
Frustrating issue, ignored on several forums


15 replies to this topic

#1 Bradius80

Bradius80

  • Members
  • 12 posts

Posted 03 July 2009 - 08:43 AM

My wife's computer has some serious issues and I'm now almost entirely out of options. I've posted the problem on several of the web's biggest tech support and so-called "expert" forums, only to be ignored or told to perform steps I've already stated I took, to no effect.

I won't go into the whole long-winded story about it; suffice to say I'm no expert when it comes to viruses and spyware, but so far every time my wife's computer has had a virus, no matter how severe, I've been able to hunt it down and kill it... until now. Her computer is running XP SP2. At the time the problems started (about 2 months ago) no new software had been knowingly added to the computer in several months, apart from World of Warcraft patches, which I had no problems with on my own computer, and all antivirus, malware and spyware programs were running fine.

Here's a breakdown of the symptoms:

Random lockups. Some days she can use the computer for several hours, sometimes only for half an hour and the whole computer will freeze without warning or any kind of error message.

Random ads playing through the speakers. Mostly late at night, and it can last for anywhere from 5 minutes to an hour before it stops. The ads sometimes sound like ads on TV, sometimes it sounds like a whole movie is playing through her speakers, though no extra processes are running in Task Manager and no new programs are popping up on screen. It stops as mysteriously as it starts. In fact, the day Michael Jackson died was the worst, as all we heard was "Heal the World" played in its entirety every half an hour, and then it would stop again.

Internet Explorer and Firefox not working properly. Sometimes she can use one or the other to look something up or go on Facebook, but most of the time the web page either won't open at all or closes itself 2 seconds after opening. Often it'll take opening a page or typing a search 5 or 6 times before the page stays open (a lot of the time pages close after hitting Enter when typing something to search).

Clicking sounds... like the navigation click when you click a link on a web page, though no page is actually open and nothing is showing in Task Manager. These clicks always come in twos and take priority over any other window open. If she's playing a game at the time, like World of Warcraft, it'll minimise, though there's no web page coming up.

As for what I've tried to clear it: I've found several spyware and viruses that closely resemble these symptoms, some of which I DID find on her computer, but they have since been cleaned and there's no longer any trace of them, yet the problems still persist. The only program I can now get to work at all on her computer is Ad-Aware, which is telling me her computer is clean. Malwarebytes and all other antivirus and antispyware programs no longer run or can even be reinstalled. I've checked the registry for anything that shouldn't be there; there's no longer anything additional in the registry showing up. Nothing new comes up in Task Manager, and even online virus and spyware scans come up negative.

I'm desperate for a solution now, as we don't have a copy of Windows to just reformat and reinstall, and if I can't find what's causing this and how to remove it, we'll need to buy a new computer. We need both our computers working as we rely on them for our income.


#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 July 2009 - 08:48 AM

http://www.malwarebytes.org/forums/index.php?showforum=52

This guide shows several specific "MBAM won't run" solutions.

Please start with this one

http://www.malwarebytes.org/forums/index.php?showtopic=12709

Please post the rootrepeal file scan
Chewy

No. Try not. Do... or do not. There is no try.

#3 Bradius80

Bradius80
  • Topic Starter

  • Members
  • 12 posts

Posted 03 July 2009 - 09:07 AM

I'm not sure exactly what you mean by that. I'm posting this thread on my own computer, as hers is too touchy using IE or Firefox to ensure it'll stay up long enough to post here, but I can give it a try. Could you please explain what a RootRepeal file scan is?

#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 July 2009 - 09:23 AM

Rootrepeal is a rootkit scanner

Odds are that her computer is infected with a rootkit

Transfer the scanner to her computer and follow that guide, and see if one of the TDSS rootkits is listed. Go ahead and wipe the file if you find it, then reboot and run MBAM.


Once we identify and neutralize the rootkit and get MBAM working, that would be the time to take her computer online.
Chewy

No. Try not. Do... or do not. There is no try.

#5 Bradius80

Bradius80
  • Topic Starter

  • Members
  • 12 posts

Posted 03 July 2009 - 09:57 AM

Okie dokie, she's playing WoW tonight anyway, so I'll run that first thing when I get up in the morning and post the logs here for you. A lot of what I read in that MBAM fix link you posted was gibberish to me, and I'm assuming you're better equipped to know which file I'd be looking for and whether it's there than I would. :thumbsup:

#6 Bradius80

Bradius80
  • Topic Starter

  • Members
  • 12 posts

Posted 03 July 2009 - 10:42 AM

There are several tabs at the bottom of the scan screen, asking which part of the system I want to scan (drivers, files etc.). Which one of these should I be scanning to check for these rootkit files?

#7 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 July 2009 - 10:47 AM

The file tab is all we need to start with
Chewy

No. Try not. Do... or do not. There is no try.

#8 Bradius80

Bradius80
  • Topic Starter

  • Members
  • 12 posts

Posted 03 July 2009 - 10:55 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/04 01:53
Program Version: Version 1.3.0.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACcspejepqlpicdam.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAChqoutbkivknbhsj.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnpumfowaycqmust.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACrslysgmccmpxbam.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvsdgryahwayjmuv.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACwinlaqllrykmihl.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACwispkhxllkieexu.dat
Status: Invisible to the Windows API!

Path: C:\Program Files\Sandlot\Cake Mania\cakemania.exe:{CC93F282-9F98-EEBA-1D94-B379F02AE5B6}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\UACpaswvgkuowyjawn.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Temp\UAC6e67.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\0GH9UOFY\UACAX194XTCAKOVRX8CAVQ7717CA6Q8PU0CAFMYQR7CAE8IME1CA1159DWCASVNUT2CAFOUNY7CAHZKE0ICAYPZI97CAQ3JF90CAEJBM94CA29I0PXCA007VFFCA56E4MHCAJ161RXCATYNNXU.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9I09XT67\UACAHJZNX8CAFSPQ5NCA2PSR2CCA60O4WFCA12GS3HCAWRETQGCATR60D2CAOVM5XWCALONO1BCA0QS114CAV5IS3CCAVKZMITCA8FDVZLCA5PPKOICAC6KAJTCAHCVZCSCAZCMC7HCA5GDZY7.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\The Simpsons Music CDS\The Simpsons - Go Simpsonic With The Simpsons\03 - All Singing, All Dancing (Medley) -a)''Gonna Paint Our Wagon'' Theme & Reprise -B)A Singing, Dancing, Entertainment Machine.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\The Simpsons Music CDS\The Simpsons - Go Simpsonic With The Simpsons\30 - Cape Feare (Medley) -a)Any Last Requests -B)H.M.S. Pinafore -c)Bart's Holding The Buttercup -d)Bart & Bob Bop & Bounce -e)The Act Is Up.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\6C8T9XP8\default;sz=728x90;!c=;kvid=fnofRQS-txU;kpu=destinationhandycam;ko=u;kpid=;kr=H;u=fnofRQS-txU__7E7A1F4504BEB715;tile=1;dcopt=ist;ord=4896089513631371[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\C7MOQ0BU\default;sz=728x90;!c=;kvid=fnofRQS-txU;kpu=destinationhandycam;ko=u;kpid=;kr=H;u=fnofRQS-txU__7E7A1F4504BEB715;tile=1;dcopt=ist;ord=9250807700869652[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\C7MOQ0BU\default;sz=728x90;!c=;kvid=qq8qAkpV9YE;kpu=FullySickGrkWogBro2c;ko=u;kpid=;kr=A;u=qq8qAkpV9YE__AAAF2A024A55F581;tile=1;dcopt=ist;ord=9947658763194180[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Other\Maps-N95-au1\Private - Original\20001EA8\import\000\3080_19_00_10_01_01_02_01_03_01_04_01_05_01_06_01_07_01_08_01_09_01_10_01_11_01_12_01_13_01_14_01_15_01_16_01_17_01_18_01_00_40.mbm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Other\Maps-N95-au1\Private - Original\20001EA8\import\000\3082_19_00_10_01_01_02_01_03_01_04_01_05_01_06_01_07_01_08_01_09_01_10_01_11_01_12_01_13_01_14_01_15_01_16_01_17_01_18_01_00_40.mbm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\01\12-{0745B45F-98FD-68DB-052B-F27547A3E048}-v1-{B8F19FA2-8D79-42B1-B0F8-B6DA766E176E}-v12-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\13\13-{B8F19FA2-8D79-42B1-B0F8-B6DA766E176E}-v13-{B8F19FA2-8D79-42B1-B0F8-B6DA766E176E}-v13-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\16\16-{B8F19FA2-8D79-42B1-B0F8-B6DA766E176E}-v16-{B8F19FA2-8D79-42B1-B0F8-B6DA766E176E}-v16-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\17\17-{B8F19FA2-8D79-42B1-B0F8-B6DA766E176E}-v17-{B8F19FA2-8D79-42B1-B0F8-B6DA766E176E}-v17-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\18\18-{B8F19FA2-8D79-42B1-B0F8-B6DA766E176E}-v18-{B8F19FA2-8D79-42B1-B0F8-B6DA766E176E}-v18-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\24\24-{061A599E-4A7D-4E31-B824-4FCB6BF7DEC1}-v24-{061A599E-4A7D-4E31-B824-4FCB6BF7DEC1}-v24-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\25\25-{06~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\25\25-{06~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\25\25-{06~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\25\25-{06~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\25\25-{06~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\25\25-{06~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\25\25-{06~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\25\25-{06~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\25\25-{06~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\25\25-{06~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\25\25-{06~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\25\25-{06~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\26\26-{061A599E-4A7D-4E31-B824-4FCB6BF7DEC1}-v26-{061A599E-4A7D-4E31-B824-4FCB6BF7DEC1}-v26-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\alicialanglands@hotmail.com\DFSR\Staging\CS{0745B45F-98FD-68DB-052B-F27547A3E048}\27\27-{061A599E-4A7D-4E31-B824-4FCB6BF7DEC1}-v27-{061A599E-4A7D-4E31-B824-4FCB6BF7DEC1}-v27-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\daniellesommers84@hotmail.com\SharingMetadata\dcm_06@hotmail.com\DFSR\Staging\CS{60E650F5-6B3C-15EB-58C3-1E1679348B93}\01\15-{60E650F5-6B3C-15EB-58C3-1E1679348B93}-v1-{B8F19FA2-8D79-42B1-B0F8-B6DA766E176E}-v15-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\kristi001@hotmail.com\SharingMetadata\jadeybaby_8@hotmail.com\DFSR\Staging\CS{774B413E-BBCF-3CDB-DB8E-4A36C81E4284}\01\10-{774B413E-BBCF-3CDB-DB8E-4A36C81E4284}-v1-{B8930477-6CAD-401B-90F0-8C0F2142E820}-v10-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\kristi001@hotmail.com\SharingMetadata\jadeybaby_8@hotmail.com\DFSR\Staging\CS{774B413E-BBCF-3CDB-DB8E-4A36C81E4284}\13\109-{115F103D-FFDD-46FC-BD76-38FBE65990D0}-v13-{2BE21A7D-5E3F-4F00-B8C1-2E06410D1074}-v109-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\kristi001@hotmail.com\SharingMetadata\jadeybaby_8@hotmail.com\DFSR\Staging\CS{774B413E-BBCF-3CDB-DB8E-4A36C81E4284}\22\105-{919AEBAA-D957-4F05-AAFC-05AE97C7BA36}-v22-{2BE21A7D-5E3F-4F00-B8C1-2E06410D1074}-v105-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\kristi001@hotmail.com\SharingMetadata\jadeybaby_8@hotmail.com\DFSR\Staging\CS{774B413E-BBCF-3CDB-DB8E-4A36C81E4284}\23\104-{919AEBAA-D957-4F05-AAFC-05AE97C7BA36}-v23-{2BE21A7D-5E3F-4F00-B8C1-2E06410D1074}-v104-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\kristi001@hotmail.com\SharingMetadata\jadeybaby_8@hotmail.com\DFSR\Staging\CS{774B413E-BBCF-3CDB-DB8E-4A36C81E4284}\24\106-{919AEBAA-D957-4F05-AAFC-05AE97C7BA36}-v24-{2BE21A7D-5E3F-4F00-B8C1-2E06410D1074}-v106-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\kristi001@hotmail.com\SharingMetadata\jadeybaby_8@hotmail.com\DFSR\Staging\CS{774B413E-BBCF-3CDB-DB8E-4A36C81E4284}\25\107-{919AEBAA-D957-4F05-AAFC-05AE97C7BA36}-v25-{2BE21A7D-5E3F-4F00-B8C1-2E06410D1074}-v107-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\kristi001@hotmail.com\SharingMetadata\jadeybaby_8@hotmail.com\DFSR\Staging\CS{774B413E-BBCF-3CDB-DB8E-4A36C81E4284}\26\108-{919AEBAA-D957-4F05-AAFC-05AE97C7BA36}-v26-{2BE21A7D-5E3F-4F00-B8C1-2E06410D1074}-v108-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\kristi001@hotmail.com\SharingMetadata\jadeybaby_8@hotmail.com\DFSR\Staging\CS{774B413E-BBCF-3CDB-DB8E-4A36C81E4284}\27\110-{919AEBAA-D957-4F05-AAFC-05AE97C7BA36}-v27-{2BE21A7D-5E3F-4F00-B8C1-2E06410D1074}-v110-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\kristi001@hotmail.com\SharingMetadata\jadeybaby_8@hotmail.com\DFSR\Staging\CS{774B413E-BBCF-3CDB-DB8E-4A36C81E4284}\28\111-{919AEBAA-D957-4F05-AAFC-05AE97C7BA36}-v28-{2BE21A7D-5E3F-4F00-B8C1-2E06410D1074}-v111-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\kristi001@hotmail.com\SharingMetadata\jadeybaby_8@hotmail.com\DFSR\Staging\CS{774B413E-BBCF-3CDB-DB8E-4A36C81E4284}\29\112-{919AEBAA-D957-4F05-AAFC-05AE97C7BA36}-v29-{2BE21A7D-5E3F-4F00-B8C1-2E06410D1074}-v112-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Messenger\kristi001@hotmail.com\SharingMetadata\jadeybaby_8@hotmail.com\DFSR\Staging\CS{774B413E-BBCF-3CDB-DB8E-4A36C81E4284}\30\113-{919AEBAA-D957-4F05-AAFC-05AE97C7BA36}-v30-{2BE21A7D-5E3F-4F00-B8C1-2E06410D1074}-v113-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Apps\Un-Installed\TomTom 6 Mobile S60 3rd + Benelux + HowTo\Tomtom\private\10003a3f\import\apps:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Apps\Un-Installed\TomTom 6 Mobile S60 3rd + Benelux + HowTo\Tomtom\private\10003a3f\import\apps:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Apps\Un-Installed\TomTom 6 Mobile S60 3rd + Benelux + HowTo\Tomtom\private\10003a3f\import\apps:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Apps\Un-Installed\TomTom 6 Mobile S60 3rd + Benelux + HowTo\Tomtom\private\10003a3f\import\apps:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Apps\Un-Installed\TomTom 6 Mobile S60 3rd + Benelux + HowTo\Tomtom\private\10003a3f\import\apps:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Apps\Un-Installed\TomTom 6 Mobile S60 3rd + Benelux + HowTo\Tomtom\private\10003a3f\import\apps:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Apps\Un-Installed\TomTom 6 Mobile S60 3rd + Benelux + HowTo\Tomtom\private\10003a3f\import\apps:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Apps\Un-Installed\TomTom 6 Mobile S60 3rd + Benelux + HowTo\Tomtom\private\10003a3f\import\apps:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Apps\Un-Installed\TomTom 6 Mobile S60 3rd + Benelux + HowTo\Tomtom\private\10003a3f\import\apps:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Apps\Un-Installed\TomTom 6 Mobile S60 3rd + Benelux + HowTo\Tomtom\private\10003a3f\import\apps:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Apps\Un-Installed\TomTom 6 Mobile S60 3rd + Benelux + HowTo\Tomtom\private\10003a3f\import\apps:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Apps\Un-Installed\TomTom 6 Mobile S60 3rd + Benelux + HowTo\Tomtom\private\10003a3f\import\apps:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Apps\Un-Installed\TomTom 6 Mobile S60 3rd + Benelux + HowTo\Tomtom\private\10003a3f\import\apps:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Apps\Un-Installed\TomTom 6 Mobile S60 3rd + Benelux + HowTo\Tomtom\private\10003a3f\import\apps:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Completed\Phone\Apps\Un-Installed\TomTom 6 Mobile S60 3rd + Benelux + HowTo\Tomtom\private\10003a3f\import\apps:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

#9 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 July 2009 - 11:00 AM

Path: C:\WINDOWS\system32\drivers\UACpaswvgkuowyjawn.sys
Status: Invisible to the Windows API!


As the guide I linked to said, this is the bad file. You have to right-click on that highlighted line in RootRepeal, select "Wipe File", immediately reboot, and then use MBAM (updated) to finish the removal.

That log will get us started
Chewy

No. Try not. Do... or do not. There is no try.
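
An added example, not part of this thread and not code from RootRepeal or Malwarebytes: a small parser that reads the "Hidden/Locked Files" section of a RootRepeal log like the one posted above and sorts entries the way the triage in this thread does. RootRepeal reports "Invisible to the Windows API!" when it finds a file by reading the disk directly that the normal Windows file APIs do not return, which is the signature of an active rootkit hiding its components; "Locked to the Windows API!" only means the file was open exclusively, which is normal for C:\hiberfil.sys. The triage rules (known locked system files, ":{GUID}" names as NTFS alternate data streams, the UAC<random>.dll/.sys naming under system32 as the rootkit's own files) are heuristics taken from the names in this log, not a general detection signature, and the sample input is a trimmed copy of the posted scan.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a trimmed subset of the RootRepeal "Files" tab output
# posted in this thread, kept verbatim so the parser sees the real format.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time: 2009/07/04 01:53
Program Version: Version 1.3.0.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACcspejepqlpicdam.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\Sandlot\Cake Mania\cakemania.exe:{CC93F282-9F98-EEBA-1D94-B379F02AE5B6}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\UACpaswvgkuowyjawn.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Temp\UAC6e67.tmp
Status: Invisible to the Windows API!
"""


@dataclass
class Entry:
    path: str
    status: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_rootrepeal(text: str) -> List[Entry]:
    """Collect every Path:/Status: pair from the Hidden/Locked Files section."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries: List[Entry] = []
    for cur, nxt in zip(lines, lines[1:]):
        if cur.startswith("Path:") and nxt.startswith("Status:"):
            entries.append(Entry(cur[len("Path:"):].strip(), nxt[len("Status:"):].strip()))
    return entries


# Triage heuristics (assumptions drawn from the names in the posted log):
# files the kernel always holds open are expected to be "Locked"; a name with
# ":{...}" is an NTFS alternate data stream and only informational; a file that
# is "Invisible to the Windows API" under system32 with the UAC<random> naming
# is treated as the rootkit's own component.
KNOWN_LOCKED = {"hiberfil.sys", "pagefile.sys"}
UAC_NAME = re.compile(r"^uac[a-z0-9]{4,}\.(dll|sys|dat|log|tmp)$", re.IGNORECASE)


def triage(entry: Entry) -> str:
    path = entry.path.lower()
    name = entry.name.lower()
    hidden = entry.status.startswith("Invisible")
    locked = entry.status.startswith("Locked")
    if locked and name in KNOWN_LOCKED and path.count("\\") == 1:
        return "expected"          # e.g. C:\hiberfil.sys, locked by the kernel
    if ":{" in name:
        return "info"              # alternate data stream, not a hidden file
    if hidden and "\\windows\\system32\\" in path and UAC_NAME.match(name):
        return "high"              # hidden rootkit component in system32
    if hidden:
        return "medium"            # hidden, but outside system32 (temp drop)
    return "low"


def summarize(text: str) -> Dict[str, List[str]]:
    """Map each severity to the paths that received it, in log order."""
    buckets: Dict[str, List[str]] = {}
    for entry in parse_rootrepeal(text):
        buckets.setdefault(triage(entry), []).append(entry.path)
    return buckets


def hidden_drivers(text: str) -> List[str]:
    """The hidden kernel driver(s): the file the thread says to wipe before rebooting."""
    return [
        e.path
        for e in parse_rootrepeal(text)
        if triage(e) == "high" and e.name.lower().endswith(".sys")
    ]


if __name__ == "__main__":
    for severity, paths in sorted(summarize(SAMPLE_LOG).items()):
        print(f"[{severity}]")
        for p in paths:
            print("   ", p)
    print("driver to wipe:", hidden_drivers(SAMPLE_LOG))
```

Run on the full log above, the same rules put the eight UAC*.dll/.dat/.log files and the UACpaswvgkuowyjawn.sys driver in the "high" bucket, the hidden temp and cache files in "medium", and the many "Locked" Messenger and MP3 entries in "low", which matches the line the reply singles out. The naming rule is specific to this family; a different rootkit would need a different rule, and the real signal is the "Invisible" status, not the name.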

#10 Bradius80

Bradius80
  • Topic Starter

  • Members
  • 12 posts

Posted 03 July 2009 - 11:03 AM

Excellent, so what should I do next after I reboot and run MBAM?

#11 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 July 2009 - 11:10 AM

See below for posting back the MBAM log, run the ATFCleaner also

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into Safe Mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#12 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 July 2009 - 11:12 AM

Also, since this is a work computer we are dealing with, let me add a warning.

One or more of the identified infections is a rootkit/backdoor trojan(TDSS rootkit/backdoor trojan).

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Someone may still be able to clean this machine but we can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
Chewy

No. Try not. Do... or do not. There is no try.

#13 Bradius80

Posted 03 July 2009 - 11:28 AM

Malwarebytes' Anti-Malware 1.38
Database version: 2369
Windows 5.1.2600 Service Pack 2

4/07/2009 2:21:01 AM
mbam-log-2009-07-04 (02-21-01).txt

Scan type: Quick Scan
Objects scanned: 122233
Time elapsed: 12 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\wininetapp.wininet (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{b360243e-09e8-402f-8721-00b6798089ad} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4b66e1df-4de3-4cda-83b5-11673eadab0b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\wininetapp.wininet.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcec7j0eg5s (Rogue.AntiVirusXP2008) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll schannel.dll digest.dll msnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ieocx.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACcspejepqlpicdam.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UAChqoutbkivknbhsj.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACrslysgmccmpxbam.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACvsdgryahwayjmuv.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACwinlaqllrykmihl.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Administrator\Application Data\asd.bat (Rogue.WinPCDefender) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACpaswvgkuowyjawn.sys (Trojan.Agent) -> Quarantined and deleted successfully.
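
As an added example (not from this thread, and not Malwarebytes' own code), a small Python triage script that parses detection lines in the MBAM log layout shown above and flags the rootkit/backdoor-class entries that prompted the reformat advice earlier in the thread. The embedded log excerpt is constructed from the entries above; the family prefixes treated as high-risk are an assumption.

```python
import re
from collections import Counter

# Constructed excerpt in the MBAM 1.38 log layout seen in this thread.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_CLASSES_ROOT\wininetapp.wininet (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcec7j0eg5s (Rogue.AntiVirusXP2008) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ieocx.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACwinlaqllrykmihl.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACpaswvgkuowyjawn.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# A section header ends in "Infected:"; a detection line is "<item> (<family>) -> <action>".
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> (?P<action>.+)$")

# Assumed high-risk prefixes: TDSS is a rootkit/backdoor, Rootkit.* marks hiding components.
HIGH_RISK_PREFIXES = ("Rootkit.", "Trojan.TDSS")


def parse_mbam_log(text):
    """Return one dict per detection with its section, item, family and action."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = LINE_RE.match(line)
        if m and section:  # "(No malicious items detected)" never matches LINE_RE
            detections.append({"section": section, **m.groupdict()})
    return detections


def triage(detections):
    """Count detections per family; flag rootkit/backdoor families and any kernel driver (.sys),
    since a malicious driver implies kernel-level compromise whatever label it was given."""
    counts = Counter(d["family"] for d in detections)
    flagged = [d for d in detections
               if d["family"].startswith(HIGH_RISK_PREFIXES)
               or d["item"].lower().endswith(".sys")]
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = triage(parse_mbam_log(SAMPLE_LOG))
    print(counts)
    for d in flagged:
        print("HIGH RISK:", d["family"], d["item"])
```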

#14 Bradius80

Posted 03 July 2009 - 11:34 AM

There's the MBAM log after cleaning the system and rebooting. Also used the other program you suggested and cleaned all the files both on the main page and the Firefox one (we don't use Opera). So far, after running MBAM, the computer (IE especially) seems to be running much faster and cleaner; now I guess it's a waiting game to see if any of those other strange symptoms reoccur.
Just a quick question... could all the other symptoms I listed have been part of these viruses that were found as well, such as the strange ads playing at random, the system freezes and the navigation "clicks" even though no webpage was opening, or should I expect that those were being caused by something else entirely?
As for what we intend to do about the security issues, we'll just have to use my laptop for banking and such for a week or two till my dad brings a copy of Windows and does a full reformat of her hard drive and reinstall of the OS, or we get enough money together to buy her a new computer. Mine runs on Vista and has far more security measures in place even as a default than her desktop has, and I run MBAM on my computer as a habit every 3 days to make sure it's clean.

#15 DaChew

Posted 03 July 2009 - 11:45 AM

Run another scan after rebooting; make it a full scan with MBAM.

And

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Chewy

No. Try not. Do... or do not. There is no try.
