
PC_Antispyware 2010 / AV Care invasion


7 replies to this topic

#1 thecaptainms

thecaptainms

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 28 August 2009 - 07:20 PM

Here's the deal: Running Windows XP 2002 version, SP 3. Just got infected by both PCA 2010 and AV Care simultaneously. I've had one or both before, but not at the same time. Usual fix was to run Malwarebytes' Anti-Malware. Here's where things get tricky . . .

I can't run the program. I downloaded the install file again and THAT wouldn't run. When I try to run MWAM, I see the exe file in the task manager, but nothing happens. I also can't run my McAfee scan because it says "Error Starting On Demand Scanner." Even worse, when I go to system restore, it behaves as if there are NO restore points. I can't even page back before this month. I have 12% of my HDD allocated for SR, so I know this is incorrect.

The only saving grace is that deleting the registry files and the program folders seem to have mitigated the impact somewhat. But I'm really worried about the inability to run these programs. Something else is up beyond the usual nuisance malware. Any help would be much-appreciated. Thanks.

(Moderator edit: post move to more appropriate forum. jgw)

Edited by jgweed, 28 August 2009 - 07:39 PM.



#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:04:11 AM

Posted 28 August 2009 - 07:41 PM

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Chewy

No. Try not. Do... or do not. There is no try.

#3 thecaptainms

thecaptainms
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 28 August 2009 - 07:59 PM

Successfully downloaded and extracted file. When I tried to run the program, I got an error saying "Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog." I did so, but still got the error. Here's what the output of the scan was:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/28 20:58
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7A16000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7999000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB3B51000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xB908C000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF7557000 Size: 61440 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UACac9c.tmpvecrdp.dll]
Process: svchost.exe (PID: 1056) Address: 0x009c0000 Size: 217088

Object: Hidden Module [Name: UACnxoqfwdqvu.dll]
Process: svchost.exe (PID: 1056) Address: 0x00980000 Size: 77824

Object: Hidden Module [Name: UACbedojhemet.dll]
Process: svchost.exe (PID: 1056) Address: 0x00cd0000 Size: 73728

Object: Hidden Module [Name: kbiwkmkfwguduh.dll]
Process: svchost.exe (PID: 1056) Address: 0x10000000 Size: 57344

Object: Hidden Module [Name: UACac9c.tmpvecrdp.dll]
Process: Iexplore.exe (PID: 1628) Address: 0x00d60000 Size: 217088

Object: Hidden Module [Name: kbiwkmtufhsmbj.dll]
Process: Iexplore.exe (PID: 1628) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: UACnxoqfwdqvu.dll]
Process: explorer.exe (PID: 3896) Address: 0x00bf0000 Size: 77824

Object: Hidden Module [Name: kbiwkmtufhsmbj.dll]
Process: explorer.exe (PID: 3896) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: UACbaeovecrdp.dll]
Process: Iexplore.exe (PID: 2680) Address: 0x00f50000 Size: 217088

Object: Hidden Module [Name: kbiwkmtufhsmbj.dll]
Process: Iexplore.exe (PID: 2680) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: kbiwkmtufhsmbj.dll]
Process: firefox.exe (PID: 2784) Address: 0x007e0000 Size: 28672

Object: Hidden Module [Name: UACbaeovecrdp.dll]
Process: Iexplore.exe (PID: 2316) Address: 0x01150000 Size: 217088

Object: Hidden Module [Name: kbiwkmtufhsmbj.dll]
Process: Iexplore.exe (PID: 2316) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: UACbaeovecrdp.dll]
Process: Iexplore.exe (PID: 3808) Address: 0x01150000 Size: 217088

Object: Hidden Module [Name: kbiwkmtufhsmbj.dll]
Process: Iexplore.exe (PID: 3808) Address: 0x10000000 Size: 28672

==EOF==
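The report above can be triaged mechanically rather than by eye. The Python script below is an added example, not part of this thread and not RootRepeal's own code. It parses the report layout shown (a "Drivers" section of blank-line-separated records and a "Stealth Objects" section of hidden-module entries), flags drivers whose image was loaded from an NTFS alternate data stream (a filename such as win32k.sys:1) or that the scanner could not find on disk, and maps each hidden module to the processes it was found injected into. The allowlist for dump_*.sys (the in-memory crash-dump copies Windows keeps) and rootrepeal.sys (the scanner's own driver), the function names, and the trimmed SAMPLE_LOG excerpt of the log in post #3 are this example's own choices.

```python
"""Triage a RootRepeal report: ADS-loaded or hidden drivers and injected hidden modules."""
import re
from collections import defaultdict

# Constructed sample: a trimmed excerpt of the RootRepeal log posted above, same format.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/28 20:58
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7A16000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB3B51000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xB908C000 Size: 20480 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UACac9c.tmpvecrdp.dll]
Process: svchost.exe (PID: 1056) Address: 0x009c0000 Size: 217088

Object: Hidden Module [Name: kbiwkmkfwguduh.dll]
Process: svchost.exe (PID: 1056) Address: 0x10000000 Size: 57344

Object: Hidden Module [Name: kbiwkmtufhsmbj.dll]
Process: Iexplore.exe (PID: 1628) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: kbiwkmtufhsmbj.dll]
Process: explorer.exe (PID: 3896) Address: 0x10000000 Size: 28672

==EOF==
"""

# A section is a title line followed by a dashed underline.
SECTION_RE = re.compile(r'^(?P<name>[A-Za-z ]+)\n-{5,}\n', re.M)
DRIVER_FIELDS_RE = re.compile(
    r'Address:\s*(?P<addr>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)\s+'
    r'File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)')
HIDDEN_MODULE_RE = re.compile(
    r'Object: Hidden Module \[Name: (?P<name>[^\]]+)\]\s+'
    r'Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) '
    r'Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)')

# Drivers expected to be invisible on disk (assumption of this example, see lead-in).
BENIGN_INVISIBLE = ('dump_', 'rootrepeal.sys')


def parse_report(text):
    """Split the report into sections and parse the Drivers and Stealth Objects entries."""
    sections = {}
    matches = list(SECTION_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        sections[m.group('name').strip()] = text[m.end():end]

    drivers = []
    for rec in re.split(r'\n\s*\n', sections.get('Drivers', '')):
        fields = dict(line.split(': ', 1) for line in rec.strip().splitlines() if ': ' in line)
        if 'Name' not in fields:
            continue
        m = DRIVER_FIELDS_RE.search(rec)
        drivers.append({
            'name': fields['Name'],
            'path': fields.get('Image Path', ''),
            'visible': bool(m) and m.group('visible') == 'Yes',
            'signed': m.group('signed') if m else '-',
            'size': int(m.group('size')) if m else 0,
        })

    hidden = [{'name': m.group('name'), 'process': m.group('proc'),
               'pid': int(m.group('pid')), 'size': int(m.group('size'))}
              for m in HIDDEN_MODULE_RE.finditer(sections.get('Stealth Objects', ''))]
    return {'drivers': drivers, 'hidden_modules': hidden}


def suspicious_drivers(drivers):
    """Flag drivers loaded from an NTFS alternate data stream (filename carries a ':stream'
    suffix) or whose image file RootRepeal could not see, minus the known-benign cases."""
    flagged = []
    for d in drivers:
        filename = d['path'].rsplit('\\', 1)[-1]
        if ':' in filename:
            flagged.append((d['name'], 'loaded from NTFS alternate data stream'))
        elif not d['visible'] and not d['name'].lower().startswith(BENIGN_INVISIBLE):
            flagged.append((d['name'], 'image file hidden from the file system'))
    return flagged


def injection_map(hidden):
    """Map each hidden module name to the processes it was found injected into."""
    where = defaultdict(set)
    for h in hidden:
        where[h['name']].add(f"{h['process']}({h['pid']})")
    return {name: sorted(procs) for name, procs in where.items()}


def triage(text):
    """One-shot summary: bad drivers, distinct hidden modules, and the spread of injection."""
    report = parse_report(text)
    inj = injection_map(report['hidden_modules'])
    return {
        'suspicious_drivers': suspicious_drivers(report['drivers']),
        'hidden_module_count': len(inj),
        # modules present in more than one process indicate system-wide injection
        'widespread_modules': sorted(n for n, p in inj.items() if len(p) > 1),
        'injected_processes': sorted({p for procs in inj.values() for p in procs}),
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

Run against the full log in post #3, the same logic shows the hidden modules sitting in svchost.exe, explorer.exe, firefox.exe and every iexplore.exe instance at once, which is why the reply that follows treats the machine as fully compromised rather than as a nuisance rogue-AV infection. The ADS-loaded win32k.sys:1 and win32k.sys:2 entries are the driver-level half of the same picture: a legitimate driver is never loaded from a stream hanging off another file.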

#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:04:11 AM

Posted 28 August 2009 - 08:06 PM

Please follow the directions in this post by Blade, running the scanners so you can post logs in the HJT forum:

http://www.bleepingcomputer.com/forums/ind...t&p=1403667

This is a nasty rootkit

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
Chewy

No. Try not. Do... or do not. There is no try.

#5 thecaptainms

thecaptainms
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 28 August 2009 - 08:10 PM

Well, I need to get a new laptop, anyway, but I also need to use this computer through the weekend for some non-sensitive work-related stuff. Is there anything I can do now that will be a short-term fix until I can make that purchase next week? I will avoid all password sites, banking, etc, until then.

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:04:11 AM

Posted 28 August 2009 - 08:18 PM

If you stay connected to the internet, expect the infection to get worse; our attempts to remove it with self-help tools would probably crash Windows.
Chewy

No. Try not. Do... or do not. There is no try.

#7 thecaptainms

thecaptainms
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 28 August 2009 - 08:25 PM

Ok, I'm keeping my connection time minimal. I will have to upload a few things at some point, however. This laptop is 6 years old, so no big loss - the timing really sucks, though. Already changed my banking, etc, passwords. Not going to worry about social networking and minor stuff like that. May go buy new laptop tomorrow. Would prefer to buy through Dell directly, but need laptop ASAP. Thanks for your help. Question - what are the odds I've been compromised significantly at this point?

#8 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:04:11 AM

Posted 28 August 2009 - 08:28 PM

Question - what are the odds I've been compromised significantly at this point?


~100%
Chewy

No. Try not. Do... or do not. There is no try.
