\DesktopWeather.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [iLike] c:\program files\ilike\1.2.13\ilikesidebar.exe /checkforupdate
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\companion\modules\messmod4\v6\yhexbmes.dll
Trusted Zone: recruitmax.com\bearingpoint
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} - file://e:\components\hidinputmonitorx.ocx
DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} - file://e:\components\A9.ocx
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139613480375
DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} - file://e:\components\wmvhdrating.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SubSystems: Windows = basejini32

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\t5kkff7p.default\
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-05 09:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-05 09:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 09:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 09:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-02 21:49 <DIR> --d----- c:\docume~1\owner\applic~1\AVGTOOLBAR
2009-04-02 21:49 <DIR> --d----- c:\program files\AVG
2009-04-02 21:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-02 19:55 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-04-02 19:55 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-04-02 19:55 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-02 19:55 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-04-02 19:55 <DIR> --d----- c:\program files\common files\PC Tools
2009-04-02 19:54 <DIR> --d----- c:\program files\Spyware Doctor
2009-04-02 19:54 <DIR> --d----- c:\docume~1\owner\applic~1\PC Tools
2009-04-02 19:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-04-02 19:53 70 a------- C:\Win32.Worm.Downladup.Gen.logbad
2009-03-31 08:25 <DIR> --d----- c:\windows\system32\XPSViewer
2009-03-31 08:22 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-31 08:22 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-31 08:22 117,760 -------- c:\windows\system32\prntvpt.dll
2009-03-31 08:22 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-03-31 08:22 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-31 08:22 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-03-31 08:22 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-03-31 08:13 <DIR> --d----- c:\program files\MSXML 6.0
2009-03-08 14:20 <DIR> --dsh--- c:\windows\system32\lowsec
2009-03-08 14:19 <DIR> --dsh--- c:\windows\system32\twain32
2009-03-08 14:19 66,560 a------- C:\om2hxvdanf3h.exe
2009-03-08 13:37 132,623 a------- c:\windows\system32\rn.tmp

==================== Find3M ====================

2009-02-26 08:37 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-01-11 13:54 22,528 a------- c:\windows\system32\~.exe
2009-01-07 12:28 453,152 a------- c:\windows\system32\NVUNINST.EXE
2005-06-16 20:11 29,494,124 ac------ c:\program files\citizencope2005-06-12d2t09.wav
2005-06-16 20:05 47,209,388 ac------ c:\program files\citizencope2005-06-12d2t08.wav
2005-06-16 19:53 56,671,484 ac------ c:\program files\citizencope2005-06-12d2t07.wav
2005-06-16 19:38 69,678,044 ac------ c:\program files\citizencope2005-06-12d2t06.wav
2005-06-16 19:23 38,208,284 ac------ c:\program files\citizencope2005-06-12d2t05.wav
2005-06-16 19:13 40,115,756 ac------ c:\program files\citizencope2005-06-12d2t04.wav
2005-06-16 19:04 63,675,740 ac------ c:\program files\citizencope2005-06-12d2t03.wav
2005-06-16 18:48 65,811,356 ac------ c:\program files\citizencope2005-06-12d2t02.wav
2005-06-16 18:34 63,120,668 ac------ c:\program files\citizencope2005-06-12d2t01.wav
2005-06-16 18:17 73,617,644 ac------ c:\program files\citizencope2005-06-12d1t08.wav
2005-06-16 17:58 35,726,924 ac------ c:\program files\citizencope2005-06-12d1t07.wav
2005-06-16 17:49 75,769,724 ac------ c:\program files\citizencope2005-06-12d1t06.wav
2005-06-16 17:32 41,573,996 ac------ c:\program files\citizencope2005-06-12d1t05.wav
2005-06-16 17:20 56,222,252 ac------ c:\program files\citizencope2005-06-12d1t04.wav
2005-06-16 16:46 56,930,204 ac------ c:\program files\citizencope2005-06-12d1t03.wav
2005-06-16 16:17 45,852,284 ac------ c:\program files\citizencope2005-06-12d1t02.wav
2005-06-16 15:48 52,042,748 ac------ c:\program files\citizencope2005-06-12d1t01.wav
2004-08-04 03:56 4,096 a--sh--- c:\windows\system32\botrc.dat
2006-05-03 06:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 07:47 31,232 ---shr-- c:\windows\system32\msfDX.dll

============= FINISH: 9:13:46.21 ===============


#2 Jat90


Posted 06 April 2009 - 11:26 AM

Hello, buzzhunter

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


I need some time to look over your log, I will post back soon.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 buzzhunter


Posted 06 April 2009 - 02:17 PM

Thanks so much for the help. I've seen the work you folks have done on here before and very much appreciate it. Right now I'm responding from work, which is easy, but when I am at home I can't get online from the infected computer. I can use the internet browser on my PS3 at home, but my responses will be more limited. I can download files to a USB, though, so if I need to run anything like ComboFix, I should be able to do that. Just let me know what I need to do, I look forward to figuring out what the heck this is!

Steve

#4 Jat90


Posted 06 April 2009 - 04:20 PM

Hello,

Registry Backup

Backup Your Registry with ERUNT
  • Download from here
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

OTMoveIt

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :files
    c:\windows\sorry.exe
    c:\windows\system32\twext.exe
    c:\windows\system32\twex.exe
    c:\windows\system32\sdra64.exe
    
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
    "Windows"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
    32,5c,63,73,72,73,73,2e,65,78,65,20,4f,62,6a,65,63,74,44,69,72,65,63,74,\
    6f,72,79,3d,5c,57,69,6e,64,6f,77,73,20,53,68,61,72,65,64,53,65,63,74,69,\
    6f,6e,3d,31,30,32,34,2c,33,30,37,32,2c,35,31,32,20,57,69,6e,64,6f,77,73,\
    3d,4f,6e,20,53,75,62,53,79,73,74,65,6d,54,79,70,65,3d,57,69,6e,64,6f,77,\
    73,20,53,65,72,76,65,72,44,6c,6c,3d,62,61,73,65,73,72,76,2c,31,20,53,65,\
    72,76,65,72,44,6c,6c,3d,77,69,6e,73,72,76,3a,55,73,65,72,53,65,72,76,65,\
    72,44,6c,6c,49,6e,69,74,69,61,6c,69,7a,61,74,69,6f,6e,2c,33,20,53,65,72,\
    76,65,72,44,6c,6c,3d,77,69,6e,73,72,76,3a,43,6f,6e,53,65,72,76,65,72,44,\
    6c,6c,49,6e,69,74,69,61,6c,69,7a,61,74,69,6f,6e,2c,32,20,50,72,6f,66,69,\
    6c,65,43,6f,6e,74,72,6f,6c,3d,4f,66,66,20,4d,61,78,52,65,71,75,65,73,74,\
    54,68,72,65,61,64,73,3d,31,36,00
    
    :commands
    [EmptyTemp]
    [Reboot]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Gmer

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
ReScan

Please rescan with DDS and post DDS.txt


In your next reply, please post:
  • OTMI log
  • Gmer log
  • DDS log

- Jat90 -

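The two registry values the :reg section of the OTMoveIt script restores can be audited offline with a short script. This is an added example, not part of Jat90's instructions or of OTMoveIt: it decodes the hex(2) SubSystems\Windows value back into the csrss command line, flags any ServerDll entry outside the stock Windows XP set (a constructed value mimics the DDS log's "SubSystems: Windows = basejini32"), and lists the entries on the DDS mWinlogon Userinit line beyond userinit.exe. The stock-XP baselines are assumptions about the default OS, not something stated in the thread.

```python
"""Added example (not from the thread): audit the Winlogon Userinit and
SubSystems\\Windows values that the OTMoveIt script above restores, using the
DDS log line and the .reg fragment posted in this thread as sample input."""
import re

# Assumed baseline: stock ServerDll entries of the csrss command line on XP.
EXPECTED_SERVER_DLLS = {
    "basesrv",
    "winsrv:UserServerDllInitialization",
    "winsrv:ConServerDllInitialization",
}
# Assumed baseline: the only Userinit entry on a default Windows XP install.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Sample input 1: the :reg section of the OTMoveIt script posted in this thread.
REG_FIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,63,73,72,73,73,2e,65,78,65,20,4f,62,6a,65,63,74,44,69,72,65,63,74,\
6f,72,79,3d,5c,57,69,6e,64,6f,77,73,20,53,68,61,72,65,64,53,65,63,74,69,\
6f,6e,3d,31,30,32,34,2c,33,30,37,32,2c,35,31,32,20,57,69,6e,64,6f,77,73,\
3d,4f,6e,20,53,75,62,53,79,73,74,65,6d,54,79,70,65,3d,57,69,6e,64,6f,77,\
73,20,53,65,72,76,65,72,44,6c,6c,3d,62,61,73,65,73,72,76,2c,31,20,53,65,\
72,76,65,72,44,6c,6c,3d,77,69,6e,73,72,76,3a,55,73,65,72,53,65,72,76,65,\
72,44,6c,6c,49,6e,69,74,69,61,6c,69,7a,61,74,69,6f,6e,2c,33,20,53,65,72,\
76,65,72,44,6c,6c,3d,77,69,6e,73,72,76,3a,43,6f,6e,53,65,72,76,65,72,44,\
6c,6c,49,6e,69,74,69,61,6c,69,7a,61,74,69,6f,6e,2c,32,20,50,72,6f,66,69,\
6c,65,43,6f,6e,74,72,6f,6c,3d,4f,66,66,20,4d,61,78,52,65,71,75,65,73,74,\
54,68,72,65,61,64,73,3d,31,36,00
"""

# Sample input 2: the mWinlogon line from the DDS log posted in this thread.
DDS_USERINIT_LINE = (
    r"mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\sorry.exe,"
    r"c:\windows\system32\twext.exe,c:\windows\system32\twex.exe,"
    r"c:\windows\system32\sdra64.exe,"
)


def decode_reg_hex_value(reg_text, value_name):
    """Return the string stored in a .reg "name"=hex(n): value, joining the
    backslash line continuations and stripping the trailing NUL terminator."""
    joined = re.sub(r"\\[ \t]*\r?\n[ \t]*", "", reg_text)
    pattern = r'"%s"=hex\(\d+\):([0-9a-fA-F,]+)' % re.escape(value_name)
    match = re.search(pattern, joined)
    if not match:
        raise ValueError("value %r not found" % value_name)
    raw = bytes(int(h, 16) for h in match.group(1).split(",") if h)
    # Real REG_EXPAND_SZ exports are UTF-16LE (every second byte 0x00); the
    # fix in this thread uses single-byte ASCII, so detect which one we have.
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return text.rstrip("\x00")


def audit_subsystem_windows(value_text):
    """Return ServerDll entries that are not part of the stock csrss command line."""
    found = set()
    for token in value_text.split():
        if token.startswith("ServerDll="):
            found.add(token.split("=", 1)[1].rsplit(",", 1)[0])
    return sorted(found - EXPECTED_SERVER_DLLS)


def audit_userinit(dds_line):
    """Return the Userinit entries other than userinit.exe from a DDS
    'mWinlogon: Userinit=...' line (these are the files the fix removes)."""
    _, _, value = dds_line.partition("Userinit=")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def constructed_hijacked_value():
    """Constructed approximation of the infected value: the DDS log reports
    'SubSystems: Windows = basejini32' where the stock basesrv entry belongs."""
    stock = decode_reg_hex_value(REG_FIX, "Windows")
    return stock.replace("ServerDll=basesrv,1", "ServerDll=basejini32,1")


if __name__ == "__main__":
    restored = decode_reg_hex_value(REG_FIX, "Windows")
    print("restored value:", restored)
    print("unexpected ServerDll (restored):", audit_subsystem_windows(restored))
    print("unexpected ServerDll (infected):",
          audit_subsystem_windows(constructed_hijacked_value()))
    print("extra Userinit entries:", audit_userinit(DDS_USERINIT_LINE))
```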

#5 buzzhunter


Posted 06 April 2009 - 05:09 PM

Great, thanks! I will download what I need and go home and try it right away! I may be unable to post, though, until I get back here tomorrow (9AM EST). Thanks so much for your help, I'll let you know how it comes out just as soon as I can.

Steve

#6 buzzhunter


Posted 06 April 2009 - 05:13 PM

I can already tell one problem I'm going to have... I can't copy & paste files OR drag & drop. I don't think I will be able to move files to the desktop to run them, I'll have to run them from the USB. Will this cause a problem?

Thanks again.

Steve

#7 Jat90


Posted 06 April 2009 - 05:28 PM

No, this should be fine.

As for copying and pasting files, you will need to do this to give me the logs. Do you have another clean computer that you can post from?

If so, I would recommend you cut the internet access on your infected pc. Use a USB stick to transfer files needed to the infected pc, save the logs from the infected machine to the USB and paste it here through your clean PC.
- Jat90 -


#8 Jat90


Posted 06 April 2009 - 05:48 PM

Hello,

It has just come to my attention that one of these infections has backdoor capabilities.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
- Jat90 -


#9 buzzhunter


Posted 07 April 2009 - 12:39 PM

Jat,

Thank you SO much for your timely help on this matter. I've decided to take your advice and reformat entirely. Since my computer had come preloaded with XP, I went ahead and ordered my own copy of XP with SP2 (screw Vista). Any advice on what I should backup from my computer before I do that? I've already backed up my personal files (documents, pictures, game saves, etc.), but should I backup my MS Office, Norton, etc. too? If this isn't the proper forum, my apologies, just want to make sure I'm not making such a major move without considering all I need to do.

Thanks again! Even though we didn't technically "save" it, I'm glad I got such helpful advice. :-)

Steve

#10 Jat90


Posted 07 April 2009 - 12:50 PM

Hello,

Backup all work, music, pictures and personal files. Also, some of the hardware installed may require a software installation for it to work correctly. You should have a CD with the driver installations on it that came with your PC, or you may have to download them from the manufacturer's site. See the "After the Install" part of the following guide for a clearer picture:

http://web.mit.edu/ist/products/winxp/adva...all-format.html

Other software such as Microsoft Office and Norton Antivirus should be reinstalled using the respective CDs that you first used to install them.

Hope that answered your question.
- Jat90 -


#11 buzzhunter


Posted 07 April 2009 - 03:17 PM

Thanks so much, Jat. Final question... my hard drive is split into two partitions, C: and D: for recovery. Do I need to keep this in mind when reformatting? Thanks...

Steve

#12 Jat90


Posted 07 April 2009 - 03:21 PM

Yes, since the infection is located on the C:\ partition, this is the one you will need to reformat and reinstall Windows on. You will be presented with a screen asking which partition you wish to install Windows on, so choose drive C.
- Jat90 -


#13 buzzhunter


Posted 07 April 2009 - 03:24 PM

OK, so the reformat won't touch the recovery drive D:? Should I consider my recovery options from D: first? Now that I think about it, that may have what I need to do a reload anyway, and might be why I don't have disks...

Thanks Jat. You're the best. I never thought I'd be so excited to reformat my hard drive. :-)

#14 Jat90


Posted 07 April 2009 - 03:30 PM

If you do not have the disk and your computer already came partitioned, it's likely they are located on the partitioned drive, yes. See this Video for a visual understanding.

Also, you may want to post in the Windows XP Forum for more detailed help, as my advice alone may be insufficient.
- Jat90 -


#15 buzzhunter


Posted 07 April 2009 - 03:31 PM

Thanks Jat, I'll do so. All the best in the future...

Steve



