
Anti-Malware tools being killed during scans


4 replies to this topic

#1 Event Horizons


Posted 03 September 2009 - 12:13 PM

I picked up a machine (XP pro, SP3) from a customer on 9/1 that had an infection that would allow you to start an anti-malware tool (I tried Autoruns first, then Malwarebytes, and Spybot S&D, along with a few other items) but the program would be killed while scanning. After it was killed, the infection would then block access to the EXE, preventing you from deleting it or overwriting it. Renaming the programs before running them did not help.

SAV had been on the machine, which is what gave the customer her first warning. However, by the time I got there it had been disabled, though parts of it were still showing in the task manager.

Extensive searching only found two people with similar problems and only a few hints on what to try to do.

http://www.bleepingcomputer.com/forums/t/254129/cant-run-antimalware-mwaw-hjt-ddsscr-etc/

and

http://samimikhail.blogspot.com/2009/08/vi...s-update-6.html

My usual procedure is to slave the hard drive in another machine and perform a virus-scan.

When I did this, SAV Corporate 8.1 found some items...
Trojan.Fakealert!gen
Infostealer
Infostealer.Snifula.B
Backdoor.HaxDoor.I

Malwarebytes found "Backdoor.Sdbot"

However, when I put the hard drive back, this did not resolve the fundamental issue of not being able to run the malware tools.

The trick that finally worked for me (based on something I read somewhere...I must have spent 3 hours scouring posts from other people!) was to kill "explorer" via the task manager and then launch applications from there.

I was then able to run Sysinternals "autoruns". I re-installed and ran "Malwarebytes" and after a 10 hour scan, it found and removed a number of items, including the following...
Adware.minibug
Adware.Starware
Backdoor.sdbot

I re-installed SAV but it would not start properly. I then uninstalled it fully and re-installed from scratch. It is now running properly.

I followed up with a scan by Spybot S&D and it found and removed the following...
lundl_haxdoor
win32.delc.uc
(Those may have just been residue items)

I am now running another Malwarebytes scan, but the machine seems to be behaving properly.

Every day I learn something new!

Hopefully this will help someone else.


#2 quietman7


Posted 03 September 2009 - 08:47 PM

Please post the results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs


#3 Event Horizons


Posted 03 September 2009 - 11:06 PM

This is being posted from the workstation that was infected.
It is now behaving properly and a second scan with MBAM (8 hours+) was 100% clean.

Remember that when I ran the scan, I had killed "explorer" and was launching from the task manager.

Here is the MBAM log from when it was infected...
<------ mbam-log-2009-09-03 (07-29-43).txt ------>
Malwarebytes' Anti-Malware 1.40
Database version: 2734
Windows 5.1.2600 Service Pack 3

9/3/2009 7:29:43 AM
mbam-log-2009-09-03 (07-29-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 760738
Time elapsed: 9 hour(s), 54 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 41
Files Infected: 88

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\starware (Adware.Starware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{d49e9d35-254c-4c6a-9d17-95018d228ff5} (Adware.Starware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\buttons (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\CelebrityNews (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\CelebrityNews\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\CelebrityNews\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\contexts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\EntertainmentMarketingSP (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\EntertainmentMarketingSP\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\EntertainmentMarketingSP\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\Games (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\Games\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\Games\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\Movies (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\Movies\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\Movies\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\ScreensaversMarketingSitePager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\ScreensaversMarketingSitePager\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\ScreensaversMarketingSitePager\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\SimpleUpdate (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\BrowserSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\CelebrityNews (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\CelebritySearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\EntertainmentMarketingSP (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\ErrorSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Games (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Layouts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Manager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Movies (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\RelatedSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\ScreensaversMarketingSitePager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\SearchAssistPlus (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\SearchMatch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\SearchMatch\searchMatchPages (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\ToolbarLogo (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\ToolbarSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\TravelSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware\bin (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware\icons (Adware.Starware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120802.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120803.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120804.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120805.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120806.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120807.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120808.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120809.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120810.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120811.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120812.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120813.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120814.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120815.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120816.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120817.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120818.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120819.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120820.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\TemE0.tmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\buttons\celebrity_news.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\buttons\celebrity_search.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\buttons\FindIt.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\buttons\FindItHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\buttons\findithotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\buttons\finditxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\buttons\Highlight.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\buttons\HighlightHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\buttons\highlighthotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\buttons\highlightxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\buttons\logo.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\buttons\logoxp.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\contexts\error.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\contexts\related.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\contexts\travel.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\EntertainmentMarketingSP\images\active\EntertainmentMarketingSP0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\Games\images\active\Games0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\Movies\images\active\Movies0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\SimpleUpdate\ProductMessagingConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\SimpleUpdate\ProductMessagingConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\SimpleUpdate\SimpleUpdateConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\SimpleUpdate\SimpleUpdateConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\SimpleUpdate\TimerManagerConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Starware\SimpleUpdate\TimerManagerConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Tem18A.tmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\BrowserSearch\BrowserSearch.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\BrowserSearch\BrowserSearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\CelebrityNews\CelebrityNewsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\CelebrityNews\CelebrityNewsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\CelebritySearch\CelebritySearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\CelebritySearch\CelebritySearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Games\GamesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Games\GamesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Layouts\PreferencesLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Layouts\PreferencesLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Layouts\ToolbarLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Layouts\ToolbarLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Movies\MoviesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Movies\MoviesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\SearchAssistPlus\SearchAssistPlusOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\SearchAssistPlus\SearchAssistPlusOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\SearchMatch\SearchMatchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\SearchMatch\SearchMatchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Toolbar\TBProductsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\Toolbar\TBProductsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\TravelSearch\TravelSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Donna.MIERS-QH6HNVVXK\Application Data\Starware\TravelSearch\TravelSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware\brand.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware\StarwareConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware\StarwareUninstall.exe (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware\bin\Starware.dll (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware\icons\star_16.ico (Adware.Starware) -> Quarantined and deleted successfully.

<------ end of "mbam-log-2009-09-03 (07-29-43).txt" ------>


This is the report from Spybot S&D.
I'll be honest in that I don't fully understand all the items in the report.
<------ "Fixes.090903-0928.txt" ------>

--- Report generated: 2009-09-03 09:28 ---

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Microsoft.WindowsSecurityCenter.FirewallBypass: [SBI $D80580B5] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe

Microsoft.WindowsSecurityCenter.FirewallOverride: [SBI $0C94D702] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride

1und1_Haxdoor: [SBI $05838486] Library (File, fixed)
C:\WINDOWS\system32\lps.dat
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Win32.Delf.uc: [SBI $88B8013A] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-09-03 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-09-01 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-09-01 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-09-01 Includes\HijackersC.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-09-01 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-08-19 Includes\Malware.sbi (*)
2009-09-01 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-09-01 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-09-01 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-09-01 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-08-25 Includes\Trojans.sbi (*)
2009-09-01 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

<------ end of "Fixes.090903-0928.txt" ------>
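The MBAM log above uses a fixed "path (Threat.Name) -> action." line format. As an added example (not code from the thread or from Malwarebytes), this parser reads that format, checks the entry counts against the summary header so a truncated paste is noticed, and separates detections that were live on the disk from copies that only existed in System Restore snapshots, which is where every Backdoor.Sdbot hit in the quoted log sits (System Volume Information\_restore...). The sample log is constructed from a few lines of the quoted one, with the last action altered to show a removal still pending.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and classify what it removed.

Added example, not the thread's or Malwarebytes' own code. Handles the
"path (Threat.Name) -> action." line format shown in the post above.
"""
import re
from collections import defaultdict

# Constructed sample in the format of the quoted log (a handful of its lines);
# the final "Delete on reboot." action is altered to show a pending removal.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2734
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Registry Keys Infected: 2
Files Infected: 4

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\starware (Adware.Starware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120802.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11302725-DC24-455F-9351-4073264CCDA0}\RP328\A0120803.dll (Backdoor.Sdbot) -> Quarantined and deleted successfully.
C:\Program Files\Starware\bin\Starware.dll (Adware.Starware) -> Delete on reboot.
"""

# One detection line: "<path> (<threat>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Either a summary line ("Files Infected: 88") or a section header ("Files Infected:").
SECTION_RE = re.compile(
    r"^(?P<section>(?:Memory|Registry|Folders|Files)[A-Za-z ]*Infected):(?:\s*(?P<count>\d+))?\s*$"
)
# Files under System Restore snapshots were not live on the running system.
RESTORE_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore", re.IGNORECASE)
OK_ACTION = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return product/database info, the expected per-section counts and all entries."""
    report = {"product": None, "database": None, "expected": {}, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes' Anti-Malware"):
            report["product"] = line
            continue
        if line.startswith("Database version:"):
            report["database"] = line.split(":", 1)[1].strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                report["expected"][m.group("section")] = int(m.group("count"))
            else:
                section = m.group("section")  # detail listing starts here
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            report["entries"].append({"section": section, **m.groupdict()})
    return report


def check_counts(report):
    """Map section -> (expected, seen) for every section whose counts disagree."""
    seen = defaultdict(int)
    for e in report["entries"]:
        seen[e["section"]] += 1
    return {s: (n, seen.get(s, 0)) for s, n in report["expected"].items() if seen.get(s, 0) != n}


def summarize(report):
    """Count live vs restore-point hits per threat and collect unfinished removals."""
    by_threat = defaultdict(lambda: {"live": 0, "restore_point": 0})
    pending = []
    for e in report["entries"]:
        where = "restore_point" if RESTORE_RE.match(e["path"]) else "live"
        by_threat[e["threat"]][where] += 1
        if e["action"] != OK_ACTION:  # e.g. a file still scheduled for removal at reboot
            pending.append(e)
    return dict(by_threat), pending


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep["product"], "db", rep["database"])
    print("count mismatches:", check_counts(rep))
    threats, todo = summarize(rep)
    for name, counts in sorted(threats.items()):
        print(f"{name}: live={counts['live']} restore_point={counts['restore_point']}")
    for e in todo:
        print("still pending:", e["path"], "->", e["action"])
```

A threat that appears only under restore points means the live copy was already gone (here, removed during the slaved-drive scan), while any entry with a pending action tells you the reboot the moderator asks for has not happened yet.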

#4 quietman7


Posted 04 September 2009 - 07:20 AM

Rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Please download TFC by Old Timer and save it to your desktop.
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, just ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 Event Horizons (Topic Starter, Members, 3 posts)

Posted 05 September 2009 - 11:31 AM

As I noted initially, after I successfully ran the MBAM scan (the log shown) and told it to "clean" everything, the machine started behaving more normally.

I also went through with Sysinternals "AutoRuns" and removed everything that was not vouchsafed.
A Spybot S&D scan was performed and all problems it found were corrected.

However, I neglected to mention that the workstation was normally part of a domain with roving profiles, which it did not have access to when on my workbench.

As such, I was reluctant to greatly disturb the user profile that was normally used at the office, not having a lot of experience with the quirks of such configurations. The "Temporary Internet Files" of that profile were the reason the scans took so long!

When I returned the machine to the customer and booted it up there, it came up cleanly, albeit very slow and sluggish.

I deleted the "Temporary Internet Files" (which took a fair amount of time!) and fiddled with a few other minor settings.

When I left, the workstation was humming along quite well and performing quickly.

My main purpose of posting this was to get the word out as to what I had to do to get a handle on this infection.

My steps, boiled down, were as follows...
1) Mounted the hard drive as a slave in another clean computer and scanned for viruses using Symantec Corp. 8.1.
2) Restored the drive to the workstation and booted in normal mode.
At this point, if I launched an anti-malware tool, it would start, but it would be killed while it was scanning.
3) Used Task Manager to kill "explorer".
4) Installed and ran MBAM. Cleaned everything it found.
5) Ran Sysinternals "Autoruns". Deleted everything that was not known to be good.
6) Installed and ran Spybot S&D. Fixed all problems found.
(Machine now booted and seemed to run normally.)
7) Uninstalled, re-installed Symantec and updated.
8) Ran MBAM, Spybot S&D and SAV scans. All clean.
9) Returned workstation to customer location, removed "Temporary Internet Files".

All now seems to be well.

In my personal experience, in the last six months there seems to be a resurgence, a new "wave", of malware that is hitting my customers, and each one is nastier than the last!
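Steps 3 and 4 of that procedure (stop the shell, then run the scanner and watch whether it survives) can be scripted so that an unexpected kill is recorded rather than noticed by eye. The script below is an added example written for this page; it is not code from the thread, from Malwarebytes or from Sysinternals. The scanner path, the log file location and the use of a non-zero exit code as the "scanner was killed" signal are all assumptions; adjust the path to whichever tool is in use.

```powershell
# Added example (not from the thread or the tool vendors): run a scanner with
# explorer.exe stopped, as in steps 3 and 4 above, and log when the scanner
# exits so a scan that was killed mid-way leaves a trace on disk.
# The scanner path is an assumption; the log goes to the current user's desktop.
param(
    [string]$ScannerPath = 'C:\Program Files\Malwarebytes Anti-Malware\mbam.exe',  # assumed
    [string]$LogPath     = "$env:USERPROFILE\Desktop\scan-watch.log"
)

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss}  {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

if (-not (Test-Path -Path $ScannerPath)) {
    throw "Scanner not found at $ScannerPath (adjust the assumed path)"
}

# Process IDs present before the scan; anything not in this list afterwards
# appeared while the scanner was running.
$before = Get-Process | Select-Object -ExpandProperty Id

try {
    # Step 3: stop the shell so nothing hooked into it is running during the scan.
    # Explorer is restarted in the finally block whatever happens.
    Get-Process -Name explorer -ErrorAction SilentlyContinue |
        Stop-Process -Force -ErrorAction SilentlyContinue
    Write-Log "explorer.exe stopped"

    # Step 4: start the scanner and wait until it exits, for whatever reason.
    $started = Get-Date
    $scanner = Start-Process -FilePath $ScannerPath -PassThru
    Write-Log ("scanner started, PID {0}" -f $scanner.Id)

    while (-not $scanner.HasExited) {
        Start-Sleep -Seconds 5
    }
    $elapsed = [int]((Get-Date) - $started).TotalSeconds
    Write-Log ("scanner exited with code {0} after {1} s" -f $scanner.ExitCode, $elapsed)

    # A scanner closed by the user normally exits 0. Any other code is treated
    # here (assumption) as a possible kill, so list what appeared during the scan;
    # those names are the first thing to look for in Autoruns (step 5).
    if ($scanner.ExitCode -ne 0) {
        Get-Process | Where-Object { $before -notcontains $_.Id } | ForEach-Object {
            Write-Log ("  new process during scan: {0} (PID {1}) {2}" -f `
                $_.ProcessName, $_.Id, $_.Path)
        }
    }
}
finally {
    # Restore the desktop whether or not the scan completed.
    Start-Process -FilePath explorer.exe
    Write-Log "explorer.exe restarted"
}
```

Run it from an elevated PowerShell prompt; the log survives even if the scanner window disappears, which is the point. The exit-code check is only a heuristic: a process terminated by another process reports whatever code the terminator supplied, so read the "new process during scan" lines together with the Autoruns review rather than on their own.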
