Strange computer problems Potentially a Trojan.


This topic is locked.
37 replies to this topic

#1 snkzato1 (Members, 43 posts)

Posted 06 July 2009 - 01:55 PM

Hello,
I usually have no problems fixing PC problems, especially trojans, but this one has me stumped completely. I returned home from a 4th of July holiday with a tower that had no problems (seemingly) and wound up with the biggest mess I've ever seen. I turned on my PC (HP, running Windows XP Media Center) as normal and was surfing the net when I started getting loads and loads of error messages, stuff about "f.exe and b.exe", and my computer ground to a halt. First thing I did was load up SuperAntiSpyware (thanks for recommending it, it's wonderful) and let it start running. Immediately it started finding loads and loads of trojans. I still have no clue how this came to be, but it was late, I was tired, and I let it run as I dozed off.

I woke up the next morning to a desktop of error messages, and SuperAntiSpyware had been disabled. I figured a good reboot should give me a fresh computer to try and fight with, but that didn't turn out to be the case. I continually rebooted the PC only to have an error ("loginui.exe" if I'm not mistaken) pop up, and the PC would reboot or just freeze. Tried safe mode and was as stuck as before. So, sadly, I shrugged my shoulders and did a system recovery. I had a blank Windows XP, which was fine; I have everything saved on externals, so it's really just an inconvenience.

I started to install drivers on my computer again, and upon the first reboot I got the same login error....GREAT :thumbsup: . Fortunately, though, safe mode will boot, but the only spyware removal programs that will run are Glary Utilities and Ad-Aware, neither of which finds anything. Mal-Aware, SuperAnti and ComboFix won't run. If I try to run SuperAnti it says I don't have administrative abilities...although I am the administrator...great. Mal-Aware and ComboFix won't even turn on; a double click gets me an hourglass for a second and then nothing. So I tried reinstalling SuperAnti and Mal-Aware. Downloaded new installers and...you guessed it, nothing works.

SuperAnti always errors and needs to shut down, and Mal-Aware does the hourglass and then nothing. To make sure it isn't a fluke I tried a basic installer (iTunes) and that works fine, but nothing anti-malware/trojan/spyware. Another reboot later (just to make sure it wasn't a fluke) had my computer almost literally back to how it was before I had problems right before the weekend: same desktop icons, same My Documents layout, all the same, minus some programs working (BitTorrent, WinRAR, etc.). Never in my many years of using computers has anything like this ever happened. My PC is currently disconnected from the internet, and if I use Task Manager it isn't using more than 1% of its power.

I have never seen anything like this and am quite stumped. Any help would be so appreciated.

Thank you

Edit: the error is indeed a logonui.exe "application error". It reads: "The instruction at 0x0085024d referenced memory at 0x0085024d. The memory could not be written. Press OK to terminate or Cancel to debug." If I hit the X button enough times it will eventually load Windows. Once Windows opens I get a "Data Execution Prevention" error stating that Windows has closed Userinit Logon Application.

Edited by snkzato1, 06 July 2009 - 03:19 PM.



#2 snkzato1 (Topic Starter)

Posted 06 July 2009 - 09:15 PM

Hope this does not constitute bumping, but I have uncovered that something called "Protection System" has been installed on my computer. I looked it up and found out (and, to no surprise) that it is problematic; however, like I said, I can't install or run any anti-malware or trojan programs. A bunch of odd porn shortcut icons appeared on my desktop as well.

#3 snkzato1 (Topic Starter)

Posted 07 July 2009 - 03:59 PM

I got Dr.Web CureIt! to run and it found a huge collection of mess. Cleaned it up, and nothing has changed. I saved a log if that can help. I managed to install Mal-Aware using the "trick" suggested by other team members, but no matter what I do it won't actually run.

Still haven't tried connecting it to the internet since I'm sure it would only aggravate the issue.

#4 snowdrop (Members, 513 posts)

Posted 07 July 2009 - 04:16 PM

Not sure if you are aware of this, but:

ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer.

And, if you had run that tool prior to this event, it COULD maybe explain a bit of your problems :thumbsup:

That said, WILL Malwarebytes install and run?

If not, you can try renaming the exe to, say, star.exe and see if it will run.

If it will, you could let us see the report it generates for someone to check and see what MIGHT be going on.

Does one dare ask if System Restore is enabled, or has it too fallen foul of this 'incident'?
(Of interest, did you leave the computer on and unattended while you were away, so that it may have been used by anyone?)

#5 snkzato1 (Topic Starter)

Posted 07 July 2009 - 06:23 PM

Nope, the computer was off during the weekend, which is what really confuses me. I went to a website I normally go to (it's a Top Gear site, British motoring show) and the whole thing went nuts. I have had malware problems before (as in months and months ago, but it had been completely cleaned), but my computer had been clean and running very well up until Sunday night when I got home.

I got Mal-Aware to install by changing the file type to .src, but I can not get it to run even though I tried changing the extension on that as well. SuperAnti is installed, but will not run at all except for its bootsafe feature.

This is the Dr.Web log file:

cidaemon.exe;C:\WINDOWS\system32;Trojan.Packed.140;Deleted.;
grpconv.exe;C:\WINDOWS\system32;Trojan.Packed.140;Deleted.;
mountvol.exe;C:\WINDOWS\system32;Trojan.Packed.140;Deleted.;
netstat.exe;C:\WINDOWS\system32;Trojan.Packed.140;Deleted.;
powercfg.exe;C:\WINDOWS\system32;Trojan.Packed.140;Deleted.;
UACopabpulnbeavsvnfj.dll;C:\WINDOWS\system32;BackDoor.Tdss.105;Deleted.;
UACpbpnqxtgpkobgyrnf.dll;C:\WINDOWS\system32;Trojan.Packed.365;;
asr_fmt.exe;C:\WINDOWS\system32\dllcache;Trojan.Packed.140;Deleted.;
asr_ldm.exe;C:\WINDOWS\system32\dllcache;Trojan.Packed.140;Deleted.;
calc.exe;C:\WINDOWS\system32\dllcache;Trojan.Packed.140;Deleted.;
findstr.exe;C:\WINDOWS\system32\dllcache;Trojan.Packed.140;Deleted.;
tdl2.tmp;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp;Trojan.Spambot.2424;Deleted.;
VRT21.tmp;C:\WINDOWS\temp;Trojan.MulDrop.32532;Deleted.;
cloaker.exe;c:\hp\bin;Trojan.PWS.Stealer.origin;Incurable.Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
Oblivion.exe;C:\Program Files\Bethesda Softworks\Oblivion;Trojan.Packed.140;Deleted.;
drv.dll;C:\Program Files\drv;Trojan.Hooker.21164;Deleted.;
drv.sys;C:\Program Files\drv;Trojan.NtRootKit.3021;Deleted.;
DocProc.exe;C:\Program Files\HP\Digital Imaging\DocProc;Trojan.Packed.140;Deleted.;
help_home.exe;C:\Program Files\HP\Digital Imaging\help\cuetour\fscommand;Trojan.Packed.140;Deleted.;
HP_IZE.exe;C:\Program Files\HP\Photosmart Essential;Trojan.Packed.140;Deleted.;
icwtutor.exe;C:\Program Files\Internet Explorer\Connection Wizard;Trojan.Packed.140;Deleted.;
wnzip32.exe;C:\RECYCLER\S-1-5-21-3805503672-1571473380-770131209-6012;Win32.HLLW.Lime.5;Deleted.;
iisrstas.exe;C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e;Modification of Win95.Memorial;Moved.;
perfmon.exe;C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e;Trojan.Packed.140;Deleted.;
stimon.exe;C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e;Trojan.Packed.140;Deleted.;
UACopabpulnbeavsvnfj.dll;C:\WINDOWS\system32;BackDoor.Tdss.105;Deleted.;
UACpbpnqxtgpkobgyrnf.dll;C:\WINDOWS\system32;Trojan.Packed.365;;
TELNET.EXE;D:\I386;Trojan.Packed.140;Deleted.;
DEFINST.EXE;D:\I386\Apps\APP24619\src\VIRUSDEF;Trojan.Packed.140;Deleted.;
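
The log above is one semicolon-separated record per object: file name; directory; verdict; action. Two things in it are worth pulling out mechanically rather than by eye. First, one entry (UACpbpnqxtgpkobgyrnf.dll, listed twice) has an empty action field, so CureIt! reported it and did nothing. Second, a single generic verdict, Trojan.Packed.140, hit legitimate Windows and application binaries (netstat.exe, calc.exe, powercfg.exe, Oblivion.exe, TELNET.EXE) across system32, dllcache, Program Files and the D:\I386 install source; one signature spread across unrelated directories like that is what a file infector or a packer false positive looks like, and either way "Deleted." removed real Windows components. The Python below is an added triage script written for this page, not a Dr.Web tool: it parses a constructed subset of the posted log, reports uncleaned entries, flags verdicts that span several unrelated directories, and collects rootkit indicators (the UAC-prefixed random-named DLLs in system32, and the Tdss/NtRootKit verdicts). The three-directory threshold and the UAC file-name pattern are assumptions for illustration.

```python
"""Triage a Dr.Web CureIt! log.

Each line is one record: file name; directory; verdict; action; (trailing
empty field). An empty action means CureIt! reported the object but did
nothing about it.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
cidaemon.exe;C:\WINDOWS\system32;Trojan.Packed.140;Deleted.;
netstat.exe;C:\WINDOWS\system32;Trojan.Packed.140;Deleted.;
UACopabpulnbeavsvnfj.dll;C:\WINDOWS\system32;BackDoor.Tdss.105;Deleted.;
UACpbpnqxtgpkobgyrnf.dll;C:\WINDOWS\system32;Trojan.Packed.365;;
calc.exe;C:\WINDOWS\system32\dllcache;Trojan.Packed.140;Deleted.;
tdl2.tmp;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp;Trojan.Spambot.2424;Deleted.;
Oblivion.exe;C:\Program Files\Bethesda Softworks\Oblivion;Trojan.Packed.140;Deleted.;
drv.sys;C:\Program Files\drv;Trojan.NtRootKit.3021;Deleted.;
TELNET.EXE;D:\I386;Trojan.Packed.140;Deleted.;
"""

# Assumed pattern (this example's, not part of the log format): dropped
# rootkit components named with a fixed "UAC" prefix plus random lower-case
# letters, living in system32.
UAC_NAME = re.compile(r"^UAC[a-z]+\.(?:dll|sys|dat|db)$")
ROOTKIT_VERDICT = re.compile(r"tdss|rootkit", re.IGNORECASE)


def parse_log(text):
    """Return one dict per log line; blank and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) < 4:
            continue
        name, directory, verdict, action = fields[:4]
        entries.append({"name": name, "dir": directory,
                        "verdict": verdict, "action": action})
    return entries


def uncleaned(entries):
    """Objects the scanner reported but did not delete, cure or move."""
    return [e["name"] for e in entries if not e["action"].strip()]


def infector_candidates(entries, min_dirs=3):
    """Verdicts that hit files in at least `min_dirs` distinct directories.

    One signature over unrelated directories (system32, dllcache, a game
    folder, the install source) is the footprint of a file infector or of a
    packer false positive, not of a dropped trojan. The threshold is an
    assumption for illustration.
    """
    dirs = defaultdict(set)
    for e in entries:
        dirs[e["verdict"]].add(e["dir"].lower())
    return {v: sorted(d) for v, d in dirs.items() if len(d) >= min_dirs}


def rootkit_indicators(entries):
    """Names that look like rootkit components by file name or by verdict."""
    hits = set()
    for e in entries:
        in_system32 = e["dir"].lower().endswith("system32")
        if (UAC_NAME.match(e["name"]) and in_system32) or \
                ROOTKIT_VERDICT.search(e["verdict"]):
            hits.add(e["name"])
    return sorted(hits)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("not cleaned:", uncleaned(entries))
    for verdict, dirs in infector_candidates(entries).items():
        print(f"{verdict} spans {len(dirs)} directories:", *dirs, sep="\n  ")
    print("rootkit indicators:", rootkit_indicators(entries))
```

Run against the full posted log, the same script lists the entries CureIt! never touched and shows Trojan.Packed.140 spanning every directory in the log, which is the first clue that cleaning file by file will not recover the system.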



#6 snkzato1 (Topic Starter)

Posted 07 July 2009 - 08:05 PM

Update:
I found a sort of backdoor method to opening Mal-Aware. If I selected the .exe (I had tried opening it as .src, .com and other formats) and chose to scan the program WITH Mal-Aware, it would open. The scan is going on now and I will post the log when it comes in.

I dunno if that is a piece of info that can help others, and I'm not sure if that will always work, but it did in this case and maybe could be explored further.

#7 snkzato1 (Topic Starter)

Posted 08 July 2009 - 11:17 AM

Hopefully somebody is reading this.
I'll post the Mal-Aware log in the next post; it found about 15 items.

Update: Tried to log into Windows not in safe mode and got the same logonui.exe "application error". It reads: "The instruction at 0x0085024d referenced memory at 0x0085024d. The memory could not be written. Press OK to terminate or Cancel to debug."

Opening Task Manager is impossible, as it keeps closing while in normal mode.

SuperAnti is making SOME progress in opening (I guess?); the errors have changed, but the main error is still regarding administrator rights. It worries me that someone hacked into my PC and disabled SuperAnti somehow, and now I can't mend it.

Thanks,
SNK

#8 snowdrop (Members, 513 posts)

Posted 08 July 2009 - 01:47 PM

Nope, the computer was off during the weekend, which is what really confuses me. I went to a website I normally go to (it's a Top Gear site, British motoring show) and the whole thing went nuts. I have had malware problems before (as in months and months ago, but it had been completely cleaned), but my computer had been clean and running very well up until Sunday night when I got home.


did you have this problem before or after you 'visited' that web site?

#9 snkzato1 (Topic Starter)

Posted 08 July 2009 - 01:55 PM

did you have this problem before or after you 'visited' that web site?

after
I go there often for news on when new episodes air and what not, so this was a surprise to me.

#10 snowdrop (Members, 513 posts)

Posted 08 July 2009 - 02:30 PM

Do you have that web site listed in your Favourites, or do you Google the address?

I wonder if you have hit on a 'fake' web site by mistake?

On the affected computer, do you do on-line banking etc.?

If you CAN get the Malwarebytes report on the forum someone can check it out, but I think you may have problems; I think I will ask someone from the HJT Team AII First Responders to check this out :thumbsup:

#11 Blade (Site Admin, 12,704 posts)

Posted 08 July 2009 - 04:48 PM

Hello snkzato1,

You have a rather nasty trojan on your machine. We can kill it, but first please read the warning below

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised, and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

***************************************************

If you wish to continue in the cleaning of this machine, please go ahead and post the Malwarebytes log you generated. We'll see where we need to go from there.

~Blade

Edited by Blade Zephon, 08 July 2009 - 04:49 PM.


#12 snkzato1 (Topic Starter)

Posted 08 July 2009 - 10:15 PM


I'll have them posted in the morning.
Thank you for responding!
The computer has been disconnected from the internet since I discovered the problem.

#13 snkzato1 (Topic Starter)

Posted 09 July 2009 - 07:41 AM

Here are the logs!

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

7/7/2009 9:13:02 PM
mbam-log-2009-07-07 (21-13-02).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 269589
Time elapsed: 34 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\CoreGuard (Rogue.CoreGuard2009) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\HP_Administrator\Application Data\ptidle (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Administrator\Application Data\Twain (Trojan.Matcash) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\mozilla firefox\components\dfff.dll (Trojan.Agent.V) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wingenocx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\Installer.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\pp10.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\services.exe (Password.Stealer) -> Quarantined and deleted successfully.


And then:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

7/8/2009 10:41:03 AM
mbam-log-2009-07-08 (10-41-03).txt

Scan type: Quick Scan
Objects scanned: 98687
Time elapsed: 4 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And fortunately my computer is just used for school work. Nothing personal on there except for some song lyrics :thumbsup:
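
Read together, the two Malwarebytes logs above say more than either does alone. The full scan on 7 July removed HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace); the quick scan the next morning found the same key again, which is the usual sign that whatever created it was still resident and rewrote it after the reboot. The full-scan log also lists the autostart locations the infection used: a Run value for "protection system", ChkDisk.lnk in the Startup folder, a scheduled task .job, and a Security Center notification switched off (Bad: (1) Good: (0)). The Python below is an added example written for this page, not Malwarebytes code: it parses trimmed, constructed copies of the two posted logs, classifies each detection by the autostart or settings location it sits in, extracts the Security Center tamper, and diffs the two runs for detections that came back. The location patterns are this example's assumptions, not anything Malwarebytes defines.

```python
"""Parse Malwarebytes' Anti-Malware 1.x logs and pull out what matters for
triage: autostart locations, security-setting tampering, and detections that
come back after a cleaning run.
"""
import re

# Constructed samples: trimmed copies of the two logs posted above.
FULL_SCAN = r"""Malwarebytes' Anti-Malware 1.38
Database version: 2297
Scan type: Full Scan (C:\|D:\|)
Registry Keys Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\CoreGuard (Rogue.CoreGuard2009) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\services.exe (Password.Stealer) -> Quarantined and deleted successfully.
"""

QUICK_SCAN = r"""Malwarebytes' Anti-Malware 1.38
Scan type: Quick Scan

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# Section headers end in a bare colon; the summary lines near the top of the
# log carry a count after the colon and therefore do not match.
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+)$")
TAMPER_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")

# Assumed classification of where a detection lives (this example's patterns).
LOCATION_KINDS = [
    ("run key", re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("startup folder", re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
    ("scheduled task", re.compile(r"\\Tasks\\[^\\]+\.job$", re.I)),
    ("security center", re.compile(r"\\Security Center\\", re.I)),
]


def parse_mbam(text):
    """Return one dict per detection line, tagged with the section it sits in."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        item = ITEM_RE.match(line)
        if item and section:
            entries.append({"section": section, **item.groupdict()})
    return entries


def classify_locations(entries):
    """(kind, path) for each detection in an autostart or settings location."""
    found = []
    for e in entries:
        for kind, pattern in LOCATION_KINDS:
            if pattern.search(e["path"]):
                found.append((kind, e["path"]))
                break
    return found


def tampered_settings(entries):
    """Registry data items MBAM reported as flipped from a good to a bad value."""
    out = []
    for e in entries:
        m = TAMPER_RE.search(e["action"])
        if m:
            out.append((e["path"], m.group("bad"), m.group("good")))
    return out


def recurring(before, after):
    """Detections in `after` that `before` had already claimed to remove."""
    seen = {(e["section"], e["path"].lower()) for e in before}
    return [(e["section"], e["path"]) for e in after
            if (e["section"], e["path"].lower()) in seen]


if __name__ == "__main__":
    full, quick = parse_mbam(FULL_SCAN), parse_mbam(QUICK_SCAN)
    for kind, path in classify_locations(full):
        print(f"{kind:16} {path}")
    for path, bad, good in tampered_settings(full):
        print(f"tampered: {path} = {bad} (expected {good})")
    for section, path in recurring(full, quick):
        print(f"came back after cleaning [{section}]: {path}")
```

The recurring() check is the one to run whenever two logs from consecutive days are posted: a key or file that is "deleted successfully" and then reappears is being recreated by something the scanner cannot see, which is exactly the case where a user-mode scan log stops being informative and a rootkit scanner is the next step.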

#14 Blade (Site Admin, 12,704 posts)

Posted 09 July 2009 - 02:18 PM

Hello snkzato1,

Please install RootRepeal.
Note: Vista users, right-click the desktop icon and select "Run as Administrator."

Go HERE and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-Zip tool if needed), and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, then click on Scan. A window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again, and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

In your next reply, please include the following:
RootRepeal log

Edited by Blade Zephon, 09 July 2009 - 02:38 PM.


#15 snowdrop (Members, 513 posts)

Posted 09 July 2009 - 02:36 PM

As you say the computer was turned off while you were away: since your return to the computer, did you use any USB stick, CD etc., and if so, did you check that item for infections prior to using it?
