
Sudden event with several symptoms; slow, no mouse, won't shut down


This topic is locked
42 replies to this topic

#1 SmartDad33

SmartDad33

  • Members
  • 55 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 10 January 2010 - 09:37 AM

Windows XP Professional user, and take frequent steps to prevent problems with regular scans by Malwarebytes, SUPERAntiSpyware, and SpyBot, and I maintain continuous protection with McAfee. The other day while having numerous windows opened received a warning from McAfee about a program trying to make a change to the registry. I responded to not allow it, after which Firefox shut itself down. Since then the computer has not been acting properly. I updated MAB and ran in safe mode. I also proceeded with the other customary steps, ATF Cleaner, CCleaner, and others including McAfee full scan in safe mode (after updating).

Present situation is that the computer is very slow starting up, Windows will not shut down (gets stuck at "shutting down") and sometimes the keyboard and mouse lose communication. I have also tried to use System Restore several times, going back to both recent dates as well as the earliest date available (October 2009). Please advise if there is another means to assess if the registry files have been changed, and a means to restore. Thank you very much, in advance.

You guys are the best!


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:39 AM

Posted 14 January 2010 - 01:34 PM

Hi SmartDad33,

Let's first have a look for rootkits here. Note, if you have trouble with running GMER, try leaving Devices unchecked before running a scan.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 SmartDad33

SmartDad33
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 15 January 2010 - 08:38 AM

Thanks. I had some difficulty. First run it went to BSOD after about an hour of scan. I tried again in safe mode and it took about 6 hours for this one.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-15 03:49:45
Windows 5.1.2600 Service Pack 3
Running: 5df5xqov.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fxddqpob.sys


---- Threads - GMER 1.0.15 ----

Thread System [4:252] 896E5EAB

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv@imagepath \systemroot\system32\drivers\SKYNEToqnxsnkx.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main@aid 10002
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main@sid 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks\0000000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks\0000000001@fn (null)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks\0000000001@url http://212.117.174.14/PC_protect.exe
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks\0000000001@knock (null)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks\0000000001@timeout 300
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks\0000000001@type 0
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks\0000000001@count 10
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNEToqnxsnkx.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\modules@SKYNETcmd.dll \systemroot\system32\SKYNETtoflyxjr.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\modules@SKYNETlog.dat \systemroot\system32\SKYNETgkukjkfo.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\modules@SKYNETwsp.dll \systemroot\system32\SKYNETuhwvacqj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\modules@SKYNET.dat \systemroot\system32\SKYNEThctavxda.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACwualkukjod.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmal
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacrem
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf

---- EOF - GMER 1.0.15 ----
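As an added example (not part of the thread and not GMER's own code), a small Python triage script for the output of the GMER procedure Elise describes above: it parses the "Reg" lines of a log like the one just posted, groups them per service, and reports the pattern that log shows: randomized SKYNET*/UAC* service and driver names, a Start=1 driver in the "file system" load group, an injector subkey and a task URL that points at an executable download. The sample log is a subset of the posted log plus one made-up benign Tcpip line as a control; the prefix list and the flagging rules are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER log in this thread, plus a made-up benign Tcpip line.
SAMPLE_LOG = r"""---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv@imagepath \systemroot\system32\drivers\SKYNEToqnxsnkx.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks\0000000001@url http://212.117.174.14/PC_protect.exe
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACwualkukjod.sys
Reg HKLM\SYSTEM\ControlSet001\Services\Tcpip@imagepath system32\drivers\tcpip.sys
---- EOF - GMER 1.0.15 ----
"""

# "Reg <key>[@<value name>] [<data>]" as GMER prints it
REG_LINE = re.compile(r"^Reg\s+(\S+?)(?:@(\S+))?(?:\s+(.*))?$")
SERVICE_KEY = re.compile(r"^HKLM\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\([^\\]+)", re.I)
# Assumed prefix list: the randomized SKYNET*/UAC* names seen in the log above.
ROOTKIT_PREFIXES = ("SKYNET", "UAC")

def parse_gmer_registry(text):
    # Group 'Reg' lines as (subkey, value name, data) tuples per service
    services = defaultdict(list)
    for line in text.splitlines():
        m = REG_LINE.match(line)
        s = SERVICE_KEY.match(m.group(1)) if m else None
        if not s:
            continue  # not a registry line, or not under a Services key
        subkey = m.group(1)[s.end():].lstrip("\\")
        services[s.group(1)].append((subkey, m.group(2) or "", (m.group(3) or "").strip()))
    return services

def assess_service(service, entries):
    """Return the reasons a service matches the rootkit pattern in the log."""
    reasons = []
    values = {(sub, name.lower()): data for sub, name, data in entries}
    if service.upper().startswith(ROOTKIT_PREFIXES):
        reasons.append("service name uses a known rootkit family prefix")
    driver = values.get(("", "imagepath"), "").rsplit("\\", 1)[-1]
    if driver.upper().startswith(ROOTKIT_PREFIXES) and driver.lower() != service.lower():
        reasons.append("driver %s has a randomized name unrelated to the service" % driver)
    if values.get(("", "start")) == "1" and values.get(("", "group")) == "file system":
        reasons.append("system-start (Start=1) driver in the 'file system' load group")
    for (sub, name), data in values.items():
        if name == "url" and data.lower().startswith("http"):
            reasons.append("download task under %s: %s" % (sub, data))
        if sub.endswith("injector"):
            reasons.append("injector subkey names a DLL to inject: %s" % data)
    return reasons

def suspicious_services(text):
    # Map each service with at least one red flag to its list of reasons
    found = [(s, assess_service(s, e)) for s, e in parse_gmer_registry(text).items()]
    return {s: r for s, r in found if r}
```

Run it on a full log by reading gmer.log into a string and passing it to suspicious_services(); the benign Tcpip entry produces no flags, while both randomized services are reported with their reasons.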


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:39 AM

Posted 15 January 2010 - 08:52 AM

Ouch, that's quite some rootkits we have there.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Since rootkit removal in this subforum is not allowed, I will have to move your topic to the HJT forum, so we can continue there. Just let me know what you decide to do: reformat or cleanup.

regards, Elise


#5 SmartDad33

SmartDad33
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 15 January 2010 - 12:20 PM

Thanks... been busy changing pw's all over the place and making other notifications. Since I do intend on continuing to use the computer for online banking as well as for work-related activities, music and entertainment, seems as if reinstall/reformatting is the obvious answer. The computer was issued to me with the OS installed and no disks. Assuming I can't get the disks from the original issuer, does that mean I must purchase a replacement OS?

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:39 AM

Posted 15 January 2010 - 12:33 PM

Yes, unless you have the product activation key. In that case you can use a CD that matches the version and service pack of Windows that key came with.

regards, Elise


#7 SmartDad33

SmartDad33
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 15 January 2010 - 12:36 PM

To refine my prior question, the computer has a partitioned drive, C & E. The C drive is 139 GB w/ 58 GB free, while the E is 9.65 GB mostly free with only 270 MB in use, but is labeled "HP_RECOVERY". Does this provide me with the necessities for reformatting without having external disks?

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:39 AM

Posted 15 January 2010 - 01:27 PM

See here on how to use HP Recovery partition.

If you have more questions, just let me know!

regards, Elise


#9 SmartDad33

SmartDad33
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 15 January 2010 - 01:47 PM

okay, thanks. I'm on my way and past the point of no return, formatting the HD now. I guess I better stay away from The Pirate Bay and probably Vuze. And, I guess I'll look around here at the site about maintaining better protections. This isn't my first fall from grace and I thought I was fairly diligent about keeping protections active and conducting routine malware scans.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:39 AM

Posted 15 January 2010 - 01:53 PM

Indeed, better stay away from torrent/crack sites, keygens and the like.

I will post some general information that might be of use. If you have more questions, just ask them!

Please read this advice, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

regards, Elise


#11 SmartDad33

SmartDad33
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 15 January 2010 - 04:03 PM

Is there any point in running a GMER scan after the HP Recovery is finished?

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:39 AM

Posted 15 January 2010 - 04:09 PM

No, after the recovery is finished everything should be as it was when you purchased the computer. No need to look for rootkits then.

However, if you feel safer that way, you can run it and post the log here for my review.

regards, Elise


#13 SmartDad33

SmartDad33
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 17 January 2010 - 01:15 PM

I am surprised to see, after going through the recovery, which then requires the reinstallation of Firefox after downloading the application at Mozilla, that my Bookmarks are present. Then, just to check, I looked at IE which I currently use less frequently but from earlier usage had an extensive list of Favorites, and they are present too after the re-format. Does that make sense? I thought I cleaned everything out and restored the PC to factory settings.

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:39 AM

Posted 17 January 2010 - 01:25 PM

Did you do non-destructive recovery? This will only reset the system files, but not personal data.

regards, Elise


#15 SmartDad33

SmartDad33
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 17 January 2010 - 01:41 PM

I guess that's what happened. It's very convenient for me providing the rootkit would still be gone though, right?