Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help my computer keeps restarting by itself and the internet won't work sometimes


  • This topic is locked This topic is locked
23 replies to this topic

#1 trehman

trehman

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:50 PM

Posted 06 January 2010 - 05:50 PM

Hello,

Recently I powered off my Dell E510/5150 running on Windows 7 because for some reason while browsing the web the web pages didn't load. Then after restarting the computer after logging on a message popped up that my computer was infected with worm.win32.netsky

I did not have an antivirus installed on my computer, but I had MalwareBytes and SuperAntiSpyware. I had updated both programs the day before and scanned for infections but did not find any. Whenever I log into Windows "normally" or in SafeMode WITH Networking I am unable to use the computer and whenever I log on a spyware alert popped up stating that my computer was infected with worm.win32.netsky. I pressed okay and then there was only a black screen nothing else. I put my computer into safeMode. There was no icons or anything only a window that popped up "My Documents". Then I ran MalwareBytes AntiMalware and SuperAntiSpyware to search for infections. MalwareBytes found 30 infections and removed them all (I restarted the computer). Then I was able to log on normally but after 5mins the an error message would popup saying "Windows must now restart because the Power Service Terminated Unexpectedly".

I was able to stop my computer from restarting by going to Start>Run>system -a

I have used Smitfraudfix as well (in safe mode) and still I am incurring the problem. Please help ASAP! Thanks! :thumbsup:


EDIT: Here is a screenshot of the error messages that popup before my computer restarts.
Posted Image

Edited by trehman, 06 January 2010 - 07:23 PM.


BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:50 PM

Posted 06 January 2010 - 06:57 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 trehman

trehman
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:50 PM

Posted 06 January 2010 - 07:24 PM

Anyone help me please!

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:50 PM

Posted 06 January 2010 - 10:01 PM

Hello. So you cannot run long enough to run SuperAntiSpyware next?
Post the MBAM log so I can get some idea of where to go.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 trehman

trehman
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:50 PM

Posted 06 January 2010 - 10:06 PM

Hello. So you cannot run long enough to run SuperAntiSpyware next?
Post the MBAM log so I can get some idea of where to go.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

I already ran both tools.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.43
Database version: 3494
Windows 6.1.7100
Internet Explorer 8.0.7100.0

1/5/2010 4:54:15 PM
mbam-log-2010-01-05 (16-54-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 207425
Time elapsed: 1 hour(s), 4 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\drivers\dickwc.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

#6 trehman

trehman
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:50 PM

Posted 06 January 2010 - 10:07 PM

^The above is the most recent scan. The scan where I found 30 infections I have it if you want me to post it.

Thanks!

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:50 PM

Posted 06 January 2010 - 11:02 PM

Yes that and SAS please ..I am looking for specific items.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 trehman

trehman
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:50 PM

Posted 06 January 2010 - 11:17 PM

This is the log for MalwareBytes:


Malwarebytes' Anti-Malware 1.43
Database version: 3494
Windows 6.1.7100 (Safe Mode)
Internet Explorer 8.0.7100.0

1/4/2010 7:52:11 PM
mbam-log-2010-01-04 (19-52-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 203228
Time elapsed: 23 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 12
Registry Data Items Infected: 10
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Spyware.Passwords) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: c:\windows\system32\kbdsock.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: system32\kbdsock.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe rundll32.exe bwsb.gio gltbr) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\coptnc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\opxfox.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\bwsb.gio (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\kbdsock.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Windows\System32\mshlps.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Windows\Temp\BD.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\AVR10.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Here is the one for SuperAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/04/2010 at 05:53 PM

Application Version : 4.29.1004

Core Rules Database Version : 4441
Trace Rules Database Version: 2265

Scan type : Complete Scan
Total Scan Time : 00:03:39

Memory items scanned : 346
Memory threats detected : 0
Registry items scanned : 7624
Registry threats detected : 33
File items scanned : 556
File threats detected : 10

Trojan.Agent/Gen
[winupdate86.exe] C:\WINDOWS\SYSTEM32\WINUPDATE86.EXE
C:\WINDOWS\SYSTEM32\WINUPDATE86.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#winupdate86.exe [ C:\Windows\system32\winupdate86.exe ]
C:\Windows\system32\critical_warning.html
C:\Windows\system32\winhelper86.dll

Trojan.Agent/Gen-FakeAlert[BTWSRV]
HKLM\System\ControlSet001\Services\BtwSrv
C:\WINDOWS\SYSTEM32\BTWSRV.DLL
HKLM\System\ControlSet001\Enum\Root\LEGACY_BtwSrv
HKLM\System\ControlSet002\Services\BtwSrv
HKLM\System\ControlSet002\Enum\Root\LEGACY_BtwSrv
HKLM\System\CurrentControlSet\Services\BtwSrv
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_BtwSrv

Trojan.Agent/Gen-Koobface
HKLM\System\ControlSet001\Services\fastnetsrv
C:\WINDOWS\SYSTEM32\FASTNETSRV.EXE
HKLM\System\ControlSet001\Enum\Root\LEGACY_fastnetsrv
HKLM\System\ControlSet002\Services\fastnetsrv
HKLM\System\ControlSet002\Enum\Root\LEGACY_fastnetsrv
HKLM\System\CurrentControlSet\Services\fastnetsrv
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_fastnetsrv

Trojan.Dropper/Win-NV
HKLM\System\ControlSet001\Services\FastUserSwitchingCompatibility
C:\WINDOWS\SYSTEM32\FASTUV32.DLL
HKLM\System\ControlSet001\Enum\Root\LEGACY_FastUserSwitchingCompatibility
HKLM\System\ControlSet002\Services\FastUserSwitchingCompatibility
HKLM\System\ControlSet002\Enum\Root\LEGACY_FastUserSwitchingCompatibility
HKLM\System\CurrentControlSet\Services\FastUserSwitchingCompatibility
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_FastUserSwitchingCompatibility
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\xxop81
C:\WINDOWS\SYSTEM32\XXOP81.DLL

Trojan.Downloader-Gen
HKLM\System\ControlSet001\Services\Ias
C:\WINDOWS\SYSTEM32\IASEX.DLL
HKLM\System\ControlSet001\Enum\Root\LEGACY_Ias
HKLM\System\ControlSet002\Services\Ias
HKLM\System\ControlSet002\Enum\Root\LEGACY_Ias
HKLM\System\CurrentControlSet\Services\Ias
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_Ias




Here is another one:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/04/2010 at 05:59 PM

Application Version : 4.29.1004

Core Rules Database Version : 4441
Trace Rules Database Version: 2265

Scan type : Complete Scan
Total Scan Time : 00:02:25

Memory items scanned : 346
Memory threats detected : 0
Registry items scanned : 7603
Registry threats detected : 1
File items scanned : 0
File threats detected : 1

Trojan.Agent/Gen
[winupdate86.exe] C:\WINDOWS\SYSTEM32\WINUPDATE86.EXE
C:\WINDOWS\SYSTEM32\WINUPDATE86.EXE



And this is the most recent:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/04/2010 at 07:17 PM

Application Version : 4.29.1004

Core Rules Database Version : 4441
Trace Rules Database Version: 2265

Scan type : Complete Scan
Total Scan Time : 00:22:05

Memory items scanned : 377
Memory threats detected : 0
Registry items scanned : 7608
Registry threats detected : 2
File items scanned : 23382
File threats detected : 52

Trojan.Agent/Gen
[winupdate86.exe] C:\WINDOWS\SYSTEM32\WINUPDATE86.EXE
C:\WINDOWS\SYSTEM32\WINUPDATE86.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#winupdate86.exe [ C:\Windows\system32\winupdate86.exe ]
C:\Windows\system32\critical_warning.html
C:\Windows\system32\winhelper86.dll
C:\Windows\Prefetch\WINUPDATE86.EXE-EA43F556.pf

Adware.Vundo/Variant-NetFilter
C:\USERS\TANZEEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\6IHSD3J7\DFGHFGHGFJ[1].DLL

Adware.Tracking Cookie
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@zedo[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@tribalfusion[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@content.yieldmanager[3].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@tacoda[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@www.burstbeacon[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@network.realmedia[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@www.burstnet[2].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@advertising[2].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@admarketplace[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@ad.yieldmanager[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@bridge1.admarketplace[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@counter.surfcounters[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@realmedia[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@clicktorrent[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@doubleclick[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@bs.serving-sys[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@revsci[2].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@collective-media[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@burstnet[2].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@atdmt[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@invitemedia[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@interclick[2].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@media6degrees[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@burstbeacon[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@adbrite[2].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@at.atwola[2].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@adserver.adtechus[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@insightexpressai[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@kontera[2].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@enhance[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@pro-market[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@adlegend[2].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@www.apartmentfinder[1].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@stat.dealtime[2].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@apartmentfinder[2].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@statcounter[2].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@serving-sys[2].txt
C:\Users\Tanzeel\AppData\Roaming\Microsoft\Windows\Cookies\Low\tanzeel@smartadserver[2].txt

Trojan.Agent/Gen-VB[LSM32]
C:\WINDOWS\SYSTEM32\LSM32.SYS
C:\Windows\Prefetch\LSM32.SYS-A73DA6F9.pf

Trojan.Agent/Gen-BackDoor[Opeia]
C:\WINDOWS\SYSTEM32\OPEIA.EXE
C:\Windows\Prefetch\OPEIA.EXE-418BFA39.pf

Trojan.Agent/Gen-Rogue[Installer]
C:\WINDOWS\SYSTEM32\WINLOGON86.EXE
C:\Windows\Prefetch\WINLOGON86.EXE-C3E4F672.pf

Trojan.Agent/Gen-WIWOW64
C:\WINDOWS\SYSTEM32\WMDTC.EXE

Trojan.Downloader-Gen/SVCHost-Fake
C:\WINDOWS\TEMP\VRPI.TMP\SVCHOST.EXE
C:\Windows\Prefetch\SVCHOST.EXE-F6FA7E90.pf

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:50 PM

Posted 06 January 2010 - 11:37 PM

Ok from what I see her I need to advise you of this first.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


to continue cleaning
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 trehman

trehman
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:50 PM

Posted 07 January 2010 - 03:30 PM

I get an error while trying to install Dr. Web Cureit

This is the error message I receive: "The Archive is either in unknown format or damaged"

Also I was looking over the MBAM and Avast! logs, and this certain trojan/virus seems to keep coming back and its located in the same area as well. I don't think its getting deleted as Avast! said the file cannot be "Moved to the Chest"

Here is a screenshot of the Trojan/Virus MBAM has found:
Posted Image

Here is the log:

Malwarebytes' Anti-Malware 1.43
Database version: 3506
Windows 6.1.7100
Internet Explorer 8.0.7100.0

1/7/2010 6:49:31 AM
mbam-log-2010-01-07 (06-49-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 208477
Time elapsed: 49 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\SDFix\dummy.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\SDFix\apps\dummy.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\dickwc.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


Thanks once again!

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:50 PM

Posted 07 January 2010 - 04:15 PM

This is part of the rootkits ability to survive.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#12 trehman

trehman
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:50 PM

Posted 07 January 2010 - 04:39 PM

For some reason I can't scan.

I get an error message:

"Could not initialize driver! Please contact the author!"

I also get this error message whenever I launch RootRepeal

Posted Image

Edited by trehman, 07 January 2010 - 04:42 PM.


#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:50 PM

Posted 07 January 2010 - 08:43 PM

we'll use an alternate while I check that error.
Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#14 trehman

trehman
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:50 PM

Posted 07 January 2010 - 09:44 PM

The same file detected by malwareBytes (C://windows/System32/drivers/dickwc.sys) is detected and is described as an "unknown hidden file" by Sophos.

Where is says "Removable" it says "Yes (but clean up not recommended for this file)"

What should I do?


Here is the log:

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 1/7/2010 at 21:20:23 PM
User "Tanzeel" on computer "DELL_5150-PC"
Windows version 6.1 SP 0.0 build 7100 SM=0x100 PT=0x1 Win32
Info: Starting registry scan.
Stopped logging on 1/7/2010 at 21:21:57 PM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 1/7/2010 at 21:23:48 PM
User "Tanzeel" on computer "DELL_5150-PC"
Windows version 6.1 SP 0.0 build 7100 SM=0x100 PT=0x1 Win32
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Windows\System32\drivers\dickwc.sys
Info: Starting disk scan of E: (FAT).
Stopped logging on 1/7/2010 at 21:44:11 PM

Edited by trehman, 07 January 2010 - 09:46 PM.


#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:50 PM

Posted 07 January 2010 - 11:25 PM

Ok as this is a rootkit file and not safely removeable here. We need a custom script written...
That driver is protecting it.

You will need to run HJT/DDS.
Please follow this guide. go and do steps 6 thru 8 ,, Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title (such as Sophos found dickwc.sys) and post that complete log.

Skip the Rootrepeal step and include the Sophos log instead.

Let me know if it went OK.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users