I am a novice...

4 replies to this topic

#1 foodfromafar
Posted 28 November 2009 - 10:53 PM

Hello! I've tried to read through forum posts to figure out the problem I am having. I'm actually working on a relative's computer for them. They were infected with Antivirus System Pro a couple of weeks ago. I downloaded and ran rkill and then MalwareBytes AntiMalware which solved the problem. I then installed XP Service Pack 3 and other windows updates. Everything was fine.

Today, someone using the same computer went to an adult site and reinfected it with Antivirus System Pro. It wouldn't run rkill or MBAM at first. I tried the Win32kDiag.exe log thing, but that wasn't working either. Task manager would not come up. I finally rebooted and clicked ctrl-alt-del during the reboot and got the Task Manager window. I deleted 2 files in TM called ratsysguard.exe or something like that and was able to run rkill and MBAM after that. MBAM found one trojan:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/28/2009 10:39:10 PM
mbam-log-2009-11-28 (22-39-10).txt

Scan type: Quick Scan
Objects scanned: 106828
Time elapsed: 24 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Then I tried to go to the Microsoft website in IE to check for updates and I was redirected to a search page that couldn't load. I realized that even though a Trojan was removed, there is still something affecting the system. So I rebooted the computer and the ratsysguard file started to load again. I deleted it in Task Manager, ran rkill and MBAM finding the same Trojan.

The only firewall is the XP firewall, which is enabled. Please tell me what I need to do. I apologize for not being able to figure it out from other posts.

Pauline

Edited by foodfromafar, 28 November 2009 - 10:55 PM.
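The MBAM log quoted in the post above has a fixed shape: a summary block of "Section Infected: N" counts followed by one "Section Infected:" header per category with either detail lines or "(No malicious items detected)". As an added example (not code from the original post or from Malwarebytes), here is a small Python parser for that format that extracts each detection and cross-checks the summary counts against the detail lines, which is a quick way to triage several logs at once or to spot an entry that was found but not successfully quarantined. The sample log is constructed for the example and mirrors the one posted; the function names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample in the format Malwarebytes' Anti-Malware 1.x wrote,
# modelled on the log posted above (same single FakeAlert registry key).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/28/2009 10:39:10 PM
mbam-log-2009-11-28 (22-39-10).txt

Scan type: Quick Scan
Objects scanned: 106828
Time elapsed: 24 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
# "<item> (<family>) -> <action>" as written on MBAM detail lines
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
NONE_MARKER = "(No malicious items detected)"


def parse_mbam_log(text):
    """Return (summary_counts, detections) for an MBAM 1.x text log.

    summary_counts: {section name: count claimed in the summary block}
    detections: one dict (section/item/family/action) per detail line found
    under a 'Section Infected:' header.
    """
    summary = OrderedDict()
    detections = []
    current = None  # section whose detail lines we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            current = None
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("section")
            continue
        if current is None or line == NONE_MARKER:
            continue
        m = ITEM_RE.match(line)
        if m:
            detections.append({"section": current, **m.groupdict()})
        else:
            # Unrecognised detail line: keep it rather than silently dropping it.
            detections.append({"section": current, "item": line,
                               "family": None, "action": None})
    return summary, detections


def check_counts(summary, detections):
    """Sections whose summary count disagrees with the number of detail lines."""
    per_section = {}
    for d in detections:
        per_section[d["section"]] = per_section.get(d["section"], 0) + 1
    return [s for s, n in summary.items() if per_section.get(s, 0) != n]


def unresolved(detections):
    """Detections whose recorded action was not a successful removal."""
    return [d for d in detections
            if d["action"] is None or "successfully" not in d["action"]]
```

Run over a real log file, `unresolved()` is the list worth acting on; the count check catches a log that was truncated or hand-edited before it was pasted into a thread.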


Posted 28 November 2009 - 11:32 PM

I performed 3 scans mentioned in another post that sounded similar to my problem:

#1 RootRepeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/28 23:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB6829000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

==EOF==

#2 WIN32kDiag.txt

Running from: C:\Documents and Settings\relative's name\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\relative's name\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Finished!

#3 Log.txt from cmd Start menu thing:

Volume in drive C has no label.
Volume Serial Number is F08E-39CD

Directory of C:\WINDOWS\$hf_mig$\KB968389\SP2QFE

02/06/2009 01:46 PM 408,064 netlogon.dll
1 File(s) 408,064 bytes

Directory of C:\WINDOWS\$hf_mig$\KB975467\SP2QFE

02/06/2009 01:46 PM 408,064 netlogon.dll
1 File(s) 408,064 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

Hope this helps you figure it out! Pauline
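The third log above is a `dir` listing of netlogon.dll copies across the Windows tree, the kind of listing used to compare the copies of one system DLL against each other when a patched system file is suspected. As an added example (not from the original post or from BleepingComputer's own tools), here is a Python parser for that `dir` output format that groups the copies by size and timestamp and reports the ones that differ from the most common fingerprint. The listing below is constructed for the example (paths, dates and sizes are made up, with one copy deliberately different); it is not the poster's real data, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample of `dir` output in the format shown in the post.
# Dates and sizes are invented for the example; one copy differs on purpose.
SAMPLE_DIR = r"""
 Volume in drive C has no label.
 Volume Serial Number is F08E-39CD

 Directory of C:\WINDOWS\$hf_mig$\KB968389\SP2QFE

02/06/2009  01:46 PM           408,064 netlogon.dll
               1 File(s)        408,064 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB975467\SP2QFE

02/06/2009  01:46 PM           408,064 netlogon.dll
               1 File(s)        408,064 bytes

 Directory of C:\WINDOWS\system32

02/06/2009  01:46 PM           407,040 netlogon.dll
               1 File(s)        407,040 bytes

 Directory of C:\WINDOWS\system32\dllcache

02/06/2009  01:46 PM           408,064 netlogon.dll
               1 File(s)        408,064 bytes
"""

DIR_RE = re.compile(r"^Directory of (?P<path>.+)$")
# "<date>  <time>  <size with commas>  <name>" file lines of dir output
FILE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S.*)$"
)


def parse_dir_listing(text):
    """Return one {path, date, time, size, name} dict per file line."""
    entries = []
    current_dir = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group("path")
            continue
        m = FILE_RE.match(line)
        if m and current_dir is not None:
            entries.append({
                "path": current_dir,
                "date": m.group("date"),
                "time": m.group("time"),
                "size": int(m.group("size").replace(",", "")),
                "name": m.group("name"),
            })
    return entries


def find_outliers(entries, name):
    """Copies of `name` whose (size, date, time) differ from the most common one.

    A clean machine can legitimately hold several versions (SP2 vs SP3 copies
    in $hf_mig$, $NtServicePackUninstall$, dllcache), so an outlier is a lead
    to check against a known-good copy (hash, digital signature), not a verdict.
    """
    copies = [e for e in entries if e["name"].lower() == name.lower()]
    if not copies:
        return []
    fingerprints = Counter((e["size"], e["date"], e["time"]) for e in copies)
    common, _ = fingerprints.most_common(1)[0]
    return [e for e in copies if (e["size"], e["date"], e["time"]) != common]
```

Feed it the saved Log.txt and the name of the DLL that was listed; an empty result only means all copies agree with each other, which is why the in-use copy should still be verified against a known-good file or its digital signature rather than trusted on size and date alone.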

#3 foodfromafar

Posted 29 November 2009 - 03:22 AM

OK, I updated MBAM manually since I kept getting an Error 732 when I tried to update the files. I scanned the computer again and found 4 trojans. The sysguard.exe no longer appears in Task Manager on startup. Then I ran Combofix. Internet Explorer is back on track and I think everything is good to go.

I made sure the Windows XP firewall was turned on and I updated the IE security settings as per the article on here, "Practice Internet Safety". I am also going to download SuperAntiSpyware. Hopefully this will help prevent a recurrence.

If you have any other suggestions, they are most welcome. Pauline

#4 AustrAlien

Posted 30 November 2009 - 02:07 AM

If you have any other suggestions, they are most welcome. Pauline

Pauline,
You don't need any help from me .... you are doing just fine on your own. Well done.

One tip that may help ... Download and use Firefox instead of IE for most internet activity.
Educating the user is another matter .... ?

Good luck.

BTW Your RR and Win32kDiag were clear of rootkits.
Your "#3 Log.txt from cmd Start menu thing:" was not complete ... but the date "02/06/2009" on the SP2 uninstall file did look suspicious to me when it should probably have been "2004" sometime ????
You might want to run that one again and post it?
AustrAlien
Google is my friend. Make Google your friend too.

Posted 09 December 2009 - 02:36 PM

Thank you, AustrAlien! I am now researching the Vundo trojan for the same computer. It seems to have been stopped in its tracks, but you can never be too sure...