
Malware has TAKEN-over my XP Pro- Help!


3 replies to this topic

#1 lost2pc

  • Members
  • 117 posts

Posted 28 August 2009 - 10:22 AM

I so appreciate all the help the MyAntispyware/Patrik is giving to all us frustrated PC users. Since Patrik's recommendation was that I run ComboFix, and the link led me here, I decided to just post here. So Hello BleepingComputer and THANKS for helping the PC Community.
This vicious virus has prevented me from downloading ComboFix; it has disabled my ThinkVantage Productivity Center (I initially tried to do a System Restore, which started up but would keep disappearing after about 1 minute).
My heartache started on 8/21 when McAfee AntiVirus reported an error and was unable to complete my scheduled full system scan; then I tried running Malwarebytes and it would run for 3 seconds and then disappear. I started getting these warnings that my computer was infected, and then it started automatically installing PC Antispyware 2010. So, in Safe Mode I re-installed Mbam.exe from a flash drive and renamed it 'stripper'; it too ran Quick Scan for about 3 seconds and vanished. At one point Mbam.exe gave me "error code 707 (3,0)". Now the malware has stopped me from editing the Registry ("administrator denied access") on my own computer (the gall!). Then the malware blocked all my efforts to run Malwarebytes, SuperAntispyware, Stopzilla, ComboFix or HiJackThis, even after renaming each one.
The malware installed a fake MS logo shield in my taskbar, then a big red circle with white X. After numerous attempts and not without a fight, I was able to remove PC Antispyware 2010, then Protection System, then CoreGuard via the Control Panel. Now I can't even access Google Search. Sadly, I don't have another computer to use while I try to fix the infected Laptop - sending this post from a friend's Desktop. Please, I am willing to try anything to remove and fix my PC, but I am not very Tech-savvy.
BTW- When I was able to gain access to my Registry editor, I removed the following:
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000};
HKEY_CLASSES_ROOT\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D};
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Protection System";
Braviax.exe.
I also removed C:\Documents and Settings\All Users\Start Menu\Programs\Protection System; C:\Program Files\Protection System, multiple XX-rated image desktop icons.
On 8/23 I was able to get Norman Malware Cleaner to run:

Norman Malware Cleaner
Copyright © 1990 - 2009, Norman ASA. Built 2009/08/19 05:48:17

Norman Scanner Engine Version: 6.01.09
Nvcbin.def Version: 6.01.00, Date: 2009/08/19 05:48:17, Variants: 3695880

Scan started: 22/08/2009 23:09:24

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode with network) Service Pack 2
Logged on user: LENOVO-C2C1C07B\Mxx Lxx

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe rundll32.exe tapi.nfo beforeglav" -> "Explorer.exe"
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000001
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoFolderOptions = 0x00000001

Scanning running processes and process memory...

Number of processes/threads found: 1693
Number of processes/threads scanned: 1693
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 44s
Scanning file system...

Scanning: C:\*.*

C:\Documents and Settings\Mxx Lxx\Local Settings\Temp\msupd_2.exe (Infected with W32/Obfuscated.P2!genr)
Norman Malware Cleaner
Copyright © 1990 - 2009, Norman ASA. Built 2009/08/19 05:48:17

Norman Scanner Engine Version: 6.01.09
Nvcbin.def Version: 6.01.00, Date: 2009/08/19 05:48:17, Variants: 3695880

Scan started: 22/08/2009 23:25:45

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode with network) Service Pack 2
Logged on user: LENOVO-C2C1C07B\Mxx Lxxx

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe rundll32.exe tapi.nfo beforeglav" -> "Explorer.exe"

Scanning running processes and process memory...

C:\Program Files\Protection System\psystem.exe (Infected with W32/FakeAV.Q!genr)
Terminated process
Removed registry value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run -> Protection System = ""C:\Program Files\Protection System\psystem.exe" -noscan"
#2 lost2pc

  • Topic Starter
  • Members
  • 117 posts

Posted 29 August 2009 - 01:04 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/29 14:01
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA00E4000 Size: 778240 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9D5F6000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xA94C1000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF779D000 Size: 61440 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UAClevjilwrow.dll]
Process: svchost.exe (PID: 1620) Address: 0x00a50000 Size: 65536

Object: Hidden Module [Name: UACc18a.tmpgvqdmx.dll]
Process: svchost.exe (PID: 1620) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACltyouymmpl.dll]
Process: Explorer.exe (PID: 2280) Address: 0x10000000 Size: 49152

Object: Hidden Handle [Index: 5032, Type: Key]
Process: firefox.exe (PID: 3176) Address: 0xe2a3de58 Size: -

Object: Hidden Module [Name: UACihlngvqdmx.dll]
Process: Iexplore.exe (PID: 1372) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACihlngvqdmx.dll]
Process: Iexplore.exe (PID: 3008) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACihlngvqdmx.dll]
Process: Iexplore.exe (PID: 6080) Address: 0x10000000 Size: 217088

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACwroepkhcnx.sys

==EOF==

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/29 14:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Stealth Objects
-------------------
Object: Hidden Module [Name: UAClevjilwrow.dll]
Process: svchost.exe (PID: 1620) Address: 0x00a50000 Size: 65536

Object: Hidden Module [Name: UACc18a.tmpgvqdmx.dll]
Process: svchost.exe (PID: 1620) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACltyouymmpl.dll]
Process: Explorer.exe (PID: 2280) Address: 0x10000000 Size: 49152

Object: Hidden Handle [Index: 356, Type: Event]
Process: ACWLIcon.exe (PID: 4676) Address: 0x83c61b70 Size: -

Object: Hidden Handle [Index: 360, Type: Port]
Process: ACWLIcon.exe (PID: 4676) Address: 0xe342b430 Size: -

Object: Hidden Module [Name: UACihlngvqdmx.dll]
Process: Iexplore.exe (PID: 1372) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACihlngvqdmx.dll]
Process: Iexplore.exe (PID: 3008) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACihlngvqdmx.dll]
Process: Iexplore.exe (PID: 6080) Address: 0x10000000 Size: 217088
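The two log formats in this thread carry the indicators a helper acts on: in the Norman Malware Cleaner output, the Winlogon Shell value with a rundll32 payload appended, the DisableRegistryTools/NoFolderOptions policies, and the "Protection System" Run-key autostart; in the RootRepeal output, the hidden UAC*.dll modules injected into svchost.exe, Explorer.exe and Iexplore.exe, and the hidden UACd.sys service. The script below is an added example of how a triager could pull those out of such logs automatically. It is not part of this thread and is not code from Norman or RootRepeal; the line formats it parses are taken from the logs posted above, the verdict wording is the author's assumption, and the sample log is constructed from the names shown in this thread rather than a real capture.

```python
"""Triage the log formats in this thread: Norman Malware Cleaner cleanup lines
and RootRepeal "Stealth Objects"/"Hidden Services".  Added example, not code
from either tool."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_SHELL = "explorer.exe"   # stock Winlogon\Shell on XP; anything appended runs at every logon
LOCKOUT_POLICIES = {"DisableRegistryTools", "NoFolderOptions"}  # set to 1 to lock the user out of tools

# Line shapes copied from the logs above (Norman first, then RootRepeal).
NORMAN_SET = re.compile(r'^Set registry value: (?P<key>.+?) = "(?P<old>.*)" -> "(?P<new>.*)"$')
NORMAN_REMOVED = re.compile(r'^Removed registry value: (?P<key>.+?) -> (?P<name>[^=]+?) = (?P<value>.+)$')
RR_HIDDEN_MODULE = re.compile(r'^Object: Hidden Module \[Name: (?P<name>.+?)\]$')
RR_PROCESS = re.compile(r'^Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\)')
RR_SERVICE_NAME = re.compile(r'^Service Name: (?P<svc>.+)$')
RR_IMAGE_PATH = re.compile(r'^Image Path: (?P<path>.+)$')


@dataclass
class Findings:
    shell_hijack: Optional[str] = None                                        # non-default Shell value
    lockout_policies: List[str] = field(default_factory=list)
    autoruns: List[Tuple[str, str]] = field(default_factory=list)             # (value name, command)
    hidden_modules: List[Tuple[str, str, int]] = field(default_factory=list)  # (dll, process, pid)
    hidden_services: List[Tuple[str, str]] = field(default_factory=list)      # (service, driver path)


def triage(log_text: str) -> Findings:
    """One pass over the log, collecting the indicators a helper would act on."""
    f = Findings()
    pending_module: Optional[str] = None   # "Hidden Module" line waiting for its Process line
    pending_service: Optional[str] = None  # "Service Name" line waiting for its Image Path
    for raw in log_text.splitlines():
        ln = raw.strip()
        if m := NORMAN_SET.match(ln):
            # Norman reports old -> new; the old value is what the malware had planted.
            if m["key"].lower().endswith(r"winlogon\shell") and m["old"].lower() != DEFAULT_SHELL:
                f.shell_hijack = m["old"]
        elif m := NORMAN_REMOVED.match(ln):
            name = m["name"].strip()
            if name in LOCKOUT_POLICIES:
                f.lockout_policies.append(name)
            elif m["key"].lower().endswith(r"\run"):
                f.autoruns.append((name, m["value"]))
        elif m := RR_HIDDEN_MODULE.match(ln):
            pending_module = m["name"]
        elif (m := RR_PROCESS.match(ln)) and pending_module:
            f.hidden_modules.append((pending_module, m["proc"], int(m["pid"])))
            pending_module = None
        elif m := RR_SERVICE_NAME.match(ln):
            pending_service = m["svc"]
        elif (m := RR_IMAGE_PATH.match(ln)) and pending_service:  # Drivers-section paths have no pending service
            f.hidden_services.append((pending_service, m["path"]))
            pending_service = None
    return f


def summary(f: Findings) -> List[str]:
    """Human-readable findings; the first line is the verdict (wording is this example's own)."""
    rootkit = bool(f.hidden_modules or f.hidden_services)
    out = ["VERDICT: hidden kernel objects present, treat scanner output from the live OS as unreliable"
           if rootkit else "VERDICT: no hidden kernel objects in this log"]
    if f.shell_hijack:
        out.append(f"Winlogon Shell hijacked: {f.shell_hijack}")
    out += [f"Lockout policy set: {p}" for p in f.lockout_policies]
    out += [f"Run-key autostart: {n} -> {c}" for n, c in f.autoruns]
    out += [f"Hidden module {d} in {p} (PID {pid})" for d, p, pid in f.hidden_modules]
    out += [f"Hidden service {s} -> {p}" for s, p in f.hidden_services]
    return out


# Constructed sample, modelled on the logs posted in this thread (not a real capture).
SAMPLE_LOG = r"""
Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe rundll32.exe tapi.nfo beforeglav" -> "Explorer.exe"
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000001
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoFolderOptions = 0x00000001
Removed registry value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run -> Protection System = ""C:\Program Files\Protection System\psystem.exe" -noscan"
Drivers
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Stealth Objects
Object: Hidden Module [Name: UAClevjilwrow.dll]
Process: svchost.exe (PID: 1620) Address: 0x00a50000 Size: 65536
Object: Hidden Handle [Index: 5032, Type: Key]
Process: firefox.exe (PID: 3176) Address: 0xe2a3de58 Size: -
Object: Hidden Module [Name: UACltyouymmpl.dll]
Process: Explorer.exe (PID: 2280) Address: 0x10000000 Size: 49152
Hidden Services
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACwroepkhcnx.sys
==EOF==
"""

if __name__ == "__main__":
    for line in summary(triage(SAMPLE_LOG)):
        print(line)
```

Run it as-is to see the summary of the constructed sample, or pipe a saved RootRepeal or Norman log into `triage()`. The "Image Path" line under RootRepeal's Drivers section is deliberately not reported: only a path that follows a "Service Name" line in the Hidden Services section counts, which is why `rootrepeal.sys` above stays out of the findings while `UACwroepkhcnx.sys` is flagged.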

#3 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,247 posts
  • Location:Romania

Posted 29 August 2009 - 01:12 PM

RootRepeal shows you have the Max++ infection. Therefore please post your RootRepeal log in the HJT forum, because you most likely won't be able to produce a DDS/HJT log.

I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

If you have any problems/questions about the above, please let me know!

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#4 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,993 posts
  • Location:Bloomington, IN

Posted 29 August 2009 - 11:27 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/253441/rootrepeal-log-pc-cant-run-hijackthismbamexe-ive-max-infection/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom



