Antivirus Pro 2010: No success with MBAM and need help


21 replies to this topic

#1 akdavis


Posted 15 October 2009 - 03:23 PM

Avira tried to stop it, but failed. I have run MBAM twice (forgot to update MBAM first time) and the malware is still there. Here is the last MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

10/15/2009 3:14:43 PM
mbam-log-2009-10-15 (15-14-43).txt

Scan type: Quick Scan
Objects scanned: 102969
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 5
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\y537.y537mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antiviruspro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus pro 2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\796525 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\data (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alan\Start Menu\Programs\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\AVEngn.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\htmlayout.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\pthreadVC2.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Uninstall.exe (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\wscui.cpl (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\data\daily.cvd (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alan\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alan\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alan\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alan\Start Menu\Programs\Startup\ikowin32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alan\Local Settings\temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alan\Local Settings\temp\BN6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alan\Local Settings\temp\BN7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alan\Local Settings\temp\BN8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alan\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alan\Application Data\svcst.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Alan\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\984.exe (Rootkit.Agent) -> Quarantined and deleted successfully.

Please help if you can.
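The MBAM log above is the format the rest of this thread works from. As an added example that is not part of the original post, here is a small Python parser for that log format, run over a constructed sample built from lines in this thread; it pulls out what a helper looks for (section counts, items that auto-started at logon, Security Center notifications that were switched off, entries still marked "Delete on reboot") and also recognises the all-zero "clean" case checked later in the thread. The regexes and helper names are my own assumptions, not anything from Malwarebytes.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the MBAM 1.41 log format quoted in this thread: a few
# lines taken from the posted scans, not a complete log.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2775

Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus pro 2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Alan\Application Data\svcst.exe (Backdoor.Bot) -> Delete on reboot.
"""

# Summary line ("Files Infected: 4"), section header ("Files Infected:") and a
# detection line: item, (family), then one or more "->" steps.
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
# Autostart locations seen in the thread's logs (matched case-insensitively).
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\start menu\\programs\\startup\\")

@dataclass
class Detection:
    section: str    # e.g. "Registry Values Infected"
    item: str       # registry path or file path
    family: str     # MBAM detection name, e.g. "Rogue.AntiVirusPro2010"
    action: str     # last action MBAM reports for the item
    tampered: bool  # data item flipped by malware: "Bad: (1) Good: (0)"

@dataclass
class ScanReport:
    counts: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)

def parse_mbam_log(text: str) -> ScanReport:
    """Parse an MBAM quick-scan log into summary counts and per-section detections."""
    report, section = ScanReport(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if m := COUNT_RE.match(line):
            report.counts[m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["section"]
        elif section and (m := DETECTION_RE.match(line)):
            steps = m["rest"].split(" -> ")
            report.detections.append(Detection(
                section=section, item=m["item"], family=m["family"],
                action=steps[-1], tampered="Bad: (1)" in m["rest"]))
    return report

def is_clean(report: ScanReport) -> bool:
    """True only when every summary count is zero and no detection lines were found."""
    return bool(report.counts) and not any(report.counts.values()) and not report.detections

def count_mismatches(report: ScanReport) -> List[str]:
    """Sections whose summary count disagrees with the detection lines (e.g. a truncated paste)."""
    seen = Counter(d.section for d in report.detections)
    return [s for s, n in report.counts.items() if seen.get(s, 0) != n]

def autostart_entries(report: ScanReport) -> List[Detection]:
    """Items that ran at logon: Run values and Startup-folder files."""
    return [d for d in report.detections if any(mk in d.item.lower() for mk in AUTOSTART_MARKERS)]

def security_center_tampering(report: ScanReport) -> List[Detection]:
    """Security Center *DisableNotify values set to 1, i.e. AV/firewall/update alerts silenced."""
    return [d for d in report.detections if "\\security center\\" in d.item.lower() and d.tampered]

def pending_reboot(report: ScanReport) -> List[Detection]:
    """Items MBAM could not remove while running; the reboot it asks for completes removal."""
    return [d for d in report.detections if d.action.startswith("Delete on reboot")]

if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("clean:", is_clean(rep), "count mismatches:", count_mismatches(rep))
    for label, fn in (("autostart", autostart_entries), ("alerts silenced", security_center_tampering),
                      ("needs reboot", pending_reboot)):
        for d in fn(rep):
            print(f"{label}: {d.item} [{d.family}]")
```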

#2 boopme


Posted 15 October 2009 - 03:43 PM

Hello and welcome. Let's try this now.

Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates. When done,
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, post new scan log and reboot into normal mode.

Please ask any needed questions, post 2 logs and let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 akdavis


Posted 15 October 2009 - 04:06 PM

Sadly, I've been here before, but couldn't retrieve my password. In the process of performing the SAS scan now. I noticed in another thread you suggested also updating to Windows Service Pack 3. Should I do this at any point in the process?

#4 boopme


Posted 15 October 2009 - 04:10 PM

You can try, but many times when infected Windows will stop the update.

#5 akdavis


Posted 15 October 2009 - 06:21 PM

Okay, back up and running after MBAM restart. Overt signs of the infection are gone. Program is gone from the taskbar and no more windows popping up. IE does not redirect. Logs below.

SAS:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/15/2009 at 05:51 PM

Application Version : 4.29.1004

Core Rules Database Version : 4168
Trace Rules Database Version: 2090

Scan type	   : Complete Scan
Total Scan Time : 01:48:54

Memory items scanned	  : 228
Memory threats detected   : 0
Registry items scanned	: 6037
Registry threats detected : 14
File items scanned		: 356619
File threats detected	 : 23

Trojan.Dropper/Gen-NV
	[restorer64_a] C:\WINDOWS\SYSTEM32\RESTORER64_A.EXE
	C:\WINDOWS\SYSTEM32\RESTORER64_A.EXE
	[restorer64_a] C:\DOCUMENTS AND SETTINGS\ALAN\RESTORER64_A.EXE
	C:\DOCUMENTS AND SETTINGS\ALAN\RESTORER64_A.EXE
	[mserv] C:\DOCUMENTS AND SETTINGS\ALAN\APPLICATION DATA\SERES.EXE
	C:\DOCUMENTS AND SETTINGS\ALAN\APPLICATION DATA\SERES.EXE
	[svchost] C:\DOCUMENTS AND SETTINGS\ALAN\APPLICATION DATA\SVCST.EXE
	C:\DOCUMENTS AND SETTINGS\ALAN\APPLICATION DATA\SVCST.EXE

Rogue.AntiVirusPro2010
	[Antivirus Pro 2010] C:\PROGRAM FILES\ANTIVIRUSPRO_2010\ANTIVIRUSPRO_2010.EXE
	C:\PROGRAM FILES\ANTIVIRUSPRO_2010\ANTIVIRUSPRO_2010.EXE
	C:\Documents and Settings\Alan\Start Menu\Programs\ANTIVIRUSPRO_2010\AntivirusPro_2010.lnk
	C:\Documents and Settings\Alan\Start Menu\Programs\ANTIVIRUSPRO_2010\Uninstall.lnk
	C:\Documents and Settings\Alan\Start Menu\Programs\ANTIVIRUSPRO_2010
	C:\Program Files\ANTIVIRUSPRO_2010\AVEngn.dll
	C:\Program Files\ANTIVIRUSPRO_2010\data\daily.cvd
	C:\Program Files\ANTIVIRUSPRO_2010\data
	C:\Program Files\ANTIVIRUSPRO_2010\htmlayout.dll
	C:\Program Files\ANTIVIRUSPRO_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
	C:\Program Files\ANTIVIRUSPRO_2010\Microsoft.VC80.CRT\msvcm80.dll
	C:\Program Files\ANTIVIRUSPRO_2010\Microsoft.VC80.CRT\msvcp80.dll
	C:\Program Files\ANTIVIRUSPRO_2010\Microsoft.VC80.CRT\msvcr80.dll
	C:\Program Files\ANTIVIRUSPRO_2010\Microsoft.VC80.CRT
	C:\Program Files\ANTIVIRUSPRO_2010\pthreadVC2.dll
	C:\Program Files\ANTIVIRUSPRO_2010\Uninstall.exe
	C:\Program Files\ANTIVIRUSPRO_2010\wscui.cpl
	C:\Program Files\ANTIVIRUSPRO_2010
	HKLM\SOFTWARE\AntivirusPro_2010
	HKLM\SOFTWARE\AntivirusPro_2010#info
	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010
	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010#DisplayName
	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010#UninstallString
	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run#Antivirus Pro 2010 [ "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide ]

Trojan.Unknown Origin
	HKU\S-1-5-21-1891462814-1093553118-4216441478-1005\Software\Microsoft\Windows\CurrentVersion\Run#mserv [ C:\Documents and Settings\Alan\Application Data\seres.exe ]
	HKU\S-1-5-21-1891462814-1093553118-4216441478-1005\Software\Microsoft\Windows\CurrentVersion\Run#svchost [ C:\Documents and Settings\Alan\Application Data\svcst.exe ]

Rogue.XP AntiSpyware2009-Trace
	C:\WINDOWS\system32\_scui.cpl

Rogue.XP AntiSpyware 2009
	HKU\S-1-5-21-1891462814-1093553118-4216441478-1005\Control Panel\don't load#wscui.cpl [ No ]

Trojan.Agent/Gen-FakeAlert
	C:\DOCUMENTS AND SETTINGS\ALAN\APPLICATION DATA\LIZKAVD.EXE

MBAM:
Malwarebytes' Anti-Malware 1.41
Database version: 2969
Windows 5.1.2600 Service Pack 2

10/15/2009 6:10:01 PM
mbam-log-2009-10-15 (18-10-01).txt

Scan type: Quick Scan
Objects scanned: 97452
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\umabepyjex.reg (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alan\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alan\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\765.exe (Rootkit.Agent) -> Quarantined and deleted successfully.

Thanks for getting me to this point. Is there anything else I should do to confirm infection is gone? Is now a good time to update to SP3, or am I risking causing problems?

#6 boopme


Posted 15 October 2009 - 06:46 PM

Ok, this was good. Do one more update and MBAM Quick scan. If all clean, go on to the update. Let me know.

#7 akdavis


Posted 15 October 2009 - 10:12 PM

Looks clean. Thanks.

Malwarebytes' Anti-Malware 1.41
Database version: 2970
Windows 5.1.2600 Service Pack 2

10/15/2009 10:11:42 PM
mbam-log-2009-10-15 (22-11-42).txt

Scan type: Quick Scan
Objects scanned: 99579
Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#8 boopme


Posted 16 October 2009 - 12:22 PM

Yep, Good to go.

#9 akdavis


Posted 17 October 2009 - 10:13 AM

Looks like I may not be out of the woods, or perhaps I am very unlucky of late and this is a separate issue. Computer started acting funny last night, with CPU churning, multiple instances of iexplorer showing up in the task manager for no reason and Avira taking up CPU cycles for no apparent reason. I ran an MBAM scan and nothing was found. Still seemed like the CPU was churning when it shouldn't be, but it was too late to investigate so I shut down and went to bed. Started it up this morning and noticed the CPU still behaving oddly. Saw something called _ex-08.exe that shouldn't be there and tried to end it. "Security Tool" (sure looks a lot like what I had before) then started running rampant. Updated MBAM and ran another scan. Items were detected and removed and following restart there's nothing in the taskbar, but the way this came about makes me leery. Seems like the CPU is working hard every time I open IE. Looking at task manager, with IE open, Avira starts running up near 90%. Close IE and Avira goes back to normal. Seems strange. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 2975
Windows 5.1.2600 Service Pack 3

10/17/2009 10:01:31 AM
mbam-log-2009-10-17 (10-01-31).txt

Scan type: Quick Scan
Objects scanned: 108103
Time elapsed: 8 minute(s), 10 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\18131620\18131620.exe (Rogue.SystemSecurity) -> Unloaded process successfully.
C:\WINDOWS\Temp\_ex-08.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\promoreg (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18131620 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RList (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\18131620 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\18131620\18131620.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\_ex-08.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alan\Local Settings\temp\ie3.tmp (Trojan.Agent) -> Delete on reboot.

Sorry for bringing this back up to the top.

Edited by akdavis, 17 October 2009 - 10:23 AM.


#10 akdavis


Posted 17 October 2009 - 01:51 PM

I followed the previous procedure with ATF and SAS. Looks like the computer was forced to reboot when SAS tried to remove found items. Not sure where to go from here.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/17/2009 at 12:42 PM

Application Version : 4.29.1004

Core Rules Database Version : 4171
Trace Rules Database Version: 2093

Scan type	   : Complete Scan
Total Scan Time : 01:50:50

Memory items scanned	  : 215
Memory threats detected   : 1
Registry items scanned	: 6108
Registry threats detected : 0
File items scanned		: 362160
File threats detected	 : 2

Trojan.Dropper/Sys-MS32Clod
	C:\WINDOWS\SYSTEM32\MS32CLOD.DLL
	C:\WINDOWS\SYSTEM32\MS32CLOD.DLL

Trojan.Dropper/UserInit-Fake
	C:\WINDOWS\SYSTEM32\USERINIT.EXE

Edited by akdavis, 17 October 2009 - 01:52 PM.


#11 boopme


Posted 17 October 2009 - 07:18 PM

Hello. Pesky critter. What Antivirus is installed?

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

We should also run Part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Edited by boopme, 17 October 2009 - 07:20 PM.


#12 akdavis


Posted 17 October 2009 - 09:52 PM

The computer rebooted when I tried to scan with rootrepeal.exe. Randomly after reboot there is an empty notepad document on the desktop labelled "settings." Ran smitfraudfix.exe without apparent problems:

SmitFraudFix v2.424

Scan done at 21:48:37.54, Sat 10/17/2009
Run from C:\Documents and Settings\Alan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Seagate\AutoBackup\MemeoBackup.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Alan\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Alan


C:\DOCUME~1\Alan\LOCALS~1\Temp


C:\Documents and Settings\Alan\Application Data


Start Menu


C:\DOCUME~1\Alan\FAVORI~1


Desktop


C:\Program Files

C:\Program Files\Google\googletoolbar1.dll FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="ms32clod.dll"


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS



Scanning for wininet.dll infection


End

Oh, and I use Avira.

Edited by boopme, 17 October 2009 - 10:01 PM.


#13 boopme


Posted 17 October 2009 - 10:04 PM

Ok, we should run Part 2. I'll look back in the morning.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

#14 akdavis


Posted 17 October 2009 - 10:24 PM

I was not prompted to replace an infected file. The program did not prompt for restart. Disk Cleanup randomly started running after I ran the initial scan (I cancelled it). I restarted manually. Text from rapport.txt below:

SmitFraudFix v2.424

Scan done at 22:15:43.04, Sat 10/17/2009
Run from C:\Documents and Settings\Alan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

 SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

 Killing process


 hosts

127.0.0.1	   localhost

 VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


 Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


 Generic Renos Fix

GenericRenosFix by S!Ri


 Deleting infected files

C:\Program Files\Google\googletoolbar1.dll Deleted

 IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



 Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


 RK


 DNS



 Deleting Temp Files


 Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


 RK.2



 Registry Cleaning
 
Registry Cleaning done. 
 
 SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


 End

Thanks and good night.

#15 akdavis


Posted 18 October 2009 - 05:00 PM

I assume this didn't cure the infection. No overt signs, but it sure seems like the hard drive is working for no apparent reason. Nothing is visible running in task manager. Maybe I'm paranoid at this point. I've had the computer disconnected from the internet and backup hard drive since this recurrence and have just been using a USB flash drive to move the cleaning and detection programs and log files to my wife's Mac.

Edited by akdavis, 18 October 2009 - 05:02 PM.




