PDF virus disabled antivirus, explorer.exe, system restore


20 replies to this topic

#1 josh_junk (Members, 14 posts)

Posted 27 July 2009 - 09:41 AM

Using XP Home.

I caught a virus last night -- someone sent me a PDF which has a virus wrapped in it. I, like a dummy, clicked on it.

Norton caught something was wrong and then it tried to stop it and then tried to stop the virus from sending out emails. It all happened very quickly.

I tried to clean the computer right away, but it disabled all my anti-virus and malware software (Norton, SuperAntiSpyware and Malwarebytes' Anti-Malware).

After a second reboot it deleted my explorer.exe process so I have no desktop icons or taskbar.

I have a laptop so I was able to download Combofix and run it via a USB drive on my desktop. After Combofix was through I was able to re-install Malwarebytes' Anti-Malware and run it (full system scan), which caught some nasties.

I might be clean now (probably not), but all the installed anti-virus and malware software is still restricted (I can't open them) and my explorer.exe is still gone.

I tried to use system restore which doesn't work in regular or safe mode. So no desktop icons or taskbar for me.

No XP error messages.

So --

1) Downloaded virus wrapped in PDF
2) Access restricted to Norton, SuperAntiSpyware and Malwarebytes' Anti-Malware in regular and safe mode
(Windows Explorer has also been restricted)
3) No explorer.exe process on boot-up so I have no desktop icons or taskbar
4) System restore does not work

Help would be greatly appreciated.

I can run programs off a USB drive from the Task Manager, which I still have access to.

PS. I am not a Combofix pro, but I was trying to fix this issue on my own. Sorry if I jumped the gun!


#2 boopme (Global Moderator, NJ USA)

Posted 27 July 2009 - 10:27 AM

Hello, try this for the desktop.
Open Task Manager (Ctrl + Alt + Del) and go to File >> New Task (Run...) >> type explorer.exe >> Enter

Then, do a search for your explorer.exe via your search function.

You may find a copy of explorer.exe in either of the locations below:

C:\WINDOWS\ServicePackFiles\i386\explorer.exe
C:\WINDOWS\system32\dllcache\explorer.exe

Just choose either one of them and copy/paste it to the C:\WINDOWS folder, if C: is where Windows was installed.


Now try Fatdcuk's fix.

Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe

Once renamed double click on the file to open MBAM and select Quick Scan

At the end of the scan click Remove Selected and then reboot.


Post the scan log. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 josh_junk (Topic Starter)

Posted 27 July 2009 - 08:33 PM

Just got to my computer.

Tried to copy a clean version of explorer.exe, but the 'bad' explorer.exe is still in the C:\WINDOWS folder. Tried to delete it or copy over it and got an error: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Cannot click on it to start the service (same error).

Tried Fatdcuk's fix, which worked. Quick scan came up clean (didn't fix my lock-out issue), so I will post my prior scans since infection (5 in total).

I think the first scan cleaned up a bad malware removal tool I installed by accident (malware removal bot) after the initial infection from the virus wrapped PDF.

Thanks --

________________________

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/27/2009 1:41:25 AM
mbam-log-2009-07-27 (01-41-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 213558
Time elapsed: 1 hour(s), 23 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9d3cf193-58e5-40d5-ba60-233f4c216e37} (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\50e90ec4ec063d44bb935a0d02415732 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\50e90ec4ec063d44bb935a0d02415732 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{9d3cf193-58e5-40d5-ba60-233f4c216e37} (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1f26a7a704abd8f4f8801f37167d691f (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\aa02c0f5889834c42886c1a98ea53266 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\b575e3c1288dd9e4a83e9e064562cdc1 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\d37f1f5d110c2ea4c85ec64e702394b9 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\igfxtray (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\malwareremovalbot\(default) (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\documents and settings\all users\start menu\programs\malwareremovalbot\(default) (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\malwareremovalbot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\malwareremovalbot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\igfxtray.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\application data\Mozilla\Firefox\Profiles\w3hk02ge.default\Cache\D8AABD14d01 (Rogue.Installer) -> Quarantined and deleted successfully.
c:\program files\motorola phone tools\MPT_TEST_Info.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{88a9728d-068d-4be5-99bd-49cc3fd4bc94}\RP1883\A0182174.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\system volume information\_restore{88a9728d-068d-4be5-99bd-49cc3fd4bc94}\RP1883\A0183369.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{88a9728d-068d-4be5-99bd-49cc3fd4bc94}\RP1883\A0183376.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\program files\malwareremovalbot\DataBase.ref (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\program files\malwareremovalbot\MalwareRemovalBot.exe (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\program files\malwareremovalbot\MalwareRemovalBot.url (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\program files\malwareremovalbot\vistaCPtasks.xml (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\malwareremovalbot\MalwareRemovalBot on the Web.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\malwareremovalbot\MalwareRemovalBot.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\malwareremovalbot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\malwareremovalbot\Log\2009 Jul 26 - 10_00_49 PM_953.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\malwareremovalbot\Log\2009 Jul 26 - 10_16_29 PM_328.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\malwareremovalbot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\all users\Desktop\MalwareRemovalBot.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

________________________

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/27/2009 1:50:34 AM
mbam-log-2009-07-27 (01-50-34).txt

Scan type: Quick Scan
Objects scanned: 1
Time elapsed: 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
________________________

Malwarebytes' Anti-Malware 1.39
Database version: 2510
Windows 5.1.2600 Service Pack 3

7/27/2009 2:03:00 AM
mbam-log-2009-07-27 (02-03-00).txt

Scan type: Quick Scan
Objects scanned: 90983
Time elapsed: 9 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\classapi64.dll (Trojan.Hijacker) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt64chain (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\classapi64.dll (Trojan.Hijacker) -> Delete on reboot.
c:\WINDOWS\system32\mapitools.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
________________________

Malwarebytes' Anti-Malware 1.39
Database version: 2510
Windows 5.1.2600 Service Pack 3

7/27/2009 8:40:51 AM
mbam-log-2009-07-27 (08-40-51).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 225473
Time elapsed: 1 hour(s), 30 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\netlogon.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\tifiuen.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\netlogon.dll.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\f27e7237.sys.vir (Rootkit.Rustock) -> Quarantined and deleted successfully.
c:\system volume information\_restore{88a9728d-068d-4be5-99bd-49cc3fd4bc94}\RP1883\A0183367.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{88a9728d-068d-4be5-99bd-49cc3fd4bc94}\RP1883\A0183368.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{88a9728d-068d-4be5-99bd-49cc3fd4bc94}\RP1883\A0183373.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{88a9728d-068d-4be5-99bd-49cc3fd4bc94}\RP1883\A0183374.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{88a9728d-068d-4be5-99bd-49cc3fd4bc94}\RP1883\A0183375.exe (Rustock.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{88a9728d-068d-4be5-99bd-49cc3fd4bc94}\RP1883\A0183394.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{88a9728d-068d-4be5-99bd-49cc3fd4bc94}\RP1883\A0183401.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
c:\system volume information\_restore{88a9728d-068d-4be5-99bd-49cc3fd4bc94}\RP1883\A0183435.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{88a9728d-068d-4be5-99bd-49cc3fd4bc94}\RP1884\A0183476.dll (Trojan.Hijacker) -> Quarantined and deleted successfully.
________________________

Malwarebytes' Anti-Malware 1.39
Database version: 2510
Windows 5.1.2600 Service Pack 3

7/27/2009 9:09:08 PM
mbam-log-2009-07-27 (21-09-08).txt

Scan type: Quick Scan
Objects scanned: 90776
Time elapsed: 6 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

________________________
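The MBAM logs pasted in this thread all follow the same fixed layout: a header (database version, scan type, objects scanned), a block of declared counts per category, then one section per category listing each hit as `object (Family) -> action`. Reading five of them by eye is error-prone, so here is an added example (not code from the posts above and not from Malwarebytes) that parses that layout, checks a pasted log is complete by comparing the declared counts with the entries actually listed, separates hits found inside System Restore snapshots and inside ComboFix's Qoobox quarantine from live ones, and pulls out anything still marked "Delete on reboot". The function names are mine; the two embedded logs are trimmed copies of logs posted earlier in this thread, labelled as constructed samples.

```python
"""Parse Malwarebytes' Anti-Malware 1.x logs and summarise several of them."""
import re
from collections import Counter

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")         # "Files Infected: 13"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")              # "Files Infected:"
DETECTION_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Where a hit sat changes what it means; both path prefixes appear in the thread's logs.
RESTORE_POINT_RE = re.compile(r"^c:\\system volume information\\_restore", re.I)
COMBOFIX_QUARANTINE_RE = re.compile(r"^c:\\qoobox\\", re.I)
REMOVED = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Split one log into header fields, declared counts and detection entries."""
    header, counts, detections, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        if (m := HEADER_RE.match(line)):
            header[m.group(1)] = m.group(2)
        elif (m := COUNT_RE.match(line)):
            counts[m.group(1)] = int(m.group(2))
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section and (m := DETECTION_RE.match(line)):
            detections.append({"section": section, **m.groupdict()})
    return {"header": header, "counts": counts, "detections": detections}


def check_counts(log):
    """Declared counts vs. entries actually listed: a mismatch means a truncated paste."""
    return {name: (declared, found) for name, declared in log["counts"].items()
            if (found := sum(d["section"] == name for d in log["detections"])) != declared}


def summarise(logs):
    """Family tallies, hits grouped by where they sat, and anything not yet removed."""
    out = {"families": Counter(), "restore_points": [], "combofix_quarantine": [], "live": [], "pending": []}
    for log in logs:
        for d in log["detections"]:
            out["families"][d["family"]] += 1
            if RESTORE_POINT_RE.match(d["obj"]):
                out["restore_points"].append(d["obj"])        # copies inside old System Restore snapshots
            elif COMBOFIX_QUARANTINE_RE.match(d["obj"]):
                out["combofix_quarantine"].append(d["obj"])   # already neutralised by ComboFix
            else:
                out["live"].append(d)
            if d["action"] != REMOVED:
                out["pending"].append(d)                      # e.g. "Delete on reboot": reboot, then rescan
    return out


# Constructed samples: trimmed copies of the 7/27 quick scan and full scan posted in this thread.
QUICK_SCAN_LOG = r"""
Malwarebytes' Anti-Malware 1.39
Database version: 2510
Scan type: Quick Scan
Objects scanned: 90983
Time elapsed: 9 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\classapi64.dll (Trojan.Hijacker) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt64chain (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\classapi64.dll (Trojan.Hijacker) -> Delete on reboot.
c:\WINDOWS\system32\mapitools.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
"""
FULL_SCAN_LOG = r"""
Malwarebytes' Anti-Malware 1.39
Database version: 2510
Scan type: Full Scan (C:\|D:\|)
Files Infected: 3

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\netlogon.dll.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\f27e7237.sys.vir (Rootkit.Rustock) -> Quarantined and deleted successfully.
c:\system volume information\_restore{88a9728d-068d-4be5-99bd-49cc3fd4bc94}\RP1883\A0183375.exe (Rustock.Dropper) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    s = summarise([parse_mbam_log(QUICK_SCAN_LOG), parse_mbam_log(FULL_SCAN_LOG)])
    print("families:", dict(s["families"]))
    print("pending (reboot needed):", [d["obj"] for d in s["pending"]])
    print("restore-point copies:", len(s["restore_points"]), "| ComboFix quarantine:", len(s["combofix_quarantine"]))
```

Two of the buckets deserve a word. Hits under `System Volume Information\_restore...` are copies System Restore took of the dropped files, which is why a restore can reinfect a machine; once the system is clean, the restore points should be purged. Hits under `C:\Qoobox` are files ComboFix had already quarantined, so they are not evidence of an active infection. Anything in `pending` was only scheduled for deletion, so a reboot and a fresh scan are needed before treating the log as clean.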

#4 josh_junk (Topic Starter)

Posted 27 July 2009 - 08:48 PM

Forgot to update on the last one -- and it found something

Malwarebytes' Anti-Malware 1.39
Database version: 2515
Windows 5.1.2600 Service Pack 3

7/27/2009 9:46:17 PM
mbam-log-2009-07-27 (21-46-17).txt

Scan type: Quick Scan
Objects scanned: 90917
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\ConnectionsTab (Hijack.ConnectionControl) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

__________________________________

And, after finding it in the first instance (see above)

C:\WINDOWS\ServicePackFiles\i386\explorer.exe
C:\WINDOWS\system32\dllcache\explorer.exe

have both disappeared after a reboot!

Edited by josh_junk, 27 July 2009 - 08:56 PM.


#5 josh_junk (Topic Starter)

Posted 27 July 2009 - 11:35 PM

Full scan -- another alert

Malwarebytes' Anti-Malware 1.39
Database version: 2515
Windows 5.1.2600 Service Pack 3

7/27/2009 11:35:56 PM
mbam-log-2009-07-27 (23-35-56).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 225590
Time elapsed: 1 hour(s), 35 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{88a9728d-068d-4be5-99bd-49cc3fd4bc94}\RP1884\A0183578.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

#6 boopme (Global Moderator, NJ USA)

Posted 29 July 2009 - 12:20 AM

Hello, sorry but the site went down for a day. Let's look for a rootkit.

Next, please install RootRepeal
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."
Fatdcuk at Malwarebytes posted a comprehensive tutorial; the Self Help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
Not this >>> SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

#7 josh_junk (Topic Starter)

Posted 29 July 2009 - 10:15 PM

Thank you for the response.

RootRepeal does not run. It just hangs on the "Initializing, please wait..." screen.

Tried to rename it to winlogon.exe, and it still does not run.

#8 boopme (Global Moderator, NJ USA)

Posted 30 July 2009 - 03:42 PM

OK, let's update and rerun MBAM and then see if it'll run. Sometimes there is malware in the way.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#9 josh_junk (Topic Starter)

Posted 30 July 2009 - 04:04 PM

Hi -- I did that last night (I did not post the log, but it caught one new virus and cleaned it). After a reboot RootRepeal would still not initialize.

I can run this again tonight and post the log if you think that would be helpful.

#10 boopme (Global Moderator, NJ USA)

Posted 30 July 2009 - 07:03 PM

Believe it or not, sometimes knowing what malware was found and removed or not is helpful in knowing what tool or step is next.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#11 josh_junk (Topic Starter)

Posted 30 July 2009 - 09:42 PM

Here are my MBAM reports from last night and tonight, and the SmitfraudFix log.

Malwarebytes' Anti-Malware 1.39
Database version: 2515
Windows 5.1.2600 Service Pack 3

7/30/2009 1:19:05 AM
mbam-log-2009-07-30 (01-19-05).txt

Scan type: Quick Scan
Objects scanned: 90898
Time elapsed: 10 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\drivers\winlogon.sys (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
___________________________

Malwarebytes' Anti-Malware 1.39
Database version: 2534
Windows 5.1.2600 Service Pack 3

7/30/2009 10:26:44 PM
mbam-log-2009-07-30 (22-26-44).txt

Scan type: Quick Scan
Objects scanned: 91527
Time elapsed: 8 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

___________________________

SmitFraudFix v2.423

Scan done at 22:28:59.35, Thu 07/30/2009
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Owner


C:\DOCUME~1\Owner\LOCALS~1\Temp


C:\Documents and Settings\Owner\Application Data


Start Menu


C:\DOCUME~1\Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!



Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

HKLM\SYSTEM\CS1\Services\Tcpip\..\{109FB21D-CAC9-4877-A298-983EB2318D44}: NameServer=192.168.0.1


Scanning for wininet.dll infection


End
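Three of the hits in this thread sit on the Windows logon path: the `Winlogon\Notify\crypt64chain` subkey MBAM removed (its name resembles the stock XP `crypt32chain` notification package), the `Userinit` and `System` values the SmitfraudFix log lists under Winlogon and RK, and the `HKCU\...\Policies\Microsoft\Internet Explorer\control panel\ConnectionsTab` setting that hides IE's Connections tab so a planted proxy cannot be seen or undone. As an added example (not code from the posts above or from any of the tools used in this thread), the Python below reads a regedit export and flags those patterns. `parse_reg`, `audit`, `run_entries` and the baseline list of stock Notify DLLs are mine and should be adjusted to the build being checked; the sample export is constructed, with key and value names taken from the logs in this thread and the `DllName` behind `crypt64chain` assumed, since the thread never shows it.

```python
"""Audit a Windows XP registry export (.reg) for the logon-path tampering seen in this thread."""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
NOTIFY_PREFIX = WINLOGON + "\\Notify\\"
IE_CONTROL_PANEL = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run")
# Expected Winlogon values on XP with Windows in C:\WINDOWS, matching the SmitfraudFix log above.
EXPECTED_WINLOGON = {"Userinit": r"C:\WINDOWS\system32\userinit.exe,", "Shell": "Explorer.exe", "System": ""}
# DLLs behind the stock XP SP3 Winlogon\Notify packages (assumed baseline; adjust for your build).
BASELINE_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}


def _decode(raw):
    """Turn a .reg value literal into a Python value (strings and dwords; anything else kept raw)."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a REGEDIT5-style export (regedit writes canonical case)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1) if m.group(1) is not None else "@"] = _decode(m.group(2))
    return keys


def audit(keys):
    """Findings for the tampering patterns the thread's MBAM and SmitfraudFix logs show."""
    findings = []
    winlogon = keys.get(WINLOGON, {})
    for name, expected in EXPECTED_WINLOGON.items():      # Userinit/Shell/System must be stock
        if name in winlogon and str(winlogon[name]).lower() != expected.lower():
            findings.append(f"Winlogon\\{name} is {winlogon[name]!r}, expected {expected!r}")
    for key, values in keys.items():                       # every Notify package must map to a known DLL
        if key.startswith(NOTIFY_PREFIX):
            dll = str(values.get("DllName", "")).lower().rsplit("\\", 1)[-1]
            if dll not in BASELINE_NOTIFY_DLLS:
                findings.append(f"unknown Winlogon Notify package {key[len(NOTIFY_PREFIX):]} -> {dll or '<no DllName>'}")
    if keys.get(IE_CONTROL_PANEL, {}).get("ConnectionsTab") == 1:
        findings.append("IE Connections tab hidden by policy (ConnectionsTab=1): review proxy settings")
    return findings


def run_entries(keys):
    """Run-key autostarts for manual review (the thread's igfxtray hit sat in system32 like the real one)."""
    return [(name, cmd) for k in RUN_KEYS for name, cmd in keys.get(k, {}).items()]


# Constructed sample export; the crypt64chain DllName is an assumed value, not from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Shell"="Explorer.exe"
"System"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt64chain]
"DllName"="crypt64chain.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"ConnectionsTab"=dword:00000001
"""

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for finding in audit(parsed):
        print("FINDING:", finding)
    print("Run entries to review:", run_entries(parsed))
```

On a live XP box the export comes from `regedit /e`, or `reg export`, of the Winlogon, Run and Policies keys; the audit then runs on the text file, which is also how you would check a disk image offline. A Notify package whose DLL is not in the baseline is worth treating as hostile until proven otherwise, because that DLL is loaded into winlogon.exe at logon, which is exactly the position a process-killer for security tools wants.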

#12 boopme (Global Moderator, NJ USA)

Posted 31 July 2009 - 12:56 PM

Are you running the latest Adobe Reader and Flash Player (if you use the Flash Player)?
http://www.adobe.com/

Are your Windows updates fully done as of last Tuesday? There were patches for this.

#13 josh_junk (Topic Starter)

Posted 31 July 2009 - 03:06 PM

I am away from that computer right now, but I know that I am not running the latest version of Adobe Reader.

If Flash does not manually update itself it is likely that I am not running the most recent version of Flash either.

Should I update to the latest version of Adobe Reader (and Flash, if I am not using the most recent version)?

I have set Windows updates to automatic, so any MS updates prior to 7/27 (date of infection) should have been done. There have been no updates since 7/27/09.

#14 josh_junk (Topic Starter)

Posted 01 August 2009 - 12:17 PM

OK. I have installed Flash 10 and Adobe Reader 9.1.

Windows Updates installed Cumulative Security Update for IE8 for XP (KB972260)

Also, IE works, but FF does not ("Firefox is configured to a proxy server that is refusing connections").

Also the "Connection Settings" dialog box in the FF "Network Tab" has been deleted in FF 3.0.12.

So, I updated to FF 3.5.1 -- same proxy issue and no "Network Tab" to change.

Uninstalled and reinstalled FF (using Revo Uninstaller). FF 3.5.1 now works.

Ran another scan

Malwarebytes' Anti-Malware 1.39
Database version: 2541
Windows 5.1.2600 Service Pack 3

8/1/2009 1:04:14 PM
mbam-log-2009-08-01 (13-04-14).txt

Scan type: Quick Scan
Objects scanned: 91855
Time elapsed: 7 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 boopme (Global Moderator, NJ USA)

Posted 02 August 2009 - 02:17 PM

Hello, yes, older versions of Adobe Reader, Flash, Java and even Windows can be exploited. That is usually the reason for any upgrade or patch.
Let's check your Java.
Go into Control Panel > Add/Remove Programs. Be sure the 'Show Updates' box is checked. Go down the list and tell me what Java applications are installed and their version. (Highlight the program to see this.)

How is the PC running?



