viruses on the business computer


  • This topic is locked
3 replies to this topic

#1 SusanO13


Posted 21 April 2009 - 09:54 PM

I tried this on April 16, but haven't received a response as yet. So here's another go.
Original post can be found here: http://www.bleepingcomputer.com/forums/t/219992/random-files-keep-reloading/

Got a virus object called 9129837.exe and a trojan called GenericRootkit.d. Rootkit was found at [c:\WINDOWS\new_drv.sys], which is no longer there. These caused a system shutdown "initiated by NT AUTHORITY SYSTEM" caused by [C:\WINDOWS\System32\Services.exe] with a status code of "-1073741819." This appears to have been fixed, the shutdown/restart has stopped after a MBAM scan which found 103 malware files.

Now there are two new files which repeatedly download back into the system. Below, I've pasted the MBAM and HijackThis logs.

----------------more info--------------
Now, Outlook isn't loading properly and McAfee is detecting the following:
------------------
McAfee has automatically blocked and removed a Trojan.

About this Trojan
Detected: Generic Rootkit.w (Trojan), Generic Rootkit.w (Trojan)
Location: C:\WINDOWS\system32\drivers\fips32cup.sys

Trojans appear as legitimate programs but can damage valuable files, disrupt performance, and allow unauthorized access to your computer.
------------------
Apparently the initial problem has not been solved as I thought?

I can't seem to make McAfee stop!!! it's very frustrating. I have to go in and manually tell it not to detect EVERY SINGLE THING!

------------------end of more info------------------

Thanks in advance for your help!

Susan

------------MBAM scan results, note: I deleted these files again, but they'll probably come back.-----------

Malwarebytes' Anti-Malware 1.36
Database version: 1992
Windows 5.1.2600 Service Pack 3

4/16/2009 7:58:18 PM
mbam-log-2009-04-16 (19-58-18).txt

Scan type: Quick Scan
Objects scanned: 83167
Time elapsed: 6 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ksi32sk (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ksi32sk (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\ksi32sk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Camilla Protto\Local Settings\Temp\BN5B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Camilla Protto\Local Settings\Temp\BN68.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Camilla Protto\Local Settings\Temp\BND8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Camilla Protto\Local Settings\Temp\BND9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


-----------HijackThis log-------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:03 PM, on 4/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Camilla Protto\Camilla Protto.exe
C:\Program Files\IObit\Advanced SystemCare 3\Awc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


{Mod Edit: removed HJT log that are not allowed in this forum~~boopme}

Edited by boopme, 21 April 2009 - 10:25 PM.
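The MBAM log above records a classic kernel-driver persistence pair: a service key under HKLM\SYSTEM\...\Services\ksi32sk together with C:\WINDOWS\SYSTEM32\DRIVERS\ksi32sk.sys, and the shutdown status -1073741819 quoted in the first paragraph is the signed form of NTSTATUS 0xC0000005 (STATUS_ACCESS_VIOLATION), the code Windows reports when services.exe terminates on an access violation. As an added example that is not part of the original thread and not any BleepingComputer or Malwarebytes tooling, the Python below parses MBAM 1.x log lines into items, pairs Services\<name> keys with a matching <name>.sys driver, decodes the signed status code, and flags HijackThis running processes that live outside C:\WINDOWS and C:\Program Files. The sample lines are copied from the logs posted above; the trusted-root list and the one-entry NTSTATUS table are assumptions for illustration.

```python
import ntpath
import re

# Constructed sample: lines copied from the MBAM 1.36 and HijackThis logs in the
# post above, trimmed to the sections the functions below look at.
MBAM_LOG = r"""
Registry Keys Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ksi32sk (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ksi32sk (Rootkit.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\ksi32sk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Camilla Protto\Local Settings\Temp\BN5B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Camilla Protto\Local Settings\Temp\BN68.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Camilla Protto\Local Settings\Temp\BND8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Camilla Protto\Local Settings\Temp\BND9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Constructed sample: a subset of the "Running processes" list from the HijackThis log.
HJT_PROCESSES = [
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\Program Files\Java\jre6\bin\jusched.exe",
    r"c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe",
    r"C:\Documents and Settings\Camilla Protto\Camilla Protto.exe",
    r"C:\Program Files\IObit\Advanced SystemCare 3\Awc.exe",
]

# One MBAM 1.x detail line: "<path> (<family>) -> <action>."
MBAM_ITEM = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# A service key under any control set; the last path component is the service name.
SERVICES_KEY = re.compile(
    r"\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\(?P<svc>[^\\]+)$", re.I)

# Assumption: only the code seen in the post is decoded here; extend as needed.
KNOWN_NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

# Assumption: a triage heuristic, not an allow-list. Malware installed under
# Program Files would pass it, so treat hits as leads rather than a verdict.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_mbam(text):
    """Return [{section, path, family, action}] from the detail sections of an MBAM 1.x log.

    Section headers in the detail part end with ':' (e.g. 'Files Infected:');
    the summary lines near the top ('Files Infected: 5') do not and are skipped.
    """
    items, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":") and "Infected" in line:
            section = line[:-1]
            continue
        m = MBAM_ITEM.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return items


def driver_persistence(items):
    """Pair each Services\\<name> key with the <name>.sys file MBAM removed, if any."""
    services = {}
    for it in items:
        m = SERVICES_KEY.search(it["path"])
        if m:
            services.setdefault(m["svc"].lower(), []).append(it["path"])
    drivers = {}
    for it in items:
        if it["section"] == "Files Infected" and it["path"].lower().endswith(".sys"):
            name = ntpath.splitext(ntpath.basename(it["path"]))[0].lower()
            drivers[name] = it["path"]
    return {svc: {"keys": keys, "driver": drivers.get(svc)} for svc, keys in services.items()}


def decode_ntstatus(signed_code):
    """Convert the signed 32-bit value Windows prints into (NTSTATUS, symbolic name)."""
    code = signed_code & 0xFFFFFFFF
    return code, KNOWN_NTSTATUS.get(code, "unknown")


def suspicious_processes(paths):
    """Flag running processes whose image is outside the trusted roots."""
    return [p for p in paths if not p.lower().startswith(TRUSTED_ROOTS)]


if __name__ == "__main__":
    found = parse_mbam(MBAM_LOG)
    print(driver_persistence(found))
    print("0x%08X %s" % decode_ntstatus(-1073741819))
    print(suspicious_processes(HJT_PROCESSES))
```

The service-key/driver pairing is the check worth keeping: MBAM deleted both halves, yet the files returned, so whatever reinstalls them was not in the quarantined set, and a process running from the profile root (the one the last function flags) is where a helper would look next. The heuristic roots are deliberately narrow; on a real box you would also verify the Authenticode signature of each flagged image.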



#2 boopme


Posted 21 April 2009 - 10:44 PM

Hello, a few things here. I know you are waiting and it's difficult to do. Unfortunately there are another 600+ waiting also and only so many volunteers to do this. Another thing is the post I removed; I have added it here in quotes if needed. This part of our reply to logs may explain why.
Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

So what I would like to do is offer a choice. We can try cleaning your PC here or leave your now corrected HJT log post in its place in the queue. BUT we have to close one. I will await your reply.

Now, Outlook isn't loading properly and McAfee is detecting the following:
------------------
McAfee has automatically blocked and removed a Trojan.

About this Trojan
Detected: Generic Rootkit.w (Trojan), Generic Rootkit.w (Trojan)
Location: C:\WINDOWS\system32\drivers\fips32cup.sys

Trojans appear as legitimate programs but can damage valuable files, disrupt performance, and allow unauthorized access to your computer.
------------------
Apparently the initial problem has not been solved as I thought?

I can't seem to make McAfee stop!!! it's very frustrating. I have to go in and manually tell it not to detect EVERY SINGLE THING! Neighbor is interested in avast, but I don't want to uninstall McAfee since she's paid for it. Advice? She says that if you tell me to uninstall it, that's fine.

Thx!



#3 SusanO13


Posted 23 April 2009 - 11:24 AM

Let's leave the corrected HJT log post in its place in the queue. Sorry about the second post. I figured since I made a reply to the first log it was being overlooked. I know there are many others also waiting. Thank you for your help.

#4 boopme


Posted 23 April 2009 - 08:41 PM

Hi Susan, I think that was the better choice and thanks for your decision and reply. I will close this with a reply. If needed, I or any Staff are a PM away if you have a question. Your log will get replied to and they will take care of it. Thanks, boop.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.



