I Think I Beat SKYNET, But Am I Still Infected? How To Tell?



#1 mwp9009 (Members)

Posted 12 August 2009 - 02:22 PM

Hello,
Thanks to Bleeping Computer, I think I beat a Skynet infection (as well as the "your computer is infected!" infection) I received Sunday, August 9, 2009. I am using an Inspiron laptop using Windows XP. I have downloaded MalwareBytes Anti-Malware, Dr. Web Cureit! and Avast! and have run these three, plus ATF-EXE and Superantispyware, all in safe mode. I used the programs in this order: ATF-EXE, SAS. These did not do the job, so I downloaded MBAM, which cleared out the "You're Infected!" problem, then I installed avast!, which caught the SKYNET infection and deleted those files. I finally downloaded and ran Dr. Web Cureit!. This has been an ongoing process for me, and I think I am completely cured. However, there are three things that make me suspicious:

-After a clean scan from Dr. Web Cureit! (which took over three hours), I did a search for "SKYNET" files on my computer and found the following files were still present in my system32 files:

SKYNETftlabeqg.dll, SKYNETuhokvevg, SKYNETvmfhscka.dll, SKYNETxvwqwapb.

I scanned these files with MBAM and avast! and both programs regarded them as safe. Nonetheless, I saved copies of all four in "My Documents" (in case they were needed .dll files) and then deleted the originals from system32. Was this a sound action to take? Should I get rid of them all, even the ones in My Documents?

-I keep having problems accessing Yahoo! Mail. At first I thought this was due to avast!'s security clashing with Yahoo!'s ads (that did turn out to be part of it), but I still have problems replying to emails and often get the "Error: 999" screen.

-Mozilla Firefox (the latest build) is acting strange. Two cursors often appear: one in the web address box, the other on the screen (like say, in a sign in box). Also, Firefox often goes back a page when I hit the backspace (delete) button instead of deleting something (did not have these problems before). Should I uninstall and then reinstall Firefox?

Please help me out. Like I noted above, this has been an ongoing process and I would like to know if I am "clean." Thank you for your time and help.

MWP9009

#2 boopme (Global Moderator)

Posted 12 August 2009 - 02:29 PM

Hello and welcome. Let's try this rootkit scan.

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 mwp9009 (Topic Starter)

Posted 12 August 2009 - 04:43 PM

Boopme,
Thanks a lot for your quick reply. Please let me know if my computer is at risk; I have done one PayPal transaction since Sunday (8/9/09). I did not include a copy of the saved RootRepeal scan file; please let me know if you need that as well. Here are the results of the RootRepeal scan:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/12 17:25
Program Version: Version 1.3.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB07DF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA612000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xADCCB000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_534.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb07ff6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb07ff574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb07ffa52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb07ff14c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb07ff64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb07ff08c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb07ff0f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb07ff76e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb07ff72e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb07ff8ae

Hidden Services
-------------------
Service Name: SKYNETnonbosqj
Image Path: C:\WINDOWS\system32\drivers\SKYNETaqnpbgdt.sys

==EOF==
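
The report above is the turning point of the thread: every SSDT hook is installed by aswSP.SYS, which is Avast's self-protection driver and expected on a machine where Avast was just installed, while the Hidden Services section shows a service and driver that the file-system scans and MBAM did not see. As an added example, not code from the original thread, the Python below parses a report in this format and separates the expected items from the ones that need attention. The excerpt it runs on is copied from the log posted above (the SSDT list shortened to two entries); the allow-list of drivers whose SSDT hooks are expected, the set of drivers that legitimately have no on-disk file, and the treatment of hiberfil.sys and pagefile.sys as always-locked files are assumptions for this particular box.

```python
"""Triage helper for RootRepeal reports (added example, not from the thread)."""
import re
from collections import defaultdict

# Excerpt of the RootRepeal log posted in this thread (SSDT list shortened).
SAMPLE_REPORT = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/12 17:25
Program Version: Version 1.3.3.0
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB07DF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xADCCB000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_534.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb07ff6b8

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb07ff08c

Hidden Services
-------------------
Service Name: SKYNETnonbosqj
Image Path: C:\WINDOWS\system32\drivers\SKYNETaqnpbgdt.sys

==EOF==
"""

# Assumptions for this box: Avast's self-protection driver is expected to hook
# the SSDT; crash-dump driver copies (dump_*) and RootRepeal's own driver have
# no file on disk by design; hiberfil/pagefile are always locked.
EXPECTED_HOOKERS = {"aswsp.sys"}
MEMORY_ONLY_DRIVERS = {"rootrepeal.sys"}
ALWAYS_LOCKED = ("hiberfil.sys", "pagefile.sys")

SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|SSDT|Hidden Services)$")
SSDT_RE = re.compile(r"#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')


def parse_report(text):
    """Return {section: [record, ...]}; a record is one blank-line separated
    group of 'Key: Value' lines, stored as a dict."""
    sections, current, record = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            if record and current:
                sections[current].append(record)
            current, record = line, {}
            sections[current] = []
            continue
        if current is None or line.startswith("---") or line == "==EOF==":
            continue
        if not line:
            if record:
                sections[current].append(record)
                record = {}
            continue
        m = SSDT_RE.match(line)            # '#: 025 Function Name: NtClose'
        if m:
            record["Index"], record["Function Name"] = int(m.group(1)), m.group(2)
            continue
        key, _, value = line.partition(":")
        record[key.strip()] = value.strip()
    if record and current:
        sections[current].append(record)
    return sections


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(sections):
    """Return (findings, hooks_by_module). Findings are what a responder should
    look at; expected hooks and always-locked files are filtered out."""
    findings = []
    for rec in sections.get("Drivers", []):
        name = basename(rec.get("Name", ""))
        no_file = "File Visible: No" in rec.get("Address", "")
        if no_file and not name.startswith("dump_") and name not in MEMORY_ONLY_DRIVERS:
            findings.append(("driver-no-file", rec["Name"], rec.get("Image Path")))

    hooks_by_module = defaultdict(list)
    for rec in sections.get("SSDT", []):
        m = HOOK_RE.search(rec.get("Status", ""))
        if m:
            hooks_by_module[m.group(1)].append(rec["Function Name"])
    for module, funcs in hooks_by_module.items():
        if basename(module) not in EXPECTED_HOOKERS:
            findings.append(("ssdt-hook-unexpected", module, sorted(funcs)))

    # A service the SCM API cannot see is the classic rootkit signature.
    for rec in sections.get("Hidden Services", []):
        findings.append(("hidden-service", rec.get("Service Name"), rec.get("Image Path")))

    for rec in sections.get("Hidden/Locked Files", []):
        path = rec.get("Path", "")
        if not path.lower().endswith(ALWAYS_LOCKED):
            findings.append(("hidden-file", path, rec.get("Status")))
    return findings, dict(hooks_by_module)


if __name__ == "__main__":
    found, hooks = triage(parse_report(SAMPLE_REPORT))
    for module, funcs in hooks.items():
        print(f"{module} hooks: {', '.join(funcs)}")
    for item in found:
        print("FINDING:", *item)
```

On the posted log this yields two findings: the hidden SKYNET service with its driver, and the perflib temp file with an allocation-size mismatch. The second one is a common benign artifact of a perf-counter temp file being written while the raw disk is read, but the script deliberately leaves that judgement to the person reading the output rather than hard-coding it away.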

#4 boopme (Global Moderator)

Posted 12 August 2009 - 07:24 PM

Hello, it still has a piece left. Let's try to kill it this way.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


#5 mwp9009 (Topic Starter)

Posted 12 August 2009 - 09:13 PM

Boopme,
Did as you instructed.

Here are the results of the scan from MBAM:

Malwarebytes' Anti-Malware 1.40
Database version: 2593
Windows 5.1.2600 Service Pack 3

8/12/2009 9:12:53 PM
mbam-log-2009-08-12 (21-12-53).txt

Scan type: Quick Scan
Objects scanned: 115843
Time elapsed: 6 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here are the results from the Sophos ARK scan:
Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/12/2009 at 21:19:20 PM
User "mwp9009" on computer "whatever9009"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\mwp9009\Application Data\Macromedia\Flash Player\#SharedObjects\7XHWDDR6\www.apliterature.info\index.php\1010110A\1ac39cdfb3884948811abb3142c8d108fded387248ebd2ae529eee170cda6296f8bae2be0d2f46f417025\OdeoPodcastPlayerColors.sol
Hidden: file C:\Documents and Settings\mwp9009\Application Data\Macromedia\Flash Player\#SharedObjects\7XHWDDR6\cgi.embedproxies.com\index.php\1010010A\2f73b7c0bca13a3d200e1ee3e26c20bb2a5dc3ea1fd142ea05b7865312db26e1d8da4dcf98c96cee17080\OdeoPodcastPlayerColors.sol
Hidden: file C:\Documents and Settings\mwp9009\Application Data\Macromedia\Flash Player\#SharedObjects\7XHWDDR6\cgi.embedproxies.com\index.php\1010010A\15749b36c59c9e004b004b36d69c77d51bb0d153b111e8aaf4477f79578995c929bca7d6a7ad1dd617210\OdeoPodcastPlayerColors.sol
Stopped logging on 8/12/2009 at 21:50:07 PM


I followed your instructions and did not delete these files (I was sorely tempted). Also, I noticed that the SKYNET files from my earlier RootRepeal scan did not show up. Anyway, please look things over and thank you.
-MWP

#6 boopme (Global Moderator)

Posted 12 August 2009 - 09:35 PM

OK, wanted to be sure. How is it running now, any problems?

#7 mwp9009 (Topic Starter)

Posted 12 August 2009 - 11:49 PM

Boopme,
Wow! Thanks for another quick reply. I'm still having the same problems as before, i.e. Firefox is taking FOREVER to open Yahoo! mail and let me check my messages. Also, having the same weird cursor problem when using Firefox. However, I do not have any problem with Yahoo! when I am using Internet Explorer and no problems with IE in general.

I have a few questions for you, please bear with me:

-Should I uninstall and reinstall Firefox (or some variation thereof; I know there is some way to download a "refreshed" version without having to actually uninstall the whole thing)?

-What about that SKYNET file that RootRepeal discovered? Can it be considered a "neutered" file?

-What about the three files the ARK scan picked up? Just harmless junk?

-Does everything else look OK and I can go about my business?

Thank you again for all your help.

MWP

#8 boopme (Global Moderator)

Posted 13 August 2009 - 02:58 PM

Hi, I think the reinstall of Firefox is a good idea as some files may have been corrupted by the malware. Skynet has been removed.
I want to check the last 3 items though. I am waiting on info on whether they are malware.
Do you watch podcasts?

I also still want to run these to see if there is other malware


Next run ATF and SAS:
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates. When done, click the Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post the 2 logs and let us know how the PC is running now.

#9 mwp9009 (Topic Starter)

Posted 13 August 2009 - 11:31 PM

Boopme,
Very sorry that it has taken me so long to reply, but I ran into some weirdness while doing the scans. Here's my tale:

-Updated Superantispyware
-Made certain that the Scanner Options were set according to your instructions
-Rebooted into safe mode
-Ran ATF-Cleaner in Safe Mode (for both IE and Firefox)
-Scanned with Superantispyware (hereafter SAS)
-After 1 hr. 42 min., SAS did not find anything; completely clear
-Rebooted into regular Windows session
-Attempted to retrieve SAS file...nothing was there for the scan I had just run!
-Decided to run SAS again
-SAS detected 33 files. This time it saved a log. Here it is:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/13/2009 at 11:47 PM

Application Version : 4.27.1002

Core Rules Database Version : 4056
Trace Rules Database Version: 1996

Scan type : Complete Scan
Total Scan Time : 00:57:06

Memory items scanned : 733
Memory threats detected : 0
Registry items scanned : 6020
Registry threats detected : 0
File items scanned : 64000
File threats detected : 33

Adware.Tracking Cookie
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@fastclick[2].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@atdmt[1].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@ads.pointroll[1].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@apmebf[2].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@bs.serving-sys[1].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@interclick[1].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@ads.bridgetrack[1].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@trafficmp[1].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@yieldmanager[1].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@warnerbros.112.2o7[1].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@mediaplex[2].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@serving-sys[2].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@doubleclick[1].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@realmedia[2].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@collective-media[1].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@ads.bleepingcomputer[2].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@tribalfusion[2].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@adlegend[2].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@ad.yieldmanager[2].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@advertising[2].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@2o7[2].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@richmedia.yahoo[1].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@ads.cnn[1].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@specificmedia[1].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@revsci[2].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@questionmarket[2].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@adserver.adtechus[1].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@specificclick[2].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@intermundomedia[2].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@media6degrees[2].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@nextag[1].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@kontera[1].txt
C:\Documents and Settings\Mwp9009\Cookies\mwp9009@a1.interclick[2].txt

*****OK! After doing this, I ran MBAM as you instructed. Here is the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2618
Windows 5.1.2600 Service Pack 3

8/14/2009 12:07:26 AM
mbam-log-2009-08-14 (00-07-26).txt

Scan type: Quick Scan
Objects scanned: 114709
Time elapsed: 5 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\13345004 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\13345004\13345004 (Rogue.Multiple) -> Quarantined and deleted successfully.


Please look it all over and let me know what you think. Thanks again for all the time you are spending on this.

MWP

#10 boopme (Global Moderator)

Posted 15 August 2009 - 09:54 AM

Looks good, how is it running?

#11 mwp9009 (Topic Starter)

Posted 20 August 2009 - 04:02 PM

Boopme,
Things are running great now! I did a clean reinstall of Firefox and it too is back to normal. What a pain in the neck, but thank you so much for your help with all this. I regard myself as fortunate I was able to take care of the problem without damaging my computer. Please let me know if I can do anything to help out bleepingcomputer.com or any other site you guys support. Thanks again.

-MWP9009

#12 DaChew (Members)

Posted 20 August 2009 - 05:54 PM

Update MBAM and run a complete scan please
Chewy

No. Try not. Do... or do not. There is no try.

#13 mwp9009 (Topic Starter)

Posted 20 August 2009 - 11:26 PM

Hello DaChew,
Thanks for wanting to look over these. I did a complete scan with MBAM. The results follow, BUT be sure to read the information I typed after the results:

Malwarebytes' Anti-Malware 1.40
Database version: 2667
Windows 5.1.2600 Service Pack 3

8/21/2009 12:14:38 AM
mbam-log-2009-08-21 (00-14-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 184141
Time elapsed: 52 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*****
While I was running MBAM, my TREND Micro "realtime protection" popped up that it had found three new viruses:

A0121239.dll
A0121683.dll
A0121684.dll

It identified two of the viruses as "TROJ_TDSS.AJD" and one of them as "TROJ_TDSS.ANQ". I don't know if these are real or a result of reinstalling Firefox or maybe a recent Microsoft update I DL'ed. Any help would be greatly appreciated (and BTW, all three have been quarantined).

-MWP9009

#14 DaChew (Members)

Posted 21 August 2009 - 01:52 AM

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Chewy


#15 mwp9009 (Topic Starter)

Posted 21 August 2009 - 03:09 PM

Hello DaChew,

Followed your instructions. Here's the information:

Friday, August 21, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, August 21, 2009 20:29:00
Records in database: 2672515
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Objects scanned 67791
Threats found 2
Infected objects found 3
Suspicious objects found 0
Scan duration 01:08:30

File name Threat Threats count
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\84.tmp Infected: Trojan.Win32.Tdss.anuv 1
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\86.tmp Infected: Trojan.Win32.Tdss.anuv 1
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\88.tmp Infected: Trojan.Win32.Tdss.anus 1
Selected area has been scanned.



