
MBAM Found Problems but Restart Failed


  • This topic is locked
14 replies to this topic

#1 pizzaandbeer

pizzaandbeer

  • Members
  • 36 posts

Posted 04 July 2009 - 10:49 AM

Symptoms:


There were unexpected popups so I updated and ran MBAM. Some problems were detected and MBAM needed a restart. During the restart, there was a "blue screen of death" that said something like Windows has encountered a critical error and needs to shut down now, and then it shut down. Since then, I can only log in reliably in safe mode. In normal mode the system locked up when I moved the mouse to select the user. I switched to classic login (enter name and password) so all I need to do is hit Enter and sometimes I can log in normally. (There's only one user and no password.) I cannot connect to the network - the system reports that (wired) connection is "disabled" (I've tried enabling it to no avail) and there are no wireless adapters, but I look and I'm pretty sure they are installed.


OS - Windows XP Media Center Edition Version 2002 SP3

What has been done:


MBAM - re-ran and completed cleaning.

SuperAntiSpyware.

System diagnostics. (From Dell.)




#2 Zllio

Zllio

  • Members
  • 1,107 posts

Posted 09 July 2009 - 12:53 AM

Hi pizzaandbeer,

Sorry the time has slipped by. Do you still want help? Could you supply the reports from both MBAM and SuperAntiSpyware that show what infections they found?

SuperAntiSpyware can cause a bluescreen. Please look at this information:

* NOTE: If you get a blue screen type crash or any other crash of SUPERAntiSpyware when trying to run the scan, then after a reboot, configure the below options and rescan.
* Run SuperAntiSpyware
  o In SUPERAntiSpyware under Configuration and Preferences, click the Preferences button.
  o Click the Scanning Control tab.
  o Under Scanner Options uncheck the below two options:
    + Use Kernel Direct File Access (recommended)
    + Use Kernel Direct Registry Access (recommended)
  o Then try doing a new Complete scan.



Let me know if this fixes the bluescreen problem. Either way, we can go from there.

Zllio

#3 pizzaandbeer

pizzaandbeer
  • Topic Starter

  • Members
  • 36 posts

Posted 09 July 2009 - 08:23 AM

Thanks for getting back to me. Here are the last few MBAM logs. Looking back at my notes about what I did, I see that I did not run SuperAntiSpyware, but I did run DrWeb which deleted a couple of restore points. The blue screen was a one-time thing.

--------------------------

Malwarebytes' Anti-Malware 1.37
Database version: 2209
Windows 5.1.2600 Service Pack 3

6/1/2009 5:17:02 PM
mbam-log-2009-06-01 (17-17-02).txt

Scan type: Quick Scan
Objects scanned: 1
Time elapsed: 9 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\reader_s.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


--------------------------

Malwarebytes' Anti-Malware 1.37
Database version: 2209
Windows 5.1.2600 Service Pack 3

6/1/2009 6:25:07 PM
mbam-log-2009-06-01 (18-25-07).txt

Scan type: Quick Scan
Objects scanned: 92471
Time elapsed: 8 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.Koobface) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux (Trojan.JSRedir.H) -> Bad: (C:\WINDOWS\system32\..\xfvb.vli) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\config\systemprofile\reader_s.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\rdl1.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\heather ross\local settings\Temp\rdl1.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\rdl1D6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\~TM17A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\~TM54EA3A.TMP (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\microsoft common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Delete on reboot.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Delete on reboot.
c:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


--------------------------

Malwarebytes' Anti-Malware 1.37
Database version: 2209
Windows 5.1.2600 Service Pack 3

6/1/2009 6:49:57 PM
mbam-log-2009-06-01 (18-49-57).txt

Scan type: Quick Scan
Objects scanned: 92377
Time elapsed: 8 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


--------------------------

Malwarebytes' Anti-Malware 1.37
Database version: 2209
Windows 5.1.2600 Service Pack 3

6/16/2009 6:22:02 AM
mbam-log-2009-06-16 (06-22-02).txt

Scan type: Quick Scan
Objects scanned: 94490
Time elapsed: 2 hour(s), 12 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.

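The MBAM logs above share a fixed text layout, which makes them easy to triage programmatically rather than by eye. The Python below is an added example, not part of this thread or of Malwarebytes: it parses that layout, cross-checks each header count against the items actually listed under it, pulls out the items MBAM could only schedule for "Delete on reboot" (worth re-verifying once the machine has actually rebooted, as the repeated str.sys entries in the later logs suggest) and flags registry findings that sit in autostart locations such as Run, Winlogon\Userinit, Services and Drivers32. The embedded sample log is a constructed excerpt built from entries in the second log above; the list of autostart locations is my own, not something MBAM reports.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the MBAM 1.x layout, using entries from the thread's second log.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.37
Database version: 2209
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 92471
Time elapsed: 8 minute(s), 38 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.Koobface) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# One finding line: "<path> (<family>) -> [Bad/Good detail ->] <action>"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
FIELD_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<val>.+)$")

# Registry locations that give code a foothold at boot or logon (my own list, not MBAM's).
AUTOSTART_RE = re.compile(
    r"\\(CurrentVersion\\Run|Winlogon\\Userinit|Winlogon\\Shell|CurrentControlSet\\Services"
    r"|Drivers32|Image File Execution Options)(?=\\|\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    path: str
    family: str
    action: str


def parse_mbam_log(text):
    """Return (metadata, header counts, findings) from an MBAM 1.x log."""
    meta, counts, findings = {}, {}, []
    section = None
    lines = text.splitlines()
    if lines and lines[0].startswith("Malwarebytes' Anti-Malware "):
        meta["version"] = lines[0].rsplit(" ", 1)[1]
    for line in lines:
        line = line.strip()
        if not line:
            section = None          # a blank line closes the current section
            continue
        if m := FIELD_RE.match(line):
            meta[m["key"]] = m["val"]
        elif m := COUNT_RE.match(line):
            counts[m["section"]] = int(m["n"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
        elif section and line != "(No malicious items detected)":
            if m := ITEM_RE.match(line):
                action = m["rest"].rsplit(" -> ", 1)[-1]   # last arrow segment is the action
                findings.append(Finding(section, m["path"], m["family"], action))
    return meta, counts, findings


def count_mismatches(counts, findings):
    """Sections whose header count differs from the number of items actually listed."""
    actual = Counter(f.section for f in findings)
    return {s: (n, actual.get(s, 0)) for s, n in counts.items() if n != actual.get(s, 0)}


def pending_reboot(findings):
    """Items MBAM could only schedule for deletion; confirm they are gone after rebooting."""
    return [f for f in findings if f.action.startswith("Delete on reboot")]


def autostart_findings(findings):
    """Registry findings located in boot/logon autostart locations."""
    return [f for f in findings if f.section.startswith("Registry") and AUTOSTART_RE.search(f.path)]


def family_counts(findings):
    """How many items each detection family accounts for."""
    return Counter(f.family for f in findings)


if __name__ == "__main__":
    meta, counts, findings = parse_mbam_log(SAMPLE_LOG)
    print(meta, count_mismatches(counts, findings))
    for f in pending_reboot(findings):
        print("verify after reboot:", f.path)
    for f in autostart_findings(findings):
        print("autostart:", f.path, f.family)
```

Running it on a real log is a matter of `parse_mbam_log(open(path).read())`; a non-empty result from `count_mismatches` means the log was truncated or edited before it was posted.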
#4 Zllio

Zllio

  • Members
  • 1,107 posts

Posted 09 July 2009 - 10:32 AM

Hi pizzaandbeer,

You had some pretty hefty malware there, so let's do this next:




Step 1: ATF Cleaner



If you're running XP, please run ATF cleaner according to the following instructions. If you're using Vista, right-click on the icon and select "run as Administrator".


Please download ATF Cleaner by Atribune & save it to your desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Step 2: Next I would like for you to run an online scan called Kaspersky online scan



To run this scan, your Java needs to be up-to-date and you will need to disable any antivirus program you have running. I'll give you the instructions you need:

The newest Java download and installation should remove old versions of Java. Check add/remove programs after we run the installation to see if this was the case. If you're not sure, ask.

Please go to Current Java Download and do the following:
* Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 14.
* Click the "Download" button to the right.
* Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
* Click on Continue.
* Click on the link to download Windows Offline Installation (jre-6u14-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
* Close any programs you may have running - especially your web browser.
* Double-click on the Java installation program on your desktop and allow it to install the newest version. (Vista users, right click on the jre-6u14-windows-i586-p.exe and select "Run as an Administrator.")



Here is a link that will help you determine how to disable your particular antivirus program:

How to Temporarily Disable your Anti-virus, Firewall and Anti-Malware Programs




To start the Kaspersky Online Scanner, click on the magnifying glass and then on accept.
A database will be installed on your computer.
Then run the full scan.


Step 3: Please post the logs or reports for the following: Kaspersky Online Scan

Let me know how this went?
Zllio


#5 pizzaandbeer

pizzaandbeer
  • Topic Starter

  • Members
  • 36 posts

Posted 11 July 2009 - 02:20 AM

Does not look too good.

Just to be clear, on the computer that has / had the malware I have to use SAFE mode. I can sometimes logon in normal mode, but I have not been able to connect to the network. I am using a second computer and copying the needed downloads on a thumb drive.

Given that, I did not expect to be able to use the Kaspersky online scan, but I followed the instructions just in case.

ATF cleaner did clean off some files.

I downloaded the JRE file, but I could not install it in safe mode.

I logged off and tried normal mode which worked. After logging in there was a popup that said I had removed some program and asked if I wanted to remove personal settings. I assumed this had something to do with the ATF clean and I did not record exactly what these were - one was something associated with services.exe and one was something like a faxview. I clicked on remove the settings.

Then I tried to run the JRE program and got a blue screen with the following: (this is the same blue screen I mentioned in my original post)

"A problem has been detected and windows has been shut down to prevent damage to your computer. . . .

(snip)

Technical information:

STOP: 0x0000008E (0xC0000005, 0xA8ECF8D3, 0xBA4E7970, 0x00000000)

000008E5 - Adress A8ECF8D3 base at A8ECF000, Datestamp 49c97a84"

I'm not sure how useful this is.

Did I get the wrong JRE file? I followed the links you described, but the program name was not the same - I got jre-6u14-windows-i586

#6 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 12 July 2009 - 01:29 PM

Hello pizzaandbeer
I believe Zllio has gone away for a few days. He asked me to keep an eye on his topics.

Did I get the wrong JRE file?


I believe you want the Java SE Runtime Environment
JRE 6 Update 14
5th one down
---------------------------------

Try downloading Dr. Web CureIt to your flash drive and run it


Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Edited by garmanma, 12 July 2009 - 01:31 PM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#7 pizzaandbeer

pizzaandbeer
  • Topic Starter

  • Members
  • 36 posts

Posted 13 July 2009 - 08:35 AM

c.exe;C:\Documents and Settings\Heather Ross\Local Settings\Temp;Trojan.PWS.Panda.114;Deleted.;
A0074245.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP324;Trojan.Packed.393;Deleted.;
A0074255.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP324;Trojan.PWS.Panda.114;Deleted.;
A0084295.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP325;Trojan.Packed.365;Incurable.Moved.;
A0086315.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP326;Trojan.Packed.365;Incurable.Moved.;

#8 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 13 July 2009 - 07:18 PM

Please run part 1 of S!Ri's SmitfraudFix .
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Mark

#9 pizzaandbeer

pizzaandbeer
  • Topic Starter

  • Members
  • 36 posts

Posted 13 July 2009 - 10:40 PM

SmitFraudFix v2.423

Scan done at 20:39:59.62, Mon 07/13/2009
Run from C:\Documents and Settings\Heather Ross\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\cmd.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Heather Ross


C:\DOCUME~1\HEATHE~1\LOCALS~1\Temp


C:\Documents and Settings\Heather Ross\Application Data


Start Menu


C:\DOCUME~1\HEATHE~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://www.google.com/"
"SubscribedURL"="http://www.google.com/"
"FriendlyName"=""

o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS



Scanning for wininet.dll infection


End

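SmitfraudFix prints the Winlogon and AppInit_DLLs values in .reg syntax, and the question a defender wants answered is whether they match a known-good baseline; the earlier MBAM log in this thread showed the hijacked form, with sdra64.exe appended to Userinit. The Python below is an added example and not SmitfraudFix code: it parses those .reg-style lines, undoes the .reg string escaping and compares each entry against an assumed baseline (userinit.exe under system32 for Userinit, Explorer.exe for Shell, nothing at all in AppInit_DLLs). The embedded report excerpts are constructed: the clean one copies the values shown above, the hijacked one reproduces the Userinit value MBAM reported earlier. The Shell value, the baseline and the accepted system directories are my assumptions, not something the report above states.

```python
"""Baseline check for Winlogon/AppInit_DLLs values printed in .reg syntax (added example)."""
import re

# Constructed excerpt copying the clean values from the SmitfraudFix report above;
# the Shell value is an assumed addition.
CLEAN_REPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Shell"="Explorer.exe"
"""

# Constructed excerpt reproducing the hijacked Userinit value MBAM reported earlier in the thread.
HIJACKED_REPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="data" where data may contain \\ and \" escapes
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Assumed known-good baseline: allowed executable basenames per (key, value), lower-cased.
BASELINE = {
    (r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon", "userinit"): {"userinit.exe"},
    (r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon", "shell"): {"explorer.exe"},
    (r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows", "appinit_dlls"): set(),
}
# Directories an expected binary may legitimately be loaded from (assumed XP default layout).
SYSTEM_DIRS = {r"c:\windows\system32", r"%systemroot%\system32"}


def unescape_reg(data):
    # In .reg strings a backslash-escaped character stands for itself.
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg_values(text):
    """Map (key path, value name) -> unescaped string data for every value in the text."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m["key"]
        elif key and (m := VALUE_RE.match(line)):
            values[(key, m["name"])] = unescape_reg(m["data"])
    return values


def check_autostart(text):
    """Return (value name, entry, reason) for every entry that falls outside the baseline."""
    findings = []
    for (key, name), data in parse_reg_values(text).items():
        allowed = BASELINE.get((key.lower(), name.lower()))
        if allowed is None:
            continue                      # value not covered by the baseline
        # Userinit/Shell are comma lists; AppInit_DLLs may be space- or comma-separated.
        sep = r"[,\s]+" if name.lower() == "appinit_dlls" else ","
        for entry in (e.strip() for e in re.split(sep, data) if e.strip()):
            directory, _, base = entry.rpartition("\\")
            if base.lower() not in allowed:
                findings.append((name, entry, "not in baseline"))
            elif directory and directory.lower() not in SYSTEM_DIRS:
                findings.append((name, entry, "expected name, unexpected directory"))
    return findings


if __name__ == "__main__":
    print("clean:", check_autostart(CLEAN_REPORT))
    print("hijacked:", check_autostart(HIJACKED_REPORT))
```

The second rule (right name, wrong directory) catches a same-named binary planted outside system32, which a basename-only comparison would accept.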
#10 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 14 July 2009 - 07:18 PM

How is it running now? Are you able to get online?

One more time with mbam
Update mbam and run a FULL scan
Please post the results
Mark

#11 pizzaandbeer

pizzaandbeer
  • Topic Starter

  • Members
  • 36 posts

Posted 15 July 2009 - 07:43 AM

I'm still having problems logging on in normal mode - here are the results of three attempts.

Startup #1 - froze after logging in before any desktop icons appeared; no response to keyboard or mouse (tried caps lock & num lock, ctrl-alt-del)

Startup #2 - waited a little longer after login screen appeared before hitting enter; no keyboard response, mouse moved but after a few seconds it froze.

Startup #3 - hit enter as soon as login appeared; a popup window opened titled "Desktop" with the following message

rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxscom.inf,FaxUnInstall.PerUser has been removed from this computer. Do you want to clean up your personalized settings for this program?

The window has a choice of Yes or No buttons, with No as the default. This is the same as (or at least very similar to) what I saw once before. Last time I selected "Yes" and then got the Blue Screen "Windows is being shut down ...". This time I'm trying "No" ... and it just sits there (popup window still open) with the hour glass spinning. I still have mouse and keyboard control. Tried using the "X" to close the window -- nothing happens. Trying ctrl-alt-delete to see if I can stop this process -- nothing happens. Since nothing has changed for several minutes, I'm trying "Yes" ... and I get the "(Not Responding)" indication on the title bar. (Duhh! if it hadn't told me, I NEVER would have known it wasn't responding :thumbsup: ) Seems like all I can do is turn it off with the power button.

I'm thinking I need to reload some component of the OS, or maybe even the whole thing, but I don't want to do this if I don't need to, or if there is malware that will still be around after I am done.

Trying safe mode again. Downloaded and installed (via flash drive) the latest version of MBAM. More malware is found -- how can this be happening when I'm not getting online??? Here's the latest log:

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/15/2009 5:26:20 AM
mbam-log-2009-07-15 (05-26-20).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 165725
Time elapsed: 1 hour(s), 33 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\config\systemprofile\local settings\temporary internet files\Content.IE5\012RS5U7\166[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\config\systemprofile\local settings\temporary internet files\Content.IE5\8RATLMNO\install.48031[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\config\systemprofile\local settings\temporary internet files\Content.IE5\8RATLMNO\test2[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

#12 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 15 July 2009 - 05:37 PM

C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent)

You have a rootkit infection

HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that,(7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
Mark

#13 pizzaandbeer

pizzaandbeer
  • Topic Starter

  • Members
  • 36 posts

Posted 16 July 2009 - 01:44 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/15 23:30
Program Version: Version 1.3.2.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xBA3DF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79BB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9E27000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Heather Ross\Local Settings\Application Data\Microsoft\Messenger\superjeeves@hotmail.com\SharingMetadata\choir_freak73@live.com\DFSR\Staging\CS{76535B78-E35B-2A60-D901-C286A19A215B}\01\10-{76535B78-E35B-2A60-D901-C286A19A215B}-v1-{F9C46960-2D81-4A2F-8425-3DCF6016CD33}-v10-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\item_templ\coach\configuration\adpglobal\Common\adpicon.ico:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

==EOF==

#14 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 16 July 2009 - 05:39 PM

I believe it is best for you to submit a HJT/DDS log

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

They are very busy, so there is a bit of a wait
Please be patient and good luck
Mark

#15 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,911 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 17 July 2009 - 10:16 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/242275/rootkit-infection/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



