
I think my computer's not well


28 replies to this topic

#1 red_squiggle

red_squiggle

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:46 AM

Posted 16 July 2009 - 01:50 PM

Hello! :trumpet:

Well, I hoped I'd never have to post on a forum such as this, but after being lax with antivirus once my Norton subscription lapsed my laptop seems to be in a right state. I'd really appreciate any help; even though most files are backed up and I'm prepared for a clean start, it would be nice to resurrect the existing system.

It's been going on over the course of a few days, and I don't have a detailed record of everything that has happened (it's been a nightmare), but I'll do my best to summarise:

1) I recently installed AVG free 8.5 to take over from Norton after a period of a few weeks running no antivirus whatsoever (fool).

2) My computer started to act 'strange' with the following obvious symptoms:

i) Searches in google seemed to be intercepted and redirected (especially those related to malware, as it turns out)

ii) A crude version of the Windows Update exclamation tray icon appeared, warning me of an infection again and again and again...

3) With this in mind I ran an AVG scan, which detected malware (including fraudpack.pmn - sorry I can't remember the text case)

4) No problem, I thought, I'll get AVG to clear this...

...it couldn't.

5) So I did what I've done in the past and loaded a trial version of Norton 360. Had a nightmare downloading the installation file, but eventually I got it working. Seems the malware wouldn't let the software update properly, or scan. Restarted my computer and hey presto...my 30 day trial had instantly expired. hmm :flowers:

What was really freaky is that while I downloaded and initialised norton some weird voice came on with some music, which I have to admit spooked me a bit!

6) Starting to panic a bit I downloaded a free trial of Kaspersky. Could only get it to install and run in safe mode at first, where it found some infections, for which clearance was 'postponed'. 'fraid I don't have details to hand...

7) Now running Kaspersky in normal mode, it finds several keyloggers, but can't identify them, which is a bit suspect to me after limited google research...

8) Tried to install SUPERAntiSpyware, but it won't let me ('...has encountered a problem and needs to close' window appears)

9) Was able to install and run Sophos Anti Rootkit in normal Windows, where it finds some hidden registry keys, but cannot remove them (\HKEY_LOCAL_MACHINE\SOFTWARE\UAC is one of them)

10) In safe mode, sophos can't run, and tells me that suspicious behaviour has been detected that may indicate the presence of malware...

Just some general points:

- My computer frequently now hangs at, or before, the blue login screen (in safe and normal mode)
- An image appears momentarily during startup that never used to (similar to the Windows field wallpaper)
- Sometimes I have to try to open Kaspersky twice before I get a response.

So there you go, any suggestions I'd be really grateful for. If anyone is able to help, please bear in mind that I will be away from home over the weekend, but I will try to reply as promptly as I can.

Also, I'm writing this from my (presumed) uninfected desktop, to try to limit the infection's 'air time', so it might be a little more tricky transferring information across, or do you think it will be OK to continue using the laptop purely for diagnostic activity?

Many many thanks in anticipation :thumbsup:

Oh yes, and it's all happening on Windows XP Media Center Edition Version 2002 Service Pack 3. If any other info would be useful, please let me know...



#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:46 AM

Posted 16 July 2009 - 02:50 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Then press submit.



Let's take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#3 red_squiggle

red_squiggle
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:46 AM

Posted 16 July 2009 - 03:41 PM

Hi :thumbsup: , thanks very much for responding so quickly. I'm afraid I'm packing to leave for a short break now, returning Sunday. I'll carry out the requested actions once I return. I guess this wasn't the best time to post a query, but I just wanted to get it off my chest. It's nice to feel there is some hope..!

#4 red_squiggle

red_squiggle
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:46 AM

Posted 19 July 2009 - 02:13 PM

Hello again, wow that was 'fun'. The Malwarebytes install didn't 100% complete - the PC totally hung at the last moment, and though I left it for ten minutes, nothing happened so I had to restart by cutting power. Then the software wouldn't run without changing the extension in Program Files (would never have thought of doing that myself!)

Despite the install problems, it seemed to load and run OK (normal Windows, not Safe Mode), and here is the log:

Malwarebytes' Anti-Malware 1.39
Database version: 2464
Windows 5.1.2600 Service Pack 3

19/07/2009 19:54:09
mbam-log-2009-07-19 (19-54-08).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 208727
Time elapsed: 34 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Graeme\local settings\Temp\rasvsnet.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


What's the damage? Break it to me gently :thumbsup:

#5 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:46 AM

Posted 19 July 2009 - 08:01 PM

You have been infected by a nasty rootkit of the TDSS Variant. The rootkit may steal personal data such as any online banking or credit card information. If you do anything like this on the infected computer (online shopping, online banking, or financial transactions), you need to contact your bank and credit card companies to monitor your account. Also please change all of your passwords to accounts that you use on this machine. Also, it would be wise to change the password on your router, if that applies. Because of the nature and characteristics of rootkits, some members choose to reformat their computer, and some want to keep on cleaning it. If you wish to reformat let me know, otherwise please:

Install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images ,if needed >> L@@K
Unzip that to your Desktop and then click RootRepeal.exe to open the scanner.

* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Files tab, then click the Scan button.
* In the Select Drives dialog (Please select drives to scan:), select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High


Note 2: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".

Edited by Computer Pro, 19 July 2009 - 08:37 PM.

Computer Pro

#6 red_squiggle

red_squiggle
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:46 AM

Posted 21 July 2009 - 04:20 PM

Hello again,

Thanks for the top notch guidance. Once I got wind of a possible keylogger, I contacted my bank straight away, so hopefully that is already covered!

Is there a realistic chance the Rootkit can be completely cured? I’d like to flush it out if possible, if only to have the satisfaction of knowing it had been beaten. Plus I’m finding this process quite interesting if I’m honest.

I just understand that Rootkits can be quite tenacious and don’t want to waste your time fighting a losing battle, plus there is a trade off between the time taken to try to cure something like this and simply starting fresh.

On a more general note, at how high a risk are any external drives I’ve used with this PC? I scanned my main USB drive with Malwarebytes and AVG and they did not detect anything, so am I right to be reasonably confident that I’m in the clear in this respect?

And you mention changing my Router password...is that to stop a hacker changing firewall settings and the like or can they do even more sinister things using this information?

I'll have a go with Rootkit Repeal and let you know how that goes.

Many thanks

#7 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:46 AM

Posted 21 July 2009 - 05:10 PM

Yes we can do our best to remove the Rootkit, but like I said in the other message, we might not be able to get it out all of the way so that we would know that it is clean.

From what I can see, you do not have any infections that would spread themselves to your USB devices.

You hit it right on the money for the reason to change the router password.

Once you have run RootRepeal, please post the log
Computer Pro

#8 red_squiggle

red_squiggle
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:46 AM

Posted 22 July 2009 - 11:58 AM

Hi,

I didn’t have much joy with RootkitRepeal.

When I tried to run it in both Windows normal mode and Safe Mode I got the error message:

‘Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog.’

This appeared after I clicked OK about four more times.

Then got the warning:

‘Could not find module on disk!’

Details>>

Warning – could not read Windows kernel using raw-disk reading!

Could not find module on disk!

Could not find module on disk!

Could not find module on disk!


I tried adjusting the disk access level to all available levels, but the warnings still appeared.

Some of the scans still worked, but I presume the program’s operation has been compromised?

The most obvious sinister report was for:

Hidden Module [Name: UACuhdnhcxjmsodgxcjr.dll]

In Process: svchost.exe (PID: 456), Address: 0x10000000, Size: 73728.

Doesn’t look good…

Is it worth posting the reports for any of the other scans that worked?

#9 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:46 AM

Posted 22 July 2009 - 04:10 PM

Ok, then please run another Quick Scan with Malwarebytes
Computer Pro

#10 red_squiggle

red_squiggle
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:46 AM

Posted 23 July 2009 - 01:59 PM

Hi again, sorry for the slow-time responses. You've probably figured out that I'm based in the UK, so by the time I get back from work and run any scans to reply to you it's generally straight to bed after that!

I ran two scans last night, one in normal mode, the second in safe mode. They're in order below:

Normal:

Malwarebytes' Anti-Malware 1.39
Database version: 2482
Windows 5.1.2600 Service Pack 3

22/07/2009 23:10:39
mbam-log-2009-07-22 (23-10-39).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 208917
Time elapsed: 33 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


Safe Mode:

Malwarebytes' Anti-Malware 1.39
Database version: 2482
Windows 5.1.2600 Service Pack 3

23/07/2009 06:46:57
mbam-log-2009-07-23 (06-46-57).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 206646
Time elapsed: 1 hour(s), 34 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


It seems uacinit.dll refuses to take the hint........
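
An added example, not part of this thread and not Malwarebytes' own code: a small Python parser for the MBAM log format posted in #4 and #10, used to compare two scans. The log excerpts embedded in it are constructed from the entries in those posts (shortened, same item names); the function names are assumptions of this example. What it surfaces is exactly what red_squiggle noticed: uacinit.dll is "Delete on reboot" in every scan and HKEY_LOCAL_MACHINE\SOFTWARE\UAC comes back after being "Quarantined and deleted successfully", so the removals are not sticking.

```python
import re
from collections import Counter

# Two constructed MBAM-style log excerpts, modelled on the logs posted in this
# thread (entries shortened; the item names are the ones the logs report).
SCAN_19_JULY = r"""
Malwarebytes' Anti-Malware 1.39
Database version: 2464
Windows 5.1.2600 Service Pack 3

Registry Keys Infected: 3
Files Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SCAN_22_JULY = r"""
Malwarebytes' Anti-Malware 1.39
Database version: 2482
Windows 5.1.2600 Service Pack 3

Registry Keys Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

# "Files Infected:" with nothing after the colon opens a section; the summary
# header lines ("Files Infected: 2") do not match because of the count.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# "<item> (<family>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

REMOVED = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, action."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        if section is None or line.startswith("("):
            continue  # header lines, or "(No malicious items detected)"
        entry = ENTRY_RE.match(line)
        if entry:
            detections.append({"section": section, **entry.groupdict()})
    return detections


def family_counts(detections):
    """How many detections per MBAM family name (Trojan.Agent, Rootkit.Trace, ...)."""
    return Counter(d["family"] for d in detections)


def not_removed(detections):
    """Detections MBAM could not remove in-session (e.g. 'Delete on reboot')."""
    return [d for d in detections if d["action"] != REMOVED]


def reappearing(earlier, later):
    """Items an earlier scan reported as handled that a later scan reports again.

    Paths are compared case-insensitively because MBAM mixes 'C:' and 'c:'.
    An item that keeps coming back after 'Quarantined and deleted successfully'
    means something is re-creating it, which is what the rootkit in this
    thread is doing.
    """
    seen = {d["item"].lower() for d in earlier}
    return [d for d in later if d["item"].lower() in seen]


if __name__ == "__main__":
    first, second = parse_mbam_log(SCAN_19_JULY), parse_mbam_log(SCAN_22_JULY)
    print("first scan families:", dict(family_counts(first)))
    for d in reappearing(first, second):
        print("came back:", d["item"], "->", d["action"])
```

Reading the output this way turns "MBAM found one thing again" into a concrete signal: the same two objects survive across scans and reboots, which is the point at which a helper stops expecting the on-demand scanner to win and moves to a rootkit tool, as Computer Pro does in the next post.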

#11 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:46 AM

Posted 23 July 2009 - 02:16 PM

Ok, let's try Sophos Anti-Rootkit:

Please download Sophos Anti-Rootkit and save it to your desktop.
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Credits to DaChew
Be sure to print out and read the User Manual and Release Notes
• Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
• Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
• A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
• Make sure the following are checked:
    o Running processes
    o Windows Registry
    o Local Hard Drives

• Click Start scan.
• Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
• When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
• Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    o Files tagged as Removable: No are not marked for removal and cannot be removed.
    o Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    o Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
• Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
• A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
• After reboot, a dialog box displays the files you selected for removal and the action taken.
• Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
• When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
• This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.

Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
• Disconnect from the Internet or physically unplug your Internet cable connection.
• Clean out your temporary files.
• Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
• Temporarily disable your anti-virus and real-time anti-spyware protection.
• After starting the scan, do not use the computer until the scan has completed.
• When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Computer Pro

#12 red_squiggle

red_squiggle
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:46 AM

Posted 23 July 2009 - 04:38 PM

Here's the Sophos log. I should have read the instructions fully through before I started - I missed the recommendations, which means my temporary files have not been cleared and Kaspersky was running during this scan.

I will repeat with these issues rectified if necessary. Note that there were no files in the report that were recommended for clean up, so I couldn't complete all the steps.



Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 23/07/2009 at 20:46:15
User "<my name" on computer "<my computer's name>"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\UAC
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\uactmp.db
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temp\UAC5657.tmp
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\GBRYEQSO\AAAAAAAAAAAAAAAAAAAAAAACnnQQAAAAAAAIAAgAAAAAAVBILdSIBAAAAAAAAADEzZmQ1YTMwLTZmY2UtMTFkZS04ZjM5LTAwMWUwYjVhMDQyYQBUAAAAAAA=,,http%3A%2F%2Fad.adserverplus[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\NE8XOXVI\AAAAAAAAACnnQQAAAAAAAIAAgAAAAAAuiYMdSIBAAAAAAAAADNlMmExZDJhLTZmY2UtMTFkZS04Y2FlLTAwMWQwOTYzZTYzMgBUAAAAAAA=,,http%3A%2F%2Fad.adserverplus[1].com%2F,;ord=1247504246
Hidden: file C:\WINDOWS\system32\UACrralqibivt.log
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\NFB2U1GZ\AAAAAAAAAAAAAAAAAAAACr4QQAAAAAAAIAAwAAAAAAaEDudiIBAAAAAQAAAGNlMzUyNzcyLTcwMTctMTFkZS1iNTk2LTAwMWNjNDNjOWViNACxHCsAAAA=YXA-AA==,,http%3A%2F%2Ftubefaster[1].com%2F,;
Hidden: file C:\WINDOWS\system32\uacinit.dll
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\59QVM4KQ\AAAAAACr4QQAAAAAAAIAAwAAAAAAF3H-dSIBAAAAAQAAADM2YTJlZTQwLTZmZjMtMTFkZS04OTVkLTAwMWQwOTYzZjMwOQDDYQAAAAA=YXA-AA==,,http%3A%2F%2Ftubefaster[1].com%2F,;ord=1247520125
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\NFB2U1GZ\AAAAAAAAAAAAAAAAABRAwQAAAAAAAIAAwAAAAAAMdMkeiIBAAAAAAAAADUxZmFmNzhhLTcwOTUtMTFkZS04NzIwLTAwMWNjNGZhYmZlMgBUAAAAAAA=,,http%3A%2F%2Fad.harrenmedianetwork[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\9N80JTD1\AAAAAAAAAAAAAAAAAAAACr4QQAAAAAAAIAAwAAAAAApG4DdiIBAAAAAQAAAGY5OTM0ODk2LTZmZjMtMTFkZS1hNGI2LTAwMWQwOTYzZjE0OQASKCsAAAA=YXA-AA==,,http%3A%2F%2Ftubefaster[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\OJ00C234\AAAAAAAAAAAAAAAAAAAACr4QQAAAAAAAIAAwAAAAAA7aXidiIBAAAAAQAAADA4ZjJkNmZlLTcwMTYtMTFkZS04ZGMzLTAwMWNjNDNjOWYwNgBQWCsAAAA=YXA-AA==,,http%3A%2F%2Ftubefaster[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\NE8XOXVI\AAAAAAAAABSAwQAAAAAAAIAAwAAAAAAie0sdiIBAAAAAQAAADRlODAwZmM4LTZmZmEtMTFkZS05MTRlLTAwMWI3OGQyOTlmNABjYgAAAAA=3dhFAA==,,http%3A%2F%2Fad.harrenmedianetwork[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\59QVM4KQ\21=1;kr=H;kgender=m;kga=1002;kar=4;klg=en-gb;kage=28;kgg=1;kt=U;kw=high+edge+raceway;kcr=gb;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=3927500531266806[1]
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\04VAB1PW\1002;kar=4;kgg=1;kcr=gb;khd=0;klg=en-gb;kpu=Moorsey2;kr=H;k21=1;ko=c;afc=1;k3=180;kp=1;kage=28;ctb=1;kt=U;u=tnYbiHKVVt0%7C6;dc_dedup=1;tile=1;ord=167431375[1].asx
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\5TECOQZ7\cr=gb;khd=0;klg=en-gb;kpu=Moorsey2;kr=H;k21=1;ko=c;afc=1;k3=180;kp=1;kage=28;ctb=1;kt=U;u=tnYbiHKVVt0%7C6;dc_dedup=1;dc_seed=215453954;tile=1;ord=380584050[1].htm
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\5TECOQZ7\cr=gb;khd=0;klg=en-gb;kpu=Moorsey2;kr=H;k21=1;ko=c;afc=1;k3=180;kp=1;kage=28;ctb=1;kt=U;u=tnYbiHKVVt0%7C6;dc_dedup=1;dc_seed=215453954;tile=1;ord=203617126[1].asx
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\OJ00C234\AAAAAAAAAAAAAAAAAAD9JgQAAAAAAAIAAwAAAAAA6q0TdiIBAAAAAAAAADc0M2FlMjk2LTZmZjYtMTFkZS04MmFiLTAwMWVjOWI0NGVhNgBUAAAAAAA=,,http%3A%2F%2Fad.z5x[1].net%2F,;ord=1247521517
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\VB722Q0N\AAAAAAAAAAAAAAAAABSAwQAAAAAAAIAAwAAAAAAT6wzdiIBAAAAAAAAADU1ZmMzMzcwLTZmZmItMTFkZS1hMjVlLTAwMWNjNDNjOWVjYQBDXwAAAAA=,,http%3A%2F%2Fad.harrenmedianetwork[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\UPZKBDY0\AAAAAAAAAAAAAAAAAAAACr4QQAAAAAAAIAAwAAAAAAT.VFdiIBAAAAAQAAADIwM2ZiODU4LTZmZmUtMTFkZS04OTMxLTAwMWVjOWI0MzBlMgD7QisAAAA=YXA-AA==,,http%3A%2F%2Ftubefaster[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\UTZOY6JA\AAAAAAAAABRAwQAAAAAAAIAAwAAAAAAPHdNdiIBAAAAAQAAADQ1ODJmMmU2LTZmZmYtMTFkZS04YzM2LTAwMWNjNDNjOWYwZQBUAAAAAAA=9RtPAA==,,http%3A%2F%2Fad.harrenmedianetwork[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\NE8XOXVI\AAAAAAAAABSAwQAAAAAAAIAAwAAAAAAQvRadiIBAAAAAQAAADU0NjZhN2Y2LTcwMDEtMTFkZS1hMzJmLTAwMWVjOWIzYjdkNgBgRAAAAAA=9RtPAA==,,http%3A%2F%2Fad.harrenmedianetwork[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\LA6G6ZV9\AAAAAAAAAAAAAAAAAAAAAAACnnQQAAAAAAAIAAgAAAAAAZDhidiIBAAAAAAAAADcwM2MxMWNjLTcwMDItMTFkZS1iNjIzLTAwMWVjOWI0MWMyZQBUAAAAAAA=,,http%3A%2F%2Fad.adserverplus[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\UTZOY6JA\AAAAAAAAAAAAAAAAABRAwQAAAAAAAIAAwAAAAAAjGJ1diIBAAAAAAAAADVjZGFjMmVjLTcwMDUtMTFkZS05MmIzLTAwMWVjOWIzODJjZQCiXgAAAAA=,,http%3A%2F%2Fad.harrenmedianetwork[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\UT7Y99O0\AAAAAAAAAAAAAAAAAAD9JgQAAAAAAAIAAwAAAAAAH9l1diIBAAAAAAAAADZlZjJhMzI4LTcwMDUtMTFkZS04YmI2LTAwMWVjOWIzODJjZQBUAAAAAAA=,,http%3A%2F%2Fad.z5x[1].net%2F,;ord=1247527950
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\5TECOQZ7\CM7gMAAAAAAAIAAwAAAAAAyjV9diIBAAAAAQAAADhlODY2ODE4LTcwMDYtMTFkZS05ZmM2LTAwMWVjOWIzODdlMABUAAAAAAA=.Q5KAA==,,http%3A%2F%2Fwww.acetopsearch[1].com%2F,;ord=1247528433
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\NFB2U1GZ\AAAAAAAAABRAwQAAAAAAAIAAwAAAAAAd5R.diIBAAAAAQAAAGViMThjNThhLTcwMDYtMTFkZS05YzM4LTAwMWVjOWIzODhhOABUAAAAAAA=3dhFAA==,,http%3A%2F%2Fad.harrenmedianetwork[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\V0KKXPVR\AAAAAAAAABSAwQAAAAAAAIAAwAAAAAAPiWMdiIBAAAAAQAAAGQ1ZjAwYzE2LTcwMDgtMTFkZS04MGViLTAwMWNjNDNjOWYwOABUAAAAAAA=9RtPAA==,,http%3A%2F%2Fad.harrenmedianetwork[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\NFB2U1GZ\AAAAAAAAABRAwQAAAAAAAIAAwAAAAAAEsCodiIBAAAAAQAAADMzNTAxMTY4LTcwMGQtMTFkZS1iYmRiLTAwMWVjOWIzODM2ZQBUAAAAAAA=9RtPAA==,,http%3A%2F%2Fad.harrenmedianetwork[1].com%2F,;
Hidden: file C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\59QVM4KQ\CM7gMAAAAAAAIAAwAAAAAAfruudiIBAAAAAQAAADFjZmQzMGYyLTcwMGUtMTFkZS04NDAzLTAwMWNjNDEwYzYwNgBUAAAAAAA=.Q5KAA==,,http%3A%2F%2Fwww.acetopsearch[1].com%2F,;ord=1247531678
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\VFTODD8P\AAAAAAAAAAAAAACM7gMAAAAAAAIAAwAAAAAAaaKydiIBAAAAAQAAAGI1Njk3MDllLTcwMGUtMTFkZS04M2E3LTAwMWQwOTYzZWM2MwD3RysAAAA=.Q5KAA==,,http%3A%2F%2Fwww.acetopsearch[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\UPZKBDY0\AAAAAACr4QQAAAAAAAIAAwAAAAAA3Om4diIBAAAAAQAAAGFhYjA4YzBlLTcwMGYtMTFkZS1hZTBiLTAwMWNjNDEwYjhlNQBUAAAAAAA=YXA-AA==,,http%3A%2F%2Ftubefaster[1].com%2F,;ord=1247532345
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\O2ZQ9BXN\AAAAAAAAAAAAAAAAABSAwQAAAAAAAIAAwAAAAAAlQ28diIBAAAAAAAAADI1NTNkMDFhLTcwMTAtMTFkZS04Y2UzLTAwMWVjOWIzYWY4MQBUAAAAAAA=,,http%3A%2F%2Fad.harrenmedianetwork[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\LA6G6ZV9\AAAAAAAAAAAAAAAAAAD9JgQAAAAAAAIAAwAAAAAATdHCdiIBAAAAAAAAADJkOTEzMzIwLTcwMTEtMTFkZS1hYWU3LTAwMWVjOWI0NGNmZABUAAAAAAA=,,http%3A%2F%2Fad.z5x[1].net%2F,;ord=1247532994
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\04VAB1PW\AAAAAAAAAAAAAACM7gMAAAAAAAIAAwAAAAAAGWvjdiIBAAAAAQAAADI3MDhlYjEwLTcwMTYtMTFkZS1iMDUxLTAwMWNjNDEwYTk5NABUAAAAAAA=.Q5KAA==,,http%3A%2F%2Fwww.acetopsearch[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\NE8XOXVI\AAAAAACr4QQAAAAAAAIAAwAAAAAA32fudiIBAAAAAQAAAGQ0M2FjOWM0LTcwMTctMTFkZS1iMzJmLTAwMWVjOWI0MzBkZABUAAAAAAA=YXA-AA==,,http%3A%2F%2Ftubefaster[1].com%2F,;ord=1247535851
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\GBRYEQSO\AAAAAAAAAAAAAAAAABSAwQAAAAAAAIAAwAAAAAARY7ydiIBAAAAAAAAADc2NTZjNjA0LTcwMTgtMTFkZS04ZmQ0LTAwMWNjNDNjOWQxYQBUAAAAAAA=,,http%3A%2F%2Fad.harrenmedianetwork[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\UT7Y99O0\AAAAAAAAABSAwQAAAAAAAIAAwAAAAAAlQH7diIBAAAAAQAAAGMwNmYyOWM0LTcwMTktMTFkZS04MjI4LTAwMWVjOWI0NGUzZABUAAAAAAA=3dhFAA==,,http%3A%2F%2Fad.harrenmedianetwork[1].com%2F,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\UTZOY6JA\AAAAAAAAABSAwQAAAAAAAIAAwAAAAAAKrP6diIBAAAAAQAAAGI0NzdmNDJhLTcwMTktMTFkZS1hZmVhLTAwMWNjNDEwYzhmZgBBSwAAAAA=ibBOAA==,,http%3A%2F%2Fad.harrenmedianetwork[1].com%2F,;
Hidden: file C:\WINDOWS\system32\UACufyrehavjykcbafwj.dat
Hidden: file C:\WINDOWS\system32\UACccrndxupdyalxanmn.db
Hidden: file C:\WINDOWS\system32\UACtkxayaowyfdmyxgik.dll
Hidden: file C:\WINDOWS\system32\UACuhdnhcxjmsodgxcjr.dll
Hidden: file C:\WINDOWS\system32\drivers\UACubloneorruevdhxdp.sys
Hidden: file C:\WINDOWS\system32\UACroqrdttmyxfvwliic.dll
Hidden: file C:\WINDOWS\system32\UACpbddvcktnostbunhh.dll
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\5TECOQZ7\token=U&platformtoken=Win32&language=en-us&pagetitle=<my workplace was here>%20Aerospace%20-%20Staff%20Resources%20-%20Web%20Access&referer=&screen=1280x800&localtime=22%3A37[1]
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\VFTODD8P\r=F;kgender=m;kga=1002;kar=4;klg=en-gb;kage=28;kgg=1;kt=U;kw=germany+plane+crash+car;kcr=gb;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=3731368820555430[1]
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\04VAB1PW\r=F;kgender=m;kga=1002;kar=4;klg=en-gb;kage=28;kgg=1;kt=U;kw=germany+plane+crash+car;kcr=gb;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=9858545086393196[1]
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\UTZOY6JA\_within12mont;seg=GL_MetaViewWatchSearch_293;seg=GL_MetaViewWatchSearch_14675;tcat=108948;items=13;sz=728x90;ord=1247608724565;dcopt=ist;tile=1;um=3;us=11;[1].htm
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\GK81GAQY\rs_Listed_within12mont;seg=GL_MetaViewWatchSearch_293;seg=GL_MetaViewWatchSearch_14675;tcat=108948;items=13;sz=160x600;ord=1247608724565;tile=2;um=3;us=11;[1].htm
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\UT7Y99O0\m=2;l=9040;cxt=390000101_1333320-390000111_1333320-222000001_1331544-323000117_1328276;kw=;p=ui%3DSW7E_4dxuylFYA%3Btr%3D0fRmjp1yrwB%3Btm%3D0-0;ts=1247608806078[1]
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\NE8XOXVI\href%3Fbanner%3D253891%26place%3D19468%26rnd%3D1247679912393%26url%3D,http%3A%2F%2Fmedia.adrevolver[1].com%2Fadrevolver%2Fbanner%3Fplace%3D19468%26cpy%3D5501862,;
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\VFTODD8P\tainment;adlocation=site_below_header;campaign=;page=category;kw=blinkx;pid=11;sz=728x90,728x91;dclu5=229163bb8f840f4;source=site;t=1;tile=1;ord=5195839200678340[1]
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\04VAB1PW\food;adlocation=site_below_header;campaign=;page=category;kw=blinkx;pid=14;sz=728x90,728x91;dclu5=229163bb8f840f4;source=site;t=1;tile=1;ord=413457226744671[1].75
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\NFB2U1GZ\food;adlocation=site_below_player;campaign=;page=category;kw=blinkx;pid=14;sz=468x62,300x251;dclu5=229163bb8f840f4;source=site;t=1;tile=2;ord=413457226744671[1].75
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\NFB2U1GZ\9;sessionstart=landingpage;safefilter=off;page=category;pid=11;kw=blinkx;fc_utarget_ok=false;t=1;sz=125x30,234x60,300x250,980x610,468x60,728x90;tile=3;~cs=i[1].gif
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\OJ00C234\ainment;adlocation=site_below_player;campaign=;page=category;kw=blinkx;pid=11;sz=468x62,300x251;dclu5=229163bb8f840f4;source=site;t=1;tile=2;ord=5195839200678340[1]
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\5TECOQZ7\entertainment;adlocation=site_above_results;campaign=;page=category;kw=blinkx;pid=11;sz=300x250;dclu5=229163bb8f840f4;source=site;t=1;tile=3;ord=5195839200678340[1]
Hidden: file C:\Documents and Settings\<my name was here>\Local Settings\Temporary Internet Files\Content.IE5\V0KKXPVR\3;sessionstart=landingpage;safefilter=off;page=category;pid=11;kw=blinkx;fc_utarget_ok=false;t=1;sz=125x30,234x60,300x250,980x610,468x60,728x90;tile=4;~cs=b[1].gif
Hidden: file C:\WINDOWS\system32\UACytmlqbvdorojkyxml.dll
Info: Starting disk scan of D: (NTFS).
Info: Starting disk scan of G: (FAT).
Stopped logging on 23/07/2009 at 21:15:49
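
The Sophos listing above mixes three very different things under one "Hidden: file" label: the rootkit's own kernel driver in system32\drivers, its user-mode components in system32, and a long tail of Internet Explorer cache entries that are hidden only because Content.IE5 is a hidden folder by design. The following Python script is an added example, not part of the thread and not Sophos code, showing how a responder can triage such a log. The UAC* file names in the sample are the ones from the log above; the cache paths, the clean-looking kernel32.dll entry and the "UAC plus random lower-case letters" naming rule are this example's own assumptions.

```python
"""Triage the "Hidden: file" lines of a Sophos Anti-Rootkit log.

Added example, not code from the thread or from Sophos. The UAC* names in
the sample are the ones from the log posted above; the cache paths, the
clean-looking system file and the "UAC" naming rule are this example's own
assumptions, kept explicit so they can be adjusted.
"""
from __future__ import annotations

import re

# Constructed sample: same line shapes as the posted Sophos log, with "user"
# standing in for the poster's redacted account name.
SAMPLE_LOG = r"""
Hidden: file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\UPZKBDY0\banner[1].gif
Hidden: file C:\WINDOWS\system32\UACufyrehavjykcbafwj.dat
Hidden: file C:\WINDOWS\system32\UACccrndxupdyalxanmn.db
Hidden: file C:\WINDOWS\system32\UACtkxayaowyfdmyxgik.dll
Hidden: file C:\WINDOWS\system32\drivers\UACubloneorruevdhxdp.sys
Hidden: file C:\WINDOWS\system32\UACroqrdttmyxfvwliic.dll
Hidden: file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5TECOQZ7\token=U&platformtoken=Win32[1]
Hidden: file C:\WINDOWS\system32\kernel32.dll
Info: Starting disk scan of D: (NTFS).
Stopped logging on 23/07/2009 at 21:15:49
"""

HIDDEN_RE = re.compile(r"^Hidden: file (?P<path>.+?)\s*$", re.M)

# Assumed naming rule, read off the posted logs: "UAC" followed by a run of
# random lower-case letters and one of the extensions seen there. A match is
# a lead to confirm with a second scanner, not proof on its own.
TDSS_NAME_RE = re.compile(r"^UAC[a-z]{8,}\.(?:dll|sys|dat|db|log)$")

SYSTEM32 = "c:\\windows\\system32\\"
IE_CACHE_MARKER = "\\temporary internet files\\content.ie5\\"


def classify(path: str) -> str:
    """Bucket one hidden path: driver, user-mode component, IE cache noise, or other."""
    low = path.lower()
    name = path.rsplit("\\", 1)[-1]
    # Content.IE5 is a hidden folder by design, so its contents are expected noise.
    if IE_CACHE_MARKER in low:
        return "ie_cache"
    if TDSS_NAME_RE.match(name):
        parent = low[: -len(name)]
        if parent == SYSTEM32 + "drivers\\":
            return "tdss_driver"
        if parent == SYSTEM32:
            return "tdss_component"
    # Anything else reported hidden deserves a manual look.
    return "other_hidden"


def triage(log_text: str) -> dict[str, list[str]]:
    """Parse a Sophos Anti-Rootkit log and group its hidden files by bucket."""
    buckets: dict[str, list[str]] = {
        "tdss_driver": [], "tdss_component": [], "ie_cache": [], "other_hidden": []
    }
    for match in HIDDEN_RE.finditer(log_text):
        path = match.group("path")
        buckets[classify(path)].append(path)
    return buckets


def removal_order(buckets: dict[str, list[str]]) -> list[str]:
    """Driver first, as the helper in the thread did, then the user-mode pieces."""
    return buckets["tdss_driver"] + buckets["tdss_component"]


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for bucket, paths in report.items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("    " + p)
    print("check for deletion, in order:")
    for p in removal_order(report):
        print("    " + p)
```

Run it as-is to see the sample split into buckets; point `triage()` at the text of a real log to triage that instead. The cache bucket is deliberately separated rather than dropped, because a hidden cache entry that points at a malicious domain is still useful timeline evidence even though it is not something to delete by hand.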


#13 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:46 AM

Posted 23 July 2009 - 05:10 PM

Please rerun Sophos and, once it is done, check this file for deletion:

Hidden: file C:\WINDOWS\system32\drivers\UACubloneorruevdhxdp.sys


Then click Clean up checked items. Restart once it says that it has cleared the file.

Then, after you have rebooted, update Malwarebytes, run a Quick Scan and post the log.
Computer Pro

#14 red_squiggle

red_squiggle
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:46 AM

Posted 26 July 2009 - 03:29 PM

Hello again. Here goes:

Malwarebytes' Anti-Malware 1.39
Database version: 2506
Windows 5.1.2600 Service Pack 3

26/07/2009 21:06:59
mbam-log-2009-07-26 (21-06-59).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 206413
Time elapsed: 40 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\UACpbddvcktnostbunhh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACroqrdttmyxfvwliic.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACtkxayaowyfdmyxgik.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACuhdnhcxjmsodgxcjr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACrralqibivt.log (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACytmlqbvdorojkyxml.dll (Trojan.Agent) -> Quarantined and deleted successfully.


#15 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:46 AM

Posted 26 July 2009 - 03:44 PM

Ok, looks like we got the rootkit out. Next:

Please run ATF and SAS:
Credits to Boopme

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Edition.

Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter Safe Mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
Computer Pro



