
Possible Trojan in Windows System Files


23 replies to this topic

#1 Rock n' Roll Clown

Posted 14 August 2009 - 01:40 PM

I have been experiencing a few problems with my computer this past week. Windows Live Messenger will sign out almost instantly following sign-in attempts. And my internet browser has been re-directing to unspecified websites.

I ran AVG, Ad-Aware, and Malwarebytes', a trio which came up with a handful of infections each, infections which were seemingly dealt with. But upon reboot all of the infections returned.

I ran all of the scans a second time before rebooting and running each of them a third time. Everything came up clean so I shut down the computer and called it a night. But I fire it up the following afternoon and attempt to sign into messenger and the same sign-in to sign-out error occurs. I ran a Malwarebytes' quick scan which came up clear. But an Ad-Aware quick scan totalled up 19 infected cookies.

I uninstalled Windows Live Messenger and, again, ran all of the scans. But upon reboot and re-installation of Windows Live Messenger it happened, again. Ad-Aware dug up another 15 infected cookies. I haven't heard word from any friends about them receiving messages (containing links) from my account as can often be the case with messenger related viruses. And when I am signed-out (which happens seconds after successfully logging in) the countdown until re-sign-in does not appear, it reverts back to the sign-in screen (with e-mail and password remembered) as if shut out with re-admission frowned upon.

My web browser (Internet Explorer) is getting worse in frequency for re-directing to unspecified websites. It appears to happen when clicking on links, as opposed to when typing a web address into the address bar. The best example would be in opening up Google and searching (real examples) "Andy Cole", "Premier League Table 2008-2009", "Baldur's Gate", to find Wikipedia pages, game guides, as well as any articles or forums which may be of interest that Google turns up. Upon clicking to open the links in a new tab or a new window it is a lottery between being forwarded to the correct website or an unspecified random website, with the latter becoming the more frequent. It has even occurred with links to this very website as turned up by Google.

I am not sure what the source of these problems is, but a friend suggested (after viewing a few scan logs) that it may be a trojan residing among Windows system files. And thus explains the title of this thread.

I have logs detailing the infections found, but I am not sure which logs are allowed and which are not, so I shall refrain from posting them until asked (if required).

On another note, I downloaded DDS but, upon my attempts to run the program, it reads "Not enough main memory to complete the sort." and goes no further.



#2 Computer Pro

Posted 14 August 2009 - 02:20 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Select the Immediate notification bullet, then press Submit.



Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K
Unzip that to your Desktop and then click RootRepeal.exe to open the scanner.

* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator.
* Click on the FILES tab, then click the Scan button.
* In the Select Drives dialog (Please select drives to scan), select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Please note: If RootRepeal fails to run, try this step: click Settings - Options and set the Disk Access slider to High.


Note 2: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
Computer Pro

#3 Rock n' Roll Clown (Topic Starter)

Posted 14 August 2009 - 04:24 PM

Hi. Thanks for taking the time to help. I appreciate it.

First things first. I forgot to mention what I am running on this computer.

Windows XP
Home Edition
Version 2002
Service Pack 3

AVG Anti Virus 8.5 Free
Malwarebytes' Anti-Malware 1.40 Free
Ad-Aware Free Anniversary Edition
CCleaner v2.14.763
Zone Alarm Free Firewall

Now let's get back to it! Or shall I say, let's try.

When I double click to open up RootRepeal it reads "Could not boot the sector. Try adjusting the Disk Access Level in the Options dialog." and I click "OK" five times until RootRepeal opens. I go to Settings > Options and raise the Disk Access Level to High. I then go to the Files tab and click "Scan" where I select all drives followed by "OK" which leads to the same prompt as before in "Could not boot the sector. Try adjusting the Disk Access Level in the Options dialog." which this time closes after one "OK" click.

RootRepeal then presented the following findings which can be seen in the screenshot below.

[screenshot of the RootRepeal results]

Sector mismatch continues all the way down to Sector 62 (which is all of them).

I then proceed to turn off my firewall, completely shut down Ad-Aware (disabling Ad-Watch Live!), and exit the AVG Tray (I'm not sure how else to disable it). But initially none of this changes how RootRepeal opens nor how it scans (or better put, fails to). On the second attempt though it results in different error messages, which I'll show below.

First of all it presents this prompt.

[screenshot of the prompt]

Followed by the next screenshot upon going to the Files tab and clicking "Scan".

[screenshot of the scan error]

That is then followed up by an error box reading "Could not scan Drive C (error 0xc0000001)".

I then restarted in "Safe Mode" but to no avail. I'm afraid to say that I'm sure it is down to my inexperience with working in "Safe Mode" and general lack of knowledge in regard to computers outside of how to use one, but I could not locate RootRepeal while in "Safe Mode". It actually presented a whole other query for me as it listed two users: Administrator (which I opted for) and Jonathan, when Jonathan should be the Administrator (and solitary user). But that's for another time.

I'll do my best to achieve what is required, if there is anything that can be done.

#4 Computer Pro

Posted 14 August 2009 - 04:29 PM

Please download Sophos Anti-Rootkit and save it to your desktop.
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Credits to DaChew
Be sure to print out and read the User Manual and Release Notes.
• Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
• Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
• A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
• Make sure the following are checked:
o Running processes
o Windows Registry
o Local Hard Drives

• Click Start scan.
• Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
• When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
• Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
o Files tagged as Removable: No are not marked for removal and cannot be removed.
o Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
o Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
• Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
• A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
• After reboot, a dialog box displays the files you selected for removal and the action taken.
• Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
• When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
• This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
• Disconnect from the Internet or physically unplug your Internet cable connection.
• Clean out your temporary files.
• Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
• Temporarily disable your anti-virus and real-time anti-spyware protection.
• After starting the scan, do not use the computer until the scan has completed.
• When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Computer Pro

#5 Rock n' Roll Clown (Topic Starter)

Posted 14 August 2009 - 08:20 PM

I ran Sophos Anti-Rootkit, and on the first scan it turned up four unknown hidden files, all of which were located in messenger as sharing meta data. They were listed as "Removable: Yes (but clean up not recommended)" but, I removed them by choice (I wasn't sure if the program would continue to the next stage if no files were selected, and I assumed that those four files were harmless to remove, albeit not recommended) and restarted the computer before following up with the second scan.

There were no files found that were under the "Removable: Yes (clean up recommended)" category. But there were a lot of files found within messenger that fall under the "Removable: Yes (but clean up not recommended)" category. And a few others located in other programs. I refrained from removing any further files, though, in case they're actually harmless or require to be handled with care in their removal.

Here is the log.

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 14/08/2009 at 23:19:23
User "Davy" on computer "PENTIUM"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ytasfwqxhkdkpx
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ytasfwqxhkdkpx
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{33D9A760-90C8-11D0-BD43-00A0C911CE86}
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{33D9A761-90C8-11D0-BD43-00A0C911CE86}
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\ytasfwkmxiltpi.dll
Hidden: file C:\WINDOWS\system32\ytasfwthfulkdw.dat
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\91\1091-{028BCF37-18B6-4761-9B55-89C1B400962E}-v1091-{028BCF37-18B6-4761-9B55-89C1B400962E}-v1091-Downloaded.frx
Hidden: file C:\WINDOWS\system32\ytasfwoexoigwr.dll
Hidden: file C:\WINDOWS\system32\ytasfwyxvreexm.dat
Hidden: file C:\WINDOWS\system32\drivers\ytasfwrmfjymrf.sys
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\44\844-{028BCF37-18B6-4761-9B55-89C1B400962E}-v844-{028BCF37-18B6-4761-9B55-89C1B400962E}-v844-Downloaded.frx
Hidden: file C:\WINDOWS\Temp\ytasfwvsfuuoicct.tmp
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\45\845-{028BCF37-18B6-4761-9B55-89C1B400962E}-v845-{028BCF37-18B6-4761-9B55-89C1B400962E}-v845-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\28\28-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v28-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v28-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\28\28-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v28-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v28-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\18\18-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v18-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v18-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\18\18-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v18-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v18-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\live_4_da_moment@hotmail.com\DFSR\Staging\CS{9D933625-9DDB-60A7-3D2E-3C3F8FB48A12}\01\24-{9D933625-9DDB-60A7-3D2E-3C3F8FB48A12}-v1-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v24-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\27\27-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v27-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v27-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\27\27-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v27-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v27-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\01\26-{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}-v1-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v26-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\46\846-{028BCF37-18B6-4761-9B55-89C1B400962E}-v846-{028BCF37-18B6-4761-9B55-89C1B400962E}-v846-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\47\847-{028BCF37-18B6-4761-9B55-89C1B400962E}-v847-{028BCF37-18B6-4761-9B55-89C1B400962E}-v847-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\silvergypsy81@msn.com\DFSR\Staging\CS{94B7B872-9DE7-C7C4-AC26-EF8D421B4772}\01\19-{94B7B872-9DE7-C7C4-AC26-EF8D421B4772}-v1-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v19-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\silvergypsy81@msn.com\DFSR\Staging\CS{94B7B872-9DE7-C7C4-AC26-EF8D421B4772}\16\916-{D5ED56DF-5B53-4B0E-A085-76ADA950CCFB}-v916-{D5ED56DF-5B53-4B0E-A085-76ADA950CCFB}-v916-Downloaded.frx
Stopped logging on 15/08/2009 at 00:13:54


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 15/08/2009 at 00:35:12
User "Davy" on computer "PENTIUM"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ytasfwqxhkdkpx
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ytasfwqxhkdkpx
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{33D9A760-90C8-11D0-BD43-00A0C911CE86}
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{33D9A761-90C8-11D0-BD43-00A0C911CE86}
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\ytasfwkmxiltpi.dll
Hidden: file C:\WINDOWS\system32\ytasfwthfulkdw.dat
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\91\1091-{028BCF37-18B6-4761-9B55-89C1B400962E}-v1091-{028BCF37-18B6-4761-9B55-89C1B400962E}-v1091-Downloaded.frx
Hidden: file C:\WINDOWS\system32\ytasfwoexoigwr.dll
Hidden: file C:\WINDOWS\system32\ytasfwyxvreexm.dat
Hidden: file C:\WINDOWS\system32\drivers\ytasfwrmfjymrf.sys
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\44\844-{028BCF37-18B6-4761-9B55-89C1B400962E}-v844-{028BCF37-18B6-4761-9B55-89C1B400962E}-v844-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\45\845-{028BCF37-18B6-4761-9B55-89C1B400962E}-v845-{028BCF37-18B6-4761-9B55-89C1B400962E}-v845-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\28\28-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v28-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v28-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\28\28-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v28-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v28-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\18\18-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v18-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v18-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\18\18-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v18-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v18-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\live_4_da_moment@hotmail.com\DFSR\Staging\CS{9D933625-9DDB-60A7-3D2E-3C3F8FB48A12}\01\24-{9D933625-9DDB-60A7-3D2E-3C3F8FB48A12}-v1-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v24-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\27\27-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v27-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v27-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\27\27-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v27-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v27-Downloaded.frx
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\jonny_theone@hotmail.com\SharingMetadata\leppards_gurl@hotmail.com\DFSR\Staging\CS{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}\01\26-{4D45C3C9-795F-BC3A-A9C9-30546BFC1AAC}-v1-{B77F7F5F-F252-4F2A-ADBC-CB3F1881F2D9}-v26-Downloaded.frx
Stopped logging on 15/08/2009 at 01:31:15
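One way to triage a Sophos Anti-Rootkit log like the two posted above, as an added example that is neither a Sophos tool nor code from the thread: it sets aside the Messenger SharingMetadata entries the poster left alone and picks out the system32, drivers and Temp files that share a prefix with the hidden ytasfwqxhkdkpx service, which is the group the helper next asks Sophos to remove. The sample log, the MIN_PREFIX threshold and the location checks are assumptions of this example.

```python
"""Triage a Sophos Anti-Rootkit (sarscan.log) style report.

Added example for this thread, not a Sophos tool: it groups the 'Hidden:' lines,
flags a hidden service whose name shares a prefix with hidden files in system32,
drivers or Windows\\Temp (the ytasfw* cluster above) and sets aside the Messenger
SharingMetadata files that the thread deliberately left alone.
"""
import json
import re

# Constructed sample modelled on the log posted above (account names and GUIDs
# replaced; the ytasfw* names are the ones the thread discussed).
SAMPLE_LOG = r"""Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ytasfwqxhkdkpx
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ytasfwqxhkdkpx
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{33D9A760-90C8-11D0-BD43-00A0C911CE86}
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\ytasfwkmxiltpi.dll
Hidden: file C:\WINDOWS\system32\ytasfwthfulkdw.dat
Hidden: file C:\Documents and Settings\Davy\Local Settings\Application Data\Microsoft\Messenger\user@example.com\SharingMetadata\peer@example.com\DFSR\Staging\CS{GUID}\28\28-Downloaded.frx
Hidden: file C:\WINDOWS\system32\drivers\ytasfwrmfjymrf.sys
Hidden: file C:\WINDOWS\Temp\ytasfwvsfuuoicct.tmp
Stopped logging on 15/08/2009 at 00:13:54
"""

HIDDEN_RE = re.compile(r"^Hidden:\s+(registry item|file)\s+(.+?)\s*$")
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)
MIN_PREFIX = 4  # assumption: a shared prefix shorter than this is likely coincidence

def parse_hidden(log_text):
    """Split the 'Hidden:' lines into registry items and file paths."""
    registry, files = [], []
    for line in log_text.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            (registry if m.group(1) == "registry item" else files).append(m.group(2))
    return registry, files

def common_prefix(a, b):
    """Case-insensitive longest common prefix of a and b, returned in a's casing."""
    n = 0
    for x, y in zip(a.lower(), b.lower()):
        if x != y:
            break
        n += 1
    return a[:n]

def file_stem(path):
    """'C:\\WINDOWS\\system32\\drivers\\x.sys' -> 'x'."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name

def is_messenger_metadata(path):
    """Messenger SharingMetadata files: reported hidden, but not removed in the thread."""
    return "\\messenger\\" in path.lower() and "\\sharingmetadata\\" in path.lower()

def is_system_location(path):
    """system32 (including drivers) and Windows\\Temp, where the ytasfw* files sat."""
    return "\\windows\\system32\\" in path.lower() or "\\windows\\temp\\" in path.lower()

def triage(log_text):
    """Group the hidden items by how a responder would treat them."""
    registry, files = parse_hidden(log_text)
    services, other_registry = set(), []
    for item in registry:
        m = SERVICE_RE.search(item)
        if m:
            services.add(m.group(1))
        else:
            other_registry.append(item)
    suspect, messenger, review, prefixes = [], [], [], []
    for path in files:
        if is_messenger_metadata(path):
            messenger.append(path)
            continue
        stem = file_stem(path)
        best = max((common_prefix(svc, stem) for svc in services), key=len, default="")
        if len(best) >= MIN_PREFIX and is_system_location(path):
            suspect.append(path)
            prefixes.append(best)
        else:
            review.append(path)
    cluster = ""  # prefix shared by the hidden service and every suspect file
    for p in prefixes:
        cluster = p if not cluster else common_prefix(cluster, p)
    return {"services": sorted(services), "cluster_prefix": cluster,
            "suspect_files": suspect, "messenger_metadata": messenger,
            "review": review, "other_registry": other_registry}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Anything that lands in "review" (a hidden file with no matching service, or outside the system locations) still needs a manual look; the script only reproduces the grouping a responder would do first.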

#6 Computer Pro

Posted 14 August 2009 - 08:44 PM

Please tell Sophos to remove these files:

Hidden: file C:\WINDOWS\system32\ytasfwoexoigwr.dll
Hidden: file C:\WINDOWS\system32\ytasfwyxvreexm.dat
Hidden: file C:\WINDOWS\system32\drivers\ytasfwrmfjymrf.sys
Hidden: file C:\WINDOWS\system32\ytasfwkmxiltpi.dll
Hidden: file C:\WINDOWS\system32\ytasfwthfulkdw.dat


and then reboot, and run a Malwarebytes Quick Scan
Computer Pro

#7 Rock n' Roll Clown (Topic Starter)

Posted 14 August 2009 - 10:09 PM

This scan turned up a sixth file with a similar name.

Hidden: file C:\Windows\temp\ytasfwsmyspyxctm.tmp

I assume it should also be ticked for removal?

#8 Computer Pro

Posted 14 August 2009 - 10:12 PM

Yes, please remove it


Computer Pro

#9 Rock n' Roll Clown (Topic Starter)

Posted 14 August 2009 - 10:58 PM

I had Sophos remove the six selected files, before running a Malwarebytes Quick Scan which came up clean.

But AVG Resident Shield (upon restarting) detected threats. I still had the internet disabled at this time, if that makes any difference.

[four screenshots of the AVG Resident Shield detections]

The final two on that list (both screenshots are of the same window; the first being the infected file name and location, the second detailing the result and detection date) are old. 2008 old. I didn't think to remove them from the list.

#10 Computer Pro

Posted 15 August 2009 - 10:58 AM

Please make sure that you have AVG remove those, and then run a fresh Sophos scan.
Computer Pro

#11 Rock n' Roll Clown (Topic Starter)

Posted 17 August 2009 - 01:55 PM

I had AVG remove those threats upon detection, before calling it quits for that night. I ran a full AVG scan today which came up clean, and then a fresh Sophos scan as recommended. It found only those sharing meta data files in messenger, and nothing more.

I was able to sign-in on Windows Live Messenger today, on the first attempt with no problems. And my web browser (Internet Explorer) has not been re-directed as of this post being submitted. It seems we may have snuffed the problem out. But I don't want to speak too soon! So I'll see how it goes the next few days and report back if everything is still well and good.

Thanks for all of your help, friend. It is greatly appreciated. Fingers crossed that it has worked.

#12 Computer Pro

Posted 17 August 2009 - 01:57 PM

Please do a fresh scan with Malwarebytes.
Computer Pro

#13 Rock n' Roll Clown (Topic Starter)

Posted 17 August 2009 - 03:35 PM

Great call, CP!

While the Malwarebytes' scan was running AVG Resident Shield brought up an alert.

[screenshot of the AVG Resident Shield alert]

All were moved to the Virus Vault.

And below is the log of the aforementioned Malwarebytes' scan.

Malwarebytes' Anti-Malware 1.40
Database version: 2615
Windows 5.1.2600 Service Pack 3

17/08/2009 21:20:11
mbam-log-2009-08-17 (21-20-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 182943
Time elapsed: 1 hour(s), 19 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{AFA5D5CE-C55C-4CA4-99DE-98B49F31B2BB}\RP257\A0050797.sys (Trojan.TDSS) -> Quarantined and deleted successfully.



#14 Computer Pro

Posted 17 August 2009 - 05:28 PM

Ok, good. Let's try one more scan:

Please run ATF and SAS:
Credits to Boopme

Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note 2: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Edition

Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter Safe Mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
Computer Pro

#15 Rock n' Roll Clown (Topic Starter)

Posted 17 August 2009 - 08:28 PM

After sorting out ATF in Safe Mode, SUPER ran a complete scan and it came up clean.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/18/2009 at 02:09 AM

Application Version : 4.27.1002

Core Rules Database Version : 4060
Trace Rules Database Version: 2000

Scan type : Complete Scan
Total Scan Time : 01:04:58

Memory items scanned : 413
Memory threats detected : 0
Registry items scanned : 6681
Registry threats detected : 0
File items scanned : 75093
File threats detected : 0





